Anubis Rage: Hybrid Post-Quantum File Encryption
Overview
Anubis Rage v2.0 is a modern file encryption tool implementing hybrid post-quantum cryptography that combines proven classical security (X25519) with cutting-edge quantum resistance (ML-KEM-1024). This defense-in-depth approach provides maximum protection against both current and future threats.
🛡️ Defense-in-Depth Security
Anubis Rage uses hybrid mode by default, requiring an attacker to break BOTH:
- X25519 ECDH - Proven secure against classical computers for over a decade
- ML-KEM-1024 - NIST-standardized quantum-resistant KEM (FIPS 203)
This is the same approach used by Signal Protocol, Google Chrome, and TLS 1.3 hybrid drafts.
Why Hybrid Mode?
| Security Approach | Classical Attacks | Quantum Attacks | Status |
|---|---|---|---|
| Hybrid (Default) | ✅ Protected (X25519) | ✅ Protected (ML-KEM) | RECOMMENDED |
| Pure PQC | ⚠️ Relies on ML-KEM | ✅ Protected (ML-KEM) | Future-focused |
| Classical Only | ✅ Protected (X25519) | ❌ Broken by Shor's | Legacy systems |
Verdict: Hybrid mode gives you the best of both worlds - battle-tested classical security AND quantum resistance.
Key Features
- 🔐 Hybrid PQC: X25519 + ML-KEM-1024 defense-in-depth (recommended)
- 🎯 NIST Standardized: ML-KEM-1024 from FIPS 203
- 🚀 Simple & Secure: No config files, explicit keys, clean UNIX interface
- ⚡ High Performance: Minimal overhead vs pure classical encryption
- 🔒 Level-5 Security: NIST's highest security classification
Security Guarantees
Hybrid Mode (Default)
Anubis Rage v2.0 combines two independent security layers:
Layer 1: X25519 ECDH (Classical)
- Security Level: 128-bit (Discrete Log Problem)
- Proven Track Record: Used in billions of devices since 2006
- Status: Secure against classical computers
- Quantum Vulnerability: ❌ Broken by Shor's algorithm
Layer 2: ML-KEM-1024 (Post-Quantum)
- Security Level: 256-bit (Module-LWE Problem)
- Standard: NIST FIPS 203 approved
- Status: Believed secure against quantum computers
- Quantum Resistance: ✅ Resists Shor's and Grover's algorithms
Combined Security (Hybrid)
- An attacker must break BOTH X25519 AND ML-KEM-1024
- If ML-KEM is broken, X25519 still protects you (until quantum computers exist)
- If X25519 is broken by quantum computers, ML-KEM-1024 still protects you
- This is defense-in-depth cryptographic engineering
Full Cryptographic Stack
| Component | Algorithm | Security Level | Standard |
|---|---|---|---|
| Hybrid KEM | X25519 + ML-KEM-1024 | 128-bit classical + 256-bit quantum | NIST FIPS 203 ✓ |
| Key Combiner | HKDF-SHA512 | 256-bit | NIST SP 800-56C ✓ |
| Digital Signatures | ML-DSA-87 | NIST Category 5 | NIST FIPS 204 ✓ |
| Key Derivation | HKDF-SHA512 | 256-bit | SP 800-56C ✓ |
| Message Auth | HMAC-SHA512 | 256-bit | FIPS 198-1 ✓ |
| AEAD Encryption | AES-256-GCM-SIV | 256-bit (nonce-misuse resistant) | RFC 8452 ✓ |
🛡️ See NIST_SECURITY_ANALYSIS.md for complete security analysis and threat model.
Installation
From Source (Recommended)
# Requires Rust 1.71+ and liboqs
# Binaries:
# - target/release/anubis-rage
# - target/release/anubis-rage-keygen
System Dependencies
macOS:
Ubuntu/Debian:
&& &&
&&
Arch Linux:
Quick Start
1. Generate Hybrid Keys (Recommended)
The identity file contains your hybrid private key (X25519 + ML-KEM-1024).
