Merge branch 'main' into ma/coalesce-rotation-power-updates

Author: mattac21

CHANGELOG.md

@@ -52,6 +52,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * (staking) [#26440](https://github.com/cosmos/cosmos-sdk/pull/26440) Add basic key rotation for validator consensus keys.
 * (crypto) [#26436](https://github.com/cosmos/cosmos-sdk/pull/26436) Add ML-DSA-65 (FIPS 204) post-quantum validator consensus key type, with SDK key wrappers, Amino + interface-registry registration, multisig support, and a `hd.MlDsa65Type` constant.
 * (blockstm) [#26467](https://github.com/cosmos/cosmos-sdk/pull/26467) Track existence for `Has()` reads to reduce false conflicts.
+* (crypto) [#26472](https://github.com/cosmos/cosmos-sdk/pull/26472) Add ML-DSA-65 (FIPS 204) support for user account keys: mnemonic-based keyring creation/recovery (`--algo ml_dsa_65`), transaction signing/verification, and an ante-handler signature-verification gas cost (`Params.SigVerifyCostMlDsa65`).
 
 ### Improvements
 

baseapp/block_gas_test.go

@@ -175,7 +175,7 @@ func TestBaseApp_BlockGas(t *testing.T) {
 				require.Equal(t, []byte("ok"), okValue)
 			}
 			// check block gas is always consumed
-			baseGas := uint64(58359) // baseGas is the gas consumed before tx msg
+			baseGas := uint64(58386) // baseGas is the gas consumed before tx msg
 			expGasConsumed := min(addUint64Saturating(tc.gasToConsume, baseGas), uint64(simtestutil.DefaultConsensusParams.Block.MaxGas))
 			require.Equal(t, int(expGasConsumed), int(ctx.BlockGasMeter().GasConsumed()))
 			// tx fee is always deducted

client/keys/add.go

@@ -244,8 +244,11 @@ func runAddCmd(ctx client.Context, cmd *cobra.Command, args []string, inBuf *buf
 		}
 
 		var pk cryptotypes.PubKey
-		// create an empty pubkey in order to get the algo TypeUrl.
-		tempAny, err := codectypes.NewAnyWithValue(algo.Generate()([]byte{}).PubKey())
+		// Generate a throwaway key from a zero seed solely to obtain the algo's
+		// pubkey TypeUrl. A 32-byte seed is required by all supported account
+		// algos (e.g. ML-DSA-65 panics on a wrong-length seed); the key value
+		// itself is discarded.
+		tempAny, err := codectypes.NewAnyWithValue(algo.Generate()(make([]byte, 32)).PubKey())
 		if err != nil {
 			return err
 		}

crypto/hd/algo.go

@@ -22,8 +22,9 @@ const (
 	// It is currently not supported for end-user keys (wallets/ledgers).
 	Bls12_381Type = PubKeyType("bls12_381")
 	// MlDsa65Type represents the NIST ML-DSA-65 (FIPS 204) post-quantum
-	// signature scheme. It is currently not supported for end-user keys
-	// (wallets/ledgers) and is intended for validator key use.
+	// signature scheme. It is supported for both validator keys and end-user
+	// account keys via the software keyring. Ledger/hardware wallets are not
+	// supported (no device implements ML-DSA today).
 	MlDsa65Type = PubKeyType("ml_dsa_65")
 )
 

crypto/hd/mldsa65.go

@@ -0,0 +1,39 @@
+package hd
+
+import (
+	"github.com/cosmos/cosmos-sdk/crypto/keys/mldsa65"
+	"github.com/cosmos/cosmos-sdk/crypto/types"
+)
+
+// MlDsa65 is the ML-DSA-65 (FIPS 204) account key algorithm.
+var MlDsa65 = mldsa65Algo{}
+
+type mldsa65Algo struct{}
+
+func (mldsa65Algo) Name() PubKeyType {
+	return MlDsa65Type
+}
+
+// Derive reuses the secp256k1 BIP32 derivation. It returns the 32-byte
+// BIP32-derived key for the given mnemonic, passphrase, and HD path, which is
+// used directly as the ML-DSA-65 keygen seed (mldsa65 SeedSize == 32). This
+// gives mnemonic recovery and per-path account separation without inventing a
+// new derivation scheme.
+func (mldsa65Algo) Derive() DeriveFn {
+	return Secp256k1.Derive()
+}
+
+// Generate builds an ML-DSA-65 private key from the 32-byte derived seed.
+func (mldsa65Algo) Generate() GenerateFn {
+	return func(bz []byte) types.PrivKey {
+		privKey, err := mldsa65.GenPrivKeyFromSeed(bz)
+		if err != nil {
+			// A non-32-byte seed only reaches here from a caller passing
+			// untrusted/dummy bytes directly (e.g. ImportPrivKeyHex); the BIP32
+			// derivation path always supplies a 32-byte seed. Such callers must
+			// guard their input — see keyring.generatePrivKey.
+			panic(err)
+		}
+		return &privKey
+	}
+}

