Topic: Post quantum handshake requires call to wolfSSL_UseKeyShare()

Hi,

We ran into some (to us) unexpected behaviour while testing post quantum support in wolfssl. We built it with the following configuration:

./configure --with-liboqs --enable-kyber --enable-shared --enable-enckeys --enable-sni --enable-opensslextra

We have an openssl server that is configured to accept only the hybrid curve p384_kyber768. But when connecting with wolfssl the handshake fails with error: invalid parameter.
If we configure the server to accept only a "normal" curve like p384 the handshake succeeds.

So I was guessing that wolfssl might not enable post quantum curves by default. So I tried enabling the curve with

    int groups[] = {WOLFSSL_P384_KYBER_LEVEL3};
    int count = 1;
    ret = wolfSSL_CTX_set_groups(sslCtx, groups, count);

Unfortunately that didn't solve the issue. So I looked at your example client code and found that there were calls to wolfSSL_UseKeyShare().

So I added

    wolfSSL_UseKeyShare(sslSession, WOLFSSL_P384_KYBER_LEVEL3);

And now the handshake succeeds. But I am wondering why it does not work in the first place?
Is it a bug or a feature that I have to call wolfSSL_UseKeyShare() when using post quantum algorithms but not when using "normal" curves like p384?

Regards,
Frederik


Re: Post quantum handshake requires call to wolfSSL_UseKeyShare()

Hi Frederik,

This is indeed expected behavior, as we do not generate an ephemeral key until you call wolfSSL_UseKeyShare.

May I ask what project you are using our post-quantum support for?  Are you working on a personal or commercial project?  Feel free to contact us at support [AT] wolfssl [DOT] com if these details are sensitive.

Thanks,
Kareem


Re: Post quantum handshake requires call to wolfSSL_UseKeyShare()

Hi Kareem,

OK, then the error is what I expected.
Then what decides which ephemeral keys are automatically generated? Because - as I mentioned - other curves seem to work fine without calling wolfSSL_UseKeyShare().

We are already in talks with Martin Engstrom about licenses. But we haven't yet decided if we want to go with wolfssl or an alternative library.

Regards,
Frederik


Re: Post quantum handshake requires call to wolfSSL_UseKeyShare()

Hi Frederik,

When using a post-quantum algorithm, only the client needs to do keygen, as opposed to both sides for typical algorithms.  This explicit call helps us enforce this, and prevent doing keygen on the server-side.
In addition, having keygen in its own call allows us to speed up connection time by doing more work during initialization.
Since some post-quantum algorithms such as Kyber have multiple levels, our current approach also lets us prevent generating and sending excess keys for all levels, when only one level was requested.

Thanks,
Kareem
