1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
//! # B-Wing
//!
//! A high-assurance **hybrid post-quantum cryptography** library implementing
//! [NIST Level 5][nist-pqc] security with redundancy across multiple classical
//! and post-quantum algorithms.
//!
//! B-Wing follows a **redundancy-first** design: every operation is secured by
//! *at least* one classical elliptic-curve primitive **and** two structurally
//! distinct post-quantum primitives. Even if an adversary completely breaks two
//! out of three algorithms, the combined construction remains secure.
//!
//! ## Modules
//!
//! | Module | Feature flag | Description |
//! |--------|-------------|-------------|
//! | [`kem`] | `kem` | **KWing** — Hybrid Key Encapsulation Mechanism |
//! | [`signing`] | `sign` | **SWing** — Hybrid Digital Signature Scheme |
//!
//! ## Security Architecture
//!
//! ### KWing — Key Encapsulation Mechanism
//!
//! Combines three independent KEMs into a single shared secret via
//! HKDF-SHA3-512:
//!
//! | Layer | Algorithm | Assumption |
//! |-------|-----------|------------|
//! | 1 | X25519 | Classical (ECDH) |
//! | 2 | ML-KEM-1024 (Kyber) | Module-lattice (PQ) |
//! | 3 | FrodoKEM-1344-SHAKE | Unstructured LWE (PQ) |
//!
//! ### SWing — Digital Signatures
//!
//! Combines three independent signature schemes into a single composite
//! signature blob; **all three must pass** for verification to succeed:
//!
//! | Layer | Algorithm | Assumption |
//! |-------|-----------|------------|
//! | 1 | Ed25519 | Classical (EdDSA) |
//! | 2 | ML-DSA-87 (Dilithium) | Module-lattice (PQ) |
//! | 3 | SLH-DSA-SHAKE256f (Sphincs+) | Hash-based (PQ) |
//!
//! ## Quick Start
//!
//! Add B-Wing to `Cargo.toml`:
//!
//! ```toml
//! [dependencies]
//! b-wing = "0.1"
//! ```
//!
//! ### Key Encapsulation (KWing)
//!
//! ```rust,no_run
//! use b_wing::{KWing, KemError};
//!
//! # fn example() -> Result<(), KemError> {
//! // --- Recipient side ---
//! // Derive a long-lived key pair from a 128-byte secret seed.
//! // In production, fill `seed` from a CSPRNG (e.g. `getrandom::fill`).
//! let seed = [0u8; 128];
//! let recipient = KWing::from_seed(&seed)?;
//! let public_key = recipient.get_pub_key(); // share this with senders
//!
//! // --- Sender side ---
//! // Encapsulate a fresh shared secret. The 128-byte encaps_seed MUST be
//! // generated freshly for every encapsulation (never reuse it).
//! let encaps_seed = [1u8; 128];
//! let (ciphertext, shared_secret_sender) = KWing::encapsulate(&encaps_seed, public_key)?;
//!
//! // --- Recipient side (again) ---
//! // Recover the same 64-byte OKM from the ciphertext.
//! let shared_secret_recipient = recipient.decapsulate(&ciphertext)?;
//!
//! assert_eq!(shared_secret_sender, shared_secret_recipient);
//! # Ok(())
//! # }
//! ```
//!
//! ### Digital Signatures (SWing)
//!
//! ```rust,no_run
//! use b_wing::{SWing, SignError};
//!
//! # fn example() -> Result<(), SignError> {
//! // --- Signer side ---
//! // Derive a long-lived key pair from a 160-byte master seed.
//! let master_seed = [0u8; 160];
//! let signer = SWing::from_seed(&master_seed)?;
//! let verification_key = signer.get_pub_key(); // publish / distribute this
//!
//! let message = b"Authenticated payload";
//! let context = b"my-application-v1";
//! // The random_seed MUST be generated freshly from a CSPRNG for every signature.
//! let random_seed = [2u8; 64];
//!
//! let signature = signer.sign(message, context, random_seed)?;
//!
//! // --- Verifier side ---
//! // Verification succeeds only when all three sub-signatures are valid.
//! let ok = SWing::verify(verification_key, message, context, &signature)?;
//! assert!(ok);
//! # Ok(())
//! # }
//! ```
//!
//! ## Feature Flags
//!
//! * **`kem`** *(enabled by default)* — Compiles the [`kem`] module and the
//! [`KWing`] / [`KemError`] re-exports.
//! * **`sign`** — Compiles the [`signing`] module and the [`SWing`] /
//! [`SignError`] re-exports.
//!
//! Both features can be enabled simultaneously, or selectively for
//! binary-size-sensitive targets.
//!
//! ## Design Invariants
//!
//! * **Caller-supplied randomness.** All randomness is provided by the caller
//! as typed seed arrays, making the API fully deterministic and suitable for
//! `no_std`, WASM, and embedded targets.
//! * **Heap-cached keys.** Pre-computed composite public keys are stored on the
//! heap to amortise the cost of key derivation across many operations.
//! * **Zeroize on drop.** All secret material is wrapped in [`zeroize::Zeroizing`]
//! and erased from memory when it goes out of scope.
//! * **Strict size validation.** Every public API validates buffer sizes before
//! performing any cryptographic work, returning [`KemError::InvalidFormat`] or
//! [`SignError::InvalidFormat`] on mismatch.
//!
//! [nist-pqc]: https://csrc.nist.gov/projects/post-quantum-cryptography
/// Hybrid classical/PQ digital signature scheme (SWing).
///
/// See the [module-level docs](signing) for a full security breakdown and
/// usage examples.
pub use ;
/// Hybrid classical/PQ key encapsulation mechanism (KWing).
///
/// See the [module-level docs](kem) for a full security breakdown and
/// usage examples.
pub use ;