Available on crate feature safe_api only.

DHKEM(X25519, HKDF-SHA256) as specified in HPKE RFC 9180.

Parameters:

  • public_recipient: The public X25519 key of the recipient.
  • public_ephemeral: The ephemeral X25519 public key for this KEM operation.
  • secret_recipient: The private X25519 key of the recipient.
  • secret_sender: The private X25519 key of the sender.

Errors:

An error will be returned if:

  • A shared X25519 secret is all-zero.
  • ikm.len() < 32 when calling derive_keypair().

Panics:

A panic will occur if:

Security:

  • The ikm used as input for derive_keypair() must never be reused.
  • This KEM is vulnerable to key-compromise impersonation (KCI) attacks, meaning that if the recipient's private key secret_recipient is leaked at any point, sender authentication no longer holds. See the KCI section of the RFC for recommendations on how to mitigate this.
  • Please refer to the RFC for a detailed description of all security properties provided: https://www.rfc-editor.org/rfc/rfc9180.html#section-9.

Example:

use orion::errors::UnknownCryptoError;
use orion::hazardous::kem::x25519_hkdf_sha256::DhKem;

fn main() -> Result<(), UnknownCryptoError> {
    // Long-term X25519 keypairs for both parties.
    let (sender_secret, sender_public) = DhKem::generate_keypair()?;
    let (recipient_secret, recipient_public) = DhKem::generate_keypair()?;

    // Authenticated encapsulation: the sender derives the shared secret and
    // the ephemeral public key that is transmitted to the recipient.
    let (sender_shared_secret, public_eph) =
        DhKem::auth_encap(&recipient_public, &sender_secret)?;
    // The recipient recovers the same secret from the ephemeral key, its own
    // private key and the sender's public key (which authenticates the sender).
    let recipient_shared_secret =
        DhKem::auth_decap(&public_eph, &recipient_secret, &sender_public)?;

    assert_eq!(sender_shared_secret, recipient_shared_secret);
    Ok(())
}
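
The step that turns the raw X25519 outputs into the SharedSecret is RFC 9180's ExtractAndExpand with the KEM's suite_id; the added Python model below (not orion's code) shows that derivation for both the base and the authenticated mode. It takes the X25519 outputs and keys as constructed 32-byte inputs instead of computing X25519, and kem_shared_secret is a hypothetical helper name chosen here.

```python
import hashlib
import hmac

# Constants from RFC 9180 for DHKEM(X25519, HKDF-SHA256): kem_id 0x0020, Nsecret = 32.
KEM_ID = 0x0020
N_SECRET = 32
SUITE_ID = b"KEM" + KEM_ID.to_bytes(2, "big")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # HMAC zero-pads the key, so an empty salt equals the RFC 5869 all-zero default.
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return hkdf_expand(prk, labeled_info, length)


def extract_and_expand(dh: bytes, kem_context: bytes) -> bytes:
    eae_prk = labeled_extract(b"", b"eae_prk", dh)
    return labeled_expand(eae_prk, b"shared_secret", kem_context, N_SECRET)


def kem_shared_secret(dh_eph_recipient, enc, pk_r, dh_sender_recipient=None, pk_s=None):
    """Final step of (Auth)Encap/(Auth)Decap: dh_eph_recipient is X25519(skE, pkR),
    dh_sender_recipient is X25519(skS, pkR); both sides compute the same values."""
    for d in (dh_eph_recipient, dh_sender_recipient):
        if d is not None and d == bytes(32):
            raise ValueError("all-zero X25519 shared secret")  # the documented error case
    dh, kem_context = dh_eph_recipient, enc + pk_r
    if dh_sender_recipient is not None:  # auth mode also binds the sender's public key
        dh += dh_sender_recipient
        kem_context += pk_s
    return extract_and_expand(dh, kem_context)
```

In auth mode the recipient needs only secret_recipient to compute both DH terms for any enc and pk_s, which is why a leaked recipient key breaks sender authentication (the KCI note above).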

Re-exports

  • pub use crate::hazardous::ecc::x25519::PrivateKey;
  • pub use crate::hazardous::ecc::x25519::PublicKey;

Structs

  • DHKEM(X25519, HKDF-SHA256) as specified in HPKE RFC 9180.
  • A type to represent the SharedSecret that DH-KEM(X25519, HKDF-SHA256) produces.