Replies: 4 comments 7 replies
-
Since we are waiting for identifiers for ML-KEM as well, before merging the PQC changes in the six-beta branch, I don't really see any major issues. Providing KEMs via plugins for third-party libraries is planned anyway once these libraries provide implementations (and stable APIs I guess, just to avoid lots of ifdefs, it's not really an issue if there are multiple APIs as long as this is hidden in the plugins). |
Beta Was this translation helpful? Give feedback.
-
Great, I'll continue to get more information on these competing APIs and figure out the most stable path. While it can all be abstracted at the plugin layer, one of our goals is to minimize these kinds of compatibility issues. I also heard that the IETF will be talking about ML-KEM identifiers this week so there may be news very soon on that. Do you have any guidance on when the six-beta branch gets merged? We're not in a rush, so if we can avoid ifdefs and checking in less than stable APIs by leveraging time/information that seems like the best option in the long-term. |
Beta Was this translation helpful? Give feedback.
-
Found one issue while trying to get this to work. This |
Beta Was this translation helpful? Give feedback.
-
Just to provide an update before this thread runs dormant for awhile. I have this working in a private branch with the |
Beta Was this translation helpful? Give feedback.
-
Hi there, I just wanted to open a discussion here to get feedback on this idea before raising it to a feature request. Please let me know if anything is unclear or needs more detail
Is your feature request related to a problem? Please describe.
Post-Quantum (PQ) cryptography aims to mitigate the threat quantum computing poses to confidentiality of our data in transit. In mid-2024, NIST is expected to standardize the PQ algorithm ML-KEM (formerly known as Kyber). An IETF draft has been submitted for registering this algorithm in IANA's IKEv2 parameter registry. We would like to contribute an additional implementation of this algorithm in the openssl plugin.
Currently, strongSwan-6 supports this algorithm in the oqs plugin by using the Open Quantum Safe library
liboqs
directly. This library comes with a strong disclaimer around usage in a production. While there are talks to transition the OQS project to something more production ready with its recent membership in the Linux Foundation, it's still unclear what exactly that means (new library, supporting PQ in existing work, or improving liboqs itself). Some signs signal towards continued development of OQS's OpenSSL-3 provider which uses the OpenSSL KEM API.This feature request proposes using AWS-LC (an OpenSSL derivative) as a means to provide PQ confidentiality while providing a path toward future PQ algorithm implementations in upstream OpenSSL.
Describe the solution you'd like
The openssl plugin can be updated (here) to conditionally provide support for the 3 different Kyber algorithms KE's. It will register an implementation which will be able to handle arbitrary KEM algorithms.
AWS-LC currently provides implementations for Kyber Round 3 with plans to add support for the NIST standardized ML-KEM algorithms as soon as they are available. This is exposed via the EVP KEM API which was introduced in OpenSSL-3. Implementations for these KE's can be implemented in a new source file
openssl_kem.c
which would implement all KEMs using the KEM API.Describe alternatives you've considered
Alternative 1: Create a stand-alone AWS-LC plugin. This plugin would offer very limited functionality on its own (just the ML-KEM KEs and eventually ML-DSA signatures). Our hope is to encourage re-use with upstream OpenSSL when it provides support for ML-KEM. We also don't anticipate to add significant functionality that is unique to AWS-LC so this plugin would have limited utility.
Alternative 2: Add the implementation to the oqs plugin. The oqs plugin happens to link in libcrypto and can be coaxed into calling the libcrypto APIs for PQ implementations. This is messy and mixes concerns without much benefit.
Additional context
While the AWS-LC KEM API is similar to OpenSSL-3's API, it is not identical. The only KEM implemented by OpenSSL using this API is RSA. Until the upstream OpenSSL implementation of ML-KEM is available, there remains a possibility of API inconsistencies that need to be ironed out. This is because it is their policy not to introduce non-standardized algorithms in their library. Long-term, we would like to be drop-in compatible, but we are waiting for the final shape before committing to an interface.
We are in a transition period between two versions of the same algorithm "Kyber Round 3" and "NIST ML-KEM". The naming of the constants in
key_exchange.h
and their IANA code points will change. A strategy needs to be proposed (possibly in a separate thread) to address questions around deprecation and migration across both the openssl and oqs plugins.BoringSSL (AWS-LC's parent and descendent of OpenSSL) has yet another interface for Kyber which is incompatible with the OpenSSL-3's KEM API. We offered to upstream the KEM API implementation, but they are unwilling to expand the EVP_PKEY interface in this way so it's unlikely that BoringSSL will use the same KEM interface.
This feature request focuses on confidentiality of data-in-transit using ML-KEM. It does not address the PQ threat against authenticity which requires PQ signatures such ML-DSA (formerly known as Dilithium). This is because data-in-transit is a current threat due to store-now-harvest later attacks. Exploiting authenticity would require an attacker possessing a quantum computer during connection initiation. AWS-LC does support Dilithium, but it is not included in the default build.
Beta Was this translation helpful? Give feedback.
All reactions