A KEM is a Key Encapsulation Mechanism, one of the three components of an
HPKE ciphersuite. DeriveKeyPair derives a key pair from the given input keying material.
It implements DeriveKeyPair, as defined in RFC 9180. GenerateKey generates a new key pair. ID returns the HPKE KEM identifier. NewPrivateKey deserializes a private key from bytes.
It implements DeserializePrivateKey, as defined in RFC 9180. NewPublicKey deserializes a public key from bytes.
It implements DeserializePublicKey, as defined in RFC 9180.
func DHKEM(curve ecdh.Curve) KEM
func MLKEM1024() KEM
func MLKEM1024P384() KEM
func MLKEM768() KEM
func MLKEM768P256() KEM
func MLKEM768X25519() KEM
func NewKEM(id uint16) (KEM, error)
func PrivateKey.KEM() KEM
func PublicKey.KEM() KEM
Recipient is a receiving HPKE context. It is instantiated with a specific KEM
decapsulation key (i.e. the secret key), and it is stateful, incrementing the
nonce counter for each successful [Recipient.Open] call. Export produces a secret value derived from the shared key between sender and
recipient. length must be at most 65,535. Open decrypts the provided ciphertext, optionally binding to the additional
public data aad, or returns an error if decryption fails.
Open uses incrementing counters for each successful call, and must be called
in the same order as Seal on the sending side.
func NewRecipient(enc []byte, k PrivateKey, kdf KDF, aead AEAD, info []byte) (*Recipient, error)
Sender is a sending HPKE context. It is instantiated with a specific KEM
encapsulation key (i.e. the public key), and it is stateful, incrementing the
nonce counter for each [Sender.Seal] call. Export produces a secret value derived from the shared key between sender and
recipient. length must be at most 65,535. Seal encrypts the provided plaintext, optionally binding to the additional
public data aad.
Seal uses incrementing counters for each call, and Open on the receiving side
must be called in the same order as Seal.
func NewSender(pk PublicKey, kdf KDF, aead AEAD, info []byte) (enc []byte, s *Sender, err error)
Package-Level Functions (total 28)
AES128GCM returns an AES-128-GCM AEAD implementation.
AES256GCM returns an AES-256-GCM AEAD implementation.
ChaCha20Poly1305 returns a ChaCha20Poly1305 AEAD implementation.
DHKEM returns a KEM implementing one of
- DHKEM(P-256, HKDF-SHA256)
- DHKEM(P-384, HKDF-SHA384)
- DHKEM(P-521, HKDF-SHA512)
- DHKEM(X25519, HKDF-SHA256)
depending on curve.
HKDFSHA256 returns an HKDF-SHA256 KDF implementation.
HKDFSHA384 returns an HKDF-SHA384 KDF implementation.
HKDFSHA512 returns an HKDF-SHA512 KDF implementation.
MLKEM1024 returns a KEM implementing ML-KEM-1024 from draft-ietf-hpke-pq.
MLKEM1024P384 returns a KEM implementing MLKEM1024-P384 from draft-ietf-hpke-pq.
MLKEM768 returns a KEM implementing ML-KEM-768 from draft-ietf-hpke-pq.
MLKEM768P256 returns a KEM implementing MLKEM768-P256 from draft-ietf-hpke-pq.
MLKEM768X25519 returns a KEM implementing MLKEM768-X25519 (a.k.a. X-Wing)
from draft-ietf-hpke-pq.
NewAEAD returns the AEAD implementation for the given AEAD ID.
Applications are encouraged to use specific implementations like [AES128GCM]
or [ChaCha20Poly1305] instead, unless runtime agility is required.
NewDHKEMPrivateKey returns a PrivateKey implementing
- DHKEM(P-256, HKDF-SHA256)
- DHKEM(P-384, HKDF-SHA384)
- DHKEM(P-521, HKDF-SHA512)
- DHKEM(X25519, HKDF-SHA256)
depending on the underlying curve of priv ([ecdh.X25519], [ecdh.P256],
[ecdh.P384], or [ecdh.P521]).
This function is meant for applications that already have an instantiated
crypto/ecdh private key, or another implementation of a [ecdh.KeyExchanger]
(e.g. a hardware key). Otherwise, applications should use the
[KEM.NewPrivateKey] method of [DHKEM].
