PQC: Implement draft RFC for ML-DSA with Ed25519 (#13)

Implements Draft 6
(https://datatracker.ietf.org/doc/draft-ietf-openpgp-pqc/06/).

Also, chunk ML-KEM and ML-DSA together in lightweight bundle.
Noble-curves had to be updated to v1.7.0 to ensure the same
version of noble-hashes is used as noble-post-quantum,
making it possible to reuse the sha3 code/chunk across libs.

.github/test-suite/config.json.template

@@ -4,7 +4,8 @@
         "id": "sop-openpgpjs-branch",
         "path": "__SOP_OPENPGPJS__",
         "env": {
-          "OPENPGPJS_PATH": "__OPENPGPJS_BRANCH__"
+          "OPENPGPJS_PATH": "__OPENPGPJS_BRANCH__",
+          "OPENPGPJS_CUSTOM_PROFILES": "{\"generate-key\": { \"post-quantum\": { \"description\": \"generate post-quantum v6 keys (relying on ML-DSA + ML-KEM)\", \"options\": { \"type\": \"pqc\", \"config\": { \"v6Keys\": true } } } } }"
         }
       },
       {

openpgp.d.ts

@@ -704,7 +704,7 @@ export type EllipticCurveName = 'ed25519Legacy' | 'curve25519Legacy' | 'nistP256
 interface GenerateKeyOptions {
   userIDs: MaybeArray<UserID>;
   passphrase?: string;
-  type?: 'ecc' | 'rsa' | 'curve25519' | 'curve448';
+  type?: 'ecc' | 'rsa' | 'curve25519' | 'curve448' | 'pqc';
   curve?: EllipticCurveName;
   rsaBits?: number;
   keyExpirationTime?: number;

package.json

@@ -63,7 +63,7 @@
   },
   "devDependencies": {
     "@noble/ciphers": "^1.0.0",
-    "@noble/curves": "^1.6.0",
+    "@noble/curves": "^1.7.0",
     "@noble/ed25519": "^1.7.3",
     "@noble/hashes": "^1.5.0",
     "@noble/post-quantum": "^0.2.1",

src/crypto/crypto.js

@@ -331,8 +331,9 @@ export async function parsePrivateKeyParams(algo, bytes, publicParams) {
     }
     case enums.publicKey.pqc_mldsa_ed25519: {
       const eccSecretKey = util.readExactSubarray(bytes, read, read + getCurvePayloadSize(enums.publicKey.ed25519)); read += eccSecretKey.length;
-      const mldsaSecretKey = util.readExactSubarray(bytes, read, read + 4032); read += mldsaSecretKey.length;
-      return { read, privateParams: { eccSecretKey, mldsaSecretKey } };
+      const mldsaSeed = util.readExactSubarray(bytes, read, read + 32); read += mldsaSeed.length;
+      const { mldsaSecretKey } = await publicKey.postQuantum.signature.mldsaExpandSecretSeed(algo, mldsaSeed);
+      return { read, privateParams: { eccSecretKey, mldsaSecretKey, mldsaSeed } };
     }
     default:
       throw new UnsupportedError('Unknown public key encryption algorithm.');
@@ -428,7 +429,8 @@ export function serializeParams(algo, params) {
   ]);
 
   const excludedFields = {
-    [enums.publicKey.pqc_mlkem_x25519]: new Set(['mlkemSecretKey']) // only `mlkemSeed` is serialized
+    [enums.publicKey.pqc_mlkem_x25519]: new Set(['mlkemSecretKey']), // only `mlkemSeed` is serialized
+    [enums.publicKey.pqc_mldsa_ed25519]: new Set(['mldsaSecretKey']) // only `mldsaSeed` is serialized
   };
 
   const orderedParams = Object.keys(params).map(name => {
@@ -506,8 +508,8 @@ export async function generateParams(algo, bits, oid, symmetric) {
         publicParams: { eccPublicKey, mlkemPublicKey }
       }));
     case enums.publicKey.pqc_mldsa_ed25519:
-      return publicKey.postQuantum.signature.generate(algo).then(({ eccSecretKey, eccPublicKey, mldsaSecretKey, mldsaPublicKey }) => ({
-        privateParams: { eccSecretKey, mldsaSecretKey },
+      return publicKey.postQuantum.signature.generate(algo).then(({ eccSecretKey, eccPublicKey, mldsaSeed, mldsaSecretKey, mldsaPublicKey }) => ({
+        privateParams: { eccSecretKey, mldsaSeed, mldsaSecretKey },
         publicParams: { eccPublicKey, mldsaPublicKey }
       }));
     case enums.publicKey.dsa:
@@ -607,9 +609,9 @@ export async function validateParams(algo, publicParams, privateParams) {
       return publicKey.postQuantum.kem.validateParams(algo, eccPublicKey, eccSecretKey, mlkemPublicKey, mlkemSeed);
     }
     case enums.publicKey.pqc_mldsa_ed25519: {
-      const { eccSecretKey, mldsaSecretKey } = privateParams;
+      const { eccSecretKey, mldsaSeed } = privateParams;
       const { eccPublicKey, mldsaPublicKey } = publicParams;
-      return publicKey.postQuantum.signature.validateParams(algo, eccPublicKey, eccSecretKey, mldsaPublicKey, mldsaSecretKey);
+      return publicKey.postQuantum.signature.validateParams(algo, eccPublicKey, eccSecretKey, mldsaPublicKey, mldsaSeed);
     }
     default:
       throw new Error('Unknown public key algorithm.');

