Move rustls-post-quantum into the core crate #2288

ctz · 2024-12-19T16:04:49Z

The goal here is:

move the important parts of rustls-post-quantum into the core crate
add X25519MLKEM768 to the default key exchange algorithms for the aws-lc-rs provider (note, MLKEM768 is not included alone, for reasons given in the commit message, but remains available separately)
rustls-post-quantum merely reexports things it previously contained. This will be the final release of rustls-post-quantum.

rustls-benchmarking · 2024-12-19T16:08:08Z

Benchmark results

Instruction counts

Significant differences

⚠️ There are significant instruction count differences

Click to expand

Scenario	Baseline	Candidate	Diff	Threshold
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_server	1176853	1179801	⚠️ 2948 (0.25%)	0.20%

Other differences

Click to expand

Scenario	Baseline	Candidate	Diff	Threshold
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha_server	10698350	10748443	50093 (0.47%)	0.50%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_client	8255621	8292612	36991 (0.45%)	1.22%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes_server	10742074	10696542	-45532 (-0.42%)	0.71%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes_server	10470187	10449005	-21182 (-0.20%)	1.33%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_client	3082542	3088242	5700 (0.18%)	0.21%
handshake_session_id_aws_lc_rs_1.2_rsa_aes_client	3864355	3870955	6600 (0.17%)	0.20%
handshake_tickets_aws_lc_rs_1.2_rsa_aes_client	4206439	4213039	6600 (0.16%)	0.20%
handshake_session_id_ring_1.2_rsa_aes_client	4229019	4234959	5940 (0.14%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes_server	1174543	1172960	-1583 (-0.13%)	0.20%
handshake_tickets_ring_1.2_rsa_aes_client	4489533	4495473	5940 (0.13%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes_client	8288685	8298462	9777 (0.12%)	0.62%
handshake_no_resume_ring_1.3_ecdsap256_aes_server	1612230	1610488	-1742 (-0.11%)	0.20%
handshake_no_resume_ring_1.3_ecdsap256_chacha_server	1613596	1611879	-1717 (-0.11%)	0.20%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes_client	1717778	1716117	-1661 (-0.10%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes_client	1925827	1924094	-1733 (-0.09%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha_client	1932573	1930855	-1718 (-0.09%)	0.20%
handshake_no_resume_ring_1.3_rsa_aes_client	2655922	2654115	-1807 (-0.07%)	0.20%
handshake_no_resume_ring_1.3_rsa_chacha_client	2661789	2659982	-1807 (-0.07%)	0.20%
handshake_no_resume_ring_1.2_rsa_aes_client	2563547	2561818	-1729 (-0.07%)	0.20%
handshake_no_resume_ring_1.3_ecdsap256_aes_client	3623182	3621031	-2151 (-0.06%)	0.23%
transfer_no_resume_ring_1.3_rsa_aes_server	46487101	46461154	-25947 (-0.06%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes_server	46477532	46453629	-23903 (-0.05%)	0.20%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes_server	46423830	46400045	-23785 (-0.05%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes_client	28206905	28219666	12761 (0.05%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes_client	28203892	28216643	12751 (0.05%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha_client	28177215	28189900	12685 (0.05%)	0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_aes_client	28210779	28223427	12648 (0.04%)	0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha_client	28181056	28193538	12482 (0.04%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha_client	28174257	28186664	12407 (0.04%)	0.20%
transfer_no_resume_ring_1.2_rsa_aes_server	46389596	46370330	-19266 (-0.04%)	0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha_client	27787065	27797144	10079 (0.04%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes_client	27842126	27852169	10043 (0.04%)	0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_aes_client	27846584	27856568	9984 (0.04%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha_client	27780244	27789954	9710 (0.03%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha_client	27782852	27792518	9666 (0.03%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes_client	27839867	27849498	9631 (0.03%)	0.20%
transfer_no_resume_ring_1.3_rsa_chacha_server	80554932	80528992	-25940 (-0.03%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_server	2163085	2163741	656 (0.03%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha_server	80661843	80637947	-23896 (-0.03%)	0.20%
handshake_session_id_ring_1.3_ecdsap384_chacha_client	40179989	40190459	10470 (0.03%)	0.20%
handshake_session_id_ring_1.3_ecdsap256_chacha_client	40182932	40193402	10470 (0.03%)	0.20%
handshake_session_id_ring_1.3_rsa_chacha_client	40186983	40197453	10470 (0.03%)	0.20%
handshake_session_id_ring_1.3_ecdsap384_aes_client	40274309	40284779	10470 (0.03%)	0.20%
handshake_session_id_ring_1.3_ecdsap256_aes_client	40277252	40287722	10470 (0.03%)	0.20%
handshake_session_id_ring_1.3_rsa_aes_client	40281303	40291773	10470 (0.03%)	0.20%
handshake_tickets_ring_1.3_ecdsap384_chacha_client	40497499	40507969	10470 (0.03%)	0.20%
handshake_tickets_ring_1.3_ecdsap256_chacha_client	40500760	40511230	10470 (0.03%)	0.20%
handshake_tickets_ring_1.3_rsa_chacha_client	40504760	40515230	10470 (0.03%)	0.20%
handshake_tickets_ring_1.3_ecdsap384_aes_client	40571689	40582159	10470 (0.03%)	0.20%
handshake_tickets_ring_1.3_ecdsap256_aes_client	40574950	40585420	10470 (0.03%)	0.20%
