-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove ENABLE_DILITHIUM flag #2082
base: main
Are you sure you want to change the base?
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2082 +/- ##
==========================================
+ Coverage 78.75% 78.94% +0.18%
==========================================
Files 598 610 +12
Lines 103650 105189 +1539
Branches 14720 14906 +186
==========================================
+ Hits 81633 83040 +1407
- Misses 21365 21497 +132
Partials 652 652 ☔ View full report in Codecov by Sentry. |
} | ||
|
||
/************************************************* | ||
* Name: crypto_sign_open | ||
* Name: ml_dsa_verify_message |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sign_message
and verify_message
variants are never used (we use sign/verify without the appended message on the end, so that signature sizes are constant)-- should we just remove them from the library?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I usually take the position that if
- a function is never used and
- it is not exposed as part of our public API
we should remove it.
@@ -300,7 +300,7 @@ int crypto_sign_signature(ml_dsa_params *params, | |||
} | |||
|
|||
/************************************************* | |||
* Name: crypto_sign | |||
* Name: ml_dsa_sign_message |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sign_message
and verify_message
variants are never used (we use sign/verify without the appended message on the end, so that signature sizes are constant)-- should we just remove them from the library?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Holding off on full review until PR 2072, which this PR holds the contents of, has been merged.
However, we haven't always been consistant with this, so there is a mix of both in the library. Users will find the consistency between EVP_PKEY_pqdsa_new_raw_secret_key and EVP_PKEY_kem_new_raw_secret_key more satisfying.
I associate "private key" with asymmetric keys and "secret key" with symmetric keys for HMAC, AES, etc. We have portions of the library that refer to asymmetric private keys as "secret keys"?
Why do we need new EVP APIs for ML-DSA? What inputs/outputs differ from other signature schemes supported by EVP_DigestSign?
Yes, see
We need them for the PKEY and ASN.1 functions, not for the
These are analog to the KEM, DH, and EC PKEY utility function APIs, for example:
We need these so we don't have to have distinct ASN.1 functions for every single ML-DSA parameter set, instead, we put all signature schemes (that support the NIST API framework, so all the PQ ones) into the |
Thanks for the explanation @jakemas, all makes sense. The only (mild) concern I still have is whether the "pqdsa" naming might be too general here. Are we using "pqdsa" instead of "mldsa" because we plan to re-use these functions for SLH-DSA? If so, with the current signature of It might be better to have a distinct Lastly, what are the implications of XMSS for this API? Is XMSS considered part of NIST's "DSA" family of signature algorithms? |
Yes, the idea is to support any signature scheme without having to add an ASN.1 functionality for each algorithm specific parameter set. This would include ML-DSA, HashML-DSA, ExtMuML-DSA, FN-DSA, HashFN-DSA, SLH-DSA, HashSLH-DSA, even ED25519 would fit in the API. I wanted to call it NISTDSA, because DSA is taken, and the API format is not PQ specific, it is NIST specific -- but I got push back in review on that name and have changed it to please the reviewers already. This isn't a one way decision, since we are still now considering changing the name of the analogous KEM API years later after it's first release -- so I'd rather not flip flop back over this decision too many times. Once were through validation we can comb back over any naming decisions that may require lengthy discussion.
I don't understand how this would be considered unwieldy, the PQDSA API supports this very simply. Demo:
You just set the particular algorithm parameter set using Your proposal for I don't foresee a single API being a problem, no matter how many parameter sets SLH-DSA has, we don't have to support them all. We'd likely choose a sane sub-set for our particular application. This is exactly how we plan to support more KEMs in the KEM API should we ever plan to add more. A change here suggests that this is a larger decision that would include the KEM API naming conventions. This is all documented in the PR were we added the PQDSA API #1963. I'll be adding a demo readme once functionality is complete. I could see an argument for replacing all mentions of
Why are you talking about hash NIDs here? Are you talking about pre-hash modes here? This has nothing to do with signing yet still, we're talking about EVP PKEY stuff. The pre-hash NIDs come in through the signing context.