For pure PQC mode (optional):
2. Encrypt a File
Using hybrid mode (default):
)
Or use the identity file:
3. Decrypt a File
Usage Guide
Hybrid Mode Examples
Basic encryption:
# Encrypt with hybrid mode
# Decrypt
Multiple recipients:
# Any recipient can decrypt
Streaming encryption:
# Backup with hybrid encryption
| \
# Restore
|
ASCII armor for email/text:
Command-Line Reference
Usage: anubis-rage [OPTIONS] [INPUT]
Options:
-e, --encrypt Encrypt (default)
-d, --decrypt Decrypt
-r, --recipient <KEY> Hybrid recipient public key
-R, --recipients-file <FILE> File with recipient keys
-i, --identity <FILE> Identity file for decryption
-o, --output <FILE> Output file
-a, --armor ASCII armor output
--mode <MODE> Encryption mode: hybrid (default) | pqc
-h, --help Show help
-V, --version Show version
Mode Selection
Hybrid Mode (Default & Recommended):
# Or simply (hybrid is default):
Pure PQC Mode (Optional):
When to use Pure PQC:
- Compliance requirements mandate post-quantum only
- You want maximum quantum resistance without classical components
- Future-focused security policy
When to use Hybrid (Recommended):
- Production deployments (best security today and tomorrow)
- Defense-in-depth security posture
- Following NIST/industry recommendations
- Maximum compatibility and trust
Library Usage
Rust API - Hybrid Mode
use hybrid;
use ;
use ;
// Generate hybrid identity (X25519 + ML-KEM-1024)
let identity = generate;
let recipient = identity.to_public;
// Encrypt with hybrid mode
let encryptor = with_recipients?;
let mut encrypted = vec!;
let mut writer = encryptor.wrap_output?;
writer.write_all?;
writer.finish?;
// Decrypt (both X25519 and ML-KEM-1024 must succeed)
let decryptor = new?;
let mut decrypted = vec!;
let mut reader = decryptor.decrypt?;
reader.read_to_end?;
assert_eq!;
Pure PQC Mode (Optional)
use mlkem;
// Pure ML-KEM-1024 mode
let identity = generate;
let recipient = identity.to_public;
// ... same encryption/decryption API
How Hybrid Mode Works
Key Encapsulation
Hybrid mode performs two independent key exchanges:
1. X25519 ECDH:
- Generate ephemeral X25519 key pair
- Perform Diffie-Hellman → shared_secret_1 (32 bytes)
2. ML-KEM-1024 Encapsulation:
- Encapsulate to recipient's ML-KEM public key
- Result → ciphertext (1568 bytes) + shared_secret_2 (32 bytes)
3. Hybrid Combiner (NIST-recommended):
IKM = shared_secret_1 || shared_secret_2 (64 bytes)
SALT = ephemeral_x25519_pk || mlkem_ciphertext
wrap_key = HKDF-SHA512(IKM, SALT, "anubis-hybrid-v2/X25519+MLKEM-1024")
4. Encrypt file key with wrap_key
Security Analysis
To break hybrid encryption, an attacker must:
- Break X25519 (solve ECDLP) AND
- Break ML-KEM-1024 (solve Module-LWE) AND
- Have both breaks available simultaneously
This is exponentially harder than breaking either system alone.
Threat scenarios:
- ✅ Quantum computer (future): X25519 broken, but ML-KEM-1024 protects you
- ✅ ML-KEM cryptanalysis: ML-KEM broken, but X25519 still provides 128-bit security
- ✅ Implementation bugs: Two independent implementations reduce risk
- ✅ Side-channel attacks: Attacker must exploit both systems
File Format
Hybrid mode uses a new stanza format:
anubis-encryption.org/v2
-> hybrid
<base64-x25519-ephemeral-public-key>
<base64-mlkem-1024-ciphertext>
<encrypted-file-key>
<encrypted-payload>
File overhead:
- Fixed header: ~2.4 KB
- Per recipient: ~2.2 KB (vs ~2.1 KB for pure PQC)
- Minimal performance impact
Backward compatibility:
- v2.0 hybrid files: ❌ NOT compatible with v1.x (different stanza)
- v1.x PQC files: ✅ Can be decrypted by v2.0 (auto-detection)
Performance
Benchmarks on Apple M1 (2.0 GB file):
| Mode | Encryption | Decryption | Key Size |
|---|---|---|---|
| Hybrid | 187 MB/s | 159 MB/s | ~4.7 KB |
| Pure PQC | 187 MB/s | 159 MB/s | ~4.7 KB |
| Classical (reference) | 190 MB/s | 162 MB/s | 64 bytes |
Cryptographic operation timing:
- X25519 KeyGen: ~0.05ms
- X25519 ECDH: ~0.05ms
- ML-KEM-1024 KeyGen: ~2ms
- ML-KEM-1024 Encapsulate: ~0.5ms
- ML-KEM-1024 Decapsulate: ~0.6ms
- Hybrid Combiner: <0.1ms
Verdict: Hybrid mode adds ~2ms overhead for key operations, negligible for file I/O.
