Reverse TLS hybrid keyshares for x25519/x448-mlkem hybrids (#524)

* Share reversal for x25519_mlkem* Signed-off-by: Basil Hess <[email protected]> * Update x25519_mlkem768 code point Signed-off-by: Basil Hess <[email protected]> * interop onlu with x25519_kyber768 Signed-off-by: Basil Hess <[email protected]> * Updated templates to change x25519_mlkem768 to X25519MLKEM768 Signed-off-by: Pravek Sharma <[email protected]> * Hacked hybrid logic to work with new name X25519MLKEM768 Signed-off-by: Pravek Sharma <[email protected]> * Updated templates to change p256_mlkem768 to SecP256r1MLKEM768 Signed-off-by: Pravek Sharma <[email protected]> * Cast void* to char* to satisy MSVC Signed-off-by: Pravek Sharma <[email protected]> * fixing encoders Signed-off-by: Basil Hess <[email protected]> * More explicit logic for share reversal in oqsnames.fragment Signed-off-by: Basil Hess <[email protected]> * Add interop tests with google for X25519MLKEM768 and x25519_kyber768 Signed-off-by: Basil Hess <[email protected]> --------- Signed-off-by: Basil Hess <[email protected]> Signed-off-by: Pravek Sharma <[email protected]> Co-authored-by: Pravek Sharma <[email protected]>
open-quantum-safe · Oct 2, 2024 · 98a355f · 98a355f
1 parent dbdac6b
commit 98a355f
Show file tree

Hide file tree

Showing 38 changed files with 803 additions and 465 deletions.
diff --git a/ALGORITHMS.md b/ALGORITHMS.md
@@ -44,8 +44,8 @@ As standardization for these algorithms within TLS is not done, all TLS code poi
 | mlkem768 | 0x0768 | Yes | OQS_CODEPOINT_MLKEM768 |
 | p384_mlkem768 | 0x2F4C | Yes | OQS_CODEPOINT_P384_MLKEM768 |
 | x448_mlkem768 | 0x2FB7 | Yes | OQS_CODEPOINT_X448_MLKEM768 |
-| x25519_mlkem768 | 0x2FB8 | Yes | OQS_CODEPOINT_X25519_MLKEM768 |
-| p256_mlkem768 | 4587 | Yes | OQS_CODEPOINT_P256_MLKEM768 |
+| X25519MLKEM768 | 0x11ec | Yes | OQS_CODEPOINT_X25519MLKEM768 |
+| SecP256r1MLKEM768 | 0x11eb | Yes | OQS_CODEPOINT_SECP256R1MLKEM768 |
 | mlkem1024 | 0x1024 | Yes | OQS_CODEPOINT_MLKEM1024 |
 | p521_mlkem1024 | 0x2F4D | Yes | OQS_CODEPOINT_P521_MLKEM1024 |
 | p384_mlkem1024 | 0x2F4E | Yes | OQS_CODEPOINT_P384_MLKEM1024 |
@@ -260,8 +260,8 @@ If [OQS_KEM_ENCODERS](CONFIGURE.md#OQS_KEM_ENCODERS) is enabled the following li
 | mlkem768 | 2.16.840.1.101.3.4.4.2 | OQS_OID_MLKEM768
 | p384_mlkem768 | 1.3.9999.99.75 | OQS_OID_P384_MLKEM768
 | x448_mlkem768 | 1.3.9999.99.53 | OQS_OID_X448_MLKEM768
-| x25519_mlkem768 | 1.3.9999.99.54 | OQS_OID_X25519_MLKEM768
-| p256_mlkem768 | 1.3.9999.99.55 | OQS_OID_P256_MLKEM768
+| X25519MLKEM768 | 1.3.9999.99.54 | OQS_OID_X25519MLKEM768
+| SecP256r1MLKEM768 | 1.3.9999.99.55 | OQS_OID_SECP256R1MLKEM768
 | mlkem1024 | 2.16.840.1.101.3.4.4.3 | OQS_OID_MLKEM1024
 | p521_mlkem1024 | 1.3.9999.99.76 | OQS_OID_P521_MLKEM1024
 | p384_mlkem1024 | 1.3.6.1.4.1.42235.6 | OQS_OID_P384_MLKEM1024

