PQ README #1932

Merged
merged 7 commits into from
Oct 23, 2024
Changes from 4 commits
65 changes: 65 additions & 0 deletions crypto/fipsmodule/PQREADME.md
@@ -0,0 +1,65 @@
# Post-Quantum Cryptography in AWS-LC

AWS Cryptography focuses research and engineering efforts on the continuation of providing cryptographic security for our customers, while developing new cryptographic systems that exceed current customers’ demands and protect against projected future adversaries. This document contains notes about the design of the Post-Quantum (PQ) Cryptography provided by AWS-LC, and documentation on our current PQ integrations.

In 2023 the U.S. Government passed the [Quantum Computing Cybersecurity Preparedness Act](https://www.congress.gov/bill/117th-congress/house-bill/7535/text), which creates requirements for government agencies to have a cryptographic inventory and plans to migrate to post-quantum (PQ) cryptography. These requirements extend to information technology providers like AWS. The NSA has also announced the [Commercial National Security Algorithm Suite (CNSA) 2.0](https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF) that provides timelines for Cloud providers wishing to support National Security Systems, with support of PQ by 2025, and exclusively use PQ by 2033.

## Relevant Standards
To support these initiatives, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) published three PQ algorithms as part of the Federal Information Processing Standards (FIPS):

- [FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard](https://csrc.nist.gov/pubs/fips/203/final)
- [FIPS 204: Module-Lattice-Based Digital Signature Standard](https://csrc.nist.gov/pubs/fips/204/final)
- [FIPS 205: Stateless Hash-Based Digital Signature Standard](https://csrc.nist.gov/pubs/fips/205/final)

## AWS-LC Post-Quantum Algorithms

AWS-LC provides the following post-quantum algorithms:

### FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM)

| Algorithm | Public Key (B) | Private Key (B) |Ciphertext(B) |
|--------------------|-------------------|---------------------|-------------------|
| ML-KEM-512 | 800| 1632| 768|
| ML-KEM-768 | 1184| 2400| 1088|
| ML-KEM-1024 | 1568| 3168| 1568|

These three parameter sets were designed to meet security strength categories defined by NIST. These security strength categories are explained further in SP 800-57, Part 1. Concretely, ML-KEM-512 is claimed to be in security category 1, ML-KEM-768 is claimed to be in security category 3, and ML-KEM-1024 is claimed to be in security category 5.

Performance benchmarks for key generation, encapsulation, and decapsulation are included for ML-KEM within the `speed` tool. To run:

```aws-lc-build % ./tool/bssl speed -filter ML-KEM```

#### KyberR3

Round 3 Kyber (KyberR3) was added to AWS-LC in September 2021 ([README](https://github.com/aws/aws-lc/blob/main/crypto/kyber/README.md)). Once all existing deployments of Kyber are migrated over to ML-KEM we will be removing support for Kyber from AWS-LC.

### FIPS 204: Module-Lattice-Based Digital Signature Algorithm (ML-DSA)

| Algorithm | Public Key (B) | Private Key (B) |Signature (B) |
|--------------------|-------------------|---------------------|------------------|
| ML-DSA-44 | 2560| 1312| 2420|
| ML-DSA-65 | 4032| 1952| 3309|
| ML-DSA-87 | 4896| 2592| 4627|

The parameter set ML-DSA-44 is claimed to be in security strength category 2, ML-DSA-65 is claimed to be in category 3, and ML-DSA-87 is claimed to be in category 5.

## AWS-LC Post-Quantum Integrations

### Hybrid Post-Quantum TLS Specifications

To utilize Post-Quantum key exchange in TLS we recommend using our open-source TLS implementation s2n-tls that now supports Hybrid key exchange in TLS 1.3 (draft-ietf-tls-hybrid-design). s2n-TLS also provides support for Post-Quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3 (draft-kwiatkowski-tls-ecdhe-mlkem) with a proposal for new key share identifies for x25519 and ML-KEM-768.


| Supported Group | IANA ID (Hex) | IANA ID (Dec) |
|---------------------------------|--------------------|--------------------|
| x25519_kyber512 | 0x2f39| 12089|
| p256_kyber512 | 0x2f3a| 12090|
| X25519Kyber768Draft00| 0x6399| 25497|
| X25519Kyber768Draft00| 0x639a| 25498|
|SecP256r1MLKEM768 | 0x11eb| 4587|
|X25519MLKEM768 | 0x11ec| 4588|


## AWS Java V2 SDK

PQ TLS is also available in the Java V2 SDK. Support for post-quantum algorithms is provided by AWS-LC when configured to use the AWS Common Runtime (CRT) library for TLS.
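Review bot: the ML-DSA size table has its Public Key and Private Key columns swapped. In the row `| ML-DSA-44 | 2560| 1312| 2420|` and the two rows below it, the first number is the private key size and the second is the public key size: FIPS 204 (linked above under Relevant Standards) specifies a 1312-byte public key and a 2560-byte private key for ML-DSA-44, 1952/4032 for ML-DSA-65 and 2592/4896 for ML-DSA-87, so exchange the two columns rather than the numbers. In the supported-groups table, `X25519Kyber768Draft00` appears twice with different codepoints (0x6399 and 0x639a); the 0x639a row should be labelled as the P-256 variant, SecP256r1Kyber768Draft00, otherwise a reader cannot tell which group 25498 negotiates. Smaller points: "key share identifies" should read "key share identifiers"; the `speed` invocation is wrapped in single-line triple backticks, which renders inline rather than as a code block, so put the opening and closing fences on their own lines; and `## AWS Java V2 SDK` describes an integration like the hybrid-TLS section, so it should be a `###` heading under AWS-LC Post-Quantum Integrations rather than a new top-level section.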