rustpq 0.3.0

Pure Rust post-quantum cryptography suite - ML-KEM, ML-DSA, and more
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194

# RustPQ

A pure Rust post-quantum cryptography suite by [Sanct](https://github.com/sanctgroup).

[![CI](https://github.com/sanctgroup/RustPQ/actions/workflows/ci.yml/badge.svg)](https://github.com/sanctgroup/RustPQ/actions/workflows/ci.yml)
[![Crates.io](https://img.shields.io/crates/v/rustpq.svg)](https://crates.io/crates/rustpq)
[![Docs.rs](https://docs.rs/rustpq/badge.svg)](https://docs.rs/rustpq)
[![License: MIT OR Apache-2.0](https://img.shields.io/badge/License-MIT%20OR%20Apache--2.0-blue.svg)](https://opensource.org/licenses/MIT)

## Algorithms

| Algorithm | Standard | Status |
|-----------|----------|--------|
| ML-KEM (Kyber) | [FIPS 203](https://csrc.nist.gov/pubs/fips/203/final) | Implemented |
| ML-KEM Hybrid | [IETF draft-ietf-tls-ecdhe-mlkem](https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/) | Implemented |
| ML-DSA (Dilithium) | [FIPS 204](https://csrc.nist.gov/pubs/fips/204/final) | Implemented |
| SLH-DSA (SPHINCS+) | [FIPS 205](https://csrc.nist.gov/pubs/fips/205/final) | Planned |

## Features

  - **Pure Rust** - No unsafe code, memory-safe by design
  - **`no_std` Compatible** - Works on embedded devices and bare-metal
  - **Constant-time** - Resistant to timing attacks via the `subtle` crate
  - **Lightweight** - Minimal dependencies

## Installation

```toml
[dependencies]
rustpq = "0.3.0"
```

For hybrid KEMs:

```toml
[dependencies]
rustpq = { version = "0.3.0", features = ["x25519-mlkem768"] }
```

## Usage

### ML-KEM Key Encapsulation

```rust
use rustpq::ml_kem::mlkem768::{generate, encapsulate, decapsulate};
use rand::rngs::OsRng;

// Generate a keypair
let (public_key, secret_key) = generate(&mut OsRng);

// Encapsulate: creates shared secret + ciphertext
let (ciphertext, shared_secret_sender) = encapsulate(&public_key, &mut OsRng);

// Decapsulate: recovers shared secret from ciphertext
let shared_secret_receiver = decapsulate(&secret_key, &ciphertext);

assert_eq!(shared_secret_sender.as_bytes(), shared_secret_receiver.as_bytes());
```

### ML-KEM Hybrid (Post-Quantum + Classical)

Hybrid KEMs combine ML-KEM with traditional ECDH for defense-in-depth. Even if one algorithm is broken, the other provides security.

```rust
use rustpq::ml_kem_hybrid::x25519_mlkem768::{generate, encapsulate, decapsulate};
use rand::rngs::OsRng;

// Generate hybrid keypair (X25519 + ML-KEM-768)
let (pk, sk) = generate(&mut OsRng);

// Encapsulate
let (ct, ss_sender) = encapsulate(&pk, &mut OsRng);

// Decapsulate
let ss_receiver = decapsulate(&sk, &ct);

// Get a ready-to-use 32-byte key (SHA3-256 of combined secrets)
let key = ss_sender.derive_key();

// Or access raw concatenated secret for custom KDF
let raw_64_bytes = ss_sender.as_bytes();
```

### ML-DSA Digital Signatures

```rust
use rustpq::ml_dsa::mldsa44::{generate, sign, verify};
use rand::rngs::OsRng;

// Generate a keypair
let (public_key, secret_key) = generate(&mut OsRng);

// Sign a message
let message = b"Hello World";
let context = b""; // Optional context string
let signature = sign(&secret_key, message, context, &mut OsRng).unwrap();

// Verify the signature
assert!(verify(&public_key, message, context, &signature).is_ok());
```

## Examples

```bash
# ML-KEM key encapsulation
cargo run --example basic --features mlkem768

# ML-KEM hybrid (X25519 + ML-KEM-768)
cargo run --example hybrid --features x25519-mlkem768

# End-to-end encryption (hybrid KEM + signatures)
cargo run --example e2ee --features "x25519-mlkem768,mldsa65"

# ML-DSA digital signatures
cargo run --example mldsa --features mldsa44
```

## Development

```bash
# Run all tests
cargo test --all-features

# Run hybrid tests only
cargo test --features "x25519-mlkem768,p256-mlkem768,p384-mlkem1024"

# Benchmarks
cargo bench --features "mlkem512,mlkem768,mlkem1024"
cargo bench --features "x25519-mlkem768,p256-mlkem768,p384-mlkem1024"

# Check for issues
cargo clippy --all-features
```

## Feature Flags

### ML-KEM (Key Encapsulation)

| Feature | Algorithm | Security | Key Size | Ciphertext | Secret |
|---------|-----------|----------|----------|------------|--------|
| `mlkem512` | ML-KEM-512 | Level 1 (~AES-128) | 800 B | 768 B | 32 B |
| `mlkem768` | ML-KEM-768 | Level 3 (~AES-192) | 1184 B | 1088 B | 32 B |
| `mlkem1024` | ML-KEM-1024 | Level 5 (~AES-256) | 1568 B | 1568 B | 32 B |

### ML-KEM Hybrid (Post-Quantum + Classical)

| Feature | Hybrid | Security | Key Size | Ciphertext | Secret |
|---------|--------|----------|----------|------------|--------|
| `x25519-mlkem768` | X25519 + ML-KEM-768 | Level 3 | 1216 B | 1120 B | 64 B |
| `p256-mlkem768` | P-256 + ML-KEM-768 | Level 3 | 1249 B | 1153 B | 64 B |
| `p384-mlkem1024` | P-384 + ML-KEM-1024 | Level 5 | 1665 B | 1665 B | 80 B |

> Hybrid combiners follow [IETF draft-ietf-tls-ecdhe-mlkem](https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/). Use `derive_key()` for a ready-to-use 32-byte key, or `as_bytes()` for protocol integration or custom KDF.

### ML-DSA (Digital Signatures)

| Feature | Algorithm | Security | Key Size | Signature |
|---------|-----------|----------|----------|-----------|
| `mldsa44` | ML-DSA-44 | Level 2 | 2560 B | 2420 B |
| `mldsa65` | ML-DSA-65 | Level 3 | 4032 B | 3309 B |
| `mldsa87` | ML-DSA-87 | Level 5 | 4896 B | 4627 B |

### General

| Feature | Description |
|---------|-------------|
| `ml-kem` | Enable ML-KEM module (default) |
| `ml-kem-hybrid` | Enable ML-KEM Hybrid module |
| `ml-dsa` | Enable ML-DSA module |
| `std` | Enable standard library support |
| `alloc` | Enable allocator support |

**Default features:** `ml-kem`, `mlkem768`

## Security

This implementation prioritizes correctness and security:

  - Constant-time operations to prevent timing side-channels
  - Zeroization of sensitive data on drop
  - No unsafe code
  - Hybrid KEMs provide defense-in-depth against both classical and quantum attacks

> [!WARNING]
> This library has not yet been audited. Use at your own risk in production systems.

## License

Licensed under either of:

  - Apache License, Version 2.0 ([LICENSE-APACHE](LICENSE-APACHE))
  - MIT license ([LICENSE-MIT](LICENSE-MIT))

at your option.