kem 0.3.0

Traits for Key Encapsulation Mechanisms (KEMs): public-key cryptosystems designed to enable a sender (a.k.a. encapsulator) to generate and encrypt a short secret key and transmit it to a receiver (a.k.a. decapsulator) confidentially
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251

#![no_std]
#![cfg_attr(docsrs, feature(doc_cfg))]
#![doc = include_str!("../README.md")]
#![doc(
    html_logo_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg",
    html_favicon_url = "https://raw.githubusercontent.com/RustCrypto/media/8f1a9894/logo.svg"
)]
#![forbid(unsafe_code)]
#![warn(missing_docs, unused_qualifications, missing_debug_implementations)]

//! # Usage
//!
//! There are two roles in a KEM:
//!
//! - Encapsulator: the holder of the public key (a.k.a. encapsulation key), which provides an
//!   operation that simultaneously generates both the plaintext and ciphertext of a random
//!   "shared key" whose ciphertext (a.k.a. encapsulation) can be sent to the party with the
//!   decapsulator key.
//! - Decapsulator: holder secret/private key (a.k.a. decapsulation key), which can be used to
//!   decrypt the encrypted (a.k.a. encapsulated) "shared key" which was randomly generated by
//!   the encapsulator.
//!
//! The following example illustrates the workflow of using this crate's traits with a hypothetical
//! KEM named `K` :
//!
#![cfg_attr(feature = "getrandom", doc = "```")]
#![cfg_attr(not(feature = "getrandom"), doc = "```ignore")]
//! // NOTE: requires the `getrandom` feature is enabled
//!
//! use kem::{Decapsulate, Encapsulate, Kem};
//!
//! # pub fn kem_workflow_example<K: Kem<DecapsulationKey: Decapsulate>>() {
//! // Generate a decapsulation/encapsulation keypair. The first one is the secret one.
//! let (dk, ek) = K::generate_keypair();
//!
//! // Encapsulator:
//! //
//! // Randomly generates and encapsulates/encrypts a shared key which can be decrypted by the
//! // holder of the decapsulation key, obtaining the ciphertext and plaintext of the shared key.
//! let (ct, k_send) = ek.encapsulate();
//!
//! // Decapsulator:
//! //
//! // Decapsulates the encrypted/encapsulated shared key, obtaining its plaintext.
//! let k_recv = dk.decapsulate(&ct);
//!
//! // We've now established a shared key.
//! assert_eq!(k_send, k_recv);
//! # }
//! ```
//!
//! ## Serialization
//!
//! The [`KeyInit`] and [`KeyExport`] traits can be used to load and store encoded decapsulation
//! and encapsulation keys from their byte serialization.
//!
//! Decapsulation keys are often initialized from a compact representation known as a [`Seed`].
//! The [`FromSeed`] trait provides an extension to the [`Kem`] trait for initializing keypairs
//! from a seed value. We recommend the [`KeyInit`] and [`KeyExport`] trait impls on
//! decapsulation keys operate on seed values when there is a choice of multiple key formats
//! (e.g. expanded decapsulation keys).
//!
//! [RFC 9180]: https://www.rfc-editor.org/info/rfc9180

pub use common::{
    self, Generate, InvalidKey, Key, KeyExport, KeyInit, KeySizeUser, TryKeyInit, typenum::consts,
};

use common::array::{self, ArraySize};
use core::fmt::Debug;
use core::{array::TryFromSliceError, convert::Infallible};
use rand_core::CryptoRng;

#[cfg(feature = "getrandom")]
use common::getrandom::{SysRng, rand_core::UnwrapErr};

/// Seed value which can be used to deterministically initialize a KEM keypair.
pub type Seed<K> = array::Array<u8, <K as FromSeed>::SeedSize>;

/// KEM decryption key (i.e. private key) which can decrypt encrypted shared secret ciphertexts
/// which were encrypted by [`EncapsulationKey<K>`].
pub type DecapsulationKey<K> = <K as Kem>::DecapsulationKey;

/// KEM encryption key (i.e. public key) which encrypts shared secrets into ciphertexts which
/// can be decrypted by [`DecapsulationKey<K>`].
pub type EncapsulationKey<K> = <K as Kem>::EncapsulationKey;

/// Shared key: plaintext produced after decapsulation by [`Decapsulate::decapsulate`] which is
/// also returned by [`Encapsulate::encapsulate`], which is the shared secret resulting from the
/// key encapsulation algorithm.
pub type SharedKey<K> = array::Array<u8, <K as Kem>::SharedKeySize>;

/// Ciphertext message (a.k.a. "encapsulated key") produced by [`Encapsulate::encapsulate`] which is
/// an encrypted [`SharedKey`] that can be decrypted using [`Decapsulate::decapsulate`].
pub type Ciphertext<K> = array::Array<u8, <K as Kem>::CiphertextSize>;

/// Key encapsulation mechanism.
///
/// This trait describes the entire type family used by a KEM.
pub trait Kem: Copy + Clone + Debug + Default + Eq + Ord + Send + Sync + 'static {
    /// KEM decryption key (i.e. private key) which can decrypt encrypted shared secret ciphertexts
    /// which were encrypted by [`Kem::EncapsulationKey`].
    type DecapsulationKey: TryDecapsulate<Kem = Self> + Generate;

    /// KEM encryption key (i.e. public key) which encrypts shared secrets into ciphertexts which
    /// can be decrypted by [`Kem::DecapsulationKey`].
    type EncapsulationKey: Encapsulate<Kem = Self> + Clone + Debug + Eq;

    /// Size of the shared key/secret returned by both encapsulation and decapsulation.
    type SharedKeySize: ArraySize;

    /// Size of the ciphertext (a.k.a. "encapsulated key") produced by [`Self::EncapsulationKey`].
    type CiphertextSize: ArraySize;

    /// Generate a random KEM keypair using the provided random number generator.
    fn generate_keypair_from_rng<R: CryptoRng>(
        rng: &mut R,
    ) -> (DecapsulationKey<Self>, EncapsulationKey<Self>) {
        let dk = DecapsulationKey::<Self>::generate_from_rng(rng);
        let ek = dk.encapsulation_key().clone();
        (dk, ek)
    }

    /// Generate a random KEM keypair using the system's secure RNG.
    #[cfg(feature = "getrandom")]
    fn generate_keypair() -> (DecapsulationKey<Self>, EncapsulationKey<Self>) {
        Self::generate_keypair_from_rng(&mut UnwrapErr(SysRng))
    }
}

/// Initialize a KEM from a [`Seed`].
///
/// Many KEMs support a fully deterministic and infallible initialization from a short seed value.
///
/// This trait is blanket impl'd for any [`Kem`] whose [`DecapsulationKey`] impls the [`KeyInit`]
/// trait.
pub trait FromSeed: Kem {
    /// Size of the seed value in bytes.
    type SeedSize: ArraySize;

    /// Using the provided seed value, create a KEM keypair.
    fn from_seed(seed: &Seed<Self>) -> (DecapsulationKey<Self>, EncapsulationKey<Self>);
}

impl<K> FromSeed for K
where
    K: Kem,
    K::DecapsulationKey: KeyInit,
{
    type SeedSize = <K::DecapsulationKey as KeySizeUser>::KeySize;

    fn from_seed(seed: &Seed<Self>) -> (DecapsulationKey<Self>, EncapsulationKey<Self>) {
        let dk = DecapsulationKey::<Self>::new(seed);
        let ek = dk.encapsulation_key().clone();
        (dk, ek)
    }
}

/// Decapsulator with an associated encapsulation key which can be used for encrypting shared keys
/// that this decapsulator can decrypt.
pub trait Decapsulator {
    /// KEM algorithm this decapsulator is for.
    type Kem: Kem;

