Lines Matching +full:output +full:- +full:only
1 .\" -*- mode: troff; coding: utf-8 -*-
36 .\" output yourself in some meaningful fashion.
57 .IX Title "EVP_PKEY-ML-KEM 7ossl"
58 .TH EVP_PKEY-ML-KEM 7ossl 2025-09-30 3.5.4 OpenSSL
64 EVP_PKEY\-ML\-KEM,
65 EVP_KEYMGMT\-ML\-KEM,
66 EVP_PKEY\-ML\-KEM\-512,
67 EVP_PKEY\-ML\-KEM\-768,
68 EVP_PKEY\-ML\-KEM\-1024,
69 EVP_KEYMGMT\-ML\-KEM\-512,
70 EVP_KEYMGMT\-ML\-KEM\-768,
71 EVP_KEYMGMT\-ML\-KEM\-1024
72 \&\- ML\-KEM keytype and algorithm support
75 The \fBML\-KEM\-512\fR, \fBML\-KEM\-768\fR, and \fBML\-KEM\-1024\fR keytypes are implemented
84 Internally, ML-KEM generates keys using a 64\-byte random value (seed), which is
85 the concatenation of the 32\-byte \fId\fR and \fIz\fR parameters described in FIPS 203.
86 This optional parameter can be used to set a pre-determined seed prior to
97 and private key output to \fBPKCS#8\fR files will by default include the seed.
99 key files will contain only the private key in FIPS 203 \f(CW\*(C`dk\*(C'\fR format.
103 ML-KEM hashing operations.
109 "Common Information Parameters" in \fBprovider\-keymgmt\fR\|(7)), \fBML-KEM\fR keys
124 \&\fBML\-KEM.KeyGen_internal\fR) \fBek\fR public key for the given ML-KEM variant.
125 Initial import aside, this parameter is otherwise only gettable.
133 \&\fBML\-KEM.KeyGen_internal\fR) \fBdk\fR private key for the given ML-KEM variant.
134 Initial import aside, this parameter is otherwise only gettable.
135 .IP """encoded-pub-key"" (\fBOSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY\fR) <octet string>" 4
136 .IX Item """encoded-pub-key"" (OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY) <octet string>"
139 \&\fBML\-KEM.KeyGen_internal\fR.
140 Updates of the public and private key components are only allowed on keys that
143 This parameter is gettable and settable (once only).
146 See the description of the \fB\-provparam\fR option in \fBopenssl\fR\|(1) to learn
152 .IX Item "ml-kem.import_pct_type (OSSL_PKEY_PARAM_ML_KEM_IMPORT_PCT_TYPE) <UTF8 string>"
153 When an \fBML-KEM\fR key is imported as an explict FIPS 203 \fBdk\fR decapsulation
163 .IX Item "ml-kem.retain_seed (OSSL_PKEY_PARAM_ML_KEM_RETAIN_SEED) <UTF8 string>"
168 only the FIPS 203 \f(CW\*(C`dk\*(C'\fR key.
171 .IX Item "ml-kem.prefer_seed (OSSL_PKEY_PARAM_ML_KEM_PREFER_SEED) <UTF8 string>"
181 .IX Item "ml-kem.input_formats (OSSL_PKEY_PARAM_ML_KEM_INPUT_FORMATS) <UTF8 string>"
185 in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line
188 Values specified on the command-line override any configuration file settings.
194 .IX Item "seed-priv:"
195 This format represents \fBPKCS#8\fR objects in which both the FIPS 203 64\-byte
200 \& ML\-KEM\-PrivateKey ::= CHOICE {
208 If the \f(CW\*(C`seed\-priv\*(C'\fR format is not included in the list, this format will not be
212 .IX Item "seed-only:"
213 This format represents \fBPKCS#8\fR objects in which only the 64\-byte \fB(d, z)\fR
215 If the \f(CW\*(C`seed\-only\*(C'\fR format is not included in the list, this format will not be
219 .IX Item "priv-only:"
220 This format represents \fBPKCS#8\fR objects in which only the FIPS 203
222 If the \f(CW\*(C`priv\-only\*(C'\fR format is not included in the list, this format will not be
235 .IX Item "bare-seed:"
237 the 64\-byte FIPS 204 seed \fB(d, z)\fR without any ASN.1 encapsulation.
238 If the \f(CW\*(C`bare\-seed\*(C'\fR format is not included in the list, this format will not be
242 .IX Item "bare-priv:"
245 If the \f(CW\*(C`bare\-priv\*(C'\fR format is not included in the list, this format will not be
252 .IX Item "ml-kem.output_formats (OSSL_PKEY_PARAM_ML_KEM_OUTPUT_FORMATS) <UTF8 string>"
253 Ordered list of enabled private key output formats when writing \fBPKCS#8\fR files.
256 in the "EXAMPLES" section below, or the via the \fB\-provparam\fR command-line
259 This supports the same set of formats as described under \f(CW\*(C`ml\-kem.input_formats\*(C'\fR
262 the first one that is possible to output.
265 The default order is equivalent to \f(CW\*(C`seed\-priv\*(C'\fR first and \f(CW\*(C`priv\-only\*(C'…
266 both seed and key output when the seed is available, and just the
268 If \f(CW\*(C`seed\-only\*(C'\fR is listed first, then the seed will be output without the key
269 when available, otherwise the output will have just the key.
270 If \f(CW\*(C`priv\-only\*(C'\fR is listed first, then just the key is output regardless of
272 The legacy \f(CW\*(C`oqskeypair\*(C'\fR, \f(CW\*(C`bare\-seed\*(C'\fR and \f(CW\*(C`bare\-priv\*(C'…
273 output, by listing those first.
284 \& EVP_PKEY_CTX_new_from_name(NULL, "ML\-KEM\-768", NULL);
287 An \fBML\-KEM\-768\fR key can be generated like this:
290 \& pkey = EVP_PKEY_Q_keygen(NULL, NULL, "ML\-KEM\-768");
293 An \fBML-KEM\fR private key in seed format can be converted to a key in the FIPS
297 \& $ openssl pkey \-provparam ml\-kem.retain_seed=no \e
298 \& \-in seed\-only.pem \-out priv\-only.pem
301 To generate an, e.g., \fBML\-KEM\-768\fR key, in FIPS 203 \fBdk\fR format, you can run:
304 \& $ openssl genpkey \-provparam ml\-kem.retain_seed=no \e
305 \& \-algorithm ml\-kem\-768 \-out priv\-only.pem
312 \& $ openssl pkey \-provparam ml\-kem.prefer_seed=no \e
313 \& \-in seed\-priv.pem \-out priv\-only.pem
329 \& input_formats = seed\-priv, seed\-only, priv\-only
330 \& # Output either the seed alone, or else the key alone
331 \& output_formats = seed\-only, priv\-only
339 \& ml\-kem = ml_kem_sect
342 \& ml\-kem = ml_kem_sect
347 \&\fBopenssl\-pkey\fR\|(1),
348 \&\fBopenssl\-genpkey\fR\|(1),
355 \&\fBprovider\-keymgmt\fR\|(7),
356 \&\fBEVP_KEM\-ML\-KEM\fR\|(7)
362 Copyright 2024\-2025 The OpenSSL Project Authors. All Rights Reserved.