p384_mlkem1024 hybrid added (open-quantum-safe#361)

* p384_mlkem1024 hybrid added Signed-off-by: Felipe Ventura <[email protected]>
EntrustCorporation · Mar 17, 2024 · d646f80 · d646f80
1 parent 70fd101
commit d646f80
Show file tree

Hide file tree

Showing 14 changed files with 123 additions and 54 deletions.
diff --git a/ALGORITHMS.md b/ALGORITHMS.md
@@ -48,6 +48,7 @@ As standardization for these algorithms within TLS is not done, all TLS code poi
 | p256_mlkem768 | 0x2FB5 | Yes | OQS_CODEPOINT_P256_MLKEM768 |
 | mlkem1024 | 0x0249 | Yes | OQS_CODEPOINT_MLKEM1024 |
 | p521_mlkem1024 | 0x2F49 | Yes | OQS_CODEPOINT_P521_MLKEM1024 |
+| p384_mlkem1024 | 0x2F4A | Yes | OQS_CODEPOINT_P384_MLKEM1024 |
 | bikel1 | 0x0241 | Yes | OQS_CODEPOINT_BIKEL1 |
 | p256_bikel1 | 0x2F41 | Yes | OQS_CODEPOINT_P256_BIKEL1 |
 | x25519_bikel1 | 0x2FAE | Yes | OQS_CODEPOINT_X25519_BIKEL1 |
@@ -240,6 +241,7 @@ If [OQS_KEM_ENCODERS](CONFIGURE.md#OQS_KEM_ENCODERS) is enabled the following li
 | p256_mlkem768 | 1.3.9999.99.58 | OQS_OID_P256_MLKEM768
 | mlkem1024 | 1.3.6.1.4.1.22554.5.6.3 | OQS_OID_MLKEM1024
 | p521_mlkem1024 | 1.3.9999.99.82 | OQS_OID_P521_MLKEM1024
+| p384_mlkem1024 | 1.3.6.1.4.1.42235.6 | OQS_OID_P384_MLKEM1024
 | bikel1 | 1.3.9999.99.84 | OQS_OID_BIKEL1
 | p256_bikel1 | 1.3.9999.99.83 | OQS_OID_P256_BIKEL1
 | x25519_bikel1 | 1.3.9999.99.59 | OQS_OID_X25519_BIKEL1

diff --git a/README.md b/README.md
@@ -40,7 +40,7 @@ This implementation makes available the following quantum safe algorithms:
 - **CRYSTALS-Kyber**: `kyber512`, `p256_kyber512`, `x25519_kyber512`, `kyber768`, `p384_kyber768`, `x448_kyber768`, `x25519_kyber768`, `p256_kyber768`, `kyber1024`, `p521_kyber1024`
 - **FrodoKEM**: `frodo640aes`, `p256_frodo640aes`, `x25519_frodo640aes`, `frodo640shake`, `p256_frodo640shake`, `x25519_frodo640shake`, `frodo976aes`, `p384_frodo976aes`, `x448_frodo976aes`, `frodo976shake`, `p384_frodo976shake`, `x448_frodo976shake`, `frodo1344aes`, `p521_frodo1344aes`, `frodo1344shake`, `p521_frodo1344shake`
 - **HQC**: `hqc128`, `p256_hqc128`, `x25519_hqc128`, `hqc192`, `p384_hqc192`, `x448_hqc192`, `hqc256`, `p521_hqc256`†
-- **ML-KEM**: `mlkem512`, `p256_mlkem512`, `x25519_mlkem512`, `mlkem768`, `p384_mlkem768`, `x448_mlkem768`, `x25519_mlkem768`, `p256_mlkem768`, `mlkem1024`, `p521_mlkem1024`
+- **ML-KEM**: `mlkem512`, `p256_mlkem512`, `x25519_mlkem512`, `mlkem768`, `p384_mlkem768`, `x448_mlkem768`, `x25519_mlkem768`, `p256_mlkem768`, `mlkem1024`, `p521_mlkem1024`, `p384_mlkem1024`
 
