Closed jschneider-bensch closed 3 months ago
This crate implements a protocol for agreeing on a pre-shared key such that the protocol messages are secure against harvest-now-decrypt-later (HNDL) passive quantum attackers.
The protocol between initator A and receiver B roughly works as follows:
A
B
A: (ik, enc) <- PQ-KEM(pk_B) K_0 <- KDF(ik, pk_B || enc || sctxt) K_m <- KDF(K_0, "Confirmation") K <- KDF(K_0, "PSK") mac_ttl <- MAC(K_m, psk_ttl) A -> B: (enc, psk_ttl, mac_ttl)
Where
pk_B
sctx
psk_ttl
K
The crate implements the protocol based on several different internal KEMs:
X25519
ML-KEM 768
Classic McEliece
XWingKemDraft02
This crate implements a protocol for agreeing on a pre-shared key such that the protocol messages are secure against harvest-now-decrypt-later (HNDL) passive quantum attackers.
The protocol between initator
Aand receiverBroughly works as follows:Where
pk_Bis the receiver's KEM public key,sctxis context information for the given session of the protocol,psk_ttlspecifies for how long the PSK should be considered valid, andKis the final PSK that is derived from the decapsulated shared secret based on the internal KEM.The crate implements the protocol based on several different internal KEMs:
X25519, an elliptic-curve Diffie-Hellman KEM (not post-quantum secure; for performance comparison)ML-KEM 768, a lattice-based post-quantum KEM, in the process of being standardized by NISTClassic McEliece, a code-based post-quantum KEM & Round 4 candidate in the NIST PQ competition,XWingKemDraft02, a hybrid post-quantum KEM, combiningX25519andML-KEM 768based KEMs