feat: [NET-1445] quantum resistant key exchange using ML-KEM (#3060)

## Summary

This PR introduces the ability to use (and to require the use of)
`ML-KEM` for key exchange instead of `RSA`. The former is considered
quantum resistant, while the latter is not. This PR does not change the
defaults, but introduces a new config option to enable the use of the
new quantum resistant algorithm.

Implementing the new algorithm itself was straight forward, but certain
refactoring was necessary to use it. Most of the line changes in this PR
are actually related to that refactoring instead of the core feature
itself.

**Backwards compatibility**

The change is backwards compatible with the default settings, ie. the
change is not breaking as such. However, the new feature can obviously
only be used if both the publisher and subscriber have the new version.

Backwards compatibility with the previous version was tested manually,
and the results are as expected - ie. key exchange works with default
(non-quantum-secure) settings, but fails if
`requireQuantumResistantKeyExchange` is `true`, as the other side
running the old version doesn't support the new algorithm.

## Changes

- Implement encryption and decryption using `ML-KEM` in `EncryptionUtil`
- Refactor interfaces in `EncryptionUtil` to be unified across different
algorithms
- Add a new `StreamrClient` config option under the `encryption` block:
`requireQuantumResistantKeyExchange: <boolean>` (default: false)
- Update `SubscriberKeyExchange` and `PublisherKeyExchange` to read that
config option and act accordingly
- Add to `GroupKeyRequest` and `GroupKeyResponse` protobuf messages an
`encryptionType` field, the value of which is an
`AsymmetricEncryptionType` enum. For backwards compatibility, the
absence of this field is interpreted to imply RSA.
- Refactor away the technical debt of `OldGroupKeyRequest` and
`OldGroupKeyResponse` vs. `NewGroupKeyRequest` and `NewGroupKeyResponse`
mess and get rid of `GroupKeyRequestTranslator`. Now, the "new" group
key classes (generated from protobuf) are used everywhere, and the old
hand-rolled ones have been deleted.
- Add unit test cases for `EncryptionUtil` and integration test cases
for `SubscriberKeyExchange` and `PublisherKeyExchange`
- Add a section to the end-to-end encryption page in the docs,
describing the new feature
- Add a `--quantum` flag to the CLI tool to flip on the new switch


## Limitations and future improvements

- Refactoring away the `OldStreamMessage` / `NewStreamMessage` /
`StreamMessageTranslator` debt is out of scope, the old vs. new classes
issue was only cleaned up in relation to the group key classes, as only
they were relevant to the feature.
- In the future, encryption preferences could come from stream metadata
by default, instead of explicit local config

## Checklist before requesting a review

- [x] Is this a breaking change? If it is, be clear in summary. **->
(No)**
- [x] Read through code myself one more time.
- [x] Make sure any and all `TODO` comments left behind are meant to be
left in.
- [x] Has reasonable passing test coverage?
- [x] Updated changelog if applicable.
- [x] Updated documentation if applicable.

Author: hpihkala

CHANGELOG.md

@@ -13,6 +13,7 @@ Changes before Tatum release are not documented in this file.
 #### Added
 
 - Add new storage node address `STREAMR_STORAGE_NODE_ADDRESS` (https://github.com/streamr-dev/network/pull/3020)
+- Added support for quantum secure key exchange using ML-KEM (https://github.com/streamr-dev/network/pull/3060)
 
 #### Changed
 

docs/docs/streamr-network/security/end-to-end-encryption.md

@@ -5,12 +5,38 @@ sidebar_position: 3
 # End-to-end encryption
 Confidentiality of events published on a stream can be guaranteed with end-to-end encryption. The publisher generates a AES-256 symmetric encryption key and encrypts the messages before publishing them to the network. As the publisher fully controls who can access their data, they are also responsible for communicating the key to subscribers - usually via the key exchange mechanism described below.
 
