pqc-combo

Crates.iopqc-combo
lib.rspqc-combo
version0.1.0
created_at2025-11-01 16:13:13.45425+00
updated_at2025-11-19 09:46:23.88164+00
descriptionPure Rust ML-KEM-1024 + ML-DSA-65 + AES-256-GCM for no_std
homepagehttps://www.pqc-combo.com/
repositoryhttps://github.com/AaronSchnacky1/pqc-combo
max_upload_size
id1912141
size257,111
Aaron Schnacky (AaronSchnacky1)

documentation

https://github.com/AaronSchnacky1/pqc-combo/blob/main/README.md

README

CI Status Pure Rust no_std

pqc-combo v0.1.0 NO KAT TEST

Crates.io Documentation License: MIT Build Status

Pure Rust Post-Quantum Cryptography Library with FIPS 140-3 Support

A production-ready, no_std compatible cryptography library implementing NIST-standardized post-quantum algorithms with optional FIPS 140-3 compliance features.

๐ŸŒ Website: www.pqc-combo.com
๐Ÿ“ฆ Crate: crates.io/crates/pqc-combo
๐Ÿ“– Documentation: docs.rs/pqc-combo
๐Ÿ”— Repository: github.com/AaronSchnacky1/pqc-combo

โœจ Features

๐Ÿงช Testing

cargo test --features std
cargo test --features "std,ml-kem,ml-dsa"
cargo test --features "std,fips_140_3"
cargo test --all-features

cargo test --no-default-features
cargo test --no-default-features --features alloc
cargo test --no-default-features --features "alloc,aes-gcm"

cargo bench
cargo bench --features "std,ml-kem,ml-dsa"
cargo bench keygen
cargo bench ML-KEM

Cryptographic Algorithms

  • ML-KEM-1024 (Kyber) - FIPS 203, Security Level 5

    • Key Encapsulation Mechanism for secure key exchange
    • 1568-byte public keys, 3168-byte private keys
    • 32-byte shared secrets

  • ML-DSA-65 (Dilithium) - FIPS 204, Security Level 3

    • Digital signature algorithm for authentication
    • 1952-byte public keys, 4032-byte private keys
    • 3309-byte signatures

  • AES-256-GCM - FIPS 197 & SP 800-38D

    • Authenticated encryption with associated data
    • Optional feature for hybrid encryption schemes

FIPS 140-3 Compliance Features

When the fips_140_3 feature is enabled, the library includes:

  • โœ… Pre-Operational Self-Tests (POST)

    • Cryptographic Algorithm Self-Tests (CASTs) for hash functions
    • Known Answer Tests (KATs) for ML-KEM and ML-DSA
    • Pair-wise Consistency Tests (PCTs) for key generation

  • โœ… State Machine

    • Enforces proper initialization before cryptographic operations
    • States: Uninitialized โ†’ POST โ†’ Operational โ†’ Error

  • โœ… CSP Controls

    • Prevents plaintext export of secret keys in FIPS mode
    • Automatic key zeroization on drop
    • Keys only accessible through approved APIs

Platform Support

  • โœ… no_std + no_alloc - Bare metal / embedded systems
  • โœ… no_std + alloc - Embedded with allocator
  • โœ… std - Full standard library with OS RNG

๐Ÿš€ Quick Start

Add to your Cargo.toml:

[dependencies]
pqc-combo = "0.1"

Basic Usage

use pqc_combo::*;

// Key Encapsulation (KEM)
let keys = KyberKeys::generate_key_pair();
let (ciphertext, shared_secret_sender) = encapsulate_shared_secret(&keys.pk);
let shared_secret_receiver = decapsulate_shared_secret(&keys.sk, &ciphertext);
assert_eq!(shared_secret_sender, shared_secret_receiver);

// Digital Signatures
let (pk, sk) = generate_dilithium_keypair();
let message = b"Hello, Post-Quantum World!";
let signature = sign_message(&sk, message);
assert!(verify_signature(&pk, message, &signature));

FIPS 140-3 Mode

use pqc_combo::*;

// Run Pre-Operational Self-Tests
run_post().expect("POST failed");

// Generate keys with Pair-wise Consistency Test
let keys = KyberKeys::generate_key_pair_with_pct()
    .expect("PCT failed");

// Use keys normally
let (ct, ss) = encapsulate_shared_secret(&keys.pk);

no_std Usage

#![no_std]

use pqc_combo::*;

// Bring your own entropy source
let seed: [u8; 64] = get_hardware_entropy();

// Generate keys from seed
let keys = KyberKeys::generate_key_pair_with_seed(seed);

