package hybrid

circl – github.com/cloudflare/circl/kem/hybrid Index | Files

package hybrid

import "github.com/cloudflare/circl/kem/hybrid"

Package hybrid defines several hybrid classical/quantum KEMs for use in TLS.

Hybrid KEMs in TLS are created by simple concatenation of shared secrets, cipher texts, public keys, etc. This is safe for TLS, see eg.

https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf

Note that this approach is not proven secure in broader context.

For deriving a KEM keypair deterministically and encapsulating deterministically, we expand a single seed to both using SHAKE256, so that a non-uniform seed (such as a shared secret generated by a hybrid KEM where one of the KEMs is weak) doesn't impact just one of the KEMs.

Of our XOF (SHAKE256), we desire two security properties:

The internal state of the XOF should be big enough so that we do not loose entropy.
From one of the new seeds, we shouldn't be able to derive the other or the original seed.

SHAKE256, and all siblings in the SHA3 family, have a 200B internal state, so (1) is fine if our seeds are less than 200B. If SHAKE256 is computationally indistinguishable from a random sponge, then it affords us 256b security against (2) by the flat sponge claim [https://keccak.team/files/SpongeFunctions.pdf]. None of the implemented schemes claim more than 256b security and so SHAKE256 will do fine.

Variables ¶

var ErrUninitialized = errors.New("public or private key not initialized")

Functions ¶

func Kyber1024X448 ¶

func Kyber1024X448() kem.Scheme

Returns the hybrid KEM of Kyber1024Draft00 and X448.

func Kyber512X25519 ¶

func Kyber512X25519() kem.Scheme

Returns the hybrid KEM of Kyber512Draft00 and X25519.

func Kyber768X25519 ¶

func Kyber768X25519() kem.Scheme

Returns the hybrid KEM of Kyber768Draft00 and X25519.

func Kyber768X448 ¶

func Kyber768X448() kem.Scheme

Returns the hybrid KEM of Kyber768Draft00 and X448.

func P256Kyber768Draft00 ¶

func P256Kyber768Draft00() kem.Scheme

Returns the hybrid KEM of Kyber768Draft00 and P-256.

func X25519MLKEM768 ¶

func X25519MLKEM768() kem.Scheme

Returns the hybrid KEM of ML-KEM-768 and X25519. https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-01.html

Source Files ¶

ckem.go hybrid.go xkem.go

Version: v1.6.1 (latest)
Published: Apr 9, 2025
Platform: linux/amd64
Imports: 14 packages
Last checked: 2 days ago –

Tools for package owners.

?	: This menu
/	: Search site
f	: Jump to identifier
g then g	: Go to top of page
g then b	: Go to end of page
G	: Go to end of page
g then i	: Go to index
g then e	: Go to examples

package hybrid

Index ¶

Variables ¶

Functions ¶

func Kyber1024X448 ¶

func Kyber512X25519 ¶

func Kyber768X25519 ¶

func Kyber768X448 ¶

func P256Kyber768Draft00 ¶

func X25519MLKEM768 ¶

Source Files ¶

Jump to identifier

Keyboard shortcuts