cmd/age,tag: implement age1tagpq1.../p256mlkem768tag recipients

Test vectors generated from hpkewg/hpke-pq@19adaeb (hpkewg/hpke-pq#28 +
hpkewg/hpke-pq#32) and cfrg/draft-irtf-cfrg-concrete-hybrid-kems@1bbca40
(cfrg/draft-irtf-cfrg-concrete-hybrid-kems#16), plus the following diff:

diff --git a/reference-implementation/src/bin/generate.rs b/reference-implementation/src/bin/generate.rs
index 25e32e5..bc8f209 100644
--- a/reference-implementation/src/bin/generate.rs
+++ b/reference-implementation/src/bin/generate.rs
@@ -26,6 +26,15 @@ fn generate_test_vectors() -> TestVectors {
     // 5. QSF-P384-MLKEM1024 + SHAKE256 + AES-256-GCM
     vectors.push(TestVector::new::<QsfP384MlKem1024, Shake256, Aes256Gcm>());
 
+    vectors = TestVectors::new();
+
+    // age1pq - xwing
+    vectors.push(TestVector::new::<QsfX25519MlKem768, HkdfSha256, ChaChaPoly>());
+    // age1tag - p256tag
+    vectors.push(TestVector::new::<DhkemP256HkdfSha256, HkdfSha256, ChaChaPoly>());
+    // age1tagpq - p256mlkem768tag
+    vectors.push(TestVector::new::<QsfP256MlKem768, HkdfSha256, ChaChaPoly>());
+
     vectors
 }
 
diff --git a/reference-implementation/src/test_vectors.rs b/reference-implementation/src/test_vectors.rs
index 24335aa..4134fb5 100644
--- a/reference-implementation/src/test_vectors.rs
+++ b/reference-implementation/src/test_vectors.rs
@@ -369,6 +369,10 @@ impl TestVector {
             (0x0051, 0x0011, 0x0002) => self.v::<QsfP384MlKem1024, Shake256, Aes256Gcm>(),
             (0x0051, 0x0011, 0xffff) => self.v::<QsfP384MlKem1024, Shake256, ExportOnly>(),
 
+            // age pq combinations
+            (0x647a, 0x0001, 0x0003) => self.v::<QsfX25519MlKem768, HkdfSha256, ChaChaPoly>(),
+            (0x0050, 0x0001, 0x0003) => self.v::<QsfP256MlKem768, HkdfSha256, ChaChaPoly>(),
+
             _ => Err(format!(
                 "Unsupported algorithm combination: KEM={:#x}, KDF={:#x}, AEAD={:#x}",
                 self.kem_id, self.kdf_id, self.aead_id

Author: FiloSottile

cmd/age/parse.go

@@ -31,7 +31,7 @@ func (gitHubRecipientError) Error() string {
 
 func parseRecipient(arg string) (age.Recipient, error) {
 	switch {
-	case strings.HasPrefix(arg, "age1tag1"):
+	case strings.HasPrefix(arg, "age1tag1") || strings.HasPrefix(arg, "age1tagpq1"):
 		return tag.ParseRecipient(arg)
 	case strings.HasPrefix(arg, "age1") && strings.Count(arg, "1") > 1:
 		return plugin.NewRecipient(arg, pluginTerminalUI)

go.mod

@@ -1,6 +1,6 @@
 module filippo.io/age
 
-go 1.19
+go 1.24.0
 
 require (
 	filippo.io/edwards25519 v1.1.0
@@ -13,6 +13,7 @@ require (
 // Test dependencies.
 require (
 	c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805
+	filippo.io/mlkem768 v0.0.0-20250818110517-29047ffe79fb
 	github.com/rogpeppe/go-internal v1.12.0
 	golang.org/x/tools v0.22.0 // indirect
 )

go.sum

@@ -2,6 +2,8 @@ c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3I
 c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+filippo.io/mlkem768 v0.0.0-20250818110517-29047ffe79fb h1:9eVxcquiUiJn/f8DtnqmsN/8Asqw+h9b1+sM3T/Wl44=
+filippo.io/mlkem768 v0.0.0-20250818110517-29047ffe79fb/go.mod h1:ncYN/Z4GaQBV6TIbmQ7+lIaI+qGXCmZr88zrXHneVHs=
 filippo.io/nistec v0.0.3 h1:h336Je2jRDZdBCLy2fLDUd9E2unG32JLwcJi0JQE9Cw=
 filippo.io/nistec v0.0.3/go.mod h1:84fxC9mi+MhC2AERXI4LSa8cmSVOzrFikg6hZ4IfCyw=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=

tag/internal/hpke/hpke.go

@@ -8,8 +8,10 @@ import (
 	"crypto/cipher"
 	"crypto/ecdh"
 	"crypto/hkdf"
+	"crypto/mlkem"
 	"crypto/rand"
 	"crypto/sha256"
+	"crypto/sha3"
 	"encoding/binary"
 	"errors"
 	"hash"
@@ -131,6 +133,135 @@ func (dh *dhkemRecipient) Decap(encPubEph []byte) ([]byte, error) {
 	return dh.extractAndExpand(dhVal, kemContext)
 }
 
