Merge pull request #1100 from pq-code-package/test-acvp_data_update_1_1_0_40

Update the ACVP tests to 1.1.0.40 (add {en,de}capsulationKeyCheck)

Author: mkannwischer

BIBLIOGRAPHY.md

@@ -188,6 +188,7 @@ source code and documentation.
   - [mlkem/src/compress.h](mlkem/src/compress.h)
   - [mlkem/src/indcpa.c](mlkem/src/indcpa.c)
   - [mlkem/src/kem.c](mlkem/src/kem.c)
+  - [mlkem/src/kem.h](mlkem/src/kem.h)
   - [mlkem/src/poly.c](mlkem/src/poly.c)
   - [mlkem/src/poly_k.c](mlkem/src/poly_k.c)
   - [mlkem/src/sampling.c](mlkem/src/sampling.c)

mlkem/mlkem_native.S

@@ -191,6 +191,8 @@
 /* mlkem/src/kem.h */
 #undef MLK_CONFIG_API_NO_SUPERCOP
 #undef MLK_KEM_H
+#undef crypto_kem_check_pk
+#undef crypto_kem_check_sk
 #undef crypto_kem_dec
 #undef crypto_kem_enc
 #undef crypto_kem_enc_derand

mlkem/mlkem_native.c

@@ -180,6 +180,8 @@
 /* mlkem/src/kem.h */
 #undef MLK_CONFIG_API_NO_SUPERCOP
 #undef MLK_KEM_H
+#undef crypto_kem_check_pk
+#undef crypto_kem_check_sk
 #undef crypto_kem_dec
 #undef crypto_kem_enc
 #undef crypto_kem_enc_derand

mlkem/src/kem.c

@@ -36,8 +36,6 @@
  * This is to facilitate building multiple instances
  * of mlkem-native (e.g. with varying security levels)
  * within a single compilation unit. */
-#define mlk_check_pk MLK_ADD_PARAM_SET(mlk_check_pk)
-#define mlk_check_sk MLK_ADD_PARAM_SET(mlk_check_sk)
 #define mlk_check_pct MLK_ADD_PARAM_SET(mlk_check_pct)
 /* End of parameter set namespacing */
 
@@ -50,26 +48,11 @@ __contract__(
 );
 #endif /* CBMC */
 
-/*************************************************
- * Name:        mlk_check_pk
- *
- * Description: Implements modulus check mandated by FIPS 203,
- *              i.e., ensures that coefficients are in [0,q-1].
- *
- * Arguments:   - const uint8_t *pk: pointer to input public key
- *                (an already allocated array of MLKEM_INDCCA_PUBLICKEYBYTES
- *                 bytes)
- *
- * Returns: - 0 on success
- *          - -1 on failure
- *
- * Specification: Implements @[FIPS203, Section 7.2, 'modulus check']
- *
- **************************************************/
 
 /* Reference: Not implemented in the reference implementation @[REF]. */
+MLK_INTERNAL_API
 MLK_MUST_CHECK_RETURN_VALUE
-static int mlk_check_pk(const uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES])
+int crypto_kem_check_pk(const uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES])
 {
   int res;
   mlk_polyvec p;
@@ -90,27 +73,11 @@ static int mlk_check_pk(const uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES])
   return res;
 }
 
-/*************************************************
- * Name:        mlk_check_sk
- *
- * Description: Implements public key hash check mandated by FIPS 203,
- *              i.e., ensures that
- *              sk[768𝑘+32 ∶ 768𝑘+64] = H(pk)= H(sk[384𝑘 : 768𝑘+32])
- *
- * Arguments:   - const uint8_t *sk: pointer to input private key
- *                (an already allocated array of MLKEM_INDCCA_SECRETKEYBYTES
- *                 bytes)
- *
- * Returns: - 0 on success
- *          - -1 on failure
- *
- * Specification: Implements @[FIPS203, Section 7.3, 'hash check']
- *
- **************************************************/
 
 /* Reference: Not implemented in the reference implementation @[REF]. */
+MLK_INTERNAL_API
 MLK_MUST_CHECK_RETURN_VALUE
-static int mlk_check_sk(const uint8_t sk[MLKEM_INDCCA_SECRETKEYBYTES])
+int crypto_kem_check_sk(const uint8_t sk[MLKEM_INDCCA_SECRETKEYBYTES])
 {
   int res;
   MLK_ALIGN uint8_t test[MLKEM_SYMBYTES];
@@ -267,7 +234,7 @@ int crypto_kem_enc_derand(uint8_t ct[MLKEM_INDCCA_CIPHERTEXTBYTES],
   MLK_ALIGN uint8_t kr[2 * MLKEM_SYMBYTES];
 
   /* Specification: Implements @[FIPS203, Section 7.2, Modulus check] */
-  if (mlk_check_pk(pk))
+  if (crypto_kem_check_pk(pk))
   {
     return -1;
   }
@@ -329,7 +296,7 @@ int crypto_kem_dec(uint8_t ss[MLKEM_SSBYTES],
   const uint8_t *pk = sk + MLKEM_INDCPA_SECRETKEYBYTES;
 
   /* Specification: Implements @[FIPS203, Section 7.3, Hash check] */
-  if (mlk_check_sk(sk))
+  if (crypto_kem_check_sk(sk))
   {
     return -1;
   }
@@ -367,6 +334,4 @@ int crypto_kem_dec(uint8_t ss[MLKEM_SSBYTES],
 
 /* To facilitate single-compilation-unit (SCU) builds, undefine all macros.
  * Don't modify by hand -- this is auto-generated by scripts/autogen. */
-#undef mlk_check_pk
-#undef mlk_check_sk
 #undef mlk_check_pct

mlkem/src/kem.h

@@ -10,6 +10,11 @@
  *   FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism Standard
  *   National Institute of Standards and Technology
  *   https://csrc.nist.gov/pubs/fips/203/final
+ *
+ * - [REF]
+ *   CRYSTALS-Kyber C reference implementation
+ *   Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, Schwabe, Seiler, Stehlé
+ *   https://github.com/pq-crystals/kyber/tree/main/ref
  */
 
 #ifndef MLK_KEM_H
@@ -49,6 +54,56 @@
 #define crypto_kem_enc_derand MLK_NAMESPACE_K(enc_derand)
 #define crypto_kem_enc MLK_NAMESPACE_K(enc)
 #define crypto_kem_dec MLK_NAMESPACE_K(dec)
+#define crypto_kem_check_pk MLK_NAMESPACE_K(check_pk)
+#define crypto_kem_check_sk MLK_NAMESPACE_K(check_sk)
+
+
+
+/*************************************************
+ * Name:        crypto_kem_check_pk
+ *
+ * Description: Implements modulus check mandated by FIPS 203,
+ *              i.e., ensures that coefficients are in [0,q-1].
+ *
+ * Arguments:   - const uint8_t *pk: pointer to input public key
+ *                (an already allocated array of MLKEM_INDCCA_PUBLICKEYBYTES
+ *                 bytes)
+ *
+ * Returns: - 0 on success
+ *          - -1 on failure
+ *
+ * Specification: Implements @[FIPS203, Section 7.2, 'modulus check']
+ *
+ **************************************************/
+
+/* Reference: Not implemented in the reference implementation @[REF]. */
+MLK_INTERNAL_API
+MLK_MUST_CHECK_RETURN_VALUE
+int crypto_kem_check_pk(const uint8_t pk[MLKEM_INDCCA_PUBLICKEYBYTES]);
+
+
+/*************************************************
+ * Name:        crypto_kem_check_sk
+ *
+ * Description: Implements public key hash check mandated by FIPS 203,
+ *              i.e., ensures that
+ *              sk[768𝑘+32 ∶ 768𝑘+64] = H(pk)= H(sk[384𝑘 : 768𝑘+32])
+ *
+ * Arguments:   - const uint8_t *sk: pointer to input private key
+ *                (an already allocated array of MLKEM_INDCCA_SECRETKEYBYTES
+ *                 bytes)
+ *
+ * Returns: - 0 on success
+ *          - -1 on failure
+ *
+ * Specification: Implements @[FIPS203, Section 7.3, 'hash check']
+ *
+ **************************************************/
+
+/* Reference: Not implemented in the reference implementation @[REF]. */
+MLK_INTERNAL_API
+MLK_MUST_CHECK_RETURN_VALUE
+int crypto_kem_check_sk(const uint8_t sk[MLKEM_INDCCA_SECRETKEYBYTES]);
 
