Add encap/decapKeyCheck support in ACVP (#2872)

ACVP has support for a new test vectors that test against the
encapsulation/decapsulation key checks defined in FIPS 203.
> Adds "encapsulationKeyCheck" and "decapsulationKeyCheck" as functions
for ML-KEM Encap/Decap FIPS203 to exercise an implementation's
capability to perform the Encapsulation Key Check in FIPS 203 Section
7.2 and the Decapsulation Key Check in FIPS 203 Section 7.3. These tests
are only included if the appropriate function is present in the
registration. They operate by providing a valid or invalid key and
expecting the IUT to return a true for a valid key or false for an
invalid key.

* https://github.com/usnistgov/ACVP-Server/releases

This add support in ACVP to run against the relevant
`crypto_kem_check_pk` and `crypto_kem_check_sk` functions that do the
checks for us. Also added the new `encapsulationKeyCheck` and
`decapsulationKeyCheck` test vectors in `ML-KEM.bz2`.

N/A

new `encapsulationKeyCheck` and `decapsulationKeyCheck` test vectors in
`ML-KEM.bz2`

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Author: samuel40791765

.github/workflows/linux_x86_omnibus.yml

@@ -175,7 +175,7 @@ jobs:
     runs-on:
       - codebuild-aws-lc-ci-github-actions-${{ github.run_id }}-${{ github.run_attempt }}
         image:linux-5.0
-        instance-size:large
+        instance-size:${{ matrix.build32 && 'xlarge' || 'large' }}
     strategy:
       fail-fast: false
       matrix:

crypto/fipsmodule/ml_kem/ml_kem.c

@@ -394,3 +394,45 @@ int ml_kem_common_decapsulate(int (*decapsulate)(uint8_t *shared_secret, const u
   set_written_len_on_success(res, shared_secret);
   return res;
 }
+
+int ml_kem_512_check_pk(const uint8_t *public_key, size_t public_key_len) {
+  if (public_key == NULL || public_key_len != MLKEM512_PUBLIC_KEY_BYTES) {
+    return -1;
+  }
+  return mlkem512_check_pk(public_key);
+}
+
+int ml_kem_512_check_sk(const uint8_t *secret_key, size_t secret_key_len) {
+  if (secret_key == NULL || secret_key_len != MLKEM512_SECRET_KEY_BYTES) {
+    return -1;
+  }
+  return mlkem512_check_sk(secret_key);
+}
+
+int ml_kem_768_check_pk(const uint8_t *public_key, size_t public_key_len) {
+  if (public_key == NULL || public_key_len != MLKEM768_PUBLIC_KEY_BYTES) {
+    return -1;
+  }
+  return mlkem768_check_pk(public_key);
+}
+
+int ml_kem_768_check_sk(const uint8_t *secret_key, size_t secret_key_len) {
+  if (secret_key == NULL || secret_key_len != MLKEM768_SECRET_KEY_BYTES) {
+    return -1;
+  }
+  return mlkem768_check_sk(secret_key);
+}
+
+int ml_kem_1024_check_pk(const uint8_t *public_key, size_t public_key_len) {
+  if (public_key == NULL || public_key_len != MLKEM1024_PUBLIC_KEY_BYTES) {
+    return -1;
+  }
+  return mlkem1024_check_pk(public_key);
+}
+
+int ml_kem_1024_check_sk(const uint8_t *secret_key, size_t secret_key_len) {
+  if (secret_key == NULL || secret_key_len != MLKEM1024_SECRET_KEY_BYTES) {
+    return -1;
+  }
+  return mlkem1024_check_sk(secret_key);
+}

crypto/fipsmodule/ml_kem/ml_kem.h

@@ -79,6 +79,12 @@ int ml_kem_512_decapsulate_no_self_test(uint8_t *shared_secret    /* OUT */,
                                         const uint8_t *ciphertext /* IN  */,
                                         const uint8_t *secret_key /* IN  */);
 
+OPENSSL_EXPORT int ml_kem_512_check_pk(const uint8_t *public_key /* IN */,
+                                       size_t public_key_len /* IN  */);
+OPENSSL_EXPORT int ml_kem_512_check_sk(const uint8_t *secret_key /* IN */,
+                                       size_t secret_key_len /* IN  */);
+
+
 OPENSSL_EXPORT int ml_kem_768_keypair_deterministic(uint8_t *public_key /* OUT */,
                                                     size_t *public_len  /* IN_OUT */,
                                                     uint8_t *secret_key /* OUT */,
@@ -126,6 +132,11 @@ int ml_kem_768_decapsulate_no_self_test(uint8_t *shared_secret    /* OUT */,
                            const uint8_t *ciphertext /* IN  */,
                            const uint8_t *secret_key /* IN  */);
 
