Add DeriveKeyPair API #2070

SWilson4 · 2025-02-07T15:09:20Z

Based on the work of @Eddy-M-K in #1877.

Closes #1206.

Does this PR change the input/output behaviour of a cryptographic algorithm (i.e., does it change known answer test values)? (If so, a version bump will be required from x.y.z to x.(y+1).0.)
Does this PR change the list of algorithms available -- either adding, removing, or renaming? Does this PR otherwise change an API? (If so, PRs in fully supported downstream projects dependent on these, i.e., oqs-provider will also need to be ready for review and merge by the time this is merged.)

Signed-off-by: Eddy Kim <Eddy.M.Kim@outlook.com> Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Add pqcrystals-ml_kem_ipd.patch Signed-off-by: Eddy Kim <Eddy.M.Kim@outlook.com> Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Fix encaps key in scheme and revert whitespace changes Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Hopefully corrected patch file Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Corrected missing derand in kem_scheme Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Fix indentation Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Run copy_from_upstream Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> derand testing tentative changes Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Add missing function declarations Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Add template for avx2 derand functions Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Run copy_from_upstream Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> WIP: Add changes for coin length Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Update patch to include coin lengths Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Bootstrap Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Conditional copy Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Run copy_from_upstream Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Separate coins variable into two distinct variables Signed-off-by: Eddy Kim <Eddy.M.Kim@outlook.com> Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Add derand fixes - Add support for BIKE, FrodoKEM, sntrup - Add hooks for testing - Add missing kem comment to documentation - Don't run decaps() in test_kem_derand if encaps_derand() fails - Add markdown documentation changes Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> WIP trying to fix build errors Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Fix remaining build issues Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Resolve unused parameter issues for BIKE Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Resolve unused paramter issues for FrodoKEM Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Fix whitespace inconsistency Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Fix whitepace issue Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Insert unused attributes Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Void all unused parameters Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Use tab instead of spaces in kem_scheme Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Run copy_from_upstream Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Fix kem_derand python tests Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca> Initialize coins in test_kem_derand Signed-off-by: Eddy Kim <e84kim@uwaterloo.ca> Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

bifurcation

Overall, this looks right to me. Couple of minor naming things and questions.

bifurcation · 2025-02-07T21:37:28Z

docs/algorithms/kem/bike.md

-|     BIKE-L1     | NA                    | IND-CPA          |                    1 |                      1541 |                      5223 |                      1573 |                           32 |
-|     BIKE-L3     | NA                    | IND-CPA          |                    3 |                      3083 |                     10105 |                      3115 |                           32 |
-|     BIKE-L5     | NA                    | IND-CPA          |                    5 |                      5122 |                     16494 |                      5154 |                           32 |
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair coins (bytes)   | Encapsulation coins (bytes)   |


Is it necessary to have the encapsulation coins / seed as well? As far as I am aware, only the deterministic keypair generation is used in real applications; deterministic encapsulation is only done for testing.

bifurcation · 2025-02-07T21:39:22Z

docs/algorithms/kem/kyber.md

-|    Kyber1024    | NA                    | IND-CCA2         |                    5 |                      1568 |                      3168 |                      1568 |                           32 |
+|  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Ciphertext size (bytes) |   Shared secret size (bytes) | Keypair coins (bytes)   | Encapsulation coins (bytes)   |
+|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|--------------------------:|-----------------------------:|:------------------------|:------------------------------|
+|    Kyber512     | NA                    | IND-CCA2         |                    1 |                       800 |                      1632 |                       768 |                           32 | NA                      | NA                            |


Shouldn't these be the same as the ML-KEM entries? Though I guess it would make sense to introduce the new API service with ML-KEM as the sole example; clearly we can upgrade other KEMs later.

bifurcation · 2025-02-07T21:41:35Z

scripts/copy_from_upstream/copy_from_upstream.py

@@ -200,6 +200,10 @@ def load_instructions(file='copy_from_upstream.yml'):
                scheme['upstream_location'] = family['upstream_location']
            if (not 'arch_specific_upstream_locations' in scheme) and 'arch_specific_upstream_locations' in family:
                scheme['arch_specific_upstream_locations'] = family['arch_specific_upstream_locations']
+            if (not 'derandomized_keypair' in scheme) and 'derandomized_keypair' in family:


Nit: I would change "derandomized" to "deterministic".

bifurcation · 2025-02-07T21:44:50Z

scripts/copy_from_upstream/src/kem/family/kem_scheme.c

+	(void)public_key;
+	(void)secret_key;
+	(void)coins;
+	return OQS_ERROR;


Just to confirm -- this provides a default always-error implementation if the back-end KEM doesn't supply one, right? And likewise below for encap().

bifurcation · 2025-02-07T21:51:02Z

This PR seems pretty mature. What still needs to be done to merge it?

Eddy-M-K and others added 6 commits February 6, 2025 17:37

Update patch to work with mlkem-native

38106c1

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

Update docs generation and templating

aec9812

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

Run copy_from_upstream [full tests] [extended tests]

38b38dc

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

Don't call randombytes on zero-length arrays

e07eba3

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

Run format script

eee5e13

Signed-off-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

bifurcation approved these changes Feb 7, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add DeriveKeyPair API #2070

Add DeriveKeyPair API #2070

SWilson4 commented Feb 7, 2025

bifurcation left a comment

bifurcation Feb 7, 2025

bifurcation Feb 7, 2025

bifurcation Feb 7, 2025

bifurcation Feb 7, 2025

bifurcation Feb 7, 2025

bifurcation commented Feb 7, 2025

	\| Parameter set \| Parameter set alias \| Security model \| Claimed NIST Level \| Public key size (bytes) \| Secret key size (bytes) \| Ciphertext size (bytes) \| Shared secret size (bytes) \| Keypair coins (bytes) \| Encapsulation coins (bytes) \|
	\| Parameter set \| Parameter set alias \| Security model \| Claimed NIST Level \| Public key size (bytes) \| Secret key size (bytes) \| Ciphertext size (bytes) \| Shared secret size (bytes) \| Keypair seed (bytes) \| Encapsulation seed (bytes) \|

Add DeriveKeyPair API #2070

Are you sure you want to change the base?

Add DeriveKeyPair API #2070

Conversation

SWilson4 commented Feb 7, 2025

bifurcation left a comment

Choose a reason for hiding this comment

bifurcation Feb 7, 2025

Choose a reason for hiding this comment

bifurcation Feb 7, 2025

Choose a reason for hiding this comment

bifurcation Feb 7, 2025

Choose a reason for hiding this comment

bifurcation Feb 7, 2025

Choose a reason for hiding this comment

bifurcation Feb 7, 2025

Choose a reason for hiding this comment

bifurcation commented Feb 7, 2025