Expand description
§Quantum-Safe Cryptography
Post-quantum cryptographic primitives for future-proofing authorization data.
This module provides quantum-resistant algorithms for:
- Key Encapsulation: Using ML-KEM (Kyber) for key exchange
- Digital Signatures: Using ML-DSA (Dilithium) for signing tuples
- Hybrid Mode: Classical + Post-Quantum for defense-in-depth
§NIST Post-Quantum Standards
This implementation prepares for NIST’s finalized post-quantum algorithms:
- ML-KEM-768 (Kyber): Key Encapsulation Mechanism
- ML-DSA-65 (Dilithium): Digital Signature Algorithm
- SLH-DSA (SPHINCS+): Stateless Hash-Based Signatures (optional)
§Example
use oxify_authz::quantum::*;
// Generate quantum-safe keypair
let keypair = QuantumKeypair::generate()?;
// Sign authorization tuple
let tuple_data = b"user:alice|document:123|viewer";
let signature = keypair.sign(tuple_data)?;
// Verify signature
assert!(keypair.verify(tuple_data, &signature)?);§Security Notes
- Transition Strategy: Use hybrid mode during migration period
- Key Rotation: Rotate quantum keys every 90 days
- Algorithm Agility: Abstract interface allows swapping algorithms
§Future Work
When pqcrypto or oqs crates mature, replace placeholder with:
ⓘ
use pqcrypto_dilithium::dilithium5;
use pqcrypto_kyber::kyber1024;Structs§
- Quantum
KeyManager - Quantum key rotation manager
- Quantum
Keypair - Quantum-safe keypair for signing authorization tuples
- Quantum
Signature - Quantum-safe digital signature
- Signed
Relation Tuple - Quantum-safe tuple wrapper with signature
Enums§
- Quantum
Algorithm - Quantum-safe algorithm selection