-
Notifications
You must be signed in to change notification settings - Fork 101
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document & curate (O)IDs #351
Comments
I am a bit confused: The IETF hackathon team decided to use the same OIDs for Kyber and ML-KEM, but I thought those algorithms are different (at least they have different KATs): Am I wrong in this assumption? This leads to a c[l|r]ash when activating Kyber and ML-KEM using the same OID. Question to @praveksharma : Have you been part of the IETF hackathon team's decision to give Kyber and ML-KEM the same OIDs/supporting the notion they are functionally equivalent? Also tagging @bhess @dstebila for input. If so, shall we (also follow the IETF hackathon's lead and) eliminate Kyber entirely from May I propose @bhess takes on responsibility for managing the Kyber/Dilithium/ML-KEM/ML-DSA ID range and resolve this particular conundrum? Given we have introduced the capability of encoding KEMs solely for interop testing (and to resolve #194), what about adding a statement along the lines "This feature is experimental until a solid management of KEM OIDs is established. Use at your own risk." to the documentation of OQS_KEM_ENCODERS and remove it from CI until we have properly resolved this issue? Also adding @Muzosh @ralienpp for input as they've been part of the discussions in #194. |
No, that's wrong. You are correct that there are interop differences between "round 3 kyber" and "initial public draft ML-KEM". If you check the hackathon oids table: you will see that we have new OIDs for the ml-kem-ipd. NIST will provide final OIDs with the final versions of the FIPS documents. |
We have the following Kyber-r3 OIDs registered under the IBM tree, which could be used:
The Dilithium and ML-DSA-ipd OIDs are correctly reflected in https://github.com/IETF-Hackathon/pqc-certificates/blob/master/docs/oid_mapping.md |
Very good, thanks. May I invite a PR (similar to #361) tying these down, then? |
Hmm, looking at IETF-Hackathon/pqc-certificates@42c76ac it seems OIDs were not changed, but the algorithm names "Kyber-..." were simply replaced by "ML-KEM-...".
The current "schism" is resolved by IBM taking responsibility for Kyber OIDs. Looking forward to NIST eventually taking responsibility for ML-... OIDs. |
I guess the same discussion could be applied not only to Kyber, but Sphincs+ as well for example. OQS's ALGORITHMS page originally lists IETF Hackathon seems to have renamed it to |
Also, why only the ML-KEM (and in IETF Hackathon's case, couple of more algorithms like BIKE and HQC) is listed under the OID space of The legion of Bouncy Castle? (= |
Btw I really appreciate @baentsch's efforts in this github issue. The current OID space is a wild west and we need some (at least un-official) standardization of OID list in order to save security engineers and developers hours of internet digging. |
To document the OIDs of the NIST standards (from https://csrc.nist.gov/projects/computer-security-objects-register/algorithm-registration):
|
The file oqs-template/generate.yml serves as the master file for all algorithm (O)IDs. Due to the absence of standard documents specifying them, most of the IDs chosen are randomly allocated, many manually, many automatically.
As persistence of PQC signature algorithms is a default feature of
oqsprovider
, OIDs for signature algorithms are manually curated and updated as OID updates are required, e.g., due to algorithm updates.As persistence of PQC KEM algorithms is a non-default feature of
oqsprovider
, OIDs for KEM algorithms are mostly automatically generated and therefore not stable across releases.This issue is to propose changing this with at least the following improvements:
The text was updated successfully, but these errors were encountered: