bc-components 0.31.1

Secure Components for Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

use dcbor::prelude::*;
use pqcrypto_mlkem::*;

use super::{MLKEMPrivateKey, MLKEMPublicKey};
use crate::{Error, Result};

/// Security levels for the ML-KEM post-quantum key encapsulation mechanism.
///
/// ML-KEM (Module Lattice-based Key Encapsulation Mechanism) is a post-quantum
/// key encapsulation mechanism standardized by NIST. It provides resistance
/// against attacks from both classical and quantum computers.
///
/// Each security level offers different trade-offs between security,
/// performance, and key/ciphertext sizes:
///
/// - `MLKEM512`: NIST security level 1 (roughly equivalent to AES-128)
/// - `MLKEM768`: NIST security level 3 (roughly equivalent to AES-192)
/// - `MLKEM1024`: NIST security level 5 (roughly equivalent to AES-256)
///
/// The numeric values (512, 768, 1024) correspond to the parameter sets and are
/// used in CBOR serialization.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
#[repr(u32)]
pub enum MLKEM {
    /// ML-KEM-512 (NIST security level 1, roughly equivalent to AES-128)
    MLKEM512  = 512,
    /// ML-KEM-768 (NIST security level 3, roughly equivalent to AES-192)
    MLKEM768  = 768,
    /// ML-KEM-1024 (NIST security level 5, roughly equivalent to AES-256)
    MLKEM1024 = 1024,
}

impl MLKEM {
    /// The size of a shared secret in bytes (32 bytes for all security levels).
    pub const SHARED_SECRET_SIZE: usize = mlkem512::shared_secret_bytes();

    /// Generates a new ML-KEM keypair with the specified security level.
    ///
    /// # Returns
    /// A tuple containing the private key and public key.
    ///
    /// # Examples
    ///
    /// ```
    /// use bc_components::MLKEM;
    ///
    /// let (private_key, public_key) = MLKEM::MLKEM512.keypair();
    /// ```
    pub fn keypair(self) -> (MLKEMPrivateKey, MLKEMPublicKey) {
        match self {
            MLKEM::MLKEM512 => {
                let (pk, sk) = mlkem512::keypair();
                (
                    MLKEMPrivateKey::MLKEM512(sk.into()),
                    MLKEMPublicKey::MLKEM512(pk.into()),
                )
            }
            MLKEM::MLKEM768 => {
                let (pk, sk) = mlkem768::keypair();
                (
                    MLKEMPrivateKey::MLKEM768(sk.into()),
                    MLKEMPublicKey::MLKEM768(pk.into()),
                )
            }
            MLKEM::MLKEM1024 => {
                let (pk, sk) = mlkem1024::keypair();
                (
                    MLKEMPrivateKey::MLKEM1024(sk.into()),
                    MLKEMPublicKey::MLKEM1024(pk.into()),
                )
            }
        }
    }

    /// Returns the size of a private key in bytes for this security level.
    ///
    /// # Returns
    /// - `MLKEM512`: 1632 bytes
    /// - `MLKEM768`: 2400 bytes
    /// - `MLKEM1024`: 3168 bytes
    pub fn private_key_size(&self) -> usize {
        match self {
            MLKEM::MLKEM512 => mlkem512::secret_key_bytes(),
            MLKEM::MLKEM768 => mlkem768::secret_key_bytes(),
            MLKEM::MLKEM1024 => mlkem1024::secret_key_bytes(),
        }
    }

    /// Returns the size of a public key in bytes for this security level.
    ///
    /// # Returns
    /// - `MLKEM512`: 800 bytes
    /// - `MLKEM768`: 1184 bytes
    /// - `MLKEM1024`: 1568 bytes
    pub fn public_key_size(&self) -> usize {
        match self {
            MLKEM::MLKEM512 => mlkem512::public_key_bytes(),
            MLKEM::MLKEM768 => mlkem768::public_key_bytes(),
            MLKEM::MLKEM1024 => mlkem1024::public_key_bytes(),
        }
    }

    /// Returns the size of a shared secret in bytes for this security level.
    ///
    /// This is 32 bytes for all security levels.
    pub fn shared_secret_size(&self) -> usize {
        match self {
            MLKEM::MLKEM512 => mlkem512::shared_secret_bytes(),
            MLKEM::MLKEM768 => mlkem768::shared_secret_bytes(),
            MLKEM::MLKEM1024 => mlkem1024::shared_secret_bytes(),
        }
    }

    /// Returns the size of a ciphertext in bytes for this security level.
    ///
    /// # Returns
    /// - `MLKEM512`: 768 bytes
    /// - `MLKEM768`: 1088 bytes
    /// - `MLKEM1024`: 1568 bytes
    pub fn ciphertext_size(&self) -> usize {
        match self {
            MLKEM::MLKEM512 => mlkem512::ciphertext_bytes(),
            MLKEM::MLKEM768 => mlkem768::ciphertext_bytes(),
            MLKEM::MLKEM1024 => mlkem1024::ciphertext_bytes(),
        }
    }
}

/// Converts an `MLKEM` value to CBOR.
impl From<MLKEM> for CBOR {
    /// Converts to the numeric security level value (512, 768, or 1024).
    fn from(mlkem: MLKEM) -> Self { (mlkem as u32).into() }
}

/// Attempts to convert CBOR to an `MLKEM` value.
impl TryFrom<CBOR> for MLKEM {
    type Error = Error;

    /// Converts from a CBOR-encoded security level (512, 768, or 1024).
    ///
    /// # Errors
    /// Returns an error if the CBOR value doesn't represent a valid ML-KEM
    /// level.
    fn try_from(cbor: CBOR) -> Result<Self> {
        let level = u32::try_from(cbor)?;
        match level {
            512 => Ok(MLKEM::MLKEM512),
            768 => Ok(MLKEM::MLKEM768),
            1024 => Ok(MLKEM::MLKEM1024),
            _ => Err(Error::post_quantum(format!(
                "Invalid MLKEM level: {}",
                level
            ))),
        }
    }
}