- rustls-post-quantum: https://crates.io/crates/rustls-post-quantum
- rustls-post-quantum docs: https://docs.rs/rustls-post-quantum/latest/rustls_post_quant... :
> This crate provides a rustls::crypto::CryptoProvider that includes a hybrid [1], post-quantum-secure [2] key exchange algorithm – specifically X25519Kyber768Draft00.
> X25519Kyber768Draft00 is pre-standardization, so you should treat this as experimental. You may see unexpected interop failures, and the algorithm implemented here may not be the one that eventually becomes widely deployed.
> However, the two components of this key exchange are well regarded: X25519 alone is already used by default by rustls, and tends to have higher quality implementations than other elliptic curves. Kyber768 was recently standardized by NIST as ML-KEM-768.
"Module-Lattice-Based Key-Encapsulation Mechanism Standard" KEM: https://csrc.nist.gov/pubs/fips/203/final :
> The security of ML-KEM is related to the computational difficulty of the Module Learning with Errors problem. [...] This standard specifies three parameter sets for ML-KEM. In order of increasing security strength and decreasing performance, these are ML-KEM-512, ML-KEM-768, and ML-KEM-1024.
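To check from a capture whether a client actually offers the hybrid group quoted above, the ClientHello `key_share` extension can be walked and the hybrid entry split into its two components. This is an added example, not code from the comment or from rustls-post-quantum; the codepoint 0x6399 and the 32 + 1184 byte layout are taken from the X25519Kyber768Draft00 TLS draft, the function names are hypothetical, and the sample bytes are constructed.

```rust
const X25519: u16 = 0x001d;
const X25519KYBER768DRAFT00: u16 = 0x6399; // NamedGroup codepoint used by the draft
const X25519_LEN: usize = 32;
const KYBER768_PK_LEN: usize = 1184;

#[derive(Debug, PartialEq)]
pub enum ShareError { Truncated, BadHybridLength(usize) }

/// Client share of the hybrid group: X25519 public key, then Kyber768 public key.
#[derive(Debug, PartialEq)]
pub struct HybridShare<'a> { pub x25519: &'a [u8], pub kyber_pk: &'a [u8] }

fn read_u16(buf: &[u8], off: usize) -> Result<u16, ShareError> {
    let b = buf.get(off..off + 2).ok_or(ShareError::Truncated)?;
    Ok(u16::from_be_bytes([b[0], b[1]]))
}

/// Walk a ClientHello key_share extension body (u16 list length, then entries of
/// u16 group, u16 length, data) and return the hybrid share if one is offered.
pub fn find_hybrid_share(ext: &[u8]) -> Result<Option<HybridShare<'_>>, ShareError> {
    let list_len = read_u16(ext, 0)? as usize;
    let list = ext.get(2..2 + list_len).ok_or(ShareError::Truncated)?;
    let mut off = 0;
    while off < list.len() {
        let group = read_u16(list, off)?;
        let len = read_u16(list, off + 2)? as usize;
        let data = list.get(off + 4..off + 4 + len).ok_or(ShareError::Truncated)?;
        if group == X25519KYBER768DRAFT00 {
            // A wrong length means a malformed or mislabelled share: reject it.
            if len != X25519_LEN + KYBER768_PK_LEN {
                return Err(ShareError::BadHybridLength(len));
            }
            let (x25519, kyber_pk) = data.split_at(X25519_LEN);
            return Ok(Some(HybridShare { x25519, kyber_pk }));
        }
        off += 4 + len;
    }
    Ok(None) // only classical groups offered
}

/// Constructed sample: a plain X25519 share followed by a hybrid share of `hybrid_len` bytes.
pub fn sample_extension(hybrid_len: usize) -> Vec<u8> {
    let mut list = Vec::new();
    for (group, len) in [(X25519, X25519_LEN), (X25519KYBER768DRAFT00, hybrid_len)] {
        list.extend_from_slice(&group.to_be_bytes());
        list.extend_from_slice(&(len as u16).to_be_bytes());
        list.extend(std::iter::repeat(0xAA).take(len));
    }
    let mut ext = (list.len() as u16).to_be_bytes().to_vec();
    ext.extend(list);
    ext
}

fn main() {
    println!("{:?}", find_hybrid_share(&sample_extension(1216)).map(|s| s.is_some()));
}
```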