Security Posture
When using a cryptographic library, clarity on validation claims, security boundaries, and vulnerability reporting is paramount.
pqcrypto makes a very specific set of claims:
- Mathematical Conformance: The algorithms are mathematically conformant to FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA).
- KAT Exactness: The library is byte-for-byte exact against the official NIST Known Answer Test corpora.
- OpenSSL Interoperability: ML-KEM outputs precisely match those generated by OpenSSL >= 3.5.
What we DO NOT claim:
- This library is NOT "FIPS 140 Validated" or "CMVP Certified."
- CMVP (Cryptographic Module Validation Program) certification applies to specific compiled hardware/software boundaries tested by accredited labs, not source code libraries. Do not use this package if your specific legal compliance requires a CMVP certificate.
Because Dart executes in highly abstracted environments (the Dart VM, JS engines, Wasm runtimes, and mobile AOT compilers), writing perfectly constant-time code is practically impossible. Modern JIT compilers often optimize away constant-time structures.
However, we implement a best-effort defensive posture:
- Branchless Decapsulation: In ML-KEM, the decision between returning the correct shared secret and the implicit rejection secret is made via bitwise masking (K' ^ (mask & (K' ^ J(z||c)))), completely avoiding if/else control-flow leaks.
- No Early Exits: Polynomial norm checking (_normExceeds) evaluates all 256 coefficients regardless of when a failure is detected, to avoid leaking the location of large coefficients.
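The two patterns above, written out as an added Dart illustration rather than code from the pqcrypto repository: a no-early-exit difference mask over the ciphertext comparison, the K' ^ (mask & (K' ^ J)) selection between the real and the implicit-rejection secret, and a _normExceeds-style check that visits every coefficient and branches only on the aggregate flag. The function names ctDiffMask, ctSelect and normExceeds and all sample values are assumptions, and the same JIT caveat stated above applies to this code.

```dart
import 'dart:typed_data';

/// Returns 0xFF if [a] and [b] differ anywhere, 0x00 if identical.
/// Every byte is visited; folding to a full-byte mask uses no branch.
int ctDiffMask(Uint8List a, Uint8List b) {
  assert(a.length == b.length);
  var acc = 0;
  for (var i = 0; i < a.length; i++) {
    acc |= a[i] ^ b[i];
  }
  acc |= acc >> 4; // spread any set bit down to bit 0
  acc |= acc >> 2;
  acc |= acc >> 1;
  return -(acc & 1) & 0xFF; // 0 -> 0x00, nonzero -> 0xFF
}

/// The K' ^ (mask & (K' ^ J)) selection: yields [onZero] when mask is 0x00
/// and [onOnes] when mask is 0xFF, doing identical work in both cases.
Uint8List ctSelect(int mask, Uint8List onZero, Uint8List onOnes) {
  final out = Uint8List(onZero.length);
  for (var i = 0; i < out.length; i++) {
    out[i] = onZero[i] ^ (mask & (onZero[i] ^ onOnes[i]));
  }
  return out;
}

/// True if any |coefficient| > [bound]. All entries are evaluated and only
/// the aggregate flag is branched on. Assumes |coefficient| < 2^31.
bool normExceeds(Int32List coeffs, int bound) {
  var flag = 0;
  for (var i = 0; i < coeffs.length; i++) {
    final s = coeffs[i] >> 31; // 0 or -1 (sign of the coefficient)
    final abs = (coeffs[i] ^ s) - s; // branchless absolute value
    flag |= (bound - abs) >> 31; // -1 iff abs > bound
  }
  return flag != 0;
}

void main() {
  // Constructed sample values, not real ML-KEM ciphertexts or secrets.
  final kPrime = Uint8List.fromList(List.generate(32, (i) => i));
  final kBar = Uint8List.fromList(List.generate(32, (i) => 0xA0 + i));
  final c = Uint8List.fromList([1, 2, 3, 4]);
  final cReencrypted = Uint8List.fromList([1, 2, 3, 4]);
  final cTampered = Uint8List.fromList([1, 2, 3, 5]);
  print(ctSelect(ctDiffMask(c, cReencrypted), kPrime, kBar)[0] == kPrime[0]);
  print(ctSelect(ctDiffMask(c, cTampered), kPrime, kBar)[0] == kBar[0]);
  final coeffs = Int32List(256)..[200] = -(1 << 17) - 1;
  print(normExceeds(coeffs, 1 << 17)); // one large coefficient trips the flag
}
```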
We implement a secureZero() utility that overwrites Uint8List arrays with zeroes.
In KEM decapsulation and DSA signing, sensitive intermediate arrays are wiped in finally blocks before the function returns.
Note on Garbage Collection: Dart memory management cannot guarantee that copies of data haven't been made in hardware registers or moved by the garbage collector.
secureZero() strictly cleans up the primary allocated buffers.
If you find a security defect (e.g., a mathematical flaw causing incorrect signatures, a major timing leak, or an RNG failure), do not open a public issue.
Please review our SECURITY.md file in the repository root for our coordinated disclosure process. We treat all cryptographic flaws as critical.
pqcrypto — pure Dart, zero-dependency post-quantum cryptography (ML-KEM FIPS 203 · ML-DSA FIPS 204) for Dart, Flutter, and the web · MIT License · pub.dev · Repository · Documentation Index
Algorithm/KAT-conformance and interoperability evidence — not a CMVP/FIPS 140 module validation.