pq_crypto 0.6.2 → 0.6.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 94d0fc254c0169b1e49ce177e0bf9830c9a1140dc425be9e917e8b2acfb870ed
-  data.tar.gz: 148381930753a4d6eb850522619ddf43b602cf9ae9966190c91f276c56f0d426
+  metadata.gz: aee26c8aa17143d9a17bd24b9435f073cc5d40beff39cbc90d0685d2221ff8d9
+  data.tar.gz: b0d51294d4639587c619fd5854d2c33d01b5aaa82929aae759dcb8f5776fefbe
 SHA512:
-  metadata.gz: bb8d4c4683429e99d0147ece542dabdb2276ec3933482d03e3dae81a8bd55b3ed2e617c89221dcdec4dbc34c134027dc406ab7d5e814af2ceef91aa1fb1a0240
-  data.tar.gz: 1e911b991634858610ceea12d5cb3a7efbb3a2f480f7ccb531e9afd1e4d01befe673ebec0f1935500dafed37b595d9c9a11a5b9a12adf1ff0720a0a76bf95c96
+  metadata.gz: a293e6386c7a350be36b271f9e26fef69f1f3e6050fd3eca5e5f69a7f039c39ad08d152cecf46918b1fa8d60908746c2784de27cae3e0351082cb1c63470fe49
+  data.tar.gz: e12be8a7ad95c42cb27659215c4bfe9201d5b18d531c344279707c2ce74d5fb981328c28beb79e72815e182acc0790b9a5682af8adf17c8b737a12e691d830ec

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## [0.6.3] - 2026-06-24
+
+### Changed
+- update native mlkem `v1.1.0` → `v1.2.0` (new PowerPC backend, Windows/RISC-V portability, 16-bit `int` UB fix; public API unchanged)
+
 ## [0.6.2] - 2026-05-24
 
 ### Changed

data/ext/pqcrypto/pqcrypto_version.h

@@ -2,6 +2,6 @@
 #ifndef PQCRYPTO_VERSION_H
 #define PQCRYPTO_VERSION_H
 
-#define PQCRYPTO_VERSION "0.6.2"
+#define PQCRYPTO_VERSION "0.6.3"
 
 #endif

data/ext/pqcrypto/vendor/.vendored

@@ -2,11 +2,11 @@
 backend=PQ Code Package native only
 pqclean=removed
 mlkem_native_repo=https://github.com/pq-code-package/mlkem-native.git
-mlkem_native_ref=v1.1.0
-mlkem_native_commit=d2cae2be522a67bfae26100fdb520576f1b2ef90
-mlkem_native_tree_sha256=c225de87a69e6d6360cddc4b5839b03e65fa9d5a1112a5f19700c905b7e74512
+mlkem_native_ref=v1.2.0
+mlkem_native_commit=0ba906cb14b1c241476134d7403a811b382ca498
+mlkem_native_tree_sha256=cc78ed199b8c65abe68635b23a13b294d5a8deb20c8bc7b4d76590c00976bb2d
 mldsa_native_repo=https://github.com/pq-code-package/mldsa-native.git
 mldsa_native_ref=v1.0.0-beta2
 mldsa_native_commit=9b0ee84f4cf399043eca59eca4e5f8531ca1d61b
 mldsa_native_tree_sha256=2887f59926c18a877e8c5a5e30727e84497c357032093d00d7135aedf53f011e
-manifest_sha256=cfcf998232945760d5fd66cc3ec0af54925e13844e1758f559eeb1c7ecf16ffc
+manifest_sha256=011e9d7d1160c7d612869695d950e17f9e330dac6bf782883639593f96fee951

data/ext/pqcrypto/vendor/mlkem-native/README.md

@@ -20,7 +20,7 @@ All C code in [mlkem/src/*](mlkem) and [mlkem/src/fips202/*](mlkem/src/fips202)
 using CBMC[^CBMC]. All AArch64 and x86_64 assembly is proved to be functionally correct,
 memory-safe, and of secret-independent timing (constant-time), using HOL-Light[^HOL-Light].
 
