Add ML-KEM / FIPS203 final

.CMake/alg_support.cmake

@@ -127,11 +127,8 @@ cmake_dependent_option(OQS_ENABLE_KEM_kyber_768 "" ON "OQS_ENABLE_KEM_KYBER" OFF
 cmake_dependent_option(OQS_ENABLE_KEM_kyber_1024 "" ON "OQS_ENABLE_KEM_KYBER" OFF)
 
 option(OQS_ENABLE_KEM_ML_KEM "Enable ml_kem algorithm family" ON)
-cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_512_ipd "" ON "OQS_ENABLE_KEM_ML_KEM" OFF)
 cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_512 "" ON "OQS_ENABLE_KEM_ML_KEM" OFF)
-cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768_ipd "" ON "OQS_ENABLE_KEM_ML_KEM" OFF)
 cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768 "" ON "OQS_ENABLE_KEM_ML_KEM" OFF)
-cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024_ipd "" ON "OQS_ENABLE_KEM_ML_KEM" OFF)
 cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024 "" ON "OQS_ENABLE_KEM_ML_KEM" OFF)
 
 option(OQS_ENABLE_SIG_DILITHIUM "Enable dilithium algorithm family" ON)
@@ -320,21 +317,18 @@ endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_512_ipd_avx2 "" ON "OQS_ENABLE_KEM_ml_kem_512_ipd" OFF)
     cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_512_avx2 "" ON "OQS_ENABLE_KEM_ml_kem_512" OFF)
 endif()
 endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768_ipd_avx2 "" ON "OQS_ENABLE_KEM_ml_kem_768_ipd" OFF)
     cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768_avx2 "" ON "OQS_ENABLE_KEM_ml_kem_768" OFF)
 endif()
 endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_BMI2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024_ipd_avx2 "" ON "OQS_ENABLE_KEM_ml_kem_1024_ipd" OFF)
     cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024_avx2 "" ON "OQS_ENABLE_KEM_ml_kem_1024" OFF)
 endif()
 endif()

.github/workflows/unix.yml

@@ -203,7 +203,7 @@ jobs:
           path: build/*.deb
       - name: Check STD algorithm and alias
         if: matrix.name == 'jammy-std-openssl3'
-        run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44-ipd:\n    isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-KEM-512-ipd:\n    isnull: true"'
+        run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44-ipd:\n    isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n    isnull: false"'
         working-directory: build
 
   linux_arm_emulated:

README.md

@@ -40,7 +40,7 @@ Details on each supported algorithm can be found in the [docs/algorithms](https:
 
 The list below indicates all algorithms currently supported by liboqs, including experimental algorithms and already excluding algorithm variants pruned during the NIST competition, such as Kyber-90s or Dilithium-AES.
 
-The only algorithms in `liboqs` that implement NIST standards drafts are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/ipd) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/ipd) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes. For users interested in explicitly selecting the current "proposed draft standard" code, the variants with the suffix "-ipd" are made available. At this stage, "ml-kem-ipd" and "ml-kem" as well as "ml-dsa-ipd" and "ml-dsa" are functionally equivalent, denoted by the "alias" moniker below.
+The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/ipd) (initial public draft) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes. For users interested in explicitly selecting the current "proposed draft standard" code, the variants with the suffix "-ipd" are made available. At this stage, "ml-dsa-ipd" and "ml-dsa" are functionally equivalent, denoted by the "alias" moniker below.
 
 Falcon and SPHINCS+ have also been [selected for standardization](https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022), but the `liboqs` implementations of these algorithms are currently tracking Round 3 submissions and not NIST standards drafts.
 
