Merge integrate-pq into main #897
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* rebase and added pq-crypto folder(CRLF/LF issue) * local clean up * clean up for PR * codebuild CMakeLists.txt issue * codebuild correct cmake issue2 * updated pq CMakeLists file * fix bracket issues * fix bracket issues attempt 2 * fix bracket issues attempt 3 * cmake updated and braces fixed * API integration and windows codebuild fix * API integration and windows codebuild fix * clean up * apply PR feedback part 1 * Update PR * Updated PR * Updated PR * Resolved all PR reviews to date * PR update * replace ct with SIKE version * fix SIKE ct function * This will fail CodeBuild * Back to working verison * Added helpful comments * Add helpful TODO comments
clean up comments and remove AWS license from SIKE.
This PR imports the source code of SIKE from the official repository: https://github.com/microsoft/PQCrypto-SIDH. The new EVP APIs for PQ KEMs are also refactored to be more in line with the existing EVP APIs in the library. A basic unit test is added to verify the functionality of SIKE's implementation and the newly added PQ KEM APIs. Co-authored-by: Dusan Kostic <[email protected]>
…#343) * Add PQCrystals-Kyber512, Remove SIKE, relocate pq_kem interface. * Use a runtime switch to enable the DRBG, similar to how it is done in fork_detect.c. * Modify Kyber's verify.c logic to avoid a warning-turned-error on MSVC builds. * Increase OID length to accommodate longer OID value for Kyber-R3.
* Remove PQ_KEM API and replace with EVP_KEM API. Update KAT tests to match new API. * Address memory issues found during testing. * Update comment, braces, and function parameter style * Update test names to match convention
The NID and other identifiers of an algorithm in AWS-LC are generated by a script rather than adding the NID by hand. This commit fixes the Kyber512 NID previously added by hand.
The prefix build doesn't work with the Kyber source code because Kyber is doing it's own prefixing that clashes with the one we do in aws-lc. This will be fixed before moving Kyber to the main aws-lc branch.
Merge main into integrate-pq branch
- Removed the OpenSSL 3.0-like structures and APIs from the implementation of PQ KEMs. - Added two new methods in EVP_PKEY, encapsulate and decapsulate, to be used for KEMs. - Renamed some macro and variable names to be consistent with NIST's notation.
Internalize the custom randomness generation done for PQ algorithms testing.
This PR introduces a new signature algorithm CRYSTALS Dilithium that has been selected for standardization by NIST as part of the PQC project. We import the Dilithium source code from this commit of the official Dilithium repository pq-crystals/dilithium@3e9b9f1 as of May 2022. This PR includes only the Dilithium source implementation and does not include higher level API integration. The interface to the EVP APIs will be included within a following PR.
Update integrate-pq from main
Merge main into integrate-pq
This PR introduces the EVP_PKEY APIs for Dilithium3, utilizing key generation, sign and verify. **Addition to EVP interface** This PR also makes Dilithium3 keys available to the EVP PKEY interface including a subset of methods for key management. As the Dilithium signing procedure is a single-shot signing algorithm that does not use a pre-hash, we follow much of the same structure as the EVP interface for Ed25519. For example, to sign and verify we use the EVP operations `EVP_DigestSign` and `EVP_DigestVerify` with hash `|type|` set to NULL. There are two pairs of sign/verify APIs provided by Dilithium, `pqcrystals_dilithium3_ref_signature` and `pqcrystals_dilithium3_ref_verify` which sign and verify (resp.) a Dilithium3 signature generated for some message m, and `pqcrystals_dilithium3_ref` and `pqcrystals_dilithium3_ref_open`, which sign and verify (resp.) a Dilithium3 signed message (which is the composition of a Dilithium3 and the message m that was signed) for some message m. We have chosen to select the two APIs `pqcrystals_dilithium3_ref_signature` and `pqcrystals_dilithium3_ref_verify` to be consistent with existing EVP signature functionality. This is also consistent with other implementations, such as within [LibOQS](https://github.com/open-quantum-safe/liboqs/blob/main/src/sig/dilithium/sig_dilithium_3.c#L33-L34). **DRBG** To support KAT testing, a deterministic random number generator was needed. This PR introduces the same DRBG (AES-CTR) used by the Dilithium source code and uses the same randombytes interface to seed and get random bytes from it. The DRBG only gets built when the testing flag is enabled. Otherwise, the existing RNG is used. **Testing** Unit tests were added which exercise the use of Dilithium3 in the EVP interface. KAT tests from the Dilithium submission to NIST's Round 3 Post-Quantum Cryptography selection process are also included. To support running the KAT tests, an additional random number generator was added which is deterministic and only built-in test mode. The KAT tests are built by the Dilithium team using the `pqcrystals_dilithium3_ref` and `pqcrystals_dilithium3_ref_open` APIs (which include the message within the signature). Since we are using the APIs that do not include the message within the signature we truncate the full signature in the KAT to only the signature part to exclude the copy of the message.