diff --git a/README.md b/README.md
@@ -41,7 +41,7 @@ This implementation makes available the following quantum safe algorithms:
 - **CRYSTALS-Kyber**: `kyber512`, `p256_kyber512`, `x25519_kyber512`, `kyber768`, `p384_kyber768`, `x448_kyber768`, `x25519_kyber768`, `p256_kyber768`, `kyber1024`, `p521_kyber1024`
 - **FrodoKEM**: `frodo640aes`, `p256_frodo640aes`, `x25519_frodo640aes`, `frodo640shake`, `p256_frodo640shake`, `x25519_frodo640shake`, `frodo976aes`, `p384_frodo976aes`, `x448_frodo976aes`, `frodo976shake`, `p384_frodo976shake`, `x448_frodo976shake`, `frodo1344aes`, `p521_frodo1344aes`, `frodo1344shake`, `p521_frodo1344shake`
 - **HQC**: `hqc128`, `p256_hqc128`, `x25519_hqc128`, `hqc192`, `p384_hqc192`, `x448_hqc192`, `hqc256`, `p521_hqc256`†
-- **ML-KEM**: `mlkem512`, `p256_mlkem512`, `x25519_mlkem512`, `mlkem768`, `p384_mlkem768`, `x448_mlkem768`, `x25519_mlkem768`, `p256_mlkem768`, `mlkem1024`, `p521_mlkem1024`, `p384_mlkem1024`
+- **ML-KEM**: `mlkem512`, `p256_mlkem512`, `x25519_mlkem512`, `mlkem768`, `p384_mlkem768`, `x448_mlkem768`, `X25519MLKEM768`, `SecP256r1MLKEM768`, `mlkem1024`, `p521_mlkem1024`, `p384_mlkem1024`
 
 ### Signature algorithms
 

diff --git a/oqs-template/ALGORITHMS.md/ids.fragment b/oqs-template/ALGORITHMS.md/ids.fragment
@@ -4,7 +4,7 @@
 {%- for kem in config['kems']  %}
 | {{ kem['name_group'] }} | {{ kem['nid'] }} | Yes | OQS_CODEPOINT_{{ kem['name_group']|upper }} |
 {%- for hybrid in kem['hybrids'] %}
-| {{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }} | {{ hybrid['nid'] }} | Yes | OQS_CODEPOINT_{{ hybrid['hybrid_group']|upper }}_{{ kem['name_group']|upper }} |
+| {% if 'standard_name' in hybrid %}{{ hybrid['standard_name'] }}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %} | {{ hybrid['nid'] }} | Yes | OQS_CODEPOINT_{% if 'standard_name' in hybrid %}{{ hybrid['standard_name']|upper }}{% else %}{{ hybrid['hybrid_group']|upper }}_{{ kem['name_group']|upper }}{% endif %} |
 {%- endfor %}
 {%- endfor %}
 {%- for sig in config['sigs'] %}

diff --git a/oqs-template/ALGORITHMS.md/oids.fragment b/oqs-template/ALGORITHMS.md/oids.fragment
@@ -22,7 +22,7 @@ If [OQS_KEM_ENCODERS](CONFIGURE.md#OQS_KEM_ENCODERS) is enabled the following li
 {%- for kem in config['kems'] %}
 | {{kem['name_group']}} | {{ kem['oid'] }} | OQS_OID_{{ kem['name_group']|upper }}
 {%- for hybrid in kem['hybrids'] %}
-| {{ hybrid['hybrid_group'] }}_{{kem['name_group']}} | {{hybrid['hybrid_oid']}} | OQS_OID_{{ hybrid['hybrid_group']|upper }}_{{ kem['name_group']|upper }}
+| {% if 'standard_name' in hybrid %}{{ hybrid['standard_name'] }}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %} | {{hybrid['hybrid_oid']}} | OQS_OID_{% if 'standard_name' in hybrid %}{{ hybrid['standard_name']|upper }}{% else %}{{ hybrid['hybrid_group']|upper }}_{{ kem['name_group']|upper }}{% endif %}
 {%- endfor -%}
 {%- endfor %}
 
diff --git a/oqs-template/README.md/algs.fragment b/oqs-template/README.md/algs.fragment
@@ -1,7 +1,7 @@
 