crypto/hd/mldsa65_test.go

@@ -0,0 +1,58 @@
+package hd_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/cosmos/cosmos-sdk/crypto/hd"
+	"github.com/cosmos/cosmos-sdk/crypto/keys/mldsa65"
+)
+
+const (
+	testMnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+	hdPath0      = "m/44'/118'/0'/0/0"
+	hdPath1      = "m/44'/118'/0'/0/1"
+)
+
+func TestMlDsa65Name(t *testing.T) {
+	require.Equal(t, hd.MlDsa65Type, hd.MlDsa65.Name())
+}
+
+func TestMlDsa65DeriveAndGenerate(t *testing.T) {
+	derive := hd.MlDsa65.Derive()
+	gen := hd.MlDsa65.Generate()
+
+	seed, err := derive(testMnemonic, "", hdPath0)
+	require.NoError(t, err)
+	require.Len(t, seed, 32) // matches mldsa65 SeedSize
+
+	priv := gen(seed)
+	require.NotNil(t, priv)
+	_, ok := priv.(*mldsa65.PrivKey)
+	require.True(t, ok)
+}
+
+func TestMlDsa65GenerateZeroSeedNoPanic(t *testing.T) {
+	require.NotPanics(t, func() {
+		priv := hd.MlDsa65.Generate()(make([]byte, 32))
+		require.NotNil(t, priv)
+		require.Equal(t, "ml_dsa_65", priv.PubKey().Type())
+	})
+}
+
+func TestMlDsa65DerivationDeterministic(t *testing.T) {
+	derive := hd.MlDsa65.Derive()
+	gen := hd.MlDsa65.Generate()
+
+	mk := func(path string) []byte {
+		seed, err := derive(testMnemonic, "", path)
+		require.NoError(t, err)
+		return gen(seed).PubKey().Bytes()
+	}
+
+	// Same mnemonic+path -> same key (recovery).
+	require.Equal(t, mk(hdPath0), mk(hdPath0))
+	// Different path -> different account (path salt).
+	require.NotEqual(t, mk(hdPath0), mk(hdPath1))
+}

crypto/keyring/keyring.go

@@ -210,7 +210,7 @@ func newKeystore(kr keyring.Keyring, cdc codec.Codec, backend string, opts ...Op
 	// Default options for keybase, these can be overwritten using the
 	// Option function
 	options := Options{
-		SupportedAlgos:       SigningAlgoList{hd.Secp256k1},
+		SupportedAlgos:       SigningAlgoList{hd.Secp256k1, hd.MlDsa65},
 		SupportedAlgosLedger: SigningAlgoList{hd.Secp256k1},
 	}
 
@@ -334,6 +334,18 @@ func (ks keystore) ImportPrivKey(uid, armor, passphrase string) error {
 	return nil
 }
 
+// generatePrivKey runs the signing algorithm's key generator on raw bytes,
+// converting a panic from invalid input (e.g. a wrong-length ML-DSA-65 seed
+// supplied via import-hex) into a returned error instead of crashing.
+func generatePrivKey(algo SignatureAlgo, bz []byte) (priv types.PrivKey, err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = errorsmod.Wrapf(sdkerrors.ErrInvalidRequest, "invalid private key bytes for %s: %v", algo.Name(), r)
+		}
+	}()
+	return algo.Generate()(bz), nil
+}
+
 func (ks keystore) ImportPrivKeyHex(uid, privKey, algoStr string) error {
 	if _, err := ks.Key(uid); err == nil {
 		return errorsmod.Wrap(ErrOverwriteKey, uid)
@@ -349,7 +361,10 @@ func (ks keystore) ImportPrivKeyHex(uid, privKey, algoStr string) error {
 	if err != nil {
 		return err
 	}
-	priv := algo.Generate()(decodedPriv)
+	priv, err := generatePrivKey(algo, decodedPriv)
+	if err != nil {
+		return err
+	}
 	_, err = ks.writeLocalKey(uid, priv)
 	if err != nil {
 		return err

crypto/keyring/keyring_test.go

@@ -2083,4 +2083,72 @@ func assertKeysExist(t *testing.T, kr Keyring, names ...string) {
 	}
 }
 
