Looma Prototype

Overview

This repository contains our Looma prototype, built on top of the picotls TLS 1.3 library.

At a high level, Looma integrates online/offline post-quantum authentication into the TLS workflow with a focus on low-latency handshakes for microservice and datacenter applications.

The environment setup below installs:

• OpenSSL 3.2.2 into /usr/local
• Liboqs (older commit branch) into /usr/local
• Oqs-provider (older fork) into /usr/local
• OpenSSL config updated to auto-load oqsprovider

Note: The Looma prototype expects oqs-provider algorithms named like dilithium2 (not mldsa*). That is why we pin an older liboqs commit and use an older oqs-provider fork.

---

Quickstart

1. Environment setup

We ran experiments on Ubuntu 24.04 (Noble Numbat) with Linux kernel 6.8.0-85-generic. Install the following on both server and client machines.

Hardware requirement: Building the default BLAKE hash implementation requires AVX-512 (AVX512F) on x86_64. If your CPU/toolchain target does not enable AVX-512, compilation will fail.

1. Install prerequisites:

   sudo apt update
   sudo apt install -y build-essential cmake git perl pkg-config ca-certificates \
     curl tar zlib1g-dev

2. Install OpenSSL 3.2.2 to /usr/local:

   cd /tmp
   curl -L -o openssl-3.2.2.tar.gz https://www.openssl.org/source/openssl-3.2.2.tar.gz
   tar -xzf openssl-3.2.2.tar.gz
   cd openssl-3.2.2
   
   ./Configure linux-x86_64 \
     --prefix=/usr/local \
     --openssldir=/usr/local/ssl \
     shared zlib
   
   make -j"$(nproc)"
   make test
   sudo make install_sw install_ssldirs
   
   printf "/usr/local/lib64\n/usr/local/lib\n" | sudo tee /etc/ld.so.conf.d/usr-local-openssl.conf
   sudo ldconfig

   Verify OpenSSL:

   /usr/local/bin/openssl version -a | head -n 3

3. Install liboqs (pinned):

   cd ~
   git clone https://github.com/sus0pid/liboqs.git
   cd liboqs
   git checkout pinned-51708b6
   
   rm -rf build && mkdir build && cd build
   cmake .. \
     -DCMAKE_BUILD_TYPE=Release \
     -DCMAKE_INSTALL_PREFIX=/usr/local \
     -DBUILD_SHARED_LIBS=ON
   cmake --build . -j"$(nproc)"
   sudo cmake --install .
   sudo ldconfig

   Sanity check:

   ldconfig -p | grep -i liboqs

   Expected: liboqs.so.7 (libc6,x86-64) => /usr/local/lib/liboqs.so.7
liboqs.so (libc6,x86-64) => /usr/local/lib/liboqs.so

4. Install oqs-provider (fork):

   cd ~
   git clone https://github.com/sus0pid/oqs-provider.git
   cd oqs-provider
   
   rm -rf _build
   cmake -S . -B _build \
     -DCMAKE_BUILD_TYPE=Release \
     -DCMAKE_INSTALL_PREFIX=/usr/local \
     -DOPENSSL_ROOT_DIR=/usr/local \
     -Dliboqs_DIR=/usr/local/lib/cmake/liboqs
   cmake --build _build -j"$(nproc)"
   sudo cmake --install _build
   sudo ldconfig

   Sanity check:

   ls -l /usr/local/lib64/ossl-modules/oqsprovider.so

   Expected: -rw-r--r-- 1 root root 1096288 Jan 3 19:33 /usr/local/lib64/ossl-modules/oqsprovider.so

5. Configure OpenSSL to auto-load oqsprovider

   Edit /usr/local/ssl/openssl.cnf and ensure the following exists:

   openssl_conf = openssl_init
   
   [openssl_init]
   providers = provider_sect
   
   [provider_sect]
   default = default_sect
   oqsprovider = oqsprovider_sect
   
   [default_sect]
   activate = 1
   
   [oqsprovider_sect]
   module = /usr/local/lib64/ossl-modules/oqsprovider.so
   activate = 1
   

   Verify providers are loaded:

   OPENSSL_CONF=/usr/local/ssl/openssl.cnf /usr/local/bin/openssl list -providers -verbose

2. Build and run Looma

Clone the repo:

cd ~
git clone https://github.com/uoenoplab/looma.git
cd looma

Initialize submodules for picotls:

git submodule update --init --recursive

Build:

./build.sh

Usage examples:

cd build
./simple-server 127.0.0.1 5555 rsa
./simple-client 127.0.0.1 5555 rsa

Use ./simple-server -h and ./simple-client -h for detailed usage.

3. Benchmark scripts

Run scripts from the build/ directory so ./s-server and ./s-client are found. The scripts also call sysctl to set tcp_tw_reuse; you might need sudo privileges for that setting.

Test 1. Basic handshake latency (Fig. 8 and Table VI):

cd build
./o2o_server.sh <SERVER_IP>
./o2o_client.sh <SERVER_IP>

Test 2. Many-to-one scenario (Fig. 10):

cd build
./m2o_server.sh <SERVER_IP>
./m2o_client.sh <SERVER_IP>

Test 3. One-to-many scenario (Fig. 11):

cd build
./o2m_server.sh <SERVER_IP>
./o2m_client.sh <SERVER_IP>

Generated CSV file examples:

wall_handshake_log_rsa_1threads_1conns_0cps_s_n15.csv, which records sTLS handshake latency for RSA, and wall_handshake_log_dilithium2_1threads_1conns_0cps_m_n15.csv, which records mTLS handshake latency for Dilithium-2. In these filenames, the second-to-last label is the TLS mode (s for sTLS, m for mTLS), and the final label (for example, n15) is the hostname of the client machine.

Note: We previously used hsig as the project name, so you may see hsig throughout the codebase. It is equivalent to looma.