2 unstable releases
0.11.1 | Jun 24, 2024 |
---|---|
0.10.1 | May 19, 2023 |
#941 in Cryptography
152 downloads per month
Used in 3 crates
(2 directly)
2MB
3K
SLoC
hpke_pq - a fork of hpke
This is an implementation of the HPKE hybrid encryption standard (RFC 9180).
This fork includes experimental support for the hybrid Kyber-X25519 KEM.
Warning
This crate has not been formally audited. Cloudflare did a security review of version 0.8, though:
The HPKE implementation we decided on comes with the caveat of not yet being formally audited, so we performed our own internal security review. We analyzed the cryptography primitives being used and the corresponding libraries. Between the composition of said primitives and secure programming practices like correctly zeroing memory and safe usage of random number generators, we found no security issues.
What it implements
This implementation complies with the HPKE standard (RFC 9180).
Here are all the primitives listed in the spec. The primitives with checked boxes are the ones that are implemented.
- KEMs
- DHKEM(Curve25519, HKDF-SHA256)
- DHKEM(Curve448, HKDF-SHA512)
- DHKEM(P-256, HKDF-SHA256)
- DHKEM(P-384, HKDF-SHA384)
- DHKEM(P-521, HKDF-SHA512)
- KDFs
- HKDF-SHA256
- HKDF-SHA384
- HKDF-SHA512
- AEADs
- AES-GCM-128
- AES-GCM-256
- ChaCha20Poly1305
Crate Features
Default features flags: alloc
, x25519
, p256
.
Feature flag list:
alloc
- Includes allocating methods likeAeadCtxR::open()
andAeadCtxS::seal()
x25519
- Enables X25519-based KEMsp256
- Enables NIST P-256-based KEMsp384
- Enables NIST P-384-based KEMsserde_impls
- Includes implementations ofserde::Serialize
andserde::Deserialize
for allhpke::Serializable
andhpke::Deserializable
typesstd
- Includes an implementation ofstd::error::Error
forHpkeError
. Also does whatalloc
does.
For info on how to omit or include feature flags, see the cargo docs on features.
Usage Examples
See the client-server example for an idea of how to use HPKE.
MSRV
The current minimum supported Rust version (MSRV) is 1.65.0 (897e37553 2022-11-02).
Changelog
See CHANGELOG.md for a list of changes made throughout past versions.
Tests
To run all tests, execute cargo test --all-features
. This includes known-answer tests, which test against test-vector-COMMIT_ID.json
,where COMMIT_ID
is the short commit of the version of the spec that the test vectors came from. The finalized spec uses commit 5f503c5. See the reference implementation for information on how to generate a test vector.
Benchmarks
To run all benchmarks, execute cargo bench --all-features
. If you set your own feature flags, the benchmarks will still work, and run the subset of benches that it is able to. The results of a benchmark can be read as a neat webpage at target/criterion/report/index.html
.
Ciphersuites benchmarked:
- NIST Ciphersuite with 128-bit security: AES-GCM-128, HKDF-SHA256, ECDH-P256
- Non-NIST Ciphersuite with 128-bit security: ChaCha20-Poly1305, HKDF-SHA256, X25519
Functions benchmarked in each ciphersuite:
Kem::gen_keypair
setup_sender
with OpModes of Base, Auth, Psk, and AuthPsksetup_receiver
with OpModes of Base, Auth, Psk, and AuthPskAeadCtxS::seal
with plaintext length 64 and AAD length 64AeadCtxR::open
with ciphertext length 64 and AAD length 64
Agility
A definition: crypto agility refers to the ability of a cryptosystem or protocol to vary its underlying primitives. For example, TLS has "crypto agility" in that you can run the protocol with many different ciphersuites.
This crate does not support crypto agility out of the box. This is because the cryptographic primitives are encoded as types satisfying certain constraints, and types need to be determined at compile time (broadly speaking). That said, there is nothing preventing you from implementing agility yourself. There is a sample implementation in the examples folder. The sample implementation is messy because agility is messy.
License
Licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE)
- MIT license (LICENSE-MIT)
at your option.
Dependencies
~3.5–5.5MB
~106K SLoC