microsoft / PQCrypto-VPN

Post-quantum Cryptography VPN
https://www.microsoft.com/research/project/post-quantum-crypto-vpn/
MIT License

How to build a custom PQCrypto-VPN with latest (dev) liboqs and OQS-OpenSSL (1.1.1k) on Windows 10 #28

Closed pqfan closed 1 year ago

pqfan commented 3 years ago

My building system's basic details: O.S.: Windows 10 Home Edition

CPU: AMD-type

CMD Prompt: Using Administrator x64 Native tools command prompt of VS 2019

Stage: all tests passed, oqs-openssl and libs installed correctly and working

Here is a quick guide on how to achieve it:

1. Build the repository of Microsoft PQCrypto-VPN as it currently is, resulting in the Windows binary, and install it.

2. Install all the according Windows dependencies (git, VS 2019, Perl - Active & Strawberry - MinGW & MSys, other needed extensions like Ninja, NASM etc. - check the liboqs and openssl-oqs repo) and clone the latest (dev versions) of liboqs and openssl-oqs from the gits.

3. After cloning, when in \liboqs\build use: `cmake -GNinja -DCMAKE_INSTALL_PREFIX=..\..\openssl-oqs\oqs -DBUILD_SHARED_LIBS=OFF ..` then `ninja` and `ninja install` should work just fine.

4. Build normally according to the instructions (`perl Configure VC-WIN64A`, then `nmake test`, then `nmake install`).

5. Import (copy) the libraries from the newly installed Program Files\OpenSSL directory (under C:) to the openvpn\bin directory. You should also copy the newly created openssl.exe (binary) from \Program Files\OpenSSL\bin to \OpenVPN\bin as well. It works but the system may need to be restarted.

6. Don't forget to set the according PATH variables.

7. Test the new algorithms. You can also activate other desired OQS algorithms than the default enabled ones. Follow this guide of the openssl-oqs folder on an Ubuntu machine and then download the updated archive/directory to your Windows system, re-install liboqs as explained above targeting this new directory and then perl Configure... , nmake... and you should be ready!

I hope you find my guide useful.

Best regards!
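
A check for steps 5 and 6 of the guide above, as an added example that is not part of the original post or of the project's code: it compares SHA-256 hashes of openssl.exe and the DLLs between the build's install directory and OpenVPN's bin directory, and reports which openssl.exe PATH resolves first. Both default paths and the function name `Compare-BuiltFiles` are assumptions; pass the directories your install actually uses.

```powershell
# Added example: verify that OpenVPN's bin directory holds the freshly built
# OQS-OpenSSL files (step 5) and that PATH resolves to them (step 6).
# Both directory defaults below are assumptions; pass your real paths.
param(
    [string]$BuiltBin   = 'C:\Program Files\OpenSSL\bin',  # nmake install target (assumed)
    [string]$OpenVpnBin = 'C:\Program Files\OpenVPN\bin'   # OpenVPN location (assumed)
)

function Compare-BuiltFiles {
    param([string]$Source, [string]$Destination)
    # Compare openssl.exe and every DLL from the build with the copy in Destination.
    Get-ChildItem -Path $Source -File |
        Where-Object { $_.Extension -eq '.dll' -or $_.Name -eq 'openssl.exe' } |
        ForEach-Object {
            $target = Join-Path $Destination $_.Name
            $status = if (-not (Test-Path -LiteralPath $target)) {
                'MissingInDestination'
            } elseif ((Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -eq
                      (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash) {
                'Match'
            } else {
                'Stale'   # destination still holds a different (older) build
            }
            [pscustomobject]@{ File = $_.Name; Status = $status }
        }
}

$report = Compare-BuiltFiles -Source $BuiltBin -Destination $OpenVpnBin
$report | Format-Table -AutoSize

# PATH check: the first openssl.exe found should be one of the two verified copies.
$first = Get-Command openssl.exe -CommandType Application -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $first) {
    Write-Warning 'openssl.exe is not on PATH'
} elseif ((Split-Path $first.Path -Parent) -notin @($BuiltBin, $OpenVpnBin)) {
    Write-Warning "PATH resolves openssl.exe to $($first.Path), not the new build"
}

if ($report.Status -contains 'Stale' -or $report.Status -contains 'MissingInDestination') {
    Write-Warning 'OpenVPN bin is not in sync with the built OQS-OpenSSL files'
}
```

A `Stale` row means OpenVPN would still load the previous library, so the new algorithms would not be the ones under test.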

pqfan commented 3 years ago

Greetings all,

Some updates regarding my quick guide: Taking into consideration that all of OpenSSL, OQS-OpenSSL and libOQS have changed since then (liboqs now turns into 0.5.0 and openssl is regularly updated, having many fixes since my initial post), I would like to note the following observations and propose some quicker ways to test the latest algorithms on Windows 10 (Pro - co_release in my case).

For the step 1. You can just download Kevin's PQCrypto-VPN Windows binary from the "Releases page of this repository". But when building on a Linux (Ubuntu) server, keep in mind to replace the repos that are cloned with the ones you would like to test (meaning the latest repos as found on the OQS project according git repository sites).

For the step 3. Replace the previously suggested command with the intended/standard one ( `cmake -GNinja -DCMAKE_INSTALL_PREFIX=..\..\openssl-oqs\oqs ..` ).

For the step 5. You should copy and replace all of the library files and the binary built with those found in the openvpn\bin directory.

Some algorithms such as sidhp etc. are currently now working/enabled on the latest Windows build, so you may need to:

  1. Build an initial Ubuntu package with the PQCrypto-VPN script (after replacing with the latest liboqs & openssl-oqs repos)
  2. Apply the recommendations for enabling custom algorithms on Ubuntu first, as found in the project Wiki (use the link found in the original post)
  3. Move and build the "patched" repos on a Windows machine using this guide

I will try to apply this last recommendation myself as well and share my future insights.

Congratulations to all the involved people and contributors of the OpenSSL, PQCrypto-VPN, OQS-OpenSSL, libOQS sub-projects for all this great work!

kevinmkane commented 3 years ago

Thank you for your continued interest! As you see we haven't had the resources available to update this project yet, but I'm keeping your issues open so that we have them as a reference when we're able.

And of course, we always take pull requests, so if you have the time and motivation to make any of the changes yourself, we'd be glad to take them!

pqfan commented 3 years ago

Greetings Kev,

Yes, I would be more than happy to provide some contribution on the PQCrypto-VPN sub-project of OQS, possibly by providing a frequently upgraded branch of all the according repos involved, so I have already started working on it and I will provide you with details pretty soon, maybe within a few days.

Also I have to state that in the Windows build, all PQ KEMs are enabled but in HYBRID mode, except NTRU-Prime which is also allowed to be used in normal PQ mode.

That means: If <KEX> is any of the algorithms listed above, the following hybrid algorithms are supported:

if <KEX> has L1 security, the fork provides the method p256_<KEX>, which combines <KEX> with ECDH using the P256 curve.
if <KEX> has L3 security, the fork provides the method p384_<KEX>, which combines <KEX> with ECDH using the P384 curve.
if <KEX> has L5 security, the fork provides the method p521_<KEX>, which combines <KEX> with ECDH using the P521 curve.

For example, since kyber768 claims L3 security, the hybrid p384_kyber768 is available.

(these datasheets specify which provide what security)

pqfan commented 3 years ago

Two very last notes for now, I would like to comment, coming from my tests so far, are that:

A. actually every pure PQ KEM algorithm originally enabled in OQS-OpenSSL and libOQS can be used using my guide above, but you have to:

  1. Pick KEMs in hybrid-cryptography mode as written in the previous post
  2. Pick any enabled pure OQS signature algorithm for the public key signature, and not any among those that are available from the fork for the hybrid-cryptography mode. If my assumptions are correct, that way the key exchange that is initialized in hybrid-cryptography mode results in a pure PQ exchange, by using only PQ certs/keys.

B. The second one is that if the desired algorithm falls in NIST L4 security, you can use it as either secp384 or secp521 (I don't remember now which one worked for me, actually)

Best regards and enjoy the NIST Round 3 submissions!