Skip to content

v0.1.5-beta

Choose a tag to compare

View all tags
@gh4rib gh4rib released this 12 Jun 11:18
· 8 commits to main since this release
0.1.5
32b625f

PQPG Architecture Update: The OpenPGP v6 Compatibility Engine

This major release introduces full, interoperable Post-Quantum OpenPGP support. By integrating ProtonMail's highly audited gopenpgp (v3) library, PQPG can now communicate securely with the outside world using standardized IETF post-quantum drafts, without compromising the integrity or algorithmic purity of the native Double Ratchet ecosystem.

Architectural Highlights

  • The Air-Gapped OpenPGP Compartment: The OpenPGP engine operates in strict isolation (Option 3 in the main menu). It utilizes its own dedicated keystore logic, ensuring that standardized Web of Trust operations never bleed into or pollute the bespoke Double Ratchet and Vault state machines.
  • IETF Post-Quantum Draft Compliance: Fully implements draft-ietf-openpgp-pqc-09. The engine natively handles RFC 9580 v6 packets, RFC 3394 AES Key Wrap, and the strict KMAC256 Key Derivation Functions mandated for composite post-quantum routing.
  • Dynamic UX & Keystore Management: Key generation dynamically provisions isolated, user-specific directory structures (e.g., Alice_Smith_openpgp_keys) to cleanly manage multiple identities and prevent path-collision errors.

New Cryptographic Primitives & Pairings

The engine introduces the Proton/PQC cryptographic profile, automatically mapping FIPS-standardized algorithms to their traditional ECC fallbacks to maintain absolute crypto-agility and backwards compatibility:

  • Composite Key Encapsulation (KEM): * Standard: Kyber768 + X25519 (Algorithm ID 29)

  • High Security: Kyber1024 + X448 (Algorithm ID 30)

  • Composite Signatures (DSA):

  • Standard: ML-DSA-65 (Dilithium3) + Ed25519 (Algorithm ID 35)

  • High Security: ML-DSA-87 (Dilithium5) + Ed448 (Algorithm ID 36)

  • Symmetric & Key Protection: Enforces AES-256-GCM for packet encryption and Argon2id for robust, brute-force-resistant private key password protection (S2K).

Supported Interoperable Operations

Users operating within the OpenPGP compartment can now execute the following standardized workflows:

  • Asynchronous File Streaming: Encrypt and sign massive files or decrypt and verify incoming .pgp streams natively.
  • Cleartext Signed Messages: Generate and mathematically verify PGP messages where the plaintext payload remains human-readable.
  • Detached Signatures: Output standalone .sig artifacts for highly secure, post-quantum software release engineering and verification.
  • Keyblock Distribution: Export and import fully compliant .asc armored composite keyblocks for integration with modern, PQC-aware mail clients.

Critical Bug Fixes & Refinements

  • Stateless File Targeting: Patched a fatal nil-pointer vulnerability in the interactive CLI handlers where directory paths were incorrectly passed directly to the gopenpgp byte-reader, resulting in zero-entity panics. Explicit file-path validation and os.ReadFile error handling have been strictly enforced across all OpenPGP operations.
Assets 2
Loading