 ### Signature algorithms
 

diff --git a/oqs-template/generate.yml b/oqs-template/generate.yml
@@ -1,5 +1,5 @@
 # This is the master document for ID interoperability for KEM IDs, p-hybrid KEM IDs, SIG (O)IDs
-# Next free plain KEM ID: 0x024A, p-hybrid: 0x2F4A, X-hybrid: 0x2FB6
+# Next free plain KEM ID: 0x024A, p-hybrid: 0x2F4B, X-hybrid: 0x2FB6
 kems:
   -
     family: 'FrodoKEM'
@@ -175,6 +175,14 @@ kems:
     oid: '1.3.6.1.4.1.22554.5.6.3'
     nid_hybrid: '0x2F49'
     oqs_alg: 'OQS_KEM_alg_ml_kem_1024'
+    extra_nids:
+      current:
+        # p384_mlkem1024 hybrid doesn't appear in any standardization drafts
+        # this oid is proposed by Tresorit
+        # if the hybrid combination is standardized, feel free to change it
+        - hybrid_group: "p384"
+          hybrid_oid: '1.3.6.1.4.1.42235.6'
+          nid: '0x2F4A'
   -
     family: 'BIKE'
     name_group: 'bike1l1fo'

diff --git a/oqs-template/oqs-kem-info.md b/oqs-template/oqs-kem-info.md
@@ -87,6 +87,7 @@
 | HQC            | 2023-04-30               | hqc256         | 4            |                    5 | 0x2F46       | secp521_r1                       |
 | ML-KEM         | ML-KEM-ipd               | mlkem1024      | ipd          |                    5 | 0x0249       |                                  |
 | ML-KEM         | ML-KEM-ipd               | mlkem1024      | ipd          |                    5 | 0x2F49       | secp521_r1                       |
+| ML-KEM         | ML-KEM-ipd               | mlkem1024      | ipd          |                    5 | 0x2F4A       | p384                             |
 | ML-KEM         | ML-KEM-ipd               | mlkem512       | ipd          |                    1 | 0x0247       |                                  |
 | ML-KEM         | ML-KEM-ipd               | mlkem512       | ipd          |                    1 | 0x2F47       | secp256_r1                       |
 | ML-KEM         | ML-KEM-ipd               | mlkem512       | ipd          |                    1 | 0x2FB2       | x25519                           |

diff --git a/oqsprov/oqs_decode_der2key.c b/oqsprov/oqs_decode_der2key.c
@@ -646,6 +646,9 @@ MAKE_DECODER(, "mlkem1024", mlkem1024, oqsx, SubjectPublicKeyInfo);
 MAKE_DECODER(_ecp, "p521_mlkem1024", p521_mlkem1024, oqsx, PrivateKeyInfo);
 MAKE_DECODER(_ecp, "p521_mlkem1024", p521_mlkem1024, oqsx,
              SubjectPublicKeyInfo);
+MAKE_DECODER(_ecp, "p384_mlkem1024", p384_mlkem1024, oqsx, PrivateKeyInfo);
+MAKE_DECODER(_ecp, "p384_mlkem1024", p384_mlkem1024, oqsx,
+             SubjectPublicKeyInfo);
 MAKE_DECODER(, "bikel1", bikel1, oqsx, PrivateKeyInfo);
 MAKE_DECODER(, "bikel1", bikel1, oqsx, SubjectPublicKeyInfo);
 