handshake_tickets_ring_1.3_rsa_aes_client	40578950	40589420	10470 (0.03%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes_server	2160149	2160690	541 (0.03%)	0.20%
handshake_no_resume_ring_1.3_ecdsap384_chacha_server	7566704	7564964	-1740 (-0.02%)	0.20%
handshake_no_resume_ring_1.3_ecdsap384_aes_server	7564559	7562822	-1737 (-0.02%)	0.20%
handshake_no_resume_ring_1.3_rsa_aes_server	11425039	11423369	-1670 (-0.01%)	0.20%
handshake_no_resume_ring_1.3_rsa_chacha_server	11430994	11429324	-1670 (-0.01%)	0.20%
handshake_no_resume_ring_1.2_rsa_aes_server	11292436	11290807	-1629 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes_client	58245685	58237484	-8201 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes_client	58243604	58235404	-8200 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes_client	58240725	58232527	-8198 (-0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha_server	30377589	30381801	4212 (0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha_server	30380523	30384694	4171 (0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes_server	30422717	30426893	4176 (0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes_server	30423004	30427172	4168 (0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes_server	46456936	46450662	-6274 (-0.01%)	0.20%
transfer_no_resume_ring_1.3_ecdsap384_aes_server	46470691	46464416	-6275 (-0.01%)	0.20%
transfer_no_resume_ring_1.3_ecdsap256_aes_server	46467812	46461546	-6266 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes_server	46464556	46458293	-6263 (-0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_rsa_aes_server	30420256	30424312	4056 (0.01%)	0.20%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha_server	30380573	30384197	3624 (0.01%)	0.20%
transfer_no_resume_ring_1.3_rsa_aes_client	58342694	58336415	-6279 (-0.01%)	0.20%
transfer_no_resume_ring_1.3_ecdsap256_aes_client	58331799	58325522	-6277 (-0.01%)	0.20%
transfer_no_resume_ring_1.3_ecdsap384_aes_client	58338934	58332660	-6274 (-0.01%)	0.20%
handshake_no_resume_ring_1.3_ecdsap256_chacha_client	3625011	3624642	-369 (-0.01%)	0.25%
handshake_session_id_ring_1.3_rsa_chacha_server	41490398	41486230	-4168 (-0.01%)	0.20%
handshake_session_id_ring_1.3_rsa_aes_server	41608658	41604490	-4168 (-0.01%)	0.20%
handshake_session_id_ring_1.3_ecdsap256_chacha_server	41492451	41488341	-4110 (-0.01%)	0.20%
handshake_session_id_ring_1.3_ecdsap384_chacha_server	41492499	41488389	-4110 (-0.01%)	0.20%
handshake_session_id_ring_1.3_ecdsap256_aes_server	41610711	41606601	-4110 (-0.01%)	0.20%
handshake_session_id_ring_1.3_ecdsap384_aes_server	41610759	41606649	-4110 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes_client	58181208	58175574	-5634 (-0.01%)	0.20%
transfer_no_resume_ring_1.2_rsa_aes_client	58225376	58219740	-5636 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_client	92704733	92696530	-8203 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_client	92706963	92698768	-8195 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha_client	92710959	92702769	-8190 (-0.01%)	0.20%
transfer_no_resume_ring_1.3_ecdsap384_chacha_server	80540444	80534176	-6268 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha_server	80648885	80642612	-6273 (-0.01%)	0.20%
transfer_no_resume_ring_1.3_ecdsap256_chacha_server	80535645	80529381	-6264 (-0.01%)	0.20%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha_server	80641256	80634992	-6264 (-0.01%)	0.20%
transfer_no_resume_ring_1.3_ecdsap384_chacha_client	92673018	92666738	-6280 (-0.01%)	0.20%
transfer_no_resume_ring_1.3_rsa_chacha_client	92674857	92668583	-6274 (-0.01%)	0.20%
transfer_no_resume_ring_1.3_ecdsap256_chacha_client	92663952	92657682	-6270 (-0.01%)	0.20%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes_client	3079799	3079967	168 (0.01%)	0.21%
handshake_session_id_ring_1.2_rsa_aes_server	4233520	4233310	-210 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap256_chacha_server	41972158	41970238	-1920 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap384_chacha_server	41972348	41970428	-1920 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap256_aes_server	42070498	42068578	-1920 (-0.00%)	0.20%
handshake_tickets_ring_1.3_ecdsap384_aes_server	42070688	42068768	-1920 (-0.00%)	0.20%
handshake_tickets_ring_1.3_rsa_chacha_server	41969798	41967940	-1858 (-0.00%)	0.20%
handshake_tickets_ring_1.3_rsa_aes_server	42068138	42066280	-1858 (-0.00%)	0.20%
handshake_tickets_ring_1.2_rsa_aes_server	4698000	4697820	-180 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha_server	28890070	28889305	-765 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_rsa_aes_server	28968359	28967659	-700 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes_server	28970618	28969940	-678 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha_server	28892229	28891627	-602 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha_server	28892178	28891633	-545 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes_server	28970646	28970105	-541 (-0.00%)	0.20%
handshake_session_id_aws_lc_rs_1.2_rsa_aes_server	3872463	3872415	-48 (-0.00%)	0.20%
handshake_tickets_aws_lc_rs_1.2_rsa_aes_server	5019734	5019712	-22 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap384_chacha_client	35182570	35182451	-119 (-0.00%)	0.20%
handshake_no_resume_ring_1.3_ecdsap384_aes_client	35180648	35180544	-104 (-0.00%)	0.20%

