Overview
hpke-ng is a Rust implementation of Hybrid Public Key Encryption, the cryptographic scheme standardized in RFC 9180 that composes a Key Encapsulation Mechanism (KEM), a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) cipher into a single, modular construction for public-key encryption of arbitrary-length plaintexts. The design is crypto-agile, in the sense that protocol designers can swap primitives (e.g. X25519 → a post-quantum KEM) without rewriting the surrounding code — which makes HPKE the building block underneath modern protocols like Messaging Layer Security (MLS), TLS Encrypted Client Hello, and the post-quantum extensions to Signal’s X3DH.
Below are the pull requests I have submitted or plan to submit, with links to the diffs and a short note on what each one changes.
Pull Requests
- #3 (Merged) — Refactor authenticated DHKEM paths to eliminate intermediate heap allocation. Replaced the intermediate `Vec` concatenation in `auth_encap`/`auth_decap`/`auth_encap_with_ikm` with a new `extract_and_expand_pieces` that accepts DH slices directly, mirroring the pattern already used for `kem_context`, and added the previously missing X25519 `auth_encap`/`auth_decap` benchmarks.
- #4 (Merged) — Expand test coverage for auth KEM paths and context sequence number boundaries. Added a direct unit test for `extract_and_expand_pieces`, a KEM-layer `auth_encap`/`auth_decap` roundtrip test, and a strengthened boundary test that verifies the last valid `seal` before `MessageLimitReached`; also strengthened `open_rejects_at_message_limit`, added `#[inline]` to both `extract_and_expand` variants, and renamed `sk_s_authed` → `sk_sender` in `encap_with`.
- More coming soon!
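The boundary tests in #4 concern the context sequence counter of RFC 9180 §5.2. The following is an added example, not hpke-ng's code: it models `ComputeNonce` and `IncrementSeq` for an AEAD with Nn = 12 and shows the last valid seal before `MessageLimitReached`. The names `ContextCounter`, `with_seq` and `next_nonce` are assumptions for this example; the limit is checked before the nonce is handed out, which gives the caller the same outcome as the RFC pseudocode's post-Seal increment.

```rust
// Added example, not hpke-ng code: nonce and sequence bookkeeping of an
// RFC 9180 section 5.2 context for an AEAD with a 12-byte nonce (Nn = 12).

const NN: usize = 12;                               // AEAD nonce length in bytes
const SEQ_LIMIT: u128 = (1u128 << (8 * NN)) - 1;    // RFC 9180: seq < 2^(8*Nn) - 1

#[derive(Debug, PartialEq, Eq)]
pub struct MessageLimitReached;

pub struct ContextCounter {
    base_nonce: [u8; NN],
    seq: u128,
}

impl ContextCounter {
    pub fn new(base_nonce: [u8; NN]) -> Self {
        Self { base_nonce, seq: 0 }
    }

    /// Start at an arbitrary counter value (assumed helper, used to reach the
    /// limit in a test without 2^96 calls).
    pub fn with_seq(base_nonce: [u8; NN], seq: u128) -> Self {
        Self { base_nonce, seq }
    }

    /// ComputeNonce(seq) = base_nonce XOR I2OSP(seq, Nn).
    pub fn compute_nonce(&self) -> [u8; NN] {
        let seq_bytes = self.seq.to_be_bytes(); // 16 big-endian bytes
        let mut nonce = self.base_nonce;
        for i in 0..NN {
            nonce[i] ^= seq_bytes[16 - NN + i]; // the low Nn bytes of the counter
        }
        nonce
    }

    /// Nonce for the next Seal/Open, then IncrementSeq. Once seq reaches
    /// 2^(8*Nn) - 1 the context is exhausted: the all-ones counter value is
    /// never used as a nonce, and the counter stays put so later calls also fail.
    pub fn next_nonce(&mut self) -> Result<[u8; NN], MessageLimitReached> {
        if self.seq >= SEQ_LIMIT {
            return Err(MessageLimitReached);
        }
        let nonce = self.compute_nonce();
        self.seq += 1;
        Ok(nonce)
    }

    pub fn seq(&self) -> u128 {
        self.seq
    }
}
```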