Crate latticearc

Expand description

LatticeArc - Post-Quantum Cryptography Library

Production-ready post-quantum cryptography. Hybrid ML-KEM+X25519 by default, all 4 NIST standards (FIPS 203–206), post-quantum TLS, and FIPS 140-3 backend — one crate, zero unsafe.

IMPORTANT: LatticeArc is NOT FIPS 140-3 certified. Only the aws-lc-rs backend algorithms (ML-KEM, AES-GCM, HKDF, SHA-2) run through a FIPS 140-3 validated module. ML-DSA (fips204), SLH-DSA (fips205), and FN-DSA (fn-dsa) implement NIST-standard algorithms but use non-validated crate implementations. Use --features fips to enable the validated aws-lc-rs backend.

§Why LatticeArc?

Without LatticeArc	With LatticeArc
~50 lines for hybrid encrypt	3 lines
Manage 4 key vectors manually	Single `EncryptKey::Hybrid`
Research NIST parameter sets	`UseCase` auto-selects
Manual secret zeroization	Automatic via `Zeroize`

§Algorithm Validation Status

Algorithm	Standard	Backend	FIPS Validated
ML-KEM	FIPS 203	aws-lc-rs	Yes
AES-256-GCM	SP 800-38D	aws-lc-rs	Yes
HKDF-SHA256	SP 800-56C	aws-lc-rs	Yes
SHA-256	FIPS 180-4	aws-lc-rs	Yes
ML-DSA	FIPS 204	fips204	No
SLH-DSA	FIPS 205	fips205	No
FN-DSA	FIPS 206	fn-dsa	No

§Unified API with CryptoConfig

All cryptographic operations use CryptoConfig for configuration. This builder pattern provides automatic algorithm selection based on use case or security level, with optional Zero Trust session verification.

§Basic Usage (Hybrid — Recommended)

use latticearc::{encrypt, decrypt, CryptoConfig, EncryptKey, DecryptKey};

// Hybrid encryption: ML-KEM-768 + X25519 + HKDF + AES-256-GCM
let (pk, sk) = latticearc::generate_hybrid_keypair()?;
let encrypted = encrypt(b"secret", EncryptKey::Hybrid(&pk), CryptoConfig::new())?;
let decrypted = decrypt(&encrypted, DecryptKey::Hybrid(&sk), CryptoConfig::new())?;

§Digital Signatures

use latticearc::{generate_signing_keypair, sign_with_key, verify, CryptoConfig};

let message = b"Document to sign";

// Generate a persistent signing keypair (ML-DSA-65 + Ed25519 hybrid)
let (pk, sk, scheme) = generate_signing_keypair(CryptoConfig::new())?;

// Sign with the persistent keypair
let signed = sign_with_key(message, &sk, &pk, CryptoConfig::new())?;

// Verify (uses public key embedded in SignedData)
let is_valid = verify(&signed, CryptoConfig::new())?;

§Feature Flags

Feature	Description
`fips`	FIPS 140-3 validated backend via aws-lc-rs. Requires CMake + Go build tools. Without this feature, aws-lc-rs uses its default non-FIPS backend (C compiler only).
`fips-self-test`	Power-up KAT self-tests (ML-KEM via aws-lc-rs, AES-GCM, SHA-3). ML-DSA and SLH-DSA use non-validated crate implementations — not FIPS-boundary.
`zkp-serde`	Serialization support for ZKP types (enables `serde_with` for Schnorr/Sigma protocol structs).
`formal-verification`	Compilation marker: enables formal verification harness code (Kani proofs). Does not run proofs — use `cargo kani` separately.
`kani`	Compilation marker: enables Kani bounded model checking proof harnesses. Requires `cargo kani` to execute proofs.
`saw`	Compilation marker: enables SAW formal verification markers (inherited from aws-lc-rs). Does not run SAW proofs at build time.

