Hybrid cryptographic implementation using:
- ML-KEM (formerly Crystals-Kyber): Post-Quantum secure Key Encapsulation Mechanism (KEM) for key exchange, standardized by NIST.
- ChaCha20-Poly1305: Authenticated symmetric encryption.
The following diagram describes the protocol flow between the "Sender" and the "Recipient":
sequenceDiagram
participant Sender
participant Recipient
Recipient-->>Sender: Recipient public key (ML-KEM pub key 1184 bytes)
Sender->>Sender: Encapsulate secret (ML-KEM)
Note right of Sender: Generates ephemeral keypair and derives shared secret
Sender->>Sender: Derive ChaCha key (HKDF-SHA256)
Note right of Sender: Uses shared secret to derive symmetric key
Sender->>Sender: Encrypt message (ChaCha20-Poly1305)
Sender->>Recipient: Send {ciphertext, nonce, encrypted message}
Recipient->>Recipient: Decapsulate secret (ML-KEM)
Note right of Recipient: Recovers shared secret
Recipient->>Recipient: Derive ChaCha key (HKDF-SHA256)
Note right of Recipient: Derives the same symmetric key
Recipient->>Recipient: Decrypt message
Note: During the encapsulation process on the sender's side, an ephemeral keypair is generated.
https://docs.rs/kychacha_crypto
- Randomness: Depends on the secure generator of the system.
- HKDF context: Used for protocol binding.
- Nonces: Generated with CSPRNG for each message.