
Enable Hybrid PQ KeyShares by default #2531

Merged
WillChilds-Klein merged 7 commits into aws:main from alexw91:pq-by-default
Jan 23, 2026

Conversation

@alexw91 (Contributor) commented Jul 8, 2025

Issues:

N/A

Description of changes:

Adds X25519MLKEM768 KeyShare to AWS-LC's default SupportedGroups list.

Call-outs:

  • SSL Padding tests to pad TLS ClientHellos up to 512 bytes were updated to disable X25519MLKEM768 in order to keep testing padding functionality.
  • ssl_version_test.cc was updated to expect SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE when calling SSL_get_peer_tmp_key() on an SSL connection that offered X25519MLKEM768. This is because there is no EVP_PKEY type for hybrid keys, only individual X25519 or MLKEM768 keys.

Testing:

Unit Tests confirm that X25519MLKEM768 and X25519 are now offered by default by AWS-LC.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
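As an added example (not code from this PR or from AWS-LC), the following script shows what the change above means on the wire: it serializes the TLS 1.3 supported_groups and key_share ClientHello extensions for a client that offers X25519MLKEM768, parses them back with bounds checks, and measures how far the hybrid key share pushes the ClientHello past the 512-byte padding target the PR's padding tests use. The group code points and key-share lengths follow RFC 8446 and draft-ietf-tls-ecdhe-mlkem; the preference list `ASSUMED_DEFAULT_GROUPS` is an assumption for illustration (the PR only states that X25519MLKEM768 and X25519 are now offered by default), and every byte string is constructed rather than captured.

```python
"""Encode, parse and size-check supported_groups + key_share extensions.

Added example, not AWS-LC code. Constants follow RFC 8446 and
draft-ietf-tls-ecdhe-mlkem; all inputs are constructed inline.
"""
import os
import struct

# NamedGroup code points (IANA TLS Supported Groups registry).
X25519MLKEM768 = 0x11EC
X25519 = 0x001D
SECP256R1 = 0x0017
SECP384R1 = 0x0018

# Expected client key_share payload length per group.
CLIENT_SHARE_LEN = {
    X25519MLKEM768: 1184 + 32,  # ML-KEM-768 encapsulation key || X25519 public key
    X25519: 32,
    SECP256R1: 65,              # uncompressed point: 0x04 || X || Y
    SECP384R1: 97,
}

EXT_SUPPORTED_GROUPS = 0x000A
EXT_KEY_SHARE = 0x0033
PADDING_TARGET = 512  # ClientHello size the PR's padding tests pad up to

# Assumed preference list for this example only; AWS-LC's real default list
# lives in its source. The PR states only that X25519MLKEM768 and X25519 are
# offered by default, so those two are the groups given key shares here.
ASSUMED_DEFAULT_GROUPS = [X25519MLKEM768, X25519, SECP256R1, SECP384R1]
ASSUMED_DEFAULT_SHARES = [X25519MLKEM768, X25519]


def build_extensions(groups, share_groups):
    """Serialize supported_groups and key_share as a length-prefixed extensions block."""
    sg_body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    shares = b""
    for g in share_groups:
        share = os.urandom(CLIENT_SHARE_LEN[g])  # placeholder bytes, not a real public key
        shares += struct.pack("!HH", g, len(share)) + share
    ks_body = struct.pack("!H", len(shares)) + shares
    exts = (struct.pack("!HH", EXT_SUPPORTED_GROUPS, len(sg_body)) + sg_body
            + struct.pack("!HH", EXT_KEY_SHARE, len(ks_body)) + ks_body)
    return struct.pack("!H", len(exts)) + exts


def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated uint16")
    return struct.unpack("!H", buf[off:off + 2])[0]


def parse_extensions(blob):
    """Parse an extensions block into (groups, {group: share_len}); ValueError if malformed."""
    if _u16(blob, 0) != len(blob) - 2:
        raise ValueError("bad extensions length")
    groups, shares, off = [], {}, 2
    while off < len(blob):
        etype, elen = _u16(blob, off), _u16(blob, off + 2)
        body = blob[off + 4:off + 4 + elen]
        if len(body) != elen:
            raise ValueError("truncated extension body")
        off += 4 + elen
        if etype == EXT_SUPPORTED_GROUPS:
            n = _u16(body, 0)
            if n != len(body) - 2 or n % 2:
                raise ValueError("bad supported_groups length")
            groups = list(struct.unpack("!%dH" % (n // 2), body[2:]))
        elif etype == EXT_KEY_SHARE:
            if _u16(body, 0) != len(body) - 2:
                raise ValueError("bad key_share length")
            p = 2
            while p < len(body):
                g, slen = _u16(body, p), _u16(body, p + 2)
                p += 4
                if p + slen > len(body) or g in shares:
                    raise ValueError("truncated or duplicate KeyShareEntry")
                shares[g] = slen
                p += slen
    return groups, shares


def check_shares(groups, shares):
    """Each key_share group must be in supported_groups (RFC 8446 4.2.8) and have the expected size."""
    for g, slen in shares.items():
        if g not in groups:
            raise ValueError("key_share group 0x%04x not in supported_groups" % g)
        if g in CLIENT_SHARE_LEN and slen != CLIENT_SHARE_LEN[g]:
            raise ValueError("share for 0x%04x is %d bytes, expected %d" % (g, slen, CLIENT_SHARE_LEN[g]))
    return True


def offers_hybrid_pq(blob):
    """True when the ClientHello both lists X25519MLKEM768 and sends a key share for it."""
    groups, shares = parse_extensions(blob)
    check_shares(groups, shares)
    return X25519MLKEM768 in groups and X25519MLKEM768 in shares


def over_padding_target(blob):
    """True when these extensions alone already exceed the 512-byte padding target."""
    return len(blob) > PADDING_TARGET


if __name__ == "__main__":
    hybrid = build_extensions(ASSUMED_DEFAULT_GROUPS, ASSUMED_DEFAULT_SHARES)
    classical = build_extensions(ASSUMED_DEFAULT_GROUPS[1:], [X25519])
    for name, blob in (("hybrid", hybrid), ("classical", classical)):
        print(name, len(blob), "bytes; PQ offered:", offers_hybrid_pq(blob),
              "; already over padding target:", over_padding_target(blob))
```

Run stand-alone it reports that the hybrid extensions alone are 1278 bytes against 56 for the classical list, i.e. the 1216-byte X25519MLKEM768 share by itself carries the ClientHello past the 512-byte mark, which is why a padding test that needs a small ClientHello has to disable that group. The same `offers_hybrid_pq` check, fed the extensions of a captured ClientHello, is a quick way to confirm from a packet capture that a client built against the new default is actually offering the hybrid group.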

@alexw91 alexw91 changed the title Enable X25519MLKEM769 by default Enable X25519MLKEM768 by default Jul 8, 2025
@codecov-commenter commented Jul 8, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.09%. Comparing base (83d9de2) to head (3eb1724).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2531      +/-   ##
==========================================
+ Coverage   78.07%   78.09%   +0.02%     
==========================================
  Files         682      682              
  Lines      118355   118360       +5     
  Branches    16608    16610       +2     
==========================================
+ Hits        92405    92436      +31     
+ Misses      25062    25036      -26     
  Partials      888      888              


@alexw91 alexw91 marked this pull request as ready for review July 9, 2025 17:08
@alexw91 alexw91 requested a review from a team as a code owner July 9, 2025 17:08
@darylmartin100 darylmartin100 self-requested a review July 10, 2025 17:33
@darylmartin100 (Contributor) commented:

FYI: I want to hold off on merging this in until we can better quantify the impact.

@alexw91 alexw91 changed the title Enable X25519MLKEM768 by default Enable Hybrid PQ KeyShares by default Jul 10, 2025
@alexw91 alexw91 force-pushed the pq-by-default branch 2 times, most recently from 9d75c89 to 029a167 on September 16, 2025 21:16
@justsmth justsmth requested review from WillChilds-Klein and removed request for darylmartin100 January 12, 2026 11:05
@WillChilds-Klein WillChilds-Klein enabled auto-merge (squash) January 23, 2026 18:17
@WillChilds-Klein WillChilds-Klein merged commit 43721b5 into aws:main Jan 23, 2026
399 of 400 checks passed
@justsmth justsmth mentioned this pull request Feb 20, 2026
justsmth added a commit that referenced this pull request Feb 20, 2026
### Description of changes:
* Bump urllib3 from 2.6.0 to 2.6.3 in /tests/ci by @dependabot[bot] in #2932
* Add weekly automated check for outdated third-party test vectors by @sgmenda in #2933
* Enable Hybrid PQ KeyShares by default by @alexw91 in #2531
* Remove AVX conditional from cmake script by @torben-hansen in #2958
* openssl-ca command implementation for self-sign certificates by @skmcgrail in #2937
* Initial Framework for Using Doxygen to Document Public Header Files by @m271828 in #2908
* Move md4 out of FIPS module by @torben-hansen in #2956
* Fix image-build-windows workflow to only push on workflow_call and workflow_dispatch by @skmcgrail in #2961
* Remove FIPS counter framework and other tidying up by @torben-hansen in #2947
* Model Device Farm CI Resources in CDK by @skmcgrail in #2965
* Adds a new randomness generation API by @torben-hansen in #2963
* Migrate Android Testing to GitHub Actions by @skmcgrail in #2969
* Ensure pkcs7 checks ASN1_TYPE->type by @skmcgrail in #2968
* Fix checkout logic for android-omnibus by @skmcgrail in #2970
* Add missing env vars to check-vectors workflow step by @sgmenda in #2962
* Shorten Windows Build Directory Path by @skmcgrail in #2974
* Bump mysql cluster version by @WillChilds-Klein in #2967
* Integrate Wycheproof ML-DSA test vectors by @sgmenda in #2973
* Simplify FIPS conditional in top-level build script by @torben-hansen in #2976
* Fix aws-lc-rs CI job by @justsmth in #2966
* Add method to get type of ML-DSA instance configured under EVP PKEY by @torben-hansen in #2980
* Nmap build needs liblinear by @justsmth in #2985
* Disable SLP vectorizer for FIPS shared library builds on GCC 14+ by @geedo0 in #2977
* Update Wycheproof ECDSA test vectors and fix workflow typo by @sgmenda in #2972
* Address some CMake findings by @skmcgrail in #2979
* Bump bytes from 1.7.1 to 1.11.1 in /tests/ci/lambda by @dependabot[bot] in #2983
* Support GCC 4.8 for aarch64 by @justsmth in #2964
* Free potential memory before assigning new pointer by @torben-hansen in #2989
* Add PyOpenSSL integration test by @WillChilds-Klein in #2992
* Ensure index argument is not negative in ASN1_BIT_STRING_set_bit by @torben-hansen in #2987
* Ensure no overflow in signed output length in do_buf by @torben-hansen in #2988
* Remove redundant CPython 3.9 integration test by @WillChilds-Klein in #2996
* Ensure public key is set before verifying through ML-DSA verify by @torben-hansen in #2990
* Correct CCM nids in object definition by @torben-hansen in #2991
* Address Reported Bug Findings by @skmcgrail in #3000
* Fix CI: gcc-4.8 by @justsmth in #3011
* Fix Windows CI: use `cd /d` in run_windows_tests.bat to handle cross-drive paths by @justsmth in #3012
* Fix OPENSSL_memchr per C23 by @justsmth in #3008
* Fix argument order in `hmac_copy` by @justsmth in #3014
* Miscellaneous CI improvements by @skmcgrail in #2978
* Fix CI: mariadb by @justsmth in #3015
* Update Ubuntu 24:04 image compiler verification by @skmcgrail in #3017
* Support WASM/Emscripten by @justsmth in #2959
* Generate Rust Bindings by @justsmth in #2999

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
samuel40791765 pushed a commit to samuel40791765/aws-lc that referenced this pull request Feb 24, 2026
samuel40791765 pushed a commit that referenced this pull request Feb 25, 2026