§More Examples

§Symmetric Encryption

use latticearc::{encrypt, decrypt, CryptoConfig, CryptoScheme, EncryptKey, DecryptKey};

let key = [0u8; 32];  // 256-bit key for AES-256-GCM
let encrypted = encrypt(b"secret", EncryptKey::Symmetric(&key),
    CryptoConfig::new().force_scheme(CryptoScheme::Symmetric))?;
let decrypted = decrypt(&encrypted, DecryptKey::Symmetric(&key), CryptoConfig::new())?;

§With Use Case Selection

use latticearc::{encrypt, CryptoConfig, UseCase, EncryptKey};

// Library selects optimal hybrid algorithm for the use case
let (pk, _sk) = latticearc::generate_hybrid_keypair()?;
let encrypted = encrypt(b"data", EncryptKey::Hybrid(&pk),
    CryptoConfig::new().use_case(UseCase::FileStorage))?;

§Zero Trust Session Verification

For production deployments, use VerifiedSession to enable Zero Trust verification before each operation:

use latticearc::{
    encrypt, decrypt, CryptoConfig, VerifiedSession, generate_keypair,
    EncryptKey, DecryptKey,
};

// Step 1: Generate a keypair (done once, typically at provisioning)
let (pk, sk) = generate_keypair()?;

// Step 2: Establish a verified session (performs challenge-response)
let session = VerifiedSession::establish(&pk, sk.as_ref())?;

// Step 3: Hybrid encryption with session verification
let (enc_pk, enc_sk) = latticearc::generate_hybrid_keypair()?;
let encrypted = encrypt(b"secret", EncryptKey::Hybrid(&enc_pk),
    CryptoConfig::new().session(&session))?;
let decrypted = decrypt(&encrypted, DecryptKey::Hybrid(&enc_sk),
    CryptoConfig::new().session(&session))?;

§Hybrid Encryption (ML-KEM-768 + X25519)

Use the unified API with EncryptKey::Hybrid / DecryptKey::Hybrid:

use latticearc::{encrypt, decrypt, CryptoConfig, EncryptKey, DecryptKey};

let (pk, sk) = latticearc::generate_hybrid_keypair()?;
let encrypted = encrypt(b"secret data", EncryptKey::Hybrid(&pk), CryptoConfig::new())?;
let decrypted = decrypt(&encrypted, DecryptKey::Hybrid(&sk), CryptoConfig::new())?;

§Hybrid Signatures (ML-DSA-65 + Ed25519)

use latticearc::{generate_hybrid_signing_keypair, sign_hybrid, verify_hybrid_signature, SecurityMode};

// Generate a hybrid signing keypair (ML-DSA-65 + Ed25519)
let (pk, sk) = generate_hybrid_signing_keypair(SecurityMode::Unverified)?;

// Sign (both ML-DSA and Ed25519 signatures generated)
let signature = sign_hybrid(b"document", &sk, SecurityMode::Unverified)?;

// Verify (both must pass for signature to be valid)
let valid = verify_hybrid_signature(b"document", &signature, &pk, SecurityMode::Unverified)?;

§Session Lifecycle

Sessions have a 30-minute default lifetime:

use latticearc::{encrypt, CryptoConfig, VerifiedSession, generate_keypair, CoreError, EncryptKey};

let (pk, sk) = generate_keypair()?;
let session = VerifiedSession::establish(&pk, sk.as_ref())?;

// Check session properties
assert!(session.is_valid());  // Not expired
let _ = session.session_id(); // Unique ID for audit
let _ = session.expires_at(); // Expiration time

// Validate before critical operations
session.verify_valid()?;  // Returns Err(SessionExpired) if expired

// Refresh if expired
if !session.is_valid() {
    let new_session = VerifiedSession::establish(&pk, sk.as_ref())?;
}

§Complete Example

use latticearc::{
    encrypt, decrypt, generate_signing_keypair, sign_with_key, verify,
    generate_hybrid_keypair, CryptoConfig, CoreError,
    EncryptKey, DecryptKey,
};

fn secure_workflow() -> Result<(), CoreError> {
    // --- Hybrid Encryption (unified API) ---
    let (enc_pk, enc_sk) = generate_hybrid_keypair()?;
    let encrypted = encrypt(b"confidential", EncryptKey::Hybrid(&enc_pk),
        CryptoConfig::new())?;
    let decrypted = decrypt(&encrypted, DecryptKey::Hybrid(&enc_sk),
        CryptoConfig::new())?;

    // --- Digital Signatures ---
    let (sign_pk, sign_sk, _scheme) = generate_signing_keypair(CryptoConfig::new())?;
    let signed = sign_with_key(b"important document", &sign_sk, &sign_pk, CryptoConfig::new())?;
    let is_valid = verify(&signed, CryptoConfig::new())?;
    assert!(is_valid);