@@ -54,7 +54,7 @@ All names other than `ML-KEM` and `ML-DSA` are subject to change. `liboqs` makes
 - **FrodoKEM**: FrodoKEM-640-AES, FrodoKEM-640-SHAKE, FrodoKEM-976-AES, FrodoKEM-976-SHAKE, FrodoKEM-1344-AES, FrodoKEM-1344-SHAKE
 - **HQC**: HQC-128, HQC-192, HQC-256
 - **Kyber**: Kyber512, Kyber768, Kyber1024
-- **ML-KEM**: ML-KEM-512-ipd (alias: ML-KEM-512), ML-KEM-768-ipd (alias: ML-KEM-768), ML-KEM-1024-ipd (alias: ML-KEM-1024)
+- **ML-KEM**: ML-KEM-512, ML-KEM-768, ML-KEM-1024
 - **NTRU-Prime**: sntrup761
 <!--- OQS_TEMPLATE_FRAGMENT_LIST_KEXS_END -->
 

docs/algorithms/kem/ml_kem.md

@@ -4,22 +4,22 @@
 - **Main cryptographic assumption**: Module LWE+R with base ring Z[x]/(3329, x^256+1).
 - **Principal submitters**: Peter Schwabe.
 - **Auxiliary submitters**: Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Gregor Seiler, Damien Stehlé.
-- **Authors' website**: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203/ipd
-- **Specification version**: ML-KEM-ipd.
+- **Authors' website**: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
+- **Specification version**: ML-KEM.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/pq-crystals/kyber/commit/d1321ce5ac0b53f583eb47a040dc3625ee8e7e37 with copy_from_upstream patches
+  - **Source**: https://github.com/pq-crystals/kyber/commit/10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd with copy_from_upstream patches
   - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
 
 
 ## Parameter set summary
 
 |  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) |
 |:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|
-| ML-KEM-512-ipd  | ML-KEM-512            | IND-CCA2         |                    1 |                       800 |                      1632 |                       768 |                           32 |
-| ML-KEM-768-ipd  | ML-KEM-768            | IND-CCA2         |                    3 |                      1184 |                      2400 |                      1088 |                           32 |
-| ML-KEM-1024-ipd | ML-KEM-1024           | IND-CCA2         |                    5 |                      1568 |                      3168 |                      1568 |                           32 |
+|   ML-KEM-512    | NA                    | IND-CCA2         |                    1 |                       800 |                      1632 |                       768 |                           32 |
+|   ML-KEM-768    | NA                    | IND-CCA2         |                    3 |                      1184 |                      2400 |                      1088 |                           32 |
+|   ML-KEM-1024   | NA                    | IND-CCA2         |                    5 |                      1568 |                      3168 |                      1568 |                           32 |
 
-## ML-KEM-512-ipd implementation characteristics
+## ML-KEM-512 implementation characteristics
 
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
@@ -30,7 +30,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
  ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
 
-## ML-KEM-768-ipd implementation characteristics
+## ML-KEM-768 implementation characteristics
 
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
@@ -39,7 +39,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
-## ML-KEM-1024-ipd implementation characteristics
+## ML-KEM-1024 implementation characteristics
 
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|

docs/algorithms/kem/ml_kem.yml

@@ -13,16 +13,15 @@ auxiliary-submitters:
 - Gregor Seiler
 - Damien Stehlé
 crypto-assumption: Module LWE+R with base ring Z[x]/(3329, x^256+1)
-website: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203/ipd
-nist-round: ipd
-spec-version: ML-KEM-ipd
+website: https://pq-crystals.org/kyber/ and https://csrc.nist.gov/pubs/fips/203
+nist-round: FIPS203
+spec-version: ML-KEM
 primary-upstream:
-  source: https://github.com/pq-crystals/kyber/commit/d1321ce5ac0b53f583eb47a040dc3625ee8e7e37
+  source: https://github.com/pq-crystals/kyber/commit/10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd
     with copy_from_upstream patches
   spdx-license-identifier: CC0-1.0 or Apache-2.0
 parameter-sets:
-- name: ML-KEM-512-ipd
-  alias: ML-KEM-512
+- name: ML-KEM-512
   claimed-nist-level: 1
   claimed-security: IND-CCA2
   length-public-key: 800
@@ -55,8 +54,7 @@ parameter-sets:
     no-secret-dependent-branching-claimed: true
     no-secret-dependent-branching-checked-by-valgrind: true
     large-stack-usage: false
-- name: ML-KEM-768-ipd
-  alias: ML-KEM-768
+- name: ML-KEM-768
   claimed-nist-level: 3
   claimed-security: IND-CCA2
   length-public-key: 1184
@@ -89,8 +87,7 @@ parameter-sets:
     no-secret-dependent-branching-claimed: true
     no-secret-dependent-branching-checked-by-valgrind: true
     large-stack-usage: false
-- name: ML-KEM-1024-ipd
-  alias: ML-KEM-1024
+- name: ML-KEM-1024
   claimed-nist-level: 5
   claimed-security: IND-CCA2
   length-public-key: 1568

