
ml-kem: minimum viable seed support for DecapsulationKey #133

Merged
tarcieri merged 1 commit into master from ml-kem/seed-support on Oct 25, 2025
Conversation

@tarcieri
Member

@tarcieri tarcieri commented Oct 24, 2025

  • Adds a Seed type alias for Array<u8, U64>
  • Adds infallible DecapsulationKey::from_seed
  • Adds fallible DecapsulationKey::to_seed returning an Option to handle the case that the key was initialized from the expanded form. This involved optionally carrying the original d as an optional struct member of DecapsulationKey.

Additional notes:

  • Seed-related functionality is not gated under the deterministic feature. That feature should possibly be changed to only feature-gate deterministic encryption.
  • None of the existing APIs for handling the expanded form have been updated to disambiguate them, e.g. from_expanded_bytes, though they probably should be, as well as potentially being feature gated (if we got rid of them entirely, to_seed could be infallible).
  • Another way to make to_seed infallible would be an ExpandedDecapsulationKey type which holds everything but d, with DecapsulationKey being a newtype that carries d.
  • ml-kem should probably adopt subtle to replace the built-in constant-time code and do constant-time comparisons of private keys, as noted in a TODO.

Closes #53
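The two API shapes weighed in the description above (one `DecapsulationKey` that optionally carries `d`, versus an `ExpandedDecapsulationKey` plus a newtype that holds `d`), together with the constant-time private-key comparison mentioned in the TODO, as an added example. This is not code from the `ml-kem` crate or from this PR: the key expansion is a toy byte-mixing function standing in for ML-KEM.KeyGen_internal, `Seed` is a plain `[u8; 64]` rather than hybrid-array's `Array<u8, U64>`, and the names `toy_expand`, `SeededDecapsulationKey`, `to_expanded_bytes` and the `(expanded, z)` argument shape of `from_expanded_bytes` are assumptions for illustration. Only the seed layout, `d || z` as 32 + 32 bytes with `z` also present in the expanded form, follows FIPS 203.

```rust
// Added example, not the ml-kem crate's code. Toy key expansion; only the
// seed layout d || z (32 + 32 bytes) follows FIPS 203.

/// 64-byte seed `d || z` (assumption: plain array instead of `Array<u8, U64>`).
pub type Seed = [u8; 64];

/// TOY stand-in for the material ML-KEM derives from `d`
/// (dk_PKE || ek || H(ek) in the real format). Not a real KDF.
fn toy_expand(d: &[u8; 32]) -> [u8; 32] {
    let mut out = [0u8; 32];
    let mut acc: u8 = 0x5a;
    for (i, byte) in d.iter().enumerate() {
        acc = acc.rotate_left(3) ^ byte.wrapping_add(i as u8);
        out[i] = acc;
    }
    out
}

fn split_seed(seed: &Seed) -> ([u8; 32], [u8; 32]) {
    let (mut d, mut z) = ([0u8; 32], [0u8; 32]);
    d.copy_from_slice(&seed[..32]);
    z.copy_from_slice(&seed[32..]);
    (d, z)
}

fn join_seed(d: &[u8; 32], z: &[u8; 32]) -> Seed {
    let mut seed = [0u8; 64];
    seed[..32].copy_from_slice(d);
    seed[32..].copy_from_slice(z);
    seed
}

/// Design A (what the PR implements): one type, `d` carried optionally.
pub struct DecapsulationKey {
    expanded: [u8; 32],  // stand-in for dk_PKE || ek || H(ek)
    z: [u8; 32],         // implicit-rejection value; present in the expanded form
    d: Option<[u8; 32]>, // only known when the key was built from a seed
}

impl DecapsulationKey {
    /// Infallible: a seed always determines the whole key.
    pub fn from_seed(seed: &Seed) -> Self {
        let (d, z) = split_seed(seed);
        Self { expanded: toy_expand(&d), z, d: Some(d) }
    }
    /// The expanded form does not contain `d` (assumed `(expanded, z)` shape).
    pub fn from_expanded_bytes(expanded: [u8; 32], z: [u8; 32]) -> Self {
        Self { expanded, z, d: None }
    }
    /// Fallible: `None` when the key was loaded from the expanded form.
    pub fn to_seed(&self) -> Option<Seed> {
        self.d.map(|d| join_seed(&d, &self.z))
    }
    pub fn to_expanded_bytes(&self) -> ([u8; 32], [u8; 32]) {
        (self.expanded, self.z)
    }
}

/// Design B (alternative from the notes): expanded key without `d` ...
pub struct ExpandedDecapsulationKey {
    pub expanded: [u8; 32],
    pub z: [u8; 32],
}

/// ... and a newtype that carries `d` beside it, so `to_seed` cannot fail.
pub struct SeededDecapsulationKey {
    d: [u8; 32],
    inner: ExpandedDecapsulationKey,
}

impl SeededDecapsulationKey {
    pub fn from_seed(seed: &Seed) -> Self {
        let (d, z) = split_seed(seed);
        Self { d, inner: ExpandedDecapsulationKey { expanded: toy_expand(&d), z } }
    }
    pub fn to_seed(&self) -> Seed {
        join_seed(&self.d, &self.inner.z)
    }
    pub fn expanded(&self) -> &ExpandedDecapsulationKey {
        &self.inner
    }
}

/// Constant-time comparison for private key bytes: the same XOR-accumulate
/// idiom `subtle` uses, written by hand so the example has no dependencies.
/// Lengths are not secret, so returning early on a length mismatch is fine.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut acc = 0u8;
    for (x, y) in a.iter().zip(b) {
        acc |= x ^ y;
    }
    core::hint::black_box(acc) == 0
}

fn main() {
    // Constructed sample seed; a real seed must come from a CSPRNG.
    let seed: Seed = core::array::from_fn(|i| i as u8);
    let dk = DecapsulationKey::from_seed(&seed);
    let (expanded, z) = dk.to_expanded_bytes();
    let parsed = DecapsulationKey::from_expanded_bytes(expanded, z);
    println!("seed -> to_seed is Some: {}", dk.to_seed().is_some());
    println!("expanded -> to_seed is Some: {}", parsed.to_seed().is_some());
    let seeded = SeededDecapsulationKey::from_seed(&seed);
    println!("newtype round-trips: {}", ct_eq(&seeded.to_seed(), &seed));
}
```

Round-tripping through the expanded form is exactly where `d` is lost: `from_seed` then `to_seed` gives `Some`, but `to_expanded_bytes` then `from_expanded_bytes` then `to_seed` gives `None`, which is the case the `Option` in the PR exists to represent. The newtype variant moves that distinction into the type system, at the cost of a second type that every call site has to name.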

@tarcieri tarcieri requested a review from bifurcation October 24, 2025 20:13
@tarcieri tarcieri force-pushed the ml-kem/seed-support branch 2 times, most recently from b9943fd to 4cf637f Compare October 24, 2025 20:17
@tarcieri
Member Author

tarcieri commented Oct 24, 2025

This could also use a complementary Seed-generation API, though I'll save that for a separate PR to keep this minimal.

@tarcieri tarcieri force-pushed the ml-kem/seed-support branch from facee02 to 29b54d2 Compare October 25, 2025 13:36
@tarcieri tarcieri merged commit 1a6b6ca into master Oct 25, 2025
23 checks passed
@tarcieri tarcieri deleted the ml-kem/seed-support branch October 25, 2025 14:09
@tarcieri tarcieri mentioned this pull request Apr 28, 2026
tarcieri added a commit that referenced this pull request Apr 28, 2026
## Added
- `Seed` support e.g. `DecapsulationKey::from_seed` (#133, #138)
- PKCS#8 support (#135)
- `KeyInit`, `KeySizeUser`, and `KeyExport` impls for decapsulation keys
  (#156, #228)
- Parameter set modules: `ml_kem_512`, `ml_kem_768`, `ml_kem_1024`
  (#162)
- `DecapsulationKey::from_expanded` deprecated compatibility support
  (#163)
- `TryKeyInit` and `KeyExport` impls for encapsulation keys (#188)
- Validations against Wycheproof test vectors (#213, #214, #215,
  #217)
- Implement `kem::Kem` trait (#223)
- Support for `kem::FromSeed` trait (#255)

## Changed
- Edition changed to 2024 and MSRV bumped to 1.85 (#118)
- Relax MSRV policy and allow MSRV bumps in patch releases
- Upgrade `hybrid-array` dependency to 0.4 (#129)
- Extract `module-lattice` crate (#199, #202, #204, #209,
  #210, #211, #212, #218, #219, #220)
- Replace `EncodedSizeUser` with `ExpandedKeyEncoding` (#226)
- Bump `getrandom` to v0.4 (#245)
- Bump `rand_core` to v0.10 (#245)
- Migrate from `subtle` to `ctutils` (#277)
- Bump `sha3` dependency to v0.11 (#282)
- Bump `kem` dependency to v0.3 (#283)
- Bump `pkcs8` dependency to v0.11 (#291)

## Fixed
- Validate encryption/encapsulation keys (#179)
- Validate expanded decapsulation key hash (#207)

## Removed
- `Kem` struct and `KemCore` trait - replaced by `kem::Kem` (#223)

Development

Successfully merging this pull request may close these issues.

ml-kem: seed support for DecapsulationKey

1 participant