+The following algorithms are currently available:
+- Message encryption: AES-256
+- Key exchange: RSA (default), ML-KEM (experimental)
+
 ## Key exchange
 The subscribers need the symmetric group key in order to decrypt the data. They automatically obtain this key by performing a key exchange with the publisher. The key exchange happens using asymmetric encryption:
 
--   Both the publisher and subscriber generate a temporary RSA key pair to be used for the key exchange
+-   Both the publisher and subscriber generate a temporary asymmetric key pair (RSA or ML-KEM, depending on configuration) to be used for the key exchange
 -   The subscriber sends a key request to the publisher, containing the subscriber's public key, signed with the subscriber's Ethereum key
--   The publisher checks from the on-chain access control registry whether that subscriber should be able to access the stream, and if it does, the publisher responds with the AES symmetric key, encrypted with the publisher's RSA key for the subscriber's RSA key, and signs with the publisher's Ethereum key.
+-   The publisher checks from the on-chain access control registry whether that subscriber should be able to access the stream, and if it does, the publisher responds by encrypting the AES symmetric key required to unlock the data. The key is encrypted with the publisher's temporary private key for the subscriber's temporary public key, and signed with the publisher's Ethereum key.
+
+## Quantum security
+As an experimental feature, Streamr Network allows quantum resistant cryptographic algorithms to be used instead of traditional ones where applicable. Here's an overview of supported algorithms with commentary from the quantum security point of view:
+- Data encryption: AES-256 (quantum resistant, used by default)
+- Key exchange: ML-KEM-1024 (quantum resistant, available via config option), RSA (not quantum resistant, currently used by default)
+- Signatures: ECDSA with secp256k1 curve (not quantum resistant, used by default). Quantum resistant alternatives coming soon
+
+## Quantum resistant key exchange
+The ML-KEM-1024 based key exchange works as follows. As ML-KEM can only be used to generate a shared secret between the publisher and subscriber, by itself it's not sufficient to allow an arbitrary key to be transferred from the publisher to a subscriber. Therefore, the ML-KEM shared secret is used to derive an AES-256 'wrapper' key using HKDF. The wrapper key is obtained by both the publisher and subscriber by repeating the same key derivation starting with the shared secret. The wrapper key is used to encrypt and decrypt the actual data encryption key, which is the key being exchanged. All algorithms involved in this procedure are considered quantum resistant, therefore making the entirety of the key exchange quantum resistant.
+
+To start using the ML-KEM based key exchange, pass the following configuration to `StreamrClient` on *subscribers*:
+
+```
+const streamr = new StreamrClient({
+    encryption: {
+        requireQuantumResistantKeyExchange: true
+    },
+    // ...
+})
+```
+
+Publishers will automatically respond to key requests based on what algorithm the subscriber requests, so configuring publishers with the above is not necessary. However, if you do set the above config on publishers, they will *only* respond to key requests using ML-KEM, and will ignore requests for RSA. Note that both publishers and subscribers need to have a recent version of the Streamr libraries to use the quantum secure key exchange.
 
 ## Publisher liveness
 To perform the key exchange with the subscribers, the publisher must be online and present in the Network. As the Streamr Network deals with real-time messages, publishers are often constantly online. However, it may happen that the publisher has disappeared since publishing the data, making those messages inaccessible to subscribers who have yet to receive the key. This is a consequence of the data publisher being in full control of who can access their data on the Network.

package-lock.json

@@ -5,12 +5,16 @@ import { getConfig } from './config'
 
 export const getClientConfig = (commandOptions: Options, overridenOptions: StreamrClientConfig = {}): StreamrClientConfig => {
     const configFileJson = getConfig(commandOptions.config)?.client
-    const environmentOptions = { environment: commandOptions.env }
-    const authenticationOptions = (commandOptions.privateKey !== undefined) ? { auth: { privateKey: commandOptions.privateKey } } : undefined
+    const environmentOptions: StreamrClientConfig = { environment: commandOptions.env }
+    const authenticationOptions: StreamrClientConfig = 
+        (commandOptions.privateKey !== undefined) ? { auth: { privateKey: commandOptions.privateKey } } : {}
+    const encryptionOptions: StreamrClientConfig = 
+        (commandOptions.quantum === true) ? { encryption: { requireQuantumResistantKeyExchange: true } } : {}
     return merge(
         configFileJson,
         environmentOptions,
         authenticationOptions,
+        encryptionOptions,
         overridenOptions
     )
 }

