Documentation
Overview
Package chkem implements the Cascaded Hybrid Key Encapsulation Mechanism (CH-KEM).
CH-KEM is a novel defense-in-depth key encapsulation mechanism that combines:
- X25519 (classical elliptic curve Diffie-Hellman)
- ML-KEM-1024 (post-quantum lattice-based KEM)
- SHAKE-256 (cryptographic key derivation)
Security Model
CH-KEM provides IND-CCA2 security if EITHER X25519 OR ML-KEM-1024 is secure, under the random oracle model for SHAKE-256. This hybrid approach provides:
- Quantum Resistance: ML-KEM-1024 resists attacks from quantum computers
- Classical Security: X25519 provides defense if ML-KEM is broken
- Defense in Depth: Both must fail for the system to be compromised
Mathematical Construction
Key Generation:
    (sk_x, pk_x) ← X25519.KeyGen()
    (sk_m, pk_m) ← ML-KEM-1024.KeyGen()
    pk = pk_x || pk_m
    sk = (sk_x, sk_m)
Encapsulation:
    (ct_m, K_m) ← ML-KEM-1024.Encaps(pk_m)
    (sk_x_eph, pk_x_eph) ← X25519.KeyGen()
    K_x ← X25519.DH(sk_x_eph, pk_x)
    ct = pk_x_eph || ct_m
    transcript ← SHA3-256(pk_x || pk_m || ct)
    K ← SHAKE-256(K_x || K_m || transcript || "CH-KEM-v1-SharedSecret", 256)
Decapsulation:
    Parse ct as (pk_x_eph, ct_m)
    K_x ← X25519.DH(sk_x, pk_x_eph)
    K_m ← ML-KEM-1024.Decaps(sk_m, ct_m)
    transcript ← SHA3-256(pk_x || pk_m || ct)
    K ← SHAKE-256(K_x || K_m || transcript || "CH-KEM-v1-SharedSecret", 256)
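The derivation step shared by Encapsulation and Decapsulation, as an added Go sketch that is not the package's own code, using the standard library's crypto/sha3 (Go 1.24 or later). It assumes raw byte concatenation with the label as ASCII and takes the field sizes from the serialization formats documented on this page; splitCiphertext, combine and the constant names are hypothetical, and the all-zero inputs in main are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha3"
	"fmt"
)

// Field sizes from the page's Bytes() formats. Fixed sizes are what keep the
// unframed concatenations below unambiguous.
const (
	xLen  = 32          // X25519 public key; also the length of K_x and K_m
	mLen  = 1568        // ML-KEM-1024 public key and ciphertext
	ctLen = xLen + mLen // pk_x_eph || ct_m
	label = "CH-KEM-v1-SharedSecret"
)

// splitCiphertext accepts only the exact 1600-byte layout and returns (pk_x_eph, ct_m).
func splitCiphertext(ct []byte) ([]byte, []byte, error) {
	if len(ct) != ctLen {
		return nil, nil, fmt.Errorf("ciphertext is %d bytes, want %d", len(ct), ctLen)
	}
	return ct[:xLen], ct[xLen:], nil
}

// combine computes K = SHAKE-256(K_x || K_m || SHA3-256(pk_x || pk_m || ct) || label), 32 bytes out.
func combine(kx, km, pkx, pkm, ct []byte) ([]byte, error) {
	if len(kx) != xLen || len(km) != xLen || len(pkx) != xLen || len(pkm) != mLen || len(ct) != ctLen {
		return nil, fmt.Errorf("combine: bad field length (kx=%d km=%d pkx=%d pkm=%d ct=%d)",
			len(kx), len(km), len(pkx), len(pkm), len(ct))
	}
	transcript := sha3.Sum256(bytes.Join([][]byte{pkx, pkm, ct}, nil))
	return sha3.SumSHAKE256(bytes.Join([][]byte{kx, km, transcript[:], []byte(label)}, nil), 32), nil
}

func main() {
	// Constructed all-zero inputs stand in for real keys, secrets and ciphertext.
	kx, km, pkx := make([]byte, xLen), make([]byte, xLen), make([]byte, xLen)
	pkm, ct := make([]byte, mLen), make([]byte, ctLen)
	eph, ctm, err := splitCiphertext(ct)
	fmt.Println(len(eph), len(ctm), err)
	k1, err1 := combine(kx, km, pkx, pkm, ct)
	ct[ctLen-1] ^= 1 // one flipped ciphertext bit changes the transcript, and so K
	k2, err2 := combine(kx, km, pkx, pkm, ct)
	fmt.Printf("K  = %x\nK' = %x\nequal = %v (%v, %v)\n", k1, k2, bytes.Equal(k1, k2), err1, err2)
}
```

Because the output follows only the construction as written here, it is not guaranteed to match the bytes the chkem package itself produces.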
Security Theorem
Theorem: CH-KEM is IND-CCA2 secure if either X25519 satisfies the Computational Diffie-Hellman (CDH) assumption on Curve25519, OR ML-KEM-1024 is IND-CCA2 secure (based on the Module Learning With Errors problem).
Proof sketch: An adversary breaking CH-KEM must extract information about BOTH K_x AND K_m from the ciphertext. If X25519 is secure, K_x is indistinguishable from random. If ML-KEM is secure, K_m is indistinguishable from random. In either case, the SHAKE-256 derivation produces a computationally indistinguishable output (random oracle model).
Compliance
Components are based on:
- ML-KEM-1024: NIST FIPS 203 (Category 5 security)
- X25519: RFC 7748
- SHAKE-256: NIST FIPS 202
The hybrid approach is compatible with FIPS 140-3 guidelines for post-quantum transition, as it maintains a FIPS-approved algorithm in the composition.
Functions
func Decapsulate
func Decapsulate(ct *Ciphertext, kp *KeyPair) ([]byte, error)
Decapsulate performs CH-KEM decapsulation to recover the shared secret.
This operation:
1. Performs X25519 DH with the ephemeral public key
2. Decapsulates the ML-KEM ciphertext
3. Combines both secrets with transcript hash using SHAKE-256
Parameters:
- ct: The ciphertext to decapsulate
- kp: The recipient's key pair
Returns:
- sharedSecret: 32-byte derived shared secret (same as encapsulator)
- error: Non-nil if decapsulation fails
Types
type Ciphertext
type Ciphertext struct {
	// contains filtered or unexported fields
}
Ciphertext represents a CH-KEM ciphertext.
func Encapsulate
func Encapsulate(recipientPublic *PublicKey) (*Ciphertext, []byte, error)
Encapsulate performs CH-KEM encapsulation to create a shared secret.
This operation:
1. Generates an ephemeral X25519 key pair
2. Performs X25519 DH with the recipient's public key
3. Encapsulates using ML-KEM-1024
4. Combines both secrets with transcript hash using SHAKE-256
Parameters:
- recipientPublic: The recipient's CH-KEM public key
Returns:
- ciphertext: Combined X25519 ephemeral public key + ML-KEM ciphertext
- sharedSecret: 32-byte derived shared secret
- error: Non-nil if encapsulation fails
func ParseCiphertext
func ParseCiphertext(data []byte) (*Ciphertext, error)
ParseCiphertext parses a CH-KEM ciphertext from bytes.
func (*Ciphertext) Bytes
func (ct *Ciphertext) Bytes() []byte
Bytes serializes the ciphertext to bytes.
Format: x25519_ephemeral (32 bytes) || mlkem_ciphertext (1568 bytes)
Total: 1600 bytes
type KeyPair
type KeyPair struct {
	// contains filtered or unexported fields
}
KeyPair represents a CH-KEM key pair combining X25519 and ML-KEM-1024.
func GenerateKeyPair
GenerateKeyPair generates a new CH-KEM key pair.
This generates both X25519 and ML-KEM-1024 key pairs using the system's cryptographically secure random number generator.
Returns:
- KeyPair: The generated key pair
- error: Non-nil if random number generation fails
type PublicKey
type PublicKey struct {
	// contains filtered or unexported fields
}
PublicKey represents a CH-KEM public key for encapsulation.
func ParsePublicKey
ParsePublicKey parses a CH-KEM public key from bytes.
func (*PublicKey) Bytes
Bytes serializes the public key to bytes.
Format: x25519_public (32 bytes) || mlkem_public (1568 bytes)
Total: 1600 bytes
func (*PublicKey) MLKEMPublicKey
func (pk *PublicKey) MLKEMPublicKey() *crypto.MLKEMPublicKey
MLKEMPublicKey returns the ML-KEM component of the public key.
func (*PublicKey) X25519PublicKey
X25519PublicKey returns the X25519 component of the public key.