On Tue, Dec 10, 2024 at 10:20:27PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> I’m trying to generate an ML-KEM key-pair (well, and ML-DSA key-pair)
> using OpenSSL CLI, specifically “openssl genpkey”. I have
> OpenSSLS-3.4.0 installed, and “oqs-provider” built from the “main”
> branch.
While I can't help you with OQS, the good news it that ML-KEM and ML-DSA
will likely soon have native support in the upcoming OpenSSL 3.5. The
ML-KEM code is a bit further along, though not yet even fully merged into
the feature branch, a bunch is still in various PRs...
$ openssl genpkey -algorithm ml-kem-512 -out /tmp/ml-512-key.pem
$ openssl pkey -in /tmp/ml-512-key.pem -pubout -out /tmp/ml-512-pub.pem
$ openssl pkeyutl -encap -inkey /tmp/ml-512-pub.pem -secret /tmp/encap.dat -out /tmp/ctext.dat
$ openssl pkeyutl -decap -inkey /tmp/ml-512-key.pem -secret /tmp/decap.dat < /tmp/ctext.dat
$ openssl dgst -sha256 -binary < /tmp/encap.dat | xxd -p -c32
351bc81516ab2b70cf30fbbfd92cbb819f56351460ce655929655c7f2fae7256
$ openssl dgst -sha256 -binary < /tmp/decap.dat | xxd -p -c32
351bc81516ab2b70cf30fbbfd92cbb819f56351460ce655929655c7f2fae7256
$ wc -c /tmp/*.dat
768 /tmp/ctext.dat
32 /tmp/decap.dat
32 /tmp/encap.dat
832 total
$ openssl pkey -in /tmp/ml-512-key.pem -text | sed -e '/pub:/q'
-----BEGIN PRIVATE KEY-----
MFICAQAwCwYJYIZIAWUDBAQBBECkAuecgpTeeI3c9gNy/bor/lneCg08n4A85VlG
wYGhm9CgcO/o2h/xPIjBJ1Ry2n5bCICerYwMjal/MeZ1ioDV
-----END PRIVATE KEY-----
ML-KEM-512 Private-Key:
priv:
a4:02:e7:9c:82:94:de:78:8d:dc:f6:03:72:fd:ba:
2b:fe:59:de:0a:0d:3c:9f:80:3c:e5:59:46:c1:81:
a1:9b:d0:a0:70:ef:e8:da:1f:f1:3c:88:c1:27:54:
72:da:7e:5b:08:80:9e:ad:8c:0c:8d:a9:7f:31:e6:
75:8a:80:d5
pub:
$ openssl pkey -in /tmp/ml-512-pub.pem -pubin -text | sed -e '/pub:/q'
-----BEGIN PUBLIC KEY-----
MIIDMjALBglghkgBZQMEBAEDggMhAOcWAuPrJwXbi8ikCRuDSzoUunHGHJK0R+5L
UOQ2bcercJTqb7AleVijcTkigLDcO7SowHHnIuT2mE6lW4YzwdbKQdQZuQqravG4
x/JSs+jAvFLjrkeYqpYpUo2HDhpMSBAsXGi6rnpywaUyCJ9qhmOrqSEVx+43o1FI
VgiYnvh2XvyZmc/LLY8UywVJc8pxIudJYqpKeGPzMjzRCNQUp17cEpQ6h+6gpDZp
a8ILR7ryuMRBsLpUrNCXANCwqmCWvIP5rCHriVxXN54WBT6WTb7ryNMUjYNAaHiK
gIHUrFUFLIxJksUYYu5Uyj3xWIWBjc85Rk4wZWDHtF1wmoQ3cGymAZnwwGNMzG26
ZhBiuF6wRaNJK8AAqcins6aTCMDYet2njoL7VjCkYpZCnpC6aF67uwuQWEiwJVbi
jIySJ4h5V98zsIrRyHexPqnKvb7TGom5YDabnIPTMuRYAVnKKqIaE65UPn5Lc4AJ
W9dSJZeSE3i3ugchpPgZL1UiZzU4k/MsNdzkG+OLJw+aUit4XMfxhSdbJDhymS0n
TxZoX8HwE1FkggpyhjXit58qaumXLXLHWARJYjXJR+omRq6DYC0XnJCoVZJ6jF+R
iHVIx4e1PHQIVV51oFgcXgTwl8snXQI3tHJ6Aldcrfu8mYDpOdK2bV7octXpWQ0g
Z4U6ESIqh5Z1XPmwarFnipbVXQy5qxPFLvX1j2jMq2ALVPxXJPRZQDRFkDgKtG4o
PsJTPRyhzeHgUTb2dD+VJ9FkHtAMz0jncm/ycYxxklmgO2UQYrTpbZFWbEfhAW6L
bXtyb/T6qlDQaHo7zLGMDrj7MSf1X2yIgxdMBcPBI3HGTgCxpRD2G28bteyHEeuU
tRXbWckjWUVprj1Wqtz1p0tSQWQCC7rCE4NEI1OmNk9GY7BGDYqYBcKnzkb3QOXS
Pm0RTJybx9PnB09gxHsrdEF6LJrxV1H5aMYxXrzwL0rUt/cCdrXmbDvRuVMiYFcW
pOCVWxJWtZNrdTqkwf5gzG24XmqGjk/3GfkPkkEkchfz8eIaf8z0cWJ2wLhP+Mje
Z4PeJIIn
-----END PUBLIC KEY-----
ML-KEM-512 Public-Key:
pub:
[ The openssl-pkeyutl(1) support for encap/decap required some fixes. ]
--
Viktor.
--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/Z3C9LzrQL4COcVP7%40chardros.imrryr.org.
