NIST CAVP validation of liboqs ML-DSA algorithm #1931

Open
stauro79 opened this issue Sep 20, 2024 · 11 comments
Labels
question Further information is requested

Comments

@stauro79

Is there any road-map/plan for liboqs ML-DSA algorithm to be certified using NIST Cryptographic Algorithm Validation Program (CAVP)?

@SWilson4
Member

Thanks for the question, @stauro79. I'm not aware of any plans to do this, though perhaps it's something we could do after the final standard is integrated (in 0.12.0). That said, I imagine we'd want to have a very stable implementation of any algorithm we have certified: perhaps this would be a good criterion for a future 1.0.0 release?

Assuming you're a (possibly potential) consumer of liboqs, is CAVP validation something that you would find valuable and/or essential?

@SWilson4 added the "question" (Further information is requested) label Sep 20, 2024

@stauro79
Author

Thanks @SWilson4. Yes, it is essential, as there is a requirement to use/deploy CAVP validated cryptographic algorithms.

@baentsch
Member

> Yes it is essential as there is a requirement to use/deploy CAVP validated cryptographic algorithms

Well, correct me if I'm wrong, but isn't this but one (of many) ways to ascertain a specific product conforms to the NIST standards (though admittedly the most automated and convenient one)? If so, three thoughts and one question on this:

  1. OQS is not a product. There is discussion to possibly change this but no reliable plan on the horizon. My personal impression is that very much to the contrary, the project has been constantly reducing its features/functions to offset the procedural overhead added by LinuxFoundation/PQCA.
  2. OQS currently uses NIST KATs to achieve the same functionality. If you have a requirement to pass CAVP then by all means, please contribute the required client logic/scripting so the whole community can benefit. Otherwise this is now added to the "Roadmap" backlog issues by way of the link above.
  3. This arguably should not just apply to ML-DSA but all newly standardized PQ algs.
  4. What is the "cryptographic module" in CAVP parlance that you'd want to use/see CAVP validated? liboqs straight or rather any of its integrations (openssl, openssl, etc.), @stauro79 ?

@dstebila
Member

I believe @ashman-p had been looking at the CAVP test vectors.

@bhess
Member

bhess commented Sep 24, 2024

ML-KEM in liboqs is currently tested against NIST's static ACVP vectors. Planning to do the same for the ML-DSA integration. AFAIK the same type of tests are performed during a certification.

@baentsch
Member

> ML-KEM in liboqs is currently tested against NIST's static ACVP vectors. Planning to do the same for the ML-DSA integration. AFAIK the same type of tests are performed during a certification.

Great! Thanks for reminding (at least me). And the reason we're not landing #1919 is because we're waiting on APIs to become available enabling this test, right? Just for my personal curiosity now: There's no such additional API needed for MLKEM? And to the rest of the team: What are our plans wrt SLH-DSA in this regard? Worthwhile adding to #1894?

@stauro79
Author

> • This arguably should not just apply to ML-DSA but all newly standardized PQ algs.
> • What is the "cryptographic module" in CAVP parlance that you'd want to use/see CAVP validated? liboqs straight or rather any of its integrations (openssl, openssl, etc.), @stauro79 ?

Thanks @baentsch. Yes, validation would apply to all the PQC algs defined in the new NIST standard. I am using liboqs through the OpenSSL OQS Provider module.

@bhess
Member

bhess commented Sep 24, 2024

> And the reason we're not landing #1919 is because we're waiting on APIs to become available enabling this test, right? Just for my personal curiosity now: There's no such additional API needed for MLKEM?

Yes to both. Plus to incorporate the tests against the external API that NIST announced for around October.

@baentsch
Member

Thanks @bhess for the confirmation(s).

@stauro79 this comment lets me wonder though:

> I am using liboqs through OpenSSL OQS Provider module.

Wouldn't you then need to have "certification" applied at that module level instead as it also/further "twiddles around" with the algorithms (not the core logic, though)? Or even better, at OpenSSL level itself (further "twiddling" there :)?

@stauro79
Author

OpenSSL has released the OpenSSL FIPS Provider (crypto module), which is certified by NIST. https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282

In the case of liboqs and oqs provider, I am not sure how certification should work. liboqs is a crypto library and oqs provider just consumes the liboqs crypto implementation.

@baentsch
Member

> In the case of liboqs and oqs provider, I am not sure how certification should work. liboqs is a crypto library and oqs provider just consumes the liboqs crypto implementation.

Personally, I do not think there is the slightest chance this software combination can ever get FIPS certified. I think the best chance for that is getting ML-DSA integrated directly into OpenSSL (and there, with all required prerequisites (that are unknown to me) into the FIPS provider).

Projects
Status: Todo