diff --git a/oqsprov/oqs_encode_key2any.c b/oqsprov/oqs_encode_key2any.c
@@ -1032,6 +1032,9 @@ static int oqsx_pki_priv_to_der(const void *vxkey, unsigned char **pder)
 #define p521_mlkem1024_evp_type   0
 #define p521_mlkem1024_input_type "p521_mlkem1024"
 #define p521_mlkem1024_pem_type   "p521_mlkem1024"
+#define p384_mlkem1024_evp_type   0
+#define p384_mlkem1024_input_type "p384_mlkem1024"
+#define p384_mlkem1024_pem_type   "p384_mlkem1024"
 #define bikel1_evp_type           0
 #define bikel1_input_type         "bikel1"
 #define bikel1_pem_type           "bikel1"
@@ -2138,6 +2141,13 @@ MAKE_ENCODER(_ecp, p521_mlkem1024, oqsx, PrivateKeyInfo, pem);
 MAKE_ENCODER(_ecp, p521_mlkem1024, oqsx, SubjectPublicKeyInfo, der);
 MAKE_ENCODER(_ecp, p521_mlkem1024, oqsx, SubjectPublicKeyInfo, pem);
 MAKE_TEXT_ENCODER(_ecp, p521_mlkem1024);
+MAKE_ENCODER(_ecp, p384_mlkem1024, oqsx, EncryptedPrivateKeyInfo, der);
+MAKE_ENCODER(_ecp, p384_mlkem1024, oqsx, EncryptedPrivateKeyInfo, pem);
+MAKE_ENCODER(_ecp, p384_mlkem1024, oqsx, PrivateKeyInfo, der);
+MAKE_ENCODER(_ecp, p384_mlkem1024, oqsx, PrivateKeyInfo, pem);
+MAKE_ENCODER(_ecp, p384_mlkem1024, oqsx, SubjectPublicKeyInfo, der);
+MAKE_ENCODER(_ecp, p384_mlkem1024, oqsx, SubjectPublicKeyInfo, pem);
+MAKE_TEXT_ENCODER(_ecp, p384_mlkem1024);
 MAKE_ENCODER(, bikel1, oqsx, EncryptedPrivateKeyInfo, der);
 MAKE_ENCODER(, bikel1, oqsx, EncryptedPrivateKeyInfo, pem);
 MAKE_ENCODER(, bikel1, oqsx, PrivateKeyInfo, der);

diff --git a/oqsprov/oqs_kmgmt.c b/oqsprov/oqs_kmgmt.c
@@ -1395,6 +1395,7 @@ MAKE_KEM_ECP_KEYMGMT_FUNCTIONS(p256_mlkem768, OQS_KEM_alg_ml_kem_768, 128)
 MAKE_KEM_KEYMGMT_FUNCTIONS(mlkem1024, OQS_KEM_alg_ml_kem_1024, 256)
 
 MAKE_KEM_ECP_KEYMGMT_FUNCTIONS(p521_mlkem1024, OQS_KEM_alg_ml_kem_1024, 256)
+MAKE_KEM_ECP_KEYMGMT_FUNCTIONS(p384_mlkem1024, OQS_KEM_alg_ml_kem_1024, 192)
 MAKE_KEM_KEYMGMT_FUNCTIONS(bikel1, OQS_KEM_alg_bike_l1, 128)
 
 MAKE_KEM_ECP_KEYMGMT_FUNCTIONS(p256_bikel1, OQS_KEM_alg_bike_l1, 128)

diff --git a/oqsprov/oqs_prov.h b/oqsprov/oqs_prov.h
@@ -877,6 +877,23 @@ extern const OSSL_DISPATCH
     oqs_PrivateKeyInfo_der_to_p521_mlkem1024_decoder_functions[];
 extern const OSSL_DISPATCH
     oqs_SubjectPublicKeyInfo_der_to_p521_mlkem1024_decoder_functions[];
+extern const OSSL_DISPATCH
+    oqs_p384_mlkem1024_to_PrivateKeyInfo_der_encoder_functions[];
+extern const OSSL_DISPATCH
+    oqs_p384_mlkem1024_to_PrivateKeyInfo_pem_encoder_functions[];
+extern const OSSL_DISPATCH
+    oqs_p384_mlkem1024_to_EncryptedPrivateKeyInfo_der_encoder_functions[];
+extern const OSSL_DISPATCH
+    oqs_p384_mlkem1024_to_EncryptedPrivateKeyInfo_pem_encoder_functions[];
+extern const OSSL_DISPATCH
+    oqs_p384_mlkem1024_to_SubjectPublicKeyInfo_der_encoder_functions[];
+extern const OSSL_DISPATCH
+    oqs_p384_mlkem1024_to_SubjectPublicKeyInfo_pem_encoder_functions[];
+extern const OSSL_DISPATCH oqs_p384_mlkem1024_to_text_encoder_functions[];
+extern const OSSL_DISPATCH
+    oqs_PrivateKeyInfo_der_to_p384_mlkem1024_decoder_functions[];
+extern const OSSL_DISPATCH
+    oqs_SubjectPublicKeyInfo_der_to_p384_mlkem1024_decoder_functions[];
 extern const OSSL_DISPATCH oqs_bikel1_to_PrivateKeyInfo_der_encoder_functions[];
 extern const OSSL_DISPATCH oqs_bikel1_to_PrivateKeyInfo_pem_encoder_functions[];
 extern const OSSL_DISPATCH
@@ -2074,6 +2091,7 @@ extern const OSSL_DISPATCH oqs_ecp_p256_mlkem768_keymgmt_functions[];
 extern const OSSL_DISPATCH oqs_mlkem1024_keymgmt_functions[];
 
