[TLS 1.3] Hybrid PQ/T key establishment

[reneme]

Pull Request Dependencies

• [TLS 1.3] Use a KEM interface in the Callbacks #3608
• Chore: Update BoGo tests #3616
• API modernization PK_KEM_Encryptor/Decryptor #3611

Things to do

• Tests (at least a round-trip test -- e.g. as a new configuration in test_cli.py cli_tls_socket_tests)
• Decide and introduce preliminary code points for compatibility with existing PQ/T endpoints -- e.g. cloudflare, Amazon KMS, Microsoft, IBM, ??)
  • How to handle support for those?
• Try to build/test with hybrid KEX module disabled
• Update the BoGo tests, that seem to support Kyber since May '23
• Act on [TLS 1.3] Hybrid PQ/T key establishment #3609 (comment)

Description

This (finally) follows up on #2983 and is a more serious attempt in delivering hybrid key exchange based on draft-ietf-tls-hybrid-design-06.

Hybrid key exchange is handled by an adapter class Hybrid_KEM_PrivateKey that combines 2 or more KEX/KEM keys as specified in draft-ietf-tls-hybrid-design-06. To upstream users it provides a KEM interface.

Internally Hybrid_KEM_PrivateKey uses another adapter KEX_to_KEM_Adapter_PrivateKey that takes a single Key Agreement key (e.g. X25519) and exposes a KEM interface based on it. "KEM-Encaps" is implemented by generating a matching ephemeral key pair and using the ephemeral public key as the "encapsulated secret".

There are plenty of TODO where we needed to workaround short-comings of the Public_Key API. Potential improvements are collected in #3706.

IANA did not define code points for PQ and PQ/T key exchange groups in TLS, yet. As a result, different (beta) services define incompatible algorithm identifiers. We're providing a number of algorithm aliases to be compatible to both libOQS and Cloudflare's implementation. This is certainly a moving target that might change in the near future.

To give this a test run and connect to cloudflare.com using PQC (see their blog post -- section "What we deployed" -- for more details):

1. Create a TLS policy file (pqc_tls.txt):

allow_tls13 = true
allow_tls12 = false
x25519/Kyber-512-r3 secp256r1/Kyber-512-r3 x25519/Kyber-512-r3/cloudflare

2. Start the CLI like so:

./botan tls_client --tls-version=1.3 --debug cloudflare.com --policy=./pqc_tls.txt

You'll see that the exchanged Client Hello and Server Hello messages in the debug output are unusually large. The kyber public key weighs about 800bytes.

[reneme]

With this policy:

allow_tls13 = true
allow_tls12 = false
key_exchange_groups = x25519/Kyber-512-r3 secp256r1/Kyber-512-r3 x25519/Kyber-512-r3/cloudflare

We tested successfully against:

• cloudflare.com (documentation, blog)
  Unfortunately they use incompatible algo identifiers (hence the x25519/Kyber-512-r3/cloudflare hack in the policy). They use Curve25519 and don't support the NIST curves.
• qsc.eu-de.kms.cloud.ibm.com (documentation)
  IBM uses the algo identifiers proposed by liboqs. It does not support Curve25519. Apart from the hybrid exchange this endpoint can also handle just Kyber-512-r3.
• test.openquantumsafe.org (documentation)
  Yeah. Everything should role.

We couldn't negotiate against:

• kms.eu-central-1.amazonaws.com (documentation)
  This used to work with [TLS 1.3] Post-Quantum Readiness via Hybrid Key Exchange #2983. But the hybrid encoding proposed by IETF draft changed in the mean time. Apparently, Amazon's endpoint still speaks the old draft. (Individual public values were not just concatenated but a length-value-encoding was used.

[coveralls]

coverage: 91.67% (-0.07%) from 91.743% when pulling 4486d90 on Rohde-Schwarz:tls13/kem_establishment into ae37d65 on randombit:master.

[reneme]

Do we need to establish one or more new key_exchange_method in the policy?

I believe we should. See for example Session_Summary::kex_algo() which would currently report UNDEFINED for hybrid and/or KEM.

Edit: done

[reneme]

Rebased to master after merging #3611.

[randombit]

This is only a partial review - I haven't reviewed the KEX->KEM adapter at all and only partially reviewed hybrid_public_key.cpp. I will finish the review asap.

[reneme]

Thanks for the review. Unfortunately, I won't be able to look into it before August 7th. Perhaps @FAlbertDev wants to give it a go, though. 😃

[FAlbertDev]

Perhaps @FAlbertDev wants to give it a go, though. 😃

Yeah, I'll give it a try 👍

[randombit]

Thanks for addressing the review comments @FAlbertDev, on a quick review of just your commit things looked good.

I want to do another full pass review, I'll get this in sometime before next week.

[reneme]

Rebased to master to solve conflicts in test_cli.py after merging #3618.

[reneme]

It would be great if we could access certain basic information of specific algorithms statically.

[randombit]

Thought I had left a comment on this earlier? Hm.

Statically might be difficult given how DH/ECDH are defined over arbitrary groups, but it seems pretty possible to have something like virtual size_t raw_shared_key_length() = 0 the challenge is on what type to put it since PK_Key_Agreement_Key is only for the private keys ...

Conceivably we could have something on Public_Key like so

/**
* Return the length of the relevant artifact of this key.
* 
* Throws Not_Implemented if the key does not support an operation of this type.
*
* For KeyAgreement, returns the raw (non-KDF) output length.
*/
virtual size_t output_length(PublicKeyOperation op) = 0
```

[randombit]

Looks very good, left a few comments, ptal

[reneme]

Done with your latest review comments. I updated the PR description (mainly for future reference) and created #3706 to collect future improvements on the Pubkey-APIs.

I committed the review fixes into new commits for easy review. Let me know if I should squash before we merge eventually.

[reneme]

Rebased to master.

[randombit]

Did a full review, left a few minor comments. Approving to unblock since I didn't notice anything major. This certainly points out some nasty holes in our API surface; in principle it should be possible to implement the hybrid and kex->kem adaptors without referencing any algorithm specific details.