Add DeriveKeyPair API #1877
Add DeriveKeyPair API #1877
Conversation
Signed-off-by: Eddy Kim <[email protected]> Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]> Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]> Signed-off-by: Eddy Kim <[email protected]>
- Add support for BIKE, FrodoKEM, sntrup - Add hooks for testing - Add missing kem comment to documentation - Don't run decaps() in test_kem_derand if encaps_derand() fails - Add markdown documentation changes Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
Eddy-M-K
force-pushed
the
ek-derive-keypair-api
branch
from
ec52093 to
f4fb753
Compare
Signed-off-by: Eddy Kim <[email protected]>
Signed-off-by: Eddy Kim <[email protected]>
|
First off: Thanks for the work making this available, @Eddy-M-K -- and for more than just one algorithm! If I understand it right, you're adding two new functions to the KEM algs, thus requiring all consumers of the library that want to make use of this to write lots of new code (essentially replacing/augmenting keygen/encaps with their new de-randomizing twins): Did I get this right? Is there no way to avoid that (say, by creating a setup function changing the semantics of keygen/encaps)? Is it really necessary to set "randomness"/well, "seeds" at every API invocation? |
| * @param[in] coins The input randomness represented as a byte string. | ||
| * @return OQS_SUCCESS or OQS_ERROR | ||
| */ | ||
| OQS_STATUS (*encaps_derand)(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key, const uint8_t *coins); |
There was a problem hiding this comment.
OK -- now I understand some more: The underlying implementation asks for the seed/coins to be passed in each call. This however begs the question: How many "coins" are needed to correctly operate this API? Shouldn't this be documented & checked here? Equivalent question: How many coins are needed for the keygen API call? Beyond the ability to improve API robustness (check this at invocation), if this were known(?) wouldn't it be possible to pass a sufficient number of "coins" to a "setup_random_coins" call that is invoked once and then used "under the covers" for each subsequent call to (API-wise unchanged) keygen and encaps calls? That way the many "OQS_ERROR" return responses for the KEM algs not supporting that could be saved: They simply wouldn't use "prepared coins" when asked to operate keygen&encaps.
There was a problem hiding this comment.
Sorry it's taken me so long to follow up on this, Michael.
For the first question, length_keypair_coins and length_encaps_coins are added to the OQS_KEM struct; the caller can use them similarly to length_shared_secret, length_ciphertext, etc.
For the second, first let me confirm I'm understanding correctly: setup_random_coins would be a one-time call to set up (i.e., seed) a source of randomness which would then be used as RNG for OQS_randombytes in subsequent KEM operations? This would be similar in functionality to the OQS_randombytes_custom_algorithm call but wouldn't require the caller to define their own function and pass it as a pointer—correct?
The purpose of this PR is to achieve something different. The keypair_derand call is intended to implement (well, expose) the DeriveKeyPair KEM function defined in RFC 9180. This is used notably in the recent Messaging Layer Security standard. By design, this is basically a KDF for KEM keys—the caller provides input keying material and gets back a KEM keypair—which needs to be called multiple times rather than having a one-time setup. The intent is to supplement the existing keygen function, not replace it: RFC 9180 requires that the KEM supports both operations. ML-KEM already supports the DeriveKeyPair operation as part of its API via keypair_derand, as well as a similar encaps_derand function. (I don't know an application for the latter off the top of my head.) I imagine it would have been nice to have this background before you looked at the PR; sorry for the poor coordination on my part.
There was a problem hiding this comment.
Thanks for the explanations. I now understand some more -- but clearly not everything: I thought this PR is meant to enable open-quantum-safe/oqs-provider#447? If this were so (?), I'm afraid this API will require substantial changes to oqsprovider to facilitate this, no? But then again, maybe you or @Eddy-M-K can show me wrong by doing a simple PR implementing open-quantum-safe/oqs-provider#447 based on this new API (maybe a "tracking-..." branch to trigger CI as we also do with new algs?). Again, will be online only by smart phone until Aug 19, so please do not expect serious further feedback from me until then.
|
@Eddy-M-K @baentsch - What do we need to do to get this PR un-stuck? Support for HPKE is also blocked on the lack of DeriveKeyPair. FWIW: I would simplify this PR some:
Also, a naming nit: Instead of |
Truthfully, this has stalled mostly to our limited developer time and other features being higher priority (it's not a coincidence that the last activity on this PR was the Friday before the NIST final standards were released). If you are interested in getting this PR over the finish line, the help would be more than welcome. One open question is the oqs-provider integration: I had hoped that we could kill two birds with one stone and use the new API to solve open-quantum-safe/oqs-provider#447. For HPKE, would you be looking to use liboqs APIs directly or go via the OpenSSL3 provider?
I would have no objection to removing
I have no objection to this, either. I do have one question as I revisit this PR after the publication of FIPS 203: can we expose the "derand" (which I suppose is now "internal") API without running afoul of the final standard? This paragraph at the top of page 16 makes me wary:
|
Welcome to the club @SWilson4 : See e.g., openssl/openssl#25938 (comment) now put into documentation in openssl/openssl#26037. Looks like there really is an advantage contributing to different projects aiming at solving the same problem... :-) |
Add derandomized keypair generation and encapsulation API for all KEM schemes (only ML-KEM has an internal implementation at the moment, all other schemes will throw an error).
Closes #1206
keypair_derand()andencaps_derand()are added to the API of all KEM schemes.