 ### KEM algorithms
 {% for family, kems in config['kems'] | groupby('family') %}
-- **{{ family }}**: {% for kem in kems -%} `{{ kem['name_group'] }}` {%- for hybrid in kem['hybrids'] -%}, `{{ hybrid['hybrid_group']}}_{{ kem['name_group'] }}`{%- endfor -%}{%- if not loop.last %}, {% endif -%}{%- if loop.last and family == 'HQC' -%}†{%- endif -%}{%- endfor -%}
+- **{{ family }}**: {% for kem in kems -%} `{{ kem['name_group'] }}` {%- for hybrid in kem['hybrids'] -%}, `{% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{hybrid['hybrid_group']}}_{{kem['name_group']}}{% endif %}`{%- endfor -%}{%- if not loop.last %}, {% endif -%}{%- if loop.last and family == 'HQC' -%}†{%- endif -%}{%- endfor -%}
 {%- endfor %}
 
 ### Signature algorithms

diff --git a/oqs-template/generate.yml b/oqs-template/generate.yml
@@ -148,6 +148,7 @@ kems:
 # KEM prefix 2.16.840.1.101.3.4.4.
   -
     family: 'ML-KEM'
+    fips_standard: 1
     name_group: 'mlkem512'
 # code point not standardized: Why? XXX
     nid: '0x024A'
@@ -167,6 +168,7 @@ kems:
           nid: '0x2FB6'
   -
     family: 'ML-KEM'
+    fips_standard: 1
     name_group: 'mlkem768'
 # https://www.ietf.org/archive/id/draft-connolly-tls-mlkem-key-agreement-01.html
     nid: '0x0768'
@@ -180,14 +182,17 @@ kems:
         - hybrid_group: "x448"
 # code point not standardized: Why? XXX
           nid: '0x2FB7'
-# To change when hybrid order change implemented, see https://github.com/open-quantum-safe/oqs-provider/issues/503
         - hybrid_group: "x25519"
-          nid: '0x2FB8'
+# https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html#name-x25519mlkem768
+          nid: '0x11ec'
+          standard_name: "X25519MLKEM768"
         - hybrid_group: "p256"
-# https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-01.html#name-iana-considerations
-          nid: '4587'
+# https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html#name-secp256r1mlkem768
+          nid: '0x11eb'
+          standard_name: "SecP256r1MLKEM768"
   -
     family: 'ML-KEM'
+    fips_standard: 1
     name_group: 'mlkem1024'
 # https://www.ietf.org/archive/id/draft-connolly-tls-mlkem-key-agreement-01.html
     nid: '0x1024'

