crypto_bastion 0.8.0

Hardened post-quantum MLSigcrypt signcryption crate

Bastion

Bastion is a hardened MLSigcrypt crate focused on strict operational constraints:

  • MLSigcrypt-v3 level-3 signcryption over an algebraic encapsulation + ML-DSA-87
  • shared signing-mask / encapsulation randomness in the packet path
  • zeroization of sensitive material
  • bounded public API with timing-floor normalization
  • runtime dependency-free ([dependencies] is empty)
  • allocation-aware measurement workflow

Public API

Only these crate-level functions are public:

  • mlsigcrypt_keygen
  • mlsigcrypt_signcrypt
  • mlsigcrypt_unsigncrypt

The crate also exposes public size constants for buffer sizing:

  • MLSIGCRYPT_PUBLIC_KEY_SIZE
  • MLSIGCRYPT_SECRET_KEY_SIZE
  • MLSIGCRYPT_PACKET_OVERHEAD

Current signatures are buffer-oriented (caller provides output memory):

pub fn mlsigcrypt_keygen(
    pk_user_out: &mut [u8; MLSIGCRYPT_PUBLIC_KEY_SIZE],
    sk_user_out: &mut [u8; MLSIGCRYPT_SECRET_KEY_SIZE],
) -> Result<(), &'static str>;

pub fn mlsigcrypt_signcrypt(
    sk_user_sender: &[u8],
    pk_user_recipient: &[u8],
    aad: &[u8],
    message: &[u8],
    packet_out: &mut [u8],
) -> Result<usize, &'static str>;

pub fn mlsigcrypt_unsigncrypt(
    sk_user_recipient: &[u8],
    pk_user_sender: &[u8],
    aad: &[u8],
    packet: &[u8],
    plaintext_out: &mut [u8],
) -> Result<usize, &'static str>;

Install

[dependencies]
crypto_bastion = "0.7.0"

Quick Start

MLSigcrypt-v3 Unified Signcryption

MLSIGCRYPT_PACKET_OVERHEAD is the fixed packet cost excluding the payload ciphertext.

use crypto_bastion::{
    MLSIGCRYPT_PACKET_OVERHEAD, MLSIGCRYPT_PUBLIC_KEY_SIZE, MLSIGCRYPT_SECRET_KEY_SIZE,
    mlsigcrypt_keygen, mlsigcrypt_signcrypt, mlsigcrypt_unsigncrypt,
};

fn main() -> Result<(), &'static str> {
    let aad = b"context";
    let msg = b"signcrypted";

    // Key buffers are fixed-size arrays; the packet buffer is sized from the
    // fixed overhead plus the payload length.
    let mut sender_pk = [0u8; MLSIGCRYPT_PUBLIC_KEY_SIZE];
    let mut sender_sk = [0u8; MLSIGCRYPT_SECRET_KEY_SIZE];
    let mut recipient_pk = [0u8; MLSIGCRYPT_PUBLIC_KEY_SIZE];
    let mut recipient_sk = [0u8; MLSIGCRYPT_SECRET_KEY_SIZE];
    let mut packet = vec![0u8; MLSIGCRYPT_PACKET_OVERHEAD + msg.len()];
    let mut plaintext = vec![0u8; msg.len()];

    mlsigcrypt_keygen(&mut sender_pk, &mut sender_sk)?;
    mlsigcrypt_keygen(&mut recipient_pk, &mut recipient_sk)?;

    // Both calls return the number of bytes actually written; only that
    // prefix of the output buffer is meaningful.
    let packet_len =
        mlsigcrypt_signcrypt(&sender_sk, &recipient_pk, aad, msg, &mut packet)?;
    let plain_len = mlsigcrypt_unsigncrypt(
        &recipient_sk,
        &sender_pk,
        aad,
        &packet[..packet_len],
        &mut plaintext,
    )?;

    assert_eq!(&plaintext[..plain_len], msg);
    Ok(())
}

Security and Engineering Constraints

  • Secret material is zeroized in internal key/signing paths.
  • MLSigcrypt-v3 level 3 uses a split packet layout (encap | z | c_tilde | h | ct_len | ct) with a 7657-byte fixed overhead in the current exact-encoding implementation.
  • Public key-generation paths are buffer-oriented and zeroize transient seeds/intermediates.
  • Public API wrappers enforce timing floors.
  • Public API paths are allocation-aware; measurements are generated by the write_results example (see Verification Workflow).
  • Key material stays as raw caller-owned byte buffers; no public heap-backed containers are exposed.

See SECURITY.md for the detailed model and verification process.
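The three constraints above (zeroization, constant-time comparison, timing floors) are illustrated here in a self-contained Rust example. This is added illustration, not code from crypto_bastion; the function names ct_eq, zeroize and with_timing_floor and the stand-in key and tag bytes are assumptions of the example.

```rust
use std::hint::black_box;
use std::sync::atomic::{compiler_fence, Ordering};
use std::time::{Duration, Instant};

/// Constant-time equality: always scans both slices fully and folds every
/// byte difference into one accumulator, so the time taken does not depend
/// on where the first mismatch is. A length mismatch is rejected up front.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= black_box(x ^ y);
    }
    black_box(diff) == 0
}

/// Wipe a buffer with volatile writes plus a compiler fence so the compiler
/// cannot drop the stores as dead when the buffer is about to go out of scope.
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Run `op` and pad its wall-clock time up to `floor`. This hides the
/// data-dependent cost of `op` only while `op` finishes under the floor;
/// it is a timing floor, not constant-time code, so pick the floor with margin.
pub fn with_timing_floor<T>(floor: Duration, op: impl FnOnce() -> T) -> T {
    let start = Instant::now();
    let out = op();
    let elapsed = start.elapsed();
    if elapsed < floor {
        std::thread::sleep(floor - elapsed);
    }
    out
}

fn main() {
    let mut sk = [0x5au8; 32]; // constructed stand-in for secret key bytes
    let (tag_a, tag_b) = ([7u8; 16], [7u8; 16]); // constructed authentication tags
    let equal = with_timing_floor(Duration::from_millis(5), || ct_eq(&tag_a, &tag_b));
    zeroize(&mut sk);
    println!("tags equal: {equal}; key wiped: {}", sk.iter().all(|&b| b == 0));
}
```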

Verification Workflow

# Formatting and checks
cargo fmt
cargo check --all-targets
cargo test --all-targets

# Benchmarks
cargo bench --bench public_api

# Allocation + memory + timing-spread report
cargo run --example write_results

# Fuzzing targets (cargo-fuzz + nightly)
cd fuzz
cargo +nightly fuzz run fuzz_mlsigcrypt_api -- -max_total_time=30

Repository Layout

  • src/lib.rs public MLSigcrypt API
  • src/mlsigcrypt/ MLSigcrypt-v3 protocol orchestration and internal packet logic
  • src/mlsigcrypt/specs/ internal spec modules: algebraic encapsulation, Keccak/SHAKE, consolidated SHA3-512/SHA-512 hashing, ML
  • src/constant_time.rs constant-time comparison helpers
  • src/zeroize.rs zeroization primitives
  • examples/ usage and reporting tools
  • benches/ criterion benchmark suites
  • fuzz/ libFuzzer targets

License

Licensed under MIT OR Apache-2.0.