libpqcrypto

Prerequisites

The following instructions are for Debian/Ubuntu systems. Other modern Linux/BSD/UNIX systems should work with minor adjustments to the instructions. These instructions need the following packages:

Check that df /home/ shows at least 300000 1K-blocks available, and that df -i /home/ shows at least 30000 inodes free. Currently a typical compile-and-test run uses about 200MB and about 15000 inodes.

Download, unpack, compile, test, install

In a root terminal, create a libpqcrypto user:

    adduser --disabled-password --gecos libpqcrypto libpqcrypto

Run a shell as that user:

    su - libpqcrypto

As that user, download and unpack the latest version of libpqcrypto:

    wget -m https://libpqcrypto.org/libpqcrypto-latest-version.txt
    version=$(cat libpqcrypto.org/libpqcrypto-latest-version.txt)
    wget -m https://libpqcrypto.org/libpqcrypto-$version.tar.gz
    tar -xzf libpqcrypto.org/libpqcrypto-$version.tar.gz
    cd libpqcrypto-$version
    ln -s $HOME link-build
    ln -s $HOME link-install

Compile, test, and install (this takes time):

    ./do

Exit the user shell:

    exit

That's it.

Options

Remote installation

The download-unpack-compile-test-install process runs entirely from the command line. The process is compatible with the root shell being run under screen, and is compatible with this screen being run on another machine accessed through ssh.

Skipping prerequisites

If OpenSSL and/or GMP are not present, libpqcrypto will continue compilation, but it will limit the installation to what it can test. For example, the ramstake functions need GMP, and if you compile without GMP then libpqcrypto will omit ramstake. You can install GMP later and recompile libpqcrypto.

Skipping primitives

./do will skip a signature system or encryption system if you set the sticky bit on the relevant crypto_sign or crypto_kem subdirectory. For example, chmod +t crypto_sign/*/ skips all signature systems; chmod -t crypto_sign/*/ undoes this. Similar comments apply to lower-level directories for particular implementations.

Compiler options

./do tries a list of compilers in compilers/c, keeping the fastest working implementation of each primitive. Before running ./do you can edit compilers/c to adjust compiler options or to try additional compilers. Beware that each compiler takes time and disk space.

Multi-ABI support

If you put both 32-bit and 64-bit compilers into compilers/c then ./do will produce both 32-bit and 64-bit libraries, available through lib-x86 and lib-amd64 (on Intel/AMD CPUs) or lib-armeabi and lib-aarch64 (on ARM CPUs). You should put the 64-bit compilers first so that they are used (if possible) for the command-line tools.

Future possibilities

Fewer prerequisites

Not many functions in libpqcrypto use OpenSSL, and eliminating the OpenSSL dependency will not take much more work. There are already alternative non-OpenSSL implementations for crypto_stream_aes256ctr and crypto_hash_sha512. OpenSSL is also used for AES-128-CTR in frodo*; for SHA-256, SHA-384, and SHA-512 in gui* and rainbow*; and for SHA-256 in sphincs*sha256.

Faster compilation and testing

Some effort will allow compilation and testing to be parallelized on multi-core systems. Speed improvements to libpqcrypto will also save time in testing, and increased sharing of internal subroutines will save time in compilation.

Cross-compilation

libpqcrypto already has some internal support for cross-compilation. The first stage of ./do, namely ./build, only generates .o files without running any. The next stage, namely ./test, links and runs binaries and creates libraries but does not make any new .o files.


Version: This is version 2018.03.15 of the "Installation" web page.