 extern const OSSL_DISPATCH oqs_ecp_p521_mlkem1024_keymgmt_functions[];
+extern const OSSL_DISPATCH oqs_ecp_p384_mlkem1024_keymgmt_functions[];
 extern const OSSL_DISPATCH oqs_bikel1_keymgmt_functions[];
 
 extern const OSSL_DISPATCH oqs_ecp_p256_bikel1_keymgmt_functions[];

diff --git a/oqsprov/oqsdecoders.inc b/oqsprov/oqsdecoders.inc
@@ -173,6 +173,9 @@ DECODER_w_structure("frodo640aes", der, PrivateKeyInfo, frodo640aes),
     DECODER_w_structure("p521_mlkem1024", der, PrivateKeyInfo, p521_mlkem1024),
     DECODER_w_structure("p521_mlkem1024", der, SubjectPublicKeyInfo,
                         p521_mlkem1024),
+    DECODER_w_structure("p384_mlkem1024", der, PrivateKeyInfo, p384_mlkem1024),
+    DECODER_w_structure("p384_mlkem1024", der, SubjectPublicKeyInfo,
+                        p384_mlkem1024),
 #    endif
 #    ifdef OQS_ENABLE_KEM_bike_l1
     DECODER_w_structure("bikel1", der, PrivateKeyInfo, bikel1),

diff --git a/oqsprov/oqsencoders.inc b/oqsprov/oqsencoders.inc
@@ -500,6 +500,17 @@ ENCODER_w_structure("frodo640aes", frodo640aes, der, PrivateKeyInfo),
     ENCODER_w_structure("p521_mlkem1024", p521_mlkem1024, pem,
                         SubjectPublicKeyInfo),
     ENCODER_TEXT("p521_mlkem1024", p521_mlkem1024),
+    ENCODER_w_structure("p384_mlkem1024", p384_mlkem1024, der, PrivateKeyInfo),
+    ENCODER_w_structure("p384_mlkem1024", p384_mlkem1024, pem, PrivateKeyInfo),
+    ENCODER_w_structure("p384_mlkem1024", p384_mlkem1024, der,
+                        EncryptedPrivateKeyInfo),
+    ENCODER_w_structure("p384_mlkem1024", p384_mlkem1024, pem,
+                        EncryptedPrivateKeyInfo),
+    ENCODER_w_structure("p384_mlkem1024", p384_mlkem1024, der,
+                        SubjectPublicKeyInfo),
+    ENCODER_w_structure("p384_mlkem1024", p384_mlkem1024, pem,
+                        SubjectPublicKeyInfo),
+    ENCODER_TEXT("p384_mlkem1024", p384_mlkem1024),
 #    endif
 #    ifdef OQS_ENABLE_KEM_bike_l1
     ENCODER_w_structure("bikel1", bikel1, der, PrivateKeyInfo),

diff --git a/oqsprov/oqsprov.c b/oqsprov/oqsprov.c
@@ -49,7 +49,7 @@ extern OSSL_FUNC_provider_get_capabilities_fn oqs_provider_get_capabilities;
 ///// OQS_TEMPLATE_FRAGMENT_ASSIGN_SIG_OIDS_START
 
