Crate qfe

Crate qfe 

Source
Expand description

§Qualitative Frame Entanglement (QFE) - Experimental Secure Communication Framework

Current Version Date: April 7, 2025

NOTE: This library is an experimental simulation framework. While it now incorporates standard, vetted cryptographic primitives for core security functions (PQC KEM, HKDF, AEAD), the overall integrated system has not undergone formal security audits. Use with caution and primarily for research or educational purposes.

§Overview

The QFE framework provides Rust types and functions to simulate secure communication between participants represented as Frame instances. Originally conceived from foundational principles, the implementation has evolved significantly to prioritize robust security using modern cryptographic standards.

The core security flow involves:

  1. Frame Initialization: Participants create Frame instances with unique internal states derived deterministically from IDs and seeds using SHA-512.
  2. Post-Quantum Key Establishment: A shared secret context (Sqs) is established using the establish_sqs_kem function. This function simulates key exchange using the ML-KEM-1024 (Kyber) algorithm (a NIST standard for Post-Quantum Cryptography), providing resistance against known quantum computer attacks for the initial shared secret.
  3. Key Derivation: The HKDF-SHA512 key derivation function is used with the ML-KEM shared secret (and contextual information like participant IDs) to derive robust session keys, including a specific key for authenticated encryption. These keys are stored within the Sqs struct shared between the participant Frames.
  4. Authenticated Encryption: Subsequent communication requiring confidentiality, integrity, and authenticity is handled by the encode_aead and decode_aead methods. These methods utilize the ChaCha20-Poly1305 AEAD cipher, keyed with the key derived during the HKDF step. Correct usage requires generating a unique nonce for each message.
  5. Zero-Knowledge Proofs (Optional): The library includes experimental ZKP features within the zkp module (e.g., Schnorr’s protocol) that can be bound to the established session context.

§Security Model

The security of this revised QFE implementation relies directly on the standard cryptographic hardness assumptions of the underlying primitives:

  • ML-KEM-1024: Security based on the hardness of the Module-LWE problem (Post-Quantum Secure).
  • HKDF-SHA512: Security as a standard Key Derivation Function based on HMAC-SHA512.
  • ChaCha20-Poly1305: Standard AEAD security (Confidentiality, Integrity, Authenticity).
  • SHA-512: Standard hash function properties.

Important Considerations:

  • Nonce Reuse: Nonce uniqueness must be maintained for AEAD security. Reusing a nonce with the same key breaks ChaCha20-Poly1305 security guarantees. The current implementation uses random nonces.
  • Key Exchange MitM: The base ML-KEM protocol requires the public key and ciphertext to be exchanged. This exchange is vulnerable to Man-in-the-Middle (MitM) attacks if performed over an insecure channel. Protection against MitM requires either an underlying authenticated channel or out-of-band verification (e.g., comparing Sqs fingerprints after establishment).
  • Experimental Status: As mentioned, the integrated system requires further analysis and review.

§Example Workflow

use qfe::{Frame, establish_sqs_kem, setup_qfe_pair}; // Assuming setup_qfe_pair uses KEM

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // 1. Setup Frames and SQS using KEM + HKDF
    let alice_id = "Alice_Main".to_string();
    let bob_id = "Bob_Main".to_string();
    let context = "example_session_v1";
    // Use setup_qfe_pair (assuming it's updated for KEM and context)
    let (mut frame_a, mut frame_b) = setup_qfe_pair(
        alice_id.clone(), // Seed for Alice's Frame init
        bob_id.clone(),   // Seed for Bob's Frame init
        context                 // Context string for HKDF salt
    )?;

    // (Optional but Recommended) Compare SQS fingerprints out-of-band
    let fp_a = frame_a.calculate_sqs_fingerprint()?;
    let fp_b = frame_b.calculate_sqs_fingerprint()?;
    assert_eq!(fp_a, fp_b, "Fingerprint mismatch indicates potential MitM!");
    println!("SQS Fingerprints match: {}", fp_a);

    // 2. Alice Encrypts a message for Bob
    let plaintext = b"Secret message from Alice!";
    let associated_data = Some(b"message_id_001" as &[u8]);
    let encrypted_msg = frame_a.encode_aead(plaintext, associated_data)?;
    println!("Alice sends encrypted message (len: {})", encrypted_msg.ciphertext.len());

    // 3. Bob Decrypts the message
    let decoded_plaintext = frame_b.decode_aead(&encrypted_msg, associated_data)?;
    println!("Bob received: {}", String::from_utf8_lossy(&decoded_plaintext));
    assert_eq!(plaintext.as_slice(), decoded_plaintext.as_slice());

    Ok(())
}

Re-exports§

pub use zkp::ZkpValidityResponse;
pub use zkp::establish_zkp_sqs;

Modules§

zkp
This module contains experimental implementations related to Zero-Knowledge Proofs using the QFE simulation framework, focusing on a simple non-interactive validity proof scheme based on Fiat-Shamir.

Structs§

Frame
Represents a participant Frame (e.g., Sender A, Receiver B).
QfeEncryptedMessage
Structure to hold the result of AEAD encryption.
Sqs
Represents the established shared state (secret key and context) between two Frames.

Enums§

QfeError
Custom error types for the QFE library operations.

Functions§

establish_sqsDeprecated
Performs the interactive shared state (SQS) establishment process between two Frames.
establish_sqs_kem
Establishes a shared state (SQS) using ML-KEM-1024 key exchange and HKDF. This replaces the previous custom SQS establishment logic.
setup_qfe_pair
Sets up two Frames (A and B) and establishes a shared state (SQS) between them.

Type Aliases§

Sha512Hash