§oqs-safe
A Post-Quantum Cryptography (PQC) toolkit in Rust built on top of libOQS.
This crate provides safe, minimal abstractions for:
- Post-quantum key exchange (ML-KEM)
- Post-quantum signatures (ML-DSA)
- Hybrid cryptography (X25519 + ML-KEM)
- Secure session key derivation (HKDF)
§Features
- ML-KEM (512 / 768 / 1024)
- ML-DSA (44 / 65 / 87)
- Hybrid cryptography (classical + PQC)
- Zeroized secret handling
- Mock backend (default) + liboqs backend
§Quick Example (KEM)
use oqs_safe::kem::{Kem, KemAlgorithm, KemInstance};
let kem = KemInstance::new(KemAlgorithm::MlKem768);
let (pk, sk) = kem.keypair().unwrap();
let (ct, ss1) = kem.encapsulate(&pk).unwrap();
let ss2 = kem.decapsulate(&ct, &sk).unwrap();
assert_eq!(ss1.len(), ss2.len());
§Signature Example (ML-DSA)
use oqs_safe::sig::{SigAlgorithm, SigInstance, SignatureScheme};
let sig = SigInstance::new(SigAlgorithm::MlDsa44);
let (pk, sk) = sig.keypair().unwrap();
let msg = b"hello pqc";
let signature = sig.sign(&sk, msg).unwrap();
sig.verify(&pk, msg, &signature).unwrap();
§Hybrid Example (Recommended for PQC Migration)
// Run the full example:
// cargo run --example hybrid_x25519_mlkem
§Modules
- kem - Post-quantum key exchange (ML-KEM)
- sig - Post-quantum signatures (ML-DSA)
- hybrid - Hybrid cryptography helpers
- session - Secure session key derivation
- error - Error types
§Backends
- Default: mock backend (no native dependencies, for CI/dev)
- Optional: liboqs feature for real PQC operations
§Security Notes
- Always derive keys using HKDF before use
- Use hybrid cryptography (X25519 + ML-KEM) for migration
- Do not rely on PQC-only deployments yet
- Avoid logging or serializing secret material
This crate is not formally audited.
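The secret-handling notes above, as an added example (not oqs-safe's own code): a std-only wrapper that redacts secrets in Debug output, zeroes them on drop, and compares two shared secrets by content without an early exit. `SecretBytes`, `expose` and `ct_eq` are hypothetical names, and the byte values are constructed.

```rust
use std::fmt;
use std::sync::atomic::{compiler_fence, Ordering};

/// Hypothetical wrapper (not an oqs-safe type) for a shared secret or private key.
/// It deliberately derives neither Clone nor any serialization trait.
pub struct SecretBytes(Vec<u8>);

impl SecretBytes {
    pub fn new(bytes: Vec<u8>) -> Self { SecretBytes(bytes) }

    /// Explicit accessor, so every read of the raw bytes is easy to find in review.
    pub fn expose(&self) -> &[u8] {
        &self.0
    }

    /// Compare contents without an early exit on the first differing byte.
    pub fn ct_eq(&self, other: &SecretBytes) -> bool {
        if self.0.len() != other.0.len() {
            return false; // lengths are public for a fixed parameter set
        }
        let mut diff = 0u8;
        for (a, b) in self.0.iter().zip(other.0.iter()) {
            diff |= a ^ b;
        }
        diff == 0
    }
}

// Debug prints only the length, so `{:?}` in a log line cannot leak key bytes.
impl fmt::Debug for SecretBytes {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "SecretBytes(<redacted>, {} bytes)", self.0.len())
    }
}

// Overwrite the buffer on drop; volatile writes keep the compiler from eliding them.
impl Drop for SecretBytes {
    fn drop(&mut self) {
        for b in self.0.iter_mut() {
            unsafe { std::ptr::write_volatile(b, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

fn main() {
    // Constructed sample values standing in for two sides' 32-byte shared secrets.
    let ss1 = SecretBytes::new(vec![0xA5; 32]);
    let ss2 = SecretBytes::new(vec![0xA5; 32]);
    println!("{:?} match={} len={}", ss1, ss1.ct_eq(&ss2), ss1.expose().len());
}
```

In production code the zeroize and subtle crates cover the drop-time wipe and the constant-time comparison.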
§Re-exports
pub use error::OqsError;