Re: [RFC] ML-KEM (FIPS 203) implementation with reusable decapsulation pool

[Eric Biggers <ebiggers@kernel.org>]

On Tue, Jun 09, 2026 at 10:45:48AM +0300, kstzavertaylo wrote:
> Hello,
> I have been working on an ML-KEM (FIPS 203) implementation for the
> Linux kernel. This is an early RFC to solicit feedback on the overall
> design and architecture before further polishing.
> 
> The implementation consists of two closely related variants sharing
> the same core cryptographic logic:
>     1. A userspace implementation accompanied by a set of validation
> programs, including NIST KAT vectors, timing-leakage testing (dudect),
> pool stress tests, and additional functional tests.
>     2. A Linux kernel module implementing the KPP interface and
> reusing the same core architecture where possible.
> 
> Key features include:
>    1. Support for all three parameter sets: ML-KEM-512, ML-KEM-768,
> and ML-KEM-1024.
>    2. The implementation uses a reusable decapsulation pool consisting
> of preallocated slots associated with a key context. The goal of this
> design is to move memory allocation to key initialization and avoid
> per-decapsulation allocations.
>    3. Explicit zeroization of sensitive data and constant-time
> operations where required.
>    4. Portable C11 codebase with minimal differences between userspace
> and kernel versions.
> 
> I am aware that some aspects (local SHA3/SHAKE implementation, coding
> style, etc.) will likely need adjustment to align with upstream
> expectations.
> 
> At this stage, I would like to ask for feedback on the following points:
>    1. Is the general direction (KPP integration + reusable
> decapsulation pool) acceptable?
>    2. Are there any fundamental concerns with the pool-based architecture?
>    3. Would you prefer to reuse kernel crypto primitives for
> SHA3/SHAKE, or is the current embedded approach acceptable at this
> stage?
> 
> The implementation is available at: repository - https://github.com/kstzv/ml-kem
> 
> Documentation and implementation details are available in the repository.
> 
> Any feedback, criticism or suggestions would be greatly appreciated.

There's already a kernel patchset for ML-KEM and X-Wing ready to go:
https://lore.kernel.org/linux-crypto/20260525184403.101818-1-ebiggers@kernel.org/T/#u
It's a high quality implementation that fully follows kernel conventions
already.  There just hasn't been a reason to merge it yet, since there's
no user yet.

We could consider replacing my ML-KEM implementation (patch 1 of that
series) with a different one.  But it would have to be a high-quality
implementation that brings something substantially new to the table.

I think only an integration of
https://github.com/pq-code-package/mlkem-native *might* have a chance at
passing that bar.  However, it would be way more code than my
implementation, would have significant integration challenges, and would
need some fixing up to work in the kernel.  The main benefit would be
getting the assembly code, but it's not clear that will be needed.  So
those are some of the reasons I didn't reach for that initially.

I don't think integrating https://github.com/kstzv/ml-kem would be
beneficial, for a number of reasons.

Anyway, I suggest you review the pre-existing patchset
https://lore.kernel.org/linux-crypto/20260525184403.101818-1-ebiggers@kernel.org/
and give feedback on that, if you have any.

- Eric