Skip to content

KBS Protocol | Add PQC algorithm support - Prototype/iss 1271#1383

Open
grant-arqit wants to merge 18 commits into
confidential-containers:mainfrom
grant-arqit:prototype/iss-1271-grn
Open

KBS Protocol | Add PQC algorithm support - Prototype/iss 1271#1383
grant-arqit wants to merge 18 commits into
confidential-containers:mainfrom
grant-arqit:prototype/iss-1271-grn

Conversation

@grant-arqit

@grant-arqit grant-arqit commented May 26, 2026

Copy link
Copy Markdown

This is the initial draft implementation to enable PQC algorithm support across CoCo. These changes reflect those required on the Trustee side, and is enabled via a compile time feature flag.

@grant-arqit
Add prototype PQ encryption and key derivation functions.
beddb1e 
Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
@grant-arqit
Integrate API Server dispatch with prototype PQ encryption and KDF fu…
eee2960 
…nctions.

Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
@grant-arqit grant-arqit mentioned this pull request May 26, 2026
Open
Xynnn007
Xynnn007 reviewed May 27, 2026
View reviewed changes

@Xynnn007 Xynnn007 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks cool. Some nits at first round review. Btw, it would be good to add the experimental information in README.md

Comment thread kbs/src/akp.rs Outdated
Comment thread kbs/src/lib.rs Outdated
@grant-arqit
Re-factor jwe modules and PR remediation.
95c4586 
Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
@grant-arqit
Merge branch 'main' into prototype/iss-1271-grn
630c038
@grant-arqit
Fix namepspace error.
a3c554f 
Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
@grant-arqit
Add to README.md for experimental features and Makefile entries.
ae1f2fb 
Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
@grant-arqit
Update attestation service for PQC experimental POC. This requires de…
7bce769 
…serialiation friendly value for tee_putkey while main TeePubKey type doesn not include new AKP value.

Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
@grant-arqit
Merge branch 'main' into prototype/iss-1271-grn
194e2a1
@grant-arqit grant-arqit mentioned this pull request May 29, 2026
Open
@grant-arqit
Updated to include strongly types TeePubKey from kbs-types. pqc-exper…
cecfe54 
…imental now gated in guest-components. Trustee will accept classic and defined PQC types from guest-components.

Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
@grant-arqit grant-arqit mentioned this pull request Jun 2, 2026
Open
@grant-arqit

grant-arqit commented Jun 2, 2026

Copy link
Copy Markdown
Author

Latest commits integrate updated kbs-types definition for TeePubKey implemented in PR 87. The feature gating for processing PQC worklows is driven by changes in guest-components now. This change will encrypt responses based on any of the TeePubKey types defined in the updated kbs-types

Xynnn007
Xynnn007 reviewed Jun 3, 2026
View reviewed changes

@Xynnn007 Xynnn007 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some more ideas;

About the algorithm implementation, only one question (not blocker) is about scheme candidate.

More ideas are about code organization

Comment thread kbs/src/jwe/akp.rs
pub const AKP_KTY: &str = "AKP";

/// Algorithm identifier for ML-KEM-768 with AES-192 key wrap.
pub const ML_KEM_768_A192KW_ALGORITHM: &str = "ML-KEM-768+A192KW";

@Xynnn007 Xynnn007 Jun 3, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just out of curiosity: why not use MLKEM1024+A256KW?

@grant-arqit grant-arqit Jun 3, 2026
edited
Loading

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There was no technical reason for this. It's the default for TLS Hybrid and while MLKEM1024+A256KW provides higher assurance ML-KEM-768 which is tied to AES-192 for the key wrap should be adequate for general use. Let me know if you think otherwise.

@Xynnn007 Xynnn007 Jun 4, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no strong preference. I assumed that there is some hidden rules, but looks like no. Probably we need some comments upon the algorithm to help newbie like me to understand the reason?

Comment thread kbs/src/jwe/akp.rs Outdated
Comment thread kbs/src/api_server.rs Outdated
Comment thread kbs/Cargo.toml Outdated
Comment thread kbs/src/jwe/mod.rs
@grant-arqit
Re-instate feature flag. PR remediation.
3db9353 
Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
@grant-arqit
Additional pqc-experimental gating re-instatement.
cda49bd 
Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
Xynnn007
Xynnn007 approved these changes Jun 4, 2026
View reviewed changes

@Xynnn007 Xynnn007 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Last comments from my side. Others LGTM!

Comment thread kbs/src/jwe/mod.rs Outdated
@Xynnn007 Xynnn007 requested a review from fitzthum June 4, 2026 02:10
@grant-arqit
Remove lint macro. Underscore prefix for optional parameter.
380cb31 
Signed-off-by: Grant Nunn <grant.nunn@arqit.uk>
@grant-arqit grant-arqit marked this pull request as ready for review June 5, 2026 07:18
@grant-arqit grant-arqit requested a review from a team as a code owner June 5, 2026 07:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Xynnn007 Xynnn007 Xynnn007 approved these changes

@fitzthum fitzthum Awaiting requested review from fitzthum

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@grant-arqit @Xynnn007