[WIP] HPKE updates

bwesterb · bwesterb · commit c350df6e3d38 · 2025-07-14T21:41:12.000+02:00
From draft-ietf-hpke-pq-01 implements:

- The one-stage SHAKE-based KDFs in the key schedule.
- Hybrid QSF-X25519-MLKEM768 KEM (a.k.a. X-Wing)
- Pure ML-KEM-{512,768,1024} KEMs.

Does not include QSF-P384-MLKEM1024, QSF-P256-MLKEM768 (yet), nor
support for the one-stage KDFs in DHKEM.
diff --git a/hpke/aead.go b/hpke/aead.go
@@ -36,7 +36,11 @@ func (c *encdecContext) Export(exporterContext []byte, length uint) []byte {
 	if length > maxLength {
 		panic(fmt.Errorf("output length must be lesser than %v bytes", maxLength))
 	}
-	return c.suite.labeledExpand(c.exporterSecret, []byte("sec"),
+	if c.suite.kdfID.IsTwoStage() {
+		return c.suite.labeledExpand(c.exporterSecret, []byte("sec"),
+			exporterContext, uint16(length))
+	}
+	return c.suite.labeledDerive(c.exporterSecret, []byte("sec"),
 		exporterContext, uint16(length))
 }
 
diff --git a/hpke/algs.go b/hpke/algs.go
@@ -13,8 +13,12 @@ import (
 
 	"github.com/cloudflare/circl/dh/x25519"
 	"github.com/cloudflare/circl/dh/x448"
+	"github.com/cloudflare/circl/internal/sha3"
 	"github.com/cloudflare/circl/kem"
 	"github.com/cloudflare/circl/kem/kyber/kyber768"
+	"github.com/cloudflare/circl/kem/mlkem/mlkem1024"
+	"github.com/cloudflare/circl/kem/mlkem/mlkem512"
+	"github.com/cloudflare/circl/kem/mlkem/mlkem768"
 	"github.com/cloudflare/circl/kem/xwing"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/hkdf"
@@ -41,6 +45,13 @@ const (
 	KEM_X25519_KYBER768_DRAFT00 KEM = 0x30
 	// KEM_XWING is a hybrid KEM using X25519 and ML-KEM-768.
 	KEM_XWING KEM = 0x647a
+
+	KEM_MLKEM512  KEM = 0x0040
+	KEM_MLKEM768  KEM = 0x0041
+	KEM_MLKEM1024 KEM = 0x0042
+
+	KEM_QSF_P256_MLKEM768  = 0x0050
+	KEM_QSF_P384_MLKEM1024 = 0x0052
 )
 
 // IsValid returns true if the KEM identifier is supported by the HPKE package.
@@ -52,7 +63,10 @@ func (k KEM) IsValid() bool {
 		KEM_X25519_HKDF_SHA256,
 		KEM_X448_HKDF_SHA512,
 		KEM_X25519_KYBER768_DRAFT00,
-		KEM_XWING:
+		KEM_XWING,
+		KEM_MLKEM512,
+		KEM_MLKEM768,
+		KEM_MLKEM1024:
 		return true
 	default:
 		return false
@@ -77,6 +91,12 @@ func (k KEM) Scheme() kem.Scheme {
 		return hybridkemX25519Kyber768
 	case KEM_XWING:
 		return kemXwing
+	case KEM_MLKEM512:
+		return kemMLKEM512
+	case KEM_MLKEM768:
+		return kemMLKEM768
+	case KEM_MLKEM1024:
+		return kemMLKEM1024
 	default:
 		panic(ErrInvalidKEM)
 	}
@@ -86,27 +106,57 @@ type KDF uint16
 
 //nolint:golint,stylecheck
 const (
-	// KDF_HKDF_SHA256 is a KDF using HKDF with SHA-256.
+	// KDF_HKDF_SHA256 is a two-stage KDF using HKDF with SHA-256.
 	KDF_HKDF_SHA256 KDF = 0x01
-	// KDF_HKDF_SHA384 is a KDF using HKDF with SHA-384.
+	// KDF_HKDF_SHA384 is a two-stage KDF using HKDF with SHA-384.
 	KDF_HKDF_SHA384 KDF = 0x02
-	// KDF_HKDF_SHA512 is a KDF using HKDF with SHA-512.
+	// KDF_HKDF_SHA512 is a two-stage KDF using HKDF with SHA-512.
 	KDF_HKDF_SHA512 KDF = 0x03
+
+	// KDF_SHAKE128 is a one-stage KDF using SHAKE-128.
+	KDF_SHAKE128 = 0x10
+	// KDF_SHAKE256 is a one-stage KDF using SHAKE-256.
+	KDF_SHAKE256 = 0x11
+	// KDF_TurboSHAKE128 is a one-stage KDF using TurboSHAKE-128.
+	KDF_TurboSHAKE128 = 0x12
+	// KDF_TurboSHAKE256 is a one-stage KDF using TurboSHAKE-256.
+	KDF_TurboSHAKE256 = 0x13
 )
 