-mlkem-native includes native backends for Arm (64-bit, Neon), Intel/AMD (64-bit, AVX2), and RISC-V (64-bit, RVV). See [benchmarks](https://pq-code-package.github.io/mlkem-native/dev/bench/) for performance data.
+mlkem-native includes native backends for Arm (64-bit, Neon), Intel/AMD (64-bit, AVX2), RISC-V (64-bit, RVV), and POWER (ppc64le, VSX). See [benchmarks](https://pq-code-package.github.io/mlkem-native/dev/bench/) for performance data.
 
 mlkem-native is supported by the [Post-Quantum Cryptography Alliance](https://pqca.org/) as part of the [Linux Foundation](https://linuxfoundation.org/).
 
@@ -53,7 +53,7 @@ mlkem-native is used in
  - [libOQS](https://github.com/open-quantum-safe/liboqs/) of the Open Quantum Safe project since [0.13.0](https://github.com/open-quantum-safe/liboqs/releases/tag/0.13.0) (as the default ML-KEM implementation)
  - AWS' Cryptography library [AWS-LC](https://github.com/aws/aws-lc/) since [v1.50.0](https://github.com/aws/aws-lc/releases/tag/v1.50.0)
  - The [rustls](https://github.com/rustls/rustls) TLS library written in Rust since [0.23.28](https://github.com/rustls/rustls/releases/tag/v%2F0.23.28) (through AWS-LC as the default cryptography provider)
- - The [zeroRISC's fork of OpenTitan](https://github.com/zerorisc/expo) - an open source silicon Root of Trust (RoT)
+ - [Pavona](https://github.com/pavona/pavona) - a library of modular, tapeout-proven, and secure-by-default open silicon blocks
 
 ## Formal Verification
 
@@ -80,6 +80,8 @@ through suitable barriers and constant-time patterns.
 Absence of secret-dependent branches, memory-access patterns and variable-latency instructions is also tested using `valgrind`
 with various combinations of compilers and compilation options.
 
+**Other attacks.** mlkem-native targets resistance against timing side-channels only. Other attack classes, such as power and electromagnetic side-channels, microarchitectural side-channels (e.g. speculative execution), or fault-injection attacks, are currently out of scope.
+
 ## Design
 
 mlkem-native is split into a _frontend_ and two _backends_ for arithmetic and FIPS202 / SHA3. The frontend is
@@ -94,12 +96,13 @@ mlkem-native currently offers the following backends:
 * 64-bit Arm backend (using Neon)
 * 64-bit Intel/AMD backend (using AVX2)
 * 64-bit RISC-V backend (using RVV)
+* 64-bit POWER backend (ppc64le, using VSX; supports POWER8 and above)
 * 32-bit Armv8.1-M backend (using Helium/MVE) -- see [#1501](https://github.com/pq-code-package/mlkem-native/issues/1501). This is still experimental and disabled by default.
 
 If you'd like contribute new backends, please reach out or just open a PR.
 
 Our AArch64 assembly is developed using the [SLOTHY](https://github.com/slothy-optimizer/slothy) superoptimizer, following the approach described in the SLOTHY paper[^SLOTHY_Paper]:
-We write 'clean' assembly by hand and automate micro-optimizations (e.g. see the [clean](dev/aarch64_clean/src/ntt.S) vs [optimized](dev/aarch64_opt/src/ntt.S) AArch64 NTT).
+We write 'clean' assembly by hand and automate micro-optimizations (e.g. see the [clean](dev/aarch64_clean/src/ntt_aarch64_asm.S) vs [optimized](dev/aarch64_opt/src/ntt_aarch64_asm.S) AArch64 NTT).
 See [dev/README.md](dev/README.md) for more details.
 
