Adds encoding options for subjectPublicKey and privateKey #123
Conversation
bhess
force-pushed
the
bhe-encoding
branch
2 times, most recently
from
f9ca14e
to
c63bd4c
Compare
Wiki documentation does not help people who just use a release distribution; also it becomes stale, so please document (at least the above) within github repo. Also, the oqs-provider version information does not contain a hint as to what encoding is actually used in the built binary. Please add sth meaningful e.g. here: oqs-provider/oqsprov/oqsprov.c Line 422 in a7e3464 |
* Update fragments * Add test runs to CI (with/without encodings, with/without NOPUBKEY_IN_PRIVKEY) * Encodings settable via env variables
- Allow to pass options to runtests_encodings.sh - Add qsc_encoder version strings
Added a section to README.md in 58a2c11.
Also added in 58a2c11. |
There was a problem hiding this comment.
Thanks for these updates, @bhess! Makes things clearer. Please also add a (single line) entry to https://github.com/open-quantum-safe/oqs-provider/blob/main/RELEASE.md regarding this feature. Also, might it be better to list all parameters in https://github.com/open-quantum-safe/oqs-provider/blob/main/ALGORITHMS.md rather than making the README even longer? When considering listing this in ALGORITHMS.md, the immediate question comes to mind whether the OIDs are/should be different based on which encoding is active: Would make sense, no?
Also good would be a link to the IETF drafts (instead of only writing "IETF draft"): That way people may look up possible (new) versions (or discover that this code became outdated :) In general, how do you envision the permitted values to change with new RFC draft rounds? Do the constants always have to change, even if just the draft date changed (creating a new version but no new code)?
Lastly, it may be sensible to add a new file "CONFIGURE.md" given we have ever more build-time configuration options... If you wouldn't want to do this in this PR, NP, I'll follow up afterwards.
Thanks @baentsch. I now moved the env variable docs to ALGORITHMS.md along with links to the IETF drafts and just left the compile options part in README.md (A CONFIGURE.md for these also make sense to me after this PR).
A new round will come with a string identifying the new version (e.g.
Very good point I very much agree. The drafts unfortunately don't specify the OIDs as this wasn't desired yet by IETF. That said, the encoder library in our case don't encode OIDs as only the subjectPublicKey and privateKey are processed. For oqs-provider it is possible to just use the OID env variables to use additional OIDs. In my view, an OID convention like the following would make sense, where
|
- Ifdefs for code only used when USE_ENCODING_LIB is set - Add fragment for algorithms.md
| @@ -178,6 +178,12 @@ excludes all algorithms of the "Sphincs" family. | |||
| *Note*: By default, interoperability testing with oqs-openssl111 is no longer | |||
| performed by default but can be manually enabled in the script `scripts/runtests.sh`. | |||
|
|
|||
| ### Key Encoding | |||
|
|
|||
| By setting `-DUSE_ENCODING_LIB=<ON/OFF>` at compile-time, oqs-provider can be compiled with with an an external encoding library `qsc-key-encoder`. Configuring the encodings is done via environment as described in [ALGORITHMS.md](ALGORITHMS.md). | |||
There was a problem hiding this comment.
Note to self: Document default value (ON).
| - run: | ||
| name: Build OQS-OpenSSL provider (only STD algs) with NOPUBKEY_IN_PRIVKEY | ||
| command: | | ||
| rm -rf _build && mkdir _build && cd _build && cmake -GNinja -DNOPUBKEY_IN_PRIVKEY=ON -DOPENSSL_ROOT_DIR=$(pwd)/../.local -DCMAKE_PREFIX_PATH=$(pwd)/../.local .. && ninja |
There was a problem hiding this comment.
Note to self: No CI test for USE_ENCODING_LIB=OFF -> Add one if we want to keep that (plain) option.
…um-safe#123) * Add encoding library - Encodings settable via env variables - Add key encoding options to README.md - Add qsc_encoder version strings Signed-off-by: Felipe Ventura <felipe.ventura@entrust.com>
Integrates encoding subjectPublicKey and privateKey according the following IETF drafts:
https://datatracker.ietf.org/doc/draft-uni-qsckeys-dilithium/00/
https://datatracker.ietf.org/doc/draft-uni-qsckeys-falcon/00/
https://datatracker.ietf.org/doc/draft-uni-qsckeys-kyber/00/
https://datatracker.ietf.org/doc/draft-uni-qsckeys-sphincsplus/00/
Integrates encoding library from https://github.com/Quantum-Safe-Collaboration/qsc-key-rfc/tree/main/qsc-key-encoder.
The code is used as an external project with cmake
ExternalProject_Add. Optionally, oqs-provider can be built without the dependency by using-DUSE_ENCODING_LIB=OFF. The library provides API to encode/decode according to the draft specification.The encodings are specified by setting environment variables. Example:
export OQS_ENCODING_DILITHIUM2=draft-uni-qsckeys-dilithium-00/sk-pk. If no env variable are set, the default is 'no' encoding (the previous oqs-provider behavior).Supports the
-DNOPUBKEY_IN_PRIVKEYbuild option (enabling private keys without public keys for interop testing #83).Note: some PQC algorithms (Kyber, SPHINCS+) already contain the public key in their 'raw' private key. With
-DNOPUBKEY_IN_PRIVKEY=OFF, this usually leads to an unnecessary duplication of the public key. The encodings according to the IETF drafts avoid this duplication even if-DNOPUBKEY_IN_PRIVKEY=OFF.Adds CI test runs (with / without encodings set, with / without NOPUBKEY_IN_PRIVKEY)
Will add config options to Wiki if merged.
Fixes #89