-func (k KDF) IsValid() bool {
+func (k KDF) IsTwoStage() bool {
 	switch k {
 	case KDF_HKDF_SHA256,
 		KDF_HKDF_SHA384,
 		KDF_HKDF_SHA512:
 		return true
+	case KDF_SHAKE128,
+		KDF_TurboSHAKE128,
+		KDF_SHAKE256,
+		KDF_TurboSHAKE256:
+		return false
+	default:
+		panic(ErrInvalidKDF)
+	}
+}
+
+func (k KDF) IsValid() bool {
+	switch k {
+	case KDF_HKDF_SHA256,
+		KDF_HKDF_SHA384,
+		KDF_HKDF_SHA512,
+		KDF_SHAKE128,
+		KDF_TurboSHAKE128,
+		KDF_SHAKE256,
+		KDF_TurboSHAKE256:
+		return true
 	default:
 		return false
 	}
 }
 
 // ExtractSize returns the size (in bytes) of the pseudorandom key produced
-// by KDF.Extract.
+// by KDF.Extract() for a two-stage KDF, and the minimum output length
+// for full security for KDF.Derive() for a one-stage KDF.
 func (k KDF) ExtractSize() int {
 	switch k {
 	case KDF_HKDF_SHA256:
@@ -115,13 +165,19 @@ func (k KDF) ExtractSize() int {
 		return crypto.SHA384.Size()
 	case KDF_HKDF_SHA512:
 		return crypto.SHA512.Size()
+	case KDF_SHAKE128, KDF_TurboSHAKE128:
+		return 32
+	case KDF_SHAKE256, KDF_TurboSHAKE256:
+		return 64
 	default:
 		panic(ErrInvalidKDF)
 	}
 }
 
 // Extract derives a pseudorandom key from a high-entropy, secret input and a
 // salt. The size of the output is determined by KDF.ExtractSize.
+//
+// Panics when called on a one-stage KDF.
 func (k KDF) Extract(secret, salt []byte) (pseudorandomKey []byte) {
 	return hkdf.Extract(k.hash(), secret, salt)
 }
@@ -130,6 +186,8 @@ func (k KDF) Extract(secret, salt []byte) (pseudorandomKey []byte) {
 // and an information string. Panics if the pseudorandom key is less
 // than N bytes, or if the output length is greater than 255*N bytes,
 // where N is the size returned by KDF.Extract function.
+//
+// Panics when called on a one-stage KDF.
 func (k KDF) Expand(pseudorandomKey, info []byte, outputLen uint) []byte {
 	extractSize := k.ExtractSize()
 	if len(pseudorandomKey) < extractSize {
@@ -148,6 +206,27 @@ func (k KDF) Expand(pseudorandomKey, info []byte, outputLen uint) []byte {
 	return output
 }
 
+// Derive derives a variable-length pseudorandom string from a
+// high-entropy, secret input.
+//
+// Panics when called on a two-stage KDF.
+func (k KDF) Derive(ikm []byte, l uint) []byte {
+	ret := make([]byte, l)
+	switch k {
+	case KDF_SHAKE128:
+		sha3.ShakeSum128(ret, ikm)
+	case KDF_SHAKE256:
+		sha3.ShakeSum256(ret, ikm)
+	case KDF_TurboSHAKE128:
+		sha3.TurboShakeSum128(ret, ikm, 0x1f)
+	case KDF_TurboSHAKE256:
+		sha3.TurboShakeSum256(ret, ikm, 0x1f)
+	default:
+		panic(ErrInvalidKDF)
+	}
+	return ret
+}
+
 func (k KDF) hash() func() hash.Hash {
 	switch k {
 	case KDF_HKDF_SHA256:
@@ -243,6 +322,9 @@ var (
 	dhkemx25519hkdfsha256, dhkemx448hkdfsha512                    xKEM
 	hybridkemX25519Kyber768                                       hybridKEM
 	kemXwing                                                      genericNoAuthKEM
+	kemMLKEM512                                                   genericNoAuthKEM
+	kemMLKEM768                                                   genericNoAuthKEM
+	kemMLKEM1024                                                  genericNoAuthKEM
 )
 
 func init() {
@@ -284,4 +366,11 @@ func init() {
 
 	kemXwing.Scheme = xwing.Scheme()
 	kemXwing.name = "HPKE_KEM_XWING"
+
+	kemMLKEM512.Scheme = mlkem512.Scheme()
+	kemMLKEM512.name = "HPKE_KEM_MLKEM512"
+	kemMLKEM768.Scheme = mlkem768.Scheme()
+	kemMLKEM768.name = "HPKE_KEM_MLKEM768"
+	kemMLKEM1024.Scheme = mlkem1024.Scheme()
+	kemMLKEM1024.name = "HPKE_KEM_MLKEM1024"
 }
diff --git a/hpke/hpke.go b/hpke/hpke.go
@@ -17,6 +17,7 @@ import (
 	"crypto/rand"
 	"encoding"
 	"errors"
+	"fmt"
 	"io"
 