    /// Encapsulation key which can encrypt ciphertexts this decapsulator can decrypt.
    fn encapsulation_key(&self) -> &EncapsulationKey<Self::Kem>;
}

/// Decapsulator for encapsulated keys, with an associated `Encapsulator` bounded by the
/// [`Encapsulate`] trait.
///
/// Often, this will just be a secret key. But, as with [`Encapsulate`], it can be a bundle
/// of secret keys, or it can include a sender's private key for authenticated encapsulation.
/// It could also be a hardware device like an HSM, TPM, or SEP.
///
/// When possible (i.e. for software / non-HSM implementations) types which impl this trait should
/// also impl the [`Generate`] trait to support key generation.
pub trait Decapsulate: TryDecapsulate<Error = Infallible> {
    /// Decapsulates the given [`Ciphertext`] a.k.a. "encapsulated key".
    fn decapsulate(&self, ct: &Ciphertext<Self::Kem>) -> SharedKey<Self::Kem>;

    /// Decapsulate the given byte slice containing a  [`Ciphertext`] a.k.a. "encapsulated key".
    ///
    /// # Errors
    /// - If the length of `ct` is not equal to `<Self as Kem>::CiphertextSize`.
    fn decapsulate_slice(&self, ct: &[u8]) -> Result<SharedKey<Self::Kem>, TryFromSliceError> {
        ct.try_into().map(|ct| self.decapsulate(&ct))
    }
}

/// Decapsulator for encapsulated keys with failure handling, with an associated `Encapsulator`
/// bounded by the [`Encapsulate`] trait.
///
/// Prefer to implement the [`Decapsulate`] trait if possible. See that trait's documentation for
/// more information.
pub trait TryDecapsulate: Decapsulator {
    /// Decapsulation error
    type Error: core::error::Error;

    /// Decapsulates the given [`Ciphertext`] a.k.a. "encapsulated key".
    fn try_decapsulate(
        &self,
        ct: &Ciphertext<Self::Kem>,
    ) -> Result<SharedKey<Self::Kem>, Self::Error>;

    /// Decapsulate the given byte slice containing a  [`Ciphertext`] a.k.a. "encapsulated key".
    ///
    /// # Errors
    /// - If the length of `ct` is not equal to `<Self as Kem>::CiphertextSize`.
    fn try_decapsulate_slice(&self, ct: &[u8]) -> Result<SharedKey<Self::Kem>, Self::Error>
    where
        Self::Error: From<TryFromSliceError>,
    {
        self.try_decapsulate(ct.try_into()?)
    }
}

impl<D> TryDecapsulate for D
where
    D: Decapsulate + Decapsulator,
{
    type Error = Infallible;

    fn try_decapsulate(
        &self,
        ct: &Ciphertext<Self::Kem>,
    ) -> Result<SharedKey<Self::Kem>, Infallible> {
        Ok(self.decapsulate(ct))
    }
}

/// Encapsulator for shared secrets.
///
/// Often, this will just be a public key. However, it can also be a bundle of public keys, or it
/// can include a sender's private key for authenticated encapsulation.
pub trait Encapsulate: TryKeyInit + KeyExport {
    /// KEM algorithm this encapsulator is for.
    type Kem: Kem;

    /// Encapsulates a fresh [`SharedKey`] generated using the supplied random number
    /// generator `R`.
    fn encapsulate_with_rng<R>(&self, rng: &mut R) -> (Ciphertext<Self::Kem>, SharedKey<Self::Kem>)
    where
        R: CryptoRng + ?Sized;

    /// Encapsulate a fresh shared secret generated using the system's secure RNG.
    #[cfg(feature = "getrandom")]
    fn encapsulate(&self) -> (Ciphertext<Self::Kem>, SharedKey<Self::Kem>) {
        self.encapsulate_with_rng(&mut UnwrapErr(SysRng))
    }
}