NewDHKEMPublicKey returns a PublicKey implementing
- DHKEM(P-256, HKDF-SHA256)
- DHKEM(P-384, HKDF-SHA384)
- DHKEM(P-521, HKDF-SHA512)
- DHKEM(X25519, HKDF-SHA256)
depending on the underlying curve of pub ([ecdh.X25519], [ecdh.P256],
[ecdh.P384], or [ecdh.P521]).
This function is meant for applications that already have an instantiated
crypto/ecdh public key. Otherwise, applications should use the
[KEM.NewPublicKey] method of [DHKEM].
NewHybridPublicKey returns a PublicKey implementing one of
- MLKEM768-X25519 (a.k.a. X-Wing)
- MLKEM768-P256
- MLKEM1024-P384
from draft-ietf-hpke-pq, depending on the underlying curve of t
([ecdh.X25519], [ecdh.P256], or [ecdh.P384]) and the type of pq (either
*[mlkem.EncapsulationKey768] or *[mlkem.EncapsulationKey1024]).
This function is meant for applications that already have instantiated
crypto/ecdh and crypto/mlkem public keys. Otherwise, applications should use
the [KEM.NewPublicKey] method of e.g. [MLKEM768X25519].
NewKDF returns the KDF implementation for the given KDF ID.
Applications are encouraged to use specific implementations like [HKDFSHA256]
instead, unless runtime agility is required.
NewKEM returns the KEM implementation for the given KEM ID.
Applications are encouraged to use specific implementations like [DHKEM] or
[MLKEM768X25519] instead, unless runtime agility is required.
NewMLKEMPrivateKey returns a KEMPrivateKey implementing
- ML-KEM-768
- ML-KEM-1024
from draft-ietf-hpke-pq, depending on the type of priv.Encapsulator()
(either *[mlkem.EncapsulationKey768] or *[mlkem.EncapsulationKey1024]).
This function is meant for applications that already have an instantiated
crypto/mlkem private key. Otherwise, applications should use the
[KEM.NewPrivateKey] method of e.g. [MLKEM768].
NewMLKEMPublicKey returns a KEMPublicKey implementing
- ML-KEM-768
- ML-KEM-1024
from draft-ietf-hpke-pq, depending on the type of pub
(*[mlkem.EncapsulationKey768] or *[mlkem.EncapsulationKey1024]).
This function is meant for applications that already have an instantiated
crypto/mlkem public key. Otherwise, applications should use the
[KEM.NewPublicKey] method of e.g. [MLKEM768].
NewRecipient returns a receiving HPKE context for the provided KEM
decapsulation key (i.e. the secret key), and using the ciphersuite defined by
the combination of KEM, KDF, and AEAD.
The enc parameter must have been produced by a matching sending HPKE context
with the corresponding KEM encapsulation key. The info parameter is
additional public information that must match between sender and recipient.
NewSender returns a sending HPKE context for the provided KEM encapsulation
key (i.e. the public key), and using the ciphersuite defined by the
combination of KEM, KDF, and AEAD.
The info parameter is additional public information that must match between
sender and recipient.
The returned enc ciphertext can be used to instantiate a matching receiving
HPKE context with the corresponding KEM decapsulation key.
Open instantiates a single-use HPKE receiving HPKE context like [NewRecipient],
and then decrypts the provided ciphertext like [Recipient.Open] (with no aad).
ciphertext must be the concatenation of the encapsulated key and the actual ciphertext.
Seal instantiates a single-use HPKE sending HPKE context like [NewSender],
and then encrypts the provided plaintext like [Sender.Seal] (with no aad).
Seal returns the concatenation of the encapsulated key and the ciphertext.
SHAKE128 returns a SHAKE128 KDF implementation.
SHAKE256 returns a SHAKE256 KDF implementation.
The pages are generated with Goldsv0.8.3-preview. (GOOS=linux GOARCH=amd64)
Golds is a Go 101 project developed by Tapir Liu.
PR and bug reports are welcome and can be submitted to the issue list.
Please follow @zigo_101 (reachable from the left QR code) to get the latest news of Golds.