 ## Test Vectors

data/ext/pqcrypto/vendor/mlkem-native/RELEASE.md

@@ -1,4 +1,26 @@
 [//]: # (SPDX-License-Identifier: CC-BY-4.0)
+
+mlkem-native v1.2.0
+===================
+
+Release notes
+-------------
+
+mlkem-native v1.2.0 adds a new **PowerPC (ppc64le)** assembly backend and broadens portability of the existing
+backends: the x86_64 backend can now be used on Windows, the RISC-V backend compiles under C90, and a new
+Cortex-M33 baremetal target is tested. It also fixes a signed-shift undefined behavior on 16-bit-`int` targets
+and hardens the RISC-V backend against secret-dependent timing. Finally, the CBMC proofs are extended to
+establish loop termination for all functions except rejection sampling.
+
+What's New
+----------
+
+- **PowerPC (ppc64le) backend**: New VSX arithmetic backend (NTT, inverse NTT, `poly_reduce`, `poly_tomont`) for POWER8 and above, with automatic fallback to C on older targets. Thanks to IBM, and in particular Danny Tsen (@dannytsen) and Basil Hess (@bhess), for this contribution! ([#1677](https://github.com/pq-code-package/mlkem-native/pull/1677))
+- **Assurance**: CBMC now proves loop termination for all functions except rejection sampling. Thanks to Nicky Mouha (@nmouha) for making us aware of the absence of termination proofs. ([#1625](https://github.com/pq-code-package/mlkem-native/pull/1625))
+- **Verification tooling**: Bump CBMC to a development build that works around a Z3 soundness issue ([Z3#9550](https://github.com/Z3Prover/z3/issues/9550)) affecting the SMT solver used by the CBMC proofs. ([#1745](https://github.com/pq-code-package/mlkem-native/pull/1745))
+- **Portability**: the x86_64 assembly backend can now be used on Windows with compilers that support the SysV calling convention per function (GCC and Clang, via `__attribute__((sysv_abi))`) ([#1730](https://github.com/pq-code-package/mlkem-native/pull/1730)), the RISC-V backend compiles under C90 ([#1732](https://github.com/pq-code-package/mlkem-native/pull/1732)), and a new Cortex-M33 baremetal target is tested ([#1579](https://github.com/pq-code-package/mlkem-native/pull/1579)).
+- **Correctness / CT**: Fix signed-shift undefined behavior on 16-bit-`int` targets ([#1727](https://github.com/pq-code-package/mlkem-native/pull/1727)) and harden the RISC-V backend against secret-dependent timing ([#1732](https://github.com/pq-code-package/mlkem-native/pull/1732)).
+
 mlkem-native v1.1.0
 ====================
 

data/ext/pqcrypto/vendor/mlkem-native/mlkem/mlkem_native.c

@@ -88,6 +88,9 @@
 #include "src/native/riscv64/src/rv64v_debug.c"
 #include "src/native/riscv64/src/rv64v_poly.c"
 #endif
+#if defined(MLK_SYS_PPC64LE)
+#include "src/native/ppc64le/src/consts.c"
+#endif
 #endif /* MLK_CONFIG_USE_NATIVE_BACKEND_ARITH */
 