Wall-time

Significant differences

There are no significant wall-time differences

Other differences

Click to expand

Scenario	Baseline	Candidate	Diff	Threshold
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_aes	4.51 ms	4.42 ms	-0.09 ms (-1.93%)	7.90%
transfer_no_resume_aws_lc_rs_1.3_rsa_aes	5.16 ms	5.08 ms	-0.08 ms (-1.51%)	7.52%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_aes	5.21 ms	5.13 ms	-0.08 ms (-1.49%)	7.00%
transfer_no_resume_aws_lc_rs_1.2_rsa_aes	5.09 ms	5.02 ms	-0.07 ms (-1.42%)	7.66%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_chacha	458.90 µs	452.94 µs	-5.96 µs (-1.30%)	4.86%
transfer_no_resume_ring_1.3_ecdsap256_aes	6.36 ms	6.28 ms	-0.08 ms (-1.24%)	5.94%
handshake_no_resume_ring_1.3_ecdsap256_chacha	503.48 µs	497.26 µs	-6.22 µs (-1.24%)	4.61%
transfer_no_resume_ring_1.3_rsa_aes	6.86 ms	6.77 ms	-0.08 ms (-1.20%)	5.49%
handshake_no_resume_ring_1.3_ecdsap256_aes	506.73 µs	500.70 µs	-6.04 µs (-1.19%)	4.08%
handshake_tickets_ring_1.2_rsa_aes	1.61 ms	1.59 ms	-0.02 ms (-1.05%)	1.80%
transfer_no_resume_ring_1.2_rsa_aes	6.78 ms	6.71 ms	-0.07 ms (-1.04%)	5.37%
transfer_no_resume_ring_1.3_ecdsap384_aes	9.47 ms	9.39 ms	-0.08 ms (-0.84%)	3.12%
handshake_no_resume_aws_lc_rs_1.3_ecdsap256_aes	459.70 µs	456.27 µs	-3.42 µs (-0.75%)	5.22%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_chacha	4.49 ms	4.46 ms	-0.03 ms (-0.71%)	1.66%
handshake_session_id_ring_1.2_rsa_aes	1.52 ms	1.51 ms	-0.01 ms (-0.70%)	1.10%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_chacha	4.30 ms	4.27 ms	-0.03 ms (-0.65%)	2.02%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_chacha	4.98 ms	4.95 ms	-0.03 ms (-0.63%)	1.41%
transfer_no_resume_ring_1.3_ecdsap256_chacha	13.01 ms	12.93 ms	-0.08 ms (-0.62%)	2.79%
handshake_tickets_aws_lc_rs_1.2_rsa_aes	1.77 ms	1.79 ms	0.01 ms (0.62%)	2.09%
handshake_session_id_aws_lc_rs_1.3_rsa_chacha	4.95 ms	4.92 ms	-0.03 ms (-0.60%)	1.15%
transfer_no_resume_aws_lc_rs_1.3_ecdsap256_chacha	12.97 ms	12.90 ms	-0.07 ms (-0.55%)	2.97%
handshake_session_id_aws_lc_rs_1.2_rsa_aes	1.61 ms	1.62 ms	0.01 ms (0.55%)	1.71%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_chacha	5.18 ms	5.15 ms	-0.03 ms (-0.55%)	1.43%
handshake_no_resume_ring_1.3_rsa_chacha	996.48 µs	991.02 µs	-5.46 µs (-0.55%)	2.07%
transfer_no_resume_aws_lc_rs_1.3_ecdsap384_chacha	13.68 ms	13.60 ms	-0.07 ms (-0.54%)	2.39%
transfer_no_resume_ring_1.3_rsa_chacha	13.50 ms	13.43 ms	-0.07 ms (-0.52%)	2.93%