 #ifdef OQS_KEM_ENCODERS
-#    define OQS_OID_CNT 196
+#    define OQS_OID_CNT 166
 #else
 #    define OQS_OID_CNT 60
 #endif
@@ -129,6 +129,8 @@ const char *oqs_oid_alg_list[OQS_OID_CNT] = {
     "mlkem1024",
     "1.3.9999.99.35",
     "p521_mlkem1024",
+    "1.3.6.1.4.1.42235.6",
+    "p384_mlkem1024",
     "1.3.9999.99.37",
     "bikel1",
     "1.3.9999.99.36",
@@ -349,46 +351,48 @@ int oqs_patch_oids(void)
 
     if (getenv("OQS_OID_P521_MLKEM1024"))
         oqs_oid_alg_list[70] = getenv("OQS_OID_P521_MLKEM1024");
+    if (getenv("OQS_OID_P384_MLKEM1024"))
+        oqs_oid_alg_list[72] = getenv("OQS_OID_P384_MLKEM1024");
     if (getenv("OQS_OID_BIKEL1"))
-        oqs_oid_alg_list[72] = getenv("OQS_OID_BIKEL1");
+        oqs_oid_alg_list[74] = getenv("OQS_OID_BIKEL1");
 
     if (getenv("OQS_OID_P256_BIKEL1"))
-        oqs_oid_alg_list[74] = getenv("OQS_OID_P256_BIKEL1");
+        oqs_oid_alg_list[76] = getenv("OQS_OID_P256_BIKEL1");
     if (getenv("OQS_OID_X25519_BIKEL1"))
-        oqs_oid_alg_list[76] = getenv("OQS_OID_X25519_BIKEL1");
+        oqs_oid_alg_list[78] = getenv("OQS_OID_X25519_BIKEL1");
     if (getenv("OQS_OID_BIKEL3"))
-        oqs_oid_alg_list[78] = getenv("OQS_OID_BIKEL3");
+        oqs_oid_alg_list[80] = getenv("OQS_OID_BIKEL3");
 
     if (getenv("OQS_OID_P384_BIKEL3"))
-        oqs_oid_alg_list[80] = getenv("OQS_OID_P384_BIKEL3");
+        oqs_oid_alg_list[82] = getenv("OQS_OID_P384_BIKEL3");
     if (getenv("OQS_OID_X448_BIKEL3"))
-        oqs_oid_alg_list[82] = getenv("OQS_OID_X448_BIKEL3");
+        oqs_oid_alg_list[84] = getenv("OQS_OID_X448_BIKEL3");
     if (getenv("OQS_OID_BIKEL5"))
-        oqs_oid_alg_list[84] = getenv("OQS_OID_BIKEL5");
+        oqs_oid_alg_list[86] = getenv("OQS_OID_BIKEL5");
 
     if (getenv("OQS_OID_P521_BIKEL5"))
-        oqs_oid_alg_list[86] = getenv("OQS_OID_P521_BIKEL5");
+        oqs_oid_alg_list[88] = getenv("OQS_OID_P521_BIKEL5");
     if (getenv("OQS_OID_HQC128"))
-        oqs_oid_alg_list[88] = getenv("OQS_OID_HQC128");
+        oqs_oid_alg_list[90] = getenv("OQS_OID_HQC128");
 
     if (getenv("OQS_OID_P256_HQC128"))
-        oqs_oid_alg_list[90] = getenv("OQS_OID_P256_HQC128");
+        oqs_oid_alg_list[92] = getenv("OQS_OID_P256_HQC128");
     if (getenv("OQS_OID_X25519_HQC128"))
-        oqs_oid_alg_list[92] = getenv("OQS_OID_X25519_HQC128");
+        oqs_oid_alg_list[94] = getenv("OQS_OID_X25519_HQC128");
     if (getenv("OQS_OID_HQC192"))
-        oqs_oid_alg_list[94] = getenv("OQS_OID_HQC192");
+        oqs_oid_alg_list[96] = getenv("OQS_OID_HQC192");
 
     if (getenv("OQS_OID_P384_HQC192"))
-        oqs_oid_alg_list[96] = getenv("OQS_OID_P384_HQC192");
+        oqs_oid_alg_list[98] = getenv("OQS_OID_P384_HQC192");
     if (getenv("OQS_OID_X448_HQC192"))
-        oqs_oid_alg_list[98] = getenv("OQS_OID_X448_HQC192");
+        oqs_oid_alg_list[100] = getenv("OQS_OID_X448_HQC192");
     if (getenv("OQS_OID_HQC256"))
-        oqs_oid_alg_list[100] = getenv("OQS_OID_HQC256");
+        oqs_oid_alg_list[102] = getenv("OQS_OID_HQC256");
 
     if (getenv("OQS_OID_P521_HQC256"))
-        oqs_oid_alg_list[102] = getenv("OQS_OID_P521_HQC256");
+        oqs_oid_alg_list[104] = getenv("OQS_OID_P521_HQC256");
 
-#    define OQS_KEMOID_CNT 102 + 2
+#    define OQS_KEMOID_CNT 104 + 2
 #else
 #    define OQS_KEMOID_CNT 0
 #endif /* OQS_KEM_ENCODERS */
@@ -893,6 +897,7 @@ static const OSSL_ALGORITHM oqsprovider_asym_kems[] = {
 #ifdef OQS_ENABLE_KEM_ml_kem_1024
     KEMBASEALG(mlkem1024, 256)
     KEMHYBALG(p521_mlkem1024, 256)
+    KEMHYBALG(p384_mlkem1024, 192)
 #endif
 #ifdef OQS_ENABLE_KEM_bike_l1
     KEMBASEALG(bikel1, 128)
@@ -1073,6 +1078,7 @@ static const OSSL_ALGORITHM oqsprovider_keymgmt[]
     KEMKMALG(mlkem1024, 256)
 
     KEMKMHYBALG(p521_mlkem1024, 256, ecp)
+    KEMKMHYBALG(p384_mlkem1024, 192, ecp)
 #endif
 #ifdef OQS_ENABLE_KEM_bike_l1
     KEMKMALG(bikel1, 128)

diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c
@@ -83,6 +83,7 @@ static OQS_GROUP_CONSTANTS oqs_group_list[] = {
     {0x0249, 256, TLS1_3_VERSION, 0, -1, -1, 1},
 
     {0x2F49, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4A, 256, TLS1_3_VERSION, 0, -1, -1, 1},
     {0x0241, 128, TLS1_3_VERSION, 0, -1, -1, 1},
 
     {0x2F41, 128, TLS1_3_VERSION, 0, -1, -1, 1},
@@ -215,40 +216,41 @@ static const OSSL_PARAM oqs_param_group_list[][11] = {
     OQS_GROUP_ENTRY(mlkem1024, mlkem1024, mlkem1024, 34),
 
     OQS_GROUP_ENTRY(p521_mlkem1024, p521_mlkem1024, p521_mlkem1024, 35),
+    OQS_GROUP_ENTRY(p384_mlkem1024, p384_mlkem1024, p384_mlkem1024, 36),
 #endif
 #ifdef OQS_ENABLE_KEM_bike_l1
-    OQS_GROUP_ENTRY(bikel1, bikel1, bikel1, 36),
+    OQS_GROUP_ENTRY(bikel1, bikel1, bikel1, 37),
 
-    OQS_GROUP_ENTRY(p256_bikel1, p256_bikel1, p256_bikel1, 37),
-    OQS_GROUP_ENTRY(x25519_bikel1, x25519_bikel1, x25519_bikel1, 38),
+    OQS_GROUP_ENTRY(p256_bikel1, p256_bikel1, p256_bikel1, 38),
+    OQS_GROUP_ENTRY(x25519_bikel1, x25519_bikel1, x25519_bikel1, 39),
 #endif
 #ifdef OQS_ENABLE_KEM_bike_l3
-    OQS_GROUP_ENTRY(bikel3, bikel3, bikel3, 39),
+    OQS_GROUP_ENTRY(bikel3, bikel3, bikel3, 40),
 
