
Add ML-KEM-768 KEM support in HPKE#14672

Open
alex wants to merge 5 commits into main from claude/add-ml-kem-768-support-NDM7b
Conversation

@alex
Member

@alex alex commented Apr 16, 2026

Summary

  • Add KEM.MLKEM768 variant to HPKE, enabling post-quantum key encapsulation via ML-KEM-768.
  • ML-KEM encap/decap is a proper abstraction on KEM that dispatches cleanly: ML-KEM calls encapsulate/decapsulate directly, DHKEM variants use the existing DH + extract-and-expand path.
  • Includes roundtrip tests, wrong-key tests, ciphertext format tests, test vector validation against hpke-pq-test-vectors.json (kem_id 0x0041), and #[should_panic] Rust unit tests for all unreachable DHKEM-only paths.

Test plan

  • All existing HPKE tests continue to pass
  • New ML-KEM-768 roundtrip tests across all KDF/AEAD combinations (75 parametrized cases)
  • Wrong-key and wrong-KEM-type tests for ML-KEM-768
  • Test vector decryption for kem_id 0x0041
  • Rust unit tests for MLKEM768 unreachable branches
  • Full OPENSSL_DIR=aws-lc nox -e local passes (3570 passed, 637 skipped, 0 failed)

https://claude.ai/code/session_01KYKw3dffngLcjPhbdKkUas

claude added 4 commits April 16, 2026 01:36
Add KEM.MLKEM768 to the HPKE suite, enabling post-quantum key
encapsulation in HPKE using ML-KEM-768. Unlike DHKEM variants,
ML-KEM uses direct encapsulate/decapsulate rather than
Diffie-Hellman key exchange.

https://claude.ai/code/session_01KYKw3dffngLcjPhbdKkUas
Ignore locally-built AWS-LC directory used for testing.

https://claude.ai/code/session_01KYKw3dffngLcjPhbdKkUas
- Move encap/decap into KEM as proper abstraction instead of
  if-matches! checks in Suite. DHKEM and ML-KEM paths are now
  cleanly dispatched via match in KEM::encap/decap.
- Trim docs to match brevity of other KEM entries.
- Remove separate changelog entry (HPKE is already new).
- Revert .gitignore change.

https://claude.ai/code/session_01KYKw3dffngLcjPhbdKkUas
- Remove "DHKEM helpers" comment header.
- Add #[should_panic] unit tests covering all five MLKEM768
  unreachable!() branches in DHKEM-only helper methods.

https://claude.ai/code/session_01KYKw3dffngLcjPhbdKkUas
KEM::P256 => kem_params::P256_NSECRET,
KEM::P384 => kem_params::P384_NSECRET,
KEM::P521 => kem_params::P521_NSECRET,
KEM::MLKEM768 => kem_params::MLKEM768_NSECRET,
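Review bot: the `KEM::MLKEM768 => kem_params::MLKEM768_NSECRET` arm is dead code on the ML-KEM path, since `secret_length()` is only called from the DHKEM `extract_and_expand` helper, and it is inconsistent with the other DHKEM-only helpers in this PR, which use `unreachable!()` for the MLKEM768 case and are covered by `#[should_panic]` tests. Either make this arm `unreachable!()` as well so the five DHKEM-only helpers behave uniformly, or keep the constant and add a unit test that calls `secret_length()` on `KEM::MLKEM768` directly, so the arm cannot silently drift from the ML-KEM-768 shared-secret size the encapsulate/decapsulate path actually produces.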
Member Author

this isn't reached on mlkem, needs coverage

secret_length() is only called from the DHKEM extract_and_expand
path, so the MLKEM768 branch needs explicit test coverage.

https://claude.ai/code/session_01KYKw3dffngLcjPhbdKkUas