Add ML-KEM

[bartonjs]

As part of the Post-Quantum Cryptography effort, we should add support for Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM).

There is no precedent for Key Encapsulation Mechanism (KEM) algorithms in .NET. Seemingly it makes sense to incorporate in areas where an RSA Encryption Scheme (RSAES) is utilized. This is currently only the case for EnvelopedCms, but KEM support for CMS EnvelopedData is new and not widely supported, so it is not being proposed as active work at this time.

Based on Elliptic-Curve Digital Signature Algorithm's name of "EC-DSA" becoming ECDsa, the class name for ML-KEM is proposed as MLKem.

namespace System.Security.Cryptography
{
    [Experimental("SYSLIB5006")]
    public abstract class MLKem : IDisposable
    {
        public static bool IsSupported { get; }

        protected MLKem(MLKemAlgorithm algorithm);

        public MLKemAlgorithm Algorithm { get; }
        public void Dispose();

        public void Encapsulate(Span<byte> ciphertext, Span<byte> sharedSecret);
        public void Decapsulate(ReadOnlySpan<byte> ciphertext, Span<byte> sharedSecret);

        public byte[] ExportSubjectPublicKeyInfo();
        public bool TryExportSubjectPublicKeyInfo(Span<byte> destination, out int bytesWritten);
        public string ExportSubjectPublicKeyInfoPem();

        public byte[] ExportPkcs8PrivateKey();
        public bool TryExportPkcs8PrivateKey(Span<byte> destination, out int bytesWritten);
        public string ExportPkcs8PrivateKeyPem();

        public byte[] ExportEncryptedPkcs8PrivateKey(
            ReadOnlySpan<char> password,
            PbeParameters pbeParameters);
        public byte[] ExportEncryptedPkcs8PrivateKey(
            ReadOnlySpan<byte> passwordBytes,
            PbeParameters pbeParameters);
        public bool TryExportEncryptedPkcs8PrivateKey(
            ReadOnlySpan<char> password,
            PbeParameters pbeParameters,
            Span<byte> destination,
            out int bytesWritten);
        public bool TryExportEncryptedPkcs8PrivateKey(
            ReadOnlySpan<byte> passwordBytes,
            PbeParameters pbeParameters,
            Span<byte> destination,
            out int bytesWritten);
        public string ExportEncryptedPkcs8PrivateKeyPem(
            ReadOnlySpan<char> password,
            PbeParameters pbeParameters);
        public string ExportEncryptedPkcs8PrivateKeyPem(
            ReadOnlySpan<byte> passwordBytes,
            PbeParameters pbeParameters);

        public int ExportMLKemEncapsulationKey(Span<byte> destination);
        public int ExportMLKemDecapsulationKey(Span<byte> destination);
        public int ExportMLKemPrivateSeed(Span<byte> destination);

        public static MLKem GenerateMLKem512Key();
        public static MLKem GenerateMLKem768Key();
        public static MLKem GenerateMLKem1024Key();

        public static MLKem ImportSubjectPublicKeyInfo(ReadOnlySpan<byte> source);
        public static MLKem ImportPkcs8PrivateKey(ReadOnlySpan<byte> source);
        public static MLKem ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<byte> passwordBytes, ReadOnlySpan<byte> source);
        public static MLKem ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<char> password, ReadOnlySpan<byte> source);
        public static MLKem ImportFromPem(ReadOnlySpan<char> source);
        public static MLKem ImportFromEncryptedPem(ReadOnlySpan<char> source, ReadOnlySpan<char> password);
        public static MLKem ImportFromEncryptedPem(ReadOnlySpan<char> source, ReadOnlySpan<byte> passwordBytes);
        public static MLDsa ImportMLKemEncapsulationKey(MLKemAlgorithm algorithm, ReadOnlySpan<byte> source);
        public static MLDsa ImportMLKemDecapsulationKey(MLKemAlgorithm algorithm, ReadOnlySpan<byte> source);
        public static MLDsa ImportMLKemPrivateSeed(MLKemAlgorithm algorithm, ReadOnlySpan<byte> source);

        protected void ThrowIfDisposed();
        protected virtual void Dispose(bool disposing);

        protected abstract void EncapsulateCore(Span<byte> ciphertext, Span<byte> sharedSecret);
        protected abstract void DecapsulateCore(ReadOnlySpan<byte> ciphertext, Span<byte> sharedSecret);

        protected abstract void ExportMLKemEncapsulationKey(Span<byte> destination);
        protected abstract void ExportMLKemDecapsulationKey(Span<byte> destination);
        protected abstract void ExportMLKemPrivateSeed(Span<byte> destination);
    }

    [DebuggerDisplay("{Name,nq}")]
    [Experimental("SYSLIB5006")]
    public sealed class MLKemAlgorithm
    {
        private MLKemAlgorithm();

        public static MLKemAlgorithm MLKem512 { get; }
        public static MLKemAlgorithm MLKem768 { get; }
        public static MLKemAlgorithm MLKem1024 { get; }

        public string Name { get; }
        public int EncapsulationKeySizeInBytes { get; }
        public int DecapsulationKeySizeInBytes { get; }
    }

    [Experimental("SYSLIB5006")]
    public class MLKemCng : MLKem
    {
         public MLKemCng(CngKey key);
         // On ECDsaCng this is an allocating property. Changed to a method here.
         public CngKey GetCngKey();
    }

    [Experimental("SYSLIB5006")]
    public class MLKemOpenSsl : MLKem
    {
         public MLKemOpenSsl(SafeEvpPKeyHandle keyHandle);
         public SafeEvpPKeyHandle DuplicateKeyHandle();
    }
}

namespace System.Security.Cryptography.X509Certificates
{
    // Extension class to enable porting to Microsoft.Bcl.Cryptography
    [Experimental("SYSLIB5006")]
    public sealed class MLKemCertificateExtensions
    {
        public static MLKem GetMLKemPublicKey(this X509Certificate2 certificate);
        public static MLKem GetMLKemPrivateKey(this X509Certificate2 certificate);
    }
}

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[bartonjs]

This proposal is based on #113502, except

• MLDsaSecretKey/MLDsaPublicKey => MLKemDecapsulationKey/MLKemEncapsulationKey
• s/MLDsa/MLKem/g
• 44/65/87 => 512/768/1024
• Remove SignData/VerifyData/SignPreHash/VerifyPreHash
• Add Encapsulate and Decapsulate
• Doesn't need CMS, COSE, or X509SignatureGenerator work.

An ML-KEM transport certificate can be made by

• Exporting the ML-KEM key as SPKI
• Importing the SPKI into PublicKey
• Using a CertificateRequest ctor that takes PublicKey
• Using a CertificateRequest.Create method that takes the signer cert

Exporting a PKCS#10 carrying ML-KEM is "an exercise left to the reader". If good standardization comes along for how it should "sign" itself for proof of private key, we can innovate on that.

[vcsjones]

This API is a rough sketch, it is not "the" final API. As we implement this and learn more about what exactly is needed the API here will be updated, and then a "final" API will go through the API review process.

[vcsjones]

@bartonjs A couple of thoughts as I firm up implementation and tests (w.r.t ML-KEM)

1. I am starting to come around to the idea that generating keys should be Generate(MLKemAlgorithm), not three distinct generate methods.
2. I am not sure how nice it is that the base class has ThrowIfDisposed is, unless it is abstract. The base class doesn't have enough information to know if it is disposed or not - the implementations do. ThrowIfDisposed just means I have more state I need to keep track of (base class has a bool, implementations need to check handles)
3. MLKemAlgorithm needs
   1. IEquality. Might as well do equality operators then.
   2. The KEM cipher text size.
4. There is some MLDsa leftovers in this proposal. I am not sure if they are leftovers or if they need to adapted somehow. Can you scan the API here for MLDsa and adjust?

[bartonjs]

1. That's OK with me. So long as we don't ::shudder:: pick a default I don't have strong feelings between 3 methods and 1 parameterized one.
2. In my ML-DSA prototype, I gave the base class a _disposed that it sets during Dispose(true); and it meant that none of the derived types needed to do the same. But since we've gotten rid of the "I'm not disposed but I don't have a key (yet)" state I guess that boolean is likely redundant with the nullarity of a key field. Though, with the base class having _disposed, the derived types can declare the field as non-null and ignore any state where it is null (they can set it to null! in Dispose, and the template pattern says they'll never be called again after that). So, really it's all about making the derived/implementation types just have to write the core methods and not track disposal states. If you think that's better achieved as virtual/abstract... I'm willing to opine in a PR.
3. 1. Why does it need IEquality? If it's a class and has no public ctor, then reference equality is all that's needed... you either are the ML-KEM-1024 instance, or not.
   2. Yep, seems fine.
4. "I don't see any". (checks again) "Oh, the parameters to the ImportMLKem{EK|DK|Seed}". Fixed. The comment about how MLKemCng.GetKey is different from ECDsaCng.Key is still valid, since there's no ECKem to compare it to. If you see anything else, feel free to mock me.

[vcsjones]

pick a default

Never again.

Why does it need IEquality? If it's a class and has no public ctor, then reference equality is all that's needed... you either are the ML-KEM-1024 instance, or not.

1. Developer happiness. Someone is going to start using it as an identifier in their own code if (alg == MLKemAlgorithm.MLKem768), etc.
2. I am always worried about reference equality when stuff like assembly load contexts (or app domains in .NET Framework) come in to play.

[tmds]

cc @scott-xu