src/crypto/public_key/post_quantum/index.js

@@ -1,5 +1,7 @@
 import * as kem from './kem/index';
+import * as signature from './signature';
 
 export {
-  kem
+  kem,
+  signature
 };

src/crypto/public_key/post_quantum/kem/ml_kem.js

@@ -24,7 +24,7 @@ export async function generate(algo) {
 export async function expandSecretSeed(algo, seed) {
   switch (algo) {
     case enums.publicKey.pqc_mlkem_x25519: {
-      const { ml_kem768 } = await import('@noble/post-quantum/ml-kem');
+      const { ml_kem768 } = await import('../noble_post_quantum');
       const { publicKey: encapsulationKey, secretKey: decapsulationKey } = ml_kem768.keygen(seed);
 
       return { mlkemPublicKey: encapsulationKey, mlkemSecretKey: decapsulationKey };
@@ -37,7 +37,7 @@ export async function expandSecretSeed(algo, seed) {
 export async function encaps(algo, mlkemRecipientPublicKey) {
   switch (algo) {
     case enums.publicKey.pqc_mlkem_x25519: {
-      const { ml_kem768 } = await import('@noble/post-quantum/ml-kem');
+      const { ml_kem768 } = await import('../noble_post_quantum');
       const { cipherText: mlkemCipherText, sharedSecret: mlkemKeyShare } = ml_kem768.encapsulate(mlkemRecipientPublicKey);
 
       return { mlkemCipherText, mlkemKeyShare };
@@ -50,7 +50,7 @@ export async function encaps(algo, mlkemRecipientPublicKey) {
 export async function decaps(algo, mlkemCipherText, mlkemSecretKey) {
   switch (algo) {
     case enums.publicKey.pqc_mlkem_x25519: {
-      const { ml_kem768 } = await import('@noble/post-quantum/ml-kem');
+      const { ml_kem768 } = await import('../noble_post_quantum');
       const mlkemKeyShare = ml_kem768.decapsulate(mlkemCipherText, mlkemSecretKey);
 
       return mlkemKeyShare;

src/crypto/public_key/post_quantum/noble_post_quantum.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is needed to dynamic import noble-post-quantum libs.
+ * Separate dynamic imports are not convenient as they result in multiple chunks,
+ * which ultimately share a lot of code and need to be imported together
+ * when it comes to Proton's ML-DSA + ML-KEM keys.
+ */
+
+export { ml_kem768 } from '@noble/post-quantum/ml-kem';
+export { ml_dsa65 } from '@noble/post-quantum/ml-dsa';
+

src/crypto/public_key/post_quantum/signature/ecc_dsa.js

@@ -0,0 +1,46 @@
+import * as eddsa from '../../elliptic/eddsa';
+import enums from '../../../../enums';
+
+export async function generate(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { A, seed } = await eddsa.generate(enums.publicKey.ed25519);
+      return {
+        eccPublicKey: A,
+        eccSecretKey: seed
+      };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export async function sign(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest) {
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { RS: eccSignature } = await eddsa.sign(enums.publicKey.ed25519, hashAlgo, null, eccPublicKey, eccSecretKey, dataDigest);
+
+      return { eccSignature };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export async function verify(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature) {
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return eddsa.verify(enums.publicKey.ed25519, hashAlgo, { RS: eccSignature }, null, eccPublicKey, dataDigest);
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export async function validateParams(algo, eccPublicKey, eccSecretKey) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return eddsa.validateParams(enums.publicKey.ed25519, eccPublicKey, eccSecretKey);
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}

src/crypto/public_key/post_quantum/signature/index.js

@@ -0,0 +1,2 @@
+export { generate, sign, verify, validateParams, getRequiredHashAlgo } from './signature';
+export { expandSecretSeed as mldsaExpandSecretSeed } from './ml_dsa';

