Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Intent with respect to liboqs-rust? #2

Closed
jac-cbi opened this issue Oct 12, 2024 · 2 comments
Closed

Intent with respect to liboqs-rust? #2

jac-cbi opened this issue Oct 12, 2024 · 2 comments

Comments

@jac-cbi
Copy link

jac-cbi commented Oct 12, 2024

Hi! Thanks for opening up issues on this repo, much appreciated.

As I mentioned in my issue for liboqs-rust 269, I'm in the early stages of writing a rust library which requires both ML-KEM (FIPS), and Kyber (non-fips). I've started with safe-oqs for two simple reasons: 1) it has a more recent liboqs which contains ML-KEM, and 2) it's published on crates.io.

afaict, there are only two differences between safe-oqs and liboqs-rust.

  1. newer version of liboqs, which includes ML-KEM, ML-DSA

  2. Exposes both to Rust users.

The rest of the diff is just renaming the library.

In the big picture, openssl has incorporated liboqs into their repo, and so there is yet another path for end users, particularly FIPS users to use PQ crypto from Rust.

Which leads to my main question: What is the purpose of safe-oqs? It provides no extra "safety" over its upstream code. Did attempts to upstream changes for ML-KEM and ML-DSA to liboqs-rust fail?

@joernheinemann
Copy link
Member

Hello @jac-cbi

The current version of liboqs is not secure anymore. There was a timing attack against kyber where you could get the secret key. This is fixed in this version of oqs that im using (version 0.10.1 of the c impl: https://github.com/Open-Quantum-Safe/liboqs/tree/5dd87dcaafa6f90e983ef464f9f6a75f9485fb26)

@jac-cbi
Copy link
Author

jac-cbi commented Oct 16, 2024

Ok, I see that now. I just did a diff between the two repos and that didn't show the diff of liboqs. I assumed the liboqs bump was just to pull in ML-KEM / ML-DSA. My bad.

@jac-cbi jac-cbi closed this as completed Oct 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants