# QSSL - Quantum-Safe Secure Layer
[](https://crates.io/crates/qssl)
[](https://docs.rs/qssl)
[](LICENSE-MIT)
[](LICENSE-APACHE)
[](https://www.rust-lang.org)
**Patent-free post-quantum TLS** using SPHINCS+ KEM for key exchange. Implements NIST-standardized algorithms with traffic analysis resistance for organizations requiring post-quantum security without patent encumbrances.
## Security Status
| **SPHINCS+ KEM** | Implemented | Patent-free key exchange (default) |
| **Falcon Signatures** | Implemented | FIPS 204 compliant |
| **ML-KEM (Kyber)** | Implemented | Optional, patent considerations |
| **Traffic Analysis Resistance** | Implemented | Fixed-size frames |
| **Test Coverage** | 40 tests | All passing |
| **Formal Verification** | 100 Lean 4 theorems | Zero sorries, Mathlib v4.27.0 |
**Recommendation**: Suitable for research, testing, and PQC migration planning. Security audit recommended before deployment with sensitive data.
## Why Patent-Free Matters
**The Patent Landscape**:
- ML-KEM (Kyber) has patent claims that create licensing uncertainty for enterprise deployment
- SPHINCS+ is hash-based with no known patent encumbrances
- Organizations with legal/compliance requirements need patent-free alternatives
**QSSL's Approach**:
- **Default**: SPHINCS+ KEM for key exchange (patent-free)
- **Optional**: ML-KEM/Kyber for compatibility when patents are acceptable
- **Clear labeling**: Cipher suites indicate patent status
## Cipher Suites
| 0x0010 | SPHINCS+ | Falcon-512 | AES-128-GCM | 128-bit | Yes |
| 0x0011 | SPHINCS+ | Falcon-512 | AES-256-GCM | 192-bit | Yes |
| 0x0012 | SPHINCS+ | Falcon-1024 | AES-256-GCM | 256-bit | Yes |
| 0x0013 | SPHINCS+ | SPHINCS+-256f | AES-256-GCM | 192-bit | Yes |
| 0x0014 | SPHINCS+ | Falcon-512 | ChaCha20-Poly1305 | 192-bit | Yes |
| 0x0001 | ML-KEM-512 | Falcon-512 | AES-128-GCM | 128-bit | No |
| 0x0002 | ML-KEM-768 | Falcon-512 | AES-256-GCM | 192-bit | No |
| 0x0003 | ML-KEM-1024 | Falcon-1024 | AES-256-GCM | 256-bit | No |
## Key Features
- **Patent-Free Default**: SPHINCS+ KEM avoids licensing concerns
- **Traffic Analysis Resistance**: Fixed-size frames prevent metadata leakage
- **NIST Algorithms**: Falcon (FIPS 204), SPHINCS+ (FIPS 205), ML-KEM (FIPS 203)
- **Memory Safety**: Rust with automatic zeroization
- **Async/Await**: Built on Tokio for high performance
- **Algorithm Agility**: Easy to swap PQC algorithms
## Quick Start
```bash
# Install from crates.io
cargo add qssl
# Or build from source
git clone https://github.com/Paraxiom/qssl
cd qssl
cargo build --release
```
### Basic Usage
```rust
use qssl::{QsslConnection, QsslConfig, CipherSuite};
// Client with patent-free cipher suite
let config = QsslConfig::builder()
.cipher_suite(CipherSuite::SPHINCS_FALCON512_AES256)
.build();
let conn = QsslConnection::connect("server:4433", config).await?;
conn.send(b"Hello Quantum World").await?;
let response = conn.recv().await?;
// Server
let listener = QsslListener::bind("0.0.0.0:4433", server_config).await?;
let conn = listener.accept().await?;
```
## Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ Application Layer │
├─────────────────────────────────────────────────────────────────┤
│ QSSL Connection │
│ (Handshake, State Machine, Session) │
├─────────────────────────────────────────────────────────────────┤
│ QSSL Transport │
│ (Fixed-Size Records, Encryption, Sequencing) │
├─────────────────────────────────────────────────────────────────┤
│ Post-Quantum Cryptography │
