cypheron-core 0.1.2

Post-quantum cryptography library with NIST-standardized quantum-resistant algorithms
Documentation

Cypheron Core

Crates.io License Build Status

IMPORTANT DEVELOPMENT STATUS NOTICE

This library is currently in ACTIVE DEVELOPMENT (v0.1.1) and is EXPERIMENTAL.

This is a Rust wrapper around official NIST reference implementations - not custom cryptography. The core algorithms are NIST-certified, but the Rust integration layer has NOT undergone:

  • Independent security audits of FFI bindings
  • Formal verification of memory safety wrappers
  • Production environment validation

DO NOT USE IN PRODUCTION without comprehensive integration review and testing.

Risk areas: FFI safety, memory management, build system - NOT the underlying NIST algorithms.

Post-quantum cryptography library providing NIST-standardized quantum-resistant algorithms for secure applications.

Overview

Cypheron Core implements post-quantum cryptographic algorithms that protect against both classical and quantum computer attacks. The library provides a secure, high-performance foundation for building quantum-resistant applications.

Supported Algorithms

Key Encapsulation Mechanisms (KEM)

  • ML-KEM (Kyber) - 512, 768, 1024 bit security levels
  • Quantum-resistant key exchange and encryption

Digital Signatures

  • ML-DSA (Dilithium) - Levels 2, 3, 5
  • Falcon - 512, 1024 bit variants
  • SPHINCS+ - Hash-based signatures with multiple configurations

Hybrid Cryptography

  • ECC + Post-Quantum combinations for migration scenarios
  • Backward compatibility with existing systems

Installation

From Crates.io

cargo add cypheron-core

Or add manually to your Cargo.toml:

[dependencies]
cypheron-core = "0.1.1"

From Source (for auditing)

git clone https://github.com/CypheronLabs/Cypheron-core.git
cd Cypheron-core/core-lib
cargo build --release

Quick Start

Basic usage:

use cypheron_core::kem::ml_kem_768::MlKem768;

// Generate quantum-resistant key pair
let (public_key, secret_key) = MlKem768::generate_keypair();

// Encapsulate shared secret
let (ciphertext, shared_secret) = MlKem768::encapsulate(&public_key);

// Decapsulate on recipient side
let recovered_secret = MlKem768::decapsulate(&secret_key, &ciphertext);
assert_eq!(shared_secret, recovered_secret);

Features

  • Memory Safety - Built in Rust with automatic secure cleanup
  • Cross-platform - Windows, macOS, Linux support
  • Performance Optimized - Optimized implementations with platform-specific acceleration
  • Security Focused - Constant-time implementations and side-channel protection
  • Linux Sandboxing - Optional seccomp-BPF syscall filtering for enhanced security (requires seccomp-bpf feature)
  • Well Tested - Comprehensive test suite including known answer tests and fuzzing

Security

  • Constant-time implementations to prevent timing attacks
  • Secure memory management with automatic zeroization
  • Vendor code integrity verification during build
  • Extensive testing including property-based and fuzz testing

Linux Sandboxing (Optional)

For Linux deployments, Cypheron Core supports seccomp-BPF sandboxing to restrict syscalls and reduce attack surface:

[dependencies]
cypheron-core = { version = "0.1.1", features = ["seccomp-bpf"] }

use cypheron_core::platform::linux::enable_production_security;

// Enable restrictive syscall filtering before cryptographic operations
enable_production_security()?;

// Now only whitelisted syscalls are permitted
// All cryptographic operations continue to work normally

This feature is particularly useful for:

  • High-security production deployments
  • Defense-in-depth security strategies
  • Limiting potential exploit impact
  • Compliance with security hardening requirements

See examples/linux_sandboxing.rs for a complete working example.

Documentation

API Documentation

Run cargo doc --open to build and view complete API documentation locally. Or visit cypheron-core-docs

Resources

  • Website: cypheronlabs.com
  • Security Audit: Full source code available for security review
  • Algorithm Specifications: NIST standardized implementations
  • Performance Benchmarks: Run cargo bench for platform-specific metrics

Community Security Audit

We invite security researchers and cryptography experts to audit this library.

This experimental implementation includes:

  • Comprehensive test suite - NIST KAT, timing analysis, side-channel detection
  • Security tooling - Fuzzing infrastructure, memory safety validation
  • Open methodology - Full source code, build reproducibility, test transparency

Audit Resources

  • Test Suite: Run cargo test --test test_runner for comprehensive security validation
  • Fuzzing: Use cargo fuzz for robustness testing
  • Documentation: Complete API and security model documentation available
  • Vendor Code: C implementations from NIST reference sources with integrity verification

Security Review Areas

  • FFI boundary safety between Rust and C vendor code
  • Constant-time implementation validation
  • Memory safety and zeroization verification
  • Side-channel resistance analysis
  • NIST compliance validation

Security findings welcome: Report to security@cypheronlabs.com following our Security Policy.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

License

Licensed under the Apache License, Version 2.0. See LICENSE for details.

Built by Cypheron Labs - Advancing post-quantum cryptography.