-
Notifications
You must be signed in to change notification settings - Fork 476
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support 64-byte seed form of ML-KEM private keys #1985
Comments
Thanks for that proposal and offer to contribute. Can I ask how you'd want to go about this? Would you want to provide patches to the upstream code
If we drop 1) adding algorithm-specific APIs integration of Thus, what about the suggestion that you propose a general change of (private) key format to the upstreams that |
Thanks for the clarification @baentsch. I didn't have the context that liboqs isn't owning these implementations. It actually looks like no upstream changes are needed, because the required API is already supported by the underlying implementation. If I understand correctly, The Principle (1) then seems like it would guide towards the "parallel seed-only API" approach. We would create another set of algorithm identifiers (say, Does that seem acceptable? |
Thanks for these explanations, @bifurcation . This proposal looks very good, if I get it right: It would allow
--> looking forward to reviewing that. It will be unique in that it actually creates 2 implementations out of 1 upstream when running |
Thanks @bifurcation for this proposal!
I like the idea to have separate algorithm identifiers to support the seed-only variant. Related to this - as a heads-up - there is ongoing discussion in the PQCP ML-KEM implementation pq-code-package/tsc#4 on extending the upstream API. PQCP is a candidate to replace the pq-crystals upstream in liboqs in the future. Some of the goals are to efficiently accommodate aspects like seed-only representation of private keys, handing expanded keys and supporting key validation. Some of the adaptations there would help us here. |
This is exactly how I understand the proposal by @bifurcation : Same OQS API calling a different pqcrystals API for the new key type.
That now begs the question: What upstreams does OQS keep supporting and (by/until) when? It surely would be great if PQCP would provide API, support and quality warranties OQS currently doesn't get from any upstream (and accordingly, cannot provide such qualities on to users of |
This discussion seems related to a few other discussions in liboqs and PQ Code Package: pq-code-package/tsc#4 and #1877. |
Thanks for the pointer to the PQCP discussion, @dstebila. Do you also read it such that PQCP may decide to support only one SK representation option (e.g., as per NIST guidance)? If so, I see a problem triggered by the reminder of @SWilson4 as to the original mission of OQS, namely to support research -- and as such to enable all options all algorithms permit: If PQCP were to only support one variant, where does OQS get the other from? Keep using a different upstream just for that seems inefficient / unnecessary work. |
Closing in favor of #2003 |
Describe the bug
There is increasing community consensus that ML-KEM private keys should be stored in the form of 64-byte seeds (i.e., the inputs to
ML-KEM.KeyGen_internal()
), not in the expanded form described in FIPS 203. See, for example:https://words.filippo.io/dispatches/ml-kem-seeds/
https://datatracker.ietf.org/meeting/121/materials/slides-121-pquip-fips-issues-with-deploying-ml-kem-and-ml-dsa-04
It is impossible to implement protocols that are defined in terms of seeds. The
OQS_KEM_ml_kem_XXX_keypair()
method produces an expanded private key, andOQS_KEM_ml_kem_XXX_decaps()
consumes an expanded private key.The minimal possible fix here would be to split out a method that creates an expanded private key from a seed. That way an app could mostly just use the current API, except that when generating a completely fresh key, they would have to fill the seed with random data. To even that out, you could make a parallel seed-only API, either by refactoring the existing interface or creating a parallel one. Anything short of removing the current API of course, will leave the risk that a caller will use expanded keys, with the associated risk of corruption.
If we can agree on an approach here, I would be happy to send a PR.
To Reproduce
N/A
Expected behavior
N/A
Screenshots
N/A
Environment (please complete the following information):
Additional context
N/A
The text was updated successfully, but these errors were encountered: