Add support for CFRG Hybrid KEMs (#455)

* Add support for ML-KEM

* clang-format

* Add testing of ML-KEM

* Specuatively enable OQS for OpenSSL 3 and BoringSSL

* Update build configuration to work for OpenSSL 3 and BoringSSL

* Add implementations using OpenSSL3 and BoringSSL

* Remove BoringSSL support because of missing SHAKE256

* clang-format

* CI fixes

* Test against the HPKE PQ test vectors

* Pass test vectors

* clang-format

* Change config order to avoid imposing flags on libOQS

* Use liboqs from environment instead of vendored version

* Use vcpkg for libOQS

* Revert hack changes

* Build interop tests with OpenSSL 3

* More hybrid KEM implementation

* Add SHA3_256

* Factor out SHAKE256

* More hybrid KEM implementation

* Add support for hybrid KEMs

* Add PQ test vectors

* clang-format

* Get rid of strlen

* Add a flag to disable PQ and use it consistently

* clang-format

* Add missing comma

* Fix CI issue

* More integer conversions

Author: bifurcation

CMakeLists.txt

@@ -11,6 +11,7 @@ option(SANITIZERS "Enable sanitizers" OFF)
 option(MLS_NAMESPACE_SUFFIX "Namespace Suffix for CXX and CMake Export")
 option(DISABLE_GREASE "Disables the inclusion of MLS protocol recommended GREASE values" OFF)
 option(REQUIRE_BORINGSSL "Require BoringSSL instead of OpenSSL" OFF)
+option(DISABLE_PQ "Disables support for PQ algorithms even when they would otherwise be enabled" OFF)
 
 if(MLS_NAMESPACE_SUFFIX)
     set(MLS_CXX_NAMESPACE "mls_${MLS_NAMESPACE_SUFFIX}" CACHE STRING "Top-level Namespace for CXX")

Makefile

@@ -46,6 +46,13 @@ devB: ${TOOLCHAIN_FILE}
 		-DVCPKG_MANIFEST_DIR=${BORINGSSL_MANIFEST} \
 		-DCMAKE_TOOLCHAIN_FILE=${TOOLCHAIN_FILE}
 
+# Like `dev`, but using OpenSSL 3 with PQ disabled
+dev-no-pq:
+	cmake -B${BUILD_DIR} -DTESTING=ON -DCMAKE_BUILD_TYPE=Debug \
+		-DDISABLE_PQ=ON \
+		-DVCPKG_MANIFEST_DIR=${OPENSSL3_MANIFEST} \
+		-DCMAKE_TOOLCHAIN_FILE=${TOOLCHAIN_FILE}
+
 test: ${BUILD_DIR} test/*
 	cmake --build ${BUILD_DIR} --target mlspp_test
 

lib/hpke/CMakeLists.txt

@@ -42,10 +42,19 @@ if ( OPENSSL_FOUND )
 
     elseif (REQUIRE_BORINGSSL)
       message(FATAL_ERROR "BoringSSL required but not found")
+    elseif (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3.5)
+      target_compile_definitions(${CURRENT_LIB_NAME} PUBLIC WITH_OPENSSL3)
+
+      if(NOT DISABLE_PQ)
+        target_compile_definitions(${CURRENT_LIB_NAME} PUBLIC WITH_PQ)
+      endif()
     elseif (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 3)
       target_compile_definitions(${CURRENT_LIB_NAME} PUBLIC WITH_OPENSSL3)
     elseif (${OPENSSL_VERSION} VERSION_GREATER_EQUAL 1.1.1)
-      set(USING_LIBOQS ON)
+      if(NOT DISABLE_PQ)
+        set(USING_LIBOQS ON)
+        target_compile_definitions(${CURRENT_LIB_NAME} PUBLIC WITH_PQ)
+      endif()
     else()
       message(FATAL_ERROR "OpenSSL 1.1.1 or greater is required")
     endif()

lib/hpke/include/hpke/digest.h

@@ -3,6 +3,7 @@
 #include <memory>
 
 #include <bytes/bytes.h>
+#include <hpke/hpke.h>
 #include <namespace.h>
 
 using namespace MLS_NAMESPACE::bytes_ns;
@@ -16,6 +17,9 @@ struct Digest
     SHA256,
     SHA384,
     SHA512,
+#if !defined(WITH_BORINGSSL)
+    SHA3_256,
+#endif
   };
 
   template<ID id>
@@ -35,4 +39,16 @@ struct Digest
   friend struct HKDF;
 };
 
