qasa 0.0.7

Post-quantum cryptography implementation using CRYSTALS-Kyber and CRYSTALS-Dilithium for quantum-safe communications
docs.rs failed to build qasa-0.0.7
Please check the build logs for more information.
See Builds for ideas on how to fix a failed build, or Metadata for how to configure docs.rs builds.
If you believe this is docs.rs' fault, open an issue.
Visit the last successful build: qasa-0.0.3

QaSa (Quantum-Safe) is a production-ready, post-quantum cryptography library for Rust. Built on NIST-standardized algorithms, it provides protection against both classical and quantum computer attacks.

Why QaSa?

  • Future-Proof Security - NIST-selected post-quantum algorithms (Kyber, Dilithium, SPHINCS+)
  • Zero-Copy Design - Efficient memory handling with minimal allocations
  • Ergonomic API - Simple, intuitive interfaces for complex cryptographic operations
  • Memory Safety - Automatic zeroization of sensitive data with SecureBytes
  • Battle-Tested - Built on the proven liboqs library

Installation

[dependencies]
qasa = "0.0.6"

Quick Start

Key Encapsulation (Kyber)

use qasa::prelude::*;

fn main() -> Result<(), CryptoError> {
    // Generate a quantum-safe key pair
    let keypair = KyberKeyPair::generate(KyberVariant::Kyber768)?;
    let public_key = keypair.public_key();

    // Sender: Encapsulate a shared secret
    let (ciphertext, shared_secret_sender) = public_key.encapsulate()?;

    // Receiver: Decapsulate to get the same shared secret
    let shared_secret_receiver = keypair.decapsulate(&ciphertext)?;

    assert_eq!(shared_secret_sender, shared_secret_receiver);
    Ok(())
}

Digital Signatures (Dilithium)

use qasa::prelude::*;

fn main() -> Result<(), CryptoError> {
    // Generate a signing key pair
    let keypair = DilithiumKeyPair::generate(DilithiumVariant::Dilithium3)?;

    // Sign a message
    let message = b"Hello, quantum-safe world!";
    let signature = keypair.sign(message)?;

    // Verify the signature
    let is_valid = keypair.verify(message, &signature)?;
    assert!(is_valid);
    Ok(())
}

End-to-End Encrypted Messaging

use qasa::prelude::*;

fn main() -> Result<(), CryptoError> {
    // Alice generates her keys
    let alice_enc = KyberKeyPair::generate(KyberVariant::Kyber768)?;
    let alice_sig = DilithiumKeyPair::generate(DilithiumVariant::Dilithium3)?;

    // Bob generates his keys
    let bob_enc = KyberKeyPair::generate(KyberVariant::Kyber768)?;

    // Alice sends a secure message to Bob
    let message = b"Secret quantum-safe message";
    let secure_msg = create_secure_message(
        message,
        &bob_enc.public_key(),
        &alice_sig
    )?;

    // Bob receives and decrypts
    let decrypted = open_secure_message(
        &secure_msg,
        &bob_enc,
        &alice_sig.public_key()
    )?;

    assert_eq!(message.to_vec(), decrypted);
    Ok(())
}

Security Levels

QaSa supports multiple security levels aligned with NIST standards:

Algorithm Level 1 (128-bit) Level 3 (192-bit) Level 5 (256-bit)
Kyber Kyber512 Kyber768 Kyber1024
Dilithium Dilithium2 Dilithium3 Dilithium5
SPHINCS+ Sphincs128f/s Sphincs192f/s Sphincs256f/s

Core Features

Cryptographic Primitives

  • CRYSTALS-Kyber - Lattice-based key encapsulation mechanism (KEM)
  • CRYSTALS-Dilithium - Lattice-based digital signatures
  • SPHINCS+ - Hash-based stateless signatures
  • BIKE - Code-based KEM for algorithm diversity
  • AES-GCM - Authenticated symmetric encryption
  • ChaCha20-Poly1305 - Alternative authenticated encryption

Security Features

  • Secure Memory - SecureBytes with automatic zeroization
  • Constant-Time Operations - Side-channel resistant implementations
  • Memory Locking - Optional mlock() for sensitive data
  • Canary Buffers - Overflow detection for critical buffers

Optional Features

[dependencies]
qasa = { version = "0.0.7", features = ["simd", "lean"] }
Feature Description
simd SIMD optimizations (default)
lean Optimized for constrained environments
python Python bindings via PyO3
wasm WebAssembly support
hardware-acceleration Hardware crypto acceleration

Secure Memory Handling

QaSa provides secure containers that automatically zero memory when dropped:

use qasa::prelude::*;

// SecureBytes automatically zeros on drop
let secret = SecureBytes::from(vec![0x42; 32]);

// Scoped secure operations
with_secure_scope(|| {
    let temp_key = derive_key_from_password("password", None, None)?;
    // Key is automatically zeroized when scope exits
    Ok(())
})?;

// Locked memory (won't be swapped to disk)
let locked = LockedBuffer::new(32)?;

Hybrid Encryption

Combine classical and post-quantum algorithms for defense in depth:

use qasa::prelude::*;

// Hybrid KEM: X25519 + Kyber768
let hybrid_keypair = HybridKemKeyPair::generate(HybridKemVariant::X25519Kyber768)?;

// Even if one algorithm is broken, your data remains secure
let (ciphertext, shared_secret) = hybrid_keypair.public_key().encapsulate()?;

Performance

Benchmarked on AMD Ryzen 9 5900X:

Operation Kyber768 Dilithium3
Key Generation 0.31 ms 2.09 ms
Encapsulate/Sign 0.36 ms 4.98 ms
Decapsulate/Verify 0.39 ms 1.52 ms

Run benchmarks yourself:

cargo bench

Examples

Explore the examples/ directory:

cargo run --example secure_communication
cargo run --example quantum_signatures
cargo run --example hybrid_encryption
cargo run --example secure_memory

Documentation

Security Considerations

QaSa implements NIST-standardized post-quantum algorithms. However:

  1. Post-quantum cryptography is evolving - Stay updated with NIST announcements
  2. Side-channel attacks - While we implement constant-time operations, hardware vulnerabilities may exist
  3. Key management - Use the provided secure storage; never store raw keys

Report security vulnerabilities to: djwarfqasa@proton.me

Contributing

We welcome contributions! Please read CONTRIBUTING.md for guidelines.

# Run tests
cargo test

# Run benchmarks
cargo bench

# Check formatting
cargo fmt --check

# Run clippy
cargo clippy

License

MIT License - see LICENSE for details.

Acknowledgments