abir_guard 3.1.1

Abir-Guard: Quantum-Resilient Agentic Vault for AI Agent Memory with NIST-standard Post-Quantum Cryptography
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198

//! Abir-Guard: ML-DSA Digital Signatures (NIST FIPS 204)
//!
//! Post-quantum secure digital signatures using Module-Lattice-Based Digital
//! Signature Algorithm (ML-DSA). Provides key generation, signing, and
//! verification operations for vault data integrity.
//!
//! Uses ML-DSA-65 (security category 3) for balanced security/performance.

use fips204::ml_dsa_65;
use fips204::traits::{SerDes, Signer, Verifier};
use sha3::{Digest, Sha3_512};
use thiserror::Error;
use std::convert::TryInto;

/// ML-DSA signature errors
#[derive(Debug, Error)]
pub enum MldsaError {
    #[error("key generation failed: {0}")]
    KeyGenFailed(String),
    #[error("signing failed: {0}")]
    SigningFailed(String),
    #[error("verification failed")]
    VerificationFailed,
    #[error("key deserialization failed: {0}")]
    DeserializationFailed(String),
}

/// ML-DSA keypair container
#[derive(Debug, Clone)]
pub struct MldsaKeypair {
    pub signing_key: Vec<u8>,
    pub verifying_key: Vec<u8>,
}

/// Generate a new ML-DSA-65 keypair (security category 3).
pub fn generate_keypair() -> Result<MldsaKeypair, MldsaError> {
    let (pk, sk) = ml_dsa_65::try_keygen()
        .map_err(|e| MldsaError::KeyGenFailed(e.to_string()))?;

    Ok(MldsaKeypair {
        signing_key: sk.into_bytes().to_vec(),
        verifying_key: pk.into_bytes().to_vec(),
    })
}

/// Sign data with ML-DSA-65.
pub fn sign(data: &[u8], signing_key: &[u8]) -> Result<Vec<u8>, MldsaError> {
    let sk_bytes: [u8; 4032] = signing_key
        .try_into()
        .map_err(|_| MldsaError::DeserializationFailed("Invalid signing key length".into()))?;
    let sk = ml_dsa_65::PrivateKey::try_from_bytes(sk_bytes)
        .map_err(|e| MldsaError::DeserializationFailed(e.to_string()))?;

    let sig = sk
        .try_sign(data, &[])
        .map_err(|e| MldsaError::SigningFailed(e.to_string()))?;

    Ok(sig.to_vec())
}

/// Verify an ML-DSA-65 signature.
pub fn verify(data: &[u8], signature: &[u8], verifying_key: &[u8]) -> Result<bool, MldsaError> {
    let pk_bytes: [u8; 1952] = verifying_key
        .try_into()
        .map_err(|_| MldsaError::DeserializationFailed("Invalid verifying key length".into()))?;
    let pk = ml_dsa_65::PublicKey::try_from_bytes(pk_bytes)
        .map_err(|e| MldsaError::DeserializationFailed(e.to_string()))?;

    let sig_bytes: [u8; 3309] = signature
        .try_into()
        .map_err(|_| MldsaError::DeserializationFailed("Invalid signature length".into()))?;

    let valid = pk.verify(data, &sig_bytes, &[]);
    Ok(valid)
}

/// Compute SHA3-512 hash of data for fingerprinting.
pub fn hash_data(data: &[u8]) -> Vec<u8> {
    let mut hasher = Sha3_512::new();
    hasher.update(data);
    hasher.finalize().to_vec()
}

/// Serialize keypair to JSON string for storage.
pub fn serialize_keypair(keypair: &MldsaKeypair) -> String {
    serde_json::json!({
        "signing_key": base64::Engine::encode(
            &base64::engine::general_purpose::STANDARD,
            &keypair.signing_key,
        ),
        "verifying_key": base64::Engine::encode(
            &base64::engine::general_purpose::STANDARD,
            &keypair.verifying_key,
        ),
    })
    .to_string()
}

/// Deserialize keypair from JSON string.
pub fn deserialize_keypair(json: &str) -> Result<MldsaKeypair, MldsaError> {
    let parsed: serde_json::Value =
        serde_json::from_str(json).map_err(|e| MldsaError::DeserializationFailed(e.to_string()))?;

    let sk_b64 = parsed["signing_key"]
        .as_str()
        .ok_or_else(|| MldsaError::DeserializationFailed("Missing signing_key".into()))?;
    let vk_b64 = parsed["verifying_key"]
        .as_str()
        .ok_or_else(|| MldsaError::DeserializationFailed("Missing verifying_key".into()))?;

    let signing_key = base64::Engine::decode(
        &base64::engine::general_purpose::STANDARD,
        sk_b64,
    )
    .map_err(|e| MldsaError::DeserializationFailed(e.to_string()))?;
    let verifying_key = base64::Engine::decode(
        &base64::engine::general_purpose::STANDARD,
        vk_b64,
    )
    .map_err(|e| MldsaError::DeserializationFailed(e.to_string()))?;

    Ok(MldsaKeypair {
        signing_key,
        verifying_key,
    })
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_keypair_generation() {
        let keypair = generate_keypair().unwrap();
        assert!(!keypair.signing_key.is_empty());
        assert!(!keypair.verifying_key.is_empty());
        assert_eq!(keypair.signing_key.len(), 4032);
        assert_eq!(keypair.verifying_key.len(), 1952);
    }

    #[test]
    fn test_sign_and_verify() {
        let keypair = generate_keypair().unwrap();
        let data = b"test data for ML-DSA signature";

        let signature = sign(data, &keypair.signing_key).unwrap();
        assert!(!signature.is_empty());
        assert_eq!(signature.len(), 3309);

        let valid = verify(data, &signature, &keypair.verifying_key).unwrap();
        assert!(valid);
    }

    #[test]
    fn test_invalid_signature_fails() {
        let keypair = generate_keypair().unwrap();
        let data = b"test data";
        let tampered = b"tampered data";

        let signature = sign(data, &keypair.signing_key).unwrap();
        let valid = verify(tampered, &signature, &keypair.verifying_key).unwrap();
        assert!(!valid);
    }

    #[test]
    fn test_serialize_deserialize_keypair() {
        let keypair = generate_keypair().unwrap();
        let json = serialize_keypair(&keypair);
        let restored = deserialize_keypair(&json).unwrap();

        assert_eq!(keypair.signing_key, restored.signing_key);
        assert_eq!(keypair.verifying_key, restored.verifying_key);

        let data = b"test serialization";
        let sig = sign(data, &restored.signing_key).unwrap();
        assert!(verify(data, &sig, &restored.verifying_key).unwrap());
    }

    #[test]
    fn test_different_keypairs_cant_verify() {
        let kp1 = generate_keypair().unwrap();
        let kp2 = generate_keypair().unwrap();

        let data = b"test cross-key verification";
        let sig = sign(data, &kp1.signing_key).unwrap();
        let valid = verify(data, &sig, &kp2.verifying_key).unwrap();
        assert!(!valid);
    }

    #[test]
    fn test_hash_data_consistency() {
        let data = b"test data";
        let hash1 = hash_data(data);
        let hash2 = hash_data(data);
        assert_eq!(hash1, hash2);
        assert_eq!(hash1.len(), 64);
    }
}