Add ML-KEM-1024 KEM support in HPKE (#14694)

alex · claude · web-flow · commit 798801d89e98 · 2026-04-19T10:30:40.000-05:00
* Add ML-KEM-1024 KEM support in HPKE

Extends the existing HPKE ML-KEM-768 support to also handle ML-KEM-1024
(KEM ID 0x0042) per draft-connolly-cfrg-hpke-mlkem.

* Address review: drop redundant ML-KEM-1024 unreachable tests, use pytest.mark.supported

- Remove MLKEM1024 unreachable panic tests whose match arms are shared
  with MLKEM768 (generate_key, serialize/deserialize_public_key, exchange,
  kem_hash_algorithm). Keep the MLKEM1024 secret_length test since it
  exercises a distinct match arm.
- Change homogeneous `(KEM.MLKEM768, KEM.MLKEM1024)` tuples to lists.
- Convert ML-KEM single-KEM tests to pytest.mark.supported(only_if=...)
  instead of in-body backend.mlkem_supported() skip checks.

---------

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/docs/hazmat/primitives/hpke.rst b/docs/hazmat/primitives/hpke.rst
@@ -98,6 +98,11 @@ specifying auxiliary authenticated information.
         ML-KEM-768. Post-quantum secure. Only available on backends that
         support ML-KEM.
 
+    .. attribute:: MLKEM1024
+
+        ML-KEM-1024. Post-quantum secure. Only available on backends that
+        support ML-KEM.
+
 .. class:: KDF
 
     An enumeration of key derivation functions.
diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/hpke.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/hpke.pyi
@@ -11,6 +11,7 @@ class KEM:
     P384: KEM
     P521: KEM
     MLKEM768: KEM
+    MLKEM1024: KEM
 
 class KDF:
     HKDF_SHA256: KDF
@@ -31,15 +32,17 @@ class Suite:
         plaintext: Buffer,
         public_key: x25519.X25519PublicKey
         | ec.EllipticCurvePublicKey
-        | mlkem.MLKEM768PublicKey,
+        | mlkem.MLKEM768PublicKey
+        | mlkem.MLKEM1024PublicKey,
         info: Buffer | None = None,
     ) -> bytes: ...
     def decrypt(
         self,
         ciphertext: Buffer,
         private_key: x25519.X25519PrivateKey
         | ec.EllipticCurvePrivateKey
-        | mlkem.MLKEM768PrivateKey,
+        | mlkem.MLKEM768PrivateKey
+        | mlkem.MLKEM1024PrivateKey,
         info: Buffer | None = None,
     ) -> bytes: ...
 
@@ -48,7 +51,8 @@ def _encrypt_with_aad(
     plaintext: Buffer,
     public_key: x25519.X25519PublicKey
     | ec.EllipticCurvePublicKey
-    | mlkem.MLKEM768PublicKey,
+    | mlkem.MLKEM768PublicKey
+    | mlkem.MLKEM1024PublicKey,
     info: Buffer | None = None,
     aad: Buffer | None = None,
 ) -> bytes: ...
@@ -57,7 +61,8 @@ def _decrypt_with_aad(
     ciphertext: Buffer,
     private_key: x25519.X25519PrivateKey
     | ec.EllipticCurvePrivateKey
-    | mlkem.MLKEM768PrivateKey,
+    | mlkem.MLKEM768PrivateKey
+    | mlkem.MLKEM1024PrivateKey,
     info: Buffer | None = None,
     aad: Buffer | None = None,
 ) -> bytes: ...
diff --git a/src/rust/src/backend/hpke.rs b/src/rust/src/backend/hpke.rs
@@ -45,6 +45,10 @@ mod kem_params {
     pub const MLKEM768_ID: u16 = 0x0041;
     pub const MLKEM768_NSECRET: usize = 32;
     pub const MLKEM768_NENC: usize = 1088;
+
+    pub const MLKEM1024_ID: u16 = 0x0042;
+    pub const MLKEM1024_NSECRET: usize = 32;
+    pub const MLKEM1024_NENC: usize = 1568;
 }
 
 mod kdf_params {
@@ -89,6 +93,7 @@ pub(crate) enum KEM {
     P384,
     P521,
     MLKEM768,
+    MLKEM1024,
 }
 
 impl KEM {
@@ -153,6 +158,7 @@ impl KEM {
             KEM::P384 => kem_params::P384_ID,
             KEM::P521 => kem_params::P521_ID,
             KEM::MLKEM768 => kem_params::MLKEM768_ID,
+            KEM::MLKEM1024 => kem_params::MLKEM1024_ID,
         }
     }
 
