Phase 2: PQ in boundary and SHA512 DRBG #9843

Open
kaleb-himes wants to merge 1 commit into wolfSSL:master from kaleb-himes:PQ-FS-2026-Part2

@kaleb-himes kaleb-himes commented Feb 27, 2026

Description

Phase 2 of the upcoming Post Quantum Full FIPS Submission. ML-KEM, ML-DSA, LMS (Verify), XMSS (Verify) added to module boundary along with a shiny new SHA512-DRBG implementation and NIST vector tests for sanity.

TODO: Once SLH-DSA is merged pull it into module boundary also and update this PR.

Testing

Many in-house FIPS custom scripts, optest app and harness.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@kaleb-himes kaleb-himes left a comment

** NON-FIPS **

./wolfcrypt/benchmark/benchmark -rng -rng-sha512 -rng-init -rng-sha512-init
------------------------------------------------------------------------------
 wolfSSL version 5.8.4
------------------------------------------------------------------------------
Math: 	Multi-Precision: Wolf(SP) word-size=64 bits=4096 sp_int.c
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
RNG SHA-256 DRBG           205 MiB took 1.021 seconds,  200.853 MiB/s Cycles per byte =  17.50
RNG SHA-512 DRBG           380 MiB took 1.013 seconds,  375.166 MiB/s Cycles per byte =   9.37
RNG      256 SHA256 Init/Free 146504 ops took 1.000 sec, avg 0.007 ms, 146503.616 ops/sec, 3686366718 cycles    25162.2 Cycles/op
RNG      512 SHA512 Init/Free 204287 ops took 1.000 sec, avg 0.005 ms, 204285.977 ops/sec, 3686374128 cycles    18045.1 Cycles/op
Benchmark complete

** FIPS **

./wolfcrypt/benchmark/benchmark -rng -rng-sha512 -rng-init -rng-sha512-init
------------------------------------------------------------------------------
 wolfSSL version 5.8.4
------------------------------------------------------------------------------
wolfCrypt Benchmark (block bytes 1048576, min 1.0 sec each)
RNG SHA-256 DRBG           205 MiB took 1.021 seconds,  200.763 MiB/s Cycles per byte =  17.51
RNG SHA-512 DRBG           375 MiB took 1.010 seconds,  371.333 MiB/s Cycles per byte =   9.47
RNG      256 SHA256 Init/Free 123726 ops took 1.000 sec, avg 0.008 ms, 123725.735 ops/sec, 3686363516 cycles    29794.6 Cycles/op
RNG      512 SHA512 Init/Free 172608 ops took 1.000 sec, avg 0.006 ms, 172607.506 ops/sec, 3686365894 cycles    21356.9 Cycles/op
Benchmark complete

Add rules to preserve module boundary in include.am

Add HAVE_SELFTEST and rng_bank SHA512 awareness

Fixed ML_KEM, SMALL_STACK tests, and avoidable internal SHA256-use for NSA 2.0

Fix windows ready and multi-test items

Fix the --disable-rng build

Fix RDSEED build failure

Multi-test report fixes

Updates after performance review

Used asym_finish reporting for RNGs but we lose access when PSK only

Continued updates to new benchmarks

SHA512-DRBG default ENTROPY_SCALE_FACTOR on par with SHA256-DRBG