diff --git a/oqs-template/oqs-kem-info.md b/oqs-template/oqs-kem-info.md
@@ -92,7 +92,7 @@
 | ML-KEM         | ML-KEM                   | mlkem512       | FIPS203      |                    1 | 0x2F4B       | secp256_r1                       |
 | ML-KEM         | ML-KEM                   | mlkem512       | FIPS203      |                    1 | 0x2FB6       | x25519                           |
 | ML-KEM         | ML-KEM                   | mlkem768       | FIPS203      |                    3 | 0x0768       |                                  |
+| ML-KEM         | ML-KEM                   | mlkem768       | FIPS203      |                    3 | 0x11eb       | p256                             |
+| ML-KEM         | ML-KEM                   | mlkem768       | FIPS203      |                    3 | 0x11ec       | x25519                           |
 | ML-KEM         | ML-KEM                   | mlkem768       | FIPS203      |                    3 | 0x2F4C       | secp384_r1                       |
 | ML-KEM         | ML-KEM                   | mlkem768       | FIPS203      |                    3 | 0x2FB7       | x448                             |
-| ML-KEM         | ML-KEM                   | mlkem768       | FIPS203      |                    3 | 0x2FB8       | x25519                           |
-| ML-KEM         | ML-KEM                   | mlkem768       | FIPS203      |                    3 | 4587         | p256                             |
diff --git a/oqs-template/oqsprov/oqs_decode_der2key.c/decoder_make.fragment b/oqs-template/oqsprov/oqs_decode_der2key.c/decoder_make.fragment
@@ -5,8 +5,8 @@
 MAKE_DECODER(, "{{ kem['name_group'] }}", {{ kem['name_group'] }}, oqsx, PrivateKeyInfo);
 MAKE_DECODER(, "{{ kem['name_group'] }}", {{ kem['name_group'] }}, oqsx, SubjectPublicKeyInfo);
 {% for hybrid in kem['hybrids'] %}
-MAKE_DECODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, "{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}", {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}, oqsx, PrivateKeyInfo);
-MAKE_DECODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, "{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}", {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}, oqsx, SubjectPublicKeyInfo);
+MAKE_DECODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {% if 'standard_name' in hybrid %}"{{hybrid['standard_name']}}"{% else %}"{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}"{% endif %}, {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}, oqsx, PrivateKeyInfo);
+MAKE_DECODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {% if 'standard_name' in hybrid %}"{{hybrid['standard_name']}}"{% else %}"{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}"{% endif %}, {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}, oqsx, SubjectPublicKeyInfo);
 {%- endfor %}
 {%- endfor %}
 #endif /* OQS_KEM_ENCODERS */

diff --git a/oqs-template/oqsprov/oqs_encode_key2any.c/encoder_defines.fragment b/oqs-template/oqsprov/oqs_encode_key2any.c/encoder_defines.fragment
@@ -3,9 +3,9 @@
 # define {{ kem['name_group'] }}_input_type    "{{ kem['name_group'] }}"
 # define {{ kem['name_group'] }}_pem_type      "{{ kem['name_group'] }}"
 {% for hybrid in kem['hybrids'] %}
-# define {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}_evp_type     0
-# define {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}_input_type    "{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}"
-# define {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}_pem_type      "{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}"
+# define {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}_evp_type     0
+# define {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}_input_type    {% if 'standard_name' in hybrid %}"{{hybrid['standard_name']}}"{% else %}"{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}"{% endif %}
+# define {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}_pem_type      {% if 'standard_name' in hybrid %}"{{hybrid['standard_name']}}"{% else %}"{{hybrid['hybrid_group']}}_{{ kem['name_group'] }}"{% endif %}
 {%- endfor %}
 {%- endfor %}
 

diff --git a/oqs-template/oqsprov/oqs_encode_key2any.c/encoder_make.fragment b/oqs-template/oqsprov/oqs_encode_key2any.c/encoder_make.fragment
@@ -10,13 +10,13 @@ MAKE_ENCODER(, {{ kem['name_group'] }}, oqsx, SubjectPublicKeyInfo, der);
 MAKE_ENCODER(, {{ kem['name_group'] }}, oqsx, SubjectPublicKeyInfo, pem);
 MAKE_TEXT_ENCODER(, {{ kem['name_group'] }});
 {% for hybrid in kem['hybrids'] %}
-MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}, oqsx, EncryptedPrivateKeyInfo, der);
-MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}, oqsx, EncryptedPrivateKeyInfo, pem);
-MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}, oqsx, PrivateKeyInfo, der);
-MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}, oqsx, PrivateKeyInfo, pem);
-MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}, oqsx, SubjectPublicKeyInfo, der);
-MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {{hybrid['hybrid_group']}}_{{ kem['name_group'] }}, oqsx, SubjectPublicKeyInfo, pem);
-MAKE_TEXT_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {{hybrid['hybrid_group']}}_{{ kem['name_group'] }});
+MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}, oqsx, EncryptedPrivateKeyInfo, der);
+MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}, oqsx, EncryptedPrivateKeyInfo, pem);
+MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}, oqsx, PrivateKeyInfo, der);
+MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}, oqsx, PrivateKeyInfo, pem);
+MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}, oqsx, SubjectPublicKeyInfo, der);
+MAKE_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}, oqsx, SubjectPublicKeyInfo, pem);
+MAKE_TEXT_ENCODER({% if hybrid['hybrid_group'].startswith('x') %}_ecx{% else %}_ecp{% endif %}, {% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %});
 {%- endfor %}
 {%- endfor %}
 #endif /* OQS_KEM_ENCODERS */

