Page MenuHome GnuPG

Members

  • This project does not have any members.
  • View All

Watchers

  • This project does not have any watchers.
  • View All

Details

Description

Things which are PQC (Post Quantum Cryptography) related.

Recent Activity

Tue, Oct 8

gniibe changed the status of T7316: Curve25519/v5 key cannot be exported, a subtask of T7315: Allow exporting of PQC keys., from Open to Testing.
Tue, Oct 8, 8:38 AM · gnupg26, OpenPGP, PQC, gnupg
gniibe changed the status of T7316: Curve25519/v5 key cannot be exported from Open to Testing.
Tue, Oct 8, 8:38 AM · gnupg26, OpenPGP, PQC, gnupg
gniibe added a comment to T7316: Curve25519/v5 key cannot be exported.

Pushed the fix for exporting OpenPGP v5 key: rG57dce1ee62c2: common,gpg,scd,sm: Fix for Curve25519 OID supporting new and old.

Tue, Oct 8, 8:38 AM · gnupg26, OpenPGP, PQC, gnupg

Thu, Oct 3

gniibe added a comment to T7316: Curve25519/v5 key cannot be exported.

The OID is used for fingerprint computation, which complicates things.

Thu, Oct 3, 7:37 AM · gnupg26, OpenPGP, PQC, gnupg
gniibe claimed T7316: Curve25519/v5 key cannot be exported.
Thu, Oct 3, 2:43 AM · gnupg26, OpenPGP, PQC, gnupg

Wed, Oct 2

werner added a comment to T7316: Curve25519/v5 key cannot be exported.

Using the shorter OID for v5 is on purpose; thus we need to fix the export.

Wed, Oct 2, 8:36 AM · gnupg26, OpenPGP, PQC, gnupg
gniibe triaged T7316: Curve25519/v5 key cannot be exported as Normal priority.
Wed, Oct 2, 7:20 AM · gnupg26, OpenPGP, PQC, gnupg

Tue, Oct 1

werner triaged T7315: Allow exporting of PQC keys. as Normal priority.
Tue, Oct 1, 6:12 PM · gnupg26, OpenPGP, PQC, gnupg

Tue, Sep 17

gniibe changed the status of T7277: libgcrypt: Adding Known Answer Tests for KEM from Open to Testing.

Pushed the change in: rC38742196c04c: cipher:kyber: Add gcry_kem_genkey to support deterministic op.
rC4876a1a45c25: tests:kyber: Add genkey and encap KAT tests.

Tue, Sep 17, 9:39 AM · PQC, libgcrypt

Thu, Sep 12

werner changed the status of T6815: PQC encryption for GnuPG from Open to Testing.

See new subtask T7290 for smartcards and the link entries mentioned above.

Thu, Sep 12, 2:32 PM · gnupg26, OpenPGP, PQC, gnupg
werner changed the status of T6815: PQC encryption for GnuPG, a subtask of T6638: PQC for GnuPG, from Open to Testing.
Thu, Sep 12, 2:32 PM · OpenPGP, PQC, gnupg
werner triaged T7290: Kyber+ECC with smartcards as Normal priority.
Thu, Sep 12, 2:31 PM · gnupg26, OpenPGP, PQC, gnupg

Sep 6 2024

gniibe added a project to T7277: libgcrypt: Adding Known Answer Tests for KEM: PQC.
Sep 6 2024, 8:50 AM · PQC, libgcrypt

Jul 11 2024

fse added a comment to T6637: PQC for Libgcrypt.

