Cryptographic Algorithms
pqcrypto implements the post-quantum algorithms NIST selected to replace the
classical asymmetric primitives (RSA, ECDH, ECDSA) that a large quantum computer
would break. Today the package ships two of them, each byte-exact against the
official NIST Known-Answer-Test vectors.
| Algorithm | Standard | Purpose | Replaces | Deep dive |
|---|---|---|---|---|
| ML-KEM | FIPS 203 | Key encapsulation (KEM) | RSA-KEM, ECDH | ML-KEM |
| ML-DSA | FIPS 204 | Digital signatures | RSA, ECDSA | ML-DSA |
| SLH-DSA | FIPS 205 | Hash-based signatures | (diversifier) | planned — see Roadmap |
Both shipped algorithms are lattice schemes built on the Module Learning With Errors (MLWE) problem, sharing the same vendored FIPS 202 (SHA-3/SHAKE) core.
- Need two parties to agree on a secret key (then encrypt with an AEAD)? Use ML-KEM. See ML-KEM and the Cookbook encrypt-to-public-key recipe.
- Need to prove a message's authenticity / integrity (tokens, updates, documents, records)? Use ML-DSA. See ML-DSA.
- Building a transport handshake? Combine both with an app-supplied classical exchange (hybrid) — see Serverpod & Flutter.
ML-KEM is the Module-Lattice-Based Key-Encapsulation Mechanism (formerly CRYSTALS-Kyber). It operates over the ring Z_q[X]/(X^256 + 1) with q = 3329, using the Number Theoretic Transform (NTT) for fast polynomial multiplication and the Fujisaki–Okamoto transform (with constant-time implicit rejection) for IND-CCA2 security.
| Parameter set | NIST category | Public key (bytes) | Secret key (bytes) | Ciphertext (bytes) | Shared secret (bytes) |
|---|---|---|---|---|---|
| ML-KEM-512 | 1 (~AES-128) | 800 | 1632 | 768 | 32 |
| ML-KEM-768 | 3 (~AES-192) | 1184 | 2400 | 1088 | 32 |
| ML-KEM-1024 | 5 (~AES-256) | 1568 | 3168 | 1568 | 32 |
Full details, data-flow diagram, and caveats: ML-KEM.
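The ring arithmetic described above, as an added Python illustration that is not pqcrypto's own (Dart) code: it transcribes FIPS 203 Algorithms 9, 10 and 11 (NTT, inverse NTT, and the pairwise "basemul" product) for Z_q[X]/(X^256 + 1) with q = 3329 and checks the NTT-domain product against a plain schoolbook negacyclic multiplication on two constructed polynomials.

```python
Q, N, ZETA = 3329, 256, 17  # ML-KEM modulus, ring degree, primitive 256th root of unity
def bitrev7(i):  # reverse the 7 bits of i (0 <= i < 128)
    return sum(((i >> b) & 1) << (6 - b) for b in range(7))

def ntt(f):  # FIPS 203 Algorithm 9: f -> 128 degree-1 polynomials, interleaved
    f, k, length = list(f), 1, 128
    while length >= 2:
        for start in range(0, N, 2 * length):
            zeta = pow(ZETA, bitrev7(k), Q); k += 1
            for j in range(start, start + length):
                t = zeta * f[j + length] % Q
                f[j + length] = (f[j] - t) % Q
                f[j] = (f[j] + t) % Q
        length //= 2
    return f

def ntt_inv(f_hat):  # FIPS 203 Algorithm 10: inverse of ntt()
    f, k, length = list(f_hat), 127, 2
    while length <= 128:
        for start in range(0, N, 2 * length):
            zeta = pow(ZETA, bitrev7(k), Q); k -= 1
            for j in range(start, start + length):
                t = f[j]
                f[j] = (t + f[j + length]) % Q
                f[j + length] = zeta * (f[j + length] - t) % Q
        length *= 2
    return [x * 3303 % Q for x in f]  # 3303 = 128^-1 mod q

def multiply_ntts(f_hat, g_hat):  # FIPS 203 Algorithm 11: basemul mod X^2 - gamma_i
    h = [0] * N
    for i in range(128):
        a0, a1, b0, b1 = f_hat[2*i], f_hat[2*i+1], g_hat[2*i], g_hat[2*i+1]
        gamma = pow(ZETA, 2 * bitrev7(i) + 1, Q)
        h[2*i] = (a0*b0 + a1*b1*gamma) % Q
        h[2*i+1] = (a0*b1 + a1*b0) % Q
    return h

def schoolbook_negacyclic(f, g):  # reference O(n^2) product, reducing with X^256 = -1
    r = [0] * N
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            if i + j < N: r[i + j] = (r[i + j] + a * b) % Q
            else: r[i + j - N] = (r[i + j - N] - a * b) % Q
    return r

def check_sample():  # constructed inputs: two fixed ring elements, multiplied both ways
    f = [(i * i + 7) % Q for i in range(N)]
    g = [(3 * i + 1) % Q for i in range(N)]
    return ntt_inv(multiply_ntts(ntt(f), ntt(g))) == schoolbook_negacyclic(f, g) and ntt_inv(ntt(f)) == f
```

Because X^256 + 1 only splits into quadratic factors mod 3329, the NTT domain holds 128 degree-1 polynomials rather than 256 scalars, which is why the pointwise step needs the per-pair constant gamma_i.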
ML-DSA is the Module-Lattice-Based Digital Signature Standard (formerly CRYSTALS-Dilithium). It uses the "Fiat–Shamir with Aborts" paradigm: signing samples masking vectors from a SHAKE XOF and rejection-samples until the signature reveals nothing about the secret key. Signing is hedged by default.
| Parameter set | NIST category | Public key (bytes) | Secret key (bytes) | Signature (bytes) |
|---|---|---|---|---|
| ML-DSA-44 | 2 | 1312 | 2560 | 2420 |
| ML-DSA-65 | 3 | 1952 | 4032 | 3309 |
| ML-DSA-87 | 5 | 2592 | 4896 | 4627 |
HashML-DSA (FIPS 204 §5.4) pre-hashes large messages with the level's approved
hash (SHA-256/384/512). Full details: ML-DSA.
SLH-DSA (Stateless Hash-Based Digital Signatures, formerly SPHINCS+) derives its security entirely from hash-function assumptions, making it a conservative diversifier against any future lattice cryptanalysis. It features tiny keys but large signatures and slow signing. It is not yet implemented: the SHAKE family targets release 0.4.0 and the SHA-2 family 0.5.0 (see the Roadmap).
To stay dependency-free, pqcrypto vendors the hash primitives the algorithms
need: FIPS 202 SHA-3/SHAKE (in lib/src/common/keccak.dart) and FIPS 180-4
SHA-2 (used by HashML-DSA). These are internal and not exported as a public
hashing API today; full FIPS 202 and SP 800-185 (cSHAKE/KMAC/TupleHash) are
planned for 0.7.0. See Architecture and the
Documentation Index.
For the deeper math and code layout, see Architecture and FIPS Compliance.
pqcrypto — pure Dart, zero-dependency post-quantum cryptography (ML-KEM FIPS 203 · ML-DSA FIPS 204) for Dart, Flutter, and the web · MIT License · pub.dev · Repository · Documentation Index
Algorithm/KAT-conformance and interoperability evidence — not a CMVP/FIPS 140 module validation.