diff --git a/oqs-template/oqsprov/oqs_kmgmt.c/keymgmt_constructors.fragment b/oqs-template/oqsprov/oqs_kmgmt.c/keymgmt_constructors.fragment
@@ -4,37 +4,37 @@
    {%- set count.val = count.val + 1 %}
 static void *{{variant['name']}}_new_key(void *provctx)
 {
-    return oqsx_key_new(PROV_OQS_LIBCTX_OF(provctx), {{variant['oqs_meth']}}, "{{variant['name']}}", KEY_TYPE_SIG, NULL, {{variant['security']}}, {{ count.val }});
+    return oqsx_key_new(PROV_OQS_LIBCTX_OF(provctx), {{variant['oqs_meth']}}, "{{variant['name']}}", KEY_TYPE_SIG, NULL, {{variant['security']}}, {{ count.val }}, 0);
 }
 
 static void *{{variant['name']}}_gen_init(void *provctx, int selection)
 {
-    return oqsx_gen_init(provctx, selection, {{variant['oqs_meth']}}, "{{variant['name']}}", 0, {{variant['security']}}, {{ count.val }});
+    return oqsx_gen_init(provctx, selection, {{variant['oqs_meth']}}, "{{variant['name']}}", 0, {{variant['security']}}, {{ count.val }}, 0);
 } 
 
      {%- for classical_alg in variant['mix_with'] %}
      {%- set count.val = count.val + 1 %}
 static void *{{ classical_alg['name'] }}_{{variant['name']}}_new_key(void *provctx)
 {
-    return oqsx_key_new(PROV_OQS_LIBCTX_OF(provctx), {{variant['oqs_meth']}}, "{{ classical_alg['name'] }}_{{variant['name']}}", KEY_TYPE_HYB_SIG, NULL, {{variant['security']}}, {{ count.val }});
+    return oqsx_key_new(PROV_OQS_LIBCTX_OF(provctx), {{variant['oqs_meth']}}, "{{ classical_alg['name'] }}_{{variant['name']}}", KEY_TYPE_HYB_SIG, NULL, {{variant['security']}}, {{ count.val }}, 0);
 }
 
 static void *{{ classical_alg['name'] }}_{{variant['name']}}_gen_init(void *provctx, int selection)
 {
-    return oqsx_gen_init(provctx, selection, {{variant['oqs_meth']}}, "{{ classical_alg['name'] }}_{{variant['name']}}", KEY_TYPE_HYB_SIG, {{variant['security']}}, {{ count.val }});
+    return oqsx_gen_init(provctx, selection, {{variant['oqs_meth']}}, "{{ classical_alg['name'] }}_{{variant['name']}}", KEY_TYPE_HYB_SIG, {{variant['security']}}, {{ count.val }}, 0);
 } 
 
      {%- endfor -%}
      {%- for composite_alg in variant['composite'] %}
      {%- set count.val = count.val + 1 %}
 static void *{{ variant['name'] }}_{{ composite_alg['name'] }}_new_key(void *provctx)
 {
-    return oqsx_key_new(PROV_OQS_LIBCTX_OF(provctx), {{variant['oqs_meth']}}, "{{ variant['name'] }}_{{ composite_alg['name'] }}", KEY_TYPE_CMP_SIG, NULL, {{composite_alg['security']}}, {{ count.val }});
+    return oqsx_key_new(PROV_OQS_LIBCTX_OF(provctx), {{variant['oqs_meth']}}, "{{ variant['name'] }}_{{ composite_alg['name'] }}", KEY_TYPE_CMP_SIG, NULL, {{composite_alg['security']}}, {{ count.val }}, 0);
 }
 
