Merge pull request #2 from Mateusvff/feature/ml-dsa-implementation

[PQ Authentication] ML-DSA 5 implementation

Author: Mateusvff

device/device.go

@@ -53,6 +53,8 @@ type Device struct {
 		publicKey       NoisePublicKey
 		mlkemPrivateKey MLKEMPrivateKey
 		mlkemPublicKey  MLKEMPublicKey
+		mldsaPrivateKey MLDSAPrivateKey
+		mldsaPublicKey  MLDSAPublicKey
 	}
 
 	peers struct {

device/noise-protocol.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/cloudflare/circl/kem/kyber/kyber1024"
+	"github.com/cloudflare/circl/sign/dilithium/mode5"
 	"golang.org/x/crypto/blake2s"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/poly1305"
@@ -62,13 +63,13 @@ const (
 )
 
 const (
-	MessageInitiationSize      = 148 + (MLKEMCiphertextSize + poly1305.TagSize) // size of handshake initiation message
-	MessageResponseSize        = 92                                             // size of response message
-	MessageCookieReplySize     = 64                                             // size of cookie reply message
-	MessageTransportHeaderSize = 16                                             // size of data preceding content in transport message
-	MessageTransportSize       = MessageTransportHeaderSize + poly1305.TagSize  // size of empty transport
-	MessageKeepaliveSize       = MessageTransportSize                           // size of keepalive
-	MessageHandshakeSize       = MessageInitiationSize                          // size of largest handshake related message
+	MessageInitiationSize      = 148 + (MLKEMCiphertextSize + poly1305.TagSize) + MLDSASignatureSize // size of handshake initiation message
+	MessageResponseSize        = 92                                                                  // size of response message
+	MessageCookieReplySize     = 64                                                                  // size of cookie reply message
+	MessageTransportHeaderSize = 16                                                                  // size of data preceding content in transport message
+	MessageTransportSize       = MessageTransportHeaderSize + poly1305.TagSize                       // size of empty transport
+	MessageKeepaliveSize       = MessageTransportSize                                                // size of keepalive
+	MessageHandshakeSize       = MessageInitiationSize                                               // size of largest handshake related message
 )
 
 const (
@@ -90,6 +91,7 @@ type MessageInitiation struct {
 	Static    [NoisePublicKeySize + poly1305.TagSize]byte
 	MLKEM     [MLKEMCiphertextSize + poly1305.TagSize]byte
 	Timestamp [tai64n.TimestampSize + poly1305.TagSize]byte
+	Signature MLDSASignature
 	MAC1      [blake2s.Size128]byte
 	MAC2      [blake2s.Size128]byte
 }
@@ -131,8 +133,9 @@ func (msg *MessageInitiation) unmarshal(b []byte) error {
 	copy(msg.Static[:], b[8+len(msg.Ephemeral):])
 	copy(msg.MLKEM[:], b[8+len(msg.Ephemeral)+len(msg.Static):])
 	copy(msg.Timestamp[:], b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM):])
-	copy(msg.MAC1[:], b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp):])
-	copy(msg.MAC2[:], b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp)+len(msg.MAC1):])
+	copy(msg.Signature[:], b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp):])
+	copy(msg.MAC1[:], b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp)+len(msg.Signature):])
+	copy(msg.MAC2[:], b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp)+len(msg.Signature)+len(msg.MAC1):])
 
 	return nil
 }
@@ -148,8 +151,9 @@ func (msg *MessageInitiation) marshal(b []byte) error {
 	copy(b[8+len(msg.Ephemeral):], msg.Static[:])
 	copy(b[8+len(msg.Ephemeral)+len(msg.Static):], msg.MLKEM[:])
 	copy(b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM):], msg.Timestamp[:])
-	copy(b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp):], msg.MAC1[:])
-	copy(b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp)+len(msg.MAC1):], msg.MAC2[:])
+	copy(b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp):], msg.Signature[:])
+	copy(b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp)+len(msg.Signature):], msg.MAC1[:])
+	copy(b[8+len(msg.Ephemeral)+len(msg.Static)+len(msg.MLKEM)+len(msg.Timestamp)+len(msg.Signature)+len(msg.MAC1):], msg.MAC2[:])
 
