Add ML-KEM Braid API

Split K-PKE.Encrypt and ML-KEM.Encaps into two phases (u and v) to
support protocols like MLKEMBraid that transmit large KEM components
in parallel over bandwidth-constrained channels.

CPA level (indcpa):
- mlk_indcpa_enc_u: computes ct_u from ek_seed, outputs intermediate
  state (sp, epp, sp_cache)
- mlk_indcpa_enc_v: computes ct_v from ek_vector using intermediate
  state from enc_u

CCA KEM level (kem):
- mlk_kem_enc_derand_u: FO transform + enc_u, outputs shared secret
  and intermediate state; only needs ek_seed and H(pk)
- mlk_kem_enc_v: modulus check on ek_vector + enc_v; only needs
  ek_vector

epp is serialized as 4-bit nibbles (ETA2 - x) to provide a natural
coefficient bound on deserialization; sp is serialized as 16-bit LE.
The shared sp mulcache is computed once and threaded through enc_u/enc_v.

Includes CBMC contracts and proofs for the new functions, the
MLK_CONFIG_ENABLE_MLKEM_BRAID configuration option exposing the API,
recomputed peak stack consumption values, and OpenTitan work buffer
size updates.

The test verifies that the incremental API produces identical
ciphertexts and shared secrets as the standard API across all three
parameter sets.

Co-authored-by: Hanno Becker <beckphan@amazon.co.uk>
Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>

Author: mkannwischer

.github/actions/config-variations/action.yml

@@ -11,7 +11,7 @@ inputs:
     description: 'List of tests to run (space-separated IDs) or "all" for all tests. Available IDs: pct-enabled,
     pct-enabled-broken, custom-alloc-heap, custom-zeroize, native-cap-ON, native-cap-OFF, native-cap-ID_AA64PFR1_EL1,
     native-cap-CPUID_AVX2, no-asm, serial-fips202, custom-randombytes, custom-memcpy, custom-memset, custom-stdlib,
-    nblocks-1, nblocks-2, nblocks-4'
+    mlkem-braid, nblocks-1, nblocks-2, nblocks-4'
     required: false
     default: 'all'
   opt:
@@ -231,6 +231,21 @@ runs:
         examples: false # Some examples use a custom config themselves
         alloc: false # Requires custom config
         rng_fail: true
+    - name: "ML-KEM Braid (incremental encapsulation API)"
+      if: ${{ inputs.tests == 'all' || contains(inputs.tests, 'mlkem-braid') }}
+      uses: ./.github/actions/multi-functest
+      with:
+        gh_token: ${{ inputs.gh_token }}
+        compile_mode: native
+        cflags: "-std=c11 -D_GNU_SOURCE -Itest -DMLK_CONFIG_FILE=\\\\\\\"configs/test_mlkem_braid_config.h\\\\\\\" -fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all"
+        ldflags: "-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all"
+        func: true
+        kat: true
+        acvp: true
+        opt: ${{ inputs.opt }}
+        examples: false
+        alloc: false
+        rng_fail: true
     - name: "MLKEM_GEN_MATRIX_NBLOCKS=1"
       if: ${{ inputs.tests == 'all' || contains(inputs.tests, 'nblocks-1') }}
       uses: ./.github/actions/multi-functest

.github/workflows/integration-pavona.yml

@@ -79,6 +79,11 @@ jobs:
           echo "=== Patched extensions.bzl ==="
           cat third_party/mlkem_native/extensions.bzl
 
+      - name: Update work buffer sizes
+        run: |
+          cd "$PAVONA_DIR"
+          git apply "$GITHUB_WORKSPACE/integration/pavona/update-alloc-sizes.patch"
+
       - name: Patch functest to only test deterministic API
         run: |
           cd "$PAVONA_DIR"

BIBLIOGRAPHY.md

@@ -91,6 +91,7 @@ source code and documentation.
   - [test/configs/no_asm_config.h](test/configs/no_asm_config.h)
   - [test/configs/serial_fips202_config.h](test/configs/serial_fips202_config.h)
   - [test/configs/test_alloc_config.h](test/configs/test_alloc_config.h)
+  - [test/configs/test_mlkem_braid_config.h](test/configs/test_mlkem_braid_config.h)
 
 ### `FIPS202`
 
@@ -154,6 +155,7 @@ source code and documentation.
   - [test/configs/no_asm_config.h](test/configs/no_asm_config.h)
   - [test/configs/serial_fips202_config.h](test/configs/serial_fips202_config.h)
   - [test/configs/test_alloc_config.h](test/configs/test_alloc_config.h)
+  - [test/configs/test_mlkem_braid_config.h](test/configs/test_mlkem_braid_config.h)
 
