make coral-tunnel hardening; FINDINGS 6 wording; deterministic lopt sign #48

Merged: wock9000 merged 3 commits into trunk from coral-tunnel-followups on May 14, 2026
wock9000 commented May 14, 2026

Summary

Three follow-ups, all under-the-hood (no headline numbers change):

  1. make coral-tunnel hardening — pin -4 (IPv4), ServerAliveInterval=30, ExitOnForwardFailure=yes. Saw the tunnel die silently twice during PR V3 throughput bench + FINDINGS entry 5: network bottleneck retires planned experiment #47 work; this stops it.
  2. FINDINGS entry 6 wording — replace "closed line of investigation" with the honest split. Architectural-fix arc (co-location) closed; optimization arc on the Coral's per-step bookkeeping (~41 ms of 43 ms) open and unattempted — C/Cython rewrite or on-device softmax fused with the matmul are each named order-of-magnitude levers.
  3. lopt sign --backend liboqs — deterministic FIPS 204 signatures via the documented OQS_randombytes_custom_algorithm extension point. Same (sk, message, sign-seed) → bit-identical signature bytes; cross-backend interop with pqcrypto's verify confirmed.

Determinism table (ML-DSA-65, end-to-end smoke test)

| backend | seed | result |
|---|---|---|
| pqcrypto (default) | n/a (hedged) | new signature each call; all verify |
| liboqs | same seed twice | bit-identical signatures; both verify |
| liboqs | different seeds | different signatures; both verify |
| (either) | tampered message | verify FAIL, exit 1 |

Test plan

  • make coral-tunnel works with the new flags on this network (IPv6 was the bug)
  • FINDINGS entry 6 reads honestly — what's closed, what's open
  • liboqs sign roundtrip: keygen → sign (twice same seed) → verify; same seed produces identical bytes; different seeds don't; all verify
  • Tampered message verify exits 1
  • Default behavior unchanged: lopt sign without --backend still uses pqcrypto

🤖 Generated with Claude Code

wock9000 and others added 2 commits May 13, 2026 23:47
- Makefile coral-tunnel: -4 forces IPv4 (host's IPv6 to coral times
  out in this network), ServerAliveInterval keeps the tunnel from
  silently dying on idle, ExitOnForwardFailure fails fast instead of
  leaving a stale tunnel.
- FINDINGS entry 6: replace "closed line of investigation" with the
  honest split — the architectural-fix arc is closed (built and
  measured), the optimization arc on the Coral-side per-step
  bookkeeping is open and unattempted (C/Cython rewrite of the
  Boltzmann selection, on-device softmax fused with the matmul).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ML-DSA in pqcrypto's PQClean is hedged (fresh OS randomness per sign,
two signs of the same (sk, message) differ). For callers that need
bit-reproducible signatures — auditability, regression tests,
content-addressed signed artifacts — add a liboqs backend that drives
liboqs's RNG callback with a SHAKE-256 DRBG seeded from --sign-seed-hex.

This uses the documented OQS_randombytes_custom_algorithm C extension
point that liboqs provides explicitly for callers needing a custom
RNG; the binding lives in lopt/_liboqs_rng.py (the same one keygen
already uses). FIPS 204 deterministic mode by construction.

Wire-format compatibility: liboqs-produced signatures verify against
pqcrypto's verify and vice versa (both implement the same standard).

  lopt sign --algo ml-dsa-65 --sk-hex $SK --message-file msg \
            --backend liboqs --sign-seed-hex $(lopt seed sign-1 --n-bytes 64)
  # same invocation, same bytes out. Pipe to a content-hash, ship.

Default backend stays pqcrypto (no extra C dep). --backend liboqs
errors loudly if liboqs-python or the liboqs shared library isn't
installed; users opt into the heavier dep deliberately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
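
Added example, not part of this PR or of lopt: a minimal SHAKE-256 DRBG of the kind the commit message above describes, driving a stand-in hedged signer through an RNG callback. `ShakeDrbg`, its domain string and `hedged_tag` are hypothetical names; the real binding in lopt/_liboqs_rng.py is not shown on this page.

```python
import hashlib
import os


class ShakeDrbg:
    """Deterministic byte stream: SHAKE-256(domain || seed), read sequentially."""

    def __init__(self, seed: bytes, domain: bytes = b"example-sign-drbg"):
        if len(seed) < 32:
            raise ValueError("seed must be at least 32 bytes")
        self._xof = hashlib.shake_256(domain + seed)  # domain tag is an assumption
        self._offset = 0

    def randombytes(self, n: int) -> bytes:
        # hashlib cannot squeeze incrementally, so re-derive the prefix and
        # slice it; successive calls never return overlapping output.
        out = self._xof.digest(self._offset + n)[self._offset:]
        self._offset += n
        return out


def hedged_tag(sk: bytes, message: bytes, randombytes) -> bytes:
    """Stand-in for a hedged signer (NOT ML-DSA): draws 32 bytes of per-call
    randomness from the callback and mixes it into the output."""
    rnd = randombytes(32)
    return hashlib.shake_256(sk + rnd + message).digest(48)


def demo():
    sk, msg = b"\x01" * 32, b"constructed sample message"
    seed_a = bytes(range(64))        # constructed 64-byte seeds
    seed_b = bytes(range(1, 65))

    def fresh(seed):
        return ShakeDrbg(seed).randombytes  # new DRBG per sign call

    same = hedged_tag(sk, msg, fresh(seed_a)) == hedged_tag(sk, msg, fresh(seed_a))
    differ = hedged_tag(sk, msg, fresh(seed_a)) != hedged_tag(sk, msg, fresh(seed_b))
    shared = ShakeDrbg(seed_a).randombytes  # one DRBG reused across two calls
    reused = hedged_tag(sk, msg, shared) == hedged_tag(sk, msg, shared)
    os_rng = hedged_tag(sk, msg, os.urandom) == hedged_tag(sk, msg, os.urandom)
    return same, differ, reused, os_rng


if __name__ == "__main__":
    print(demo())
```

The `reused` case shows why the DRBG has to be re-seeded for every sign call: a shared instance advances its stream, so the second output no longer matches the first.
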
wock9000 changed the title from "make coral-tunnel: pin IPv4 + keepalive; FINDINGS 6 wording fix" to "make coral-tunnel hardening; FINDINGS 6 wording; deterministic lopt sign" on May 14, 2026

The auto-installer in liboqs-python 0.14.1 pins a non-existent
upstream tag; the brew bottle is static-only. Source-build is
currently the only working path on macOS. Documented end-to-end with
the OQS_INSTALL_PATH knob, plus an explicit "what you get" table that
now covers signing reproducibility per backend, not just keygen.

Upstream tracking: liboqs-python issue #133 (already open). Comment
posted with the concrete failure mode + macOS workaround.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

wock9000 merged commit ec8a2e2 into trunk on May 14, 2026 (1 check passed)
wock9000 deleted the coral-tunnel-followups branch on May 14, 2026 09:26