New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: post-quantum support roadmap #64537
Comments
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Change https://go.dev/cl/550215 mentions this issue: |
call me naive, but is this really something that needs to be in the standard library? I know Filippo and others are really passionate about crypto, I get and respect that. but one thing I DON'T want to see with Go is that is become the next Python, with a giant standard library (if its not already that). we have to draw the line somewhere, and in this case the proposed package(s) seem clearly on the "do not add" side (to me). I invite counter arguments, I dont mind being proven wrong here, but I DON'T think it should just be assumed that this needs to be in the standard library. post-quantum crypto is in its infancy as I understand it. |
@3052 post-quantum key exchanges are necessary as soon as possible to prevent collect-now-decrypt-later attacks. There is a concerted industry-wide push to migrate to PQ, and we believe it's important for Go applications to enable that. We are starting with internal packages, and initially probably only ML-KEM actually, probably until the final NIST specifications are published. If you want to know more about how the implementation is following the Cryptography Principles, you might find https://words.filippo.io/mlkem768/ interesting. |
This was initially developed at github.com/FiloSottile/mlkem768. + 5ce9162 - mlkem768,xwing: add SeedSize <Filippo Valsorda> + b43add9 - mlkem768,xwing: add NewKeyFromSeed <Filippo Valsorda> + e000fa4 - mlkem768: improve RoundTrip benchmark <Filippo Valsorda> + 344d5ee - mlkem768: add exhaustive tests for compress and decompress (#4) <David Buchanan> + 08fb36c - mlkem768: do not panic <Filippo Valsorda> + 9e9fcc2 - mlkem768: add proposed Wycheproof test vectors <Filippo Valsorda> + 5e630b8 - mlkem768: add more tests <Filippo Valsorda> + e3fb5df - mlkem768: add TestUnluckyVector <Filippo Valsorda> + 3f410e9 - mlkem768: add accumulated pq-crystals vectors <Filippo Valsorda> + 9897e2f - mlkem768: add other known test vectors <Filippo Valsorda> + cffbfb9 - mlkem768: update sampleNTT comment <Filippo Valsorda> + df1b265 - mlkem768: use uint16 reads, simpler bit twiddling <Josh Bleecher Snyder> + 50a7fad - mlkem768: unroll ntt inner loop <Josh Bleecher Snyder> + cd8140e - mlkem768: avoid extra data copies <Josh Bleecher Snyder> + 0c68443 - mlkem768: buffer reads from sha3 <Josh Bleecher Snyder> + bb784ff - mlkem768: create README.md <Filippo Valsorda> + 35e7ada - mlkem768: add package docs and LICENSE <Filippo Valsorda> + 2e6a3df - mlkem768: drop performance optimization notes <Filippo Valsorda> + d5449de - mlkem768: add benchmarks <Filippo Valsorda> + 3294fee - mlkem768: implement ML-KEM <Filippo Valsorda> + 4cb306e - mlkem768: reimplement compress and decompress <Filippo Valsorda> + 48e4c4c - mlkem768: fix AHat draft spec typo <Filippo Valsorda> + c34ddcf - mlkem768: make better use of constants <Filippo Valsorda> + 3b485e1 - mlkem768: initial commit, a full K-PKE implementation <Filippo Valsorda> Submitting changes on behalf of Josh Bleecher Snyder as authorized at https://go-review.googlesource.com/c/go/+/547357/comment/61f8433f_04dc9c5d/ and of David Buchanan as authorized at FiloSottile/mlkem768#4 (comment). Updates #64537 Change-Id: I50607336282434d64a1255901b0ef40dbfd47e91 Reviewed-on: https://go-review.googlesource.com/c/go/+/550215 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org>
With the publication of the NIST PQ drafts FIPS 203, FIPS 204, and FIPS 205 and the beginnings of industry adoption of said algorithms (i.e. https://blog.cloudflare.com/post-quantum-for-all/, https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html, etc), we are starting to look at what post-quantum support will look like in Go.
This issue is not going to propose any specific APIs, and is instead meant to lay out the way we intend to approach decisions about what algorithms we will adopt, and the manner in which we will adopt them.
Generally, we are quite conservative about what cryptographic algorithms we choose to support. In part this is because we have a significant maintenance burden once we adopt an algorithm, but also because we want algorithms that are stable (i.e. unlikely to significantly change in the future), and are already being actively used in the wider ecosystem. There are many PQ algorithms which are still experimental, or have found no wider industry adoption as of yet, which do not meet the bar to be included in the standard library, and make more sense being implemented in third-party modules.
When thinking about what PQ algorithms we want to provide support for, the first hurdle is whether that algorithm will actually be used in the standard library itself. What I mean by this is that, at least to begin with, we don't want to introduce support for algorithms which we will not be using ourselves. This means that our choices of initial algorithms are extremely likely to be driven by the adoption decisions made for the TLS protocol (and by extension the X509 web PKI).
Additionally our initial implementations are likely to only be available internally, at least to begin with (i.e. they will not be implemented in public facing libraries which users can directly use). This gives us the opportunity to gain experience with these new algorithms before we commit ourselves to an API design that we'll likely be stuck with for a significant amount of time. Once we are confident that we fully understand the ways users are expected to handle (and mishandle) these APIs we'll propose public APIs.
What's First
The first step in our PQ implementation plan is adding support to the now widely implemented hybrid X25519/Kyber (X25519Kyber768) KEM for TLS, or a successor version, hopefully in Go 1.23. This will provide TLS client/server interoperability with the other public implementations, and provide deployment experience with this new KEM.
This feature will be transparent to users, providing no public Kyber API, and likely will be gated behind a GODEBUG option.
cc @FiloSottile
The text was updated successfully, but these errors were encountered: