Skip to content

Post-quantum certificate support (ML-DSA-87 + ML-KEM-1024)#5

Merged
disentangle-network merged 1 commit intomasterfrom
feature/pq-certificates
Feb 19, 2026
Merged

Post-quantum certificate support (ML-DSA-87 + ML-KEM-1024)#5
disentangle-network merged 1 commit intomasterfrom
feature/pq-certificates

Conversation

@disentangle-network
Copy link
Copy Markdown
Owner

@disentangle-network disentangle-network commented Feb 19, 2026

Summary

  • Add Curve_PQ (value 2) to the Curve enum for post-quantum certificates
  • ML-DSA-87 (FIPS 204) for CA and certificate signing via cloudflare/circl
  • ML-KEM-1024 (FIPS 203) for host key agreement keys
  • V2 ASN.1 certificate format handles variable-length PQ keys natively
  • PEM banners for all PQ key types (MLDSA87 signing, MLKEM1024 key agreement, encrypted)
  • All marshal/unmarshal/verify functions handle PQ key sizes

Key sizes

Component Classical (Ed25519) Post-Quantum (ML-DSA-87)
Public key 32 B 2,592 B
Signature 64 B 4,627 B
Host cert total ~200 B ~7,500 B

Test plan

  • TestCertificateV2_SignPQ: CA cert sign/verify/marshal/unmarshal roundtrip
  • TestCertificateV2_SignPQ_HostCert: CA-signed host cert with ML-KEM-1024 key
  • All 38 existing cert tests pass (zero regressions)

feat: add ML-DSA-87 and ML-KEM-1024 post-quantum certificate support
d43cf56 
Add Curve_PQ (value 2) to the Curve enum for post-quantum certificates
using NIST FIPS 204 (ML-DSA-87) for signing and FIPS 203 (ML-KEM-1024)
for key agreement. V2 ASN.1 certificate format handles variable-length
keys natively.

Crypto surface changes:
- cert/sign.go: ML-DSA-87 sign via cloudflare/circl
- cert/cert_v2.go: ML-DSA-87 verify, ML-KEM-1024 key pair verification
- cert/pem.go: MLDSA87 and MLKEM1024 PEM banners for all key types
- cert/crypto.go: encrypted PQ private key support
- cert/helper_test.go: PQ CA keygen (ML-DSA-87) and host keygen (ML-KEM-1024)

Key sizes:
- ML-DSA-87 public key: 2592 bytes, signature: 4627 bytes
- ML-KEM-1024 public key: 1568 bytes

Tests:
- TestCertificateV2_SignPQ: CA cert sign/verify/marshal/unmarshal roundtrip
- TestCertificateV2_SignPQ_HostCert: CA-signed host cert with ML-KEM-1024 key
- All 38 existing cert tests pass (zero regressions)

Dependency: github.com/cloudflare/circl v1.6.3 (FIPS-aligned PQ crypto)
@disentangle-network disentangle-network mentioned this pull request Feb 19, 2026
Merged
5 tasks
@disentangle-network disentangle-network merged commit d2beb29 into master Feb 19, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@disentangle-network