handshake_tickets_aws_lc_rs_1.3_rsa_chacha	5.15 ms	5.12 ms	-0.03 ms (-0.52%)	1.74%
handshake_tickets_aws_lc_rs_1.3_ecdsap256_aes	4.51 ms	4.49 ms	-0.02 ms (-0.50%)	1.63%
handshake_session_id_aws_lc_rs_1.3_rsa_aes	4.97 ms	4.95 ms	-0.02 ms (-0.49%)	1.35%
transfer_no_resume_aws_lc_rs_1.3_rsa_chacha	13.62 ms	13.56 ms	-0.07 ms (-0.49%)	2.86%
handshake_session_id_ring_1.3_rsa_aes	6.88 ms	6.85 ms	-0.03 ms (-0.47%)	1.00%
handshake_tickets_ring_1.3_ecdsap256_aes	6.46 ms	6.43 ms	-0.03 ms (-0.46%)	1.40%
handshake_session_id_aws_lc_rs_1.3_ecdsap256_aes	4.32 ms	4.30 ms	-0.02 ms (-0.45%)	1.38%
handshake_tickets_aws_lc_rs_1.3_rsa_aes	5.16 ms	5.14 ms	-0.02 ms (-0.45%)	1.26%
transfer_no_resume_ring_1.3_ecdsap384_chacha	16.11 ms	16.04 ms	-0.07 ms (-0.43%)	1.85%
handshake_session_id_ring_1.3_ecdsap256_aes	6.38 ms	6.36 ms	-0.03 ms (-0.42%)	1.48%
handshake_tickets_ring_1.3_rsa_aes	6.95 ms	6.92 ms	-0.03 ms (-0.42%)	1.26%
handshake_no_resume_ring_1.2_rsa_aes	992.54 µs	989.09 µs	-3.46 µs (-0.35%)	1.80%
handshake_session_id_ring_1.3_ecdsap384_aes	9.48 ms	9.44 ms	-0.03 ms (-0.33%)	1.00%
handshake_no_resume_ring_1.3_rsa_aes	996.17 µs	992.87 µs	-3.30 µs (-0.33%)	1.99%
handshake_tickets_aws_lc_rs_1.3_ecdsap384_aes	5.21 ms	5.19 ms	-0.02 ms (-0.31%)	1.22%
handshake_session_id_aws_lc_rs_1.3_ecdsap384_aes	5.02 ms	5.00 ms	-0.02 ms (-0.30%)	1.49%
handshake_tickets_ring_1.3_ecdsap384_aes	9.55 ms	9.52 ms	-0.03 ms (-0.28%)	1.00%
handshake_no_resume_aws_lc_rs_1.2_rsa_aes	1.07 ms	1.07 ms	0.00 ms (0.25%)	3.49%
handshake_tickets_ring_1.3_rsa_chacha	6.89 ms	6.87 ms	-0.02 ms (-0.22%)	1.02%
handshake_no_resume_aws_lc_rs_1.3_rsa_chacha	1.11 ms	1.11 ms	0.00 ms (0.22%)	2.19%
handshake_session_id_ring_1.3_rsa_chacha	6.82 ms	6.80 ms	-0.01 ms (-0.19%)	1.00%
handshake_session_id_ring_1.3_ecdsap256_chacha	6.33 ms	6.32 ms	-0.01 ms (-0.19%)	1.27%
handshake_tickets_ring_1.3_ecdsap256_chacha	6.40 ms	6.39 ms	-0.01 ms (-0.18%)	1.13%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_aes	1.16 ms	1.16 ms	0.00 ms (0.13%)	1.54%
handshake_session_id_ring_1.3_ecdsap384_chacha	9.42 ms	9.41 ms	-0.01 ms (-0.13%)	1.00%
handshake_tickets_ring_1.3_ecdsap384_chacha	9.49 ms	9.47 ms	-0.01 ms (-0.11%)	1.00%
handshake_no_resume_ring_1.3_ecdsap384_chacha	3.60 ms	3.60 ms	-0.00 ms (-0.09%)	1.00%
handshake_no_resume_ring_1.3_ecdsap384_aes	3.61 ms	3.60 ms	-0.00 ms (-0.08%)	1.00%
handshake_no_resume_aws_lc_rs_1.3_ecdsap384_chacha	1.15 ms	1.15 ms	0.00 ms (0.08%)	2.15%
handshake_no_resume_aws_lc_rs_1.3_rsa_aes	1.10 ms	1.10 ms	-0.00 ms (-0.03%)	1.82%