packages/cli-tools/src/client.ts

@@ -8,6 +8,7 @@ export interface Options {
     privateKey?: string
     config?: string
     env?: EnvironmentId
+    quantum?: boolean
 }
 
 export const createCommand = (): commander.Command => {
@@ -34,6 +35,7 @@ export const createClientCommand = (
         .option('--config <file>', 'read connection and authentication settings from a config file')
         .option('--env <environmentId>', `use pre-defined environment (${formEnumArgValueDescription(ENVIRONMENT_IDS, DEFAULT_ENVIRONMENT_ID)})`,
             createFnParseEnum('env', ENVIRONMENT_IDS))
+        .option('--quantum', 'use and require quantum secure algorithms where available')
         .action(async (...args: any[]) => {
             const commandOptions = args[args.length - 1].opts()
             try {

packages/cli-tools/src/command.ts

@@ -87,6 +87,7 @@
   "dependencies": {
     "@babel/runtime": "^7.26.7",
     "@babel/runtime-corejs3": "^7.26.7",
+    "@noble/post-quantum": "^0.4.0",
     "@protobuf-ts/runtime": "^2.8.2",
     "@protobuf-ts/runtime-rpc": "^2.8.2",
     "@streamr/config": "^5.5.2",

packages/sdk/package.json

@@ -355,6 +355,15 @@ export interface StreamrClientConfig {
          * requested via the standard Streamr key-exchange.
          */
         rsaKeyLength?: number
+
+        /**
+         * If true, ML-KEM-1024 will be used for key exchange instead of RSA.
+         * If true on subscribers, they will send key requests specifying an ML-KEM public key instead of an RSA one.
+         * If true on publishers, they will *only* respond to key requests specifying an ML-KEM public key.
+         * If false or undefined on publishers, they will respond to key requests with either RSA or ML-KEM
+         * depending on what the subscriber requests.
+         */
+        requireQuantumResistantKeyExchange?: boolean
     }
 
     contracts?: {

packages/sdk/src/Config.ts

@@ -350,6 +350,10 @@
                 "rsaKeyLength": {
                     "type": "number",
                     "default": 4096
+                },
+                "requireQuantumResistantKeyExchange": {
+                    "type": "boolean",
+                    "default": false
                 }
             },
             "default": {}

packages/sdk/src/config.schema.json

@@ -1,28 +1,146 @@
 import crypto, { CipherKey } from 'crypto'
+import { ml_kem1024 } from '@noble/post-quantum/ml-kem'
+import { randomBytes } from '@noble/post-quantum/utils'
 import { StreamMessageAESEncrypted } from '../protocol/StreamMessage'
 import { StreamrClientError } from '../StreamrClientError'
 import { GroupKey } from './GroupKey'
+import { AsymmetricEncryptionType } from '@streamr/trackerless-network'
+import { binaryToUtf8 } from '@streamr/utils'
+import { getSubtle } from '../utils/crossPlatformCrypto'
 