│ SPHINCS+ KEM (default) │ ML-KEM │ Falcon │ SPHINCS+ Sig │
├─────────────────────────────────────────────────────────────────┤
│ Symmetric Crypto │
│ AES-256-GCM │ ChaCha20-Poly1305 │
├─────────────────────────────────────────────────────────────────┤
│ Network (TCP) │
└─────────────────────────────────────────────────────────────────┘
```
## Feature Status
### Implemented
- SPHINCS+ KEM key exchange (patent-free default)
- ML-KEM/Kyber key exchange (optional)
- Falcon-512/1024 signatures
- SPHINCS+ signatures
- AES-GCM and ChaCha20-Poly1305 encryption
- Fixed-size frame transport (traffic analysis resistance)
- Post-quantum X.509-style certificates
- Session management
- HKDF key derivation
### In Development
- Certificate chain validation
- Full session resumption
- 0-RTT support
- OCSP stapling
## Performance
Benchmarks on Apple M1:
| SPHINCS+ KEM encapsulation | ~3ms |
| SPHINCS+ KEM decapsulation | ~3ms |
| Falcon-512 signing | ~200μs |
| Falcon-512 verification | ~80μs |
| ML-KEM-768 encapsulation | ~60μs |
| ML-KEM-768 decapsulation | ~70μs |
| Full handshake (SPHINCS+) | ~8ms |
| Full handshake (ML-KEM) | ~2ms |
*SPHINCS+ is slower but patent-free. Choose based on your requirements.*
## Integration
### With QSSH
QSSL can serve as the transport layer for [QSSH](https://crates.io/crates/qssh):
```rust
use qssl::integrations::qssh::QsshTransport;
let transport = QsshTransport::connect("server:22", config).await?;
```
### With Web Servers
```nginx
server {
listen 443 qssl;
qssl_certificate cert.pem;
qssl_certificate_key key.pem;
qssl_ciphers SPHINCS_FALCON512_AES256; # Patent-free
}
```
## Security Considerations
| **Post-Quantum Security** | NIST FIPS 203, 204, 205 algorithms |
| **Forward Secrecy** | Ephemeral keys per session |
| **Memory Safety** | Rust + zeroize on drop |
| **Replay Protection** | Sequence numbers |
| **Traffic Analysis** | Fixed-size frames |
## Comparison with Existing Solutions
| Patent-free default | Yes | No | No |
| Traffic analysis resistance | Yes | No | No |
| Pure Rust | Yes | Yes | No |
| NIST algorithms | Yes | Yes | Yes |
| Production-ready | No | Partial | Yes |
## Formal Verification
qssl includes Lean 4 machine-checked proofs (Tier 3 of our Kani → Verus → Lean pipeline):
| MLKem.lean | 17 | q=3329 prime, NTT compatibility, Z₃₃₂₉ field instance |
| Falcon.lean | 12 | q=12289 prime, detached sig=658, size bounds |
| SphincsHaraka.lean | 11 | Haraka-128f sig=16976, TLS fragmentation (2 records) |
| KDF.lean | 16 | Master secret=48B, QN-HKDF=96B, AES-256 key sizes |
| QuantumFrame.lean | 12 | 768-byte frame partition, uniform sizing, payload algebra |
| TLSRecord.lean | 12 | 5-byte header, record types, max sizes, TCP fitting |
| CipherSuite.lean | 11 | 12 suites, patent-free classification, code injectivity |
| HybridKEM.lean | 9 | Hybrid ciphertext=17937B, handshake fitting |
| **Total** | **100** | **Zero sorries, Mathlib v4.27.0** |
```bash
cd lean && lake build # 0 errors, 0 warnings
```
## Roadmap
- [x] Formal verification (Lean 4 — 100 theorems)
- [ ] Certificate chain validation
- [ ] 0-RTT session resumption
- [ ] WASM support
- [ ] C FFI bindings
- [ ] Python bindings
## Documentation
- [API Documentation](https://docs.rs/qssl)
- [Changelog](CHANGELOG.md)
## License
Dual-licensed under MIT and Apache-2.0.
## Acknowledgments
- NIST Post-Quantum Cryptography standardization
- pqcrypto crate family
- Part of the Paraxiom quantum-safe protocol suite
---
*QSSL - Patent-free post-quantum TLS for the quantum era.*