 	"github.com/cloudflare/circl/kem"
@@ -216,7 +217,7 @@ func (s *Sender) allSetup(rnd io.Reader) ([]byte, Sealer, error) {
 	seed := make([]byte, scheme.EncapsulationSeedSize())
 	_, err := io.ReadFull(rnd, seed)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, fmt.Errorf("encapsulation seed: %w", err)
 	}
 
 	var enc, ss []byte
diff --git a/hpke/hybridkem.go b/hpke/hybridkem.go
@@ -63,7 +63,7 @@ func (h hybridKEM) Decapsulate(skr kem.PrivateKey, ct []byte) ([]byte, error) {
 		return nil, err
 	}
 
-	ss := append(ssA, ssB...)
+	ss := concat(ssA, ssB)
 
 	return ss, nil
 }
@@ -81,8 +81,8 @@ func (h hybridKEM) EncapsulateDeterministically(
 		return nil, nil, err
 	}
 
-	ct = append(encA, encB...)
-	ss = append(ssA, ssB...)
+	ct = concat(encA, encB)
+	ss = concat(ssA, ssB)
 
 	return ct, ss, nil
 }
@@ -106,7 +106,7 @@ func (k *hybridKEMPrivKey) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	return append(skA, skB...), nil
+	return concat(skA, skB), nil
 }
 
 func (k *hybridKEMPrivKey) Equal(sk kem.PrivateKey) bool {
@@ -143,7 +143,7 @@ func (k hybridKEMPubKey) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	return append(pkA, pkB...), nil
+	return concat(pkA, pkB), nil
 }
 
 func (k *hybridKEMPubKey) Equal(pk kem.PublicKey) bool {
diff --git a/hpke/kembase.go b/hpke/kembase.go
@@ -51,12 +51,12 @@ func (k kemBase) extractExpand(dh, kemCtx []byte) []byte {
 
 func (k kemBase) labeledExtract(salt, label, info []byte) []byte {
 	suiteID := k.getSuiteID()
-	labeledIKM := append(append(append(append(
-		make([]byte, 0, len(versionLabel)+len(suiteID)+len(label)+len(info)),
-		versionLabel...),
-		suiteID[:]...),
-		label...),
-		info...)
+	labeledIKM := concat(
+		[]byte(versionLabel),
+		suiteID[:],
+		label,
+		info,
+	)
 	return hkdf.Extract(k.New, labeledIKM, salt)
 }
 
@@ -68,11 +68,13 @@ func (k kemBase) labeledExpand(prk, label, info []byte, l uint16) []byte {
 		2+len(versionLabel)+len(suiteID)+len(label)+len(info),
 	)
 	binary.BigEndian.PutUint16(labeledInfo[0:2], l)
-	labeledInfo = append(append(append(append(labeledInfo,
-		versionLabel...),
-		suiteID[:]...),
-		label...),
-		info...)
+	labeledInfo = concat(
+		labeledInfo,
+		[]byte(versionLabel),
+		suiteID[:],
+		label,
+		info,
+	)
 	b := make([]byte, l)
 	rd := hkdf.Expand(k.New, prk, labeledInfo)
 	if _, err := io.ReadFull(rd, b); err != nil {
@@ -152,7 +154,7 @@ func (k dhKemBase) authEncap(
 	if err != nil {
 		return nil, nil, err
 	}
-	kemCtx = append(kemCtx, pkSm...)
+	kemCtx = concat(kemCtx, pkSm)
 
 	ss = k.extractExpand(dh, kemCtx)
 	return enc, ss, nil
@@ -177,7 +179,7 @@ func (k dhKemBase) coreEncap(
 	if err != nil {
 		return nil, nil, err
 	}
-	kemCtx = append(append([]byte{}, enc...), pkRm...)
+	kemCtx = concat(enc, pkRm)
 
 	return enc, kemCtx, nil
 }
@@ -212,7 +214,7 @@ func (k dhKemBase) AuthDecapsulate(
 	if err != nil {
 		return nil, err
 	}
-	kemCtx = append(kemCtx, pkSm...)
+	kemCtx = concat(kemCtx, pkSm)
 	return k.extractExpand(dh, kemCtx), nil
 }
 