 #if defined(MLK_CONFIG_USE_NATIVE_BACKEND_FIPS202)
@@ -213,6 +216,8 @@
 #undef MLK_FIPS202_HEADER_FILE
 #undef MLK_FREE
 #undef MLK_INTERNAL_API
+#undef MLK_INTERNAL_DATA_DECLARATION
+#undef MLK_INTERNAL_DATA_DEFINITION
 #undef MLK_NAMESPACE
 #undef MLK_NAMESPACE_K
 #undef MLK_NAMESPACE_PREFIX
@@ -365,8 +370,11 @@
 #undef MLK_HAVE_INLINE_ASM
 #undef MLK_INLINE
 #undef MLK_MUST_CHECK_RETURN_VALUE
+#undef MLK_NOINLINE
 #undef MLK_RESTRICT
 #undef MLK_STATIC_TESTABLE
+#undef MLK_SYSV_ABI
+#undef MLK_SYSV_ABI_SUPPORTED
 #undef MLK_SYS_AARCH64
 #undef MLK_SYS_AARCH64_EB
 #undef MLK_SYS_APPLE
@@ -446,11 +454,11 @@
 #undef MLK_FIPS202_NATIVE_AARCH64_AUTO_H
 /* mlkem/src/fips202/native/aarch64/src/fips202_native_aarch64.h */
 #undef MLK_FIPS202_NATIVE_AARCH64_SRC_FIPS202_NATIVE_AARCH64_H
-#undef mlk_keccak_f1600_x1_scalar_asm
-#undef mlk_keccak_f1600_x1_v84a_asm
-#undef mlk_keccak_f1600_x2_v84a_asm
-#undef mlk_keccak_f1600_x4_v8a_scalar_hybrid_asm
-#undef mlk_keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm
+#undef mlk_keccak_f1600_x1_scalar_aarch64_asm
+#undef mlk_keccak_f1600_x1_v84a_aarch64_asm
+#undef mlk_keccak_f1600_x2_v84a_aarch64_asm
+#undef mlk_keccak_f1600_x4_v8a_scalar_hybrid_aarch64_asm
+#undef mlk_keccak_f1600_x4_v8a_v84a_scalar_hybrid_aarch64_asm
 #undef mlk_keccakf1600_round_constants
 /* mlkem/src/fips202/native/aarch64/x1_scalar.h */
 #undef MLK_FIPS202_AARCH64_NEED_X1_SCALAR
@@ -483,7 +491,7 @@
 #undef MLK_USE_FIPS202_X4_NATIVE
 /* mlkem/src/fips202/native/x86_64/src/fips202_native_x86_64.h */
 #undef MLK_FIPS202_NATIVE_X86_64_SRC_FIPS202_NATIVE_X86_64_H
-#undef mlk_keccak_f1600_x4_avx2
+#undef mlk_keccak_f1600_x4_avx2_asm
 #undef mlk_keccak_rho56
 #undef mlk_keccak_rho8
 #undef mlk_keccakf1600_round_constants
@@ -542,16 +550,16 @@
 #undef mlk_aarch64_ntt_zetas_layer67
 #undef mlk_aarch64_zetas_mulcache_native
 #undef mlk_aarch64_zetas_mulcache_twisted_native
-#undef mlk_intt_asm
-#undef mlk_ntt_asm
-#undef mlk_poly_mulcache_compute_asm
-#undef mlk_poly_reduce_asm
-#undef mlk_poly_tobytes_asm
-#undef mlk_poly_tomont_asm
-#undef mlk_polyvec_basemul_acc_montgomery_cached_asm_k2
-#undef mlk_polyvec_basemul_acc_montgomery_cached_asm_k3
-#undef mlk_polyvec_basemul_acc_montgomery_cached_asm_k4
-#undef mlk_rej_uniform_asm
+#undef mlk_intt_aarch64_asm
+#undef mlk_ntt_aarch64_asm
+#undef mlk_poly_mulcache_compute_aarch64_asm
+#undef mlk_poly_reduce_aarch64_asm
+#undef mlk_poly_tobytes_aarch64_asm
+#undef mlk_poly_tomont_aarch64_asm
+#undef mlk_polyvec_basemul_acc_montgomery_cached_k2_aarch64_asm
+#undef mlk_polyvec_basemul_acc_montgomery_cached_k3_aarch64_asm
+#undef mlk_polyvec_basemul_acc_montgomery_cached_k4_aarch64_asm
+#undef mlk_rej_uniform_aarch64_asm
 #undef mlk_rej_uniform_table
 #endif /* MLK_SYS_AARCH64 */
 #if defined(MLK_SYS_X86_64)
@@ -582,27 +590,27 @@
 /* mlkem/src/native/x86_64/src/arith_native_x86_64.h */
 #undef MLK_AVX2_REJ_UNIFORM_BUFLEN
 #undef MLK_NATIVE_X86_64_SRC_ARITH_NATIVE_X86_64_H
