-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reverse TLS hybrid keyshares for x25519/x448-mlkem hybrids #524
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Tested with Google-BoringSSL's X25519MLKEM768 and passed :) |
Thanks for the PR, @bhess! Please let me know when you consider it Ready for Review.
I don't understand: What did you test? That the key share reversal works using Kyber768, not MLKEM768? Using which code point?
What reading do you think #522 has on this, @bhess? The changes this PR does apply (with most externally visible relevance) to KEMs with OIDs (well, really primarily x25519mlkem768), right? #522 in turn changes the handling of KEMs without OIDs.
Nice, indeed. Thanks for the confirmation @pi-314159 . Just the names don't seem to align yet: Do you plan on aligning this, too @bhess? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Finally, a general comment: On the positive side the approach taken in the PR avoids encoding specific algorithms' names into the provider, so good; I'm not convinced this added configuration option doesn't complicate maintainability of the code, though. Looking at the changes, this looks "brittle": Are you comfortable maintaining/supporting this going forward, @bhess? If so shouldn't there be some documentation explaining how this works? Might it not be better to simply change the order for all X-hybrids (as per suggestion by @pi-314159 I think?)?
@baentsch I asked @bhess earlier about changing the order of all X-hybrids. |
Changing 20 ids one-time doesn't sound that hard compared to having to explain and understand time and again what's going on in which cases and which code paths in hybrid vs composite vs plain PQ. If
It surely may not be necessary. Taking the perspective of a user, wouldn't that be more consistent (across implementions and with spec), though? |
Tested this x25519_mlkem768 with Firefox 132 nightly and they are interoperable. |
I agree that changing all x-hybrids would be a bit simpler. Changing the codepoints would also be ok IMO.
No, I just added the commented-out interop test to Cloudflare again with x25519_kyber768.
If we want to do this, yes. It may take me 1-2 days since I'm traveling this week. @praveksharma kindly offered help with the templating changes needed. Thanks Pravek! Feel free to give it a go. My idea was to add a property like "standard_name" to the .yml file, and to use this as name if available. |
Thanks for testing with Firefox and BoringSSL @ghen2 & @pi-314159! |
FYI, Firefox 132 with x25519_mlkem768 will be released on October 29, and has it enabled by default for HTTP/2 (but they seem to have broken the knob for HTTP/3). |
So why don't we do the switch (reversing all x-hybrids) in two months, i.e. in the oqs-provider release after this one? I think it doesn't hurt and is a plus to have interop of what is used now in practice. @pi-314159 I think it's not a problem if you do this differently in oqs-BoringSSL and drop interop now.
Sure and I'll also be happy to drop this logic when it is not used anymore. The change required is minimal. |
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
At a different code point, though. So CF simply switched to "our" code point for x22519_kyber768 it seems but then works towards implementing MLKEM....
That'd also be my favourite to keep key information in one place.
Thanks also from me @praveksharma ! Any and all additional help with this project welcome! |
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
Signed-off-by: Pravek Sharma <sharmapravek@gmail.com>
The next revision of draft-kwiatkowski-tls-ecdhe-mlkem will also standardise p384_mlkem1024 as |
fips_standard
to kems in generate.yml. If this is set, the key shares in x25519/x448 hybrids are reversed.Open point: working encoder for the "reversed" hybrid kems. @baentsch is this still be needed after #522 lands?
Fixes #503