 export const INITIALIZATION_VECTOR_LENGTH = 16
 
+const INFO = Buffer.from('streamr-key-exchange')
+const KEM_CIPHER_LENGTH_BYTES = 1568
+const KDF_SALT_LENGTH_BYTES = 64
+
 // eslint-disable-next-line @typescript-eslint/no-extraneous-class
 export class EncryptionUtil {
-    private static validateRSAPublicKey(publicKey: crypto.KeyLike): void | never {
-        const keyString = typeof publicKey === 'string' ? publicKey : publicKey.toString('utf8')
-        if (typeof keyString !== 'string' || !keyString.startsWith('-----BEGIN PUBLIC KEY-----')
+    /**
+     * Public API for asymmetric encryption, unified interface across the different AsymmetricEncryptionTypes
+     */
+    static async encryptForPublicKey(plaintext: Uint8Array, publicKey: Uint8Array, type: AsymmetricEncryptionType): Promise<Buffer> {
+        if (type === AsymmetricEncryptionType.ML_KEM) {
+            return this.encryptWithMLKEMPublicKey(plaintext, publicKey)
+        }
+        if (type === AsymmetricEncryptionType.RSA) {
+            return this.encryptWithRSAPublicKey(plaintext, publicKey)
+        }
+        throw new Error(`Unexpected encryption type: ${type}`)
+    }
+
+    static async decryptWithPrivateKey(cipher: Uint8Array, privateKey: Uint8Array, type: AsymmetricEncryptionType): Promise<Buffer> {
+        if (type === AsymmetricEncryptionType.ML_KEM) {
+            return this.decryptWithMLKEMPrivateKey(cipher, privateKey)
+        }
+        if (type === AsymmetricEncryptionType.RSA) {
+            return this.decryptWithRSAPrivateKey(cipher, privateKey)
+        }
+        throw new Error(`Unexpected encryption type: ${type}`)
+    }
+
+    /**
+     * RSA
+     */
+    private static toRSAPublicKeyString(publicKey: Uint8Array): string {
+        // RSA publicKey passed around in string format for legacy reasons
+        const keyString = binaryToUtf8(publicKey)
+        if (!keyString.startsWith('-----BEGIN PUBLIC KEY-----')
             || !keyString.endsWith('-----END PUBLIC KEY-----\n')) {
-            throw new Error('"publicKey" must be a PKCS#8 RSA public key in the PEM format')
+            throw new Error('"publicKey" must be an RSA public key (SPKI) in PEM format, encoded in UTF-8')
+        }
+        return keyString
+    }
+
+    private static toRSAPrivateKeyString(privateKey: Uint8Array): string {
+        // RSA privateKey passed around in string format for legacy reasons
+        const keyString = binaryToUtf8(privateKey)
+        if (!keyString.startsWith('-----BEGIN PRIVATE KEY-----')
+            || !keyString.endsWith('-----END PRIVATE KEY-----\n')) {
+            throw new Error('"privateKey" must be a PKCS#8 RSA private key in PEM format, encoded in UTF-8')
         }
+        return keyString
     }
 
-    static encryptWithRSAPublicKey(plaintextBuffer: Uint8Array, publicKey: crypto.KeyLike): Buffer {
-        this.validateRSAPublicKey(publicKey)
-        const ciphertextBuffer = crypto.publicEncrypt(publicKey, plaintextBuffer)
+    private static encryptWithRSAPublicKey(plaintextBuffer: Uint8Array, publicKey: Uint8Array): Buffer {
+        const keyString = this.toRSAPublicKeyString(publicKey)
+        const ciphertextBuffer = crypto.publicEncrypt(keyString, plaintextBuffer)
         return ciphertextBuffer
     }
 