@@ -237,5 +239,5 @@ func (k dhKemBase) coreDecap(
 		return nil, err
 	}
 
-	return append(append([]byte{}, ct...), pkRm...), nil
+	return concat(ct, pkRm), nil
 }
diff --git a/hpke/marshal.go b/hpke/marshal.go
@@ -106,7 +106,7 @@ func (c *sealContext) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	return append([]byte{0}, rawContext...), nil
+	return concat([]byte{0}, rawContext), nil
 }
 
 // UnmarshalSealer parses an HPKE sealer.
@@ -134,7 +134,7 @@ func (c *openContext) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	return append([]byte{1}, rawContext...), nil
+	return concat([]byte{1}, rawContext), nil
 }
 
 // UnmarshalOpener parses a serialized HPKE opener and returns the corresponding
diff --git a/hpke/testdata/hpke-pq.json b/hpke/testdata/hpke-pq.json
diff --git a/hpke/util.go b/hpke/util.go
diff --git a/hpke/vectors_test.go b/hpke/vectors_test.go

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,11 @@ func (c *encdecContext) Export(exporterContext []byte, length uint) []byte {`
`36`	`36`	`if length > maxLength {`
`37`	`37`	`panic(fmt.Errorf("output length must be lesser than %v bytes", maxLength))`
`38`	`38`	`}`
`39`		`- return c.suite.labeledExpand(c.exporterSecret, []byte("sec"),`
	`39`	`+ if c.suite.kdfID.IsTwoStage() {`
	`40`	`+ return c.suite.labeledExpand(c.exporterSecret, []byte("sec"),`
	`41`	`+ exporterContext, uint16(length))`
	`42`	`+ }`
	`43`	`+ return c.suite.labeledDerive(c.exporterSecret, []byte("sec"),`
`40`	`44`	`exporterContext, uint16(length))`
`41`	`45`	`}`
`42`	`46`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func (h hybridKEM) Decapsulate(skr kem.PrivateKey, ct []byte) ([]byte, error) {`
`63`	`63`	`return nil, err`
`64`	`64`	`}`
`65`	`65`
`66`		`- ss := append(ssA, ssB...)`
	`66`	`+ ss := concat(ssA, ssB)`
`67`	`67`
`68`	`68`	`return ss, nil`
`69`	`69`	`}`
`@@ -81,8 +81,8 @@ func (h hybridKEM) EncapsulateDeterministically(`
`81`	`81`	`return nil, nil, err`
`82`	`82`	`}`
`83`	`83`
`84`		`- ct = append(encA, encB...)`
`85`		`- ss = append(ssA, ssB...)`
	`84`	`+ ct = concat(encA, encB)`
	`85`	`+ ss = concat(ssA, ssB)`
`86`	`86`
`87`	`87`	`return ct, ss, nil`
`88`	`88`	`}`
`@@ -106,7 +106,7 @@ func (k *hybridKEMPrivKey) MarshalBinary() ([]byte, error) {`
`106`	`106`	`if err != nil {`
`107`	`107`	`return nil, err`
`108`	`108`	`}`
`109`		`- return append(skA, skB...), nil`
	`109`	`+ return concat(skA, skB), nil`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`func (k *hybridKEMPrivKey) Equal(sk kem.PrivateKey) bool {`
`@@ -143,7 +143,7 @@ func (k hybridKEMPubKey) MarshalBinary() ([]byte, error) {`
`143`	`143`	`if err != nil {`
`144`	`144`	`return nil, err`
`145`	`145`	`}`
`146`		`- return append(pkA, pkB...), nil`
	`146`	`+ return concat(pkA, pkB), nil`
`147`	`147`	`}`
`148`	`148`
`149`	`149`	`func (k *hybridKEMPubKey) Equal(pk kem.PublicKey) bool {`
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ func (c *sealContext) MarshalBinary() ([]byte, error) {`
`106`	`106`	`if err != nil {`
`107`	`107`	`return nil, err`
`108`	`108`	`}`
`109`		`- return append([]byte{0}, rawContext...), nil`
	`109`	`+ return concat([]byte{0}, rawContext), nil`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`// UnmarshalSealer parses an HPKE sealer.`
`@@ -134,7 +134,7 @@ func (c *openContext) MarshalBinary() ([]byte, error) {`
`134`	`134`	`if err != nil {`
`135`	`135`	`return nil, err`
`136`	`136`	`}`
`137`		`- return append([]byte{1}, rawContext...), nil`
	`137`	`+ return concat([]byte{1}, rawContext), nil`
`138`	`138`	`}`
`139`	`139`
`140`	`140`	`// UnmarshalOpener parses a serialized HPKE opener and returns the corresponding`