Additional information

Historical results

Checkout details:

Base repo: https://github.com/rustls/rustls.git
Base branch: main (9697e63)
Candidate repo: https://github.com/rustls/rustls.git
Candidate branch: jbp-pq-main-crate (3253af2)

codecov · 2024-12-19T16:14:12Z

Codecov Report

Attention: Patch coverage is 98.18182% with 1 line in your changes missing coverage. Please review.

Project coverage is 94.87%. Comparing base (9697e63) to head (3253af2).
Report is 16 commits behind head on main.

Files with missing lines	Patch %	Lines
rustls/src/crypto/aws_lc_rs/pq/hybrid.rs	94.73%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2288      +/-   ##
==========================================
+ Coverage   94.82%   94.87%   +0.05%     
==========================================
  Files         104      103       -1     
  Lines       24100    24136      +36     
==========================================
+ Hits        22853    22900      +47     
+ Misses       1247     1236      -11

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ctz · 2024-12-19T16:15:31Z

--- failure function_missing: pub fn removed or renamed ---
--- failure pub_static_missing: pub static is missing ---

I think this is obi1kenobi/cargo-semver-checks#573 -- I'm pretty sure this is semver compatible, otherwise the "semver trick" could never work.

ctz · 2024-12-19T16:18:44Z

⚠️ There are significant instruction count differences

😅

rustls/src/crypto/aws_lc_rs/pq/mod.rs

dconnolly · 2024-12-19T18:44:03Z

rustls/src/crypto/aws_lc_rs/mod.rs

+/// This does not contain MLKEM768; by default MLKEM768 is only offered
+/// in hybrid with X25519.


re the comment message:

This maintains the existing ALL_KX_GROUPS and
introduces DEFAULT_KX_GROUPS. These are different
because (for now) DEFAULT_KX_GROUPS does not contain
ML-KEM-768.

