Module: PQCrypto

Defined in:
lib/pq_crypto.rb,
lib/pq_crypto/kem.rb,
lib/pq_crypto/spki.rb,
lib/pq_crypto/pkcs8.rb,
lib/pq_crypto/errors.rb,
lib/pq_crypto/version.rb,
lib/pq_crypto/signature.rb,
lib/pq_crypto/hybrid_kem.rb,
lib/pq_crypto/serialization.rb,
lib/pq_crypto/algorithm_registry.rb,
ext/pqcrypto/pqcrypto_ruby_secure.c

Defined Under Namespace

Modules: AlgorithmRegistry, HybridKEM, KEM, NativeBindings, PKCS8, SPKI, Serialization, Signature, Testing

Classes: Error, InvalidCiphertextError, InvalidKeyError, SerializationError, UnsupportedAlgorithmError, VerificationError

Constant Summary collapse

# Supported algorithm identifiers grouped by primitive family, taken from
# AlgorithmRegistry when this constant is evaluated.
# NOTE(review): `freeze` is shallow -- it freezes only this outer Hash. Whether
# the per-family collections are themselves frozen depends on AlgorithmRegistry
# (not shown here), so hand out copies rather than the stored collections.
SUITES =
{
  kem: AlgorithmRegistry.supported_kems,
  hybrid_kem: AlgorithmRegistry.supported_hybrid_kems,
  signature: AlgorithmRegistry.supported_signatures,
}.freeze
NATIVE_EXTENSION_LOADED =
true
VERSION =
"0.5.1"
ML_KEM_512_PUBLIC_KEY_BYTES =
INT2NUM(MLKEM512_PUBLICKEYBYTES)
ML_KEM_512_SECRET_KEY_BYTES =
INT2NUM(MLKEM512_SECRETKEYBYTES)
ML_KEM_512_CIPHERTEXT_BYTES =
INT2NUM(MLKEM512_CIPHERTEXTBYTES)
ML_KEM_512_SHARED_SECRET_BYTES =
INT2NUM(MLKEM512_SHAREDSECRETBYTES)
ML_KEM_PUBLIC_KEY_BYTES =
INT2NUM(PQ_MLKEM_PUBLICKEYBYTES)
ML_KEM_SECRET_KEY_BYTES =
INT2NUM(PQ_MLKEM_SECRETKEYBYTES)
ML_KEM_CIPHERTEXT_BYTES =
INT2NUM(PQ_MLKEM_CIPHERTEXTBYTES)
ML_KEM_SHARED_SECRET_BYTES =
INT2NUM(PQ_MLKEM_SHAREDSECRETBYTES)
ML_KEM_1024_PUBLIC_KEY_BYTES =
INT2NUM(MLKEM1024_PUBLICKEYBYTES)
ML_KEM_1024_SECRET_KEY_BYTES =
INT2NUM(MLKEM1024_SECRETKEYBYTES)
ML_KEM_1024_CIPHERTEXT_BYTES =
INT2NUM(MLKEM1024_CIPHERTEXTBYTES)
ML_KEM_1024_SHARED_SECRET_BYTES =
INT2NUM(MLKEM1024_SHAREDSECRETBYTES)
HYBRID_KEM_PUBLIC_KEY_BYTES =
INT2NUM(PQ_HYBRID_PUBLICKEYBYTES)
HYBRID_KEM_SECRET_KEY_BYTES =
INT2NUM(PQ_HYBRID_SECRETKEYBYTES)
HYBRID_KEM_CIPHERTEXT_BYTES =
INT2NUM(PQ_HYBRID_CIPHERTEXTBYTES)
HYBRID_KEM_SHARED_SECRET_BYTES =
INT2NUM(PQ_HYBRID_SHAREDSECRETBYTES)
SIGN_44_PUBLIC_KEY_BYTES =
INT2NUM(MLDSA44_PUBLICKEYBYTES)
SIGN_44_SECRET_KEY_BYTES =
INT2NUM(MLDSA44_SECRETKEYBYTES)
SIGN_44_BYTES =
INT2NUM(MLDSA44_BYTES)
SIGN_PUBLIC_KEY_BYTES =
INT2NUM(PQ_MLDSA_PUBLICKEYBYTES)
SIGN_SECRET_KEY_BYTES =
INT2NUM(PQ_MLDSA_SECRETKEYBYTES)
SIGN_BYTES =
INT2NUM(PQ_MLDSA_BYTES)
SIGN_87_PUBLIC_KEY_BYTES =
INT2NUM(MLDSA87_PUBLICKEYBYTES)
SIGN_87_SECRET_KEY_BYTES =
INT2NUM(MLDSA87_SECRETKEYBYTES)
SIGN_87_BYTES =
INT2NUM(MLDSA87_BYTES)

Class Method Summary collapse

Class Method Details

.__test_ml_dsa_44_keypair_from_seed(seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1084