Use Cases
Personal Data Protection
# Encrypt sensitive documents with maximum security
Secure Backups
#!/bin/bash
# quantum-safe-backup.sh
DATE=
RECIPIENT="anubis1hybrid1..." # Your hybrid public key
# Database backup with defense-in-depth
| \
| \
Team Collaboration
# Create team recipients file (hybrid keys)
# Encrypt for entire team
CI/CD Integration
# .github/workflows/encrypt-artifacts.yml
- name: Encrypt build artifacts
run: |
anubis-rage -r ${{ secrets.HYBRID_RECIPIENT }} \
-o artifact.encrypted \
target/release/app
Comparison with Other Tools
| Feature | Anubis Rage v2 | age/rage | GPG | Other PQC Tools |
|---|---|---|---|---|
| Hybrid PQC | ✅ X25519 + ML-KEM | ❌ | ❌ | ⚠️ Rare |
| Pure PQC | ✅ ML-KEM-1024 | ❌ | ❌ | ✅ |
| NIST Standardized | ✅ FIPS 203 | ❌ | ✅ (legacy) | ✅ |
| Defense-in-Depth | ✅ Hybrid mode | ❌ | ❌ | ❌ |
| Simple Keys | ✅ | ✅ | ❌ | ⚠️ |
| No Config | ✅ | ✅ | ❌ | ⚠️ |
| UNIX Composability | ✅ | ✅ | ⚠️ | ⚠️ |
| Quantum Resistant | ✅ | ❌ | ❌ | ✅ |
| Production Ready | ✅ (v2.0) | ✅ (classical) | ⚠️ | ❌ |
Unique advantage: Only tool providing hybrid X25519+ML-KEM-1024 with defense-in-depth security.
Migration from v1.x
Breaking Changes in v2.0
- Default mode: Hybrid (was pure PQC)
- Key format: New hybrid keys (X25519 + ML-KEM-1024)
- File format: New hybrid stanza format
Upgrade Path
Option 1: Generate new hybrid keys (recommended)
# Generate v2.0 hybrid key
# Re-encrypt files with hybrid mode
; do
| \
done
Option 2: Continue using v1.x pure PQC mode
# v2.0 can still generate pure PQC keys
# Encrypt with pure PQC mode
Compatibility:
- ✅ v2.0 can decrypt v1.x files (pure ML-KEM-1024)
- ❌ v1.x cannot decrypt v2.0 hybrid files
- ✅ v2.0 can generate both hybrid and pure PQC keys
Security Considerations
Key Storage Best Practices
# Secure permissions
# Backup keys securely
Recommended Practices
- ✅ Use hybrid mode for maximum security
- ✅ Store keys with
chmod 600permissions - ✅ Backup identity files encrypted to recovery keys
- ✅ Use unique keys per device/user
- ✅ Rotate keys periodically
- ✅ Use ASCII armor (
-a) for email/text transmission
Important Warnings
- ⚠️ No passphrase encryption: Keys stored as-is (use full-disk encryption)
- ⚠️ No SSH key support: Only native hybrid/ML-KEM keys
- ⚠️ Quantum security only: Designed for post-quantum threats
- ⚠️ v2.0 breaking change: Hybrid format incompatible with v1.x
Troubleshooting
"liboqs not found":
"Invalid header" errors:
# Check file format
"Recipient not found":
- Verify correct identity file
- Check if file encrypted to your key
- Try both hybrid and pure PQC modes
Building from Source
# Clone repository
# Build with hybrid support
# Run tests
# Install
Development Build
# Debug build
# Test hybrid mode specifically
# Verbose logging
RUST_LOG=debug
Security Disclosure
Email: security@anubis-rage.org
We follow responsible disclosure:
- Acknowledge within 48 hours
- Initial assessment within 7 days
- Patch critical vulnerabilities within 30 days
Contributing
See CONTRIBUTING.md for guidelines.
Areas of interest:
- Performance optimizations
- Additional platform support
- Security audits
- Documentation improvements
- Integration examples
License
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE)
- MIT license (LICENSE-MIT)
at your option.
Acknowledgments
- NIST - Post-quantum cryptography standardization
- Open Quantum Safe - liboqs implementation
- Filippo Valsorda & Ben Cox - age format design
- Signal Protocol Team - Hybrid PQC design inspiration
- Rust Community - Excellent cryptography ecosystem
Further Reading
Documentation
- Hybrid Design Document - Technical architecture and security analysis
- NIST Security Analysis - Compliance and threat model
- Security Policy - Vulnerability reporting
- API Documentation - Library usage
Standards
- NIST FIPS 203: ML-KEM Standard
- NIST SP 800-56C: Hybrid Key Derivation
- IETF TLS 1.3 Hybrid Draft
- Signal Protocol: Hybrid Mode
Anubis Rage v2.0 - Defense-in-depth security for the quantum era.
Hybrid mode: Because your security shouldn't depend on any single algorithm.