[WebCrypto] Implement X-wing in WebCrypto [chromium/src : main]

39 views

Skip to first unread message

Hubert Chao (Gerrit)

unread,

May 6, 2026, 1:23:09 PM (13 days ago) May 6

to David Benjamin, Chromium LUCI CQ, Chromium Metrics Reviews, chromium...@chromium.org, Kentaro Hara, Raphael Kubo da Costa, asvitkine...@chromium.org, blink-re...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org, jbroma...@chromium.org, kinuko...@chromium.org

Attention needed from David Benjamin

Hubert Chao voted Commit-Queue+1

Commit-Queue

Open in Gerrit

Related details

Attention is currently required from:

David Benjamin

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

David Benjamin (Gerrit)

unread,

May 11, 2026, 3:26:21 PM (8 days ago) May 11

to Hubert Chao, Chromium LUCI CQ, Chromium Metrics Reviews, chromium...@chromium.org, Kentaro Hara, Raphael Kubo da Costa, asvitkine...@chromium.org, blink-re...@chromium.org, blink-revie...@chromium.org, blink-...@chromium.org, jbroma...@chromium.org, kinuko...@chromium.org

Attention needed from Hubert Chao

David Benjamin added 9 comments

File components/webcrypto/algorithms/xwing_unittest.cc

File-level comment, Patchset 4 (Latest):

David Benjamin . unresolved

I forget what was the WPT conclusion. Is there anything here that isn't tested by WPTs? (What's the story with the WPTs?)

File third_party/blink/renderer/bindings/modules/v8/serialization/v8_script_value_deserializer_for_modules.cc

Line 391, Patchset 4 (Latest): case kNoParamsKeyTag: {

David Benjamin . unresolved

Why isn't `kKemXwingKeyTag` just `kNoParamsKeyTag`? What did we end up doing for ML-KEM and ML-DSA? I don't see them here either, so I assume we sent them down some generic path?

File third_party/blink/renderer/bindings/modules/v8/serialization/v8_script_value_serializer_for_modules.cc

Line 575, Patchset 4 (Latest): tag = kKemXwingKeyTag;

David Benjamin . unresolved

Ditto from other file.

Although I'm very confused because the `default` case has a `DCHECK` that it seems ML-KEM and ML-DSA would fail. Are ML-KEM and ML-DSA support incomplete? How does this code work?

File third_party/blink/renderer/bindings/modules/v8/serialization/v8_script_value_serializer_for_modules_test.cc

Line 831, Patchset 4 (Latest): // Generate a KemXwing key pair.

David Benjamin . unresolved

I've never heard the name KemXwing before. Not just "X-Wing"?

Edit: Oh, I see elsewhere you use the string "KEM-XWING". Setting aside that not being a standard name for the algorithm, if the algorithm is to be called KEM-XWING, it seems you should use that in the comment.

Line 853, Patchset 4 (Latest): // Check that the keys have the same RawSeed representation.

David Benjamin . unresolved

Nit: This is also odd to see in prose. "raw seed"?

Line 871, Patchset 4 (Latest): // Check that the keys have the same RawPublic representation.

David Benjamin . unresolved

"raw public"?

File third_party/blink/renderer/bindings/modules/v8/serialization/web_crypto_sub_tags.h

Line 78, Patchset 4 (Latest): kKemXwingKeyTag = 9,

David Benjamin . unresolved

Ditto. But also why allocate this at all instead of just using the no-params tag?

Line 38, Patchset 4 (Latest): kKemXwingTag = 26,

David Benjamin . unresolved

Ditto re what the name of this algorithm is.

File third_party/blink/renderer/modules/crypto/normalize_algorithm.cc

Line 100, Patchset 4 (Latest): {"KEM-XWING", 9, kWebCryptoAlgorithmIdKemXwing},

David Benjamin . unresolved

...oh, is this where KEM-XWING came from? Do you have a link to the spec this is implementing? draft-connolly-cfrg-xwing-kem calls it "X-Wing" while draft-irtf-cfrg-concrete-hybrid-kems calls it "MLKEM768-X25519".