docs/cbom.json

@@ -1,23 +1,23 @@
 {
   "bomFormat": "CBOM",
   "specVersion": "1.4-cbom-1.0",
-  "serialNumber": "urn:uuid:58a975ac-ea6b-4ce9-a5ae-80d35105db30",
+  "serialNumber": "urn:uuid:b953d460-1246-4cbb-aff9-642a0308d18b",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-04-09T21:46:17.101849",
+    "timestamp": "2024-08-26T18:04:44.668645",
     "component": {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@2fd65d9ec99a2608149713e5fcaeb9b6402e5872",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910",
       "name": "liboqs",
-      "version": "2fd65d9ec99a2608149713e5fcaeb9b6402e5872"
+      "version": "062e793edf54cbc1073b54d0689795063fd41910"
     }
   },
   "components": [
     {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@2fd65d9ec99a2608149713e5fcaeb9b6402e5872",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910",
       "name": "liboqs",
-      "version": "2fd65d9ec99a2608149713e5fcaeb9b6402e5872"
+      "version": "062e793edf54cbc1073b54d0689795063fd41910"
     },
     {
       "type": "crypto-asset",
@@ -1041,12 +1041,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-KEM-512-ipd:generic",
+      "bom-ref": "alg:ML-KEM-512:generic",
       "name": "ML-KEM",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-KEM-512-ipd",
+          "variant": "ML-KEM-512",
           "primitive": "kem",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -1061,12 +1061,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-KEM-512-ipd:x86_64",
+      "bom-ref": "alg:ML-KEM-512:x86_64",
       "name": "ML-KEM",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-KEM-512-ipd",
+          "variant": "ML-KEM-512",
           "primitive": "kem",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -1081,12 +1081,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-KEM-768-ipd:generic",
+      "bom-ref": "alg:ML-KEM-768:generic",
       "name": "ML-KEM",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-KEM-768-ipd",
+          "variant": "ML-KEM-768",
           "primitive": "kem",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -1101,12 +1101,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-KEM-768-ipd:x86_64",
+      "bom-ref": "alg:ML-KEM-768:x86_64",
       "name": "ML-KEM",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-KEM-768-ipd",
+          "variant": "ML-KEM-768",
           "primitive": "kem",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -1121,12 +1121,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-KEM-1024-ipd:generic",
+      "bom-ref": "alg:ML-KEM-1024:generic",
       "name": "ML-KEM",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-KEM-1024-ipd",
+          "variant": "ML-KEM-1024",
           "primitive": "kem",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -1141,12 +1141,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-KEM-1024-ipd:x86_64",
+      "bom-ref": "alg:ML-KEM-1024:x86_64",
       "name": "ML-KEM",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-KEM-1024-ipd",
+          "variant": "ML-KEM-1024",
           "primitive": "kem",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -2408,7 +2408,7 @@
   ],
   "dependencies": [
     {
-      "ref": "pkg:github/open-quantum-safe/liboqs@2fd65d9ec99a2608149713e5fcaeb9b6402e5872",
+      "ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910",
       "dependsOn": [
         "alg:BIKE-L1:x86_64",
         "alg:BIKE-L3:x86_64",
@@ -2461,12 +2461,12 @@
         "alg:Kyber1024:generic",
         "alg:Kyber1024:x86_64",
         "alg:Kyber1024:armv8-a",
-        "alg:ML-KEM-512-ipd:generic",
-        "alg:ML-KEM-512-ipd:x86_64",
-        "alg:ML-KEM-768-ipd:generic",
-        "alg:ML-KEM-768-ipd:x86_64",
-        "alg:ML-KEM-1024-ipd:generic",
-        "alg:ML-KEM-1024-ipd:x86_64",
+        "alg:ML-KEM-512:generic",
+        "alg:ML-KEM-512:x86_64",
+        "alg:ML-KEM-768:generic",
+        "alg:ML-KEM-768:x86_64",
+        "alg:ML-KEM-1024:generic",
+        "alg:ML-KEM-1024:x86_64",
         "alg:sntrup761:generic",
         "alg:sntrup761:x86_64",
         "alg:Dilithium2:generic",
@@ -2893,42 +2893,42 @@
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-KEM-512-ipd:generic",
+      "ref": "alg:ML-KEM-512:generic",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-KEM-512-ipd:x86_64",
+      "ref": "alg:ML-KEM-512:x86_64",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-KEM-768-ipd:generic",
+      "ref": "alg:ML-KEM-768:generic",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-KEM-768-ipd:x86_64",
+      "ref": "alg:ML-KEM-768:x86_64",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-KEM-1024-ipd:generic",
+      "ref": "alg:ML-KEM-1024:generic",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-KEM-1024-ipd:x86_64",
+      "ref": "alg:ML-KEM-1024:x86_64",
       "dependsOn": [
         "alg:sha3"
       ],

