hpqc is a golang cryptography library. hpqc is used by the Katzenpost mixnet. The theme of the library is hybrid post quantum cryptographic constructions, namely:
- hybrid KEMs
- hybrid NIKEs
- hybrid signature schemes
This library makes some unique contributions in golang:
- a set of generic NIKE interfaces for NIKE scheme, public key and private key types
- generic hybrid NIKE, combines any two NIKEs into one
- secure KEM combiner that can combine an arbtrary number of KEMs into one KEM
- a "NIKE to KEM adapter" which uses an ad hoc hashed elgamal construction
- cgo bindings for the Sphincs+ C reference source
- cgo bindings for the CTIDH C source
- generic hybrid signature scheme, combines any two signature schemes into one
Our ad hoc hashed elgamal construction for adapting any NIKE to a KEM is, in pseudo code:
func ENCAPSULATE(their_pubkey publickey) ([]byte, []byte) {
my_privkey, my_pubkey = GEN_KEYPAIR(RNG)
ss = DH(my_privkey, their_pubkey)
ss2 = PRF(ss || their_pubkey || my_pubkey)
return my_pubkey, ss2
}
func DECAPSULATE(my_privkey, their_pubkey) []byte {
s = DH(my_privkey, their_pubkey)
shared_key = PRF(ss || my_pubkey || their_pubkey)
return shared_key
}
The KEM Combiners paper makes the observation that if a KEM combiner is not security preserving then the resulting hybrid KEM will not have IND-CCA2 security if one of the composing KEMs does not have IND-CCA2 security. Likewise the paper points out that when using a security preserving KEM combiner, if only one of the composing KEMs has IND-CCA2 security then the resulting hybrid KEM will have IND-CCA2 security.
Our KEM combiner uses the split PRF design for an arbitrary number of kems, here shown with only three, in pseudo code:
func SplitPRF(ss1, ss2, ss3, cct1, cct2, cct3 []byte) []byte {
cct := cct1 || cct2 || cct3
return PRF(ss1 || cct) XOR PRF(ss2 || cct) XOR PRF(ss3 || cct)
}
| NIKE: Non-Interactive Key Exchange |
|---|
- Classical Diffiehellman
- X25519
- X448
- CTIDH511, CTIDH512, CTIDH1024, CTIDH2048
- X25519_CTIDH511, X25519_CTIDH512, X25519_CTIDH1024, X25519_CTIDH2048
- NOBS_CSIDH-512
- X25519_NOBS_CSIDH-512
| KEM: Key Encapsulation Methods |
|---|
- X25519 (adapted via ad hoc hashed elgamal construction)
- CTIDH1024 (adapted via ad hoc hashed elgamal construction)
- MLKEM-768
- Xwing
- McEliece
- NTRUPrime
- Kyber
- FrodoKEM
| SIGN: Cryptographic Signature Schemes |
|---|
- ed25519
- sphincs+
- ed25519_sphincs+
- ed25519_dilithium2/3
HPQC (aka hpqc) is free libre open source software (FLOSS) under the AGPL-3.0 software license.
- LICENSE file.
- About free software philosophy
- There are precisely three files which were borrowed from cloudflare's
circlcryptography library:
- https://github.com/katzenpost/hpqc/blob/main/kem/hybrid/hybrid.go
- https://github.com/katzenpost/hpqc/blob/main/kem/interfaces.go
- https://github.com/katzenpost/hpqc/blob/main/sign/interfaces.go
- Classical Diffiehellman implementation from Elixxir/XX Network and modified in place to conform to our NIKE scheme interfaces, BSD 2-clause LICENSE file included
https://github.com/katzenpost/hpqc/blob/main/nike/diffiehellman/dh.go