feat: Initial implementation of post quantum crypto + account_manager changes

[ch4r10t33r]

Initial implementation of post quantum crypto + account_manager changes

• I have read CONTRIBUTING.md.
• This PR uses conventional commits.

[syjn99]

Few cosmetics reviews. I will dive deeper into the actual implementation. I think I need to spend a couple of hours of hash-sig library to fully understand what this PR deals with. (and luckily the documentation of hash-sig is good!, I guess they recently took an effort regarding it)

Also could you elaborate more about this PR in the description, so that others can quickly grasp the content?

[syjn99]

It seems those kind of changes is not needed.

[syjn99]

It seems like there are bunch of minor version updates which are not that related with this PR. I couldn't find any issues rn. But personally if we want to bump the dependency versions, I think this PR is not a right place to do so as it brings lots of dependency changes itself.

[syjn99]

actually PQSignature is a stub struct that should be fixed after we finalized how we put signature in SignedBlock. I would suggest not changing consensus/lean crate, and remain the stub struct as well.

[ch4r10t33r]

I had to comment it because I ran into issues while testing. I no longer see the issue, I'll revert my changes.

[KolbyML]

use pub _signature:PQSignature then or remove it, but commenting this out doesn't make sense

[syjn99]

This file isn't necessary anymore, seems like you have been working on the outdated codebase. So please remove it.

[KolbyML]

This comment was marked as resolved, but the problem wasn't resolved

[syjn99]

Only checked the pqc crate! Left lots of discussion points.

[syjn99]

[dependencies]
aes-gcm.workspace = true
anyhow.workspace = true
argon2.workspace = true
base64.workspace = true
hashsig.workspace = true
hex.workspace = true
hmac.workspace = true
rand.workspace = true
serde.workspace = true
serde_json.workspace = true
sha2.workspace = true
thiserror.workspace = true
tracing.workspace = true

# ream dependencies
ream-pqc.workspace = true

I think above code is more consistent with our current codebase.

[syjn99]

It seems the filename keystore.rs isn't intuitive, as it mostly handles the signature scheme itself.

[syjn99]

What's the benefit to define as a byte array for both public_key and secret_key, provided GeneralizedXMSSPublicKey and GeneralizedXMSSSecretKey are already serializable? Same comment for XmssSignature.signature.

[syjn99]

We don't have multiple backends for the hash-based signature (at this point), so I don't think this is justified.

[syjn99]

I think this struct can be improved much better. Here's what I experimented with my local environment:

---

Matching by height isn't scalable, and also can't handle different signature schemes. There are so many schemes in hash-sig with different 1) incomparable encodings (e.g., Winternitz, Target Sum, Top-level), 2) chunk size and 3) lifetime.

Fortunately, I found SignatureScheme trait in hash-sig crate, which will make our lives easier. Let me call the new struct XmssWrapper2:

pub struct XmssWrapper2<T: SignatureScheme> {
    _phantom: std::marker::PhantomData<T>,
}

Then we can implement generate_keys with this trait, and note that if we don't use a byte array for PublicKey, most of the code below can also be removed. (Please refer to the previous comment that I left)

impl<T> XmssWrapper2<T>
where
    T: SignatureScheme,
    T::PublicKey: Serialize + for<'de> Deserialize<'de>,
    T::SecretKey: Serialize + for<'de> Deserialize<'de>,
    T::Signature: Serialize + for<'de> Deserialize<'de>,
{
    /// Generate XMSS key pair (serialized)
    pub fn generate_keys<R: Rng>(rng: &mut R) -> Result<KeyPair, XmssWrapperError> {
        let (public_key, secret_key) = T::key_gen(rng, 0, T::LIFETIME as usize);

        let public_key_bytes = serde_json::to_vec(&public_key).map_err(|e| {
            XmssWrapperError::Serialization(format!("Failed to serialize public key: {:?}", e))
        })?;
        let secret_key_bytes = serde_json::to_vec(&secret_key).map_err(|e| {
            XmssWrapperError::Serialization(format!("Failed to serialize secret key: {:?}", e))
        })?;

        Ok(KeyPair {
            public_key: public_key_bytes,
            secret_key: secret_key_bytes,
            lifetime: (T::LIFETIME as f64).log2() as u32,
        })
    }
}

And this can be tested like:

    #[test]
    fn test_key_generation2() {
        let mut rng = rng();

        type XmssWrapper8 = XmssWrapper2<custom_lifetime_8::CustomSIGWinternitzLifetime8W8>;

        let result = XmssWrapper8::generate_keys(&mut rng);
        assert!(result.is_ok());

        let key_pair = result.unwrap();
        assert_eq!(key_pair.lifetime, 8);
        assert!(!key_pair.public_key.is_empty());
        assert!(!key_pair.secret_key.is_empty());
    }

From this approach, I expect we can shrink the LOC of this file upto 40%.

[syjn99]

Also in my knowledge, we won't use Winternitz as our primary incomparable encoding scheme.

Reference: https://eprint.iacr.org/2025/1332.pdf

[syjn99]

We shouldn't sign only part of the given message. Is this code intended to get hash value of the message, as an argument?

[syjn99]

message: &[u8; MESSAGE_LENGTH]

^ This can be much better for parameter definition.

[syjn99]

Suggested change

	SIGWinternitzLifetime18W8::sign(rng, &mut secret_key, epoch, &message_array)
	SIGWinternitzLifetime18W8::sign(rng, &secret_key, epoch, &message_array)

It is enough to pass only reference, not mutable reference. It also means that secret_key_bytes is never updated.

[syjn99]

Why do we have copy-pasted assertion for each tests?

[unnawut]

just for my own learning, what required this pinning?

[ch4r10t33r]

The latest version of tempfile has deprecated several functions, which is causing our make pr command to fail.

[unnawut]

use tracing's info! here

[unnawut]

Can we pass in the path as a function argument rather than hardcoding the file name here? Also applies to public key

[ch4r10t33r]

Yes, this entire crate has to be refactored. I'll be addressing all of them in the new PR. The recent discussions in post-quantum group will require further changes in our code base.

[unnawut]

Instead of having save_secret_key() that saves the public key and calls save_encrypted_secret_key(), can we instead put the public key saving into save_public_key().

Then call save_public_key() and save_encrypted_secret_key() from generate_and_save_keys()?

[ch4r10t33r]

Yes, I had them as separate functions for me to test out the serialisation. I'll be moving this over to generate_and_save_keys() with a pre-agreed path.

[unnawut]

I think it'll be quite impractical to recover the secret key from file each time we want to sign a message.

Can we wrap this into, say, an AccountManager struct that can load a secret key from file and keep the decrypted key in memory in the struct? then we call account_manager.sign_message(...) to sign a message?

[KolbyML]

Overall this code feels unstructured. I agree most of these functions should be in structures organized by what makes sense.

[unnawut]

Umm don't we need to keep the epoch argument (i.e. fixed to 0 here) inputtable?

[ch4r10t33r]

Please ignore the acocunt_manager, this code is incomplete.

[unnawut]

Does the keypair change after each signing? I thought the secret_key and lifetime doesn't change per signing.

Also by setting public_key: vec![] this is a destructive operation that removes public key from the keystore file.

[unnawut]

Similar comment to signing, doesn't the epoch need to be an input?

[unnawut]

Do we need to load the file separately to get the tree height? Can we do this as part of load_secret_key()?

[unnawut]

Super nitpick and super unsure. I think we use anyhow::Result everywhere else instead of import it for disambiguity.

@KolbyML @syjn99 Can you help confirm?

[syjn99]

@unnawut Yes, that would be better in terms of consistency

[KolbyML]

He isn't using anyhow here.

We can do 2 things for errors

• anyhow
• this_error

context decides which we opt for

[KolbyML]

I am concerned by the uses of #[allow and I think a lot of functions should in structures, unless they are general utility functions which doesn't seem to be the case for a lot of these.

I left a few comments which should apply to multiple parts of the PR

[KolbyML]

defining path's should only be defined in the main Cargo.toml

[KolbyML]

unwrap shouldn't be used in production code, can this fail? under what conditions? depending on the case we should pass up an error or use expect instead of unwrap, it is probably safer to just pass up an error

[KolbyML]

Suggested change

	.map_err(|e| AccountManagerError::Serialization(e.to_string()))?;
	.map_err(|err| AccountManagerError::Serialization(err.to_string()))?;
	```}
	please make this change in the 22 other spots in the PR

[KolbyML]

He isn't using anyhow here.

We can do 2 things for errors

• anyhow
• this_error

context decides which we opt for

[KolbyML]

these can be inlined, and as @unnawut state println!() shouldn't be used in production code

[KolbyML]

We shouldn't be using #[allow(deprecated)]

Either we update the crate in a separate PR or fix it here in this PR

[KolbyML]

import etc

[KolbyML]

Overall this code feels unstructured. I agree most of these functions should be in structures organized by what makes sense.

[KolbyML]

if this is unused, why is it here?

[KolbyML]

aren't these defined lengths? we shouldn't use vector's if the lengths are defined (are they?)

[ch4r10t33r]

The work will be split into multiple tasks which will be shared by @shariqnaiyer and myself. Hence, closing this pull request.