+type qsf struct {
+	id    uint16
+	label string
+}
+
+func (q *qsf) ID() uint16 {
+	return q.id
+}
+
+func (q *qsf) sharedSecret(ssPQ, ssT, ctT, ekT []byte) []byte {
+	h := sha3.New256()
+	h.Write(ssPQ)
+	h.Write(ssT)
+	h.Write(ctT)
+	h.Write(ekT)
+	h.Write([]byte(q.label))
+	return h.Sum(nil)
+}
+
+type qsfSender struct {
+	qsf
+	t  *ecdh.PublicKey
+	pq *mlkem.EncapsulationKey768
+}
+
+// QSFSender returns a KEMSender implementing QSF-P256-MLKEM768-SHAKE256-SHA3256
+// or QSF-X25519-MLKEM768-SHA3256-SHAKE256 (aka X-Wing) from draft-ietf-hpke-pq
+// and draft-irtf-cfrg-concrete-hybrid-kems-00.
+func QSFSender(t *ecdh.PublicKey, pq *mlkem.EncapsulationKey768) (KEMSender, error) {
+	switch t.Curve() {
+	case ecdh.P256():
+		return &qsfSender{
+			t: t, pq: pq,
+			qsf: qsf{
+				id:    0x0050,
+				label: "QSF-P256-MLKEM768-SHAKE256-SHA3256",
+			},
+		}, nil
+	case ecdh.X25519():
+		return &qsfSender{
+			t: t, pq: pq,
+			qsf: qsf{
+				id: 0x647a,
+				label: /**/ `\./` +
+					/*   */ `/^\`,
+			},
+		}, nil
+	default:
+		return nil, errors.New("unsupported curve")
+	}
+}
+
+var testingOnlyEncapsulate func() (ss, ct []byte)
+
+func (s *qsfSender) Encap() (sharedSecret []byte, encapPub []byte, err error) {
+	skE, err := s.t.Curve().GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	if testingOnlyGenerateKey != nil {
+		skE = testingOnlyGenerateKey()
+	}
+	ssT, err := skE.ECDH(s.t)
+	if err != nil {
+		return nil, nil, err
+	}
+	ctT := skE.PublicKey().Bytes()
+
+	ssPQ, ctPQ := s.pq.Encapsulate()
+	if testingOnlyEncapsulate != nil {
+		ssPQ, ctPQ = testingOnlyEncapsulate()
+	}
+
+	ss := s.sharedSecret(ssPQ, ssT, ctT, s.t.Bytes())
+	ct := append(ctPQ, ctT...)
+	return ss, ct, nil
+}
+
+type qsfRecipient struct {
+	qsf
+	t  *ecdh.PrivateKey
+	pq *mlkem.DecapsulationKey768
+}
+
+// QSFRecipient returns a KEMRecipient implementing QSF-P256-MLKEM768-SHAKE256-SHA3256
+// or QSF-MLKEM768-X25519-SHA3256-SHAKE256 (aka X-Wing) from draft-ietf-hpke-pq
+// and draft-irtf-cfrg-concrete-hybrid-kems-00.
+func QSFRecipient(t *ecdh.PrivateKey, pq *mlkem.DecapsulationKey768) (KEMRecipient, error) {
+	switch t.Curve() {
+	case ecdh.P256():
+		return &qsfRecipient{
+			t: t, pq: pq,
+			qsf: qsf{
+				id:    0x0050,
+				label: "QSF-P256-MLKEM768-SHAKE256-SHA3256",
+			},
+		}, nil
+	case ecdh.X25519():
+		return &qsfRecipient{
+			t: t, pq: pq,
+			qsf: qsf{
+				id: 0x647a,
+				label: /**/ `\./` +
+					/*   */ `/^\`,
+			},
+		}, nil
+	default:
+		return nil, errors.New("unsupported curve")
+	}
+}
+
+func (r *qsfRecipient) Decap(enc []byte) ([]byte, error) {
+	ctPQ, ctT := enc[:mlkem.CiphertextSize768], enc[mlkem.CiphertextSize768:]
+	ssPQ, err := r.pq.Decapsulate(ctPQ)
+	if err != nil {
+		return nil, err
+	}
+	pub, err := r.t.Curve().NewPublicKey(ctT)
+	if err != nil {
+		return nil, err
+	}
+	ssT, err := r.t.ECDH(pub)
+	if err != nil {
+		return nil, err
+	}
+	ss := r.sharedSecret(ssPQ, ssT, ctT, r.t.PublicKey().Bytes())
+	return ss, nil
+}
+
 type KDF interface {
 	LabeledExtract(sid, salt []byte, label string, inputKey []byte) ([]byte, error)
 	LabeledExpand(suiteID, randomKey []byte, label string, info []byte, length uint16) ([]byte, error)