-    static decryptWithRSAPrivateKey(ciphertext: Uint8Array, privateKey: crypto.KeyLike): Buffer {
-        return crypto.privateDecrypt(privateKey, ciphertext)
+    private static decryptWithRSAPrivateKey(ciphertext: Uint8Array, privateKey: Uint8Array): Buffer {
+        const keyString = this.toRSAPrivateKeyString(privateKey)
+        return crypto.privateDecrypt(keyString, ciphertext)
+    }
+
+    /**
+     * ML-KEM
+     */
+    private static async deriveAESWrapperKey(sharedSecret: Uint8Array, kdfSalt: Uint8Array): Promise<Uint8Array> {
+        const subtle = getSubtle()
+        const keyMaterial = await subtle.importKey(
+            'raw',
+            sharedSecret,
+            { name: 'HKDF' },
+            false,
+            ['deriveKey']
+        )
+    
+        const derivedKey = await subtle.deriveKey(
+            {
+                name: 'HKDF',
+                hash: 'SHA-512',
+                salt: kdfSalt,
+                info: INFO
+            },
+            keyMaterial,
+            { name: 'AES-CTR', length: 256 },
+            true,
+            ['encrypt', 'decrypt']
+        )
+    
+        const exportedKey = await subtle.exportKey('raw', derivedKey)
+        return new Uint8Array(exportedKey)
+    }
+
+    private static async encryptWithMLKEMPublicKey(plaintextBuffer: Uint8Array, publicKey: Uint8Array): Promise<Buffer> {
+        // Encapsulate to get kemCipher and shared secret
+        // The recipient will be able to derive sharedSecret using privateKey and kemCipher
+        const { cipherText: kemCipher, sharedSecret } = ml_kem1024.encapsulate(publicKey)
+
+        if (kemCipher.length !== KEM_CIPHER_LENGTH_BYTES) {
+            throw new Error(`Expected KEM cipher to be ${KEM_CIPHER_LENGTH_BYTES}, but it was ${kemCipher.length} bytes`)
+        }
+
+        // Derive an AES wrapping key from the shared secret using HKDF
+        // The recipient will be able to repeat this computation to derive the same key
+        const kdfSalt = randomBytes(KDF_SALT_LENGTH_BYTES)
+        const wrappingAESKey = await this.deriveAESWrapperKey(sharedSecret, kdfSalt)
+        
+        // Encrypt plaintext with the AES wrapping key
+        const aesEncryptedPlaintext = this.encryptWithAES(plaintextBuffer, Buffer.from(wrappingAESKey))
+
+        // Concatenate the deliverables into a binary package
+        return Buffer.concat([kemCipher, kdfSalt, aesEncryptedPlaintext])
+    }
+
+    private static async decryptWithMLKEMPrivateKey(cipherPackage: Uint8Array, privateKey: Uint8Array): Promise<Buffer> {
+        // Split the cipherPackage, see encryptWithMLKEMPublicKey how it's constructed
+        let pos = 0
+        const kemCipher = cipherPackage.slice(0, KEM_CIPHER_LENGTH_BYTES)
+        pos += KEM_CIPHER_LENGTH_BYTES
+        const kdfSalt = cipherPackage.slice(pos, pos + KDF_SALT_LENGTH_BYTES)
+        pos += KDF_SALT_LENGTH_BYTES
+        const aesEncryptedPlaintext = cipherPackage.slice(pos)
+
+        // Derive the shared secret using the private key and kemCipher
+        const sharedSecret = ml_kem1024.decapsulate(kemCipher, privateKey)
+
+        // Derive the wrappingAESKey
+        const wrappingAESKey = await this.deriveAESWrapperKey(sharedSecret, kdfSalt)
+
+        // Decrypt the aesEncryptedPlaintext
+        return this.decryptWithAES(aesEncryptedPlaintext, Buffer.from(wrappingAESKey))
     }
 
     /*

packages/sdk/src/encryption/EncryptionUtil.ts

@@ -1,5 +1,5 @@
 import crypto from 'crypto'
-import { EncryptedGroupKey } from '../protocol/EncryptedGroupKey'
+import { EncryptedGroupKey } from '@streamr/trackerless-network'
 import { uuid } from '../utils/uuid'
 import { EncryptionUtil } from './EncryptionUtil'
 export class GroupKeyError extends Error {
@@ -70,7 +70,10 @@ export class GroupKey {
 
     /** @internal */
     encryptNextGroupKey(nextGroupKey: GroupKey): EncryptedGroupKey {
-        return new EncryptedGroupKey(nextGroupKey.id, EncryptionUtil.encryptWithAES(nextGroupKey.data, this.data))
+        return {
+            id: nextGroupKey.id, 
+            data: EncryptionUtil.encryptWithAES(nextGroupKey.data, this.data)
+        }
     }
 
     /** @internal */
@@ -81,11 +84,4 @@ export class GroupKey {
         )
     }
 
-    /** @internal */
-    static decryptRSAEncrypted(encryptedKey: EncryptedGroupKey, rsaPrivateKey: string): GroupKey {
-        return new GroupKey(
-            encryptedKey.id,
-            EncryptionUtil.decryptWithRSAPrivateKey(encryptedKey.data, rsaPrivateKey)
-        )
-    }
 }