 /*************************************************
  * Name:        crypto_kem_keypair_derand

test/acvp_client.py

@@ -21,10 +21,6 @@
 
 acvp_dir = "test/acvp_data"
 acvp_jsons = [
-    (
-        f"{acvp_dir}/acvp_v1.1.0.36_keyGen_prompt.json",
-        f"{acvp_dir}/acvp_v1.1.0.36_keyGen_expectedResults.json",
-    ),
     (
         f"{acvp_dir}/acvp_v1.1.0.38_keyGen_prompt.json",
         f"{acvp_dir}/acvp_v1.1.0.38_keyGen_expectedResults.json",
@@ -34,8 +30,8 @@
         f"{acvp_dir}/acvp_v1.1.0.39_keyGen_expectedResults.json",
     ),
     (
-        f"{acvp_dir}/acvp_v1.1.0.36_encapDecap_prompt.json",
-        f"{acvp_dir}/acvp_v1.1.0.36_encapDecap_expectedResults.json",
+        f"{acvp_dir}/acvp_v1.1.0.40_keyGen_prompt.json",
+        f"{acvp_dir}/acvp_v1.1.0.40_keyGen_expectedResults.json",
     ),
     (
         f"{acvp_dir}/acvp_v1.1.0.38_encapDecap_prompt.json",
@@ -45,6 +41,10 @@
         f"{acvp_dir}/acvp_v1.1.0.39_encapDecap_prompt.json",
         f"{acvp_dir}/acvp_v1.1.0.39_encapDecap_expectedResults.json",
     ),
+    (
+        f"{acvp_dir}/acvp_v1.1.0.40_encapDecap_prompt.json",
+        f"{acvp_dir}/acvp_v1.1.0.40_encapDecap_expectedResults.json",
+    ),
 ]
 
 
@@ -113,12 +113,15 @@ def run_encapDecap_test(tg, tc):
             results[k] = v
     elif tg["function"] == "decapsulation":
         acvp_bin = get_acvp_binary(tg)
+        # TODO: Remove this fallback workaround. v.1.1.0.40 moved the dk from the
+        # tg to the tc. This can be removed when v1.1.0.39 is removed.
+        dk_value = tc.get("dk", tg.get("dk"))
         acvp_call = exec_prefix + [
             acvp_bin,
             "encapDecap",
             "VAL",
             "decapsulation",
-            f"dk={tg['dk']}",
+            f"dk={dk_value}",
             f"c={tc['c']}",
         ]
         result = subprocess.run(acvp_call, encoding="utf-8", capture_output=True)
@@ -131,6 +134,45 @@ def run_encapDecap_test(tg, tc):
         for l in result.stdout.splitlines():
             (k, v) = l.split("=")
             results[k] = v
+    elif tg["function"] == "encapsulationKeyCheck":
+        acvp_bin = get_acvp_binary(tg)
+        acvp_call = exec_prefix + [
+            acvp_bin,
+            "encapDecap",
+            "VAL",
+            "encapsulationKeyCheck",
+            f"ek={tc['ek']}",
+        ]
+        result = subprocess.run(acvp_call, encoding="utf-8", capture_output=True)
+        if result.returncode != 0:
+            err("FAIL!")
+            err(f"{acvp_call} failed with error code {result.returncode}")
+            err(result.stderr)
+            exit(1)
+        # Extract results
+        for l in result.stdout.splitlines():
+            (k, v) = l.split("=")
+            results[k] = v == "1"
+
+    elif tg["function"] == "decapsulationKeyCheck":
+        acvp_bin = get_acvp_binary(tg)
+        acvp_call = exec_prefix + [
+            acvp_bin,
+            "encapDecap",
+            "VAL",
+            "decapsulationKeyCheck",
+            f"dk={tc['dk']}",
+        ]
+        result = subprocess.run(acvp_call, encoding="utf-8", capture_output=True)
+        if result.returncode != 0:
+            err("FAIL!")
+            err(f"{acvp_call} failed with error code {result.returncode}")
+            err(result.stderr)
+            exit(1)
+        # Extract results
+        for l in result.stdout.splitlines():
+            (k, v) = l.split("=")
+            results[k] = v == "1"
     info("done")
     return results
 

test/acvp_data/README.md

@@ -1,6 +1,6 @@
 [//]: # (SPDX-License-Identifier: CC-BY-4.0)
 
-This directory contains the ACVP test vectors from [^ACVP_Server], versions v1.1.0.36, v1.1.0.38, and v1.1.0.39. See [^ACVP_Spec] for the
+This directory contains the ACVP test vectors from [^ACVP_Server], versions v1.1.0.38, v1.1.0.39, and v1.1.0.40. See [^ACVP_Spec] for the
 specification of the ACVP tests.
 
 <!--- bibliography --->