-
Notifications
You must be signed in to change notification settings - Fork 485
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add checks for ML-KEM keys #2009
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Abhinav Saxena <[email protected]>
Signed-off-by: Abhinav Saxena <[email protected]>
Signed-off-by: Abhinav Saxena <[email protected]>
Thanks for this improvement @abhinav-thales . It seems the issue tracking this is #1951:
We are allowed to do anything :-) The question is whether the upstream takes such changes. More seriously: Anyway, please see the discussion in the issue above. This PR could serve as a test stopgap measure and as such imo is mergeable as-is. What's your take @bhess: Also do a patch or wait for the upstream? |
I agree that including key validation tests makes sense. As you pointed out, the pq-crystals upstream doesn't include these validations, so we’d need to rely on our patch mechanism, which would increase maintenance overhead on the liboqs side. One alternative to consider is using this as an opportunity to start adopting the https://github.com/pq-code-package/mlkem-native implementation from PQCP. It recently had its first (alpha) release and is actively maintained. This implementation already includes the required key validations [1][2], and the advantage is that it would eliminate the need for us to maintain custom patches. [1] https://github.com/pq-code-package/mlkem-native/blob/112dbd3d3c42aa6558a448bb80affe5f8c158ece/mlkem/kem.c#L36 |
Why not -- not a new issue, though -- my thoughts stated half a year ago still stand/may be worth while addressing then: pq-code-package/tsc#15 (comment) : Technically, this could be simple, no? PQCP adds "copy-from-upstream" YML files and OQS adds it as another upstream (assuming some form of agreement on APIs, of course :) My strong preference would be to then drop other upstreams to indeed make life easier and not more complicated with this addition. |
Additional thought: As and when there are different algorithm code bases becoming available and if OQS would still want to extend its utility, wouldn't this be the perfect opportunity to finally introduce the notion of "upstream maintained" to the YML file as a way to signal code (bases) that someone may rely on for use beyond research & prototyping? Given the various professionally maintained code bases for standardized algorithms already available or with a clear plan to do so, I'm personally less and less convinced this goal is a sensible one for OQS to pursue, though -- but wouldn't want to rule it out and not lay foundations for that -- like with such distinction of actively supported upstream code bases that would make it into a "reliable build" (vs. the current "amalgam/best effort" one). |
There is no final decision yet (as to which upstreams OQS keeps supporting). As far as I'm concerned, there's a lot speaking for switching for ML-KEM from PQClean/reference code to PQCP code -- if OQS decides to keep supporting ML-KEM at all (see related discussion here).
That would be my preference for now. Sub-optimal as it will not be available to users of the library but anything else has a high potential to be wasted effort. |
I agree with @baentsch. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks very much for these improvements.
#define ML_KEM_Q 3329 | ||
#define SHA256_OP_LEN 32 | ||
/* since x is 12 bits, max value could be 4095. the below macro uses this to implement a simple time constant mod 3329 */ | ||
#define MOD_Q(x) ((x) - ((x >= ML_KEM_Q) * ML_KEM_Q)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe we can count on comparison operators being constant time. I suggest doing Barrett reduction here instead, similar to the reference implementation. (That code computes a centred representation; we'd just need an additional addition.)
I realize that this is overkill for testing code, but there's a possibility we use this file as a guide for patching the algorithm source later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
correct, added a simple mod function as this was a test file. will change it to proper mod function after few tests at my end.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @abhinav-thales, as per discussion in today's OQS meeting, we're OK with this being non–constant time, as long as the comment stating that it is constant time is removed. Feel free to go ahead with that approach if it's simpler for you. (In that case my preference would be to simply use the %
operator so that the operation does not appear to be constant time.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @SWilson4 , thanks for the update.
But any particular reason, why non-constant time is ok ? having it time constant would be the ideal scenario IMO.
in the meantime, I have tested modQ using "Barrett reduction" and another approach using shift operators as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @SWilson4 , thanks for the update. But any particular reason, why non-constant time is ok ? having it time constant would be the ideal scenario IMO. in the meantime, I have tested modQ using "Barrett reduction" and another approach using shift operators as well.
I brought it up with the OQS team, and we decided that we're OK with a non–constant time function here because the code is limited to a test file, in the interest of not holding up the PR. If you prefer to submit a constant-time implementation, that's fine too :)
Signed-off-by: Abhinav Saxena <[email protected]>
@abhinav-thales wouldn't a check like below on public be more simpler ?
|
See discussion here for why this patch is not a good idea. |
understood. thanks for the explanation. I was just trying to understand whether we really need to encode the key data, after decoding to reject keys. |
@bhess You are planning to change the ML-KEM implementation in liboqs to PQCP's mlkem-native. Will that include the desired checks or will it still require separate code? |
Yes, the checks are by default in mlkem-native. Test code as done in this PR may still be useful IMO. |
This PR introduces the sanity checks for encapsulation and decapsulation keys introduced in the final specification of FIPS-203 in section 7.
The changes include:
- checking generated encaps and decaps key in the keypair step
- checking encaps key before the encapsulation step
- checking decaps key before the decapsulation step
Ideally this check should be in the ML-KEM source code but I am not sure if we are allowed to make changes to the upstream code. Kindly let me know otherwise and will move the code accordingly.