Recent commits:
- `7e8602` expose MlKem768 public API in root.zig; add keyGenInternalIPD; CCTV 10k accumulated KAT (f7db260e…b548d3) verified (v0.1.7); dev, 4 weeks ago
- `213dfa` implement kem.zig: ML-KEM KeyGen/Encaps/Decaps with constant-time implicit rejection, IPD-style seeded variants for CCTV; ek/dk/K/c/KBar KATs all green (v0.1.6); dev, 4 weeks ago
zig-mlkem
Pure Zig ML-KEM-768 (FIPS 203, August 2024). No allocations. Constant-time on every secret-dependent path. Validated against the C2SP CCTV intermediate vectors at every layer and against the 10 000-iteration accumulated KAT.
```zig
const MlKem = @import("mlkem").MlKem768;
// seed_d, seed_z and seed_m are caller-supplied 32-byte seeds (see below)
const kp = MlKem.keyGen(seed_d, seed_z);
const enc = MlKem.encapsulate(kp.publicKey, seed_m);
const ss = MlKem.decapsulate(kp.secretKey, enc.ciphertext);
// `enc.sharedSecret` and `ss` are equal
```
The library is deterministic: the caller supplies every 32-byte seed (d and z for key generation, m for encapsulation). Source them from a CSPRNG (e.g. std.crypto.random.bytes); the library never draws randomness on its own.
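The following is an added example, not code from the repository, showing how a caller would drive the API above from a CSPRNG and what the determinism and implicit-rejection properties look like in a `zig test` block. It assumes the function and field names from the snippet above (`keyGen`, `encapsulate`, `decapsulate`, `publicKey`, `secretKey`, `ciphertext`, `sharedSecret`), that the module is imported as `mlkem`, and that `ciphertext` and `sharedSecret` are plain byte arrays; the fixed seeds are constructed values, not test vectors.

```zig
const std = @import("std");
const MlKem = @import("mlkem").MlKem768; // assumed module name, as in the README snippet

// Fills one 32-byte seed from the OS CSPRNG. All randomness is the caller's job.
fn freshSeed() [32]u8 {
    var seed: [32]u8 = undefined;
    std.crypto.random.bytes(&seed);
    return seed;
}

// One full KeyGen -> Encaps -> Decaps round trip; true when both sides agree on K.
fn roundTrip(seed_d: [32]u8, seed_z: [32]u8, seed_m: [32]u8) bool {
    const kp = MlKem.keyGen(seed_d, seed_z);
    const enc = MlKem.encapsulate(kp.publicKey, seed_m);
    const ss = MlKem.decapsulate(kp.secretKey, enc.ciphertext);
    // In a test this plain comparison is fine; a production compare of secrets
    // should use a constant-time equality routine.
    return std.mem.eql(u8, &enc.sharedSecret, &ss);
}

pub fn main() void {
    const ok = roundTrip(freshSeed(), freshSeed(), freshSeed());
    std.debug.print("round trip ok: {}\n", .{ok});
}

// Constructed fixed seeds (hypothetical values, not CCTV vectors).
const d = [_]u8{0x01} ** 32;
const z = [_]u8{0x02} ** 32;
const m = [_]u8{0x03} ** 32;

test "fresh seeds round-trip to the same shared secret" {
    try std.testing.expect(roundTrip(freshSeed(), freshSeed(), freshSeed()));
}

test "same seeds give the same ciphertext and shared secret" {
    // Determinism is what lets the KATs pin every intermediate value.
    const kp1 = MlKem.keyGen(d, z);
    const kp2 = MlKem.keyGen(d, z);
    const enc1 = MlKem.encapsulate(kp1.publicKey, m);
    const enc2 = MlKem.encapsulate(kp2.publicKey, m);
    try std.testing.expectEqualSlices(u8, &enc1.ciphertext, &enc2.ciphertext);
    try std.testing.expectEqualSlices(u8, &enc1.sharedSecret, &enc2.sharedSecret);
}

test "a modified ciphertext is implicitly rejected" {
    const kp = MlKem.keyGen(d, z);
    const enc = MlKem.encapsulate(kp.publicKey, m);
    var bad = enc.ciphertext;
    bad[0] ^= 0x01; // flip one bit of c
    // FIPS 203 has no error path here: Decaps returns a pseudorandom key
    // derived from z and the received ciphertext, so the caller only
    // observes that the two sides disagree.
    const ss = MlKem.decapsulate(kp.secretKey, bad);
    try std.testing.expect(!std.mem.eql(u8, &enc.sharedSecret, &ss));
}
```

Run with `zig test` against the module; the third test is the observable side of the constant-time implicit rejection described in the commit log: a corrupted ciphertext neither errors nor leaks which step failed, it just yields a different key.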
Status
All seven layers implemented; all CCTV KATs green.
Build
```sh
zig build test                           # quick: layer-by-layer KATs only
zig build test -Doptimize=ReleaseSafe    # adds the 10 000-iteration KAT
```
Requires Zig 0.15.2 or later.
Layout
```
src/
  root.zig       public API
  kem.zig        ML-KEM.{KeyGen,Encaps,Decaps}
  pke.zig        K-PKE component scheme
  module.zig     PolyVec / PolyMat, Compress_d / Decompress_d
  poly.zig       polynomial arithmetic, ByteEncode / ByteDecode
  ntt.zig        NTT, NTT⁻¹, Montgomery / Barrett reduction
  sampling.zig   SampleNTT, SamplePolyCBD
test/
  vectors/       CCTV test vectors
  test_*.zig     layer-by-layer KATs
```
License
TBD.