SQIsign PQC for Go

Task

The advancement in quantum computers has led to a rise in interest from companies to plan ahead and prepare their infrastructure for a so-called post quantum world, where certain commonly used cryptographic algorithms are expected to become deprecated as they will be "easily" cracked by quantum computers. One major area, which is expected to face a change is the existing handshake algorithms such as ECDH (Elliptic-curve Diffie–Hellman) and digital signatures such as X.509.

Currently there are many new alternatives being researched as possible replacements, however, each has its own downsides. Some have very large public keys and signatures - relevant when transferring them over the internet - and others are quite slow in terms of signing and verification. The table below from Cloudflare represents some alternatives to the current signature schemes.

As seen on the table, one of the more interesting PQC signature schemes is SQIsign, as it has both relatively small sized public keys and signatures, even though it is significantly slower than other alternatives when it comes to signing and verification. This makes SQIsign ideal for certain types of applications that have strict data size requirements; however, the library is written primarily in C and is not rewritten or provide bindings for other programming languages.

Solution

I took it upon myself to build bindings for the library for the Go programming language. I did this by creating bindings for the language using cgo. As the library only needs to expose three functions - namely: keygen, sign, and verify - , it was fairly simple to complete the task.

The project repo is publicly available on my GitHub.

Currently I have also been building bindings for this library for Dart(Flutter) and JavaScript, in order to make it accessible on multiple platforms and in various forms - as packages for apps, WASM files for the web. This work is not public yet, but I will add it to this article when it is released.