TLS 1.3 client and server both performing crypto_kem_keypair() #234
Replies: 4 comments 7 replies
-
That is weird, I agree that it shouldn't be necessary. We'll have to ask @baentsch who wrote the oqs-provider code. Michael, I wonder if it has something to do with https://github.com/open-quantum-safe/oqs-provider/blob/main/oqsprov/oqs_kem.c#L193 which appears to me to be doing a keygen inside the encaps? |
Beta Was this translation helpful? Give feedback.
-
That indeed seems "surprising". Two thoughts, though: a) This code is only run when doing hybrid KEMs; b) @bhess added this code and may explain the rationale of doing a keygen so late in the game. I personally think this has nothing to do with the observation:
I am aware of OpenSSL creating copies of data structures and as part of this a "surprising" keygen op may be performed (and/or @rubiogarcia465179 You may want to build |
Beta Was this translation helpful? Give feedback.
-
Right, this code only runs when doing a hybrid KEM (actually an ECDH+QS-KEM as specified in draft-ietf-tls-hybrid-design). In this case, the hybrid "encaps" returns the ephemeral key share of ECDH (i.e. ECDH does a keygen), concatenated with the ciphertext of the QS-KEM. See also 3.2 in https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/06/.
I agree there should not be an additional keygen on the server side in a non-hybrid case. |
Beta Was this translation helpful? Give feedback.
-
No. But I find it incorrect by the (openssl) server (code) to initiate the keygen in the first place. This should be completely OQS-independent, right? So can you reproduce this behaviour with a classic KEM? If so, what about opening a ticket with this in openssl? |
Beta Was this translation helpful? Give feedback.
-
Hey everyone,
I've been working with the latest OQS library, specifically with OpenSSL (3.2 -dev) + liboqs (0.8.1-dev) + oqs-provider (0.5.1-dev). For my current testing scenario, I am implementing a non-hybrid PQ-based scenario (Dilithium3 + Kyber768). I expected the behavior for PQ TLS 1.3 to be something like the following (simplified) in terms of generating a shared secret (ss):
TLS Client: Generate keypair (pk, sk) -> Send pk to server
TLS Server: Encapsulate (ct, ss, pk) -> Generate ss and send corresponding ct to client
TLS Client: Decapsulate (ss, ct, sk) -> Use ct and pk to generate ss.
In this way, both client and server ** can achieve the same shared secret (ss)**.
However, I noticed an additional keypair generation call done by the TLS Server in the logs. This happens on the server side sometime after the Client Hello is processed and before sending back the Server Hello. For testing purposes, I modified the Kyber768 crypto_kem_keypair() function and added some debug logs (Function attached below).
Is this an intended behavior? Why might the server generate another keypair and what would that keypair be used for? Can anyone point me to documentation or discussions that detail the flow of a standard PQ TLS session, especially with configurations like Dilithium3 + Kyber768?
Thanks for the insights!!
Find below the modified crypto_kem_keypair:
int crypto_kem_keypair(uint8_t *pk,
uint8_t *sk)
{
indcpa_keypair(pk, sk);
printf("\nEntering the crypto kem keypair function within pqcrystals-kyber_kyber768_avx2\n");
//print_stack_trace();
memcpy(sk+KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_INDCPA_PUBLICKEYBYTES);
hash_h(sk+KYBER_SECRETKEYBYTES-2KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
/ Value z for pseudo-random output on reject */
randombytes(sk+KYBER_SECRETKEYBYTES-KYBER_SYMBYTES, KYBER_SYMBYTES);
return 0;
}
Short_logs_PQ_TLS13_client.txt
Short_logs_PQ_TLS13_server.txt
Beta Was this translation helpful? Give feedback.
All reactions