 ### `HOL-Light`
 

examples/basic_deterministic/mlkem_native/mlkem_native_config.h

@@ -152,6 +152,16 @@
  */
 /* #define MLK_CONFIG_CONSTANTS_ONLY */
 
+/******************************************************************************
+ * Name:        MLK_CONFIG_ENABLE_MLKEM_BRAID
+ *
+ * Description: If this option is set, mlkem-native exposes the incremental
+ *              encapsulation API (mlk_kem_enc_derand_u, mlk_kem_enc_v)
+ *              needed for the ML-KEM Braid protocol.
+ *
+ *****************************************************************************/
+/* #define MLK_CONFIG_ENABLE_MLKEM_BRAID */
+
 /******************************************************************************
  *
  * Build-only configuration options

examples/bring_your_own_fips202/mlkem_native/mlkem_native_config.h

@@ -152,6 +152,16 @@
  */
 /* #define MLK_CONFIG_CONSTANTS_ONLY */
 
+/******************************************************************************
+ * Name:        MLK_CONFIG_ENABLE_MLKEM_BRAID
+ *
+ * Description: If this option is set, mlkem-native exposes the incremental
+ *              encapsulation API (mlk_kem_enc_derand_u, mlk_kem_enc_v)
+ *              needed for the ML-KEM Braid protocol.
+ *
+ *****************************************************************************/
+/* #define MLK_CONFIG_ENABLE_MLKEM_BRAID */
+
 /******************************************************************************
  *
  * Build-only configuration options

examples/bring_your_own_fips202_static/mlkem_native/mlkem_native_config.h

@@ -153,6 +153,16 @@
  */
 /* #define MLK_CONFIG_CONSTANTS_ONLY */
 
+/******************************************************************************
+ * Name:        MLK_CONFIG_ENABLE_MLKEM_BRAID
+ *
+ * Description: If this option is set, mlkem-native exposes the incremental
+ *              encapsulation API (mlk_kem_enc_derand_u, mlk_kem_enc_v)
+ *              needed for the ML-KEM Braid protocol.
+ *
+ *****************************************************************************/
+/* #define MLK_CONFIG_ENABLE_MLKEM_BRAID */
+
 /******************************************************************************
  *
  * Build-only configuration options

examples/custom_backend/mlkem_native/mlkem_native_config.h

@@ -154,6 +154,16 @@
  */
 /* #define MLK_CONFIG_CONSTANTS_ONLY */
 
+/******************************************************************************
+ * Name:        MLK_CONFIG_ENABLE_MLKEM_BRAID
+ *
+ * Description: If this option is set, mlkem-native exposes the incremental
+ *              encapsulation API (mlk_kem_enc_derand_u, mlk_kem_enc_v)
+ *              needed for the ML-KEM Braid protocol.
+ *
+ *****************************************************************************/
+/* #define MLK_CONFIG_ENABLE_MLKEM_BRAID */
+
 /******************************************************************************
  *
  * Build-only configuration options

examples/monolithic_build/mlkem_native/mlkem_native_config.h

@@ -151,6 +151,16 @@
  */
 /* #define MLK_CONFIG_CONSTANTS_ONLY */
 
+/******************************************************************************
+ * Name:        MLK_CONFIG_ENABLE_MLKEM_BRAID
+ *
+ * Description: If this option is set, mlkem-native exposes the incremental
+ *              encapsulation API (mlk_kem_enc_derand_u, mlk_kem_enc_v)
+ *              needed for the ML-KEM Braid protocol.
+ *
+ *****************************************************************************/
+/* #define MLK_CONFIG_ENABLE_MLKEM_BRAID */
+
 /******************************************************************************
  *
  * Build-only configuration options

examples/monolithic_build_multilevel/mlkem_native/mlkem_native_config.h

@@ -153,6 +153,16 @@
  */
 /* #define MLK_CONFIG_CONSTANTS_ONLY */
 
+/******************************************************************************
+ * Name:        MLK_CONFIG_ENABLE_MLKEM_BRAID
+ *
+ * Description: If this option is set, mlkem-native exposes the incremental
+ *              encapsulation API (mlk_kem_enc_derand_u, mlk_kem_enc_v)
+ *              needed for the ML-KEM Braid protocol.
+ *
+ *****************************************************************************/
+/* #define MLK_CONFIG_ENABLE_MLKEM_BRAID */
+
 /******************************************************************************
  *
  * Build-only configuration options

examples/monolithic_build_multilevel_native/Makefile

@@ -23,6 +23,7 @@ CFLAGS := \
 	-Wno-long-long \
 	-Wno-unknown-pragmas \
 	-Wno-unused-command-line-argument \
+	-Wno-unused-function \
 	-O3 \
 	-fomit-frame-pointer \
 	-std=c99 \