refactor: Replace hard-coded numbers with shared constants

Author: chadsec1

core/constants.py

@@ -16,14 +16,18 @@
 OTP_PADDING_LENGTH = 2
 OTP_PADDING_LIMIT  = 1024
 
+SMP_NONCE_LENGTH     = 64
+SMP_PROOF_LENGTH     = 64
+SMP_QUESTION_MAX_LEN = 500
+
 # NIST-specified key sizes (bytes) and metadata
-ML_KEM_1024_NAME   = "Kyber1024"
+ML_KEM_1024_NAME   = "ML-KEM-1024"
 ML_KEM_1024_SK_LEN = 3168
 ML_KEM_1024_PK_LEN = 1568
 ML_KEM_1024_CT_LEN = 1568
 
 
-ML_DSA_87_NAME     = "Dilithium5"  
+ML_DSA_87_NAME     = "ML-DSA-87"  
 ML_DSA_87_SK_LEN   = 4864
 ML_DSA_87_PK_LEN   = 2592
 ML_DSA_87_SIGN_LEN = 4595

core/crypto.py

@@ -4,16 +4,12 @@
 Post-quantum cryptographic operations for Coldwire.
 
 Implements:
-- Key generation (ML-KEM-1024 / Kyber, ML-DSA-87 / Dilithium5)
+- Key generation (ML-KEM-1024,  ML-DSA-87, Classic-McEliece-8192128f)
 - Signature creation and verification
 - One-Time Pad (OTP) encryption with padding
-- Kyber-based OTP key exchange
+- Retrieving shared secrets from KEM chunks
 - Secure random number generation
-
-Notes:
-- Kyber keys and ciphertext sizes follow NIST spec for ML-KEM-1024.
-- Dilithium5 keys/signature sizes follow NIST spec for ML-DSA-87.
-- OTP padding randomizes message lengths to resist ciphertext length analysis.
+- OTP padding 
 """
 
 import oqs
@@ -37,7 +33,7 @@ def create_signature(algorithm: str, message: bytes, private_key: bytes) -> byte
     Creates a digital signature for a message using a post-quantum signature scheme.
 
     Args:
-        algorithm: PQ signature algorithm (e.g. "Dilithium5").
+        algorithm: PQ signature algorithm (e.g. "ML-DSA-87").
         message: Data to sign.
         private_key: Private key bytes.
 
@@ -52,7 +48,7 @@ def verify_signature(algorithm: str, message: bytes, signature: bytes, public_ke
     Verifies a post-quantum signature.
 
     Args:
-        algorithm: PQ signature algorithm (e.g. "Dilithium5").
+        algorithm: PQ signature algorithm (e.g. "ML-DSA-87").
         message: Original message data.
         signature: Signature to verify.
         public_key: Corresponding public key bytes.
@@ -68,7 +64,7 @@ def generate_sign_keys(algorithm: str = ML_DSA_87_NAME):
     Generates a new post-quantum signature keypair.
 
     Args:
-        algorithm: PQ signature algorithm (default ML-DSA-87 / Dilithium5).
+        algorithm: PQ signature algorithm (default ML-DSA-87).
 
     Returns:
         (private_key, public_key) as bytes.

logic/authentication.py

@@ -1,6 +1,9 @@
 from base64 import b64encode, b64decode
 from core.requests import http_request
 from core.crypto import create_signature 
+from core.constants import (
+        ML_DSA_87_NAME
+)
 
 def authenticate_account(user_data: dict) -> dict:
     url = user_data["server_url"] 
@@ -27,7 +30,7 @@ def authenticate_account(user_data: dict) -> dict:
         raise ValueError("Server gave a malformed challenge! Are you sure this is Coldwire server ?")
 
 
-    signature = create_signature("Dilithium5", challenge, private_key)
+    signature = create_signature(ML_DSA_87_NAME, challenge, private_key)
 
     try:
         response = http_request(url + "/authenticate/verify", "POST", payload = {"signature": b64encode(signature).decode(), "challenge": response["challenge"]})

logic/pfs.py

@@ -9,6 +9,7 @@
 from core.constants import (
     ALGOS_BUFFER_LIMITS,
     ML_KEM_1024_NAME,
+    ML_DSA_87_NAME,
     CLASSIC_MCELIECE_8_F_NAME,
     CLASSIC_MCELIECE_8_F_ROTATE_AT
 )
@@ -57,7 +58,7 @@ def send_new_ephemeral_keys(user_data, user_data_lock, contact_id, ui_queue) ->
         pfs_type = "full"
 
     # Sign them with our per-contact long-term private key
-    publickeys_hashchain_signature = create_signature("Dilithium5", publickeys_hashchain, lt_sign_private_key)
+    publickeys_hashchain_signature = create_signature(ML_DSA_87_NAME, publickeys_hashchain, lt_sign_private_key)
 
     payload = {
             "publickeys_hashchain": b64encode(publickeys_hashchain).decode(),
@@ -147,7 +148,7 @@ def pfs_data_handler(user_data, user_data_lock, user_data_copied, ui_queue, mess
     contact_hashchain_signature = b64decode(message["hashchain_signature"], validate=True)
     contact_publickeys_hashchain = b64decode(message["publickeys_hashchain"], validate=True)
 
-    valid_signature = verify_signature("Dilithium5", contact_publickeys_hashchain, contact_hashchain_signature, contact_lt_public_key)
+    valid_signature = verify_signature(ML_DSA_87_NAME, contact_publickeys_hashchain, contact_hashchain_signature, contact_lt_public_key)
     if not valid_signature:
         logger.error("Invalid ephemeral public-key + hashchain signature from contact (%s)", contact_id)
         return

logic/smp.py

@@ -39,6 +39,9 @@
 from core.crypto import generate_sign_keys
 from core.trad_crypto import derive_key_argon2id, sha3_512
 from base64 import b64encode, b64decode
+from core.constants import (
+        SMP_NONCE_LENGTH
+)
 import hashlib
 import secrets
 import hmac
@@ -58,7 +61,7 @@ def initiate_smp(user_data: dict, user_data_lock, contact_id: str, question: str
         server_url = user_data["server_url"]
         auth_token = user_data["token"]
 
-    our_nonce = b64encode(secrets.token_bytes(32)).decode()
+    our_nonce = b64encode(secrets.token_bytes(SMP_NONCE_LENGTH)).decode()
 
     private_key, public_key = generate_sign_keys()
 
@@ -99,7 +102,7 @@ def initiate_smp(user_data: dict, user_data_lock, contact_id: str, question: str
 def smp_step_2_answer_provided(user_data, user_data_lock, contact_id, answer, ui_queue) -> None:
     answer = normalize_answer(answer)
 
-    our_nonce = secrets.token_bytes(32)
+    our_nonce = secrets.token_bytes(SMP_NONCE_LENGTH)
 
     private_key, public_key = generate_sign_keys()
 

tests/test_crypto.py

@@ -112,7 +112,7 @@ def test_mldsa_keygen_basic():
 
 def test_signature_verifcation():
     """Validate ML-DSA-87 signature creation and verification"""
-    private_key, public_key = generate_sign_keys(algorithm="Dilithium5")
+    private_key, public_key = generate_sign_keys(algorithm=ML_DSA_87_NAME)
 
     assert private_key != public_key, "Private and public keys are identical"