Skip to content

Latest commit

 

History

History
242 lines (163 loc) · 17.4 KB

RELEASE.md

File metadata and controls

242 lines (163 loc) · 17.4 KB

oqs-provider 0.5.4-dev

About

The Open Quantum Safe (OQS) project has the goal of developing and prototyping quantum-resistant cryptography. More information on OQS can be found on our website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

oqs-provider is a standalone OpenSSL 3 provider enabling liboqs-based quantum-safe and hybrid key exchange for TLS 1.3, as well as quantum-safe and hybrid X.509 certificate generation, CMS, CMP and dgst (signature) operations.

When deployed, the oqs-provider binary (shared library) thus adds support for quantum-safe cryptographic operations to any standard OpenSSL(v3) installation. The ultimate goal is that all openssl functionality shall be PQC-enabled.

In general, the oqs-provider main branch is meant to be usable in conjunction with the main branch of liboqs and the master branch of OpenSSL.

Further details on building, testing and use can be found in README.md. See in particular limitations on intended use.

Release notes

This is version 0.5.4-dev of oqs-provider.

Previous Release Notes

oqs-provider 0.5.3

This is a maintenance release not changing any oqsprovider functionality but only tracking a security update in liboqs (0.9.2).

oqs-provider 0.5.2

About

The Open Quantum Safe (OQS) project has the goal of developing and prototyping quantum-resistant cryptography. More information on OQS can be found on our website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

oqs-provider is a standalone OpenSSL 3 provider enabling liboqs-based quantum-safe and hybrid key exchange for TLS 1.3, as well as quantum-safe and hybrid X.509 certificate generation, CMS, CMP and dgst (signature) operations.

When deployed, the oqs-provider binary (shared library) thus adds support for quantum-safe cryptographic operations to any standard OpenSSL(v3) installation. The ultimate goal is that all openssl functionality shall be PQC-enabled.

In general, the oqs-provider main branch is meant to be usable in conjunction with the main branch of liboqs and the master branch of OpenSSL.

Further details on building, testing and use can be found in README.md. See in particular limitations on intended use.

Release notes

This is version 0.5.2 of oqs-provider.

Security considerations

None.

What's New

This release continues from the 0.5.1 release of oqs-provider and is fully tested to be used in conjunction with the main branch of liboqs. This release is guaranteed to be in sync with v0.9.0 of liboqs.

This release also makes available ready-to-run binaries for Windows (.dll) and MacOS (.dylib) compiled for x64 CPUs. Activation and use is documented in USAGE.md.

Additional new feature highlights

What's Changed

New Contributors

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.5.1...0.5.2

This is version 0.5.1 of oqs-provider.

Security considerations

None.

What's New

This release continues from the 0.5.0 release of oqs-provider and is fully tested to be used in conjunction with the main branch of liboqs. This release is guaranteed to be in sync with v0.8.0 of liboqs.

Additional new feature highlights

  • Support for Windows platform
  • Added brew support for MacOS
  • Documentation restructured supporting different platforms
  • Enable statically linkable oqsprovider

What's Changed (full commit list)

New Contributors

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.5.0...0.5.1

This is version 0.5.0 of oqs-provider.

Security considerations

None.

What's New

This release continues from the 0.4.0 release of oqs-provider and is fully tested to be used in conjunction with the main branch of liboqs. This release is guaranteed to be in sync with v0.8.0 of liboqs.

oqs-provider now also enables use of QSC algorithms during TLS1.3 handshake. The required OpenSSL code updates are contained in openssl/openssl#19312. Prior to this code merging, the functionality can be tested by using https://github.com/baentsch/openssl/tree/sigload.

Algorithm updates

All algorithms no longer supported in the NIST PQC competition and not under consideration for standardization by ISO have been removed. All remaining algorithms with the exception of McEliece have been lifted to their final round 3 variants as documented in liboqs. Most notably, algorithm names for Sphincs+ have been changed to the naming chosen by its authors.

Functional updates

  • Enablement of oqs-provider as a (first) dynamically fetchable OpenSSL3 TLS1.3 signature provider.
  • MacOS support
  • Full support for CA functionality
  • Algorithms can now be selected by their respective bit strength using the property string "oqsprovider.security_bits"
  • Documentation of (O)IDs used by the different PQC algorithms used and supported in current and past releases of oqs-openssl and oqs-provider
  • Testing is now completely independent of a source code distribution of OpenSSL being available
  • oqsprovider can be built and installed making use of pre-existing installations of OpenSSL and liboqs. Details are found in the "scripts" directory's build and test scripts.
  • Automated creation of (Debian) packaging information
  • Graceful handling (by way of functional degradation) of the feature sets contained in different OpenSSL releases; all oqsprovider capabilities are only available when using a version > than OpenSSL3.1.
  • A bug regarding handling of hybrid algorithms has been fixed as well as some memory leaks.

Misc updates

  • Dynamic code point and OID changes via environment variables. See ALGORITHMS.md.
  • Dynamic key encoding changes via environment variable using external qsc_key_encoder library. See ALGORITHMS.md.

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.4.0...0.5.0.

This is version 0.4.0 of oqs-provider.

Security considerations

This release removes Rainbow level 1 and all variants of SIDH and SIKE due to cryptanalytic breaks of those algorithms. Users are advised to move away from use of those algorithms immediately.

What's New

This release continues from the 0.3.0 release of oqs-provider and is fully tested to be used in conjunction with version 0.7.2 of liboqs.

oqs-provider has been integrated as an external test component for OpenSSL3 testing and will thus remain in line with any possibly required provider API enhancements.

Algorithm updates

  • Removal of SIKE/SIDH and Rainbow level I due to cryptographic breaks

Functional updates

Misc updates

  • Additional testing
  • Integration with and of OpenSSL test harness

Full Changelog: https://github.com/open-quantum-safe/oqs-provider/compare/0.3.0...0.4.0.

0.3.0 - January 2022

About

This is the first official release of oqsprovider, a plugin/shared library making available quantum safe cryptography (QSC) to OpenSSL (3) installations via the provider API. Work on this project began in oqs-openssl's branch "OQS-OpenSSL3" by @baentsch. This original code dependent on OpenSSL APIs was transferred into a standalone project by @levitte and subsequently branched by the OQS project into this code base.

This project is part of the Open Quantum Safe (OQS) project: More information on OQS can be found on our website: https://openquantumsafe.org/ and on Github at https://github.com/open-quantum-safe/.

Release Notes

The current feature set of oqsprovider comprises

  • support of all QSC KEM algorithms contained in liboqs (v.0.7.1) including hybrid classic/QSC algorithm pairs
  • integration of all QSC KEM algorithms into TLS 1.3 using the groups interface
  • support of all QSC signature algorithms contained in liboqs (v.0.7.1) including hybrid classic/QSC algorithm pairs
  • integration for persistent data structures (X.509) of all QSC signature algorithms using the standard OpenSSL toolset

Limitations