crate | crates.io | docs.rs | License |
---|---|---|---|
safe-oqs-sys | |||
safe-oqs |
liboqs-rust offers two Rust wrappers for the Open Quantum Safe liboqs C library, which is a C library for quantum-resistant cryptographic algorithms.
- The
safe-oqs-sys
crate compiles and buildsliboqs
and generatesunsafe
bindings to the C library. - The
safe-oqs
crate offers a Rust-style safe interface to the schemes included inliboqs
.
Releases up to and including release 0.9.0
of oqs
and oqs-sys
followed the liboqs
versioning 1-on-1.
Starting from release 0.9.0
, this is no longer guaranteed.
These crates will now receive version bumps as necessary.
We will include the version number of liboqs
that is distributed by liboqs-sys
in the version number of liboqs-sys
as 0.9.0+liboqs-0.9.0
.
oqs-sys
depends on the liboqs C library.
It will build liboqs
automatically with the default-enabled vendored
feature.
See below for more information.
This crate provides unsafe ffi
bindings in the oqs-sys
crate, and safe wrappers are offered via the oqs
crate.
The rendered Rustdoc documentation can be found here
Update your Cargo.toml
and include oqs
:
[dependencies]
safe-oqs = "0.10.0"
safe-oqs-sys
can be specified equivalently.
The default-on kems
and sigs
features turn on all supported KEMs and signature schemes. If you want a smaller build, turn off these default features and opt-in to individual algorithms.
Note that if you specify default-features = false
, you may also want to re-include the oqs-sys/openssl
feature.
By default safe-oqs-sys
attempts to find a system-provided version of liboqs
and build against it,
falling back to vendored from-source build otherwise.
You can opt into forcing the vendored build by enabling the vendored
feature.
Otherwise, if you want to force using the system-provided liboqs
,
you can set the LIBOQS_NO_VENDOR=1
environment variable and the build will fail if the library is not found.
You can enable serde
serialization support by enabling the serde
feature on the safe-oqs
crate.
The safe-oqs-sys
crate does not use std
at all.
Note that the default features do enable building liboqs
with openssl
, so use default-features = false
.
To make oqs
a #![no_std]
crate make sure the std
feature is disabled.
Make sure to also disable the safe-oqs-sys/openssl
feature by specifying default-features = false
.
As default-features
includes the kems
and sigs
features, consider re-adding them as well. This results into:
[dependencies.safe-oqs]
version = "*"
default-features = false
features = ["sigs", "kems"]
You will probably want to change the random-number generator through the OQS_RAND
API offered by safe-oqs-sys
.
If compiled with the non_portable
feature, liboqs-sys
will not enable CPU feature detection and
always use the best implementation on your current platform. This enables support for implementations
where feature detection is not functional.
Some algorithms use large amounts of stack space. This means that you may need
to specify RUST_MIN_STACK
in your environment. This for example affects
tests.
kems
(default): Compile with all KEMs enabledbike
classic_mceliece
frodokem
hqc
kyber
ntruprime
saber
ml_kem
sigs
(default): Compile with all signature schemes enableddilithium
falcon
picnic
rainbow
sphincs
: SPHINCS+ml_dsa
/// # Example: Some signed KEX
/// This protocol has no replay protection!
///
use safe_oqs::*;
fn main() -> Result<()> {
let sigalg = sig::Sig::new(sig::Algorithm::Dilithium2)?;
let kemalg = kem::Kem::new(kem::Algorithm::Kyber512)?;
// A's long-term secrets
let (a_sig_pk, a_sig_sk) = sigalg.keypair()?;
// B's long-term secrets
let (b_sig_pk, b_sig_sk) = sigalg.keypair()?;
// assumption: A has (a_sig_sk, a_sig_pk, b_sig_pk)
// assumption: B has (b_sig_sk, b_sig_pk, a_sig_pk)
// A -> B: kem_pk, signature
let (kem_pk, kem_sk) = kemalg.keypair()?;
let signature = sigalg.sign(kem_pk.as_ref(), &a_sig_sk)?;
// B -> A: kem_ct, signature
sigalg.verify(kem_pk.as_ref(), &signature, &a_sig_pk)?;
let (kem_ct, b_kem_ss) = kemalg.encapsulate(&kem_pk)?;
let signature = sigalg.sign(kem_ct.as_ref(), &b_sig_sk)?;
// A verifies, decapsulates, now both have kem_ss
sigalg.verify(kem_ct.as_ref(), &signature, &b_sig_pk)?;
let a_kem_ss = kemalg.decapsulate(&kem_sk, &kem_ct)?;
assert_eq!(a_kem_ss, b_kem_ss);
Ok(())
}
liboqs is designed for prototyping and evaluating quantum-resistant cryptography. Security of proposed quantum-resistant algorithms may rapidly change as research advances, and may ultimately be completely insecure against either classical or quantum computers.
We believe that the NIST Post-Quantum Cryptography standardization project is currently the best avenue to identifying potentially quantum-resistant algorithms. liboqs does not intend to "pick winners", and we strongly recommend that applications and protocols rely on the outcomes of the NIST standardization project when deploying post-quantum cryptography.
We acknowledge that some parties may want to begin deploying post-quantum cryptography prior to the conclusion of the NIST standardization project. We strongly recommend that any attempts to do make use of so-called hybrid cryptography, in which post-quantum public-key algorithms are used alongside traditional public key algorithms (like RSA or elliptic curves) so that the solution is at least no less secure than existing traditional cryptography.
Just like liboqs, liboqs-rust is provided "as is", without warranty of any kind. See LICENSE-MIT for the full disclaimer.
liboqs-rust is dual-licensed under the MIT and Apache-2.0 licenses.
The included library liboqs
is covered by the liboqs
license.
The Open Quantum Safe project is led by Douglas Stebila and Michele Mosca at the University of Waterloo.
liboqs-rust was developed by Thom Wiggers at Radboud University.
Financial support for the development of Open Quantum Safe has been provided by Amazon Web Services and the Canadian Centre for Cyber Security.
We'd like to make a special acknowledgement to the companies who have dedicated programmer time to contribute source code to OQS, including Amazon Web Services, Cisco Systems, evolutionQ, IBM Research, and Microsoft Research.
Research projects which developed specific components of OQS have been supported by various research grants, including funding from the Natural Sciences and Engineering Research Council of Canada (NSERC); see the source papers for funding acknowledgments.
Thom Wiggers' contributions before May 2023 were supported by the European Research Council through Starting Grant No. 805031 (EPOQUE).