pub struct PqKeypair { /* private fields */ }
A deterministically-derived ML-KEM-768 keypair bound to a huddle identity.
The decapsulation (secret) key never leaves the owner; the encapsulation
(public) key is published so peers can encapsulate a DM key to it. The
inner DecapsulationKey zeroizes its secret material on drop (ml-kem’s
zeroize feature).
Implementations

impl PqKeypair
pub fn from_identity_seed(ed25519_seed: &[u8; 32]) -> Self
Derive the identity’s ML-KEM-768 keypair from its 32-byte Ed25519 secret seed. Deterministic and domain-separated, so the same identity always yields the same keypair with zero extra storage.
The ML-KEM seed is HKDF-SHA256(seed; salt = MLKEM_SEED_LABEL) expanded
to 64 bytes (ML-KEM’s d || z), making the post-quantum key material
cryptographically independent of both the Ed25519 signing key and the
X25519 DM scalar (which use different derivations / labels).
pub fn encapsulation_key_bytes(&self) -> [u8; 1184]
The serialized encapsulation (public) key, to publish to peers.
pub fn decapsulate(&self, ciphertext: &[u8]) -> Result<Zeroizing<[u8; 32]>>
Decapsulate a ciphertext a peer produced by encapsulating to our encapsulation key, recovering the shared ML-KEM secret.
ML-KEM decapsulation is infallible by construction (FIPS 203 implicit rejection: a malformed/forged ciphertext yields a pseudo-random secret rather than an error), so the only error path here is a wrong-length ciphertext.
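The seed derivation behind `from_identity_seed` and the single error path of `decapsulate`, worked through in Python with only the standard library (an added example, not the crate's own code). The byte values of `MLKEM_SEED_LABEL` and of the sibling labels are placeholders, and the empty HKDF `info` is an assumption; the page gives the salt, the output length and the d || z split, nothing more.

```python
import hashlib
import hmac
from typing import Tuple

# Placeholder label bytes: the docs name MLKEM_SEED_LABEL but do not give its value.
# The other two labels are likewise invented; only the fact that they differ matters.
MLKEM_SEED_LABEL = b"example:mlkem-768-seed"
ED25519_LABEL = b"example:ed25519-signing"
X25519_DM_LABEL = b"example:x25519-dm-scalar"

ML_KEM_768_CIPHERTEXT_LEN = 1088  # FIPS 203 ciphertext size for ML-KEM-768


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def mlkem_seed_from_identity(ed25519_seed: bytes) -> Tuple[bytes, bytes]:
    """Derive ML-KEM's 64-byte seed (d || z) from the 32-byte Ed25519 secret seed.

    Deterministic: the same identity seed always yields the same (d, z), so the
    keypair can be regenerated on demand with no stored PQ secret. The label as
    salt keeps the output independent of the Ed25519 and X25519 derivations.
    Assumed: empty HKDF info (the docs only specify the salt and output length).
    """
    if len(ed25519_seed) != 32:
        raise ValueError("Ed25519 seed must be exactly 32 bytes")
    dz = hkdf_sha256(ed25519_seed, salt=MLKEM_SEED_LABEL, info=b"", length=64)
    return dz[:32], dz[32:]  # d: key-generation randomness, z: implicit-rejection secret


def check_ciphertext_len(ciphertext: bytes) -> None:
    """The only error path before decapsulation: a wrong-length ciphertext.

    Content is never rejected; FIPS 203 implicit rejection turns a forged or
    corrupted ciphertext of the right length into a pseudo-random shared secret.
    """
    if len(ciphertext) != ML_KEM_768_CIPHERTEXT_LEN:
        raise ValueError(
            f"ciphertext must be {ML_KEM_768_CIPHERTEXT_LEN} bytes, got {len(ciphertext)}"
        )
```

A consequence worth keeping in mind when reviewing callers: because the length check is the only failure, an error from `decapsulate` tells you about framing, never about authenticity, which must come from the surrounding protocol.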