WIP: Draft: PQ #497

Draft
zzz wants to merge 6 commits from zzz/i2p.i2p:pq-wip into master

WIP: PQ. Includes both MLKEM and MLDSA. Will not be merged as-is.

zzz added 4 commits 2025-04-26 13:11:42 -04:00
This MR is for review and testing only. Do not merge.
The final code may be split up into multiple MRs
(for example one for MLDSA and one for MLKEM)
over the next 6-12 months,
and will also start with a revision containing unmodified
bouncycastle code as a base for future merges.

This MR bundles code from bouncycastle 1.80 (license: MIT),
modified to reduce and eliminate unneeded dependencies.
There is no support for building with an external bouncycastle
jar for Debian yet, as 1.80 is only in sid.

The MLDSA code is in core and the MLKEM code is in router.
Small wrappers are provided to bridge between our data structures
and the bouncycastle API.

Implemented portions of proposal 169, briefly tested unless otherwise noted:

- SigType/EncType/SigAlgo/EncAlgo enums for new types
- KeyGenerator and DSAEngine support
- Hybrid handshake support in Noise
- SHA3-128, SHA3-256, SHAKE128, SHAKE256
- All three MLKEM variants 512/768/1024 (only 512 tested)
- All six MLDSA variants 44/56/87 hybrid/PQ-only
- MLKEM hybrid ratchet
- MLKEM types in leasesets
- MLDSA and hybrid signatures for destinations and private key files
- MLDSA and hybrid signature handling in streaming
- MLKEM-only and muxed destination types (5; 6; 7; 5,4; 6,4; 7,4) (muxed untested, probably broken)
- i2ptunnel UI support for selecting new types (requires routerconsole.advanced=true)
- Addressbook support for MLDSA dests
- Repliable datagram support (untested)
- SAM support (untested)

Live network test considerations:

MLKEM hybrid ratchet is backward compatible with the current network and may
be tested today, either with MLKEM-only or MLKEM + X25519 dual support.

MLDSA destinations may be used for clients and for connections to compatible servers
running this code.
MLDSA server destinations cannot be tested (except in loopback) because their leasesets
cannot be published to floodfills, as the floodfills cannot verify the signatures.

Unimplemented portions of proposal 169:

- MLKEM or MLDSA routers
- NTCP2 mods for routers
- SSU2 mods for routers
- MLDSA or hybrid-signed SU3 files (ph variant)

TODO:

- Test vectors, unit tests
- MLKEM KeyFactory threads
- Debian bouncycastle dependency

Standalone tests:

A standalone ratchet test with hybrid support is in
i2p.scripts java-utils/RatchetTest.java

Private key files and leasesets for MLDSA and hybrid signatures
are linked from http://zzz.i2p/topics/3294
Fix NPE in MLKEMDHState.destroy()
- NSR corruption
- Track SKM key type
- Implement cloning of hybrid keys
- Min size checks
- Session validation fix
- Logging in HandshakeState, probably temporary
- Don't clone destroyed state
- Javadoc fixes
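An added example (not code from this MR, from i2p, or from bouncycastle) of what a thin wrapper over the bouncycastle 1.80 lightweight API looks like for the two primitives the MR bundles: ML-KEM-512 encapsulate/decapsulate, and an Ed25519 + ML-DSA-44 hybrid signature. Class and method names are bouncycastle's `org.bouncycastle.pqc.crypto.mlkem` and `org.bouncycastle.pqc.crypto.mldsa` packages as shipped since 1.79; `PQWrapperDemo` and its helper names are hypothetical, and the hybrid rule shown (concatenate both signatures, accept only if both verify) is an assumption for illustration, not proposal 169's exact wire encoding. The example also shows the ML-KEM failure mode a caller has to plan for: a corrupted ciphertext does not throw, it decapsulates to an unrelated secret (FIPS 203 implicit rejection), so the only signal is a later AEAD authentication failure.

```java
// Added example, not i2p or bouncycastle project code. Assumes bouncycastle >= 1.79
// on the classpath; PQWrapperDemo and the helper names are hypothetical.
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.SecretWithEncapsulation;
import org.bouncycastle.crypto.generators.Ed25519KeyPairGenerator;
import org.bouncycastle.crypto.params.Ed25519KeyGenerationParameters;
import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters;
import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters;
import org.bouncycastle.crypto.signers.Ed25519Signer;
import org.bouncycastle.pqc.crypto.mldsa.MLDSAKeyGenerationParameters;
import org.bouncycastle.pqc.crypto.mldsa.MLDSAKeyPairGenerator;
import org.bouncycastle.pqc.crypto.mldsa.MLDSAParameters;
import org.bouncycastle.pqc.crypto.mldsa.MLDSAPrivateKeyParameters;
import org.bouncycastle.pqc.crypto.mldsa.MLDSAPublicKeyParameters;
import org.bouncycastle.pqc.crypto.mldsa.MLDSASigner;
import org.bouncycastle.pqc.crypto.mlkem.MLKEMExtractor;
import org.bouncycastle.pqc.crypto.mlkem.MLKEMGenerator;
import org.bouncycastle.pqc.crypto.mlkem.MLKEMKeyGenerationParameters;
import org.bouncycastle.pqc.crypto.mlkem.MLKEMKeyPairGenerator;
import org.bouncycastle.pqc.crypto.mlkem.MLKEMParameters;
import org.bouncycastle.pqc.crypto.mlkem.MLKEMPrivateKeyParameters;
import org.bouncycastle.pqc.crypto.mlkem.MLKEMPublicKeyParameters;

public class PQWrapperDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int ED25519_SIG_LEN = 64; // fixed by RFC 8032

    /** Recipient side: ML-KEM key pair for the requested variant (512/768/1024). */
    static AsymmetricCipherKeyPair mlkemKeyPair(MLKEMParameters params) {
        MLKEMKeyPairGenerator kpg = new MLKEMKeyPairGenerator();
        kpg.init(new MLKEMKeyGenerationParameters(RNG, params));
        return kpg.generateKeyPair();
    }

    /** Sender side: returns the ciphertext (getEncapsulation) and shared secret (getSecret). */
    static SecretWithEncapsulation encapsulate(MLKEMPublicKeyParameters pub) {
        return new MLKEMGenerator(RNG).generateEncapsulated(pub);
    }

    /** Recipient side. Never throws on a tampered ciphertext of the right length: FIPS 203
     *  implicit rejection returns a pseudorandom secret instead, so the caller must rely on
     *  the AEAD that is keyed from this secret to detect the mismatch. */
    static byte[] decapsulate(MLKEMPrivateKeyParameters priv, byte[] ciphertext) {
        return new MLKEMExtractor(priv).extractSecret(ciphertext);
    }

    /** Hybrid signature: Ed25519 signature followed by ML-DSA signature, both over msg. */
    static byte[] hybridSign(Ed25519PrivateKeyParameters edPriv,
                             MLDSAPrivateKeyParameters pqPriv, byte[] msg) {
        Ed25519Signer ed = new Ed25519Signer();
        ed.init(true, edPriv);
        ed.update(msg, 0, msg.length);
        byte[] edSig = ed.generateSignature();

        MLDSASigner pq = new MLDSASigner();
        pq.init(true, pqPriv);            // deterministic signing when no random is supplied
        pq.update(msg, 0, msg.length);
        byte[] pqSig = pq.generateSignature();

        byte[] out = Arrays.copyOf(edSig, edSig.length + pqSig.length);
        System.arraycopy(pqSig, 0, out, edSig.length, pqSig.length);
        return out;
    }

    /** Both halves must verify. Accepting either one alone would make the hybrid only as
     *  strong as its weaker component and defeat the point of carrying two signatures. */
    static boolean hybridVerify(Ed25519PublicKeyParameters edPub, MLDSAPublicKeyParameters pqPub,
                                byte[] msg, byte[] sig) {
        if (sig.length <= ED25519_SIG_LEN) return false;
        Ed25519Signer ed = new Ed25519Signer();
        ed.init(false, edPub);
        ed.update(msg, 0, msg.length);
        boolean edOk = ed.verifySignature(Arrays.copyOfRange(sig, 0, ED25519_SIG_LEN));

        MLDSASigner pq = new MLDSASigner();
        pq.init(false, pqPub);
        pq.update(msg, 0, msg.length);
        boolean pqOk = pq.verifySignature(Arrays.copyOfRange(sig, ED25519_SIG_LEN, sig.length));
        return edOk & pqOk;               // non-short-circuit: always evaluate both
    }

    public static void main(String[] args) {
        // ML-KEM-512, the variant the MR reports as tested
        AsymmetricCipherKeyPair kem = mlkemKeyPair(MLKEMParameters.ml_kem_512);
        MLKEMPrivateKeyParameters kemPriv = (MLKEMPrivateKeyParameters) kem.getPrivate();
        SecretWithEncapsulation enc = encapsulate((MLKEMPublicKeyParameters) kem.getPublic());
        byte[] ss = decapsulate(kemPriv, enc.getEncapsulation());
        System.out.println("ML-KEM secrets match: " + Arrays.equals(ss, enc.getSecret()));

        byte[] bad = enc.getEncapsulation().clone();
        bad[0] ^= 1;                      // flip one ciphertext bit: no exception, different secret
        System.out.println("corrupted ct matches: " + Arrays.equals(decapsulate(kemPriv, bad), enc.getSecret()));

        // Ed25519 + ML-DSA-44 hybrid signature over a constructed sample message
        Ed25519KeyPairGenerator edGen = new Ed25519KeyPairGenerator();
        edGen.init(new Ed25519KeyGenerationParameters(RNG));
        AsymmetricCipherKeyPair ed = edGen.generateKeyPair();
        MLDSAKeyPairGenerator pqGen = new MLDSAKeyPairGenerator();
        pqGen.init(new MLDSAKeyGenerationParameters(RNG, MLDSAParameters.ml_dsa_44));
        AsymmetricCipherKeyPair pq = pqGen.generateKeyPair();

        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] sig = hybridSign((Ed25519PrivateKeyParameters) ed.getPrivate(),
                                (MLDSAPrivateKeyParameters) pq.getPrivate(), msg);
        Ed25519PublicKeyParameters edPub = (Ed25519PublicKeyParameters) ed.getPublic();
        MLDSAPublicKeyParameters pqPub = (MLDSAPublicKeyParameters) pq.getPublic();
        System.out.println("hybrid verifies: " + hybridVerify(edPub, pqPub, msg, sig));
        sig[sig.length - 1] ^= 1;         // damage the ML-DSA half only
        System.out.println("tampered hybrid verifies: " + hybridVerify(edPub, pqPub, msg, sig));
    }
}
```

Expected console output is `true`, `false`, `true`, `false` in that order. The second line is the one worth internalising before wiring ML-KEM into a handshake: a wrong ciphertext is indistinguishable from a right one at the KEM layer, which is why the ratchet and Noise code above the wrapper, not the wrapper itself, decides whether a session is valid.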
zzz changed title from pq-wip to WIP: Draft: PQ 2025-04-26 13:15:06 -04:00
zzz added the crypto label 2025-04-26 17:37:17 -04:00
zzz self-assigned this 2025-04-28 08:32:47 -04:00
zzz added 1 commit 2025-05-07 11:23:57 -04:00
zzz added 1 commit 2025-06-13 07:52:50 -04:00
Author
Owner

Status:

  • Ratchet: Merged in PR #517, multiple conflicts with this PR which is obsolete
  • NTCP2/SSU2: Not in this PR, will eventually be a separate PR, mid-late 2025
  • Sigs: In this PR, with conflicts, will eventually be a separate PR, target 2026. For now, this is the only public place with the MLDSA changes, keeping it here for safekeeping
This pull request has changes conflicting with the target branch.
  • build.xml
  • core/java/src/net/i2p/crypto/EncAlgo.java
  • core/java/src/net/i2p/crypto/EncType.java
  • core/java/src/net/i2p/crypto/KeyGenerator.java
  • router/java/src/com/southernstorm/noise/protocol/HandshakeState.java
  • router/java/src/com/southernstorm/noise/protocol/MLKEMDHState.java
  • router/java/src/com/southernstorm/noise/protocol/Pattern.java
  • router/java/src/net/i2p/router/LeaseSetKeys.java
  • router/java/src/net/i2p/router/crypto/pqc/MLKEM.java
  • router/java/src/net/i2p/router/crypto/ratchet/ECIESAEADEngine.java

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u pq-wip:zzz-pq-wip
git checkout zzz-pq-wip
Reference: I2P_Developers/i2p.i2p#497