+OPENSSL_EXPORT int ml_kem_768_check_pk(const uint8_t *public_key /* IN */,
+                                       size_t public_key_len /* IN  */);
+OPENSSL_EXPORT int ml_kem_768_check_sk(const uint8_t *secret_key /* IN */,
+                                       size_t secret_key_len /* IN  */);
+
 OPENSSL_EXPORT int ml_kem_1024_keypair_deterministic(uint8_t *public_key /* OUT */,
                                                      size_t *public_len  /* IN_OUT */,
                                                      uint8_t *secret_key /* OUT */,
@@ -175,6 +186,11 @@ int ml_kem_1024_decapsulate_no_self_test(uint8_t *shared_secret    /* OUT */,
                                          const uint8_t *ciphertext /* IN  */,
                                          const uint8_t *secret_key /* IN  */);
 
+OPENSSL_EXPORT int ml_kem_1024_check_pk(const uint8_t *public_key /* IN */,
+                                        size_t public_key_len /* IN  */);
+OPENSSL_EXPORT int ml_kem_1024_check_sk(const uint8_t *secret_key /* IN */,
+                                        size_t secret_key_len /* IN  */);
+
 #if defined(__cplusplus)
 }
 #endif

util/fipstools/acvp/acvptool/subprocess/ml_kem.go

@@ -113,9 +113,10 @@ type mlKemEncDecapTestGroupResponse struct {
 }
 
 type mlKemEncDecapTestCaseResponse struct {
-	ID uint64               `json:"tcId"`
-	C  hexEncodedByteString `json:"c,omitempty"`
-	K  hexEncodedByteString `json:"k,omitempty"`
+	ID     uint64               `json:"tcId"`
+	C      hexEncodedByteString `json:"c,omitempty"`
+	K      hexEncodedByteString `json:"k,omitempty"`
+	Passed *bool                `json:"testPassed,omitempty"`
 }
 
 func processMlKemEncapDecap(vectors json.RawMessage, m Transactable) (interface{}, error) {
@@ -129,7 +130,9 @@ func processMlKemEncapDecap(vectors json.RawMessage, m Transactable) (interface{
 
 	for _, group := range groups {
 		if (strings.EqualFold(group.Function, "encapsulation") && !strings.EqualFold(group.Type, "AFT")) ||
-			(strings.EqualFold(group.Function, "decapsulation") && !strings.EqualFold(group.Type, "VAL")) {
+			(strings.EqualFold(group.Function, "decapsulation") && !strings.EqualFold(group.Type, "VAL")) ||
+			(strings.EqualFold(group.Function, "decapsulationKeyCheck") && !strings.EqualFold(group.Type, "VAL")) ||
+			(strings.EqualFold(group.Function, "encapsulationKeyCheck") && !strings.EqualFold(group.Type, "VAL")) {
 			return nil, fmt.Errorf("unsupported encapDecap function and test group type pair: (%v, %v)", group.Function, group.Type)
 		}
 
@@ -148,6 +151,10 @@ func processMlKemEncapDecap(vectors json.RawMessage, m Transactable) (interface{
 				testResponse, err = processMlKemEncapTestCase(test.ID, group.ParameterSet, test.EK, test.M, m)
 			case strings.EqualFold(group.Function, "decapsulation"):
 				testResponse, err = processMlKemDecapTestCase(test.ID, group.ParameterSet, test.DK, test.C, m)
+			case strings.EqualFold(group.Function, "encapsulationKeyCheck"):
+				testResponse, err = processMlKemEncapKeyCheckTestCase(test.ID, group.ParameterSet, test.EK, m)
+			case strings.EqualFold(group.Function, "decapsulationKeyCheck"):
+				testResponse, err = processMlKemDecapKeyCheckTestCase(test.ID, group.ParameterSet, test.DK, m)
 			default:
 				return nil, fmt.Errorf("unknown encDecap function: %v", group.Function)
 			}
@@ -192,3 +199,32 @@ func processMlKemDecapTestCase(id uint64, algorithm string, dk []byte, c []byte,
 		K:  k,
 	}, nil
 }
+
+func processMlKemEncapKeyCheckTestCase(id uint64, algorithm string, ek []byte, t Transactable) (mlKemEncDecapTestCaseResponse, error) {
+	results, err := t.Transact("ML-KEM/"+algorithm+"/encapKeyCheck", 1, ek)
+	if err != nil {
+		return mlKemEncDecapTestCaseResponse{}, err
+	}
+
+    testPassed := results[0][0] == 1
+
+	return mlKemEncDecapTestCaseResponse{
+		ID: id,
+		Passed: &testPassed,
+	}, nil
+}
+
+func processMlKemDecapKeyCheckTestCase(id uint64, algorithm string, dk []byte, t Transactable) (mlKemEncDecapTestCaseResponse, error) {
+	results, err := t.Transact("ML-KEM/"+algorithm+"/decapKeyCheck", 1, dk)
+	if err != nil {
+		return mlKemEncDecapTestCaseResponse{}, err
+	}
+
+	testPassed := results[0][0] == 1
+
+	return mlKemEncDecapTestCaseResponse{
+		ID: id,
+		Passed: &testPassed,
+	}, nil
+}
+

util/fipstools/acvp/acvptool/test/expected/ML-KEM.bz2

@@ -59,6 +59,8 @@
 #include "../../../../crypto/fipsmodule/curve25519/internal.h"
 #include "../../../../crypto/fipsmodule/ml_dsa/ml_dsa.h"
 #include "../../../../crypto/fipsmodule/ml_dsa/ml_dsa_ref/params.h"
+#include "../../../../crypto/fipsmodule/ml_kem/ml_kem.h"
+
 #include "modulewrapper.h"
 
