latticearc 0.8.2

Production-ready post-quantum cryptography. Hybrid ML-KEM+X25519 by default, all 4 NIST standards (FIPS 203–206), and FIPS 140-3 backend — one crate, zero unsafe.
Documentation

latticearc

crates.io docs.rs CI FIPS 203-206 License

Post-quantum cryptography for Rust. Implements all four NIST PQC standards (FIPS 203–206) behind a use-case-driven API — describe what you're protecting, the library picks the algorithm, security level, and compliance mode. Hybrid (PQ + classical) by default; PQ-only mode for CNSA 2.0.

Install

[dependencies]
latticearc = "0.8"

Requires Rust 1.93+ and a C/C++ compiler. For FIPS-validated routing also CMake + Go (--features fips).

Quick Start

use latticearc::{encrypt, decrypt, CryptoConfig, EncryptKey, DecryptKey};

let (pk, sk) = latticearc::generate_hybrid_keypair()?;
let encrypted = encrypt(b"secret data", EncryptKey::Hybrid(&pk), CryptoConfig::new())?;
let decrypted = decrypt(&encrypted, DecryptKey::Hybrid(&sk), CryptoConfig::new())?;
// ML-KEM-768 + X25519 + HKDF-SHA256 + AES-256-GCM — selected automatically

CLI

A companion command-line tool — latticearc-cli — exposes the same library so ops and CI workflows can use PQ crypto without writing Rust:

cargo install --git https://github.com/LatticeArc/latticearc latticearc-cli

# Sign a legal document (ML-DSA-87 + Ed25519 hybrid, selected by use case)
latticearc-cli keygen --use-case legal-documents --output ./keys
latticearc-cli sign   --input contract.pdf \
  --key keys/hybrid-ml-dsa-87-ed25519.sec.json \
  --public-key keys/hybrid-ml-dsa-87-ed25519.pub.json

# Encrypt healthcare records (AES-256-GCM, FIPS 203 backend)
latticearc-cli keygen  --algorithm aes256 --output ./keys
latticearc-cli encrypt --use-case healthcare-records \
  --input patient.json --output patient.enc.json --key keys/aes256.key.json

22 use cases · 12 algorithms · hybrid + PQ-only modes. Full reference: latticearc-cli README.

What's Inside

Category Algorithms Backend
PQ KEM ML-KEM-512/768/1024 (FIPS 203) aws-lc-rs — FIPS-validatable
PQ Signatures ML-DSA, SLH-DSA, FN-DSA (FIPS 204/205/206) fips204 / fips205 / fn-dsa
Classical X25519, Ed25519, AES-256-GCM, SHA-2/3, BLAKE2, HKDF aws-lc-rs / RustCrypto

--features fips routes AES-GCM, ML-KEM, X25519, and HKDF through the CMVP-validated aws-lc-rs build. PQ signatures use NIST-conformant but non-validated crates. LatticeArc itself is not a CMVP-certified cryptographic module.

Security

  • #![forbid(unsafe_code)], constant-time comparisons via subtle, automatic secret zeroization
  • 30 Kani proofs (18 PR-blocking) + cross-impl differential testing + 31 fuzz targets + Wycheproof + mutation testing at 80% floor
  • Pre-1.0: API may change between minor versions; see CHANGELOG.md

More

License

Apache-2.0