+#if !defined(WITH_BORINGSSL)
+struct SHAKE256
+{
+  static bytes derive(const bytes& ikm, size_t length);
+  static bytes labeled_derive(KEM::ID kem_id,
+                              const bytes& ikm,
+                              const std::string& label,
+                              const bytes& context,
+                              size_t length);
+};
+#endif
+
 } // namespace MLS_NAMESPACE::hpke

lib/hpke/include/hpke/hpke.h

@@ -19,9 +19,14 @@ struct KEM
     DHKEM_X25519_SHA256 = 0x0020,
 #if !defined(WITH_BORINGSSL)
     DHKEM_X448_SHA512 = 0x0021,
+#endif
+#if defined(WITH_PQ)
     MLKEM512 = 0x0040,
     MLKEM768 = 0x0041,
     MLKEM1024 = 0x0042,
+    MLKEM768_P256 = 0x0050,
+    MLKEM1024_P384 = 0x0051,
+    MLKEM768_X25519 = 0x647a,
 #endif
   };
 
@@ -42,6 +47,7 @@ struct KEM
   };
 
   const ID id;
+  const size_t seed_size;
   const size_t secret_size;
   const size_t enc_size;
   const size_t pk_size;
@@ -71,6 +77,7 @@ struct KEM
 
 protected:
   KEM(ID id_in,
+      size_t seed_size_in,
       size_t secret_size_in,
       size_t enc_size_in,
       size_t pk_size_in,

lib/hpke/scripts/test-vectors-pq.json

@@ -76,6 +76,7 @@ DHKEM::get<KEM::ID::DHKEM_X448_SHA512>()
 
 DHKEM::DHKEM(KEM::ID kem_id_in, const Group& group_in, const KDF& kdf_in)
   : KEM(kem_id_in,
+        group_in.seed_size,
         kdf_in.hash_size,
         group_in.pk_size,
         group_in.pk_size,

lib/hpke/src/dhkem.cpp

@@ -7,6 +7,7 @@
 #include <openssl/core_names.h>
 #endif
 
+#include "common.h"
 #include "openssl_common.h"
 
 namespace MLS_NAMESPACE::hpke {
@@ -24,6 +25,11 @@ openssl_digest_type(Digest::ID digest)
     case Digest::ID::SHA512:
       return EVP_sha512();
 
+#if !defined(WITH_BORINGSSL)
+    case Digest::ID::SHA3_256:
+      return EVP_sha3_256();
+#endif
+
     default:
       throw std::runtime_error("Unsupported ciphersuite");
   }
@@ -43,6 +49,9 @@ openssl_digest_name(Digest::ID digest)
     case Digest::ID::SHA512:
       return OSSL_DIGEST_NAME_SHA2_512;
 
+    case Digest::ID::SHA3_256:
+      return OSSL_DIGEST_NAME_SHA3_256;
+
     default:
       throw std::runtime_error("Unsupported digest algorithm");
   }
@@ -73,6 +82,16 @@ Digest::get<Digest::ID::SHA512>()
   return instance;
 }
 
+#if !defined(WITH_BORINGSSL)
+template<>
+const Digest&
+Digest::get<Digest::ID::SHA3_256>()
+{
+  static const Digest instance(Digest::ID::SHA3_256);
+  return instance;
+}
+#endif
+
 Digest::Digest(Digest::ID id_in)
   : id(id_in)
   , hash_size(EVP_MD_size(openssl_digest_type(id_in)))
@@ -185,4 +204,50 @@ Digest::hmac_for_hkdf_extract(const bytes& key, const bytes& data) const
   return md;
 }
 
+#if !defined(WITH_BORINGSSL)
+bytes
+SHAKE256::derive(const bytes& ikm, size_t length)
+{
+  auto ctx = make_typed_unique(EVP_MD_CTX_new());
+  if (!ctx) {
+    throw openssl_error();
+  }
+
+  if (EVP_DigestInit_ex(ctx.get(), EVP_shake256(), nullptr) != 1) {
+    throw openssl_error();
+  }
+
+  if (EVP_DigestUpdate(ctx.get(), ikm.data(), ikm.size()) != 1) {
+    throw openssl_error();
+  }
+
+  auto out = bytes(length);
+  if (EVP_DigestFinalXOF(ctx.get(), out.data(), out.size()) != 1) {
+    throw openssl_error();
+  }
+
+  return out;
+}
+
+bytes
+SHAKE256::labeled_derive(KEM::ID kem_id,
+                         const bytes& ikm,
+                         const std::string& label,
+                         const bytes& context,
+                         size_t length)
+{
+  const auto hpke_version = from_ascii("HPKE-v1");
+  const auto label_kem = from_ascii("KEM");
+  const auto suite_id = label_kem + i2osp(uint16_t(kem_id), 2);
+  const auto label_bytes = from_ascii(label);
+  const auto label_len = i2osp(uint16_t(label_bytes.size()), 2);
+  const auto length_bytes = i2osp(uint16_t(length), 2);
+
+  return derive(ikm + hpke_version + suite_id + label_len + label_bytes +
+                  length_bytes + context,
+                length);
+}
+
+#endif // !defined(WITH_BORINGSSL)
+
 } // namespace MLS_NAMESPACE::hpke