@@ -163,6 +169,7 @@ impl KEM {
             KEM::P384 => kem_params::P384_NSECRET,
             KEM::P521 => kem_params::P521_NSECRET,
             KEM::MLKEM768 => kem_params::MLKEM768_NSECRET,
+            KEM::MLKEM1024 => kem_params::MLKEM1024_NSECRET,
         }
     }
 
@@ -173,6 +180,7 @@ impl KEM {
             KEM::P384 => kem_params::P384_NENC,
             KEM::P521 => kem_params::P521_NENC,
             KEM::MLKEM768 => kem_params::MLKEM768_NENC,
+            KEM::MLKEM1024 => kem_params::MLKEM1024_NENC,
         }
     }
 
@@ -221,6 +229,15 @@ impl KEM {
                     ));
                 }
             }
+            KEM::MLKEM1024 => {
+                if !key.is_instance(&types::MLKEM1024_PUBLIC_KEY.get(py)?)? {
+                    return Err(CryptographyError::from(
+                        pyo3::exceptions::PyTypeError::new_err(
+                            "Expected MLKEM1024PublicKey for KEM.MLKEM1024",
+                        ),
+                    ));
+                }
+            }
         }
         Ok(())
     }
@@ -270,6 +287,15 @@ impl KEM {
                     ));
                 }
             }
+            KEM::MLKEM1024 => {
+                if !key.is_instance(&types::MLKEM1024_PRIVATE_KEY.get(py)?)? {
+                    return Err(CryptographyError::from(
+                        pyo3::exceptions::PyTypeError::new_err(
+                            "Expected MLKEM1024PrivateKey for KEM.MLKEM1024",
+                        ),
+                    ));
+                }
+            }
         }
         Ok(())
     }
@@ -284,7 +310,7 @@ impl KEM {
         pyo3::Bound<'p, pyo3::types::PyBytes>,
     )> {
         match self {
-            KEM::MLKEM768 => {
+            KEM::MLKEM768 | KEM::MLKEM1024 => {
                 let result = pk_r.call_method0(pyo3::intern!(py, "encapsulate"))?;
                 Ok(result.extract()?)
             }
@@ -302,7 +328,7 @@ impl KEM {
         kem_suite_id: &[u8; 5],
     ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
         match self {
-            KEM::MLKEM768 => {
+            KEM::MLKEM768 | KEM::MLKEM1024 => {
                 let enc_bytes = pyo3::types::PyBytes::new(py, enc);
                 Ok(sk_r
                     .call_method1(pyo3::intern!(py, "decapsulate"), (enc_bytes,))?
@@ -446,8 +472,8 @@ impl KEM {
                         .into_any(),
                 )
             }
-            KEM::MLKEM768 => {
-                unreachable!("ML-KEM-768 does not generate an ephemeral DH key")
+            KEM::MLKEM768 | KEM::MLKEM1024 => {
+                unreachable!("ML-KEM does not generate an ephemeral DH key")
             }
         }
     }
@@ -470,8 +496,8 @@ impl KEM {
                     ),
                 )?
                 .extract()?),
-            KEM::MLKEM768 => {
-                unreachable!("ML-KEM-768 public keys are not serialized via this path")
+            KEM::MLKEM768 | KEM::MLKEM1024 => {
+                unreachable!("ML-KEM public keys are not serialized via this path")
             }
         }
     }
@@ -495,8 +521,8 @@ impl KEM {
                 let secp521r1 = types::SECP521R1.get(py)?.call0()?;
                 Ok(pyo3::Bound::new(py, ec::from_public_bytes(py, secp521r1, data)?)?.into_any())
             }
-            KEM::MLKEM768 => {
-                unreachable!("ML-KEM-768 encapsulated key is a ciphertext, not a public key")
+            KEM::MLKEM768 | KEM::MLKEM1024 => {
+                unreachable!("ML-KEM encapsulated key is a ciphertext, not a public key")
             }
         }
     }
@@ -515,8 +541,8 @@ impl KEM {
                 let ecdh = types::ECDH.get(py)?.call0()?;
                 Ok(private_key.call_method1(pyo3::intern!(py, "exchange"), (&ecdh, public_key))?)
             }
-            KEM::MLKEM768 => {
-                unreachable!("ML-KEM-768 does not perform a Diffie-Hellman exchange")
+            KEM::MLKEM768 | KEM::MLKEM1024 => {
+                unreachable!("ML-KEM does not perform a Diffie-Hellman exchange")
             }
         }
     }
@@ -529,8 +555,8 @@ impl KEM {
             KEM::X25519 | KEM::P256 => Ok(types::SHA256.get(py)?.call0()?),
             KEM::P384 => Ok(types::SHA384.get(py)?.call0()?),
             KEM::P521 => Ok(types::SHA512.get(py)?.call0()?),
-            KEM::MLKEM768 => {
-                unreachable!("ML-KEM-768 does not use a KEM hash algorithm")
+            KEM::MLKEM768 | KEM::MLKEM1024 => {
+                unreachable!("ML-KEM does not use a KEM hash algorithm")
             }
         }
     }
@@ -994,7 +1020,15 @@ mod tests {
     }
 