-    OQS_GROUP_ENTRY(p384_bikel3, p384_bikel3, p384_bikel3, 40),
-    OQS_GROUP_ENTRY(x448_bikel3, x448_bikel3, x448_bikel3, 41),
+    OQS_GROUP_ENTRY(p384_bikel3, p384_bikel3, p384_bikel3, 41),
+    OQS_GROUP_ENTRY(x448_bikel3, x448_bikel3, x448_bikel3, 42),
 #endif
 #ifdef OQS_ENABLE_KEM_bike_l5
-    OQS_GROUP_ENTRY(bikel5, bikel5, bikel5, 42),
+    OQS_GROUP_ENTRY(bikel5, bikel5, bikel5, 43),
 
-    OQS_GROUP_ENTRY(p521_bikel5, p521_bikel5, p521_bikel5, 43),
+    OQS_GROUP_ENTRY(p521_bikel5, p521_bikel5, p521_bikel5, 44),
 #endif
 #ifdef OQS_ENABLE_KEM_hqc_128
-    OQS_GROUP_ENTRY(hqc128, hqc128, hqc128, 44),
+    OQS_GROUP_ENTRY(hqc128, hqc128, hqc128, 45),
 
-    OQS_GROUP_ENTRY(p256_hqc128, p256_hqc128, p256_hqc128, 45),
-    OQS_GROUP_ENTRY(x25519_hqc128, x25519_hqc128, x25519_hqc128, 46),
+    OQS_GROUP_ENTRY(p256_hqc128, p256_hqc128, p256_hqc128, 46),
+    OQS_GROUP_ENTRY(x25519_hqc128, x25519_hqc128, x25519_hqc128, 47),
 #endif
 #ifdef OQS_ENABLE_KEM_hqc_192
-    OQS_GROUP_ENTRY(hqc192, hqc192, hqc192, 47),
+    OQS_GROUP_ENTRY(hqc192, hqc192, hqc192, 48),
 
-    OQS_GROUP_ENTRY(p384_hqc192, p384_hqc192, p384_hqc192, 48),
-    OQS_GROUP_ENTRY(x448_hqc192, x448_hqc192, x448_hqc192, 49),
+    OQS_GROUP_ENTRY(p384_hqc192, p384_hqc192, p384_hqc192, 49),
+    OQS_GROUP_ENTRY(x448_hqc192, x448_hqc192, x448_hqc192, 50),
 #endif
 #ifdef OQS_ENABLE_KEM_hqc_256
-    OQS_GROUP_ENTRY(hqc256, hqc256, hqc256, 50),
+    OQS_GROUP_ENTRY(hqc256, hqc256, hqc256, 51),
 