lib/hpke/src/digest.cpp

@@ -350,6 +350,57 @@ struct ECKeyGroup : public EVPGroup
       }
     }
 
+#if defined(WITH_OPENSSL3)
+    auto key = keypair_evp_key(sk);
+    return std::make_unique<EVPGroup::PrivateKey>(key.release());
+#else
+    auto pt = make_typed_unique(EC_POINT_new(group));
+    EC_POINT_mul(group, pt.get(), sk.get(), nullptr, nullptr, nullptr);
+
+    EC_KEY_set_private_key(eckey.get(), sk.get());
+    EC_KEY_set_public_key(eckey.get(), pt.get());
+
+    auto pkey = to_pkey(eckey.release());
+    return std::make_unique<PrivateKey>(pkey.release());
+#endif
+  }
+
+  std::unique_ptr<Group::PrivateKey> random_scalar(
+    const bytes& seed) const override
+  {
+#if defined(WITH_OPENSSL3)
+    auto* group = EC_GROUP_new_by_curve_name_ex(nullptr, nullptr, curve_nid);
+    auto group_ptr = make_typed_unique(group);
+#else
+    auto eckey = new_ec_key();
+    const auto* group = EC_KEY_get0_group(eckey.get());
+#endif
+
+    auto order = make_typed_unique(BN_new());
+    if (1 != EC_GROUP_get_order(group, order.get(), nullptr)) {
+      throw openssl_error();
+    }
+
+    auto sk = make_typed_unique(BN_new());
+    BN_zero(sk.get());
+
+    auto start = size_t(0);
+    auto end = sk_size;
+    auto candidate = seed.slice(start, end);
+    auto candidate_size = static_cast<int>(candidate.size());
+    sk.reset(BN_bin2bn(candidate.data(), candidate_size, nullptr));
+
+    while (BN_is_zero(sk.get()) != 0 || BN_cmp(sk.get(), order.get()) != -1) {
+      start = end;
+      end = end + sk_size;
+      if (end > seed.size()) {
+        throw std::runtime_error("Rejection sampling failed");
+      }
+
+      candidate = seed.slice(start, end);
+      sk.reset(BN_bin2bn(candidate.data(), candidate_size, nullptr));
+    }
+
 #if defined(WITH_OPENSSL3)
     auto key = keypair_evp_key(sk);
     return std::make_unique<EVPGroup::PrivateKey>(key.release());
@@ -785,6 +836,16 @@ struct RawKeyGroup : public EVPGroup
     return deserialize_private(skm);
   }
 
+  std::unique_ptr<Group::PrivateKey> random_scalar(
+    const bytes& seed) const override
+  {
+    if (seed.size() != sk_size) {
+      throw std::runtime_error("Invalid seed");
+    }
+
+    return deserialize_private(seed);
+  }
+
   bytes serialize(const Group::PublicKey& pk) const override
   {
     const auto& rpk = dynamic_cast<const PublicKey&>(pk);
@@ -952,6 +1013,32 @@ Group::get<Group::ID::Ed448>()
   return instance;
 }
 
+static inline size_t
+group_seed_size(Group::ID group_id)
+{
+  switch (group_id) {
+    case Group::ID::P256:
+      return 128;
+    case Group::ID::P384:
+      return 48;
+    case Group::ID::P521:
+      // XXX(RLB): This may be wrong, but we're never going to use it
+      return 66;
+    case Group::ID::X25519:
+      return 32;
+    case Group::ID::X448:
+      return 56;
+
+    // Non-DH groups
+    case Group::ID::Ed25519:
+    case Group::ID::Ed448:
+      return 0;
+
+    default:
+      throw std::runtime_error("Unknown group");
+  }
+}
+
 static inline size_t
 group_dh_size(Group::ID group_id)
 {
@@ -1066,6 +1153,7 @@ group_jwk_key_type(Group::ID group_id)
 
 Group::Group(ID group_id_in, const KDF& kdf_in)
   : id(group_id_in)
+  , seed_size(group_seed_size(group_id_in))
   , dh_size(group_dh_size(group_id_in))
   , pk_size(group_pk_size(group_id_in))
   , sk_size(group_sk_size(group_id_in))

lib/hpke/src/group.cpp

@@ -41,6 +41,7 @@ struct Group
   virtual ~Group() = default;
 
   const ID id;
+  const size_t seed_size;
   const size_t dh_size;
   const size_t pk_size;
   const size_t sk_size;
@@ -51,6 +52,8 @@ struct Group
   virtual std::unique_ptr<PrivateKey> derive_key_pair(
     const bytes& suite_id,
     const bytes& ikm) const = 0;
+  virtual std::unique_ptr<PrivateKey> random_scalar(
+    const bytes& seed) const = 0;
 
   virtual bytes serialize(const PublicKey& pk) const = 0;
   virtual std::unique_ptr<PublicKey> deserialize(const bytes& enc) const = 0;