[gnutls-devel] GnuTLS | leancrypto: support leancrypto for post-quantum algorithms (!1925)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Thu Jan 23 09:17:41 CET 2025

Stephan Mueller commented on a discussion on lib/nettle/pk.c: https://gitlab.com/gnutls/gnutls/-/merge_requests/1925#note_2311275629

 >  {
 > -	mpz_t p;
 >  	int ret;
 > +	enum lc_kyber_type type;
 > +	struct lc_kyber_sk sk;
 > +	struct lc_kyber_pk pk;
 > +	gnutls_datum_t tmp_raw_priv = { NULL, 0 };
 > +	gnutls_datum_t tmp_raw_pub = { NULL, 0 };
 > +	uint8_t *ptr;
 > +	size_t len;
 > +
 > +	type = ml_kem_pk_to_lc_kyber_type(algo);
 > +	if (type == LC_KYBER_UNKNOWN)
 > +		return gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
 > +
 > +	ret = lc_kyber_keypair(&pk, &sk, lc_seeded_rng, type);
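Review bot: the `lc_kyber_keypair(&pk, &sk, lc_seeded_rng, type)` call hands key generation to leancrypto's own DRBG rather than the GnuTLS RNG, so the module ends up with two seeded RNGs and two seed sources; either pass a GnuTLS-backed RNG context here, or redirect `lc_seeded_rng` once at initialisation with `lc_rng_set_seeded`, which also covers the library-internal ML-KEM encapsulation that no per-call RNG argument reaches. Also, `struct lc_kyber_sk sk` is a stack object holding private key material: `ret` must be checked before `pk`/`sk` are used, and `sk` must be wiped on every exit path after this point; the hunk ends at the call, so that handling is not visible here.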

The lc_seeded_rng provides a fully seeded RNG. My remarks were about the following considerations: If you use the already provided lc_seeded_rng, your overall implementation now uses two distinct RNG implementations with two distinct seeding operations and possibly different seed sources.

All I was suggesting was a means to make sure that your GnuTLS RNG, where you manage the state/seed sources according to your rules, is used throughout the leancrypto code as well.

Thus, from a crypto point of view, there should be no issue with using lc_seeded_rng out of the box. But from a formal point of view (and perhaps the FIPS 140 viewpoint), you may only want to have one RNG and one seed source assessment instead of two.

That said, your boilerplate RNG implementation is correct and good, and covers the suggestion above. But it does NOT cover one important aspect: https://github.com/smuellerDD/leancrypto/blob/master/ml-kem/src/kyber_kem_api_c.c#L43 shows that internal to the leancrypto library the lc_seeded_rng is used for ML-KEM enc. As this RNG is used to generate the shared secret key, it is a key RNG that is in scope for, say, FIPS as well as for the consideration above. Initially this RNG instance was controllable by the caller, but my FIPS colleagues made me hide it. Thus, to cover the discussion above for this very call, you need to replace the lc_seeded_rng callback using lc_rng_set_seeded. lc_seeded_rng is a pointer and is changed with the lc_rng_set_seeded call to your implementation.
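The situation in the reply, as an added mock example that is neither leancrypto's nor GnuTLS's code: a library keeps a pre-seeded RNG behind a global pointer (the role lc_seeded_rng plays), its internal encapsulation draws from that pointer with no RNG argument, and the caller's RNG is only consulted once the pointer is redirected through a setter in the role of lc_rng_set_seeded. The `rng_ops` layout, the counters and the constant byte output are assumptions of the mock, not the real lc_rng_ctx API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mock RNG interface; leancrypto's real lc_rng_ctx differs (assumption). */
struct rng_ops {
	int (*generate)(void *state, uint8_t *out, size_t len);
	void *state;
};

/* Library side: a private, pre-seeded RNG behind a global pointer, the
 * role lc_seeded_rng plays in the reply. Output is constant (mock only). */
static unsigned lib_rng_calls;
static int lib_rng_generate(void *st, uint8_t *out, size_t len)
{
	(void)st; lib_rng_calls++; memset(out, 0xA5, len); return 0;
}
static struct rng_ops lib_internal_rng = { lib_rng_generate, NULL };
static struct rng_ops *lib_seeded_rng = &lib_internal_rng;

/* Stand-in for lc_rng_set_seeded(): swap the global pointer. */
void lib_rng_set_seeded(struct rng_ops *rng) { lib_seeded_rng = rng; }

/* Stand-in for the internal ML-KEM encapsulation: the shared-secret seed
 * is drawn from the global pointer; no rng argument reaches the caller. */
int lib_kem_enc(uint8_t *ss, size_t len)
{
	return lib_seeded_rng->generate(lib_seeded_rng->state, ss, len);
}

/* Caller side (GnuTLS-like): the application's own RNG, instrumented. */
static unsigned app_rng_calls;
static int app_rng_generate(void *st, uint8_t *out, size_t len)
{
	(void)st; app_rng_calls++; memset(out, 0x5A, len); return 0;
}
static struct rng_ops app_rng = { app_rng_generate, NULL };

/* Run two encapsulations and report how many drew from the library's own
 * RNG. Without the redirect the application RNG is never consulted. */
unsigned enc_calls_on_library_rng(int redirect)
{
	uint8_t ss[32];
	lib_rng_calls = app_rng_calls = 0;
	lib_rng_set_seeded(redirect ? &app_rng : &lib_internal_rng);
	lib_kem_enc(ss, sizeof ss);
	lib_kem_enc(ss, sizeof ss);
	return lib_rng_calls;
}
unsigned enc_calls_on_app_rng(void) { return app_rng_calls; }
```

The point for a FIPS-style assessment is the second case: passing an application RNG only to the keypair call leaves every internal encapsulation on the library RNG until the global pointer is replaced.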