+func TestNewMnemonicMlDsa65(t *testing.T) {
+	cdc := getCodec()
+	kb := NewInMemory(cdc)
+
+	// Assert hd.MlDsa65 is among the supported algorithms.
+	algos, _ := kb.SupportedAlgorithms()
+	require.True(t, algos.Contains(hd.MlDsa65), "expected hd.MlDsa65 in SupportedAlgos")
+
+	// Create a new mnemonic-backed ML-DSA-65 key.
+	rec, mnemonic, err := kb.NewMnemonic("mldsa", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.MlDsa65)
+	require.NoError(t, err)
+	require.NotEmpty(t, mnemonic)
+
+	// Get the pubkey from the new record.
+	pub, err := rec.GetPubKey()
+	require.NoError(t, err)
+	require.Equal(t, "ml_dsa_65", pub.Type())
+	require.Len(t, pub.Address(), 20)
+
+	// Re-read the key by name; verify address and key stability.
+	rec2, err := kb.Key("mldsa")
+	require.NoError(t, err)
+	pub2, err := rec2.GetPubKey()
+	require.NoError(t, err)
+	require.True(t, pub.Equals(pub2))
+}
+
+func TestMlDsa65SignVerifyThroughKeyring(t *testing.T) {
+	cdc := getCodec()
+	kb := NewInMemory(cdc)
+
+	rec, _, err := kb.NewMnemonic("mldsa-signer", English, sdk.FullFundraiserPath, DefaultBIP39Passphrase, hd.MlDsa65)
+	require.NoError(t, err)
+
+	msg := []byte("sign me with a post-quantum key")
+	sig, pub, err := kb.Sign("mldsa-signer", msg, signing.SignMode_SIGN_MODE_DIRECT)
+	require.NoError(t, err)
+	require.Equal(t, "ml_dsa_65", pub.Type())
+	require.True(t, pub.VerifySignature(msg, sig))
+
+	recPub, err := rec.GetPubKey()
+	require.NoError(t, err)
+	require.True(t, pub.Equals(recPub))
+}
+
+func TestImportPrivKeyHexMlDsa65WrongLength(t *testing.T) {
+	kb := NewInMemory(getCodec())
+	// 31 bytes -> 62 hex chars; not a valid 32-byte ML-DSA-65 seed.
+	badHex := strings.Repeat("ab", 31)
+	require.NotPanics(t, func() {
+		err := kb.ImportPrivKeyHex("bad", badHex, string(hd.MlDsa65Type))
+		require.Error(t, err)
+	})
+}
+
+func TestImportPrivKeyHexMlDsa65Valid(t *testing.T) {
+	kb := NewInMemory(getCodec())
+	seedHex := strings.Repeat("11", 32) // 32 bytes
+	err := kb.ImportPrivKeyHex("good", seedHex, string(hd.MlDsa65Type))
+	require.NoError(t, err)
+
+	rec, err := kb.Key("good")
+	require.NoError(t, err)
+	pub, err := rec.GetPubKey()
+	require.NoError(t, err)
+	require.Equal(t, "ml_dsa_65", pub.Type())
+}
+
 func accAddr(k *Record) (sdk.AccAddress, error) { return k.GetAddress() }

crypto/keys/mldsa65/bench_test.go

@@ -0,0 +1,26 @@
+package mldsa65_test
+
+import (
+	"testing"
+
+	"github.com/cosmos/cosmos-sdk/crypto/keys/internal/benchmarking"
+	"github.com/cosmos/cosmos-sdk/crypto/keys/mldsa65"
+)
+
+func BenchmarkSigning(b *testing.B) {
+	b.ReportAllocs()
+	priv, err := mldsa65.GenPrivKey()
+	if err != nil {
+		b.Fatal(err)
+	}
+	benchmarking.BenchmarkSigning(b, &priv)
+}
+
+func BenchmarkVerification(b *testing.B) {
+	b.ReportAllocs()
+	priv, err := mldsa65.GenPrivKey()
+	if err != nil {
+		b.Fatal(err)
+	}
+	benchmarking.BenchmarkVerification(b, &priv)
+}

crypto/keys/mldsa65/key.go

@@ -46,6 +46,17 @@ func GenPrivKey() (PrivKey, error) {
 	return PrivKey{Key: sk.Bytes()}, nil
 }
 
+// GenPrivKeyFromSeed deterministically derives an ML-DSA-65 private key from a
+// 32-byte seed (mldsa.SeedSize). The same seed always yields the same key,
+// which is what makes mnemonic-based account recovery possible.
+func GenPrivKeyFromSeed(seed []byte) (PrivKey, error) {
+	sk, err := mldsa.GenPrivKeyFromSeed(seed)
+	if err != nil {
+		return PrivKey{}, err
+	}
+	return PrivKey{Key: sk.Bytes()}, nil
+}
+
 // Bytes returns the serialized private key bytes.
 func (privKey PrivKey) Bytes() []byte {
 	return privKey.Key
@@ -117,10 +128,10 @@ var (
 	_ codec.AminoMarshaler = &PubKey{}
 )
 
-// Address returns the validator address: SHA256(pubkey) truncated to 20 bytes,
-// matching the convention used by other CometBFT validator key types. ML-DSA-65
-// is not intended for account-level use; SDK accounts should not derive
-// addresses from this key.
+// Address returns the account/validator address: SHA256(pubkey) truncated to 20
+// bytes, matching the convention used by ed25519 keys. This scheme is valid for
+// both CometBFT validator addresses and SDK account addresses; it MUST NOT change
+// once accounts exist, as that would be a breaking change to derived addresses.
 func (pubKey PubKey) Address() crypto.Address {
 	pk, err := mldsa.NewPubKeyFromBytes(pubKey.Key)
 	if err != nil {