4 releases (2 breaking)
| 0.3.0 | Dec 7, 2025 |
|---|---|
| 0.2.2 | Dec 6, 2025 |
| 0.2.0 | Dec 6, 2025 |
| 0.1.0 | Dec 6, 2025 |
#513 in Cryptography
155KB
3.5K
SLoC
RustPQ
A pure Rust post-quantum cryptography suite by Sanct.
Algorithms
| Algorithm | Standard | Status |
|---|---|---|
| ML-KEM (Kyber) | FIPS 203 | Implemented |
| ML-KEM Hybrid | IETF draft-ietf-tls-ecdhe-mlkem | Implemented |
| ML-DSA (Dilithium) | FIPS 204 | Implemented |
| SLH-DSA (SPHINCS+) | FIPS 205 | Planned |
Features
- Pure Rust - No unsafe code, memory-safe by design
no_stdCompatible - Works on embedded devices and bare-metal- Constant-time - Resistant to timing attacks via the
subtlecrate - Lightweight - Minimal dependencies
Installation
[dependencies]
rustpq = "0.3.0"
For hybrid KEMs:
[dependencies]
rustpq = { version = "0.3.0", features = ["x25519-mlkem768"] }
Usage
ML-KEM Key Encapsulation
use rustpq::ml_kem::mlkem768::{generate, encapsulate, decapsulate};
use rand::rngs::OsRng;
// Generate a keypair
let (public_key, secret_key) = generate(&mut OsRng);
// Encapsulate: creates shared secret + ciphertext
let (ciphertext, shared_secret_sender) = encapsulate(&public_key, &mut OsRng);
// Decapsulate: recovers shared secret from ciphertext
let shared_secret_receiver = decapsulate(&secret_key, &ciphertext);
assert_eq!(shared_secret_sender.as_bytes(), shared_secret_receiver.as_bytes());
ML-KEM Hybrid (Post-Quantum + Classical)
Hybrid KEMs combine ML-KEM with traditional ECDH for defense-in-depth. Even if one algorithm is broken, the other provides security.
use rustpq::ml_kem_hybrid::x25519_mlkem768::{generate, encapsulate, decapsulate};
use rand::rngs::OsRng;
// Generate hybrid keypair (X25519 + ML-KEM-768)
let (pk, sk) = generate(&mut OsRng);
// Encapsulate
let (ct, ss_sender) = encapsulate(&pk, &mut OsRng);
// Decapsulate
let ss_receiver = decapsulate(&sk, &ct);
// Get a ready-to-use 32-byte key (SHA3-256 of combined secrets)
let key = ss_sender.derive_key();
// Or access raw concatenated secret for custom KDF
let raw_64_bytes = ss_sender.as_bytes();
ML-DSA Digital Signatures
use rustpq::ml_dsa::mldsa44::{generate, sign, verify};
use rand::rngs::OsRng;
// Generate a keypair
let (public_key, secret_key) = generate(&mut OsRng);
// Sign a message
let message = b"Hello World";
let context = b""; // Optional context string
let signature = sign(&secret_key, message, context, &mut OsRng).unwrap();
// Verify the signature
assert!(verify(&public_key, message, context, &signature).is_ok());
Examples
# ML-KEM key encapsulation
cargo run --example basic --features mlkem768
# ML-KEM hybrid (X25519 + ML-KEM-768)
cargo run --example hybrid --features x25519-mlkem768
# End-to-end encryption (hybrid KEM + signatures)
cargo run --example e2ee --features "x25519-mlkem768,mldsa65"
# ML-DSA digital signatures
cargo run --example mldsa --features mldsa44
Development
# Run all tests
cargo test --all-features
# Run hybrid tests only
cargo test --features "x25519-mlkem768,p256-mlkem768,p384-mlkem1024"
# Benchmarks
cargo bench --features "mlkem512,mlkem768,mlkem1024"
cargo bench --features "x25519-mlkem768,p256-mlkem768,p384-mlkem1024"
# Check for issues
cargo clippy --all-features
Feature Flags
ML-KEM (Key Encapsulation)
| Feature | Algorithm | Security | Key Size | Ciphertext | Secret |
|---|---|---|---|---|---|
mlkem512 |
ML-KEM-512 | Level 1 (~AES-128) | 800 B | 768 B | 32 B |
mlkem768 |
ML-KEM-768 | Level 3 (~AES-192) | 1184 B | 1088 B | 32 B |
mlkem1024 |
ML-KEM-1024 | Level 5 (~AES-256) | 1568 B | 1568 B | 32 B |
ML-KEM Hybrid (Post-Quantum + Classical)
| Feature | Hybrid | Security | Key Size | Ciphertext | Secret |
|---|---|---|---|---|---|
x25519-mlkem768 |
X25519 + ML-KEM-768 | Level 3 | 1216 B | 1120 B | 64 B |
p256-mlkem768 |
P-256 + ML-KEM-768 | Level 3 | 1249 B | 1153 B | 64 B |
p384-mlkem1024 |
P-384 + ML-KEM-1024 | Level 5 | 1665 B | 1665 B | 80 B |
Hybrid combiners follow IETF draft-ietf-tls-ecdhe-mlkem. Use
derive_key()for a ready-to-use 32-byte key, oras_bytes()for protocol integration or custom KDF.
ML-DSA (Digital Signatures)
| Feature | Algorithm | Security | Key Size | Signature |
|---|---|---|---|---|
mldsa44 |
ML-DSA-44 | Level 2 | 2560 B | 2420 B |
mldsa65 |
ML-DSA-65 | Level 3 | 4032 B | 3309 B |
mldsa87 |
ML-DSA-87 | Level 5 | 4896 B | 4627 B |
General
| Feature | Description |
|---|---|
ml-kem |
Enable ML-KEM module (default) |
ml-kem-hybrid |
Enable ML-KEM Hybrid module |
ml-dsa |
Enable ML-DSA module |
std |
Enable standard library support |
alloc |
Enable allocator support |
Default features: ml-kem, mlkem768
Security
This implementation prioritizes correctness and security:
- Constant-time operations to prevent timing side-channels
- Zeroization of sensitive data on drop
- No unsafe code
- Hybrid KEMs provide defense-in-depth against both classical and quantum attacks
[!WARNING] This library has not yet been audited. Use at your own risk in production systems.
License
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE)
- MIT license (LICENSE-MIT)
at your option.
Dependencies
~1.6–3.5MB
~58K SLoC