latticearc 0.6.2

Production-ready post-quantum cryptography. Hybrid ML-KEM+X25519 by default, all 4 NIST standards (FIPS 203–206), post-quantum TLS, and FIPS 140-3 backend — one crate, zero unsafe.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

//! Pure-Rust zero-trust types.
//!
//! Contains the `TrustLevel` enum which has no FFI dependencies.
//! The rest of the zero-trust module (sessions, challenges, proofs)
//! lives in [`unified_api`](crate::unified_api) due to Ed25519 FFI dependencies.

/// Trust level for zero-trust sessions.
///
/// Represents the current level of trust established through
/// challenge-response verification.
#[non_exhaustive]
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash, Default)]
#[cfg_attr(kani, derive(kani::Arbitrary))]
pub enum TrustLevel {
    /// No trust established - initial state before any verification.
    #[default]
    Untrusted = 0,
    /// Partial trust - first verification has passed.
    Partial = 1,
    /// Trusted - multiple verifications have passed.
    Trusted = 2,
    /// Fully trusted - continuous verification is active and passing.
    FullyTrusted = 3,
}

impl TrustLevel {
    /// Returns `true` if at least partial trust has been established.
    #[must_use]
    pub fn is_trusted(&self) -> bool {
        *self >= Self::Partial
    }

    /// Returns `true` if full trust has been established.
    #[must_use]
    pub fn is_fully_trusted(&self) -> bool {
        *self == Self::FullyTrusted
    }
}

// Formal verification with Kani
#[cfg(kani)]
mod kani_proofs {
    use super::*;

    /// Proves that TrustLevel ordering is total: for any two levels,
    /// exactly one of <, ==, > holds. This ensures the trust hierarchy
    /// has no ambiguous comparisons.
    #[kani::proof]
    fn trust_level_ordering_total() {
        let a: TrustLevel = kani::any();
        let b: TrustLevel = kani::any();

        let less = a < b;
        let equal = a == b;
        let greater = a > b;

        // Exactly one must hold (XOR logic via sum)
        let count = less as u8 + equal as u8 + greater as u8;
        kani::assert(count == 1, "TrustLevel ordering must be total");
    }

    /// Proves that `is_trusted()` returns true if and only if the level
    /// is at least Partial. Security property: Untrusted entities are
    /// never considered trusted.
    #[kani::proof]
    fn trust_level_is_trusted_iff_at_least_partial() {
        let level: TrustLevel = kani::any();

        let trusted = level.is_trusted();
        let at_least_partial = level >= TrustLevel::Partial;

        kani::assert(trusted == at_least_partial, "is_trusted() must be true iff level >= Partial");
    }

    /// Proves that Untrusted is the minimum trust level — no level
    /// is lower. Security property: the trust floor is well-defined.
    #[kani::proof]
    fn trust_level_untrusted_is_minimum() {
        let level: TrustLevel = kani::any();

        kani::assert(TrustLevel::Untrusted <= level, "Untrusted must be the minimum trust level");
    }

    /// Proves is_fully_trusted() returns true IFF level is FullyTrusted.
    /// Security: only continuously-verified sessions are fully trusted.
    #[kani::proof]
    fn trust_level_is_fully_trusted_iff_fully_trusted() {
        let level: TrustLevel = kani::any();
        let method = level.is_fully_trusted();
        let expected = level == TrustLevel::FullyTrusted;
        kani::assert(method == expected, "is_fully_trusted() iff FullyTrusted");
    }
}

#[cfg(test)]
#[allow(clippy::unwrap_used, clippy::expect_used)]
mod tests {
    use super::*;

    #[test]
    fn test_trust_level_default_succeeds() {
        assert_eq!(TrustLevel::default(), TrustLevel::Untrusted);
    }

    #[test]
    fn test_trust_level_ordering_succeeds() {
        assert!(TrustLevel::Untrusted < TrustLevel::Partial);
        assert!(TrustLevel::Partial < TrustLevel::Trusted);
        assert!(TrustLevel::Trusted < TrustLevel::FullyTrusted);
    }

    #[test]
    fn test_trust_level_is_trusted_succeeds() {
        assert!(!TrustLevel::Untrusted.is_trusted());
        assert!(TrustLevel::Partial.is_trusted());
        assert!(TrustLevel::Trusted.is_trusted());
        assert!(TrustLevel::FullyTrusted.is_trusted());
    }

    #[test]
    fn test_trust_level_is_fully_trusted_succeeds() {
        assert!(!TrustLevel::Untrusted.is_fully_trusted());
        assert!(!TrustLevel::Partial.is_fully_trusted());
        assert!(!TrustLevel::Trusted.is_fully_trusted());
        assert!(TrustLevel::FullyTrusted.is_fully_trusted());
    }
}