Feature #22068: Adding post-quantum cryptography (PQC) support across Ruby standard libraries
Status: open
Description
Summary and motivation
Post-quantum cryptography (PQC) refers to cryptographic algorithms that remain safe to use after (post) quantum computing becomes practical in the future. A quantum computer, being far more powerful than current computers for certain problems, could be used to break the current non-PQC algorithms.
The goal of this ticket is to make Ruby (including its libraries: default gems and bundled gems) work in an environment where only post-quantum cryptography (PQC) algorithms are enabled. The PQC algorithms are only ML-DSA, ML-KEM and SLH-DSA for now. ML-DSA is used for signatures (certificates), and ML-KEM is used for key establishment in connections. As I heard from my colleagues working on OpenSSL that SLH-DSA is not ready to be used, we can ignore SLH-DSA for now.
Ruby OpenSSL (ruby/openssl) already supports PQC as of the ticket ruby/openssl#894. Some work is still needed for the other standard libraries in Ruby that use Ruby OpenSSL so that they support PQC as well.
I cite the following text from NIST's PQC document. NIST is an organization that defines cryptographic standards.
Some engineers even predict that within the next twenty or so years sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.
I also cite the following text from the blog of DigiCert, a security company. (link)
Gartner predicts that by 2029, conventional asymmetric cryptography like RSA and ECC will be unsafe for protecting sensitive data due to “harvest-now, decrypt-later” threats—even before a quantum break occurs.
So, it's better to prepare PQC support now.
As an example of actual movement in this direction, the European Commission is trying to migrate from non-PQC to PQC. (link)
Proof of concept
I manage my proof-of-concept scripts on my junaruga/ruby-pqc-test repository. For now, there are only some scripts to test RubyGems and Bundler in PQC use cases.
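An added readiness probe for the PQC-only environment this ticket targets (my example, not code from the ticket or from junaruga/ruby-pqc-test). It exercises the public ruby/openssl API for both algorithm families named above, ML-DSA-65 for signing and ML-KEM-768 for key establishment; the algorithm names assume the OpenSSL 3.5 provider names, and on an older libssl each probe reports the error instead of aborting.

```ruby
require "openssl"

# Constructed sample payload; in the ticket's use cases this would be gem
# metadata (RubyGems signing) or a TLS handshake message (net-http).
MESSAGE = "constructed sample payload".b.freeze

# Probe an ML-DSA parameter set: key generation, signing, verification with
# the public key only, and rejection of a tampered message.
# Returns true on success, or a string describing why the step failed.
def probe_ml_dsa(alg = "ML-DSA-65")
  key = OpenSSL::PKey.generate_key(alg)
  sig = key.sign(nil, MESSAGE)                 # nil digest: ML-DSA signs the raw message
  pub = OpenSSL::PKey.read(key.public_to_pem)  # the verifying side only has the public key
  return "#{alg}: valid signature rejected" unless pub.verify(nil, sig, MESSAGE)
  return "#{alg}: tampered message accepted" if pub.verify(nil, sig, MESSAGE + "x")
  true
rescue => e # PKeyError on libssl < 3.5 (unknown algorithm), NoMethodError on old gems
  "#{alg}: #{e.class}: #{e.message}"
end

# Probe an ML-KEM parameter set: key generation and a SubjectPublicKeyInfo
# round-trip, which is the form a TLS peer or a certificate carries.
def probe_ml_kem(alg = "ML-KEM-768")
  key = OpenSSL::PKey.generate_key(alg)
  pub = OpenSSL::PKey.read(key.public_to_pem)
  return "#{alg}: public key did not round-trip" unless pub.public_to_der == key.public_to_der
  true
rescue => e
  "#{alg}: #{e.class}: #{e.message}"
end

# One report for the whole environment: library version plus per-algorithm result.
def pqc_readiness
  {
    openssl_library: OpenSSL::OPENSSL_LIBRARY_VERSION,
    "ML-DSA-65" => probe_ml_dsa,
    "ML-KEM-768" => probe_ml_kem,
  }
end

# True only when both algorithm families the ticket relies on work here.
def pqc_ready?(report = pqc_readiness)
  report.values_at("ML-DSA-65", "ML-KEM-768").all?(true)
end

if $PROGRAM_NAME == __FILE__
  pqc_readiness.each { |name, result| puts "#{name}: #{result}" }
  puts(pqc_ready? ? "PQC-only environment: OK" : "PQC-only environment: NOT ready")
end
```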
Tasks
I checked ruby/ruby, including default gems and bundled gems, at the master branch commit 93f1010f70a3ac924c3b37e4ae82cf1a669fcbf0, which was the latest at that time.
While the ruby/ruby code itself doesn't have PQC logic, in my investigation the following libraries, each of which has its own upstream project, need to be modified to support PQC use cases. I am motivated to work on these tasks, adding the PQC features and/or tests. I will open an issue ticket for each upstream project ruby/* one by one.
- ruby/rubygems - issue link - Add PQC features
- ruby/rubygems bundler - issue link - Add PQC features
- ruby/net-http - default gem - Update code comments and add PQC tests
- ruby/open-uri - default gem - Add PQC tests
- ruby/spec - spec/ - Add PQC tests
- ruby/drb - bundled gem - Add PQC features
- ruby/rbs - bundled gem - Not sure. There is stdlib/openssl/0/openssl.rbs.
Note: I used the following ripgrep rg command (an enhanced grep) to find the files affected by PQC.
$ rg "require +['\"]openssl['\"]|OpenSSL" --type ruby
Let me know what you think.