Update integrate-pq branch 12-13-22
Update pq branch 01 17 23
Update pq branch 01 24 23 - merge main
Still need to: - change `DILITHIUM3` to `DILITHIUM3_R3` everywhere - move `crypto/dilithium/` to `crypto/dilithium3/r3`? - update CI to set this feature guard - perhaps move NID up to higher numerical value in an "experimental" namespace where it won't conflict with newer algos/NIDs? - #ifdef out the dilithium NID definition if possible
WillChilds-Klein
force-pushed
the
cleaup-pq
branch
from
f95135d to
ce5eda4
Compare
This change qualifies the public DILITHIUM3 identifiers with a "round 3" (`_R3`) suffix. Internal function, variable, etc. are left as-is because they are not exposed to callers and can be updated if/when a materially different round 4 comes down the pipeline. Ideally, we'd be able to exclude this NID/OID entirely in non-dilithium builds, but this is not currently possible with the current `crypto/obj/` code. A next-best option would have been to put the Dilithium3 NID into an "experimental" NID namespace _well_ above the number of anticipated algorithms over the library's lifetime. I prototyped this out with an NID of 10,001 but as it turns out the tooling will expand NUM_NID and the `kObjects[]` in `obj_dat.h` and backfill all ~9000 ivervening array values with NULL/0-valued entries. This space tradeoff seemed unacceptable, so this implementation presents the `DILITHIUM3_R3` NID in all builds. The next commit will add a test to assert the behavior of trying to specify `DILITHIUM3_R3` in non-`DILITHIUM_ENABLED=ON` builds.
This was only possible by setting OPENSSL_armcap via static defines in order to avoid reading from MIDR_EL1.
Valgrind was outputting an illegal opcode error on
__asm__ volatile("mrs %0, MIDR_EL1" : "=r" (val));
This commit avoids compiling cpu_aarch64_linux.c in valgrind build by passing -DOPENSSL_STATIC_ARMCAP to it and setting all capabilities via the STATIC_ARMCAP macros (except SHA512 which wasn't used before with valgrind and was also causing an "illegal opcode" error when set).
Note: Setting -DOPENSSL_STATIC_ARMCAP without specifying any capabilities disables all of them as in the second
set of tests.
The ssl runner valgrind tests are here made to run in parallel to the valgrind tests (only with the build where all capabilities are set).
WillChilds-Klein
force-pushed
the
cleaup-pq
branch
from
c6de85c to
df834be
Compare
|
Ok, here are the requested changes:
Here's a log of commits I've made since responding to @torben-hansen's last round of feedback (the API version bump is unrelated to this PR and has already been merged): As mentioned previously, once this PR has been merged there will be fast-follow PRs to:
|
torben-hansen
previously approved these changes
May 12, 2023
dkostic
reviewed
May 15, 2023
dkostic
approved these changes
May 16, 2023
torben-hansen
approved these changes
May 16, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
Partially addresses CryptoAlg-1665
Notes
There were a few issues in the merge that I had to manually resolve:
giving Dilithium3 an NID of 975 instead (Kyber1024 is 974).
outdated and didn't have a priv_encode_v2 implementation. So, I gave
it a trivial implementation that returns error, specifically EVP err
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE. We may want to come
back and implement this method which "encodes |key| as a
OneAsymmetricKey (RFC 5958)".
To simplify this PR's diff and facilitate reviewing, some portions of the merge
contents have been deleted in discrete commits. These deletions are temporary,
and will be reverted immediately post-merge in a two fast-follow PRs:
@dkostic's guidance
Regarding the code remaining in this PR, much of it has been reviewed
previously. Here's a summary of the PRs for Dilithium-related code:
Testing
Against test binary built with default build flags (i.e.
ENABLE_DILITHIUM=OFF):Against test binary built with
-DENABLE_DILITHIUM=ONset in cmake invocation:By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and
the ISC license.