libcrux-psq 0.0.9

Libcrux Pre-Shared post-Quantum key establishement protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228

use std::io::Cursor;

use tls_codec::{Deserialize, TlsDeserialize, TlsSerialize, TlsSize};

use crate::handshake::{
    ciphersuite::{responder::ResponderCiphersuite, traits::CiphersuiteBase, types::PQCiphertext},
    HandshakeError,
};
pub(crate) const PSQ_MLDSA_CONTEXT: &[u8] = b"PSQ";

pub mod builder;
pub mod initiator;
pub mod responder;
pub mod traits;
pub mod types;

#[derive(TlsSize, TlsSerialize, TlsDeserialize, Clone, Copy, Debug, PartialEq)]
#[repr(u8)]
#[allow(non_camel_case_types)]
/// Available ciphersuites for use in the PSQ handshake.
///
/// The name assigns different algorithms according to the following mask:
/// ```ignore
/// OUTER_PQKEM_AUTH_AEAD_KDF
/// ```
///
/// where
/// - `OUTER` is the elliptic curve Diffie-Hellman key exchange used for the
///   outer messsage layer. Supported curves at this point are: `X25519`
/// - `PQKEM` is the PQ-KEM used in the inner message. Supported PQ-KEMs at this
///   point are: `MLKEM768`, `CLASSICMCELIECE` (using feature
///   `classic-mceliece`) and `NONE` (indicating no PQ-KEM will be used)
/// - `AUTH` is the method of initiator authentication used in the inner
///   message. Supported authentication methods at this point are authentication
///   via the initiator's long-term `X25519` public key, or authentication via a
///   signature under the initiator's long-term signing key. Supported signature
///   schemes at this point are: `MLDSA65` and `ED25519`. Initiator long term
///   public and signing keys are assumed to be available to responder
///   out-of-band.
/// - `AEAD` is the AEAD used for encrypting message payloads. Supported AEADs
///   at this point are: `CHACHA20POLY1305` and `AESGCM128`.
/// - `KDF` is the key derivation function used to derive AEAD keys. Supported
///   KDFs at this point are `HKDFSHA256`.
pub enum CiphersuiteName {
    /// Use X25519 for the outer key exchange, no PQ-KEM, X25519 for
    /// DH-based initiator autentication, Chacha20Poly1305 as payload
    /// AEAD and SHA-256 for HKDF. This is the only ciphersuite
    /// supported in Query mode, where no client authentication takes
    /// place.
    X25519_NONE_X25519_CHACHA20POLY1305_HKDFSHA256,
    /// Use X25519 for the outer key exchange, ML-KEM 768 for PQ-KEM,
    /// X25519 for DH-based initiator autentication, Chacha20Poly1305
    /// as payload AEAD and SHA-256 for HKDF.
    X25519_MLKEM768_X25519_CHACHA20POLY1305_HKDFSHA256,
    /// Use X25519 for the outer key exchange, Classic McEliece for
    /// PQ-KEM, X25519 for DH-based initiator autentication,
    /// Chacha20Poly1305 as payload AEAD and SHA-256 for
    /// HKDF. (requires feature `classic-mceliece`)
    X25519_CLASSICMCELIECE_X25519_CHACHA20POLY1305_HKDFSHA256,
    /// Use X25519 for the outer key exchange, no PQ-KEM, X25519 for
    /// DH-based initiator autentication, AesGcm128 as payload AEAD
    /// and SHA-256 for HKDF.
    X25519_NONE_X25519_AESGCM128_HKDFSHA256,
    /// Use X25519 for the outer key exchange, ML-KEM 768 for PQ-KEM,
    /// X25519 for DH-based initiator autentication, AesGcm128 as
    /// payload AEAD and SHA-256 for HKDF.
    X25519_MLKEM768_X25519_AESGCM128_HKDFSHA256,
    /// Use X25519 for the outer key exchange, Classic McEliece for
    /// PQ-KEM, X25519 for DH-based initiator autentication, AesGcm128
    /// as payload AEAD and SHA-256 for HKDF. (requires feature
    /// `classic-mceliece`)
    X25519_CLASSICMCELIECE_X25519_AESGCM128_HKDFSHA256,