That is out of abundance of caution -- in case ML-KEM
does not fare well in its first years of being (partially)
load-bearing for internet traffic. This seems the most
conservative choice.

Fair enough. There is (at time of writing) activity in TLSWG to adopt and possibly make the MLKEM-only key agreements more 'real' and on track to become an RFC than they currently are, including possibly 'Recommended=Y': if that happens I may ask about shuffling the DEFAULT_KX_GROUPS around again 😅

djc

Very exciting stuff!

So if I understand correctly, the aws-lc-rs default provider will now prioritize X25519MLKEM768 as the key exchange, and that will have a substantial effect on how handshakes will be conducted in the wild. I wonder whether, despite the careful API compatibility, this is the kind of thing that might merit a semver-incompatible release with clear notice in the release notes? Or just start by adding a simple way to enable this without affecting the default providers? (Like crypto::aws_lc_rs::post_quantum_provider().)

Once it's been deployed for a while, we could bring 0.23 up too, but this feels like a big change with substantial risk at breakage.

There is a balance here to be struck between sort of operational risk appetite (PQ key exchange needs many more CPU cycles/round trip-induced latency/bandwidth) and cryptographic risk appetite (quantum computers might be coming soonish so we need to migrate to better crypto ASAP), and in its current state I think this PR is too far on the crypto side.

rustls/src/crypto/aws_lc_rs/pq/mlkem.rs

rustls/src/crypto/aws_lc_rs/pq/hybrid.rs

rustls/src/crypto/aws_lc_rs/mod.rs

rustls/src/crypto/ring/kx.rs

rustls/tests/api.rs

rustls/tests/unbuffered.rs

rustls/src/crypto/aws_lc_rs/pq/mod.rs

cpu

I wonder whether, despite the careful API compatibility, this is the kind of thing that might merit a semver-incompatible release with clear notice in the release notes? Or just start by adding a simple way to enable this without affecting the default providers? (Like crypto::aws_lc_rs::post_quantum_provider().)

I'm optimistic, but share some of Djc's concerns about whether promoting the hybrid kx to default in a point release is going to cause trouble.

It feels like the separate rustls-post-quantum crate probably didn't get a lot of exposure/testing and so I see some appeal in a more gradual process where we make post-qc options more accessible (maybe a crate feature to opt-in to default post-qc without code change?) while concurrently collecting up more work to justify a semver-incompatible release. Hopefully by the time we have a good set of changes for a version bump we'll also have more downstream experience with post-qc and can retire the feature flag and make it a default.

rustls/src/crypto/aws_lc_rs/pq/mod.rs

rustls/src/crypto/aws_lc_rs/pq/mlkem.rs

djc · 2024-12-21T18:43:52Z

Oh, I also like a Cargo feature as a mechanism to enable this, and something that we can easily shift from opt-in to opt-out over time.

ctz · 2025-01-07T14:23:39Z

Oh, I also like a Cargo feature as a mechanism to enable this, and something that we can easily shift from opt-in to opt-out over time.

I've added a commit to do that. Here's what I'm thinking about a release note for this:

New crate feature: prefer-post-quantum: setting this feature adjusts the aws-lc-rs provider's DEFAULT_KX_GROUPS order, so X25519MLKEM768 is the most preferred key exchange algorithm. This has some performance impact: handshakes which offer TLS1.3 are larger and slower.

Without this feature, X25519MLKEM768 is the least preferred (so can still be used, if the server prefers).

We expect to add this feature to the crate's default features in a future minor release.

