Apple's corecrypto open sourced


Jack

May 29, 2026, 12:39:47 PM (5 days ago) May 29
to pqc-forum
Apple open sourced https://github.com/apple/corecrypto, the library behind iOS/macOS, and it includes their MLKEM, MLDSA and X Wing implementations. I had a quick read through and came away genuinely impressed at how hardened it is, well beyond what I usually run into. The constant-time selects are randomly masked so they double as a power analysis countermeasure instead of just being timing safe, signature verification carries fault canaries, the elliptic curve paths use projective coordinate randomization with blinded scalar multiplications, and even the software GHASH is built on carryless multiply emulation rather than lookup tables, so there's no cache timing surface at all. Most libraries do one or two of these; I've never seen one like corecrypto apply them consistently across the whole thing, and the post-quantum parts are also the ones they formally verified, down to the ARM64 assembly. Well worth a look.
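To make the table-free GHASH point concrete, here is an added example (written for this note, not corecrypto's code) of GF(2^128) multiplication done as bit-serial carryless-multiply emulation: every selection is an all-ones/all-zero mask, so there is no secret-dependent branch and no table indexed by key-derived data. The known-answer check uses GCM spec test case 2 (AES-128, zero key, one zero plaintext block, no AAD).

```c
#include <stdint.h>
#include <stddef.h>
/* GCM block: bytes 0..7 big-endian in hi, bytes 8..15 in lo */
typedef struct { uint64_t hi, lo; } block128;
static block128 load_block(const uint8_t b[16]) {
    block128 r = {0, 0};
    for (int i = 0; i < 8; i++) {
        r.hi = (r.hi << 8) | b[i];
        r.lo = (r.lo << 8) | b[8 + i];
    }
    return r;
}

/* Bit-serial GF(2^128) multiply in GCM's reflected bit order. Every iteration does
 * the same work; masks replace the "if x_i == 1" and "if LSB(V) == 1" branches. */
static block128 gf128_mul(block128 x, block128 y) {
    block128 z = {0, 0}, v = y;
    for (int i = 0; i < 128; i++) {
        uint64_t bit = i < 64 ? (x.hi >> (63 - i)) & 1 : (x.lo >> (127 - i)) & 1;
        uint64_t m = 0 - bit;                 /* all ones iff x_i == 1 */
        z.hi ^= v.hi & m;
        z.lo ^= v.lo & m;
        uint64_t r = 0 - (v.lo & 1);          /* all ones iff V_127 == 1 */
        v.lo = (v.lo >> 1) | (v.hi << 63);
        v.hi = (v.hi >> 1) ^ (0xe100000000000000ULL & r); /* mod x^128+x^7+x^2+x+1 */
    }
    return z;
}

/* GHASH_H over whole 16-byte blocks: Y_i = (Y_{i-1} xor X_i) * H */
static block128 ghash(const uint8_t h[16], const uint8_t *data, size_t nblocks) {
    block128 hk = load_block(h), y = {0, 0};
    for (size_t i = 0; i < nblocks; i++) {
        block128 xi = load_block(data + 16 * i);
        y.hi ^= xi.hi; y.lo ^= xi.lo;
        y = gf128_mul(y, hk);
    }
    return y;
}

/* Known-answer check against GCM spec test case 2; returns 1 on match. */
static int ghash_selftest(void) {
    static const uint8_t h[16] = {0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e};
    static const uint8_t in[32] = {0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78,
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0x80}; /* C || len(A)||len(C) */
    block128 y = ghash(h, in, 2);
    return y.hi == 0xf38cbb1ad69223dcULL && y.lo == 0xc3457ae5b6b0f885ULL;
}
```

A production version would additionally process the partial final block and the length block that GCM appends; this one only shows the constant-time field arithmetic.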

Jacob Alperin-Sheriff

May 29, 2026, 6:21:00 PM (4 days ago) May 29
to Jack, pqc-forum
And yet it’s in C instead of Rust? Shameful 


-Jacob Alperin-Sheriff


Q C

May 29, 2026, 10:39:42 PM (4 days ago) May 29
to pqc-forum, Jack

Jack

May 30, 2026, 5:08:53 AM (4 days ago) May 30
to pqc-forum, Q C, Jack
Yeah, I noticed that; it's also only MLKEM 768/1024, which might be a deliberate choice not to use the lower security levels.