-#undef mlk_invntt_avx2
-#undef mlk_ntt_avx2
-#undef mlk_nttfrombytes_avx2
-#undef mlk_ntttobytes_avx2
-#undef mlk_nttunpack_avx2
-#undef mlk_poly_compress_d10_avx2
-#undef mlk_poly_compress_d11_avx2
-#undef mlk_poly_compress_d4_avx2
-#undef mlk_poly_compress_d5_avx2
-#undef mlk_poly_decompress_d10_avx2
-#undef mlk_poly_decompress_d11_avx2
-#undef mlk_poly_decompress_d4_avx2
-#undef mlk_poly_decompress_d5_avx2
-#undef mlk_poly_mulcache_compute_avx2
-#undef mlk_polyvec_basemul_acc_montgomery_cached_asm_k2
-#undef mlk_polyvec_basemul_acc_montgomery_cached_asm_k3
-#undef mlk_polyvec_basemul_acc_montgomery_cached_asm_k4
-#undef mlk_reduce_avx2
-#undef mlk_rej_uniform_asm
+#undef mlk_invntt_avx2_asm
+#undef mlk_ntt_avx2_asm
+#undef mlk_nttfrombytes_avx2_asm
+#undef mlk_ntttobytes_avx2_asm
+#undef mlk_nttunpack_avx2_asm
+#undef mlk_poly_compress_d10_avx2_asm
+#undef mlk_poly_compress_d11_avx2_asm
+#undef mlk_poly_compress_d4_avx2_asm
+#undef mlk_poly_compress_d5_avx2_asm
+#undef mlk_poly_decompress_d10_avx2_asm
+#undef mlk_poly_decompress_d11_avx2_asm
+#undef mlk_poly_decompress_d4_avx2_asm
+#undef mlk_poly_decompress_d5_avx2_asm
+#undef mlk_poly_mulcache_compute_avx2_asm
+#undef mlk_polyvec_basemul_acc_montgomery_cached_k2_avx2_asm
+#undef mlk_polyvec_basemul_acc_montgomery_cached_k3_avx2_asm
+#undef mlk_polyvec_basemul_acc_montgomery_cached_k4_avx2_asm
+#undef mlk_reduce_avx2_asm
+#undef mlk_rej_uniform_avx2_asm
 #undef mlk_rej_uniform_table
-#undef mlk_tomont_avx2
+#undef mlk_tomont_avx2_asm
 /* mlkem/src/native/x86_64/src/compress_consts.h */
 #undef MLK_NATIVE_X86_64_SRC_COMPRESS_CONSTS_H
 #undef mlk_compress_d10_data
@@ -656,5 +664,38 @@
 #undef mlk_debug_check_bounds_int16m1
 #undef mlk_debug_check_bounds_int16m2
 #endif /* MLK_SYS_RISCV64 */
+#if defined(MLK_SYS_PPC64LE)
+/*
+ * Undefine macros from native code (Arith, PPC64LE)
+ */
+/* mlkem/src/native/ppc64le/meta.h */
+#undef MLK_ARITH_BACKEND_NAME
+#undef MLK_ARITH_BACKEND_PPC64LE_DEFAULT
+#undef MLK_NATIVE_PPC64LE_META_H
+#undef MLK_USE_NATIVE_INTT
+#undef MLK_USE_NATIVE_NTT
+#undef MLK_USE_NATIVE_POLY_REDUCE
+#undef MLK_USE_NATIVE_POLY_TOMONT
+/* mlkem/src/native/ppc64le/src/arith_native_ppc64le.h */
+#undef MLK_NATIVE_PPC64LE_SRC_ARITH_NATIVE_PPC64LE_H
+#undef mlk_intt_ppc_asm
+#undef mlk_ntt_ppc_asm
+#undef mlk_poly_tomont_ppc_asm
+#undef mlk_reduce_ppc_asm
+/* mlkem/src/native/ppc64le/src/consts.h */
+#undef MLK_NATIVE_PPC64LE_SRC_CONSTS_H
+#undef MLK_PPC_C20159_OFFSET
+#undef MLK_PPC_NQ_OFFSET
+#undef MLK_PPC_N_INV_OFFSET
+#undef MLK_PPC_N_INV_TW_OFFSET
+#undef MLK_PPC_Q_OFFSET
+#undef MLK_PPC_TOMONT_OFFSET
+#undef MLK_PPC_TOMONT_TW_OFFSET
+#undef MLK_PPC_ZETA_INTT_OFFSET
+#undef MLK_PPC_ZETA_INTT_TW_OFFSET
+#undef MLK_PPC_ZETA_NTT_OFFSET
+#undef MLK_PPC_ZETA_NTT_TW_OFFSET
+#undef mlk_ppc_qdata
+#endif /* MLK_SYS_PPC64LE */
 #endif /* MLK_CONFIG_USE_NATIVE_BACKEND_ARITH */
 #endif /* !MLK_CONFIG_MONOBUILD_KEEP_SHARED_HEADERS */