src/crypto/public_key/post_quantum/signature/ml_dsa.js

@@ -0,0 +1,69 @@
+import enums from '../../../../enums';
+import util from '../../../../util';
+import { getRandomBytes } from '../../../random';
+
+export async function generate(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const mldsaSeed = getRandomBytes(32);
+      const { mldsaSecretKey, mldsaPublicKey } = await expandSecretSeed(algo, mldsaSeed);
+
+      return { mldsaSeed, mldsaSecretKey, mldsaPublicKey };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+/**
+ * Expand ML-DSA secret seed and retrieve the secret and public key material
+ * @param {module:enums.publicKey} algo - Public key algorithm
+ * @param {Uint8Array} seed - secret seed to expand
+ * @returns {Promise<{ mldsaPublicKey: Uint8Array, mldsaSecretKey: Uint8Array }>}
+ */
+export async function expandSecretSeed(algo, seed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { ml_dsa65 } = await import('../noble_post_quantum');
+      const { secretKey: mldsaSecretKey, publicKey: mldsaPublicKey } = ml_dsa65.keygen(seed);
+
+      return { mldsaSecretKey, mldsaPublicKey };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export async function sign(algo, mldsaSecretKey, dataDigest) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { ml_dsa65 } = await import('../noble_post_quantum');
+      const mldsaSignature = ml_dsa65.sign(mldsaSecretKey, dataDigest);
+      return { mldsaSignature };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export async function verify(algo, mldsaPublicKey, dataDigest, mldsaSignature) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { ml_dsa65 } = await import('../noble_post_quantum');
+      return ml_dsa65.verify(mldsaPublicKey, dataDigest, mldsaSignature);
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export async function validateParams(algo, mldsaPublicKey, mldsaSeed) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { mldsaPublicKey: expectedPublicKey } = await expandSecretSeed(algo, mldsaSeed);
+      return util.equalsUint8Array(mldsaPublicKey, expectedPublicKey);
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}

src/crypto/public_key/post_quantum/signature/signature.js

@@ -0,0 +1,70 @@
+import enums from '../../../../enums';
+import * as mldsa from './ml_dsa';
+import * as eccdsa from './ecc_dsa';
+
+export async function generate(algo) {
+  switch (algo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccSecretKey, eccPublicKey } = await eccdsa.generate(algo);
+      const { mldsaSeed, mldsaSecretKey, mldsaPublicKey } = await mldsa.generate(algo);
+      return { eccSecretKey, eccPublicKey, mldsaSeed, mldsaSecretKey, mldsaPublicKey };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export async function sign(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, mldsaSecretKey, dataDigest) {
+  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
+    // The signature hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    throw new Error('Unexpected hash algorithm for PQC signature');
+  }
+
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const { eccSignature } = await eccdsa.sign(signatureAlgo, hashAlgo, eccSecretKey, eccPublicKey, dataDigest);
+      const { mldsaSignature } = await mldsa.sign(signatureAlgo, mldsaSecretKey, dataDigest);
+
+      return { eccSignature, mldsaSignature };
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export async function verify(signatureAlgo, hashAlgo, eccPublicKey, mldsaPublicKey, dataDigest, { eccSignature, mldsaSignature }) {
+  if (hashAlgo !== getRequiredHashAlgo(signatureAlgo)) {
+    // The signature hash algo MUST be set to the specified algorithm, see
+    // https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+    throw new Error('Unexpected hash algorithm for PQC signature');
+  }
+
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519: {
+      const eccVerifiedPromise = eccdsa.verify(signatureAlgo, hashAlgo, eccPublicKey, dataDigest, eccSignature);
+      const mldsaVerifiedPromise = mldsa.verify(signatureAlgo, mldsaPublicKey, dataDigest, mldsaSignature);
+      const verified = await eccVerifiedPromise && await mldsaVerifiedPromise;
+      return verified;
+    }
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export function getRequiredHashAlgo(signatureAlgo) {
+  // See https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc#section-5.2.1.
+  switch (signatureAlgo) {
+    case enums.publicKey.pqc_mldsa_ed25519:
+      return enums.hash.sha3_256;
+    default:
+      throw new Error('Unsupported signature algorithm');
+  }
+}
+
+export async function validateParams(algo, eccPublicKey, eccSecretKey, mldsaPublicKey, mldsaSeed) {
+  const eccValidationPromise = eccdsa.validateParams(algo, eccPublicKey, eccSecretKey);
+  const mldsaValidationPromise = mldsa.validateParams(algo, mldsaPublicKey, mldsaSeed);
+  const valid = await eccValidationPromise && await mldsaValidationPromise;
+  return valid;
+}