 	return nil
 }
@@ -223,6 +227,7 @@ type Handshake struct {
 	remoteIndex               uint32                   // index for sending
 	remoteStatic              NoisePublicKey           // long term key
 	remoteMLKEMStatic         MLKEMPublicKey           // long term remote ML-KEM static public key
+	remoteMLDSAStatic         MLDSAPublicKey           // long term remote ML-DSA static public key
 	remoteEphemeral           NoisePublicKey           // ephemeral public key
 	precomputedStaticStatic   [NoisePublicKeySize]byte // precomputed shared secret
 	lastTimestamp             tai64n.Timestamp
@@ -348,6 +353,21 @@ func (device *Device) CreateMessageInitiation(peer *Peer) (*MessageInitiation, e
 
 	handshake.mixHash(msg.Timestamp[:])
 	handshake.state = handshakeInitiationCreated
+
+	signScheme := mode5.Scheme()
+	skSign, err := signScheme.UnmarshalBinaryPrivateKey(device.staticIdentity.mldsaPrivateKey[:])
+	if err != nil {
+		return nil, err
+	}
+
+	messageToSign := make([]byte, MessageInitiationSize)
+	if err := msg.marshal(messageToSign); err != nil {
+		return nil, err
+	}
+
+	signature := signScheme.Sign(skSign, messageToSign[:MessageInitiationSize-blake2s.Size128*2-MLDSASignatureSize], nil)
+	copy(msg.Signature[:], signature)
+
 	return &msg, nil
 }
 
@@ -391,6 +411,21 @@ func (device *Device) ConsumeMessageInitiation(msg *MessageInitiation) *Peer {
 		return nil
 	}
 
+	signScheme := mode5.Scheme()
+	pkSign, err := signScheme.UnmarshalBinaryPublicKey(peer.handshake.remoteMLDSAStatic[:])
+	if err != nil {
+		return nil
+	}
+
+	messageToCheck := make([]byte, MessageInitiationSize)
+	if err := msg.marshal(messageToCheck); err != nil {
+		return nil
+	}
+
+	if !signScheme.Verify(pkSign, messageToCheck[:MessageInitiationSize-blake2s.Size128*2-MLDSASignatureSize], msg.Signature[:], nil) {
+		return nil
+	}
+
 	handshake := &peer.handshake
 
 	// decrypt KEM ciphertext

device/noise-types.go

@@ -87,3 +87,15 @@ type (
 	MLKEMPublicKey  [MLKEMPublicKeySize]byte
 	MLKEMPrivateKey [MLKEMPrivateKeySize]byte
 )
+
+const (
+	MLDSAPublicKeySize  = 2592
+	MLDSAPrivateKeySize = 4864
+	MLDSASignatureSize  = 4595
+)
+
+type (
+	MLDSAPublicKey  [MLDSAPublicKeySize]byte
+	MLDSAPrivateKey [MLDSAPrivateKeySize]byte
+	MLDSASignature  [MLDSASignatureSize]byte
+)

device/quantum-keys.go

@@ -2,6 +2,7 @@ package device
 
 import (
 	"github.com/cloudflare/circl/kem/kyber/kyber1024"
+	"github.com/cloudflare/circl/sign/dilithium/mode5"
 )
 
 func GenerateQuantumKeyPair() (pub []byte, priv []byte, err error) {
@@ -13,3 +14,14 @@ func GenerateQuantumKeyPair() (pub []byte, priv []byte, err error) {
 	priv, _ = sk.MarshalBinary()
 	return pub, priv, nil
 }
+
+func GenerateMLDSAKeyPair() (pub []byte, priv []byte, err error) {
+	pk, sk, err := mode5.Scheme().GenerateKey()
+	if err != nil {
+		return nil, nil, err
+	}
+
+	pub, _ = pk.MarshalBinary()
+	priv, _ = sk.MarshalBinary()
+	return pub, priv, nil
+}

go.mod

@@ -3,6 +3,7 @@ module golang.zx2c4.com/wireguard
 go 1.23.1
 
 require (
+	github.com/cloudflare/circl v1.6.1
 	golang.org/x/crypto v0.37.0
 	golang.org/x/net v0.39.0
 	golang.org/x/sys v0.32.0
@@ -11,7 +12,6 @@ require (
 )
 
 require (
-	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	golang.org/x/time v0.7.0 // indirect
 )