-
Notifications
You must be signed in to change notification settings - Fork 102
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tracker for FIPS204 / ML-DSA #568
Conversation
Can we revive this PR to get ML-DSA landed in oqs-provider? @bhess is there anything more you were planning before converting this from a draft PR? |
@feventura @johngray-dev do you have any feedback whether this is heaving as expected in interop with other ML-DSA implementations? |
2feda56
to
6871f3a
Compare
Tests are passing after the merge of open-quantum-safe/liboqs#1919, so the PR is now ready. |
@bhess I look at the changes and I think it does not require any change for the composite. The composite OIDs used in there expect to use ML-DSA not dilithium.
@dstebila I don't think there is interop with this PR and other implementations, but as soon as this is merged and the openquantumsafe/oqs-ossl3 is updated we will see the results of the interop in the Automated Interop Table. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please also update the code points as per #578
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
6871f3a
to
2734831
Compare
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
It would be nice to see the results of these interop tests this before we release liboqs 0.12.0. @feventura If I'm understanding correctly what you wrote here, the tests will run automatically when a new version of |
Good idea and easily doable. But a bit "unfriendly" towards "unsuspecting" users of that image. @feventura : Is there any chance one can tweak the tag pulled for that automatic test? When I made these images available a few years (really?) back, I always tagged them ":ietfxyz" to ensure the right image is used at the IETF xyz hackathon event. Would you know who could change that from ":latest" to maybe also run the automated test on a tag like ":prerelease"? Or even simpler: What'd be needed for us (s part of the release process) to create such a test matrix? |
Not quite @SWilson4, correcting myself, the actions will not run automatically when a new version of Now for the interop with this PR I see three options:
|
Yikes. I still have these rights?!? I'll surely not use them without knowing exactly what I'd need to do -- I simply didn't follow the development on the hackathon github (but assumed @praveksharma does).
Thanks for that explanation . Option 1 is imo too "heavy handed"; option 3 sounds like the fastest short-term approach and option 2 like the best "CI-able" long-term approach. Considering @praveksharma both volunteered doing the release and also participates in the hackathon (right?) may I suggest him taking on implementing option 3 in the release test script, followed by 2 in CI (or just 2 if quick-and-easy) to enhance the quality of the release testing in the long run? |
I created some artifacts using liboqs and ML-DSA and manual testing shows they interop with the other providers in our hackathon project. However, the docker image openquantumsafe/oqs-ossl3 that is used is still failing to verify all artifacts. Is this docker image picking up the latest 012.0 (or even the 0.12r1) version of liboqs? I suspect it must not, otherwise the automated table from the hackathon would be showing oqs passing with positive results (instead of failing). |
The liboqs code base or version does not describe the functionality in an oqsprovider until both are released and documented to work together. Only an oqsprovider 0.8.0 (or as of yesterday, main) will work with liboqs 0.12.0: We had been waiting for the interop confirmation before landing the final (O)IDs. Now the docker image can follow (manually or automatically built as per preference, e.g., of @praveksharma ). |
As mentioned above, I manually used libOQS 0.12 to interop with the other implementations in the IETF hackathon, and it works. We are still waiting for the dockerhub image to be updated to 0.12. Once that is done the automated interop table look much better! |
Tracks liboqs ML-DSA #1919
This PR Integrates ML-DSA and (non-composite) hybrids.
However, it does not yet include support for the updated composite signatures with ML-DSA.
@feventura: It would be great if you could amend this PR to incorporate the updated composite signature support. Alternatively, you could submit a follow-up PR for those changes.