We hereby deliver with some delay our completed version of the integration of PQC algorithms into Libgcrypt from our project. The code features the following algorithms:

Jul 11 2024, 12:26 PM · PQC, libgcrypt

Jun 19 2024

werner closed T6755: libgcrypt: KEM API as Resolved.
Jun 19 2024, 12:08 PM · PQC, libgcrypt
werner closed T6755: libgcrypt: KEM API, a subtask of T6637: PQC for Libgcrypt, as Resolved.
Jun 19 2024, 12:08 PM · PQC, libgcrypt

Apr 24 2024

werner moved T6815: PQC encryption for GnuPG from Backlog to QA on the gnupg26 board.
Apr 24 2024, 10:04 AM · gnupg26, OpenPGP, PQC, gnupg
werner added a project to T6815: PQC encryption for GnuPG: gnupg26.
Apr 24 2024, 10:02 AM · gnupg26, OpenPGP, PQC, gnupg
werner added a comment to T6815: PQC encryption for GnuPG.

Most things are done. Missing stuff

Apr 24 2024, 10:01 AM · gnupg26, OpenPGP, PQC, gnupg

Apr 23 2024

werner added a comment to T6815: PQC encryption for GnuPG.

Alright: We have support for all our combined algos ky{768,1024}_bp{256,384,512}and ky{768,1024}_cv{25519,448} as well as test keys and encrypted test messages.

Apr 23 2024, 5:47 PM · gnupg26, OpenPGP, PQC, gnupg

Apr 15 2024

werner added a comment to T6815: PQC encryption for GnuPG.

Here comes a new test key along with its 3 secret parts (one for the primary and two for the composite Kyber subkey).

Apr 15 2024, 5:42 PM · gnupg26, OpenPGP, PQC, gnupg
gniibe changed the status of T7014: agent: Enhancement of PKDECRYPT for KEM interface, a subtask of T6815: PQC encryption for GnuPG, from Open to Testing.
Apr 15 2024, 3:19 AM · gnupg26, OpenPGP, PQC, gnupg

Apr 11 2024

werner added a comment to T6815: PQC encryption for GnuPG.

Wit the test keys posted in T7014 it is now possible to decrypt the sample data. The test data has been slightly adjusted for the new format; see

for a hex dump and for the binary version.

Apr 11 2024, 4:00 PM · gnupg26, OpenPGP, PQC, gnupg

Feb 26 2024

werner added a subtask for T6815: PQC encryption for GnuPG: T7014: agent: Enhancement of PKDECRYPT for KEM interface.
Feb 26 2024, 10:41 AM · gnupg26, OpenPGP, PQC, gnupg

Feb 22 2024

werner added a comment to T6755: libgcrypt: KEM API.

A way to generated keys in the usual s-expression way has been added. This allows us to get the keygrip for the key.

Feb 22 2024, 4:33 PM · PQC, libgcrypt

Feb 21 2024

werner added a comment to T6637: PQC for Libgcrypt.

FWIW, I posted some ideas at https://lists.gnupg.org/pipermail/librepgp-discuss/2024/000043.html . For official use in Germany we will very likely also add Brainpool curves as a replacement for the IETF curves.

Feb 21 2024, 2:52 PM · PQC, libgcrypt

Feb 15 2024

werner added a comment to T6755: libgcrypt: KEM API.

Although, we don't use our usual s-expressions we need to add a way to derive a keygrip from Kyber et al and also to wrap the key into an s-expression to that it can be stored by gpg-agent in its usual files. An exported new API to get the keygrip of a KEM key would be good to avoid encapsulation but for other purposes an encapsulation is still required.

Feb 15 2024, 6:00 PM · PQC, libgcrypt

Jan 17 2024

werner added a comment to T6637: PQC for Libgcrypt.

Regading Kyber in GnuPG, there are a couple of open questions. For example whether the implicit lengths used for the key parameters match well with the overall protocol structure. Thus, as soon as we have finished the Libgcrypt part we will address this and implement it in some way. Before we do this we have to do a couple of changes to GnuPG required for FIPS compliance.

Jan 17 2024, 4:17 PM · PQC, libgcrypt
fse added a comment to T6637: PQC for Libgcrypt.

