Add ML-DSA-ipd and ML-KEM-ipd & NIST supplied test vectors #1626
Conversation
bhess
force-pushed
the
bhe-fips-ipd
branch
3 times, most recently
from
6ca8117
to
6dc8bba
Compare
There was a problem hiding this comment.
Thanks for adding these algorithms: I very much like how you use our "import machinery" to transform the "old" upstream names into the standard ones. Conceptually this all looks OK -- I'm just not happy with adding version information to the algorithm names: Those may be OK for a hackathon that is not meant to be used for more than that event, but algorithm names with version information included IMO adds an undue burden to downstream integrations: Anyone will have to update their source code as and when the "-ipd" suffix goes away (as opposed to just re-compile or only re-link iff a code change occurs during the transition to final standard).
|
Thanks for the review and comment @baentsch. Good point regarding naming, including the versioning in the names would indeed be a change from the current approach. I see the point of ease of re-compiling and re-deploying. However, I think there are arguments for including the versioning: |
The above has different meanings of the word "user" (of If PQ integrators need name changes to ascertain they also update their OIDs and link the right libraries, they may need to reconsider their job choice. The argumentation of the IETF
indeed seems to indicate a lack of trust in the capabilities of software developers and interop testers to weed out possibly incompatible implementations using the same name. Does this mean that if there is a step after "IPD", let's call it "SPD" that everyone would need to update their software again? Good business for IT consultancies paid by the hour, bad choice for the End Users footing the bill.
This is a good argument. But it is relevant only for comparative testing, i.e., development and test purposes. Should End Users be impacted by this (currently still interesting, but in the long run irrelevant) use case? |
|
Re-reading this discussion, what about the idea to introduce a macro "-ipd" now? That way we can satisfy the IETF folks placing no trust in software developers and allow people knowing what they do to minimize their long-term work effort (by taking the "risk" of using the non-ipd variant)? |
|
@bhess Stepping back from the discussion about -IPD naming in that one specific file to a more general question: what was your philosophy around when to use the ML-KEM-IPD naming and when to use plain ML-KEM? If ML-KEM-IPD != ML-KEM, then there may be a time period where we want to have both ML-KEM-IPD and ML-KEM present in the library, similar to how we're currently imagining wanting to have both Kyber and ML-KEM-IPD present in the library. I'm not sure that would be possible with the current naming in the PR... |
I like the idea of a macro/alias. What about the other way around, i.e. "ML-KEM-512" is an alias of "ML-KEM-512-ipd"? Should there be something like an "-spd" version, the ML-KEM-512 alias can just become an alias of the -spd version. The same would then be possible for the upcoming on-ramp signatures ("OnrampSig"-R1, "OnrampSig"-R2, ..., and an alias "OnrampSig").
The idea was to have a family name "ML-KEM" the individual schemes are called "ML-KEM-512-ipd", "ML-KEM-768-ipd" and "ML-KEM-1024-ipd".
I think you are right, the import logic builds the internal API names using "name"_"scheme": liboqs/scripts/copy_from_upstream/copy_from_upstream.yml Lines 140 to 148 in 3468dc8 If "scheme" is named "512_ipd" instead then it should work. I'll update the PR next week. |
Thanks & fine with me. As long as "ML-KEM-512" (also) becomes available now. Analog for the other "ML..." (sig) algs & strengths. |
|
Updated the PR with:
|
|
As a follow-up to https://github.com/orgs/open-quantum-safe/discussions/1689 this is to ask whether this PR should also change the designation of what is a "STD" algorithm, at the least dropping Kyber and Dilithium. |
|
Thanks for the updates to the STD algs list, @bhess. Only item left: Could you please trigger downstream testing and thus the ML-* PR on oqs-provider as discussed (by way of adding the statement "[trigger downstream]" to a commit message)? |
Agreed, the STD algorithms should contain the standards eventually, and until the standards are finalized only the latest revisions.
Thanks, added the [trigger downstream] message now (wanted to have a passing build first before triggering downstream tests). |
Pull ML-DSA-ipd / ML-KEM-ipd from pq-crystals "standard" branch.
Adds test cases with NIST supplied test vectors: https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization/example-files (see also Note on the intermediate values for ML-KEM: and Note on the intermediate values for ML-DSA:)
The NIST files are rather large (several MB) and we only use parts of the data that can be passed via the public API + randomness. So we process them and store only the data we need in
tests/PQC_Intermediate_Values(script is included to reproduce the files)The PR adds new test code vectors_sig.c and vectors_kem.c that for testing the NIST vectors.
The idea is to keep the current Kyber/Dilithium (round 3) versions for compatibility reasons, and add the ML-* algorithms additionally.
The naming of the algorithms is done following the IETF hackathon: ML-DSA-44-ipd, ML-DSA-65-ipd, ML-DSA-87-ipd, ML-KEM-512-ipd, ML-KEM-768-ipd, ML-KEM-1024-ipd: https://github.com/IETF-Hackathon/pqc-certificates/blob/master/docs/oid_mapping.md
TODOs:
Pull pqclean aarch64 code (may omit for now)Closes #1521.