Module x25519_hkdf_sha256

Available on crate feature dep_orion only.

DHKEM(X25519, HKDF-SHA256) as specified in HPKE RFC 9180.

§Parameters:

  • public_recipient: The public X25519 key of the recipient.
  • public_ephemeral: The ephemeral X25519 key for this KEM operation.
  • secret_recipient: The private X25519 key of the recipient.
  • secret_sender: The private X25519 key of the sender.

§Errors:

An error will be returned if:

  • A shared X25519 secret is all-zero.
  • ikm.len() < 32 when calling derive_keypair().

§Panics:

A panic will occur if:

§Security:

  • The ikm used as input for derive_keypair() must never be reused.
  • This KEM is vulnerable to key-compromise impersonation (KCI) attacks, meaning that if the recipient's private key secret_recipient is leaked at any point, sender authentication no longer holds. See the KCI section of the RFC for recommendations on how to mitigate this.
  • Please refer to the RFC for a detailed description of all security properties provided: https://www.rfc-editor.org/rfc/rfc9180.html#section-9.

§Example:

use orion::hazardous::kem::x25519_hkdf_sha256::DhKem;

// Long-term X25519 keypairs for both parties.
let (sender_secret, sender_public) = DhKem::generate_keypair()?;
let (recipient_secret, recipient_public) = DhKem::generate_keypair()?;

// Sender: encapsulate to the recipient, authenticating with the sender's private key.
let (sender_shared_secret, public_eph) =
    DhKem::auth_encap(&recipient_public, &sender_secret)?;
// Recipient: decapsulate, checking against the sender's expected public key.
let recipient_shared_secret = DhKem::auth_decap(&public_eph, &recipient_secret, &sender_public)?;

assert_eq!(sender_shared_secret, recipient_shared_secret);
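
The following is an added example, not part of orion's documentation or source. It builds the HKDF-SHA256 inputs that RFC 9180 defines for the authenticated mode of this KEM and applies the all-zero check listed under Errors. Both DH terms are computed with secret_recipient on the receiving side, which is why leaking that key breaks sender authentication. Function names are hypothetical and the input bytes are constructed placeholders.

```rust
// Added illustration (not orion's source): the byte strings RFC 9180 feeds to
// HKDF-SHA256 in DHKEM(X25519, HKDF-SHA256) auth mode. Function names are hypothetical.

const SUITE_ID: [u8; 5] = *b"KEM\x00\x20"; // "KEM" || I2OSP(kem_id = 0x0020, 2)
const N_SECRET: u16 = 32; // shared secret length in bytes

/// True if an X25519 output is all-zero; ORs every byte, no early exit.
fn is_all_zero(dh: &[u8; 32]) -> bool {
    dh.iter().fold(0u8, |acc, &b| acc | b) == 0
}

/// HKDF-Extract input: "HPKE-v1" || suite_id || label || ikm
fn labeled_ikm(label: &[u8], ikm: &[u8]) -> Vec<u8> {
    [&b"HPKE-v1"[..], &SUITE_ID[..], label, ikm].concat()
}

/// HKDF-Expand info: I2OSP(L, 2) || "HPKE-v1" || suite_id || label || info
fn labeled_info(label: &[u8], info: &[u8], len: u16) -> Vec<u8> {
    [&len.to_be_bytes()[..], &b"HPKE-v1"[..], &SUITE_ID[..], label, info].concat()
}

/// Returns (Extract input, Expand info) for AuthEncap/AuthDecap, or an error
/// if either DH output is all-zero.
fn auth_hkdf_inputs(
    dh_eph: &[u8; 32],    // DH(skE, pkR) on the sender, DH(skR, pkE) on the recipient
    dh_static: &[u8; 32], // DH(skS, pkR) on the sender, DH(skR, pkS) on the recipient
    enc: &[u8; 32],       // serialized ephemeral public key pkE
    pk_r: &[u8; 32],
    pk_s: &[u8; 32],
) -> Result<(Vec<u8>, Vec<u8>), &'static str> {
    // Non-short-circuit `|` so both outputs are always inspected.
    if is_all_zero(dh_eph) | is_all_zero(dh_static) {
        return Err("all-zero X25519 shared secret");
    }
    let dh = [&dh_eph[..], &dh_static[..]].concat();
    // kem_context binds the ephemeral key and both static public keys.
    let kem_context = [&enc[..], &pk_r[..], &pk_s[..]].concat();
    let info = labeled_info(b"shared_secret", &kem_context, N_SECRET);
    Ok((labeled_ikm(b"eae_prk", &dh), info))
}

fn main() {
    // Constructed placeholder bytes, not real X25519 outputs or keys.
    let (d1, d2, enc, pk_r, pk_s) = ([1u8; 32], [2u8; 32], [3u8; 32], [4u8; 32], [5u8; 32]);
    let (ikm, info) = auth_hkdf_inputs(&d1, &d2, &enc, &pk_r, &pk_s).unwrap();
    println!("Extract input: {} bytes, Expand info: {} bytes", ikm.len(), info.len());
    assert!(auth_hkdf_inputs(&[0u8; 32], &d2, &enc, &pk_r, &pk_s).is_err());
}
```

Because sender_public is part of kem_context, auth_decap called with a different sender public key derives a different shared secret.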

Structs§

DhKem
DHKEM(X25519, HKDF-SHA256) as specified in HPKE RFC 9180.
PrivateKey
A type to represent the PrivateKey that X25519 uses.
PublicKey
A type that represents a PublicKey that X25519 uses.
SharedSecret
A type to represent the SharedSecret that DH-KEM(X25519, HKDF-SHA256) produces.