PQ-PSK prototype

Cargo.toml

@@ -14,7 +14,7 @@ members = [
     "libcrux-kem",
     "libcrux-hmac",
     "libcrux-hkdf",
-    "libcrux-ecdh",
+    "libcrux-ecdh", "libcrux-psq",
 ]
 
 [workspace.package]

benchmarks/benches/sha2.rs

@@ -10,7 +10,7 @@ macro_rules! impl_comp {
     ($fun:ident, $libcrux:expr, $ring:expr, $rust_crypto:ty, $openssl:expr) => {
         // Comparing libcrux performance for different payload sizes and other implementations.
         fn $fun(c: &mut Criterion) {
-            const PAYLOAD_SIZES: [usize; 1] = [1024 * 1024 * 10];
+            const PAYLOAD_SIZES: [usize; 5] = [100, 1024, 2048, 4096, 8192];
 
             let mut group = c.benchmark_group(stringify!($fun).replace("_", " "));
 

libcrux-psq/Cargo.toml

@@ -0,0 +1,29 @@
+[package]
+name = "libcrux-psq"
+version.workspace = true
+authors.workspace = true
+license.workspace = true
+homepage.workspace = true
+edition.workspace = true
+repository.workspace = true
+readme.workspace = true
+
+[lib]
+path = "src/psq.rs"
+
+[dependencies]
+libcrux-kem = { version = "0.0.2-pre.2", path = "../libcrux-kem" }
+libcrux-hkdf = { version = "=0.0.2-pre.2", path = "../libcrux-hkdf" }
+libcrux-hmac = { version = "=0.0.2-pre.2", path = "../libcrux-hmac" }
+classic-mceliece-rust = { version = "2.0.0", features = [
+    "mceliece460896f",
+    "zeroize",
+] }
+rand = { version = "0.8" }
+
+[dev-dependencies]
+criterion = "0.5"
+
+[[bench]]
+name = "psq"
+harness = false

libcrux-psq/README.md

@@ -0,0 +1,32 @@
+# Post-Quantum Pre-Shared-Key Protocol (PSQ) #
+
+This crate implements a protocol for agreeing on a pre-shared key such
+that the protocol messages are secure against
+harvest-now-decrypt-later (HNDL) passive quantum attackers.
+
+The protocol between initator `A` and receiver `B` roughly works as follows:
+```
+A:  (ik, enc) <- PQ-KEM(pk_B)
+    K_0 <- KDF(ik, pk_B || enc || sctxt)
+    K_m <- KDF(K_0, "Confirmation")
+    K <- KDF(K_0, "PSK")
+    mac_ttl <- MAC(K_m, psk_ttl)
+A -> B: (enc, psk_ttl, mac_ttl)
+```
+Where 
+* `pk_B` is the receiver's KEM public key, 
+* `sctx` is context information for the given session of the protocol,
+* `psk_ttl` specifies for how long the PSK should be considered valid, and
+* `K` is the final PSK that is derived from the decapsulated shared
+  secret based on the internal KEM.
+
+The crate implements the protocol based on several different internal
+KEMs:
+    * `X25519`, an elliptic-curve Diffie-Hellman KEM (not post-quantum
+      secure; for performance comparison)
+    * `ML-KEM 768`, a lattice-based post-quantum KEM, in the process
+      of being standardized by NIST
+    * `Classic McEliece`, a code-based post-quantum KEM & Round 4
+      candidate in the NIST PQ competition,
+    * `XWingKemDraft02`, a hybrid post-quantum KEM, combining `X25519`
+      and `ML-KEM 768` based KEMs