scripts/copy_from_upstream/copy_from_upstream.yml

@@ -32,11 +32,11 @@ upstreams:
   -
     name: pqcrystals-kyber-standard
     git_url: https://github.com/pq-crystals/kyber.git
-    git_branch: standard
-    git_commit: d1321ce5ac0b53f583eb47a040dc3625ee8e7e37
+    git_branch: main
+    git_commit: 10b478fc3cc4ff6215eb0b6a11bd758bf0929cbd
     kem_meta_path: '{pretty_name_full}_META.yml'
     kem_scheme_path: '.'
-    patches: [pqcrystals-ml_kem_ipd.patch]
+    patches: [pqcrystals-ml_kem.patch]
   -
     name: pqcrystals-dilithium
     git_url: https://github.com/pq-crystals/dilithium.git
@@ -161,22 +161,19 @@ kems:
     upstream_location: pqcrystals-kyber-standard
     schemes:
       -
-        scheme: "512_ipd"
-        pqclean_scheme: ml-kem-512-ipd
-        pretty_name_full: ML-KEM-512-ipd
-        alias_scheme: "512"
+        scheme: "512"
+        pqclean_scheme: ml-kem-512
+        pretty_name_full: ML-KEM-512
         alias_pretty_name_full: ML-KEM-512
       -
-        scheme: "768_ipd"
-        pqclean_scheme: ml-kem-768-ipd
-        pretty_name_full: ML-KEM-768-ipd
-        alias_scheme: "768"
+        scheme: "768"
+        pqclean_scheme: ml-kem-768
+        pretty_name_full: ML-KEM-768
         alias_pretty_name_full: ML-KEM-768
       -
-        scheme: "1024_ipd"
-        pqclean_scheme: ml-kem-1024-ipd
-        pretty_name_full: ML-KEM-1024-ipd
-        alias_scheme: "1024"
+        scheme: "1024"
+        pqclean_scheme: ml-kem-1024
+        pretty_name_full: ML-KEM-1024
         alias_pretty_name_full: ML-KEM-1024
 sigs:
   -