v0.1.3-beta

@gh4rib gh4rib released this 11 Jun 12:13
· 12 commits to main since this release

PQPG - Symmetric Architecture Upgrade

Type: Major Feature & Security Upgrade

This release massively expands the symmetric cryptographic suite of the Post-Quantum Privacy Guard (PQPG). Moving beyond standard 12-byte nonce limitations, this update introduces Cryptographic Pluralism by integrating 24-byte extended nonces and CAESAR-winning Misuse-Resistant Authenticated Encryption (MRAE) architectures to mathematically eliminate collision risks on massive datasets.

[+] Added (New Cryptographic Primitives)

  • XAES-256-GCM: Integrated a native Go implementation utilizing an SP800-108r1 KDF. Extends the AES-GCM nonce to 24 bytes, combining hardware-accelerated speeds with immunity to birthday-bound collisions.
  • XChaCha20-Poly1305: Activated the extended 24-byte nonce variant of ChaCha20, making random-nonce stream encryption safe for asynchronous messaging without counter-management overhead.
  • AES-GCM-SIV (RFC 8452): Integrated pure-Go, cross-platform Synthetic Initialization Vector (SIV) architecture. Provides absolute nonce-misuse resistance; a repeated nonce degrades gracefully to deterministic encryption without leaking the authentication key.
  • AES-SIV-CMAC: Added deterministic, ASM-accelerated SIV functionality (via secure-io) utilizing a 64-byte dual-key setup. Ideal for deduping local static vaults and blind-indexing local BoltDB structures.
  • Deoxys-II-256-128: Integrated the CAESAR competition winner for "Defense in Depth" (via Oasis Protocol). Provides a native 15-byte nonce and MRAE protection that holds even under catastrophic OS-level entropy failures.
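
To make the XAES-256-GCM item concrete, the following is an added example (not PQPG's own code) of how the 24-byte nonce is consumed: the first 12 bytes feed an SP 800-108r1 counter-mode KDF built on AES-CMAC to derive a per-nonce AES-256 key, and the last 12 bytes become the ordinary AES-GCM nonce. The function names DeriveXAESKey and XAESGCM are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// DeriveXAESKey is the SP 800-108r1 counter-mode KDF used by XAES-256-GCM:
// K_i = CMAC(K, 0x00 || i || "X" || 0x00 || N[:12]) for i = 1, 2 (RFC 4493 CMAC).
// Each KDF input is exactly one block, so CMAC collapses to AES_K(M xor K1).
func DeriveXAESKey(key, nonce []byte) ([]byte, error) {
	if len(key) != 32 || len(nonce) != 24 {
		return nil, errors.New("xaes-256-gcm: need a 32-byte key and a 24-byte nonce")
	}
	block, _ := aes.NewCipher(key)
	var k1 [16]byte // CMAC subkey K1 = AES_K(0^128) * x in GF(2^128)
	block.Encrypt(k1[:], k1[:])
	var carry byte
	for i := 15; i >= 0; i-- {
		k1[i], carry = k1[i]<<1|carry, k1[i]>>7
	}
	if carry == 1 {
		k1[15] ^= 0x87 // reduction polynomial x^128 + x^7 + x^2 + x + 1
	}
	out := make([]byte, 0, 32)
	for i := byte(1); i <= 2; i++ {
		m := [16]byte{0x00, i, 'X', 0x00} // 2-byte counter, label "X", separator
		copy(m[4:], nonce[:12])          // context = first half of the nonce
		for j := range m {
			m[j] ^= k1[j]
		}
		block.Encrypt(m[:], m[:])
		out = append(out, m[:]...)
	}
	return out, nil
}

// XAESGCM returns AES-256-GCM under the per-nonce key together with the 12-byte
// GCM nonce (N[12:]); GCM itself never sees the 24-byte nonce.
func XAESGCM(key, nonce []byte) (cipher.AEAD, []byte, error) {
	dk, err := DeriveXAESKey(key, nonce)
	if err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(dk)
	g, err := cipher.NewGCM(block)
	return g, nonce[12:], err
}
```

A random 24-byte nonce therefore changes both the GCM key and the GCM nonce, which is why the construction stays within standard AES-GCM while removing the 96-bit birthday bound on random nonces.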

[+] Added (Features & Tooling)

  • 16 New High-Assurance Profiles: Expanded the CLI identity generator (identity-handlers.go) with Options 40 through 55, allowing users to explicitly bind their Post-Quantum KEMs (ML-KEM, FrodoKEM) to Extended Nonce or Misuse-Resistant symmetric ciphers.
  • Stateful MRAE Bounding: Added dedicated identity profiles linking FIPS 205 Stateful Signatures (XMSS) directly with Deoxys-II for ultra-secure release engineering.

[~] Changed & Refactored

  • Symmetric Factory (sym-adapters.go): Completely refactored the AEAD interface registry to dynamically route between 12-byte, 15-byte, 16-byte, and 24-byte nonce sizes. This allows the core stream.go and vault.go orchestrators to auto-adjust their random initializations without breaking legacy standard profiles.
  • Dual-Track SIV Architecture: Segregated SIV logic into aesgcmsiv-noasm (for RFC-compliant, cross-platform portability) and aesgcmsiv-asm (for hardware-accelerated deterministic operations) to ensure flawless cross-compilation across Android, Windows, macOS, and Linux targets.