pqc-nostd v0.1.0

Implements only NIST-standardized and FIPS-approved algorithms:

• ML-KEM-1024 (FIPS 203 – CRYSTALS-Kyber) – Security Level 5
• ML-DSA-65 (FIPS 204 – CRYSTALS-Dilithium) – Security Level 3

No std, no heap allocation, no unsafe code, no legacy crypto – ever.

FIPS 140-3 Compliance Status (20 November 2025)

• Designed and for Level 2 validation (pure software, no_std boundary)
• Fully satisfies Level 1 requirements
• Complete Power-On Self-Tests (POST):
  • Conditional Algorithm Self-Tests (CASTs) on all SHA-3/SHAKE instances
  • Pair-wise Consistency Tests (PCTs) on every newly generated key pair
• Critical Security Parameters automatically zeroized on drop
• Plaintext CSP export blocked in approved mode
• Approved mode enforced via fips_140_3 feature gate
• Zero dependencies that require std in approved mode

Cargo Features

No default features – the FIPS boundary is explicit and minimal.

Approved-Mode Usage Example

use pqc_nostd::{run_post_or_panic, is_operational, FIPS_CONTEXT};

fn main() {
    run_post_or_panic();  // Executes full POST – panics on any failure
    assert!(is_operational());

    // ML-KEM-1024 (Kyber)
    let kyber_kp = pqc_nostd::kyber_generate_key_pair([0x01u8; 64]);
    let (ct, ss_alice) = pqc_nostd::encapsulate(&kyber_kp.public_key(), [0x02u8; 32]);
    let ss_bob = pqc_nostd::decapsulate(&kyber_kp.private_key(), &ct);
    assert_eq!(ss_alice, ss_bob);

    // ML-DSA-65 (Dilithium)
    let dil_kp = pqc_nostd::dilithium_generate_key_pair([0x03u8; 32]);
    let sig = pqc_nostd::dilithium_sign(&dil_kp.signing_key, b"msg", FIPS_CONTEXT, [0x04u8; 32]).unwrap();
    assert!(pqc_nostd::dilithium_verify(&dil_kp.verification_key, b"msg", FIPS_CONTEXT, &sig).is_ok());
}