
Commit 977ec1e

Merged PR 11273883: Implement ML-KEM
## Description:
+ Adds ML-KEM API surface
+ Implements the API with an initial C implementation, with a sprinkling of SSE/NEON for (I)NTT
+ Adds low-level ML-KEM polynomial arithmetic testing, which tests self-consistency and exercises internal assertions in debug builds
+ Adds multi-implementation functionality testing to enable comparative functionality and performance testing on E2E functionality
+ For now, comparison testing is just between SymCrypt static and dynamic, with 3rd party comparison with libcrux disabled until they publish a final ML-KEM implementation
+ Adds ML-KEM KATs from NIST

Related work items: #50913735
1 parent 3b4cad7 commit 977ec1e

47 files changed

Lines changed: 23798 additions & 8581 deletions


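--- a/.config/CredScanSuppressions.json
+++ b/.config/CredScanSuppressions.json
@@ -0,0 +1,16 @@
+{
+"tool": "Credential Scanner",
+"suppressions": [
+{
+"file": [
+"3rdparty/hacl-packages/rust/tests/wycheproof/ecdh_secp256r1_ecpoint_test.json",
+"3rdparty/hacl-packages/rust/tests/wycheproof/x25519_test.json",
+"3rdparty/hacl-packages/tests/k256_ecdh/ecdh_secp256k1_test.json",
+"3rdparty/hacl-packages/tests/kyber/kyber768_nistkats.json",
+"3rdparty/hacl-packages/tests/p256_ecdh/ecdh_secp256r1_ecpoint_test.json",
+"3rdparty/hacl-packages/tests/x25519/x25519_test.json"
+],
+"_justification": "Known answer tests included in hacl-packages submodule are incorrectly identified as secrets"
+}
+]
+}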
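Review bot: Each entry under `file` suppresses every Credential Scanner finding in that path, not only the known-answer vectors that caused the false positives, so a real secret that later appears in one of these six files after a submodule update would go unreported. If the scanner configuration allows per-finding suppression, that would keep the exemption as narrow as the justification describes. Failing that, the re-check could be recorded in the file itself, e.g. `"_justification": "Known answer test vectors in the hacl-packages submodule are incorrectly identified as secrets; re-review these files on every submodule update"`. The paths point into `3rdparty/hacl-packages`, while the `.gitmodules` change in this commit leaves that submodule commented out, so it is worth confirming the files exist in the scanned tree today.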

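--- a/.gitmodules
+++ b/.gitmodules
@@ -6,3 +6,9 @@
 path = 3rdparty/jitterentropy-library
 url = https://github.com/smuellerDD/jitterentropy-library
 ignore = untracked
+
+# To-be updated with final ML-KEM in hacl-packages
+# [submodule "libcrux"]
+# path = 3rdparty/hacl-packages
+# url = https://github.com/cryspen/hacl-packages
+# ignore = untracked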
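Review bot: The commented-out section is named `[submodule "libcrux"]`, but its `path` and `url` both refer to `hacl-packages`, and the CredScan suppression list added in this commit also uses `3rdparty/hacl-packages/`. If the block is uncommented as written, the submodule name will not match the repository it checks out, which makes it harder to audit which third-party code the `--libcrux` build actually uses. Suggest `# [submodule "hacl-packages"]`, or change `path` and `url` together if libcrux is the intended repository.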

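--- a/.pipelines/OneBranch.PullRequest.yml
+++ b/.pipelines/OneBranch.PullRequest.yml
@@ -37,6 +37,7 @@ extends:
 break: true # always break the build on policheck issues.
 binskim:
 enabled: false # Temporarily disable binskim until we sort out BA2018 errors
+credscanSuppressionsPath: $(Build.SourcesDirectory)/.config/CredScanSuppressions.json
 
 stages:
 - stage: Set_Version
@@ -74,6 +75,7 @@ extends:
 arch: 'AMD64'
 config: 'Release'
 additionalArgs: '--test-legacy-impl'
+libcrux: true
 - template: .pipelines/templates/build-windows-cmake.yml@self
 parameters:
 arch: 'ARM64'
@@ -88,6 +90,7 @@ extends:
 skipTests: true
 additionalArgs: '--no-asm'
 identifier: 'NoAsm'
+libcrux: true
 - template: .pipelines/templates/build-windows-cmake.yml@self
 parameters:
 arch: 'X86'
@@ -98,6 +101,7 @@ extends:
 arch: 'X86'
 config: 'Release'
 additionalArgs: '--test-legacy-impl'
+libcrux: true
 - template: .pipelines/templates/build-windows-cmake.yml@self
 parameters:
 arch: 'AMD64'
@@ -137,6 +141,7 @@ extends:
 cc: 'gcc'
 cxx: 'g++'
 openssl: true
+libcrux: true
 - template: .pipelines/templates/build-linux.yml@self
 parameters:
 arch: 'AMD64'
@@ -158,6 +163,7 @@ extends:
 cc: 'clang'
 cxx: 'clang++'
 openssl: true
+libcrux: true
 - template: .pipelines/templates/build-linux.yml@self
 parameters:
 arch: 'AMD64'
@@ -210,6 +216,7 @@ extends:
 cc: 'clang'
 cxx: 'clang++'
 additionalArgs: '--toolchain=cmake-configs/Toolchain-Clang-ARM64.cmake'
+libcrux: true
 - template: .pipelines/templates/build-linux.yml@self
 parameters:
 arch: 'ARM'
@@ -224,6 +231,7 @@ extends:
 cc: 'gcc'
 cxx: 'g++'
 additionalArgs: '--toolchain=cmake-configs/Toolchain-GCC-ARM.cmake'
+libcrux: true
 
 - stage: Build_macOS
 displayName: Build macOS
@@ -249,4 +257,4 @@ extends:
 arch: 'ARM64'
 config: 'Release'
 additionalArgs: '--no-asm'
-skipTests: true
+skipTests: true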
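Review bot: `libcrux: true` is switched on in seven PR jobs (first at new line 78), but the commit description says the libcrux comparison is disabled, and the `.gitmodules` change in this commit leaves the `3rdparty/hacl-packages` submodule commented out. `scripts/build.py` is not shown on this page, so what `--libcrux` does when those sources are absent cannot be checked from here. If it fetches them at build time, that fetch should be pinned to a specific commit rather than a branch. Until the submodule is in place, either leave the parameter at its default of `false` or mark the dependency on each line, e.g. `libcrux: true # needs 3rdparty/hacl-packages; see .gitmodules`.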

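--- a/.pipelines/OneBranch.WindowsUndocked.PullRequest.yml
+++ b/.pipelines/OneBranch.WindowsUndocked.PullRequest.yml
@@ -37,6 +37,7 @@ extends:
 globalSdl:
 tsa:
 enabled: false # Disable TSA to force build breaks
+credscanSuppressionsPath: $(Build.SourcesDirectory)/.config/CredScanSuppressions.json
 featureFlags:
 EnableCDPxPAT: false
 WindowsHostVersion: '1ESWindows2022'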
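Review bot: The new `credscanSuppressionsPath` line at new line 40 relaxes a security scanner but carries no comment, unlike the `enabled: false` line just above it, which explains itself. Suggest `credscanSuppressionsPath: $(Build.SourcesDirectory)/.config/CredScanSuppressions.json # false positives on third-party KAT vectors only`. The same line is added at new line 40 of `.pipelines/OneBranch.PullRequest.yml`. Indentation is lost in this rendering, so it is also worth confirming that the key sits beside `tsa` under `globalSdl` rather than nested inside it.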

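--- a/.pipelines/templates/build-linux.yml
+++ b/.pipelines/templates/build-linux.yml
@@ -31,7 +31,10 @@ parameters:
 - name: identifier # Additional identifier for job name
 type: string
 default: ''
-- name: openssl # Build with OpenSSL
+- name: openssl # Build with OpenSSL testing
+type: boolean
+default: false
+- name: libcrux # Build with libcrux testing
 type: boolean
 default: false
 
@@ -53,6 +56,10 @@ jobs:
 openssl_build_flag: '--openssl-build-from-source'
 ${{ else }}:
 openssl_build_flag: ''
+${{ if eq(parameters.libcrux, true) }}:
+libcrux_build_flag: '--libcrux'
+${{ else }}:
+libcrux_build_flag: ''
 
 steps:
 - script: |
@@ -107,7 +114,7 @@ jobs:
 inputs:
 scriptSource: 'filePath'
 scriptPath: scripts/build.py
-arguments: 'cmake bin --arch ${{ parameters.arch }} --config ${{ parameters.config }} --cc ${{ parameters.cc }} --cxx ${{ parameters.cxx }} ${{ parameters.additionalArgs }} $(verbose_build_flag) $(openssl_build_flag)'
+arguments: 'cmake bin --arch ${{ parameters.arch }} --config ${{ parameters.config }} --cc ${{ parameters.cc }} --cxx ${{ parameters.cxx }} ${{ parameters.additionalArgs }} $(verbose_build_flag) $(openssl_build_flag) $(libcrux_build_flag)'
 workingDirectory: $(Build.SourcesDirectory)
 
 # Overwrite default artifact publishing with our copy (enables publishing binaries for failed runs)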
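Review bot: The parameter comment `# Build with libcrux testing` at new line 37 does not say that the flag brings third-party code into the build or that it exists for comparison testing, which is what the commit description indicates. Because the template forwards it to `scripts/build.py` as `--libcrux`, a more specific comment would help anyone reusing the template outside PR validation: `- name: libcrux # Test-only: build the libcrux comparison tests (third-party code)`. The same parameter is added at new line 26 of `.pipelines/templates/build-windows-cmake.yml`. Mapping a typed boolean to a fixed flag is a sound choice here, since no caller-supplied text reaches the command line through this parameter.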

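--- a/.pipelines/templates/build-windows-cmake.yml
+++ b/.pipelines/templates/build-windows-cmake.yml
@@ -23,6 +23,9 @@ parameters:
 - name: sign # Sign user-mode binaries. Required by Guardian, even though we don't publish Windows binaries from CMake
 type: boolean
 default: false
+- name: libcrux # Build with libcrux testing
+type: boolean
+default: false
 
 jobs:
 
@@ -39,6 +42,10 @@ jobs:
 verbose_build_flag: '--verbose'
 ${{ else }}:
 verbose_build_flag: ''
+${{ if eq(parameters.libcrux, true) }}:
+libcrux_build_flag: '--libcrux'
+${{ else }}:
+libcrux_build_flag: ''
 
 steps:
 
@@ -47,7 +54,7 @@ jobs:
 inputs:
 scriptSource: 'filePath'
 scriptPath: scripts\build.py
-arguments: 'cmake bin --arch ${{ parameters.arch }} --config ${{ parameters.config }} ${{ parameters.additionalArgs }} $(verbose_build_flag)'
+arguments: 'cmake bin --arch ${{ parameters.arch }} --config ${{ parameters.config }} ${{ parameters.additionalArgs }} $(verbose_build_flag) $(libcrux_build_flag)'
 workingDirectory: $(Build.SourcesDirectory)
 
 # Overwrite default artifact publishing with our copy (enables publishing binaries for failed runs)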