 static void *{{ variant['name'] }}_{{ composite_alg['name'] }}_gen_init(void *provctx, int selection)
 {
-    return oqsx_gen_init(provctx, selection, {{variant['oqs_meth']}}, "{{ variant['name'] }}_{{ composite_alg['name'] }}", KEY_TYPE_CMP_SIG, {{composite_alg['security']}}, {{ count.val }});
+    return oqsx_gen_init(provctx, selection, {{variant['oqs_meth']}}, "{{ variant['name'] }}_{{ composite_alg['name'] }}", KEY_TYPE_CMP_SIG, {{composite_alg['security']}}, {{ count.val }}, 0);
 } 
 
      {%- endfor -%}

diff --git a/oqs-template/oqsprov/oqs_kmgmt.c/keymgmt_functions.fragment b/oqs-template/oqsprov/oqs_kmgmt.c/keymgmt_functions.fragment
@@ -13,9 +13,9 @@ MAKE_SIG_KEYMGMT_FUNCTIONS({{variant['name']}}_{{ composite_alg['name'] }})
 MAKE_KEM_KEYMGMT_FUNCTIONS({{kem['name_group']}}, {{kem['oqs_alg']}}, {{kem['bit_security']}})
 {% for hybrid in kem['hybrids'] %}
 {% if hybrid['hybrid_group'].startswith('p') -%}
-MAKE_KEM_ECP_KEYMGMT_FUNCTIONS({{hybrid['hybrid_group']}}_{{kem['name_group']}}, {{kem['oqs_alg']}}, {{hybrid['bit_security']}})
+MAKE_KEM_ECP_KEYMGMT_FUNCTIONS({% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{hybrid['hybrid_group']}}_{{kem['name_group']}}{% endif %}, {{kem['oqs_alg']}}, {{hybrid['bit_security']}})
 {%- else %}
-MAKE_KEM_ECX_KEYMGMT_FUNCTIONS({{hybrid['hybrid_group']}}_{{kem['name_group']}}, {{kem['oqs_alg']}}, {{hybrid['bit_security']}})
+MAKE_KEM_ECX_KEYMGMT_FUNCTIONS({% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{hybrid['hybrid_group']}}_{{kem['name_group']}}{% endif %}, {{kem['oqs_alg']}}, {{hybrid['bit_security']}}, {% if 'fips_standard' in kem %}{{kem['fips_standard']}}{% else %}0{% endif %})
 {%- endif %}
 {%- endfor %}
 {%- endfor %}

diff --git a/oqs-template/oqsprov/oqs_prov.h/alg_functions.fragment b/oqs-template/oqsprov/oqs_prov.h/alg_functions.fragment
@@ -13,9 +13,9 @@ extern const OSSL_DISPATCH oqs_{{ variant['name'] }}_{{ composite_alg['name'] }}
 extern const OSSL_DISPATCH oqs_{{ kem['name_group'] }}_keymgmt_functions[];
 {% for hybrid in kem['hybrids'] %}
 {% if hybrid['hybrid_group'].startswith('p') -%}
-extern const OSSL_DISPATCH oqs_ecp_{{ hybrid['hybrid_group']}}_{{ kem['name_group'] }}_keymgmt_functions[];
+extern const OSSL_DISPATCH oqs_ecp_{% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}_keymgmt_functions[];
 {%- else -%}
-extern const OSSL_DISPATCH oqs_ecx_{{ hybrid['hybrid_group']}}_{{ kem['name_group'] }}_keymgmt_functions[];
+extern const OSSL_DISPATCH oqs_ecx_{% if 'standard_name' in hybrid %}{{hybrid['standard_name']}}{% else %}{{ hybrid['hybrid_group'] }}_{{ kem['name_group'] }}{% endif %}_keymgmt_functions[];
 {%- endif %}
 {%- endfor %}
 {%- endfor %}