     #[test]
-    #[should_panic(expected = "ML-KEM-768 does not generate an ephemeral DH key")]
+    fn test_mlkem1024_secret_length() {
+        assert_eq!(
+            KEM::MLKEM1024.secret_length(),
+            kem_params::MLKEM1024_NSECRET
+        );
+    }
+
+    #[test]
+    #[should_panic(expected = "ML-KEM does not generate an ephemeral DH key")]
     fn test_mlkem768_generate_key_unreachable() {
         pyo3::Python::initialize();
 
@@ -1004,7 +1038,7 @@ mod tests {
     }
 
     #[test]
-    #[should_panic(expected = "ML-KEM-768 public keys are not serialized via this path")]
+    #[should_panic(expected = "ML-KEM public keys are not serialized via this path")]
     fn test_mlkem768_serialize_public_key_unreachable() {
         pyo3::Python::initialize();
 
@@ -1015,7 +1049,7 @@ mod tests {
     }
 
     #[test]
-    #[should_panic(expected = "ML-KEM-768 encapsulated key is a ciphertext, not a public key")]
+    #[should_panic(expected = "ML-KEM encapsulated key is a ciphertext, not a public key")]
     fn test_mlkem768_deserialize_public_key_unreachable() {
         pyo3::Python::initialize();
 
@@ -1025,7 +1059,7 @@ mod tests {
     }
 
     #[test]
-    #[should_panic(expected = "ML-KEM-768 does not perform a Diffie-Hellman exchange")]
+    #[should_panic(expected = "ML-KEM does not perform a Diffie-Hellman exchange")]
     fn test_mlkem768_exchange_unreachable() {
         pyo3::Python::initialize();
 
@@ -1036,7 +1070,7 @@ mod tests {
     }
 
     #[test]
-    #[should_panic(expected = "ML-KEM-768 does not use a KEM hash algorithm")]
+    #[should_panic(expected = "ML-KEM does not use a KEM hash algorithm")]
     fn test_mlkem768_kem_hash_algorithm_unreachable() {
         pyo3::Python::initialize();
 
diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs
@@ -423,6 +423,14 @@ pub static MLKEM768_PRIVATE_KEY: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.primitives.asymmetric.mlkem",
     &["MLKEM768PrivateKey"],
 );
+pub static MLKEM1024_PUBLIC_KEY: LazyPyImport = LazyPyImport::new(
+    "cryptography.hazmat.primitives.asymmetric.mlkem",
+    &["MLKEM1024PublicKey"],
+);
+pub static MLKEM1024_PRIVATE_KEY: LazyPyImport = LazyPyImport::new(
+    "cryptography.hazmat.primitives.asymmetric.mlkem",
+    &["MLKEM1024PrivateKey"],
+);
 
 pub static ED25519_PRIVATE_KEY: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.primitives.asymmetric.ed25519",
diff --git a/tests/hazmat/primitives/test_hpke.py b/tests/hazmat/primitives/test_hpke.py

