[cryptotest] Add ML-KEM tests using Wycheproof and ACVP test vectors #219
Merged
mkannwischer merged 2 commits intomasterfrom Apr 8, 2026
Merged
[cryptotest] Add ML-KEM tests using Wycheproof and ACVP test vectors #219mkannwischer merged 2 commits intomasterfrom
mkannwischer merged 2 commits intomasterfrom
Conversation
mkannwischer
force-pushed
the
mjk/mlkem-testvectors
branch
from
f07eb40 to
dbddbb0
Compare
Contributor
Author
|
I have reworked this PR a bit making it easier to also accommodate ML-DSA in #223. |
mkannwischer
force-pushed
the
mjk/mlkem-testvectors
branch
3 times, most recently
from
7f6f49d to
7019f31
Compare
jadephilipoom
approved these changes
Apr 2, 2026
Contributor
jadephilipoom
left a comment
jadephilipoom
left a comment
There was a problem hiding this comment.
LGTM, thanks Matthias!
Contributor
|
CI failure looks unrelated and perhaps like the FPGA may have gotten disconnected, I'd suggest just rerunning it to see if it works. |
Adds the NIST ACVP-Server v1.1.0.41 as an external dependency for ML-KEM (and future algorithm) test vectors. Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
Adds ML-KEM to the cryptotest framework with support for all three
parameter sets (ML-KEM-512, ML-KEM-768, ML-KEM-1024) and four
test operations:
- keygen: deterministic key generation from seed (d||z)
- encaps: deterministic encapsulation with provided ek and
randomness m
- decaps: decapsulation with provided dk and ciphertext
- keygen_decaps: keygen followed by decapsulation (Wycheproof
mlkem_*_test.json provides seed + ciphertext, firmware generates
keys then decapsulates)
Test vector sources:
- Wycheproof (C2SP): keygen_seed_test, encaps_test,
semi_expanded_decaps_test, and the combined test.json
for all three parameter sets (1695 vectors)
- ACVP (NIST ACVP-Server v1.1.0.41): keyGen and encapDecap
internalProjection files (240 vectors)
All 1935 test vectors from both sources are covered.
ACVP encapsulationKeyCheck and decapsulationKeyCheck tests are
mapped to encaps and decaps operations respectively: the cryptolib
does not expose dedicated key validation functions, but
encapsulate_derand and decapsulate perform internal checks (FIPS 203
modulus check, hash consistency) that reject invalid keys. We test
this by calling the operations with the provided (possibly invalid)
key and dummy randomness/ciphertext, and verifying success/failure.
The biggest challenge here is that ML-KEM data structures are
large (ek up to 1568B, dk up to 3168B).
Naively serializing these as ujson output arrays results in a test
runtime of >2.5 hours - the vast majority of which appears to be
spent on JSON encoding in the firmware.
To address this, we instead compute the SHA3-256 hash of the
outputs in the firmware and the parses.
This brings down test time for everything to ~265s.
Note that the ML-KEM tests need work buffers that are too large
for the stack. This commit allocates them in firmware.c
already in preparation for also adding ML-DSA tests, so that
these buffers can be placed in a union.
Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
mkannwischer
force-pushed
the
mjk/mlkem-testvectors
branch
from
7019f31 to
70d21d5
Compare
Contributor
Author
I have done that twice now, but it does not seem to help. |
Contributor
|
Looks like a broader CI issue unfortunately :/ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds ML-KEM to the cryptotest framework with support for all three
parameter sets (ML-KEM-512, ML-KEM-768, ML-KEM-1024) and four
test operations:
randomness m
mlkem_*_test.json provides seed + ciphertext, firmware generates
keys then decapsulates)
Test vector sources:
semi_expanded_decaps_test, and the combined test.json
for all three parameter sets (1695 vectors)
internalProjection files (240 vectors)
All 1935 test vectors from both sources are covered.
ACVP encapsulationKeyCheck and decapsulationKeyCheck tests are
mapped to encaps and decaps operations respectively: the cryptolib
does not expose dedicated key validation functions, but
encapsulate_derand and decapsulate perform internal checks (FIPS 203
modulus check, hash consistency) that reject invalid keys. We test
this by calling the operations with the provided (possibly invalid)
key and dummy randomness/ciphertext, and verifying success/failure.
The biggest challenge here is that ML-KEM data structures are
large (ek up to 1568B, dk up to 3168B).
Naively serializing these as ujson output arrays results in a test
runtime of >2.5 hours - the vast majority of which appears to be
spent on JSON encoding in the firmware.
To address this, we instead compute the SHA3-256 hash of the
outputs in the firmware and the parses.
This brings down test time for everything to ~265s.