I just saw that Niibe is already working on the integration of the ML-KEM code into the master branch of libgcrypt. Apparently, this is an entirely new code base. Currently we are working on the integration of our ML-KEM implementation in libgcrypt into GnuPG. But based on what I see now it seems that apparently another approach is planned and already underway for libgcrypt and probably later also for GnuPG. It would be helpful if you could give us a pointer what your exact plans are, this makes it easier for us to direct our efforts in the optimal way.

Jan 17 2024, 2:24 PM · PQC, libgcrypt

Nov 28 2023

fse added a comment to T6637: PQC for Libgcrypt.

And another question: in the GnuPG code on the master branch I saw that algorithm identifiers for ML-KEM with Ed25519 and Ed448 are already defined in the code base. Do I understand correctly that the maintainers prefer the inclusion of these two algorithms and not necessarily the inclusion of the ones based on ML-KEM with ECDH using NIST or Brainpool curves?

Nov 28 2023, 1:21 PM · PQC, libgcrypt

Nov 27 2023

fse added a comment to T6637: PQC for Libgcrypt.

We have addressed all comments regarding ML-KEM (Kyber) and KMAC. Currently I am working on the GnuPG integration of the the ML-KEM composites. For that purpose I will need a branch of libgcrypt with both ML-KEM and KMAC. I am not sure if you are considering to integrate the ML-KEM version already now before the final NIST standards are release. Some libraries do it, for instance Botan. Appropriate naming of the algorithms can ensure that there arises no confusion which version of the algorithm one is using.

Nov 27 2023, 4:30 PM · PQC, libgcrypt

Nov 13 2023

werner triaged T6815: PQC encryption for GnuPG as Normal priority.
Nov 13 2023, 4:06 PM · gnupg26, OpenPGP, PQC, gnupg

Oct 31 2023

gniibe added a comment to T6637: PQC for Libgcrypt.

In master, when fixing padding issue, libgcrypt/src/const-time.h is just introduced.
I will replace your functions.

Oct 31 2023, 7:41 AM · PQC, libgcrypt

Oct 24 2023

fse added a comment to T6637: PQC for Libgcrypt.

Yes, int8_t/int16_t/int32_t/uint8_t/uint16_t/uint32_t should not be used. There is size-specific integer types defined in src/types.h which can be used instead (byte/u16/u32). This header does not yet have signed integer types, but those can be added (for example, s8/s16/s32).

Oct 24 2023, 1:34 PM · PQC, libgcrypt

Oct 23 2023

aheinecke added a comment to T6637: PQC for Libgcrypt.
In T6637#176910, @fse wrote:

OK, fine, however, in order to be able keep an overview of our tasks I would still keep track of them in our GitHub, where I can create a sub-issue from the list of tasks with one click. But we will post our comments and results here as well as far relevant for the purpose of documentation. I think most of the points Jussi raised are more or less clear to me anyway.

Oct 23 2023, 7:23 PM · PQC, libgcrypt
jukivili added a comment to T6637: PQC for Libgcrypt.

Yes, int8_t/int16_t/int32_t/uint8_t/uint16_t/uint32_t should not be used. There is size-specific integer types defined in src/types.h which can be used instead (byte/u16/u32). This header does not yet have signed integer types, but those can be added (for example, s8/s16/s32).

Oct 23 2023, 7:00 PM · PQC, libgcrypt

Oct 18 2023

fse added a comment to T6637: PQC for Libgcrypt.

@jukivilli I have addressed a number of your comments now. You find my comments inline.

Oct 18 2023, 1:33 PM · PQC, libgcrypt

Oct 16 2023

fse added a comment to T6755: libgcrypt: KEM API.

Yes, apparently I confused uint8_t and unsigned char here because the former appears in Simon's comments. We also kept to the use of unsigned char* in our implementations (that is even part of the GNU coding guidelines if I remember correctly).

Oct 16 2023, 1:43 PM · PQC, libgcrypt
werner added a comment to T6755: libgcrypt: KEM API.