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,10 @@ mod kem_params {`
`45`	`45`	`pub const MLKEM768_ID: u16 = 0x0041;`
`46`	`46`	`pub const MLKEM768_NSECRET: usize = 32;`
`47`	`47`	`pub const MLKEM768_NENC: usize = 1088;`
	`48`	`+`
	`49`	`+ pub const MLKEM1024_ID: u16 = 0x0042;`
	`50`	`+ pub const MLKEM1024_NSECRET: usize = 32;`
	`51`	`+ pub const MLKEM1024_NENC: usize = 1568;`
`48`	`52`	`}`
`49`	`53`
`50`	`54`	`mod kdf_params {`
`@@ -89,6 +93,7 @@ pub(crate) enum KEM {`
`89`	`93`	`P384,`
`90`	`94`	`P521,`
`91`	`95`	`MLKEM768,`
	`96`	`+ MLKEM1024,`
`92`	`97`	`}`
`93`	`98`
`94`	`99`	`impl KEM {`
`@@ -153,6 +158,7 @@ impl KEM {`
`153`	`158`	`KEM::P384 => kem_params::P384_ID,`
`154`	`159`	`KEM::P521 => kem_params::P521_ID,`
`155`	`160`	`KEM::MLKEM768 => kem_params::MLKEM768_ID,`
	`161`	`+ KEM::MLKEM1024 => kem_params::MLKEM1024_ID,`
`156`	`162`	`}`
`157`	`163`	`}`
`158`	`164`
`@@ -163,6 +169,7 @@ impl KEM {`
`163`	`169`	`KEM::P384 => kem_params::P384_NSECRET,`
`164`	`170`	`KEM::P521 => kem_params::P521_NSECRET,`
`165`	`171`	`KEM::MLKEM768 => kem_params::MLKEM768_NSECRET,`
	`172`	`+ KEM::MLKEM1024 => kem_params::MLKEM1024_NSECRET,`
`166`	`173`	`}`
`167`	`174`	`}`
`168`	`175`
`@@ -173,6 +180,7 @@ impl KEM {`
`173`	`180`	`KEM::P384 => kem_params::P384_NENC,`
`174`	`181`	`KEM::P521 => kem_params::P521_NENC,`
`175`	`182`	`KEM::MLKEM768 => kem_params::MLKEM768_NENC,`
	`183`	`+ KEM::MLKEM1024 => kem_params::MLKEM1024_NENC,`
`176`	`184`	`}`
`177`	`185`	`}`
`178`	`186`
`@@ -221,6 +229,15 @@ impl KEM {`
`221`	`229`	`));`
`222`	`230`	`}`
`223`	`231`	`}`
	`232`	`+ KEM::MLKEM1024 => {`
	`233`	`+ if !key.is_instance(&types::MLKEM1024_PUBLIC_KEY.get(py)?)? {`
	`234`	`+ return Err(CryptographyError::from(`
	`235`	`+ pyo3::exceptions::PyTypeError::new_err(`
	`236`	`+ "Expected MLKEM1024PublicKey for KEM.MLKEM1024",`
	`237`	`+ ),`
	`238`	`+ ));`
	`239`	`+ }`
	`240`	`+ }`
`224`	`241`	`}`
`225`	`242`	`Ok(())`
`226`	`243`	`}`
`@@ -270,6 +287,15 @@ impl KEM {`
`270`	`287`	`));`
`271`	`288`	`}`
`272`	`289`	`}`
	`290`	`+ KEM::MLKEM1024 => {`
	`291`	`+ if !key.is_instance(&types::MLKEM1024_PRIVATE_KEY.get(py)?)? {`
	`292`	`+ return Err(CryptographyError::from(`
	`293`	`+ pyo3::exceptions::PyTypeError::new_err(`
	`294`	`+ "Expected MLKEM1024PrivateKey for KEM.MLKEM1024",`
	`295`	`+ ),`
	`296`	`+ ));`
	`297`	`+ }`
	`298`	`+ }`
`273`	`299`	`}`
`274`	`300`	`Ok(())`
`275`	`301`	`}`
`@@ -284,7 +310,7 @@ impl KEM {`
`284`	`310`	`pyo3::Bound<'p, pyo3::types::PyBytes>,`
`285`	`311`	`)> {`
`286`	`312`	`match self {`