    /// Use X25519 for the outer key exchange, no PQ-KEM, Ed25519 for
    /// signature-based initiator autentication, Chacha20Poly1305 as
    /// payload AEAD and SHA-256 for HKDF. This is the only
    /// ciphersuite supported in Query mode, where no client
    /// authentication takes place.
    X25519_NONE_ED25519_CHACHA20POLY1305_HKDFSHA256,
    /// Use X25519 for the outer key exchange, ML-KEM 768 for PQ-KEM,
    /// Ed25519 for signature-based initiator autentication,
    /// Chacha20Poly1305 as payload AEAD and SHA-256 for HKDF.
    X25519_MLKEM768_ED25519_CHACHA20POLY1305_HKDFSHA256,
    /// Use X25519 for the outer key exchange, Classic McEliece for
    /// PQ-KEM, Ed25519 for signature-based initiator autentication,
    /// Chacha20Poly1305 as payload AEAD and SHA-256 for
    /// HKDF. (requires feature `classic-mceliece`)
    X25519_CLASSICMCELIECE_ED25519_CHACHA20POLY1305_HKDFSHA256,
    /// Use X25519 for the outer key exchange, no PQ-KEM, Ed25519 for
    /// signature-based initiator autentication, AesGcm128 as payload AEAD
    /// and SHA-256 for HKDF.
    X25519_NONE_ED25519_AESGCM128_HKDFSHA256,
    /// Use X25519 for the outer key exchange, ML-KEM 768 for PQ-KEM,
    /// Ed25519 for signature-based initiator autentication, AesGcm128 as
    /// payload AEAD and SHA-256 for HKDF.
    X25519_MLKEM768_ED25519_AESGCM128_HKDFSHA256,
    /// Use X25519 for the outer key exchange, Classic McEliece for
    /// PQ-KEM, Ed25519 for signature-based initiator autentication,
    /// AesGcm128 as payload AEAD and SHA-256 for HKDF. (requires
    /// feature `classic-mceliece`)
    X25519_CLASSICMCELIECE_ED25519_AESGCM128_HKDFSHA256,

    /// Use X25519 for the outer key exchange, no PQ-KEM, ML-DSA 65
    /// for signature-based initiator autentication, Chacha20Poly1305
    /// as payload AEAD and SHA-256 for HKDF. This is the only
    /// ciphersuite supported in Query mode, where no client
    /// authentication takes place.
    X25519_NONE_MLDSA65_CHACHA20POLY1305_HKDFSHA256,
    /// Use X25519 for the outer key exchange, ML-KEM 768 for PQ-KEM,
    /// ML-DSA 65 for signature-based initiator autentication,
    /// Chacha20Poly1305 as payload AEAD and SHA-256 for HKDF.
    X25519_MLKEM768_MLDSA65_CHACHA20POLY1305_HKDFSHA256,
    /// Use X25519 for the outer key exchange, Classic McEliece for
    /// PQ-KEM, ML-DSA 65 for signature-based initiator autentication,
    /// Chacha20Poly1305 as payload AEAD and SHA-256 for
    /// HKDF. (requires feature `classic-mceliece`)
    X25519_CLASSICMCELIECE_MLDSA65_CHACHA20POLY1305_HKDFSHA256,
    /// Use X25519 for the outer key exchange, no PQ-KEM, ML-DSA 65
    /// for signature-based initiator autentication, AesGcm128 as
    /// payload AEAD and SHA-256 for HKDF.
    X25519_NONE_MLDSA65_AESGCM128_HKDFSHA256,
    /// Use X25519 for the outer key exchange, ML-KEM 768 for PQ-KEM,
    /// ML-DSA 65 for signature-based initiator autentication,
    /// AesGcm128 as payload AEAD and SHA-256 for HKDF.
    X25519_MLKEM768_MLDSA65_AESGCM128_HKDFSHA256,
    /// Use X25519 for the outer key exchange, Classic McEliece for
    /// PQ-KEM, ML-DSA 65 for signature-based initiator autentication,
    /// AesGcm128 as payload AEAD and SHA-256 for HKDF. (requires
    /// feature `classic-mceliece`)
    X25519_CLASSICMCELIECE_MLDSA65_AESGCM128_HKDFSHA256,
}

impl CiphersuiteName {
    /// Returns the default ciphersuite used for query mode.
    pub(crate) fn query_ciphersuite() -> Self {
        Self::X25519_NONE_X25519_CHACHA20POLY1305_HKDFSHA256
    }

