forked from open-quantum-safe/openssh
Commit
This aligns the algorithms supported by the OQS OpenSSH fork with the algorithms available in liboqs.

- Added support for ML-KEM-IPD using the ML-KEM alias and the names/curves documented by the [PQ SSH draft RFC](https://datatracker.ietf.org/doc/draft-kampanakis-curdle-ssh-pq-ke/).
- Added support for ML-DSA-IPD using the ML-DSA alias following the conventions from the Dilithium implementation. The Dilithium signatures have been disabled.
- Updated from BIKE Round 3 to Round 4. This adds a new parameter set for BIKE-L5.
- Added support for the Falcon PADDED format. It is disabled by default to preserve entries in the bit-mask.
- Added support for MAYO. The level 1 variant is left disabled.

The KEX algorithms specified by the draft RFC do not match the security level pairing convention followed by Kyber so we chose to prefer the pairings specified in the document. There were no proposed parameter sets for ML-KEM-512 so we defaulted to the conventional parameters.

x25519 hybrids are currently not handled by the oqs-openssh fork so we've omitted `mlkem768x25519-sha256` support for now.

This does not add support for sntrup761 as that requires handling the conflict with the upstream OpenSSH implementation.

Related to Issue open-quantum-safe#163

Signed-off-by: Gerardo Ravago <[email protected]>
Showing 29 changed files with 1,669 additions and 415 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -65,32 +65,38 @@ If an algorithm is provided by liboqs but is not listed below, it can still be u | |
The following quantum-safe algorithms from liboqs are supported (assuming they have been enabled in liboqs): | ||
|
||
<!--- OQS_TEMPLATE_FRAGMENT_LIST_ALL_KEXS_START --> | ||
- **BIKE**: `bike-l1-sha512`, `bike-l3-sha512` | ||
- **BIKE**: `bike-l1-sha512`, `bike-l3-sha512`, `bike-l5-sha512` | ||
- **ClassicMcEliece**: `classic-mceliece-348864-sha256`, `classic-mceliece-348864f-sha256`, `classic-mceliece-460896-sha512`, `classic-mceliece-460896f-sha512`, `classic-mceliece-6688128-sha512`, `classic-mceliece-6688128f-sha512`, `classic-mceliece-6960119-sha512`, `classic-mceliece-6960119f-sha512`, `classic-mceliece-8192128-sha512`, `classic-mceliece-8192128f-sha512` | ||
- **FrodoKEM**: `frodokem-640-aes-sha256`, `frodokem-976-aes-sha384`, `frodokem-1344-aes-sha512`, `frodokem-640-shake-sha256`, `frodokem-976-shake-sha384`, `frodokem-1344-shake-sha512` | ||
- **HQC**: `hqc-128-sha256`, `hqc-192-sha384`, `hqc-256-sha512`† | ||
- **Kyber**: `kyber-512-sha256`, `kyber-768-sha384`, `kyber-1024-sha512` | ||
- **ML-KEM**: `ml-kem-512-sha256`, `ml-kem-768-sha256`, `ml-kem-1024-sha384` | ||
<!--- OQS_TEMPLATE_FRAGMENT_LIST_ALL_KEXS_END --> | ||
|
||
The following hybrid algorithms are made available: | ||
|
||
<!--- OQS_TEMPLATE_FRAGMENT_LIST_ALL_HYBRID_KEXS_START --> | ||
- **BIKE**: `ecdh-nistp256-bike-l1r3[email protected]` `ecdh-nistp384-bike-l3r3[email protected]` | ||
- **BIKE**: `ecdh-nistp256-bike-l1r4[email protected]` `ecdh-nistp384-bike-[email protected]` `ecdh-nistp521-bike-l5r4[email protected]` | ||
- **ClassicMcEliece**: `ecdh-nistp256-classic-mceliece-348864r4-sha256@openquantumsafe.org` `ecdh-nistp256-classic-mceliece-348864fr4-sha256@openquantumsafe.org` `ecdh-nistp384-classic-mceliece-460896r4-sha512@openquantumsafe.org` `ecdh-nistp384-classic-mceliece-460896fr4-sha512@openquantumsafe.org` `ecdh-nistp521-classic-mceliece-6688128r4-sha512@openquantumsafe.org` `ecdh-nistp521-classic-mceliece-6688128fr4-sha512@openquantumsafe.org` `ecdh-nistp521-classic-mceliece-6960119r4-sha512@openquantumsafe.org` `ecdh-nistp521-classic-mceliece-6960119fr4-sha512@openquantumsafe.org` `ecdh-nistp521-classic-mceliece-8192128r4-sha512@openquantumsafe.org` `ecdh-nistp521-classic-mceliece-8192128fr4-sha512@openquantumsafe.org` | ||
- **FrodoKEM**: `[email protected]` `[email protected]` `[email protected]` `[email protected]` `[email protected]` `[email protected]` | ||
- **HQC**: `[email protected]` `[email protected]` `[email protected]` | ||
- **Kyber**: `[email protected]` `[email protected]` `[email protected]` | ||
- **ML-KEM**: `[email protected]` `mlkem768nistp256-sha256` `mlkem1024nistp384-sha384` | ||
<!--- OQS_TEMPLATE_FRAGMENT_LIST_ALL_HYBRID_KEXS_END --> | ||
|
||
Note that algorithms marked with a dagger (†) have large stack usage and may cause failures when run on threads or in constrained environments. For example, McEliece require building `oqs-openssh` with a large(r) stack provision than is default: Adding `LDFLAGS="-Wl,--stack,20000000"` to [the `./configure` command below](#step-2-build-the-fork) is required to allow cygwin-based testing to pass. | ||
|
||
Algorithms which involve ML-KEM are provided using the names as proposed in [draft-kampanakis-curdle-ssh-pq-ke](https://datatracker.ietf.org/doc/draft-kampanakis-curdle-ssh-pq-ke/). The underlying implementation uses a liboqs API name for the final ML-KEM implementation which is currently (August 13th, 2024) aliased to ML-KEM-IPD. When the final implementation for ML-KEM becomes available, the alias will also be updated to the standardized ML-KEM implementation. | ||
|
||
#### Digital Signature | ||
|
||
The following digital signature algorithms from liboqs are supported (assuming they have been enabled in liboqs). Note that only select L3 signature variants are enabled by default. In general, algorithms that are enabled by default are marked with an asterisk, and should you wish to enable additional variants, consult [the "Code Generation" section of the documentation in the wiki](https://github.com/open-quantum-safe/openssh/wiki/Using-liboqs-supported-algorithms-in-the-fork#code-generation). | ||
|
||
<!--- OQS_TEMPLATE_FRAGMENT_LIST_ALL_SIGS_START --> | ||
- **Dilithium**: `dilithium2`\*, `dilithium3`\*, `dilithium5`\* | ||
- **Falcon**: `falcon512`\*, `falcon1024`\* | ||
- **Dilithium**: `dilithium2`, `dilithium3`, `dilithium5` | ||
- **Falcon**: `falcon512`\*, `falcon1024`\*, `falconpadded512`, `falconpadded1024` | ||
- **MAYO**: `mayo1`, `mayo2`\*, `mayo3`\*, `mayo5`\* | ||
- **ML-DSA**: `mldsa44`\*, `mldsa65`\*, `mldsa87`\* | ||
- **SPHINCS**: `sphincssha2128fsimple`\*, `sphincssha2128ssimple`, `sphincsshake128fsimple`, `sphincsshake128ssimple`, `sphincssha2192fsimple`, `sphincssha2192ssimple`, `sphincsshake192fsimple`, `sphincsshake192ssimple`, `sphincssha2256fsimple`\*, `sphincssha2256ssimple`, `sphincsshake256fsimple`, `sphincsshake256ssimple` | ||
<!--- OQS_TEMPLATE_FRAGMENT_LIST_ALL_SIGS_END --> | ||
|
||
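Review bot: The added ML-KEM paragraph says the ML-KEM names are the ones proposed in draft-kampanakis-curdle-ssh-pq-ke, but in the added hybrid **ML-KEM** list entry only `mlkem768nistp256-sha256` and `mlkem1024nistp384-sha384` are bare draft-style names; the first entry is in the vendor `@` form, and the commit message says the draft proposed no parameter set for ML-KEM-512. Suggest stating in that paragraph which names come from the draft and which are local to this fork (including whether the PQ-only `ml-kem-*` names come from the draft), so operators do not assume every ML-KEM name here interoperates with other implementations of the draft.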
|
@@ -101,6 +107,8 @@ The following hybrid algorithms are supported; they combine a quantum-safe algor | |
- if `<SIG>` has L3 security, the fork provides the method `ecdsa-nistp384-<SIG>`, which combines `<SIG>` with ECDSA using NIST's P384 curve. | ||
- if `<SIG>` has L5 security, the fork provides the method `ecdsa-nistp521-<SIG>`, which combines `<SIG>` with ECDSA using NIST's P521 curve. | ||
|
||
Algorithms which involve ML-DSA use a liboqs API name for the final ML-DSA implementation which is currently (August 13th, 2024) aliased to ML-DSA-IPD. When the final implementation for ML-DSA becomes available, the alias will also be updated to the standardized ML-DSA implementation. | ||
|
||
## Quickstart | ||
|
||
The steps below have been confirmed to work on Ubuntu 20.04.1 Focal | ||
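Review bot: The added ML-DSA paragraph says the alias will later move from ML-DSA-IPD to the standardized implementation, but it does not say what happens to keys already generated as `mldsa44`, `mldsa65` or `mldsa87`. If the two versions are not interoperable, host and user keys created now would stop verifying after the alias changes while keeping the same key type name. Suggest adding a sentence that keys of these types are experimental and may need to be regenerated, and tying the statement to a liboqs version rather than a calendar date that will go stale.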
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -76,6 +76,7 @@ | |
#define KEX_KYBER_1024_SHA512 "kyber-1024-sha512" | ||
#define KEX_BIKE_L1_SHA512 "bike-l1-sha512" | ||
#define KEX_BIKE_L3_SHA512 "bike-l3-sha512" | ||
#define KEX_BIKE_L5_SHA512 "bike-l5-sha512" | ||
#define KEX_CLASSIC_MCELIECE_348864_SHA256 "classic-mceliece-348864-sha256" | ||
#define KEX_CLASSIC_MCELIECE_348864F_SHA256 "classic-mceliece-348864f-sha256" | ||
#define KEX_CLASSIC_MCELIECE_460896_SHA512 "classic-mceliece-460896-sha512" | ||
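Review bot: `bike-l1-sha512` and `bike-l3-sha512` in the context lines keep their wire names although the commit message moves BIKE from Round 3 to Round 4, while the README hunk shows the hybrid names changing their round tag from `r3` to `r4`. If Round 4 is not wire-compatible with Round 3, a peer built before this commit will still negotiate the same PQ-only name and then fail inside the KEM instead of falling back to another algorithm. Suggest versioning the PQ-only names as well, or documenting that they are not stable across liboqs updates.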
|
@@ -89,6 +90,9 @@ | |
#define KEX_HQC_128_SHA256 "hqc-128-sha256" | ||
#define KEX_HQC_192_SHA384 "hqc-192-sha384" | ||
#define KEX_HQC_256_SHA512 "hqc-256-sha512" | ||
#define KEX_ML_KEM_512_SHA256 "ml-kem-512-sha256" | ||
#define KEX_ML_KEM_768_SHA256 "ml-kem-768-sha256" | ||
#define KEX_ML_KEM_1024_SHA384 "ml-kem-1024-sha384" | ||
#ifdef WITH_OPENSSL | ||
#ifdef OPENSSL_HAS_ECC | ||
#define KEX_FRODOKEM_640_AES_ECDH_NISTP256_SHA256 "[email protected]" | ||
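Review bot: `KEX_ML_KEM_768_SHA256` and `KEX_ML_KEM_1024_SHA384` pair each parameter set with a smaller hash than the neighbouring entries at the same level (`hqc-192-sha384` and `hqc-256-sha512` just above, `kyber-768-sha384` and `kyber-1024-sha512` in the README). The commit message explains that the draft's pairings were preferred over the Kyber convention, but nothing near these definitions says so. Because the block sits inside an OQS_TEMPLATE_FRAGMENT section, the rationale belongs in the generator input or in a comment above these three lines, so that a later regeneration does not silently revert them to the Kyber convention.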
|
@@ -100,8 +104,9 @@ | |
#define KEX_KYBER_512_ECDH_NISTP256_SHA256 "[email protected]" | ||
#define KEX_KYBER_768_ECDH_NISTP384_SHA384 "[email protected]" | ||
#define KEX_KYBER_1024_ECDH_NISTP521_SHA512 "[email protected]" | ||
#define KEX_BIKE_L1_ECDH_NISTP256_SHA512 "[email protected]" | ||
#define KEX_BIKE_L3_ECDH_NISTP384_SHA512 "[email protected]" | ||
#define KEX_BIKE_L1_ECDH_NISTP256_SHA512 "[email protected]" | ||
#define KEX_BIKE_L3_ECDH_NISTP384_SHA512 "[email protected]" | ||
#define KEX_BIKE_L5_ECDH_NISTP521_SHA512 "[email protected]" | ||
#define KEX_CLASSIC_MCELIECE_348864_ECDH_NISTP256_SHA256 "ecdh-nistp256-classic-mceliece-348864r4-sha256@openquantumsafe.org" | ||
#define KEX_CLASSIC_MCELIECE_348864F_ECDH_NISTP256_SHA256 "ecdh-nistp256-classic-mceliece-348864fr4-sha256@openquantumsafe.org" | ||
#define KEX_CLASSIC_MCELIECE_460896_ECDH_NISTP384_SHA512 "ecdh-nistp384-classic-mceliece-460896r4-sha512@openquantumsafe.org" | ||
|
@@ -115,6 +120,9 @@ | |
#define KEX_HQC_128_ECDH_NISTP256_SHA256 "[email protected]" | ||
#define KEX_HQC_192_ECDH_NISTP384_SHA384 "[email protected]" | ||
#define KEX_HQC_256_ECDH_NISTP521_SHA512 "[email protected]" | ||
#define KEX_ML_KEM_512_ECDH_NISTP256_SHA256 "[email protected]" | ||
#define KEX_ML_KEM_768_ECDH_NISTP256_SHA256 "mlkem768nistp256-sha256" | ||
#define KEX_ML_KEM_1024_ECDH_NISTP384_SHA384 "mlkem1024nistp384-sha384" | ||
#endif /* OPENSSL_HAS_ECC */ | ||
#endif /* WITH_OPENSSL */ | ||
///// OQS_TEMPLATE_FRAGMENT_DEFINE_KEX_PRETTY_NAMES_END | ||
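Review bot: `mlkem768nistp256-sha256` and `mlkem1024nistp384-sha384` are advertised without the vendor `@` suffix that the other hybrid names in this block carry, yet the README states that the implementation behind them is currently ML-KEM-IPD. A peer that implements the same bare names over the final ML-KEM would agree on the algorithm during negotiation and then fail the exchange if the two versions differ on the wire. Suggest keeping a vendor-suffixed name until the alias points at the standardized ML-KEM, or gating the bare names on that. A short comment would also help to record that `KEX_ML_KEM_768_ECDH_NISTP256_SHA256` deliberately pairs the 768 set with P-256, unlike `KEX_HQC_192_ECDH_NISTP384_SHA384` above it.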
|
@@ -169,6 +177,7 @@ enum kex_exchange { | |
KEX_KEM_KYBER_1024_SHA512, | ||
KEX_KEM_BIKE_L1_SHA512, | ||
KEX_KEM_BIKE_L3_SHA512, | ||
KEX_KEM_BIKE_L5_SHA512, | ||
KEX_KEM_CLASSIC_MCELIECE_348864_SHA256, | ||
KEX_KEM_CLASSIC_MCELIECE_348864F_SHA256, | ||
KEX_KEM_CLASSIC_MCELIECE_460896_SHA512, | ||
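Review bot: `KEX_KEM_BIKE_L5_SHA512` is inserted in the middle of `enum kex_exchange`, which renumbers every enumerator after it, and the later hunks do the same for the ML-KEM and hybrid values. Please confirm that no enumerator value is persisted or compared across different builds, and that every table or switch indexed by this enum is regenerated in the same order and handles the new values; only the declarations are visible in this file.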
|
@@ -182,6 +191,9 @@ enum kex_exchange { | |
KEX_KEM_HQC_128_SHA256, | ||
KEX_KEM_HQC_192_SHA384, | ||
KEX_KEM_HQC_256_SHA512, | ||
KEX_KEM_ML_KEM_512_SHA256, | ||
KEX_KEM_ML_KEM_768_SHA256, | ||
KEX_KEM_ML_KEM_1024_SHA384, | ||
#ifdef WITH_OPENSSL | ||
#ifdef OPENSSL_HAS_ECC | ||
KEX_KEM_FRODOKEM_640_AES_ECDH_NISTP256_SHA256, | ||
|
@@ -195,6 +207,7 @@ enum kex_exchange { | |
KEX_KEM_KYBER_1024_ECDH_NISTP521_SHA512, | ||
KEX_KEM_BIKE_L1_ECDH_NISTP256_SHA512, | ||
KEX_KEM_BIKE_L3_ECDH_NISTP384_SHA512, | ||
KEX_KEM_BIKE_L5_ECDH_NISTP521_SHA512, | ||
KEX_KEM_CLASSIC_MCELIECE_348864_ECDH_NISTP256_SHA256, | ||
KEX_KEM_CLASSIC_MCELIECE_348864F_ECDH_NISTP256_SHA256, | ||
KEX_KEM_CLASSIC_MCELIECE_460896_ECDH_NISTP384_SHA512, | ||
|
@@ -208,6 +221,9 @@ enum kex_exchange { | |
KEX_KEM_HQC_128_ECDH_NISTP256_SHA256, | ||
KEX_KEM_HQC_192_ECDH_NISTP384_SHA384, | ||
KEX_KEM_HQC_256_ECDH_NISTP521_SHA512, | ||
KEX_KEM_ML_KEM_512_ECDH_NISTP256_SHA256, | ||
KEX_KEM_ML_KEM_768_ECDH_NISTP256_SHA256, | ||
KEX_KEM_ML_KEM_1024_ECDH_NISTP384_SHA384, | ||
#endif /* OPENSSL_HAS_ECC */ | ||
#endif /* WITH_OPENSSL */ | ||
///// OQS_TEMPLATE_FRAGMENT_ADD_KEX_ENUMS_END | ||
|
@@ -397,6 +413,10 @@ int kex_kem_bike_l1_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | |
int kex_kem_bike_l3_keypair(struct kex *); | ||
int kex_kem_bike_l3_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_bike_l3_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* bike_l5 prototypes */ | ||
int kex_kem_bike_l5_keypair(struct kex *); | ||
int kex_kem_bike_l5_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_bike_l5_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* classic_mceliece_348864 prototypes */ | ||
int kex_kem_classic_mceliece_348864_keypair(struct kex *); | ||
int kex_kem_classic_mceliece_348864_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
|
@@ -449,6 +469,18 @@ int kex_kem_hqc_192_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | |
int kex_kem_hqc_256_keypair(struct kex *); | ||
int kex_kem_hqc_256_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_hqc_256_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* ml_kem_512 prototypes */ | ||
int kex_kem_ml_kem_512_keypair(struct kex *); | ||
int kex_kem_ml_kem_512_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_ml_kem_512_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* ml_kem_768 prototypes */ | ||
int kex_kem_ml_kem_768_keypair(struct kex *); | ||
int kex_kem_ml_kem_768_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_ml_kem_768_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* ml_kem_1024 prototypes */ | ||
int kex_kem_ml_kem_1024_keypair(struct kex *); | ||
int kex_kem_ml_kem_1024_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_ml_kem_1024_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
#ifdef WITH_OPENSSL | ||
#ifdef OPENSSL_HAS_ECC | ||
/* frodokem_640_aes_nistp256 prototypes */ | ||
|
@@ -495,6 +527,10 @@ int kex_kem_bike_l1_ecdh_nistp256_dec(struct kex *, const struct sshbuf *, stru | |
int kex_kem_bike_l3_ecdh_nistp384_keypair(struct kex *); | ||
int kex_kem_bike_l3_ecdh_nistp384_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_bike_l3_ecdh_nistp384_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* bike_l5_nistp521 prototypes */ | ||
int kex_kem_bike_l5_ecdh_nistp521_keypair(struct kex *); | ||
int kex_kem_bike_l5_ecdh_nistp521_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_bike_l5_ecdh_nistp521_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* classic_mceliece_348864_nistp256 prototypes */ | ||
int kex_kem_classic_mceliece_348864_ecdh_nistp256_keypair(struct kex *); | ||
int kex_kem_classic_mceliece_348864_ecdh_nistp256_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
|
@@ -547,6 +583,18 @@ int kex_kem_hqc_192_ecdh_nistp384_dec(struct kex *, const struct sshbuf *, stru | |
int kex_kem_hqc_256_ecdh_nistp521_keypair(struct kex *); | ||
int kex_kem_hqc_256_ecdh_nistp521_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_hqc_256_ecdh_nistp521_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* ml_kem_512_nistp256 prototypes */ | ||
int kex_kem_ml_kem_512_ecdh_nistp256_keypair(struct kex *); | ||
int kex_kem_ml_kem_512_ecdh_nistp256_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_ml_kem_512_ecdh_nistp256_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* ml_kem_768_nistp256 prototypes */ | ||
int kex_kem_ml_kem_768_ecdh_nistp256_keypair(struct kex *); | ||
int kex_kem_ml_kem_768_ecdh_nistp256_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_ml_kem_768_ecdh_nistp256_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
/* ml_kem_1024_nistp384 prototypes */ | ||
int kex_kem_ml_kem_1024_ecdh_nistp384_keypair(struct kex *); | ||
int kex_kem_ml_kem_1024_ecdh_nistp384_enc(struct kex *, const struct sshbuf *, struct sshbuf **, struct sshbuf **); | ||
int kex_kem_ml_kem_1024_ecdh_nistp384_dec(struct kex *, const struct sshbuf *, struct sshbuf **); | ||
#endif /* OPENSSL_HAS_ECC */ | ||
#endif /* WITH_OPENSSL */ | ||
///// OQS_TEMPLATE_FRAGMENT_DECLARE_KEX_PROTOTYPES_END | ||
|