Open in Gerrit

Related details

Attention is currently required from:

Hubert Chao

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

No-Unresolved-Comments

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Hubert Chao (Gerrit)

unread,

May 18, 2026, 2:27:23 PM (15 hours ago) May 18

Attention needed from David Benjamin

Hubert Chao added 9 comments

File components/webcrypto/algorithms/xwing_unittest.cc

File-level comment, Patchset 4:

David Benjamin . resolved

I forget what was the WPT conclusion. Is there anything here that isn't tested by WPTs? (What's the story with the WPTs?)

Hubert Chao

we don't have WPT's right now; I figured I'd add them and remove these tests (or remove these tests if someone else adds them) once the WPTs are added, which I believe we said should happen after X-wing makes it into the modern crypto spec.

File third_party/blink/renderer/bindings/modules/v8/serialization/v8_script_value_deserializer_for_modules.cc

Line 391, Patchset 4: case kNoParamsKeyTag: {

David Benjamin . resolved

Why isn't `kKemXwingKeyTag` just `kNoParamsKeyTag`? What did we end up doing for ML-KEM and ML-DSA? I don't see them here either, so I assume we sent them down some generic path?

Hubert Chao

resolving as a part of crbug.com/512509718

File third_party/blink/renderer/bindings/modules/v8/serialization/v8_script_value_serializer_for_modules.cc

Line 575, Patchset 4: tag = kKemXwingKeyTag;

David Benjamin . resolved

Ditto from other file.
Although I'm very confused because the `default` case has a `DCHECK` that it seems ML-KEM and ML-DSA would fail. Are ML-KEM and ML-DSA support incomplete? How does this code work?

Hubert Chao

resolving in crbug.com/512509718

File third_party/blink/renderer/bindings/modules/v8/serialization/v8_script_value_serializer_for_modules_test.cc

Line 831, Patchset 4: // Generate a KemXwing key pair.

David Benjamin . resolved

I've never heard the name KemXwing before. Not just "X-Wing"?
Edit: Oh, I see elsewhere you use the string "KEM-XWING". Setting aside that not being a standard name for the algorithm, if the algorithm is to be called KEM-XWING, it seems you should use that in the comment.

Hubert Chao

changed name to `MLKEM768-X25519` as per discussion outside of CL

Line 853, Patchset 4: // Check that the keys have the same RawSeed representation.

David Benjamin . resolved

Nit: This is also odd to see in prose. "raw seed"?

Hubert Chao

tests removed (in favor of WPT serialization tests, see crbug.com/512509718)

Line 871, Patchset 4: // Check that the keys have the same RawPublic representation.

David Benjamin . resolved

"raw public"?

Hubert Chao

test removed (in favor of WPT serialization tests, see crbug.com/512509718)

File third_party/blink/renderer/bindings/modules/v8/serialization/web_crypto_sub_tags.h

Line 78, Patchset 4: kKemXwingKeyTag = 9,

David Benjamin . resolved

Ditto. But also why allocate this at all instead of just using the no-params tag?

Hubert Chao

resolving as a part of crbug.com/512509718

Line 38, Patchset 4: kKemXwingTag = 26,

David Benjamin . resolved

Ditto re what the name of this algorithm is.

Hubert Chao

Acknowledged

File third_party/blink/renderer/modules/crypto/normalize_algorithm.cc

Line 100, Patchset 4: {"KEM-XWING", 9, kWebCryptoAlgorithmIdKemXwing},

David Benjamin . resolved

...oh, is this where KEM-XWING came from? Do you have a link to the spec this is implementing? draft-connolly-cfrg-xwing-kem calls it "X-Wing" while draft-irtf-cfrg-concrete-hybrid-kems calls it "MLKEM768-X25519".

Hubert Chao

changing name to `MLKEM768-X25519` as per outside discussion.

Open in Gerrit

Related details

Attention is currently required from:

David Benjamin

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Reply all

Reply to author

Forward

0 new messages