crypto_bastion 0.3.0

Hardened post-quantum cryptographic primitives with zero-trust architecture
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233

# Bastion

Bastion is a hardened cryptographic crate focused on strict operational constraints:

- post-quantum primitives: ML-KEM-1024 and ML-DSA-87
- authenticated encryption: AES-256-GCM
- SHA-512 hashing
- zeroization of sensitive material
- bounded public API with timing-floor normalization
- runtime dependency-free (`[dependencies]` is empty)
- allocation-aware measurement workflow

## Public API

Only these crate-level functions are public:

- `encrypt`
- `decrypt`
- `encapsulate`
- `decapsulate`
- `sign`
- `verify`
- `hash`
- `compare`
- `layer_encrypt`
- `layer_decrypt`
- `onion`
- `cut`

Current signatures are buffer-oriented (caller provides output memory):

```rust
pub fn encrypt(
    key: &[u8; 32],
    nonce: &[u8; 12],
    aad: &[u8],
    plaintext: &[u8],
    ciphertext_out: &mut [u8],
    tag_out: &mut [u8; 16],
) -> Result<usize, &'static str>;

pub fn decrypt(
    key: &[u8; 32],
    nonce: &[u8; 12],
    aad: &[u8],
    ciphertext: &[u8],
    tag: &[u8; 16],
    plaintext_out: &mut [u8],
) -> Result<usize, &'static str>;

pub fn encapsulate(
    pk: &[u8],
    ct_out: &mut [u8; 1568],
    ss_out: &mut [u8; 32],
) -> Result<(), &'static str>;

pub fn decapsulate(
    sk: &[u8],
    ct: &[u8],
    ss_out: &mut [u8; 32],
) -> Result<(), &'static str>;

pub fn sign(
    sk: &[u8],
    msg: &[u8],
    sig_out: &mut [u8; 4627],
) -> Result<(), &'static str>;

pub fn verify(pk: &[u8], msg: &[u8], sig: &[u8]) -> bool;

pub fn hash(data: &[u8]) -> [u8; 64];
pub fn compare(a: &[u8], b: &[u8]) -> bool;

pub fn layer_encrypt(
    plaintext: &[u8],
    kem_pks: [&[u8]; 3],
    dsa_sks: [&[u8]; 3],
    out: &mut [u8],
) -> Result<usize, &'static str>;

pub fn layer_decrypt(
    packet: &[u8],
    kem_sks: [&[u8]; 3],
    dsa_pks: [&[u8]; 3],
    out: &mut [u8],
) -> Result<usize, &'static str>;

pub fn onion(
    plaintext: &[u8],
    kem_pks: &[&[u8]],
    dsa_sks: &[&[u8]],
    out: &mut [u8],
) -> Result<usize, &'static str>;

pub fn cut(
    packet: &[u8],
    kem_sks: &[&[u8]],
    dsa_pks: &[&[u8]],
    out: &mut [u8],
) -> Result<usize, &'static str>;
```

## Install

```toml
[dependencies]
crypto_bastion = "0.2"
```

## Quick Start

### Hash and Compare

```rust
use crypto_bastion::{compare, hash};

let a = hash(b"alpha");
let b = hash(b"alpha");
assert!(compare(&a, &b));
```

### AES-256-GCM Encrypt

```rust
use crypto_bastion::encrypt;

let key = [0x11u8; 32];
let nonce = [0x22u8; 12];
let aad = b"context";
let pt = b"payload";

let mut ct = vec![0u8; pt.len()];
let mut tag = [0u8; 16];
let n = encrypt(&key, &nonce, aad, pt, &mut ct, &mut tag)?;
assert_eq!(n, pt.len());
# Ok::<(), &'static str>(())
```

### ML-KEM Encapsulation

```rust
use crypto_bastion::encapsulate;

let pk = vec![0x55u8; 1568];
let mut ct = [0u8; 1568];
let mut ss = [0u8; 32];
encapsulate(&pk, &mut ct, &mut ss)?;
# Ok::<(), &'static str>(())
```

### ML-DSA Signature

```rust
use crypto_bastion::sign;

let sk = vec![0x66u8; 4896];
let msg = b"signed-message";
let mut sig = [0u8; 4627];
sign(&sk, msg, &mut sig)?;
# Ok::<(), &'static str>(())
```

### Layered Onion Encryption

Per-layer overhead is `6223` bytes. Required output size is:

- `plaintext.len() + (layers * 6223)`

```rust
use crypto_bastion::onion;

let msg = b"onion-data";
let kem0 = vec![0x01u8; 1568];
let kem1 = vec![0x02u8; 1568];
let dsa0 = vec![0x11u8; 4896];
let dsa1 = vec![0x22u8; 4896];

let kem = [kem0.as_slice(), kem1.as_slice()];
let dsa = [dsa0.as_slice(), dsa1.as_slice()];

let mut out = vec![0u8; msg.len() + (2 * 6223)];
let packet_len = onion(msg, &kem, &dsa, &mut out)?;
assert_eq!(packet_len, msg.len() + (2 * 6223));
# Ok::<(), &'static str>(())
```

## Security and Engineering Constraints

- Secret material is zeroized in internal key/signing paths.
- Public API wrappers enforce timing floors.
- `compare` is constant-time over equal-length slices.
- Public API paths are allocation-aware; measurements are generated by `write_results`.
- Internal modules remain `pub(crate)`; no direct public key container exposure.

See [SECURITY.md](SECURITY.md) for the detailed model and verification process.

## Verification Workflow

```bash
# Formatting and checks
cargo fmt
cargo check --all-targets
cargo test --all-targets

# Benchmarks
cargo bench --bench public_api

# Allocation + memory + timing-spread report
cargo run --example write_results

# Fuzzing targets (cargo-fuzz + nightly)
cd fuzz
cargo +nightly fuzz run fuzz_hash_compare -- -max_total_time=30
cargo +nightly fuzz run fuzz_encrypt_api -- -max_total_time=30
cargo +nightly fuzz run fuzz_encaps_sign_api -- -max_total_time=30
cargo +nightly fuzz run fuzz_onion_api -- -max_total_time=30
```

## Repository Layout

- `src/lib.rs` public API and hybrid orchestration
- `src/algos/aes256gcm/` AES-GCM internals
- `src/algos/mlkem1024/` ML-KEM internals
- `src/algos/mldsa87/` ML-DSA internals
- `src/constant_time.rs` constant-time helpers and timing guard
- `src/zeroize.rs` zeroization primitives
- `examples/` usage and reporting tools
- `benches/` criterion benchmark suites
- `fuzz/` libFuzzer targets

## License

Licensed under MIT OR Apache-2.0.