No plans to implement XMSS, stateful signatures are a different use-case to the general-purpose signature schemes we are discussing here. No need to consider its support. |
It looks like the same issue we saw in #1332 is happening in this PR too. Perhaps the removal of the flag within
|
If there's pre-existing consensus on this naming convention, then please disregard my concern. I don't want to reconsider a decision that's already been made. My goal here is to make sure we've discussed alternative interfaces because by removing this flag, as in doing so we're committing to a public API that will require breaking changes to modify.
I wasn't specific enough here. Agreed that the current interface is easy for the caller to use. I meant that it would be "unwieldy" for us to add so many NIDs (one for each of 12 parameter sets) when the hash NID could be specified independently in And of course, adding a few extra NIDs is not a significant cost.
Not suggesting we move forward with this, but here's a sketch of the interface I was thinking of:
Caller would specify which ML-DSA security level they want via I agree that a single API with per-algorithm, per-parameter-set NIDs is preferable.
I don't mean to suggest that you're advocating for this, but IMO we should avoid future renames at ~all costs. They're expensive in places where we have downstream telemetry (internal consumers), and very very difficult to do safely where we don't have downstream telemetry (external consumers). I'm convinced that the current interface is the right one, and likely won't require future revisions. |
include/openssl/pem.h
Outdated
#define PEM_STRING_DILITHIUM3 "DILITHIUM3 PRIVATE KEY" | ||
#define PEM_STRING_DILITHIUM3_PUBLIC "DILITHIUM3 PUBLIC KEY" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we remove these? they're not used anywhere.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed in 3c9fde8
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The change looks good, but you'll need to fix the FIPS delaactor issue for ubuntu2204_gcc11x_aarch_fips.
// and zero on error. This API is marked as EXPERIMENTAL (using the deprecated | ||
// warning) to indicate that this API may change as the standards around the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Functions not actually marked as experimental/deprecated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the right mechanism for this? OPENSSL_DEPRECATED
? Or should we create a similar macro OPENSSL_EXPERIMENTAL
(out of scope of this PR)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Andrew and I considered the use of an alias OPENSSL_EXPERIMENTAL that is set to indicate these are experimental, but without a plan in mind on when and how we plan to remove such a flag, I worry that we are just swapping one flag out for a form of another. Is there something from preventing us from reaching a stable API? The ML-KEM experimental functions don't use such a flag for example, and are placed in a different header file.
Issues:
It's time. (also we need to do this to add ML-DSA to the FIPS module)
Description of changes:
enable_dilithium
flagCall-outs:
Removing the flag has little consequence -- other than it makes the APIs we expose in
include/openssl/evp.h
that much more "final". We should consider how much we like them before we commit to them. We made a point to refer to asymmetric keypairs as public and private keys, rather than public and secret keys. However, we haven't always been consistant with this, so there is a mix of both in the library. Users will find the consistency betweenEVP_PKEY_pqdsa_new_raw_secret_key
andEVP_PKEY_kem_new_raw_secret_key
more satisfying.However, after internal discussions, we'd also like to change the name of
EVP_PKEY_kem_new_raw_public_key
andEVP_PKEY_kem_new_raw_secret_key
toEVP_PKEY_kem_new_raw_encapsulation_key
andEVP_PKEY_kem_new_raw_decapsulation_key
to match the names within FIPS 203. Thus, we should stick withsecret
.We did consider the use of an experimental flag (by using the OPENSSL_DEPRECATED alias), but, this seems a little over the top. If there are any discrepancy with the API down the line, we will make a change as we are proposing with the
kem
APIs above. Alternatively, we could place the EVP APIs ininclude/openssl/experimental/
. The arguments ofEVP_PKEY_pqdsa_new_raw_secret_key
,EVP_PKEY_pqdsa_new_raw_public_key
, andEVP_PKEY_CTX_pqdsa_set_params
are stable and consistant withKEM
andEC
variants (see EVP_PKEY_CTX_kem_set_params, EVP_PKEY_CTX_set_dh_paramgen_prime_len, and EVP_PKEY_CTX_set_ec_param_enc, EVP_PKEY_new_raw_private_key, EVP_PKEY_new_raw_public_key, EVP_PKEY_kem_new_raw_public_key).Testing:
To celebrate the removal of this flag, enjoy this haiku:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.