`287`		`- KEM::MLKEM768 => {`
	`313`	`+ KEM::MLKEM768 \| KEM::MLKEM1024 => {`
`288`	`314`	`let result = pk_r.call_method0(pyo3::intern!(py, "encapsulate"))?;`
`289`	`315`	`Ok(result.extract()?)`
`290`	`316`	`}`
`@@ -302,7 +328,7 @@ impl KEM {`
`302`	`328`	`kem_suite_id: &[u8; 5],`
`303`	`329`	`) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {`
`304`	`330`	`match self {`
`305`		`- KEM::MLKEM768 => {`
	`331`	`+ KEM::MLKEM768 \| KEM::MLKEM1024 => {`
`306`	`332`	`let enc_bytes = pyo3::types::PyBytes::new(py, enc);`
`307`	`333`	`Ok(sk_r`
`308`	`334`	`.call_method1(pyo3::intern!(py, "decapsulate"), (enc_bytes,))?`
`@@ -446,8 +472,8 @@ impl KEM {`
`446`	`472`	`.into_any(),`
`447`	`473`	`)`
`448`	`474`	`}`
`449`		`- KEM::MLKEM768 => {`
`450`		`- unreachable!("ML-KEM-768 does not generate an ephemeral DH key")`
	`475`	`+ KEM::MLKEM768 \| KEM::MLKEM1024 => {`
	`476`	`+ unreachable!("ML-KEM does not generate an ephemeral DH key")`
`451`	`477`	`}`
`452`	`478`	`}`
`453`	`479`	`}`
`@@ -470,8 +496,8 @@ impl KEM {`
`470`	`496`	`),`
`471`	`497`	`)?`
`472`	`498`	`.extract()?),`
`473`		`- KEM::MLKEM768 => {`
`474`		`- unreachable!("ML-KEM-768 public keys are not serialized via this path")`
	`499`	`+ KEM::MLKEM768 \| KEM::MLKEM1024 => {`
	`500`	`+ unreachable!("ML-KEM public keys are not serialized via this path")`
`475`	`501`	`}`
`476`	`502`	`}`
`477`	`503`	`}`
`@@ -495,8 +521,8 @@ impl KEM {`
`495`	`521`	`let secp521r1 = types::SECP521R1.get(py)?.call0()?;`
`496`	`522`	`Ok(pyo3::Bound::new(py, ec::from_public_bytes(py, secp521r1, data)?)?.into_any())`
`497`	`523`	`}`
`498`		`- KEM::MLKEM768 => {`
`499`		`- unreachable!("ML-KEM-768 encapsulated key is a ciphertext, not a public key")`
	`524`	`+ KEM::MLKEM768 \| KEM::MLKEM1024 => {`
	`525`	`+ unreachable!("ML-KEM encapsulated key is a ciphertext, not a public key")`
`500`	`526`	`}`
`501`	`527`	`}`
`502`	`528`	`}`
`@@ -515,8 +541,8 @@ impl KEM {`
`515`	`541`	`let ecdh = types::ECDH.get(py)?.call0()?;`
`516`	`542`	`Ok(private_key.call_method1(pyo3::intern!(py, "exchange"), (&ecdh, public_key))?)`
`517`	`543`	`}`
`518`		`- KEM::MLKEM768 => {`
`519`		`- unreachable!("ML-KEM-768 does not perform a Diffie-Hellman exchange")`
	`544`	`+ KEM::MLKEM768 \| KEM::MLKEM1024 => {`
	`545`	`+ unreachable!("ML-KEM does not perform a Diffie-Hellman exchange")`
`520`	`546`	`}`
`521`	`547`	`}`
`522`	`548`	`}`
`@@ -529,8 +555,8 @@ impl KEM {`
`529`	`555`	`KEM::X25519 \| KEM::P256 => Ok(types::SHA256.get(py)?.call0()?),`
`530`	`556`	`KEM::P384 => Ok(types::SHA384.get(py)?.call0()?),`
`531`	`557`	`KEM::P521 => Ok(types::SHA512.get(py)?.call0()?),`
`532`		`- KEM::MLKEM768 => {`
`533`		`- unreachable!("ML-KEM-768 does not use a KEM hash algorithm")`
	`558`	`+ KEM::MLKEM768 \| KEM::MLKEM1024 => {`
	`559`	`+ unreachable!("ML-KEM does not use a KEM hash algorithm")`
`534`	`560`	`}`
`535`	`561`	`}`
`536`	`562`	`}`
`@@ -994,7 +1020,15 @@ mod tests {`
`994`	`1020`	`}`
`995`	`1021`
`996`	`1022`	`#[test]`
`997`		`- #[should_panic(expected = "ML-KEM-768 does not generate an ephemeral DH key")]`
	`1023`	`+ fn test_mlkem1024_secret_length() {`
	`1024`	`+ assert_eq!(`
	`1025`	`+ KEM::MLKEM1024.secret_length(),`
	`1026`	`+ kem_params::MLKEM1024_NSECRET`
	`1027`	`+ );`
	`1028`	`+ }`
	`1029`	`+`
	`1030`	`+ #[test]`
	`1031`	`+ #[should_panic(expected = "ML-KEM does not generate an ephemeral DH key")]`
`998`	`1032`	`fn test_mlkem768_generate_key_unreachable() {`
`999`	`1033`	`pyo3::Python::initialize();`
`1000`	`1034`
`@@ -1004,7 +1038,7 @@ mod tests {`
`1004`	`1038`	`}`
`1005`	`1039`
`1006`	`1040`	`#[test]`
`1007`		`- #[should_panic(expected = "ML-KEM-768 public keys are not serialized via this path")]`
	`1041`	`+ #[should_panic(expected = "ML-KEM public keys are not serialized via this path")]`
`1008`	`1042`	`fn test_mlkem768_serialize_public_key_unreachable() {`
`1009`	`1043`	`pyo3::Python::initialize();`
`1010`	`1044`
`@@ -1015,7 +1049,7 @@ mod tests {`
`1015`	`1049`	`}`
`1016`	`1050`
`1017`	`1051`	`#[test]`
`1018`		`- #[should_panic(expected = "ML-KEM-768 encapsulated key is a ciphertext, not a public key")]`
	`1052`	`+ #[should_panic(expected = "ML-KEM encapsulated key is a ciphertext, not a public key")]`
`1019`	`1053`	`fn test_mlkem768_deserialize_public_key_unreachable() {`
`1020`	`1054`	`pyo3::Python::initialize();`
`1021`	`1055`
`@@ -1025,7 +1059,7 @@ mod tests {`
`1025`	`1059`	`}`
`1026`	`1060`
`1027`	`1061`	`#[test]`
`1028`		`- #[should_panic(expected = "ML-KEM-768 does not perform a Diffie-Hellman exchange")]`
	`1062`	`+ #[should_panic(expected = "ML-KEM does not perform a Diffie-Hellman exchange")]`
`1029`	`1063`	`fn test_mlkem768_exchange_unreachable() {`
`1030`	`1064`	`pyo3::Python::initialize();`
`1031`	`1065`
`@@ -1036,7 +1070,7 @@ mod tests {`
`1036`	`1070`	`}`
`1037`	`1071`
`1038`	`1072`	`#[test]`
`1039`		`- #[should_panic(expected = "ML-KEM-768 does not use a KEM hash algorithm")]`
	`1073`	`+ #[should_panic(expected = "ML-KEM does not use a KEM hash algorithm")]`
`1040`	`1074`	`fn test_mlkem768_kem_hash_algorithm_unreachable() {`
`1041`	`1075`	`pyo3::Python::initialize();`
`1042`	`1076`