    Ok(())
}

Re-exports§

pub use unified_api as core;
pub use prelude::LatticeArcError;
pub use unified_api::AlgorithmSelection;
pub use unified_api::Challenge;
pub use unified_api::ComplianceMode;
pub use unified_api::ContinuousSession;
pub use unified_api::ContinuousVerifiable;
pub use unified_api::CoreError;
pub use unified_api::CryptoConfig;
pub use unified_api::CryptoContext;
pub use unified_api::CryptoPayload;
pub use unified_api::CryptoScheme;
pub use unified_api::DataCharacteristics;
pub use unified_api::DecryptKey;
pub use unified_api::Decryptable;
pub use unified_api::EncryptKey;
pub use unified_api::Encryptable;
pub use unified_api::EncryptedData;
pub use unified_api::EncryptedMetadata;
pub use unified_api::EncryptedOutput;
pub use unified_api::EncryptionScheme;
pub use unified_api::HardwareAccelerator;
pub use unified_api::HardwareAware;
pub use unified_api::HardwareCapabilities;
pub use unified_api::HardwareInfo;
pub use unified_api::HardwareType;
pub use unified_api::HashOutput;
pub use unified_api::HybridComponents;
pub use unified_api::KeyDerivable;
pub use unified_api::KeyPair;
pub use unified_api::PatternType;
pub use unified_api::PerformancePreference;
pub use unified_api::PrivateKey;
pub use unified_api::ProofOfPossession;
pub use unified_api::ProofOfPossessionData;
pub use unified_api::PublicKey;
pub use unified_api::Result;
pub use unified_api::SchemeSelector;
pub use unified_api::SecurityLevel;
pub use unified_api::SecurityMode;
pub use unified_api::Signable;
pub use unified_api::SignedData;
pub use unified_api::SignedMetadata;
pub use unified_api::SymmetricKey;
pub use unified_api::TrustLevel;
pub use unified_api::UseCase;
pub use unified_api::VERSION;
pub use unified_api::Verifiable;
pub use unified_api::VerificationStatus;
pub use unified_api::VerifiedSession;
pub use unified_api::ZeroKnowledgeProof;
pub use unified_api::ZeroTrustAuth;
pub use unified_api::ZeroTrustAuthenticable;
pub use unified_api::ZeroTrustSession;
pub use unified_api::ZeroizedBytes;
pub use unified_api::fips_available;
pub use unified_api::init;
pub use unified_api::init_with_config;
pub use unified_api::decrypt;
pub use unified_api::encrypt;
pub use unified_api::generate_signing_keypair;
pub use unified_api::sign_with_key;
pub use unified_api::verify;
pub use unified_api::generate_hybrid_keypair;
pub use unified_api::generate_hybrid_keypair_with_level;
pub use unified_api::generate_hybrid_signing_keypair;
pub use unified_api::generate_hybrid_signing_keypair_with_config;
pub use unified_api::sign_hybrid;
pub use unified_api::sign_hybrid_with_config;
pub use unified_api::verify_hybrid_signature;
pub use unified_api::verify_hybrid_signature_with_config;
pub use unified_api::key_format::KeyAlgorithm;
pub use unified_api::key_format::KeyData;
pub use unified_api::key_format::KeyType;
pub use unified_api::key_format::PortableKey;
pub use tls::TlsConfig;
pub use tls::TlsConstraints;
pub use tls::TlsContext;
pub use tls::TlsMode;
pub use tls::TlsPolicyEngine;
pub use tls::TlsUseCase;
pub use tls::tls_accept;
pub use tls::tls_connect;

Modules§

hybrid: Hybrid cryptography combining post-quantum and classical algorithms. Hybrid Cryptography for LatticeArc
perf: Performance monitoring and benchmarking utilities. LatticeArc Performance Primitives
prelude: Common prelude with error handling, domain constants, and testing infrastructure. LatticeArc Prelude
primitives: Core cryptographic primitives (KEM, signatures, AEAD, hash, KDF, MAC).
tls: TLS 1.3 with native post-quantum key exchange (rustls 0.23.37+, no extra dependencies).
types: Pure-Rust domain types, traits, configuration, and policy engine.
unified_api: Unified cryptographic API with Zero-Trust security.
zkp: Zero-knowledge proof primitives (Schnorr, Sigma protocols, Pedersen commitments). Non-FIPS: uses non-approved EC operations. Basic Zero-Knowledge Proof Primitives