How to build a custom PQCrypto-VPN with latest (dev) liboqs and OQS-OpenSSL (1.1.1k) on Windows 10 about pqcrypto-vpn HOT 4 CLOSED

Thank you for your continued interest! As you see we haven't had the resources available to update this project yet, but I'm keeping your issues open so that we have them as a reference when we're able.

And of course, we always take pull requests, so if you have the time and motivation to make any of the changes yourself, we'd be glad to take them!

from pqcrypto-vpn.

Greetings all,

Some updates regarding my quick guide:
Taking into consideration that all of OpenSSL, OQS-OpenSSL and libOQS have changed since then (liboqs now turns into 0.5.0 and openssl is regularly updated, having many fixes since my initial post) I would like to note the following observations and propose some quicker ways to do test the latest algorithms on Windows 10 (Pro - co_release in my case)

For the step 1.
You can just download Kevin's PQCrypto-VPN Windows binary from the "Releases page of this repository"
But when building on a Linux (Ubuntu) server, keep in my to replace the repos that are cloned with the ones you would like to test (meaning the latest repos as found on the OQS project according git repositorie sites)

For the step 3.
Replace the previously suggested command with the intended/standard one
( cmake -GNinja -DCMAKE_INSTALL_PREFIX=..\..\openssl-oqs\oqs .. )

For the step 5.
You should copy and replace all of the library files and the binary built with those found in the openvpn\bin directory

Some algorithms such as sidhp e.t.c. are currently now working/enabled on the latest Windows build, so you may need to:

1. Build an initial Ubuntu package with the PQCrypto-VPN script (after replacing with the latest liboqs & openssl-oqs repos)
2. Apply the recommendations for enabling custom algorithms on Ubuntu first, as found in the project Wiki (use the link found in the original post)
3. Move and build the "patched" repos on a Windows machine using this guide

I will try to apply this last recommendation myself aswell and share my future insights.

Congratulations to all the involved people and contributors of the OpenSSL, PQCrypto-VPN, OQS-OpenSSL, libOQS sub-projects for all this great work!

from pqcrypto-vpn.

Greetings Kev,

Yes I would be more than happy to provide some contribution on the PQCrypto-VPN sub-project of OQS, possibly by providing a frequently upgraded branch of all the according repos involved, so I have already started working on it and I will provide you with details pretty soon, maybe within a few days

Also I have to state that in the Windows build, all PQ KEMs are enabled but in HYBRID mode, except NTRU-Prime which is also allowed to be used in normal PQ mode.

That means:
If is any of the algorithms listed above, the following hybrid algorithms are supported:

if <KEX> has L1 security, the fork provides the method p256_<KEX>, which combine <KEX> with ECDH using the P256 curve.
if <KEX> has L3 security, the fork provides the method p384_<KEX>, which combines <KEX> with ECDH using the P384 curve.
if <KEX> has L5 security, the fork provides the method p521_<KEX>, which combines <KEX> with ECDH using the P521 curve.

For example, since kyber768 claims L3 security, the hybrid p384_kyber768 is available.

(these datasheets specify which provide what security)

from pqcrypto-vpn.

Two very last notes for now, I would like to comment, coming from my tests so far, are that:

A. actually every pure PQ KEM algorithm originally enabled in OQS-OpenSSL and libOQS can be used using my guide above, but you have to:

1. Pick KEMs in hybrid-cryptography mode as written in the previous post
2. Pick any enabled pure OQS signature algorithm for the public key signature, and not any among those that are available from the fork for the hybrid-cryptography mode.
   If my assumptions are correct, that way the key exchange that is initialized in hybrid-cryptography mode, results in pure PQ exchange. by using only PQ certs/keys

B. The second one is that if the desired algorithm falls in NIST L4 security, you can use it as either secp384_ or secp521_ (I don't remember now which one worked for me, actually)

Best regards and enjoy the NIST Round 3 submissions!

from pqcrypto-vpn.