[PSQ] Allow using Classic McEliece for PQ KEM

[jschneider-bensch]

This PR does three things:

1. Clean up, some renaming and more documentation for more of the new PSQ protocol.
2. Move the old PSQ code to a feature-guarded v1 module, with the exception of some of the Classic McEliece code.
3. Introduce an abstraction for PQ KEM keys, which allows to use either ML-KEM 768 or Classic McEliece 460896f as the PQ KEM.

If you want I can separate 1. and 2. into their own PR, so the changes relating to 3. become more clear.

In terms of possible "configurations" for 3. I went the simplest option, i.e. an initiator can have either an ML-KEM or CMC longterm public key of the responder, and the responder can have either an ML-KEM or CMC key pair. If there is a mismatch, i.e. the initiator sends a registration message for which the responder does not have a matching decapsulation key, then the responder will ignore that message and return to its initial state.

---

TODO

• Ciphersuite builder
• Test configuration mismatch

[franziskuskiefer]

Just some early thoughts

[franziskuskiefer]

Shouldn't this still be optional?

[jschneider-bensch]

Good question! I would like it to be, but I built the PQ KEM selection with an enum now, and that would then have to be non_exhaustive, no?
I recall now we had a similar situation in the original PSQ and then resolved to do this with a commonly implemented trait, instead of an enum. Ideally that would be one of the KEM traits from libcrux-traits... I'll see if I can implement that for the CMC wrapper here.

[franziskuskiefer]

Should this go back in?

[jschneider-bensch]

Yes, I temporarily disabled that too work on the new version as if CMC was unconditionally included, but in any case the old protocol needs the feature.

[franziskuskiefer]

? call into for you. So something like this would work as well.

Suggested change

	AEADKey::new(&responder_ikm, tx2).map_err(|e| e.into())
	Ok(AEADKey::new(&responder_ikm, tx2)?)

[franziskuskiefer]

You should add lifetimes here to avoid warnings.

[franziskuskiefer]

This is pretty bad for the CMCE ciphertext (156 vs 1088). But maybe that's fine? Or would it make sense to use references here as well?

[franziskuskiefer]

Some thoughts

[franziskuskiefer]

Should the into once happen up here already?

[franziskuskiefer]

We should make the API consistent. The DH above gets just a reference. We should pick a style and stick to it for both types of keys.

[franziskuskiefer]

Same comment as for the builder below. We should pick a style for both. Here in the call site we just see the difference as well.
I think either could be fine. Either a generic key_gen with an algorithm identifier, or explicitly generating the keys. But I think I like one function for all a little better.

[franziskuskiefer]

Somewhat unrelated to this PR but I think the aad setters need more documentation to tell the user what the outer and inner aads are.

[jschneider-bensch]

I've changed the proposal here to use a trait mechanism for implementing ciphersuites. This makes it easier to pull out Classic McEliece into a non-default feature.

The downside is that in the way I've implemented it here, we need to pre-serialize the PQ encapsulation, to make the HandshakeMessage types oblivious to the used ciphersuite and we need to do the same with the PQ encapsulation key in another place, since we don't yet have a blanket impl of Serialize for Option<&'a T> from T: Serialize. I tried getting around this by introducing a separate associated type for the reference to the encapsulation key, that would also require a Serialize bound, but could not get it to work. At some point I needed to go from Option<C::EncapsulationKey> to Option<C::EncapsulationKeyRef> and I couldn't figure out which (if any) bounds would allow me to do that.

One more thing that is missing here is a builder for the ciphersuites, so now they are statically constructed in the tests.