Crate hpke

Expand description

§hpke

WARNING: This code has not been audited. Use at your own discretion.

This is a pure Rust implementation of the HPKE hybrid encryption scheme (RFC 9180). The purpose of hybrid encryption is to use allow someone to send secure messages to an entity whose public key they know. Here’s an example of Alice and Bob, where Alice knows Bob’s public key:

// These types define the ciphersuite Alice and Bob will be using
type Kem = X25519HkdfSha256;
type Aead = ChaCha20Poly1305;
type Kdf = HkdfSha384;

let mut csprng = StdRng::from_os_rng();

// This is a description string for the session. Both Alice and Bob need to know this value.
// It's not secret.
let info_str = b"Alice and Bob's weekly chat";

// Alice initiates a session with Bob. OpModeS::Base means that Alice is not authenticating
// herself at all. If she had a public key herself, or a pre-shared secret that Bob also
// knew, she'd be able to authenticate herself. See the OpModeS and OpModeR types for more
// detail.
let (encapsulated_key, mut encryption_context) =
    hpke::setup_sender::<Aead, Kdf, Kem, _>(&OpModeS::Base, &bob_pk, info_str, &mut csprng)
        .expect("invalid server pubkey!");

// Alice encrypts a message to Bob. `aad` is authenticated associated data that is not
// encrypted.
let msg = b"fronthand or backhand?";
let aad = b"a gentleman's game";
// To seal without allocating:
//     let auth_tag = encryption_context.seal_in_place_detached(&mut msg, aad)?;
// To seal with allocating:
let ciphertext = encryption_context.seal(msg, aad).expect("encryption failed!");

// ~~~
// Alice sends the encapsulated key, message ciphertext, AAD, and auth tag to Bob over the
// internet. Alice doesn't care if it's an insecure connection, because only Bob can read
// her ciphertext.
// ~~~

// Somewhere far away, Bob receives the data and makes a decryption session
let mut decryption_context =
    hpke::setup_receiver::<Aead, Kdf, Kem>(
        &OpModeR::Base,
        &bob_sk,
        &encapsulated_key,
        info_str,
    ).expect("failed to set up receiver!");
// To open without allocating:
//     decryption_context.open_in_place_detached(&mut ciphertext, aad, &auth_tag)
// To open with allocating:
let plaintext = decryption_context.open(&ciphertext, aad).expect("invalid ciphertext!");

assert_eq!(&plaintext, b"fronthand or backhand?");

Re-exports§

pub use generic_array;
pub use rand_core;

Modules§

aead: Traits and structs for authenticated encryption schemes
kdf: Traits and structs for key derivation functions
kem: Traits and structs for key encapsulation mechanisms

Structs§

PskBundle: Contains preshared key bytes and an identifier. This is intended to go inside an OpModeR or OpModeS struct.

Enums§

HpkeError: Describes things that can go wrong in the HPKE protocol
OpModeR: The operation mode of the HPKE session (receiver’s view). This is how the sender authenticates their identity to the receiver. This authentication information can include a preshared key, the identity key of the sender, both, or neither. Base is the only mode that does not provide any kind of sender identity authentication.
OpModeS: The operation mode of the HPKE session (sender’s view). This is how the sender authenticates their identity to the receiver. This authentication information can include a preshared key, the identity key of the sender, both, or neither. Base is the only mode that does not provide any kind of sender identity authentication.

Traits§

Deserializable: Implemented by types that can be deserialized from byte representation
Kem: Represents authenticated encryption functionality
Serializable: Implemented by types that have a fixed-length byte representation

Functions§

setup_receiver: Initiates a decryption context given a private key sk_recip and an encapsulated key which was encapsulated to sk_recip’s corresponding public key
setup_sender: Initiates an encryption context to the given recipient public key
single_shot_openalloc or std: Does a setup_receiver and AeadCtxR::open in one shot. That is, it does a key decapsulation for the specified recipient and decrypts the provided ciphertext. See setup::setup_reciever and AeadCtxR::open for more detail.
single_shot_open_in_place_detached: Does a setup_receiver and AeadCtxR::open_in_place_detached in one shot. That is, it does a key decapsulation for the specified recipient and decrypts the provided ciphertext in place. See setup::setup_reciever and AeadCtxR::open_in_place_detached for more detail.
single_shot_sealalloc or std: Does a setup_sender and AeadCtxS::seal in one shot. That is, it does a key encapsulation to the specified recipient and encrypts the provided plaintext. See setup::setup_sender and AeadCtxS::seal for more detail.
single_shot_seal_in_place_detached: Does a setup_sender and AeadCtxS::seal_in_place_detached in one shot. That is, it does a key encapsulation to the specified recipient and encrypts the provided plaintext in place. See setup::setup_sender and AeadCtxS::seal_in_place_detached for more detail.

Crate hpkeCopy item path