filippo.io/mlkem768: A Secure and Readable Implementation of ML-KEM-768
ML-KEM-768 is a post-quantum key exchange mechanism that is being standardized by NIST and adopted by most of the industry. Filippo Valsorda, a renowned Go developer, has written a pure-Go implementation of ML-KEM-768 called filippo.io/mlkem768. In this blog post, we will explore the features of this implementation, its design choices, and its implications for the industry.
Implementing ML-KEM-768 in Go
filippo.io/mlkem768 is a pure-Go implementation of ML-KEM-768 that has been optimized for correctness, readability, and security. The implementation consists of approximately 500 lines of code, 200 lines of comments, and 650 lines of tests. It has no dependencies except for golang.org/x/crypto/sha3.
One of the unique aspects of this implementation is that it was written from scratch, without closely reading other codebases. This was done intentionally to validate the ML-KEM specification and demonstrate that it is possible to produce an interoperable implementation based solely on the specification.
To ensure high security assurance and ease of review, the implementation closely mirrors the FIPS 203 specification. Function and variable names, as well as operation ordering, were carefully chosen to align with the specification. Additionally, the implementation includes a comprehensive guide on the necessary math background for implementing ML-KEM.
Readability and Reviewability
One of the primary goals of the filippo.io/mlkem768 implementation is readability. The code has been designed to be easily reviewed and understood by both code reviewers and interested researchers. This focus on readability serves as an educational resource for future maintainers and cryptography engineers.
Despite the emphasis on readability, the implementation does not compromise on security. The code has undergone extensive testing, with a test coverage of over 95%. Test vectors have been designed to cover various edge cases and are reusable by other implementations.
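A round trip through an ML-KEM-768 key encapsulation, including one of the edge cases test vectors need to cover, as an added example that is not code from filippo.io/mlkem768 or from the original post. It assumes Go 1.24 or later and uses the standard library's crypto/mlkem package rather than the filippo.io/mlkem768 API; the helper names roundTrip and tamperedKey are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/mlkem" // standard library, Go 1.24+ (assumption: not the filippo.io/mlkem768 API)
	"fmt"
)

// roundTrip (hypothetical helper) runs one ML-KEM-768 exchange and returns the
// sender's key, the receiver's key, the ciphertext and the decapsulation key.
func roundTrip() (sent, recv, ct []byte, dk *mlkem.DecapsulationKey768, err error) {
	if dk, err = mlkem.GenerateKey768(); err != nil {
		return nil, nil, nil, nil, err
	}
	// The receiver publishes the encapsulation key as bytes; the sender parses
	// it, which also validates its length and encoding.
	ek, err := mlkem.NewEncapsulationKey768(dk.EncapsulationKey().Bytes())
	if err != nil {
		return nil, nil, nil, nil, err
	}
	sent, ct = ek.Encapsulate()
	recv, err = dk.Decapsulate(ct)
	return sent, recv, ct, dk, err
}

// tamperedKey (hypothetical helper) flips one ciphertext bit and decapsulates.
// ML-KEM rejects implicitly: no error, just a key unrelated to the sender's.
func tamperedKey(dk *mlkem.DecapsulationKey768, ct []byte) ([]byte, error) {
	bad := bytes.Clone(ct)
	bad[0] ^= 0x01
	return dk.Decapsulate(bad)
}

func main() {
	sent, recv, ct, dk, err := roundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Println("keys match:", bytes.Equal(sent, recv), "ciphertext bytes:", len(ct))
	bad, err := tamperedKey(dk, ct)
	fmt.Println("tampered: err =", err, "matches sender:", bytes.Equal(bad, sent))
	_, err = dk.Decapsulate(ct[:len(ct)-1]) // wrong length is the only explicit error
	fmt.Println("truncated: err != nil:", err != nil)
}
```

Because a modified ciphertext produces no error, a protocol built on the KEM only notices tampering when the two sides' derived keys fail to agree later, for example at a handshake MAC.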
Performance and Optimization
While performance is not the primary goal of the filippo.io/mlkem768 implementation, it has been optimized to be fast enough for practical use. The implementation is competitive with assembly-optimized implementations of other cryptographic algorithms, such as P-256 and X25519.
The performance optimizations in the implementation include minimizing heap allocations and using high-performance Go programming patterns. Further optimizations are still possible, such as storing the sampled matrix for key generation and decapsulation, and optimizing the field implementation.
Interoperability and Standardization
ML-KEM-768 is being standardized by NIST, and the filippo.io/mlkem768 implementation aligns with the latest changes in the specification. The implementation supports the experimental protocols defined in terms of Kyber v3 and can be used for the main deployed PQ TLS key exchange.
By following the specification closely, the implementation ensures interoperability with other ML-KEM-768 implementations. It also allows for fingerprinting the implementation as Kyber-on-ML-KEM without compromising security or functionality.
The filippo.io/mlkem768 implementation of ML-KEM-768 is a secure, readable, and performant implementation of this post-quantum key exchange mechanism. It serves as an excellent resource for understanding and implementing ML-KEM-768, while also ensuring interoperability with other implementations.
With its emphasis on readability, thorough testing, and alignment with the specification, filippo.io/mlkem768 sets a high standard for implementing post-quantum cryptographic algorithms. As the industry continues to adopt ML-KEM-768, this implementation will play a