Module orion::hazardous::kem::x25519_hkdf_sha256
Available on crate feature safe_api only.
DHKEM(X25519, HKDF-SHA256) as specified in HPKE RFC 9180.
Parameters:
- public_recipient: The public X25519 key of the recipient.
- public_ephemeral: The ephemeral X25519 public key for this KEM operation.
- secret_recipient: The private X25519 key of the recipient.
- secret_sender: The private X25519 key of the sender.
Errors:
An error will be returned if:
- a shared X25519 secret is all-zero.
- ikm.len() < 32 when calling derive_keypair().
Panics:
A panic will occur if:
- generate() panics during encap(), auth_encap(), decap() or auth_decap().
Security:
- The ikm used as input for derive_keypair() must never be reused: derive_keypair() is deterministic, so the same ikm always yields the same key pair.
- This KEM is vulnerable to key-compromise impersonation (KCI): if the recipient's private key secret_recipient is leaked at any point, sender authentication no longer holds. See the KCI section of the RFC for recommendations on how to mitigate this.
- Refer to the RFC for a detailed description of all security properties provided: https://www.rfc-editor.org/rfc/rfc9180.html#section-9
Example:
use orion::errors::UnknownCryptoError;
use orion::hazardous::kem::x25519_hkdf_sha256::DhKem;

fn auth_mode_example() -> Result<(), UnknownCryptoError> {
    // Long-term key pairs for both parties.
    let (sender_secret, sender_public) = DhKem::generate_keypair()?;
    let (recipient_secret, recipient_public) = DhKem::generate_keypair()?;
    // Sender: derive the shared secret and the ephemeral public key to transmit.
    let (sender_shared_secret, public_eph) =
        DhKem::auth_encap(&recipient_public, &sender_secret)?;
    // Recipient: recover the same secret from its own private key and the sender's public key.
    let recipient_shared_secret =
        DhKem::auth_decap(&public_eph, &recipient_secret, &sender_public)?;
    assert_eq!(sender_shared_secret, recipient_shared_secret);
    Ok(())
}
Re-exports
pub use crate::hazardous::ecc::x25519::PrivateKey;
pub use crate::hazardous::ecc::x25519::PublicKey;
Structs
- DhKem: DHKEM(X25519, HKDF-SHA256) as specified in HPKE RFC 9180.
- SharedSecret: A type to represent the shared secret that DHKEM(X25519, HKDF-SHA256) produces.