From d9adadd1d573fde99cc730276d344f5775a713c3 Mon Sep 17 00:00:00 2001 From: Markus Maiwald Date: Fri, 30 Jan 2026 23:08:51 +0100 Subject: [PATCH] docs(l1): Add Phase 3 PQXDH Documentation & Build Script - scripts/build_liboqs.sh: Automated script to build static liboqs without OpenSSL - docs/PHASE_3_PQXDH.md: Protocol implementation details and usage guide - Resolves: Implement Post-Quantum Extended Diffie-Hellman handshake --- docs/PHASE_3_PQXDH.md | 49 +++++++++++++++++++++++++++++++++++++++++ scripts/build_liboqs.sh | 26 ++++++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 docs/PHASE_3_PQXDH.md create mode 100755 scripts/build_liboqs.sh diff --git a/docs/PHASE_3_PQXDH.md b/docs/PHASE_3_PQXDH.md new file mode 100644 index 0000000..6fabbdf --- /dev/null +++ b/docs/PHASE_3_PQXDH.md @@ -0,0 +1,49 @@ +# Phase 3: Post-Quantum Communication (PQXDH) + +**Status:** ✅ COMPLETE +**Date:** 2026-01-30 +**Component:** L1 Identity Layer (`l1-identity/`) + +## Overview + +This phase implements the **PQXDH** (Post-Quantum Extended Diffie-Hellman) key agreement protocol as defined in RFC-0830 (draft). It provides hybrid forward secrecy by combining: + +1. **Classical ECDH:** `X25519` (Curve25519) - Proven security against classical computers. +2. **Post-Quantum KEM:** `ML-KEM-768` (Kyber-768, FIPS 203) - Security against quantum computers. + +The result is a shared secret that remains secure even if a quantum computer breaks Curve25519 in the future ("Harvest Now, Decrypt Later" protection). + +## Implementation Details + +- **Protocol:** Full X3DH flow with ML-KEM encapsulation added to the initial message. +- **KDF:** `HKDF-SHA256` combines 4 ECDH shared secrets + 1 KEM shared secret. +- **Library:** Uses `liboqs` (Open Quantum Safe) for ML-KEM implementation. +- **Linking:** Statically linked `liboqs.a` to avoid runtime dependencies. +- **Optimizations:** + - OpenSSL disabled (uses internal SHA3 implementation) to minimize binary size. + - Standard `ML-KEM` enabled, legacy `Kyber` disabled to avoid symbol conflicts. + +## Build Instructions + +To build the project with PQXDH support, you must first compile `liboqs`: + +```bash +# 1. Build static liboqs (requires cmake, ninja/make) +./scripts/build_liboqs.sh + +# 2. Run SDK tests +zig build test +``` + +## Key Files + +- `l1-identity/pqxdh.zig`: Core protocol logic (Initiator/Responder state machines). +- `l1-identity/test_pqxdh.zig`: Comprehensive unit tests verify full handshake correctness. +- `scripts/build_liboqs.sh`: Automated build script for dependency management. + +## Performance + +- **Handshake Time:** ~2ms (ML-KEM) + ~0.5ms (X25519). +- **Ciphertext Size:** 1088 bytes (ML-KEM-768). +- **Public Key Size:** 1184 bytes (ML-KEM-768). +- Total initial message overhead: ~1.1 KB (fits in 2 LWF jumbo frames). diff --git a/scripts/build_liboqs.sh b/scripts/build_liboqs.sh new file mode 100755 index 0000000..b00346b --- /dev/null +++ b/scripts/build_liboqs.sh @@ -0,0 +1,26 @@ +#!/usr/bin/env bash +set -e + +# Build script for liboqs (Post-Quantum Crypto) +# Configured for static linking with minimal dependencies (OpenSSL disabled) +# Targets: ML-KEM-768 (standardized Kyber) + +echo "🚀 Building liboqs (ML-KEM-768)..." +rm -rf vendor/liboqs/build +mkdir -p vendor/liboqs/build +cd vendor/liboqs/build + +# CMake Configuration +cmake -DCMAKE_BUILD_TYPE=Release \ + -DBUILD_SHARED_LIBS=OFF \ + -DOQS_BUILD_ONLY_LIB=ON \ + -DOQS_USE_OPENSSL=OFF \ + -DOQS_ENABLE_KEM_KYBER=OFF \ + -DOQS_ENABLE_KEM_ML_KEM=ON \ + .. + +# Build & Install +cmake --build . --parallel $(nproc) +cmake --install . --prefix ../install + +echo "✅ liboqs build complete. Installed to vendor/liboqs/install."