-    OQS_GROUP_ENTRY(p521_hqc256, p521_hqc256, p521_hqc256, 51),
+    OQS_GROUP_ENTRY(p521_hqc256, p521_hqc256, p521_hqc256, 52),
 #endif
     ///// OQS_TEMPLATE_FRAGMENT_GROUP_NAMES_END
 };
@@ -385,40 +387,43 @@ int oqs_patch_codepoints()
     if (getenv("OQS_CODEPOINT_P521_MLKEM1024"))
         oqs_group_list[35].group_id
             = atoi(getenv("OQS_CODEPOINT_P521_MLKEM1024"));
+    if (getenv("OQS_CODEPOINT_P384_MLKEM1024"))
+        oqs_group_list[36].group_id
+            = atoi(getenv("OQS_CODEPOINT_P384_MLKEM1024"));
     if (getenv("OQS_CODEPOINT_BIKEL1"))
-        oqs_group_list[36].group_id = atoi(getenv("OQS_CODEPOINT_BIKEL1"));
+        oqs_group_list[37].group_id = atoi(getenv("OQS_CODEPOINT_BIKEL1"));
     if (getenv("OQS_CODEPOINT_P256_BIKEL1"))
-        oqs_group_list[37].group_id = atoi(getenv("OQS_CODEPOINT_P256_BIKEL1"));
+        oqs_group_list[38].group_id = atoi(getenv("OQS_CODEPOINT_P256_BIKEL1"));
     if (getenv("OQS_CODEPOINT_X25519_BIKEL1"))
-        oqs_group_list[38].group_id
+        oqs_group_list[39].group_id
             = atoi(getenv("OQS_CODEPOINT_X25519_BIKEL1"));
     if (getenv("OQS_CODEPOINT_BIKEL3"))
-        oqs_group_list[39].group_id = atoi(getenv("OQS_CODEPOINT_BIKEL3"));
+        oqs_group_list[40].group_id = atoi(getenv("OQS_CODEPOINT_BIKEL3"));
     if (getenv("OQS_CODEPOINT_P384_BIKEL3"))
-        oqs_group_list[40].group_id = atoi(getenv("OQS_CODEPOINT_P384_BIKEL3"));
+        oqs_group_list[41].group_id = atoi(getenv("OQS_CODEPOINT_P384_BIKEL3"));
     if (getenv("OQS_CODEPOINT_X448_BIKEL3"))
-        oqs_group_list[41].group_id = atoi(getenv("OQS_CODEPOINT_X448_BIKEL3"));
+        oqs_group_list[42].group_id = atoi(getenv("OQS_CODEPOINT_X448_BIKEL3"));
     if (getenv("OQS_CODEPOINT_BIKEL5"))
-        oqs_group_list[42].group_id = atoi(getenv("OQS_CODEPOINT_BIKEL5"));
+        oqs_group_list[43].group_id = atoi(getenv("OQS_CODEPOINT_BIKEL5"));
     if (getenv("OQS_CODEPOINT_P521_BIKEL5"))
-        oqs_group_list[43].group_id = atoi(getenv("OQS_CODEPOINT_P521_BIKEL5"));
+        oqs_group_list[44].group_id = atoi(getenv("OQS_CODEPOINT_P521_BIKEL5"));
     if (getenv("OQS_CODEPOINT_HQC128"))
-        oqs_group_list[44].group_id = atoi(getenv("OQS_CODEPOINT_HQC128"));
+        oqs_group_list[45].group_id = atoi(getenv("OQS_CODEPOINT_HQC128"));
     if (getenv("OQS_CODEPOINT_P256_HQC128"))
-        oqs_group_list[45].group_id = atoi(getenv("OQS_CODEPOINT_P256_HQC128"));
+        oqs_group_list[46].group_id = atoi(getenv("OQS_CODEPOINT_P256_HQC128"));
     if (getenv("OQS_CODEPOINT_X25519_HQC128"))
-        oqs_group_list[46].group_id
+        oqs_group_list[47].group_id
             = atoi(getenv("OQS_CODEPOINT_X25519_HQC128"));
     if (getenv("OQS_CODEPOINT_HQC192"))
-        oqs_group_list[47].group_id = atoi(getenv("OQS_CODEPOINT_HQC192"));
+        oqs_group_list[48].group_id = atoi(getenv("OQS_CODEPOINT_HQC192"));
     if (getenv("OQS_CODEPOINT_P384_HQC192"))
-        oqs_group_list[48].group_id = atoi(getenv("OQS_CODEPOINT_P384_HQC192"));
+        oqs_group_list[49].group_id = atoi(getenv("OQS_CODEPOINT_P384_HQC192"));
     if (getenv("OQS_CODEPOINT_X448_HQC192"))
-        oqs_group_list[49].group_id = atoi(getenv("OQS_CODEPOINT_X448_HQC192"));
+        oqs_group_list[50].group_id = atoi(getenv("OQS_CODEPOINT_X448_HQC192"));
     if (getenv("OQS_CODEPOINT_HQC256"))
-        oqs_group_list[50].group_id = atoi(getenv("OQS_CODEPOINT_HQC256"));
+        oqs_group_list[51].group_id = atoi(getenv("OQS_CODEPOINT_HQC256"));
     if (getenv("OQS_CODEPOINT_P521_HQC256"))
-        oqs_group_list[51].group_id = atoi(getenv("OQS_CODEPOINT_P521_HQC256"));
+        oqs_group_list[52].group_id = atoi(getenv("OQS_CODEPOINT_P521_HQC256"));
 
     if (getenv("OQS_CODEPOINT_DILITHIUM2"))
         oqs_sigalg_list[0].code_point