    /// Coerce the responder ciphersuite into a compatible working
    /// ciphersuite for a given handshake.
    ///
    /// A compatible ciphersuite exists, if the PQ KEMs of both ciphersuites
    /// agree, or if the initiator side does not specify a PQ KEM. If the
    /// initiator side specifies a PQ KEM and it does not match the responder
    /// side, there is no compatible ciphersuite.
    ///
    /// If a compatible ciphersuite exists, it will match the initiator
    /// ciphersuite, i.e. a PQ responder ciphersuite can be coerced into a
    /// compatible non-PQ ciphersuite.
    pub(crate) fn coerce_compatible(
        &self,
        responder_ciphersuite: &ResponderCiphersuite,
    ) -> Result<CiphersuiteName, HandshakeError> {
        match (self, responder_ciphersuite.name()) {
            (CiphersuiteName::X25519_NONE_X25519_CHACHA20POLY1305_HKDFSHA256, _) => {
                Ok(CiphersuiteName::X25519_NONE_X25519_CHACHA20POLY1305_HKDFSHA256)
            }
            (CiphersuiteName::X25519_NONE_ED25519_CHACHA20POLY1305_HKDFSHA256, _) => {
                Ok(CiphersuiteName::X25519_NONE_ED25519_CHACHA20POLY1305_HKDFSHA256)
            }
            (CiphersuiteName::X25519_NONE_MLDSA65_CHACHA20POLY1305_HKDFSHA256, _) => {
                Ok(CiphersuiteName::X25519_NONE_MLDSA65_CHACHA20POLY1305_HKDFSHA256)
            }
            (CiphersuiteName::X25519_NONE_X25519_AESGCM128_HKDFSHA256, _) => {
                Ok(CiphersuiteName::X25519_NONE_X25519_AESGCM128_HKDFSHA256)
            }
            (CiphersuiteName::X25519_NONE_ED25519_AESGCM128_HKDFSHA256, _) => {
                Ok(CiphersuiteName::X25519_NONE_ED25519_AESGCM128_HKDFSHA256)
            }
            (CiphersuiteName::X25519_NONE_MLDSA65_AESGCM128_HKDFSHA256, _) => {
                Ok(CiphersuiteName::X25519_NONE_MLDSA65_AESGCM128_HKDFSHA256)
            }

            (x, y) if *x == y => Ok(y).into(),
            _ => Err(HandshakeError::UnsupportedCiphersuite),
        }
    }

    pub(crate) fn deserialize_encapsulation(
        &self,
        bytes: &[u8],
    ) -> Result<Option<PQCiphertext>, HandshakeError> {
        match self {
            CiphersuiteName::X25519_NONE_X25519_CHACHA20POLY1305_HKDFSHA256
            | CiphersuiteName::X25519_NONE_X25519_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_NONE_ED25519_CHACHA20POLY1305_HKDFSHA256
            | CiphersuiteName::X25519_NONE_ED25519_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_NONE_MLDSA65_CHACHA20POLY1305_HKDFSHA256
            | CiphersuiteName::X25519_NONE_MLDSA65_AESGCM128_HKDFSHA256 => Ok(None),

            CiphersuiteName::X25519_MLKEM768_X25519_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_MLKEM768_MLDSA65_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_MLKEM768_X25519_CHACHA20POLY1305_HKDFSHA256
            | CiphersuiteName::X25519_MLKEM768_ED25519_CHACHA20POLY1305_HKDFSHA256
            | CiphersuiteName::X25519_MLKEM768_ED25519_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_MLKEM768_MLDSA65_CHACHA20POLY1305_HKDFSHA256 => {
                let enc = Option::<PQCiphertext>::tls_deserialize(&mut Cursor::new(bytes))
                    .map_err(HandshakeError::Deserialize)?;

                Ok(enc)
            }

            #[cfg(feature = "classic-mceliece")]
            CiphersuiteName::X25519_CLASSICMCELIECE_ED25519_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_MLDSA65_CHACHA20POLY1305_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_X25519_CHACHA20POLY1305_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_MLDSA65_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_X25519_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_ED25519_CHACHA20POLY1305_HKDFSHA256 => {
                use std::io::Cursor;

                let enc = Option::<PQCiphertext>::tls_deserialize(&mut Cursor::new(bytes))
                    .map_err(HandshakeError::Deserialize)?;
                Ok(enc)
            }

            #[cfg(not(feature = "classic-mceliece"))]
            CiphersuiteName::X25519_CLASSICMCELIECE_ED25519_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_MLDSA65_CHACHA20POLY1305_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_X25519_CHACHA20POLY1305_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_MLDSA65_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_X25519_AESGCM128_HKDFSHA256
            | CiphersuiteName::X25519_CLASSICMCELIECE_ED25519_CHACHA20POLY1305_HKDFSHA256 => {
                Err(HandshakeError::UnsupportedCiphersuite)
            }
        }
    }
}