Post Quantum Cryptography
Quantum computers harness the principles of quantum physics to solve certain types of problems exponentially faster than classic computers. One of these is the factoring of large numbers. However, this math is what underlies the asymmetrical cryptography algorithms widely used to secure data and transactions in the modern world.
Post Quantum Cryptography (PQC) are encryption algorithms designed to secure data from attacks by quantum and classic computers. The National Institute of Standards and Technology (NIST) in August 2024 approved three standards and more are under development.
Although current quantum computers cannot break traditional asymmetric cryptography today, the technology is rapidly advancing. And bad actors can harvest information now to be decrypted later when the technology is viable. Therefore, it is of utmost importance to adopt PQC as rapidly as possible.
Acknowledgement
I need to acknowledge the work of Alex Bozarthin in the article “Developing with quantum-safe OpenSSL”, which this article adapts for Red Hat Enterprise Linux v9 running on an IBM Power server. Alex’s instructions are for Ubuntu 22.04 LTS running on x86 and required modifications to accommodate the changes in distro and platform. I recommend that you read his article if you want a better understanding of the context of this tutorial.
Tutorial
The tutorial below shows how to set up OpenSSL 3 with a Quantum Safe provider. It is installed into its own workspace so as to not conflict with any current SSL installations.
It is assumed that you are running these steps with root privileges. If that is not true, make appropriate use of sudo to gain the necessary rights.
Please note that I did not provide the full output of some commands in my screenshots as they were quite lengthy.
Lastly, use this at your own risk. There is nothing inherently dangerous in these instructions, but it is possible that following them may have unintended consequences for your system.
1. Prepare the System
Update Packages
dnf update && dnf upgrade
Create Workspace
These steps create a workspace for the installations and can be any directory that you have write permissions to. The total installation is less than 3GB.
export BUILD_DIR=$WORKSPACE/build
mkdir -p $BUILD_DIR/lib64
ln -s $BUILD_DIR/lib64 $BUILD_DIR/lib
cd $WORKSPACE
Install Build Dependencies
subscription-manager repos –enable \
codeready-builder-for-rhel-9-ppc64le-rpms
dnf -y groupinstall “Development Tools”
dnf -y install perl wget cmake ninja-build
2. Install OpenSSL
cd $WORKSPACE
git clone https://github.com/openssl/openssl.git
cd openssl
./Configure \
–prefix=$BUILD_DIR \
no-ssl no-tls1 no-tls1_1 no-afalgeng \
no-shared threads -lm
make -j $(nproc)
make -j $(nproc) install_sw install_ssldirs
3. Install liboqs
cd $WORKSPACE
git clone https://github.com/open-quantum-safe/liboqs.git
cd liboqs
cmake \
-DCMAKE_INSTALL_PREFIX=$BUILD_DIR \
-DBUILD_SHARED_LIBS=ON \
-DOQS_USE_OPENSSL=OFF \
-DCMAKE_BUILD_TYPE=Release \
-DOQS_BUILD_ONLY_LIB=ON \
-DOQS_DIST_BUILD=ON
make -j $(nproc)
make -j $(nproc) install
4. Install and Configure the Open Quantum Safe Provider
Install Open Quantum Safe
cd $WORKSPACE
git clone https://github.com/open-quantum-safe/oqs-provider.git
cd oqs-provider
liboqs_DIR=$BUILD_DIR cmake \
-DCMAKE_INSTALL_PREFIX=$WORKSPACE/oqs-provider \
-DOPENSSL_ROOT_DIR=$BUILD_DIR \
-DCMAKE_BUILD_TYPE=Release \
-S . \
-B _build
cmake –build _build
Update openssl.cnf to use the provider
cp _build/lib/* $BUILD_DIR/lib/
sed -i “s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g” $BUILD_DIR/ssl/openssl.cnf
sed -i “s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g” $BUILD_DIR/ssl/openssl.cnf
Set Environmental Variables and List Providers
You should see “oqsprovider” listed.
export OPENSSL_CONF=$BUILD_DIR/ssl/openssl.cnf
export OPENSSL_MODULES=$BUILD_DIR/lib
$BUILD_DIR/bin/openssl list -providers -verbose -provider oqsprovider
6. Install and Run cURL with Quantum-Safe Algorithms
cd $WORKSPACE
git clone https://github.com/curl/curl.git
cd curl
autoreconf -fi
./configure \
LIBS=”-lssl -lcrypto -lz” \
LDFLAGS=”-Wl,-rpath,$BUILD_DIR/lib64 -L$BUILD_DIR/lib64 -Wl,-rpath,$BUILD_DIR/lib -L$BUILD_DIR/lib -Wl,-rpath,/lib64 -L/lib64 -Wl,-rpath,/lib -L/lib” \
CFLAGS=”-O3 -fPIC” \
–prefix=$BUILD_DIR \
–with-ssl=$BUILD_DIR \
–with-zlib=/ \
–enable-optimize –enable-libcurl-option –enable-libgcc –enable-shared \
–enable-ldap=no –enable-ipv6 –enable-versioned-symbols \
–disable-manual \
–without-default-ssl-backend \
–without-librtmp –without-libidn2 \
–without-gnutls –without-mbedtls \
–without-wolfssl –without-libpsl
make -j $(nproc)
make -j $(nproc) install
Test
$BUILD_DIR/bin/curl -vk https://test.openquantumsafe.org/CA.crt –output $BUILD_DIR/ca.cert
In the list of SSL connections, you should see a PQC algorithm listed. I received X25519MLKEM768 while Alex’s tutorial resulted in p521_kyber1024.
He did note that the “The port for a signature and key exchange algorithm combination provided by the test server is subject to change.” Referring to the documentation on the test server, that appears to be the difference between these tutorials’ results.
Optional: Generate SPHINCS+ Keypair
Generate Keypair
$BUILD_DIR/bin/openssl genpkey -algorithm sphincssha2128ssimple -provider oqsprovider -out sk.pem
$BUILD_DIR/bin/openssl pkey -in sk.pem -pubout -out pk.pem