The rustls-post-quantum crate now depends on the core rustls crate and activates this feature.

ctz · 2025-01-07T14:25:39Z

(I'm also aware that the commit ordering of this PR no longer makes much sense; it's on my TODO list.)

ctz · 2025-01-22T15:52:36Z

I think this is ready for a second look. Rough changes since last time:

controlling the priority of X25519MLKEM768 under a crate feature, called prefer-post-quantum. the rustls-post-quantum crate sets this feature, but otherwise it is not set by default.
included a reference to the SP800-227 draft that was recently released
fix a couple of HRR bugs found by bogo when X25519MLKEM768 is highest priority

djc

Nice!

rustls/src/crypto/aws_lc_rs/pq/mlkem.rs

rustls-post-quantum/README.md

rustls-post-quantum/src/lib.rs

rustls/src/manual/defaults.rs

rustls/src/manual/features.rs

cpu

Great work 🌠

cpu · 2024-12-30T16:28:45Z

rustls/tests/api.rs

            version.version,
        );
    }
 }

+fn expected_kx_for_version(_version: &SupportedProtocolVersion) -> NamedGroup {


nice tidy 👍

rustls-post-quantum/README.md

rustls/src/manual/defaults.rs

cpu · 2025-01-23T14:57:21Z

rustls/src/manual/features.rs

@@ -12,6 +12,7 @@ APIs ([`CryptoProvider`] for example).
 * ECDSA, Ed25519 or RSA server authentication by clients `*`
 * ECDSA, Ed25519[^1] or RSA server authentication by servers `*`
 * Forward secrecy using ECDHE; with curve25519, nistp256 or nistp384 curves `*`
+* Post-quantum hybrid key exchange with [X25519MLKEM768](https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/) [^2] `*`


The new "prefer-post-quantum" crate feature controls the default preference of `X25519MLKEM768` in the aws-lc-rs provider. If set, `X25519MLKEM768` is the most preferred algorithm in `DEFAULT_KX_GROUPS`. Otherwise, it is least preferred. `ALL_KX_GROUPS` contains both `X25519MLKEM768` and `MLKEM768`. `DEFAULT_KX_GROUPS` does not contain plain `MLKEM768`. That is out of an abundance of caution -- in case ML-KEM does not fare well in its first years of being (partially) load-bearing for internet traffic. This seems the most conservative choice. rustls-post-quantum sets this feature and re-exports the items that are now in the core crate.

ctz · 2025-01-24T12:13:10Z

I think I've addressed those comments -- thanks. I also removed the link to rustls-post-quantum from the list of alternate providers.

djc · 2025-01-24T12:25:27Z

I'm confused why the semver compatibility lints are failing here. Maybe send some feedback upstream?

These seem like false positives:

--- failure function_missing: pub fn removed or renamed ---

Description:
A publicly-visible function cannot be imported by its prior path. A `pub use` may have been removed, or the function itself may have been renamed or removed entirely.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#item-remove
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.38.0/src/lints/function_missing.ron

Failed in:
  function rustls_post_quantum::provider, previously in file /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rustls-post-quantum-0.2.1/src/lib.rs:69

--- failure pub_static_missing: pub static is missing ---

Description:
A public static is missing, renamed, or made private.
        ref: https://doc.rust-lang.org/cargo/reference/semver.html#item-remove
       impl: https://github.com/obi1kenobi/cargo-semver-checks/tree/v0.38.0/src/lints/pub_static_missing.ron

Failed in:

     Summary semver requires new major version: 2 major and 0 minor checks failed
  MLKEM768 in file /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rustls-post-quantum-0.2.1/src/lib.rs:97
  X25519MLKEM768 in file /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/rustls-post-quantum-0.2.1/src/lib.rs:82

ctz · 2025-01-24T15:02:38Z

I'm confused why the semver compatibility lints are failing here. Maybe send some feedback upstream?

This is tracked upstream as obi1kenobi/cargo-semver-checks#638

rustls-post-quantum is now a stub, and will have a summit release that reexports the same API from the core crate.

A HRR that does not request a specific KX group should lead to the precise same KeyShares extension in the second ClientHello. However, we omitted the second keyshare which does not meet the "without modification" requirement of RFC8446 §4.1.2. Fixes `ServerAcceptsEarlyDataOnHRR-Client-TLS13` when `prefer-post-quantum` feature is enabled.

This condition only considered the primary kx. Fixes `UnnecessaryHelloRetryRequest-TLS13` when `prefer-post-quantum` feature enabled.

ctz commented Dec 19, 2024

View reviewed changes

rustls/src/crypto/aws_lc_rs/pq/mod.rs Outdated Show resolved Hide resolved

dconnolly reviewed Dec 19, 2024

View reviewed changes

djc reviewed Dec 20, 2024

View reviewed changes

cpu reviewed Dec 21, 2024

View reviewed changes

rustls/src/crypto/aws_lc_rs/pq/mod.rs Outdated Show resolved Hide resolved

rustls/src/crypto/aws_lc_rs/pq/mlkem.rs Show resolved Hide resolved

cpu mentioned this pull request Dec 21, 2024

FFI for rustls-post-quantum provider crate rustls/rustls-ffi#507

Closed

This was referenced Dec 29, 2024

rustls-post-quantum: 0.2.1 -> 0.2.2 #2293

Closed

rustls 0.23.22, opt-in prefer-post-quantum feature flag rustls/rustls-ffi#520

Merged

ctz force-pushed the jbp-pq-main-crate branch 2 times, most recently from 5917ee1 to aae61da Compare December 30, 2024 15:04

ctz force-pushed the jbp-pq-main-crate branch from aae61da to 9e7a732 Compare January 7, 2025 14:17

ctz force-pushed the jbp-pq-main-crate branch from 9e7a732 to 339504b Compare January 7, 2025 14:36

ctz marked this pull request as draft January 20, 2025 17:03

ctz force-pushed the jbp-pq-main-crate branch from 339504b to 80b9b36 Compare January 20, 2025 17:34

ctz mentioned this pull request Jan 21, 2025

Incidental/preparatory parts of #2288 #2306

Merged

ctz force-pushed the jbp-pq-main-crate branch 2 times, most recently from 8bf0bef to 66f2c9e Compare January 22, 2025 13:01

ctz mentioned this pull request Jan 22, 2025

FIPS: allow more detailed reporting of approval status #2309

Open

ctz marked this pull request as ready for review January 22, 2025 15:52

cpu self-requested a review January 22, 2025 16:16

djc approved these changes Jan 23, 2025

View reviewed changes

cpu approved these changes Jan 23, 2025

View reviewed changes

subsume rustls-post-quantum into core crate

6a662f1

ctz added 2 commits January 24, 2025 11:29

Implement fips() for ML-KEM and generic hybrid

3f7a412

ctz force-pushed the jbp-pq-main-crate branch from 827f765 to 0bf04a9 Compare January 24, 2025 12:09

djc approved these changes Jan 24, 2025

View reviewed changes

ctz added 5 commits January 24, 2025 15:41

Bump rustls 0.23.22, rustls-post-quantum 0.2.2

9011dd5

rustls-post-quantum is now a stub, and will have a summit release that reexports the same API from the core crate.

Move crypto::aws_lc_rs::pq docs into manual

6fef399

Add X25519MLKEM768 to features documentation

d17cc2e

Detect illegal HRR if X25519 offered as secondary kx

3253af2

This condition only considered the primary kx. Fixes `UnnecessaryHelloRetryRequest-TLS13` when `prefer-post-quantum` feature enabled.

ctz force-pushed the jbp-pq-main-crate branch from 0bf04a9 to 3253af2 Compare January 24, 2025 15:42

ctz added this pull request to the merge queue Jan 27, 2025

Merged via the queue into main with commit 43c2336 Jan 27, 2025
60 of 62 checks passed

ctz deleted the jbp-pq-main-crate branch January 27, 2025 10:43

cpu mentioned this pull request Jan 30, 2025

Fix RFC 7250 Compliance (#2257) #2274

Merged

		/// This does not contain MLKEM768; by default MLKEM768 is only offered
		/// in hybrid with X25519.

Move rustls-post-quantum into the core crate #2288

Move rustls-post-quantum into the core crate #2288

Uh oh!

Conversation

Uh oh!

Uh oh!

Benchmark results

Instruction counts

Significant differences

Other differences

Wall-time

Significant differences

Other differences

Additional information

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!