
Add DHKEM ciphersuites (P-256, P-384) per RFC 9180 #35

Open

AlfioEmanueleFresta wants to merge 8 commits into facebook:main from AlfioEmanueleFresta:dhkem-ciphersuites

Conversation

@AlfioEmanueleFresta


Summary

  • Add two new ciphersuites using DHKEM (RFC 9180 Section 4.1) with NIST curves:
    • DhkemP256Sha256 — DHKEM(P-256, HKDF-SHA256) + SHA-256 (128-bit security)
    • DhkemP384Sha384 — DHKEM(P-384, HKDF-SHA384) + SHA-384 (192-bit security)
  • Shared secrets are produced via RFC 9180 ExtractAndExpand (HKDF)
  • Extract shared byte_array_newtype! macro to src/util.rs for reuse across ciphersuite modules

Design decisions

  • RFC 9180 DHKEM with HKDF rather than raw ECDH: produces uniform shared secrets and should enable modular security analysis
  • Uncompressed SEC1 encoding for public keys/ciphertexts (65 bytes for P-256, 97 bytes for P-384) to match RFC 9180 parameters and enable interop testing against HPKE test vectors

Test plan

  • RFC 9180 Appendix A.3.1 known-answer test vector validates ExtractAndExpand byte-for-byte
  • KEM roundtrip, key/ciphertext serialization, invalid point rejection, shared secret uniqueness (12 tests per curve)
  • Full 3-move protocol roundtrip, commitment mismatch, cross-session SAS divergence for each suite
  • Deterministic pinned test vectors (ChaCha20Rng seeded [0u8; 32]) catch non-backwards-compatible changes
  • Serde round-trip for Initiator/Responder state with DHKEM suites
  • Zeroize verification for DecapsulationKey, SharedSecret, and Initiator state
  • CI matrix extended with dhkem-p256 and dhkem-p384 feature combinations + no_std build
  • 72 tests pass across all feature combinations; clippy clean
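To make the construction the summary describes concrete, here is an added example (not code from this PR, which is Rust on the p256/hkdf crates) of DHKEM(P-256, HKDF-SHA256) written against RFC 9180 Section 4.1 in Python with only the standard library, so that the pieces the design decisions refer to are visible: raw ECDH on the x-coordinate, the labeled ExtractAndExpand with the KEM's suite_id that turns it into a uniform shared secret, the 65-byte uncompressed SEC1 encoding of `enc`, and strict rejection of off-curve points on decapsulation. The affine double-and-add arithmetic is an assumption for readability and is not constant-time; a real implementation uses a hardened curve library. Output of `encap`/`decap` can be checked against the RFC 9180 Appendix A.3.1 vector.

```python
"""DHKEM(P-256, HKDF-SHA256), RFC 9180 Section 4.1, standard library only.
Teaching code: scalar multiplication is NOT constant-time."""
import hashlib
import hmac
import secrets

# P-256 (secp256r1) domain parameters, FIPS 186-4 D.1.2.3
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

KEM_ID = 0x0010                               # DHKEM(P-256, HKDF-SHA256), RFC 9180 Table 2
SUITE_ID = b"KEM" + KEM_ID.to_bytes(2, "big")  # binds every KDF call to this KEM
NSECRET = 32                                  # Nsecret for this KEM
NPK = 65                                      # uncompressed SEC1: 0x04 || X || Y


def _add(p1, q):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return q
    if q is None:
        return p1
    x1, y1 = p1
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P == 0:        # p1 == -q
        return None
    if p1 == q:                                # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (variable-time, demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def serialize_pk(pt):
    """SerializePublicKey: uncompressed SEC1 encoding, 65 bytes."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def deserialize_pk(data):
    """DeserializePublicKey with full validation. P-256 has cofactor 1, so an
    on-curve check is also a prime-order-subgroup check; there is no small-subgroup
    point an attacker could feed to Decap."""
    if len(data) != NPK or data[0] != 0x04:
        raise ValueError("expected 65-byte uncompressed SEC1 point")
    x = int.from_bytes(data[1:33], "big")
    y = int.from_bytes(data[33:], "big")
    if x >= P or y >= P or (y * y - (x ** 3 + A * x + B)) % P != 0:
        raise ValueError("point is not on P-256")
    return (x, y)


def is_valid_pk(data):
    try:
        deserialize_pk(data)
        return True
    except ValueError:
        return False


def _hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def _hkdf_expand(prk, info, length):
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def labeled_extract(salt, label, ikm):
    return _hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk, label, info, length):
    info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return _hkdf_expand(prk, info, length)


def extract_and_expand(dh, kem_context):
    """RFC 9180 Section 4.1: uniform Nsecret-byte secret from the raw DH output."""
    eae_prk = labeled_extract(b"", b"eae_prk", dh)
    return labeled_expand(eae_prk, b"shared_secret", kem_context, NSECRET)


def keypair_from_scalar(sk):
    k = int.from_bytes(sk, "big")
    if not 0 < k < N:
        raise ValueError("scalar out of range")
    return sk, _mul(k, G)


def generate_keypair():
    return keypair_from_scalar((secrets.randbelow(N - 1) + 1).to_bytes(32, "big"))


def _dh(sk, pk):
    """DH(): x-coordinate of sk*pk, 32 bytes big-endian (Ndh = 32)."""
    shared = _mul(int.from_bytes(sk, "big"), pk)
    if shared is None:
        raise ValueError("degenerate DH result")
    return shared[0].to_bytes(32, "big")


def encap(pk_r, eph=None):
    """Encap(pkR) -> (shared_secret, enc). `eph` lets a caller pin the ephemeral
    key for known-answer tests; it must be fresh in real use."""
    sk_e, pk_e = eph or generate_keypair()
    enc = serialize_pk(pk_e)
    kem_context = enc + serialize_pk(pk_r)
    return extract_and_expand(_dh(sk_e, pk_r), kem_context), enc


def decap(enc, sk_r):
    """Decap(enc, skR): validates enc before any arithmetic touches skR."""
    pk_e = deserialize_pk(enc)
    pk_r = _mul(int.from_bytes(sk_r, "big"), G)
    kem_context = enc + serialize_pk(pk_r)
    return extract_and_expand(_dh(sk_r, pk_e), kem_context)


if __name__ == "__main__":
    sk_r, pk_r = generate_keypair()
    ss, enc = encap(pk_r)
    assert decap(enc, sk_r) == ss
    print("enc:", enc.hex())
    print("shared_secret:", ss.hex())
```

Two details matter for a reviewer of the real implementation: `kem_context` is `enc || pkRm`, so the derived secret is bound to both public keys and two sessions with the same raw DH value still diverge, and `deserialize_pk` runs before the private scalar is used, which is what "invalid point rejection" has to mean for Decap.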

Commits

Move the macro from xwing.rs to src/util.rs so it can be
reused by upcoming DHKEM ciphersuite implementations.

Add elliptic-curve, hkdf, p256, p384, p521, sha2 as optional
deps with dhkem-p256, dhkem-p384, dhkem-p521 feature flags.

Add DHKEM ciphersuites with HKDF-based ExtractAndExpand producing
uniform shared secrets (IND-CCA). Drops P-521 to keep scope focused.

Roundtrip, serialization, invalid point rejection, and
shared secret uniqueness tests for both curves.

Full roundtrip, commitment mismatch, and cross-session SAS
tests for P-256 and P-384, using a shared test macro.

Validate ExtractAndExpand against RFC 9180 Appendix A.3.1
known-answer vector. Add deterministic pinned vectors for
DhkemP256Sha256 and DhkemP384Sha384 protocol outputs.

Serde round-trip tests for Initiator/Responder state with
DHKEM suites. Zeroize verification for DK, SharedSecret,
and Initiator state.

Add dhkem-p256 and dhkem-p384 to test and no_std build
matrices. Document new features in lib.rs.
meta-cla bot added the "CLA Signed" label (this label is managed by the Meta Open Source bot) on May 19, 2026