
PoC on post-quantum algorithms for signature generation and verification in Mojaloop #116

Open
6 tasks
elnyry-sam-k opened this issue Oct 23, 2024 · 1 comment

@elnyry-sam-k
Member

Request Summary:

Quantum computers threaten to break traditional cryptography like RSA and ECC, making current encryption vulnerable. To protect data in the future, we need post-quantum encryption that can withstand quantum attacks. This PoC explores the algorithms and develops a PoC for signature generation and verification mechanisms used by Mojaloop's services, so that when the change needs to be made (to post-quantum-algorithm-based cryptography), we can leverage this work.

Request Details:

  • Deadline: 31st October (but not to change the mechanism itself, just to provide feedback and accept PoC code on a branch)
  • Impact (Teams): No current impact but helps with readiness when the need to use PQ cryptography arises
  • Impact (Components): Services generating and validating Signature in the FSPIOP and other such APIs

Notes:
The standards — containing the encryption algorithms’ computer code, instructions for how to implement them, and their intended uses — are the result of an eight-year effort managed by NIST, which has a long history of developing encryption.

  1. Federal Information Processing Standard (FIPS) 203, intended as the primary standard for general encryption. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. The standard is based on the CRYSTALS-Kyber algorithm, which has been renamed ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism.
  2. FIPS 204, intended as the primary standard for protecting digital signatures. The standard uses the CRYSTALS-Dilithium algorithm, which has been renamed ML-DSA, short for Module-Lattice-Based Digital Signature Algorithm.
  3. FIPS 205, also designed for digital signatures. The standard employs the Sphincs+ algorithm, which has been renamed SLH-DSA, short for Stateless Hash-Based Digital Signature Algorithm. The standard is based on a different math approach than ML-DSA, and it is intended as a backup method in case ML-DSA proves vulnerable.

Artifacts:

  • PRs to follow
  • Presentation to the DA to be attached to the issue

Dependencies:

Accountability:

Decision(s):

The DA reviewed the proposal and PoC and is aligned that we need to be prepared with PQ cryptography for signature generation and verification. -- By the "DA members present on the 23rd October 2024 meeting"

Details

  • The DA reviewed the PoC and is aligned that we need to be prepared with PQ cryptography for signature generation and verification.

  • The DA decided to add an issue to the core-team's backlog to investigate performance of the new signature generation and verification algorithm (from the PoC) and other considerations such as size of keys and signature itself. The DA agreed to move to this as soon as necessary, considering the input from the above spike item.

Follow-up:

  • Add an issue to the core-team's backlog to investigate performance of the new signature generation and verification algorithm
  • Observations on size of keys, signature header and notes on implications
  • Document readiness to move to the new PQ algorithms to help with the move when the DA deems it necessary
@elnyry-sam-k elnyry-sam-k self-assigned this Oct 23, 2024
@s-prak

s-prak commented Oct 23, 2024

Attached is the Proof of Concept (PoC) document detailing the post-quantum cryptography (PQC)
DA-PQC.pdf