Actually we never use uint8_t* because that is c99 and very uncommon except for some MCU projects. Instead we use unsigned char *. The use of void* is often used because this allows to pass arbitrary types to a function without requiring ugly and error-prone casting at the caller site.

Oct 16 2023, 1:14 PM · PQC, libgcrypt
werner added a comment to T6637: PQC for Libgcrypt.

You don't need a library but just one object file.

Oct 16 2023, 12:57 PM · PQC, libgcrypt
fse added a comment to T6637: PQC for Libgcrypt.

OK, fine, however, in order to be able keep an overview of our tasks I would still keep track of them in our GitHub, where I can create a sub-issue from the list of tasks with one click. But we will post our comments and results here as well as far relevant for the purpose of documentation. I think most of the points Jussi raised are more or less clear to me anyway.

Oct 16 2023, 12:07 PM · PQC, libgcrypt
fse added a comment to T6755: libgcrypt: KEM API.

With respect to the function signatures, I see the following issues with the API you reference via the provided link:

Oct 16 2023, 12:01 PM · PQC, libgcrypt
werner added a comment to T6637: PQC for Libgcrypt.

@fse: Github is not an option here. We don't use it and thus everything relevant to Libgcrypt needs to be documented here and not at some external platform.

Oct 16 2023, 11:53 AM · PQC, libgcrypt
gniibe added a comment to T6755: libgcrypt: KEM API.

For length information, we can find that Simon's patch (let me call it v1) has length argument:
https://gitlab.com/jas/libgcrypt/-/commit/3af635afca052a9575912b257fe7518a58bfe810

Oct 16 2023, 10:24 AM · PQC, libgcrypt
fse added a comment to T6637: PQC for Libgcrypt.

Hi Jussi,

Oct 16 2023, 8:37 AM · PQC, libgcrypt

Oct 15 2023

jukivili added a comment to T6637: PQC for Libgcrypt.
  • There's many functions that use buffers on stack. Do those contain secrets? Should those buffers be wiped before returning from function (with wipememory())? For example, "mlkem_check_secret_key" has two buffers "shared_secret_1" and "shared_secret_2" which are not wiped.
  • mlkem.c: mlkem_check_secret_key: "memcmp" is used to compare shared secrets. Should this use constant time comparison instead?
  • mlkem-common.c: _gcry_mlkem_mlkem_shake256_rkprf:
    • _gcry_md_hash_buffers_extract can be used here instead of _gcry_md_open&write&extract&close.
  • mlkem-symmetric.c: _gcry_mlkem_shake256_prf:
    • _gcry_md_hash_buffers_extract can be used here instead of _gcry_md_open&write&extract&close. Temporary buffer usage can be avoided by passing input buffers through two IOV to _gcry_md_hash_buffers_extract.
Oct 15 2023, 5:08 PM · PQC, libgcrypt
jukivili added a comment to T6637: PQC for Libgcrypt.

Few comments on the patches.

Oct 15 2023, 4:38 PM · PQC, libgcrypt

Oct 11 2023

fse added a comment to T6755: libgcrypt: KEM API.

Our own internal function signatures is not necessarily a good refernce. The main objection to all what you list above is the lack of explicit length information. For each uint8_t* there should also be a size_t ...len in my opinion. Otherwise the API will be highly prone to memory access errors.

Oct 11 2023, 8:34 AM · PQC, libgcrypt
gniibe added a comment to T6755: libgcrypt: KEM API.

@fse Thank you for your comment (quick ! :-).

Oct 11 2023, 6:47 AM · PQC, libgcrypt

Oct 10 2023

fse added a comment to T6755: libgcrypt: KEM API.

The API that you quote at the end is indeed what is comonly understood as how a KEM functions and is exactly what fits to ML-KEM.

Oct 10 2023, 9:11 AM · PQC, libgcrypt