๐Ÿ“‹ Feature Flags

Feature Description Default
std Standard library support, enables OS RNG โœ…
alloc Allocator support, required for AES-GCM โœ…
ml-kem ML-KEM-1024 (Kyber) algorithm โœ…
ml-dsa ML-DSA-65 (Dilithium) algorithm โœ…
aes-gcm AES-256-GCM symmetric encryption โœ…
fips_140_3 FIPS 140-3 compliance features โŒ

Configuration Examples

# Default: Full featured with std
pqc-combo = "0.1"

# FIPS mode
pqc-combo = { version = "0.1", features = ["fips_140_3"] }

# Minimal no_std
pqc-combo = { version = "0.1", default-features = false, features = ["ml-kem", "ml-dsa"] }

# no_std with allocator and AES
pqc-combo = { version = "0.1", default-features = false, features = ["alloc", "ml-kem", "ml-dsa", "aes-gcm"] }

๐Ÿ”’ Security

Algorithm Security Levels

  • ML-KEM-1024: NIST Security Level 5 (equivalent to AES-256)
  • ML-DSA-65: NIST Security Level 3 (equivalent to AES-192)
  • AES-256-GCM: 256-bit security

Implementation Security

  • โœ… Pure Rust - Memory safety guaranteed by Rust
  • โœ… Constant-time operations - Via libcrux implementations
  • โœ… Automatic zeroization - Secret keys cleared on drop
  • โœ… No unsafe code - In the public API surface
  • โœ… FIPS 140-3 ready - Self-tests and state machine included

Security Considerations

  • RNG Quality: Use hardware RNG in production environments
  • Side-channel resistance: Implementations use constant-time operations where possible
  • Key management: Secret keys are automatically zeroized, but ensure proper key lifecycle management
  • Not yet certified: FIPS 140-3 certification is in progress

See SECURITY.md for more details.

๐Ÿ“Š Performance

Measured on modern x86_64 hardware (November 2024):

Operation Time Throughput
ML-KEM-1024 KeyGen 12.2 ยตs ~81,900 ops/sec
ML-KEM-1024 Encapsulate 12.9 ยตs ~77,500 ops/sec
ML-KEM-1024 Decapsulate 13.7 ยตs ~72,900 ops/sec
ML-DSA-65 KeyGen 29.8 ยตs ~33,500 ops/sec
ML-DSA-65 Sign 80.2 ยตs ~12,470 ops/sec
ML-DSA-65 Verify 29.1 ยตs ~34,360 ops/sec

Key Insights:

  • ๐Ÿš€ All operations complete in under 100 microseconds
  • ๐Ÿš€ ML-KEM is faster than RSA-2048 for key exchange
  • ๐Ÿš€ ML-DSA is competitive with ECDSA for signatures
  • ๐Ÿš€ Pure Rust with no performance compromises

Run cargo bench to measure on your hardware. See PERFORMANCE_BENCHMARKS.md for detailed analysis.

๐Ÿ› ๏ธ Development Status

โœ… Completed

  • Pure Rust implementations via libcrux
  • no_std support (bare metal to full std)
  • ML-KEM-1024 (Kyber) implementation
  • ML-DSA-65 (Dilithium) implementation
  • AES-256-GCM integration
  • FIPS 140-3 state machine
  • Pair-wise Consistency Tests (PCT)
  • Hash function CASTs
  • Known Answer Tests (KATs) for ML-KEM and ML-DSA
  • CSP controls and zeroization
  • Comprehensive test suite

๐Ÿšง In Progress

  • FIPS 140-3 certification documentation
  • Additional algorithm support (ML-KEM-768, ML-DSA-87)

๐Ÿ“ Planned

  • C FFI wrapper (separate crate)
  • Python bindings
  • WebAssembly support
  • Hardware acceleration
  • Formal verification

๐Ÿ“š Documentation

๐Ÿ“„ License

This project is licensed under the MIT License - see the LICENSE file for details.

๐Ÿ™ Acknowledgments

  • libcrux - Pure Rust cryptographic implementations
  • NIST - Post-quantum cryptography standardization
  • Rust Crypto - Cryptographic primitives ecosystem

๐Ÿ“ง Contact

Author: Aaron Schnacky
Email: aaronschnacky@gmail.com
Website: www.pqc-combo.com
GitHub: @AaronSchnacky1

For security issues, please see SECURITY.md for responsible disclosure process.

โš ๏ธ Disclaimer

This software is provided "as is" without warranty of any kind. While it implements NIST-standardized algorithms and includes FIPS 140-3 compliance features, it has not yet completed FIPS 140-3 certification. Use in production environments should be evaluated based on your specific security requirements.

Built with โค๏ธ in Rust | Securing tomorrow's communications today

Commit count: 0

cargo fmt