Releases: pq-code-package/mlkem-native

v1.1.0

14 Mar 07:41

mlkem-native v1.1.0

Release notes

mlkem-native v1.1.0 marks the completion of the verification of all x86_64 and AArch64 assembly and the introduction of
SOUNDNESS.md documenting the scope, assumptions and risks of the verification work. It also introduces
various configuration options enabling the customization of mlkem-native for different application contexts. Finally,
new backends for RISC-V RVV and Armv8.1-M MVE have been added.

See the full change log here: v1.0.0...v1.1.0

What's New

Security

  • Fix missing zeroization of intermediate polynomial vector pkpv in mlk_indcpa_keypair_derand() and mlk_indcpa_enc(). (#1328)
  • Fix missing zeroization of pk and sk buffers on keypair generation failure (e.g. OOM during the pairwise consistency test). (#1559)
  • Fix a 4-byte buffer overread in x86_64 rejection sampling assembly. The overread was within the stack frame and the excess bytes were not acted on, but the read itself exceeded the nominal buffer bounds. Found while working on the corresponding memory-safety proof. (#1615)
  • Make the value barrier volatile to prevent compilers from optimizing it away, strengthening the constant-time countermeasure. This is a purely preventative measure; no insecure compilations of the previous value barrier have been noted. (#1342)
  • Mark the stack as non-executable in all assembly files via .note.GNU-stack section markers. (#1340)
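The volatile value barrier mentioned above, in a constructed C example (added here, not mlkem-native's own code) together with the two places ML-KEM's decapsulation relies on it: a constant-time comparison of the re-encrypted ciphertext with the received one, and the conditional move that implements implicit rejection. Function names and the sample data are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>

/* Value barrier: routing x through a volatile makes the result opaque to
 * the compiler, so the mask arithmetic below cannot be turned back into a
 * secret-dependent branch. Constructed example, not mlkem-native's barrier. */
static inline uint64_t value_barrier_u64(uint64_t x)
{
    volatile uint64_t y = x;
    return y;
}

/* 0 if a[0..len) == b[0..len), else 1; always touches every byte. */
static uint64_t ct_verify(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint64_t r = 0;
    for (size_t i = 0; i < len; i++)
        r |= (uint64_t)(a[i] ^ b[i]);
    /* (r | -r) has its top bit set exactly when r != 0 */
    return value_barrier_u64((r | (0 - r)) >> 63);
}

/* dst = src if b == 1, dst unchanged if b == 0; mask, not branch. */
static void ct_cmov(uint8_t *dst, const uint8_t *src, size_t len, uint64_t b)
{
    uint8_t mask = (uint8_t)(0 - value_barrier_u64(b)); /* 0x00 or 0xFF */
    for (size_t i = 0; i < len; i++)
        dst[i] ^= mask & (dst[i] ^ src[i]);
}

/* Implicit rejection in ML-KEM decapsulation, in miniature: if the
 * re-encrypted ciphertext differs from the received one, the shared secret
 * is swapped for the rejection key without data-dependent control flow. */
static void select_shared_secret(uint8_t *ss, const uint8_t *reject_key, size_t ss_len,
                                 const uint8_t *ct, const uint8_t *ct_recomputed, size_t ct_len)
{
    ct_cmov(ss, reject_key, ss_len, ct_verify(ct, ct_recomputed, ct_len));
}

/* Self-check on constructed sample data; returns 1 on success. */
static int demo(void)
{
    static const uint8_t ct[4] = {1, 2, 3, 4}, ct_bad[4] = {1, 2, 3, 5};
    static const uint8_t reject[2] = {0x11, 0x22};
    uint8_t ss[2] = {0xAA, 0xBB};
    select_shared_secret(ss, reject, 2, ct, ct, 4);      /* match: ss unchanged */
    if (ss[0] != 0xAA || ss[1] != 0xBB) return 0;
    select_shared_secret(ss, reject, 2, ct, ct_bad, 4);  /* mismatch: ss = reject */
    return ss[0] == 0x11 && ss[1] == 0x22;
}
```

Compile with optimization and inspect the generated code: with the barrier in place, neither ct_verify nor ct_cmov should contain a conditional jump on the compared data.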

Assurance

  • Assembly verification: All x86_64 and AArch64 assembly is verified to be functionally correct, memory-safe and
    free of secret-dependent timing, in HOL Light.
  • SOUNDNESS.md: New document mapping out what is proved, what is assumed, and where the gaps and risks
    lie. (#1582)

Performance

  • AArch64: Re-optimized arithmetic backend for Neoverse-N1 using SLOTHY. (#1088)
  • x86_64: AVX2 assembly for polyvec_basemul (#1097), SSE4.1 rejection sampling (#1136), conversion of compression/decompression from intrinsics to assembly (#1543, #1545), and replacement of the Keccak-f1600 x4 C intrinsics with formally verified AVX2 assembly from s2n-bignum (#1576).
  • RISC-V RVV: Native backend for rv64gcv targets using the RISC-V Vector Extension 1.0, providing vectorized NTT,
    inverse NTT, polynomial arithmetic, and rejection sampling. NTT and invNTT are for VLEN >= 256, with automatic
    fallback to C for VLEN=128. Other functions are VLEN agnostic. (#1037)
  • Armv8.1-M MVE: Experimental native backend for Cortex-M55 and similar targets, including MVE Keccak-f1600 x4 and baremetal build support for the MPS3 AN547 platform. (#1220, #1518, #1524)

Configuration / API

  • MLK_CONFIG_CUSTOM_ALLOC_FREE: Custom allocation/deallocation for large internal structures, for systems with limited stack space. (#1389)
  • MLK_CONFIG_CONTEXT_PARAMETER: Add opaque context parameter to top-level API, passed through to custom alloc/free
    routines enabled via MLK_CONFIG_CUSTOM_ALLOC_FREE. Useful for applications without global allocator context. (#1467)
  • MLK_CONFIG_NO_RANDOMIZED_API: Build only the deterministic (_derand) API. (#1185)
  • MLK_CONFIG_SERIAL_FIPS202_ONLY: Disable 4x-batched FIPS-202, allowing use of a simpler serial-only FIPS-202 backend. (#1231)
  • Runtime backend dispatch based on a custom CPU capabilities function. (#1152)
  • randombytes() may now return an error code, which is propagated through the KEM API. (#1331)
  • mlk_kem_check_pk() / mlk_kem_check_sk() added to the public API for FIPS 203 modulus and hash checks. (#1216)
  • C++ compatibility for mlkem_native.h. (#1465)
  • MLK_CONFIG_CUSTOM_MEMCPY / MLK_CONFIG_CUSTOM_MEMSET: Custom replacements for memcpy and memset. (#1105)

Testing

  • Wycheproof test suite for ML-KEM test vector validation. (#1588)
  • Unit test framework for internal functions with native backend consistency checks. (#1188)
  • Allocation failure testing, RNG failure testing, stack usage measurement, and unaligned buffer testing.
  • Baremetal testing on AVR (16-bit) and AArch64-virt (no MMU).

v1.0.0

04 Jun 08:09
048fc2a

mlkem-native v1.0.0

Release notes

v1.0.0 is the first stable release of mlkem-native, a secure, fast and portable C90 implementation of ML-KEM derived from the ML-KEM reference implementation. mlkem-native v1.0.0 offers:

  • High maintainability and extensibility through modular frontend/backend design.
  • High performance through AArch64 and AVX2 assembly backends and the use of the SLOTHY super-optimizer.
  • High assurance through memory- and type-safety proofs for the C frontend + backend, functional correctness proofs for all AArch64 assembly, and extensive constant-time testing.

mlkem-native v1.0.0 is uniformly licensed Apache-2.0 OR MIT OR ISC, giving consumers the choice to use any of these licenses.

What's New

Compared to v1.0.0-beta the following major improvements have been integrated into mlkem-native:

  • Completion of functional correctness proofs of the AArch64 backend
  • Uniform licensing of all code in mlkem/* under Apache-2.0 OR ISC OR MIT
  • Numerous configuration option improvements
  • Numerous documentation improvements

See the full change log here: v1.0.0-beta...v1.0.0

v1.0.0-beta

03 Mar 05:20
09bb179

mlkem-native v1.0.0-beta

About

mlkem-native is a secure, fast and portable C90 implementation of ML-KEM. It is a fork of the ML-KEM reference implementation.

mlkem-native includes native backends for AArch64 and AVX2, offering competitive performance on most Arm, Intel and AMD platforms (see benchmarks). The frontend and the C backend (i.e., all C code in mlkem/* and mlkem/fips202/*) are verified using CBMC to be free of undefined behaviour. In particular, there are no out of bounds accesses, nor integer overflows during optimized modular arithmetic. HOL-Light is used to verify functional correctness of selected AArch64 assembly routines.

mlkem-native is supported by the Post-Quantum Cryptography Alliance as part of the Linux Foundation.

Release notes

This is the second official release of mlkem-native, a secure, fast and portable C90 implementation of ML-KEM.
This beta release expands the scope of formal verification (using CBMC and HOL-Light), improves FIPS compliance by adding PCT, buffer zeroization, and documentation, and increases the confidence in resistance against timing side-channels through extensive Valgrind-based testing.

What's New

Compared to v1.0.0-alpha the following major improvements have been integrated into mlkem-native:

  • Full CBMC proof coverage of the C frontend and backend including FIPS202
  • Destruction of intermediate values in #763
  • Functional correctness proofs for AArch64 NTT and INTT in #662
  • Functional correctness proofs for Keccakx1 in #826 and #821
  • Support for single compilation-unit builds in #612
  • Addition of the pair-wise consistency test in #769
  • Valgrind-based constant-time tests in #687
  • Valgrind-based detection of secret-dependent variable-latency instructions in #693
  • Improved x86_64 backend performance in #709
  • Documentation of differences to the reference implementation in #799
  • Addition of references to FIPS algorithms and equations to relevant functions in #776
  • Numerous documentation improvements
  • Additional examples on using mlkem-native (see examples/)

See the full change log here: v1.0.0-alpha...v1.0.0-beta

v1.0.0-alpha

03 Dec 11:13
112dbd3

mlkem-native v1.0.0-alpha

About

mlkem-native is a C90 implementation of ML-KEM targeting PC, mobile and server platforms. It is a fork of the ML-KEM reference implementation.

mlkem-native aims to be fast, secure, and easy to use: It provides native code backends in C, AArch64 and x86_64, offering state-of-the-art performance on most Arm, Intel and AMD platforms. The C code in mlkem/* is verified using CBMC to be free of undefined behavior. In particular, there are no out of bounds accesses, nor integer overflows during optimized modular arithmetic.

Release notes

This is the first official release of mlkem-native, a C90 implementation of ML-KEM targeting PC, mobile and server platforms. This alpha release of mlkem-native features complete backends in C, AArch64 and x86_64, offering state-of-the-art performance on most Arm, Intel and AMD platforms.

With this alpha release we intend to spark experiments on integrations of mlkem-native in other software. We appreciate any feedback on how to improve and extend mlkem-native in the future. Please open an issue on https://github.com/pq-code-package/mlkem-native. While we continue improving and extending mlkem-native, we expect that the majority of the code is stable. In particular, the core external APIs are stable; we will potentially expose additional functions (e.g., operating on expanded secret keys) in the future.