Subject: Re: [pqc-forum] sntrup761 browsing demo: 166000 cycles keygen
From: "D. J. Bernstein"
Date: Thu, 23 Apr 2020 07:55:00 +0200
To: pqc-forum@list.nist.gov
Message-ID: <20200423055500.7889.qmail@cr.yp.to>

These are updated demo instructions that (1) use the new openssl-1.1.1g instead of openssl-1.1.1f and (2) arrange for the server side to restart after reboot. The OpenSSL patch is the same as before, and there are no changes to the other components. If you've already installed the demo with 1.1.1f then you can simply patch and install 1.1.1g as shown below and restart the applications; the previously installed engntru and libsntrup761 will continue to work.

---Dan

### Demo overview

Warning: This demo comes with no cryptographic warranties and no other security warranties. The software here is experimental, and is built upon other software with a long history of security problems, such as OpenSSL. The purpose of this demo is purely to show the sntrup761 performance achievable with a CECPQ2-type data flow for TLS 1.3.

The demo has two parts: a server side and a client side. We recommend running each side in its own VM.

The server side uses stunnel for SSL termination. It receives TLS connections, including sntrup761 connections, and passes along the answers provided by a preexisting back-end web server, which does not need to support sntrup761 connections.

For example, the demo site https://test761.cr.yp.to looks just like the preexisting site https://ntruprime.cr.yp.to, but with the extra feature of supporting sntrup761 connections. Internally, https://test761.cr.yp.to passes requests along through a local connection to the preexisting back-end web server for ntruprime.cr.yp.to. You can use https://test761.cr.yp.to as the server side of this demo, or you can set up the server side for a web server of your choice.

The client side uses Epiphany, the Gnome web browser, with no modifications to the Epiphany source code. The glib-networking library used inside Epiphany already supports OpenSSL as an option for outgoing connections, and is configured below to use this option.

Both sides use a version of OpenSSL 1.1.1g patched inside libssl to support sntrup761 as experimental group 0xfe00 for TLS 1.3, and patched inside libcrypto to include a reference implementation of sntrup761. Our new engntru library then overrides this reference implementation with a fast implementation, which in turn is built on top of our new libsntrup761. This way of using the OpenSSL ENGINE feature allows OpenSSL to take advantage of fast software implementations while allowing those implementations to be developed in separate libraries; see https://eprint.iacr.org/2018/354.

Various other applications that use OpenSSL have been verified to work with libsntrup761 via engntru. This demo focuses on stunnel on the server side and Epiphany on the client side.

### Server side

The following instructions for setting up the server side have been tested in a VM running Debian 11 (Bullseye) on a CPU supporting AVX2. You can skip down to the client side if you simply want to try https://test761.cr.yp.to as the server.
As root:

    apt install wget python3 build-essential clang cmake ruby pkg-config -y
    adduser --disabled-password --gecos opensslntru opensslntru

As the new opensslntru user (change the first three lines for your own demo server name, demo server address, and preexisting back-end server address---of course, you should use your favorite VPN to protect the connection from this SSL terminator to the back-end server):

    EXTERNALNAME=test761.cr.yp.to
    EXTERNALADDRESS=1.2.3.4:65024 # provide TLS service on this address
    INTERNALADDRESS=5.6.7.8:80 # use existing server on this address

    export PATH=$HOME/bin:$PATH

    cd
    wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
    wget https://ntruprime.cr.yp.to/opensslntru/openssl-1.1.1g-ntru.patch
    tar -xf openssl-1.1.1g.tar.gz
    mv openssl-1.1.1g openssl-1.1.1g-ntru
    cd openssl-1.1.1g-ntru
    patch -p1 < ../openssl-1.1.1g-ntru.patch
    ./config shared --prefix=$HOME --openssldir=$HOME -Wl,-rpath=$HOME/lib
    make -j8 # a few minutes
    make test # more minutes
    make install_sw

    cd
    wget https://ntruprime.cr.yp.to/opensslntru/libsntrup761-20200415.tar.gz
    tar -xf libsntrup761-20200415.tar.gz
    cd libsntrup761-20200415
    env USE_RPATH=RUNPATH DESTDIR=$HOME CPATH=$HOME/include LIBRARY_PATH=$HOME/lib make all install test

    cd
    wget https://ntruprime.cr.yp.to/opensslntru/engntru-20200415.tar.gz
    tar -xf engntru-20200415.tar.gz
    cd engntru-20200415
    mkdir build
    cd build
    cmake -DCMAKE_PREFIX_PATH="$HOME;$HOME/usr/local" ..
    make
    make test
    make install

    cd
    wget https://www.stunnel.org/downloads/stunnel-5.56.tar.gz
    tar -xf stunnel-5.56.tar.gz
    cd stunnel-5.56
    ./configure --prefix=$HOME --with-ssl=$HOME LDFLAGS=-Wl,-rpath=$HOME/lib
    make
    make install

    cd
    mkdir service
    cd service
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout "$EXTERNALNAME.key" -days 730 -out "$EXTERNALNAME.crt" -subj "/CN=$EXTERNALNAME" -config /etc/ssl/openssl.cnf
    (
      echo "key = $EXTERNALNAME.key"
      echo "cert = $EXTERNALNAME.crt"
      echo 'foreground = yes'
      echo 'engine = engntru'
      echo 'engineDefault = ALL'
      echo '[forward]'
      echo "accept = $EXTERNALADDRESS"
      echo "connect = $INTERNALADDRESS"
      echo 'curves = SNTRUP761:X25519:P-256'
      echo 'config = MinProtocol:TLSv1.2'
      echo 'ciphers = ECDHE+CHACHA20:ECDHE+AES256:ECDHE+AES128:!aNULL:!eNULL:!LOW:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP:!DSS:!aECDSA'
    ) > stunnel.conf

As root:

    (
      echo '[Unit]'
      echo 'Description=opensslntru forwarding'
      echo 'DefaultDependencies=no'
      echo 'After=network.target'
      echo ''
      echo '[Service]'
      echo 'Type=simple'
      echo 'User=opensslntru'
      echo 'Group=opensslntru'
      echo 'WorkingDirectory=/home/opensslntru/service'
      echo 'ExecStart=/home/opensslntru/bin/stunnel stunnel.conf'
      echo ''
      echo '[Install]'
      echo 'WantedBy=default.target'
    ) > /etc/systemd/system/opensslntru.service
    ln -s /etc/systemd/system/opensslntru.service /etc/systemd/system/multi-user.target.wants
    systemctl restart opensslntru

At this point the server should be working. Try any browser to connect to the server's external address. The certificate is self-signed; signing it with Let's Encrypt is recommended but is outside the scope of these instructions.

This stunnel configuration passes SNI along from the client to the server, so the client is free to access any server name provided by the server.
For example, almost all *.cr.yp.to are hosted on the same back-end server and can now be retrieved through sntrup761, although for the moment this is announced to the client (and signed) only for test761.cr.yp.to. You can advertise multiple names on the same server through the same stunnel configuration by adding those names to DNS and creating an appropriate certificate. You can instead configure stunnel to forward different SNI choices to different servers with different certificates.

### Client side

The following instructions for setting up the client side have been tested in a VM running Debian 10 (Buster) on a CPU supporting AVX2.

As root:

    apt install wget python3 build-essential clang cmake \
      ruby pkg-config epiphany-browser meson gnome-pkg-tools \
      libglib2.0-dev libproxy-dev \
      gsettings-desktop-schemas-dev ca-certificates -y
    adduser --disabled-password --gecos opensslntru opensslntru

As the new opensslntru user:

    export PATH=$HOME/bin:$PATH

    cd
    wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
    wget https://ntruprime.cr.yp.to/opensslntru/openssl-1.1.1g-ntru.patch
    tar -xf openssl-1.1.1g.tar.gz
    mv openssl-1.1.1g openssl-1.1.1g-ntru
    cd openssl-1.1.1g-ntru
    patch -p1 < ../openssl-1.1.1g-ntru.patch
    ./config shared --prefix=$HOME --openssldir=$HOME -Wl,-rpath=$HOME/lib
    make -j8 # a few minutes
    make test # more minutes
    make install_sw

    cd
    wget https://ntruprime.cr.yp.to/opensslntru/libsntrup761-20200415.tar.gz
    tar -xf libsntrup761-20200415.tar.gz
    cd libsntrup761-20200415
    env USE_RPATH=RUNPATH DESTDIR=$HOME CPATH=$HOME/include LIBRARY_PATH=$HOME/lib make all install test

    cd
    wget https://ntruprime.cr.yp.to/opensslntru/engntru-20200415.tar.gz
    tar -xf engntru-20200415.tar.gz
    cd engntru-20200415
    mkdir build
    cd build
    cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_PREFIX_PATH="$HOME;$HOME/usr/local" ..
    make
    make test
    make install

    cd
    git clone --branch 2.60.2 https://gitlab.gnome.org/GNOME/glib-networking.git
    cd glib-networking
    mkdir build
    cd build
    env PKG_CONFIG_PATH=$HOME/lib/pkgconfig CPATH=$HOME/include LIBRARY_PATH=$HOME/lib meson --prefix=$HOME -Dopenssl=enabled -Dgnutls=disabled ..
    ninja
    ninja install

    cd
    wget https://ntruprime.cr.yp.to/opensslntru/openssl-engntru.cnf

    export OPENSSL_CONF=$HOME/openssl-engntru.cnf
    export LD_LIBRARY_PATH=$HOME/lib
    export GIO_MODULE_DIR=$HOME/lib/x86_64-linux-gnu/gio/modules
    export ENGNTRU_DEBUG=4 # to watch engntru activating
    ln -s /etc/ssl/certs $HOME/certs
    epiphany https://test761.cr.yp.to

You should be able to browse to this demo server (using sntrup761), whichever other demo servers you set up above (using sntrup761), and other sites (typically not using sntrup761 yet). The ENGNTRU_DEBUG=4 log information in the terminal includes a note for each sntrup761 keygen, a note for each sntrup761 dec, and a note for each computation of a batch of 32 keys.
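
Added example, not part of the original message or of the OpenSSLNTRU code: the server's `curves = SNTRUP761:X25519:P-256` setting permits fallback, so this Python parser reads the key_share extension of a captured TLS 1.3 ServerHello record and reports whether group 0xfe00 was actually selected. The function names and the sample records are constructed for illustration, and the key-share bytes are placeholders, not real sntrup761 data.

```python
import struct

GROUPS = {0xFE00: "sntrup761", 0x001D: "x25519", 0x0017: "secp256r1"}  # 0xfe00: id used on this page
SUPPORTED_VERSIONS, KEY_SHARE = 43, 51  # TLS extension types (RFC 8446)

def negotiated_group(record: bytes):
    """Parse one TLS record holding a ServerHello -> (tls13, group, share_len)."""
    try:
        if record[0] != 0x16 or record[5] != 0x02:
            raise ValueError("not a ServerHello handshake record")
        body = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 34 + 1 + body[34] + 3  # skip version, random, session id, suite, compression
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos, end = pos + 2, pos + 2 + ext_total
        if end != len(body):
            raise ValueError("truncated or malformed ServerHello")
        tls13, group, share_len = False, None, 0
        while pos < end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if pos > end:
                raise ValueError("extension overruns ServerHello")
            if ext_type == SUPPORTED_VERSIONS and data == b"\x03\x04":
                tls13 = True
            elif ext_type == KEY_SHARE and len(data) >= 2:  # HelloRetryRequest: group only
                group = int.from_bytes(data[:2], "big")
                share_len = int.from_bytes(data[2:4], "big") if len(data) > 2 else 0
        return tls13, group, share_len
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ServerHello") from None

def check(record: bytes) -> str:
    """Report whether the handshake used sntrup761 or fell back."""
    tls13, group, share_len = negotiated_group(record)
    if not tls13 or group is None:
        return "fallback: no TLS 1.3 key share"
    name = GROUPS.get(group, f"unknown(0x{group:04x})")
    if share_len == 0:
        return f"retry requested: {name}"
    return "ok: sntrup761" if group == 0xFE00 else f"fallback: {name}"

def sample_server_hello(group: int, share: bytes) -> bytes:
    """Constructed input: minimal TLS 1.3 ServerHello; share is placeholder bytes."""
    exts = struct.pack("!HH", SUPPORTED_VERSIONS, 2) + b"\x03\x04"
    exts += struct.pack("!HHHH", KEY_SHARE, 4 + len(share), group, len(share)) + share
    body = b"\x03\x03" + bytes(32) + b"\x00\x13\x03\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

Feed `check()` the first handshake record the server sends, taken from a packet capture; the ServerHello is sent in the clear in TLS 1.3, so no session keys are needed.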