 
@@ -1392,7 +1394,7 @@ static bool GetConfig(const Span<const uint8_t> args[],
         "mode": "encapDecap",
         "revision": "FIPS203",
         "parameterSets": ["ML-KEM-512", "ML-KEM-768", "ML-KEM-1024"],
-        "functions": ["encapsulation", "decapsulation"]
+        "functions": ["encapsulation", "decapsulation", "encapsulationKeyCheck", "decapsulationKeyCheck"]
       },)"
       R"({
         "algorithm": "EDDSA",
@@ -3170,6 +3172,58 @@ static bool ML_KEM_DECAP(const Span<const uint8_t> args[],
       {Span<const uint8_t>(shared_secret.data(), shared_secret_len)});
 }
 
+template <int nid>
+static bool MLKEM_ENCAP_CHECK(const Span<const uint8_t> args[],
+                         ReplyCallback write_reply) {
+  const Span<const uint8_t> ek = args[0];
+
+  int (*check_fn)(const uint8_t*, size_t) = nullptr;
+  if(nid == NID_MLKEM512) {
+    check_fn = ml_kem_512_check_pk;
+  } else if(nid == NID_MLKEM768) {
+    check_fn = ml_kem_768_check_pk;
+  } else if(nid == NID_MLKEM1024) {
+    check_fn = ml_kem_1024_check_pk;
+  } else {
+    return false;
+  }
+
+  // The check_sk function validates mandated by FIPS 203 Section 7.2.
+  uint8_t success_flag[1] = {0};
+  if(check_fn(ek.data(), ek.size()) != 0) {
+    return write_reply({Span<const uint8_t>(success_flag)});
+  }
+
+  success_flag[0] = 1;
+  return write_reply({Span<const uint8_t>(success_flag)});
+}
+
+template <int nid>
+static bool MLKEM_DECAP_CHECK(const Span<const uint8_t> args[],
+                         ReplyCallback write_reply) {
+  const Span<const uint8_t> dk = args[0];
+
+  int (*check_fn)(const uint8_t*, size_t) = nullptr;
+  if(nid == NID_MLKEM512) {
+    check_fn = ml_kem_512_check_sk;
+  } else if(nid == NID_MLKEM768) {
+    check_fn = ml_kem_768_check_sk;
+  } else if(nid == NID_MLKEM1024) {
+    check_fn = ml_kem_1024_check_sk;
+  } else {
+    return false;
+  }
+
+  // The check_sk function validates mandated by FIPS 203 Section 7.3.
+  uint8_t success_flag[1] = {0};
+  if(check_fn(dk.data(), dk.size()) != 0) {
+    return write_reply({Span<const uint8_t>(success_flag)});
+  }
+
+  success_flag[0] = 1;
+  return write_reply({Span<const uint8_t>(success_flag)});
+}
+
 static bool ED25519KeyGen(const Span<const uint8_t> args[],
                           ReplyCallback write_reply) {
   std::vector<uint8_t> private_key(ED25519_PRIVATE_KEY_LEN);
@@ -3685,6 +3739,12 @@ static struct {
     {"ML-KEM/ML-KEM-512/decap", 2, ML_KEM_DECAP<NID_MLKEM512>},
     {"ML-KEM/ML-KEM-768/decap", 2, ML_KEM_DECAP<NID_MLKEM768>},
     {"ML-KEM/ML-KEM-1024/decap", 2, ML_KEM_DECAP<NID_MLKEM1024>},
+    {"ML-KEM/ML-KEM-512/encapKeyCheck", 1, MLKEM_ENCAP_CHECK<NID_MLKEM512>},
+    {"ML-KEM/ML-KEM-768/encapKeyCheck", 1, MLKEM_ENCAP_CHECK<NID_MLKEM768>},
+    {"ML-KEM/ML-KEM-1024/encapKeyCheck", 1, MLKEM_ENCAP_CHECK<NID_MLKEM1024>},
+    {"ML-KEM/ML-KEM-512/decapKeyCheck", 1, MLKEM_DECAP_CHECK<NID_MLKEM512>},
+    {"ML-KEM/ML-KEM-768/decapKeyCheck", 1, MLKEM_DECAP_CHECK<NID_MLKEM768>},
+    {"ML-KEM/ML-KEM-1024/decapKeyCheck", 1, MLKEM_DECAP_CHECK<NID_MLKEM1024>},
     {"EDDSA/ED-25519/keyGen", 0, ED25519KeyGen},
     {"EDDSA/ED-25519/keyVer", 1, ED25519KeyVer},
     {"EDDSA/ED-25519/sigGen", 2, ED25519SigGen},