Closed Bug 1775046 Opened 3 years ago Closed 1 year ago

KEM API in NSS

Categories

(NSS :: Libraries, enhancement, P3)

enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: goutam.tamvada, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 2 obsolete files)

It seems worthwhile to have a KEM API in NSS for two reasons:

  1. The NIST Post-Quantum Cryptography Standardization project has stated it will soon announce its choice of KEMs for standardization [1]; at the same time, there is discussion in the TLS Working Group over how to deploy KEMs in TLS 1.3 for post-quantum confidentiality (see [2] for example).

  2. The HPKE construction uses (authenticated) KEMs as a building block. See also [3].

One way to do so could be using vendor defined interfaces in PKCS#11. I'd be happy to work on this if there is interest.

[1] https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/fvnhyQ25jUg/m/Slr3bPrnBAAJ
[2] https://mailarchive.ietf.org/arch/msg/tls/9U8S7_CtCkceeuzmwOCTjMOrUf4
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1631890#c2

The OASIS PKCS #11 committee is planning on including post-quantum algorithms and would be happy to accept proposals. A couple of weeks ago I pinged the committee about this; the preferred solution would be to add new functions. Pre-PKCS #11 3.0, adding new functions in PKCS #11 was prone to compatibility issues (stomping on vendor-defined functions), so the preferred method of solving these issues is reappropriating existing functions (C_DeriveKey(), for instance, would get a lot of extra work). Given that new functions are less expensive, it makes sense to have new encapsulate/decapsulate functions which follow NIST's KEM APIs.

I'd be happy to review any proposals, as well as submit them to the technical committee.

bob
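To make the keygen/encapsulate/decapsulate split concrete, and to show how a hybrid such as X25519Kyber768Draft00 combines two KEMs by concatenation, here is an added example. It is not NSS, softoken or OASIS code, and it does not implement Kyber or X25519: both components are a Diffie-Hellman KEM over a constructed, deliberately tiny and insecure group (the constants `P`, `G`, `ELEM_LEN` and the labels are assumptions), so only the interface shape, the transcript binding and the combiner are meaningful. The shared secret of the hybrid is the concatenation of the component secrets, classical component first, which is the layout the draft uses.

```python
"""Toy KEM interface (keygen / encaps / decaps) plus a concatenation combiner.

Added example: not NSS or PKCS #11 code. The DH group below is a constructed,
INSECURE stand-in used only so the interface can be exercised offline.
"""
import hashlib
import hmac
import secrets


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


# Constructed toy group (assumption). A 127-bit field is far too small for real
# use; it stands in for X25519 / Kyber768 only to exercise the API shape.
P = 2**127 - 1
G = 3
ELEM_LEN = 16  # bytes needed to encode one group element


class DHKEM:
    """A Diffie-Hellman KEM in the keygen/encaps/decaps shape.

    Note the asymmetry: the encapsulator holds no long-term key. It takes only the
    recipient's public key and returns (ciphertext, shared secret), which is why
    this does not map cleanly onto a symmetric C_DeriveKey() call on both sides.
    """

    def __init__(self, label: bytes):
        self.label = label
        self.pk_len = ELEM_LEN
        self.ct_len = ELEM_LEN

    def keygen(self):
        sk = secrets.randbelow(P - 2) + 1
        pk = pow(G, sk, P).to_bytes(ELEM_LEN, "big")
        return pk, sk

    def _shared(self, dh: int, ct: bytes, pk: bytes) -> bytes:
        # Bind the output to the transcript (ct || pk), as HPKE's DHKEM does.
        return hkdf(b"", dh.to_bytes(ELEM_LEN, "big"), self.label + ct + pk, 32)

    def encaps(self, pk: bytes):
        esk = secrets.randbelow(P - 2) + 1
        ct = pow(G, esk, P).to_bytes(ELEM_LEN, "big")
        dh = pow(int.from_bytes(pk, "big"), esk, P)
        return ct, self._shared(dh, ct, pk)

    def decaps(self, sk: int, ct: bytes) -> bytes:
        pk = pow(G, sk, P).to_bytes(ELEM_LEN, "big")  # recompute own public key
        dh = pow(int.from_bytes(ct, "big"), sk, P)
        return self._shared(dh, ct, pk)


class HybridKEM:
    """Concatenation combiner of the kind X25519Kyber768Draft00 uses:
    pk = pk1 || pk2, ct = ct1 || ct2, ss = ss1 || ss2, split at fixed lengths."""

    def __init__(self, first, second):
        self.first, self.second = first, second

    def keygen(self):
        pk1, sk1 = self.first.keygen()
        pk2, sk2 = self.second.keygen()
        return pk1 + pk2, (sk1, sk2)

    def encaps(self, pk: bytes):
        n = self.first.pk_len
        if len(pk) != n + self.second.pk_len:
            raise ValueError("malformed hybrid public key")
        ct1, ss1 = self.first.encaps(pk[:n])
        ct2, ss2 = self.second.encaps(pk[n:])
        return ct1 + ct2, ss1 + ss2

    def decaps(self, sk, ct: bytes) -> bytes:
        n = self.first.ct_len
        if len(ct) != n + self.second.ct_len:
            raise ValueError("malformed hybrid ciphertext")
        return self.first.decaps(sk[0], ct[:n]) + self.second.decaps(sk[1], ct[n:])


def demo():
    """One hybrid exchange; returns the secret each side ends up with."""
    kem = HybridKEM(DHKEM(b"toy-classical"), DHKEM(b"toy-pq-stand-in"))
    pk, sk = kem.keygen()         # client: key share carries pk
    ct, ss_server = kem.encaps(pk)  # server: key share carries ct
    ss_client = kem.decaps(sk, ct)
    return ss_server, ss_client


if __name__ == "__main__":
    a, b = demo()
    print("secrets match:", a == b, "length:", len(a))
```

The length checks in `HybridKEM` are the part a PKCS #11 implementation would have to own: the combiner must split the peer's share at the exact component boundary and refuse anything else, since a component KEM given a truncated or padded input may silently derive a secret that the other side cannot reproduce.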

Attachment #9303776 - Attachment description: Bug 1775046 - Added a KEM interface and Kyber768 to the PKCS #11 layer. r=jschanck → Bug 1775046 - Added a KEM interface and X25519Kyber768Draft00 to the PKCS #11 layer. r=jschanck

The patch is moving away from what OASIS is proposing from a mechanism perspective.

Attachment #9329130 - Attachment description: Bug 1775046 - Added X25519Kyber768Draft00 to TLS 1.3 on the client side. r=jschanck → Bug 1775046 - Added X25519Kyber768Draft00 to TLS 1.3. r=jschanck,djackson
Attachment #9329130 - Attachment description: Bug 1775046 - Added X25519Kyber768Draft00 to TLS 1.3. r=jschanck,djackson → Bug 1775046 - Added X25519Kyber768Draft00 KEM-based key exchange to TLS 1.3. r=jschanck,djackson
Severity: -- → S4
Priority: -- → P3
Attachment #9295977 - Attachment is obsolete: true
Depends on: 1871152
Attachment #9303776 - Attachment description: Bug 1775046 - Added a KEM interface and X25519Kyber768Draft00 to the PKCS #11 layer. r=jschanck → WIP: Bug 1775046 - add Kyber and a PKCS#11 KEM interface to softoken. r=rrelyea
Attachment #9329130 - Attachment is obsolete: true
Attachment #9303776 - Attachment description: WIP: Bug 1775046 - add Kyber and a PKCS#11 KEM interface to softoken. r=rrelyea → Bug 1775046 - add Kyber and a PKCS#11 KEM interface to softoken. r=rrelyea
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED