By Dmitry Belyavskiy
While numerous robust post-quantum (PQ) standards exist, along with various projects implementing them, widespread adoption for communication and data protection hinges on their integration into mainstream OS distributions. By incorporating these standards into popular OS distributions, we can significantly enhance their accessibility and utility.
As a member of the QUBIP consortium, Red Hat has chosen Fedora Linux as the platform to provide initial support for quantum resistant cryptography. The Fedora Project creates an innovative, free, and open source platform for hardware, clouds, and containers that enables software developers and community members to build tailored solutions for their users. This community platform is ideal for testing software that will become part of Red Hat Enterprise Linux (RHEL) in a future release cycle. Red Hat has a strong presence in the community, influencing and contributing to its further development.
A rapid release cycle is a major enabling factor in Fedora’s ability to innovate. Being a center of innovation, Fedora Linux may include versions of software based on non-finalized specifications of PQ algorithms and protocols. The PQ software, being suitable for conducting experiments and building test environments, can be widely distributed for feedback. Red Hat teams actively participate in maintaining the QUBIP-relevant portions of the Fedora project.
The scope of the current additions to Fedora Linux is centered around adding low-level components that extend crypto libraries’ capabilities to provide PQ algorithms. The applications relying on these crypto libraries (OpenSSL, NSS) will be able to use the PQ algorithms via standard interfaces to the extent that their maintainers have implemented this. For instance, the OpenSSL-based web server NGINX and OpenSSL-dependent command-line TLS client tools like curl accept configuration options for specifying key exchange algorithms and can use OpenSSL providers based on system-wide configurations, so-called crypto policies. Introducing PQ support to particular applications (e.g., package signature verification, secure boot) is currently out of the scope of our efforts related to the QUBIP project, but of course we are going to incorporate any changes made by maintainers.
Red Hat associates have a long history of working with crypto libraries such as OpenSSL and NSS, chosen as primary targets for providing PQ algorithms, and are also involved in the upstream development of these libraries. These libraries are completely different. OpenSSL implements a so-called providers API that allows easy implementation of new algorithms and using them from OpenSSL-based applications. NSS also relies on a pluggable API (PKCS#11) but has more hard-coded limitations to deal with. OpenSSL dominates the web-server world (Apache, NGINX) and command-line utilities (curl), while the NSS-using web browser Firefox remains a popular GUI tool.
Protocol implementation in Fedora Linux requires standards covering PQ variants, and these are still incomplete. Therefore, there are no upstream repositories (i.e., the primary public repository of software, or in this case, of the operating system) ready to implement any PQ protocols until there is a complete (enough) specification approved by the relevant standard body.
The Fedora project relies on integrating open source components into the system and working in a compatible manner. Work started with choosing the relevant open source components to integrate into the OS. Our choice is liboqs and oqsprovider, developed by the Open Quantum Safe project.
Learn more about the need for post-quantum cryptography in “QUBIP and the transition to post-quantum cryptography” from the Red Hat Research Quarterly.
liboqs was chosen to be included in Fedora Linux after investigating many options. It is written in C, follows best development practices, provides a wide list of algorithms, and it has a suitable license and a very responsive upstream. The combination of these circumstances makes liboqs a good choice both for QUBIP purposes and for possible future use in Fedora Linux. Furthermore, liboqs uses the same low-level implementation of PQ algorithms (PQClean) that is, to the best of our knowledge, planned to be included into NSS so it improves compatibility between the two libraries.
oqsprovider is based on liboqs, is implemented by the same team, and tests using oqsprovider are run as a part of OpenSSL integration tests. This ensures compatibility between the provider and OpenSSL itself. We added liboqs and oqsprovider in Fedora 39, the earliest supported version as of now. Since then it has been possible to experiment with PQ key exchange in TLS, which we presented at FOSDEM’24. At this stage, it was possible to test PQ KEM using hybrid Kyber solutions for NGINX and curl and also test the interoperability with external implementations (Google, Cloudflare).
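A client-side check for the hybrid key exchange test described above, as an added example that is not code from the article, Fedora, or the Open Quantum Safe project. The function names are hypothetical, the server URL is supplied by the caller, and the script assumes that oqsprovider's TLS group names match its KEM algorithm names and that a stand-alone `OPENSSL_CONF` file is used instead of the system crypto policies.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from any project.

# Minimal OpenSSL config activating oqsprovider beside the default provider.
write_oqs_conf() {            # $1: path of the config file to create
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
oqsprovider = oqsprovider_sect
[default_sect]
activate = 1
[oqsprovider_sect]
activate = 1
EOF
}

# Filter `openssl list -kem-algorithms` output (stdin) down to the
# algorithm names served by oqsprovider, one per line.
oqs_kems() {
    sed -n 's/^[[:space:]]*\([^ {][^ ]*\) @ oqsprovider$/\1/p'
}

# First hybrid name, i.e. one with a classical prefix (assumed naming scheme).
pick_hybrid() {
    grep -E '^(x25519|x448|p256|p384|p521)_' | head -n 1
}

# Constructed sample of the listing, for trying the filters offline.
SAMPLE_LISTING='  { 1.2.840.10045.2.1, EC, id-ecPublicKey } @ default
  kyber768 @ oqsprovider
  x25519_kyber768 @ oqsprovider'

# Offer exactly one hybrid group over TLS 1.3 to the server at $1; the
# handshake can only succeed if that group is negotiated.
check_hybrid_tls() {
    conf=$(mktemp) || return 1
    write_oqs_conf "$conf"
    group=$(OPENSSL_CONF="$conf" openssl list -kem-algorithms | oqs_kems | pick_hybrid)
    if [ -z "$group" ]; then
        echo "oqsprovider offers no hybrid KEM" >&2; rm -f "$conf"; return 1
    fi
    OPENSSL_CONF="$conf" curl --tlsv1.3 --curves "$group" -sS -o /dev/null "$1"
    rc=$?; rm -f "$conf"; return "$rc"
}
```

Forcing TLS 1.3 matters here: an older protocol version could complete the handshake with a classical key exchange and hide the fact that the hybrid group was never used.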
Subsequently, we have been working on extending the level of integration of PQ algorithms into Fedora. This requires upgrading the OpenSSL, liboqs, and oqsprovider versions shipped with Fedora to match up-to-date standard versions and development, and contributing to these projects. The version of liboqs available in the distribution determines the level of compatibility with the draft version of standards. Usually, the latest versions of liboqs and oqsprovider are available in Fedora Rawhide (the Fedora Linux development version).
Currently, the PQ algorithms provided by different versions of Fedora Linux are different. Versions 39 and 40 provided Kyber and Dilithium, but this changed after the latest NIST drafts were published. Fedora Rawhide (future Fedora 41) provides both recent NIST versions (ML-DSA and ML-KEM), and we also added the hybrid Kyber-based algorithms to the list of supported algorithms in the build of liboqs. We did this to be able to interoperate with existing deployments of these algorithms despite their experimental status. This, however, may change in the future.
Fedora Linux implements crypto policies, a system-wide feature that provides consistent configurations for all applications using core crypto libraries (OpenSSL, NSS, GnuTLS). Separate crypto policies enabling PQ and/or hybrid algorithms are available.
To simplify the setup for demo purposes, we have implemented a container for NGINX and curl so users can easily try out simple TLS connections. These container images have all the necessary components and the crypto policies installed but will need some manual steps (like key generation) to be prepared for testing. Documentation is not ready yet, but we plan to provide it before the public release.
liboqs and oqsprovider are already available in the distribution. The other partners will make additional components available for testing in separate repositories that will make it simple to install and test their modifications. These repositories may be added to a particular installation during system configuration, and then the standard system commands will be used to install components seamlessly. GUI tools such as Firefox will probably be available in Flatpak format. Applications distributed in this format can include custom versions of system libraries (NSS), so that incompatible changes don’t affect the whole system.
All these changes make Fedora Linux a great playground for experimenting with PQ algorithms and a viable platform for the QUBIP efforts to integrate PQ cryptography into protocols, networks, and systems we use in our regular work.
This blog post is reshared with permission from the QUBIP website.
About the author: Dmitry Belyavskiy is a principal software engineer at Red Hat.
The QUBIP project is funded by the European Union under Grant Agreement No. 101119746. Views and opinions expressed are, however, those of the author(s) only and do not necessarily reflect those of the European Union or European Research Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.