Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: post-quantum support roadmap #64537

Open
rolandshoemaker opened this issue Dec 4, 2023 · 5 comments
Open

crypto: post-quantum support roadmap #64537

rolandshoemaker opened this issue Dec 4, 2023 · 5 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Security umbrella

Comments

@rolandshoemaker
Copy link
Member

With the publication of the NIST PQ drafts FIPS 203, FIPS 204, and FIPS 205 and the beginnings of industry adoption of said algorithms (i.e. https://blog.cloudflare.com/post-quantum-for-all/, https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html, etc), we are starting to look at what post-quantum support will look like in Go.

This issue is not going to propose any specific APIs, and is instead meant to lay out the way we intend to approach decisions about what algorithms we will adopt, and the manner in which we will adopt them.

Generally, we are quite conservative about what cryptographic algorithms we choose to support. In part this is because we have a significant maintenance burden once we adopt an algorithm, but also because we want algorithms that are stable (i.e. unlikely to significantly change in the future), and are already being actively used in the wider ecosystem. There are many PQ algorithms which are still experimental, or have found no wider industry adoption as of yet, which do not meet the bar to be included in the standard library, and make more sense being implemented in third-party modules.

When thinking about what PQ algorithms we want to provide support for, the first hurdle is whether that algorithm will actually be used in the standard library itself. What I mean by this is that, at least to begin with, we don't want to introduce support for algorithms which we will not be using ourselves. This means that our choices of initial algorithms are extremely likely to be driven by the adoption decisions made for the TLS protocol (and by extension the X509 web PKI).

Additionally our initial implementations are likely to only be available internally, at least to begin with (i.e. they will not be implemented in public facing libraries which users can directly use). This gives us the opportunity to gain experience with these new algorithms before we commit ourselves to an API design that we'll likely be stuck with for a significant amount of time. Once we are confident that we fully understand the ways users are expected to handle (and mishandle) these APIs we'll propose public APIs.

What's First

The first step in our PQ implementation plan is adding support to the now widely implemented hybrid X25519/Kyber (X25519Kyber768) KEM for TLS, or a successor version, hopefully in Go 1.23. This will provide TLS client/server interoperability with the other public implementations, and provide deployment experience with this new KEM.

This feature will be transparent to users, providing no public Kyber API, and likely will be gated behind a GODEBUG option.

cc @FiloSottile
@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 4, 2023
@gopherbot

This comment was marked as outdated.

Sign in to view
@gopherbot

This comment was marked as outdated.

Sign in to view
@gopherbot
Copy link

Change https://go.dev/cl/550215 mentions this issue: crypto/internal/mlkem768: new package

@3052
Copy link

3052 commented Jan 31, 2024

call me naive, but is this really something that needs to be in the standard library? I know Filippo and others are really passionate about crypto, I get and respect that. but one thing I DON'T want to see with Go is that is become the next Python, with a giant standard library (if its not already that). we have to draw the line somewhere, and in this case the proposed package(s) seem clearly on the "do not add" side (to me).

I invite counter arguments, I dont mind being proven wrong here, but I DON'T think it should just be assumed that this needs to be in the standard library. post-quantum crypto is in its infancy as I understand it.

@FiloSottile
Copy link
Contributor

@3052 post-quantum key exchanges are necessary as soon as possible to prevent collect-now-decrypt-later attacks. There is a concerted industry-wide push to migrate to PQ, and we believe it's important for Go applications to enable that.

We are starting with internal packages, and initially probably only ML-KEM actually, probably until the final NIST specifications are published.

If you want to know more about how the implementation is following the Cryptography Principles, you might find https://words.filippo.io/mlkem768/ interesting.

@m8rmclaren m8rmclaren mentioned this issue Apr 1, 2024
Open
gopherbot pushed a commit that referenced this issue Apr 10, 2024
@FiloSottile @gopherbot
crypto/internal/mlkem768: new package
1bac252 
This was initially developed at github.com/FiloSottile/mlkem768.

+ 5ce9162 - mlkem768,xwing: add SeedSize <Filippo Valsorda>
+ b43add9 - mlkem768,xwing: add NewKeyFromSeed <Filippo Valsorda>
+ e000fa4 - mlkem768: improve RoundTrip benchmark <Filippo Valsorda>
+ 344d5ee - mlkem768: add exhaustive tests for compress and decompress (#4) <David Buchanan>
+ 08fb36c - mlkem768: do not panic <Filippo Valsorda>
+ 9e9fcc2 - mlkem768: add proposed Wycheproof test vectors <Filippo Valsorda>
+ 5e630b8 - mlkem768: add more tests <Filippo Valsorda>
+ e3fb5df - mlkem768: add TestUnluckyVector <Filippo Valsorda>
+ 3f410e9 - mlkem768: add accumulated pq-crystals vectors <Filippo Valsorda>
+ 9897e2f - mlkem768: add other known test vectors <Filippo Valsorda>
+ cffbfb9 - mlkem768: update sampleNTT comment <Filippo Valsorda>
+ df1b265 - mlkem768: use uint16 reads, simpler bit twiddling <Josh Bleecher Snyder>
+ 50a7fad - mlkem768: unroll ntt inner loop <Josh Bleecher Snyder>
+ cd8140e - mlkem768: avoid extra data copies <Josh Bleecher Snyder>
+ 0c68443 - mlkem768: buffer reads from sha3 <Josh Bleecher Snyder>
+ bb784ff - mlkem768: create README.md <Filippo Valsorda>
+ 35e7ada - mlkem768: add package docs and LICENSE <Filippo Valsorda>
+ 2e6a3df - mlkem768: drop performance optimization notes <Filippo Valsorda>
+ d5449de - mlkem768: add benchmarks <Filippo Valsorda>
+ 3294fee - mlkem768: implement ML-KEM <Filippo Valsorda>
+ 4cb306e - mlkem768: reimplement compress and decompress <Filippo Valsorda>
+ 48e4c4c - mlkem768: fix AHat draft spec typo <Filippo Valsorda>
+ c34ddcf - mlkem768: make better use of constants <Filippo Valsorda>
+ 3b485e1 - mlkem768: initial commit, a full K-PKE implementation <Filippo Valsorda>

Submitting changes on behalf of Josh Bleecher Snyder as authorized at
https://go-review.googlesource.com/c/go/+/547357/comment/61f8433f_04dc9c5d/
and of David Buchanan as authorized at
FiloSottile/mlkem768#4 (comment).

Updates #64537

Change-Id: I50607336282434d64a1255901b0ef40dbfd47e91
Reviewed-on: https://go-review.googlesource.com/c/go/+/550215
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Security umbrella
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@cagedmantis @FiloSottile @rolandshoemaker @gopherbot @3052