/*
 * Ruby-callable test hook: ML-DSA-44 key generation from a caller-supplied seed.
 *
 * Forwards to pq_run_test_sign_keypair_from_seed with the ML-DSA-44 worker and
 * the ML-DSA-44 public/secret key sizes. Seed validation, buffer handling and
 * the return shape are defined by that helper (not shown here).
 *
 * NOTE(review): the generated docs list this `__test_` hook on the PQCrypto
 * module itself. Keys derived from a known seed are only suitable for
 * known-answer tests; confirm the hook is not reachable from production code.
 */
static VALUE pqcrypto__test_ml_dsa_44_keypair_from_seed(VALUE self, VALUE seed) {
    (void)self; /* module receiver is unused */
    return pq_run_test_sign_keypair_from_seed(
        pq_testing_mldsa_44_keypair_nogvl,
        seed,
        MLDSA44_PUBLICKEYBYTES,
        MLDSA44_SECRETKEYBYTES);
}

.__test_ml_dsa_44_sign_from_seed(message, secret_key, seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1147

/*
 * Ruby-callable test hook: ML-DSA-44 signing with a caller-supplied seed.
 *
 * Forwards message, secret_key and seed to pq_run_test_sign_from_seed together
 * with the ML-DSA-44 worker, secret-key size and signature size. Argument
 * validation and secret-key copy/wipe handling live in that helper (not shown).
 *
 * NOTE(review): seeded signing is for reproducible test vectors; confirm this
 * `__test_` hook is not reachable from production code paths.
 */
static VALUE pqcrypto__test_ml_dsa_44_sign_from_seed(VALUE self, VALUE message, VALUE secret_key,
                                                     VALUE seed) {
    (void)self; /* module receiver is unused */
    return pq_run_test_sign_from_seed(
        pq_testing_mldsa_44_sign_nogvl,
        message,
        secret_key,
        seed,
        MLDSA44_SECRETKEYBYTES,
        MLDSA44_BYTES);
}

.__test_ml_dsa_87_keypair_from_seed(seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1090

/*
 * Ruby-callable test hook: ML-DSA-87 key generation from a caller-supplied seed.
 *
 * Forwards to pq_run_test_sign_keypair_from_seed with the ML-DSA-87 worker and
 * the ML-DSA-87 public/secret key sizes. Seed validation, buffer handling and
 * the return shape are defined by that helper (not shown here).
 *
 * NOTE(review): keys derived from a known seed are only suitable for
 * known-answer tests; confirm this `__test_` hook is not reachable from
 * production code.
 */
static VALUE pqcrypto__test_ml_dsa_87_keypair_from_seed(VALUE self, VALUE seed) {
    (void)self; /* module receiver is unused */
    return pq_run_test_sign_keypair_from_seed(
        pq_testing_mldsa_87_keypair_nogvl,
        seed,
        MLDSA87_PUBLICKEYBYTES,
        MLDSA87_SECRETKEYBYTES);
}

.__test_ml_dsa_87_sign_from_seed(message, secret_key, seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1154

/*
 * Ruby-callable test hook: ML-DSA-87 signing with a caller-supplied seed.
 *
 * Forwards message, secret_key and seed to pq_run_test_sign_from_seed together
 * with the ML-DSA-87 worker, secret-key size and signature size. Argument
 * validation and secret-key copy/wipe handling live in that helper (not shown).
 *
 * NOTE(review): seeded signing is for reproducible test vectors; confirm this
 * `__test_` hook is not reachable from production code paths.
 */
static VALUE pqcrypto__test_ml_dsa_87_sign_from_seed(VALUE self, VALUE message, VALUE secret_key,
                                                     VALUE seed) {
    (void)self; /* module receiver is unused */
    return pq_run_test_sign_from_seed(
        pq_testing_mldsa_87_sign_nogvl,
        message,
        secret_key,
        seed,
        MLDSA87_SECRETKEYBYTES,
        MLDSA87_BYTES);
}

.__test_ml_kem_1024_encapsulate_from_seed(public_key, seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 974

/*
 * Ruby-callable test hook: ML-KEM-1024 encapsulation with a caller-supplied seed.
 *
 * Forwards to pq_run_test_kem_encapsulate_from_seed with the ML-KEM-1024 worker
 * and the ML-KEM-1024 public-key, ciphertext and shared-secret sizes. Input
 * validation and buffer wiping are defined by that helper (not shown here).
 *
 * NOTE(review): encapsulation from a known seed yields a predictable shared
 * secret; confirm this `__test_` hook is only used for known-answer tests.
 */
static VALUE pqcrypto__test_ml_kem_1024_encapsulate_from_seed(VALUE self, VALUE public_key,
                                                              VALUE seed) {
    (void)self; /* module receiver is unused */
    return pq_run_test_kem_encapsulate_from_seed(
        pq_testing_ml_kem_1024_encapsulate_nogvl,
        public_key,
        seed,
        MLKEM1024_PUBLICKEYBYTES,
        MLKEM1024_CIPHERTEXTBYTES,
        MLKEM1024_SHAREDSECRETBYTES);
}

.__test_ml_kem_512_encapsulate_from_seed(public_key, seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 966

/*
 * Ruby-callable test hook: ML-KEM-512 encapsulation with a caller-supplied seed.
 *
 * Forwards to pq_run_test_kem_encapsulate_from_seed with the ML-KEM-512 worker
 * and the ML-KEM-512 public-key, ciphertext and shared-secret sizes. Input
 * validation and buffer wiping are defined by that helper (not shown here).
 *
 * NOTE(review): encapsulation from a known seed yields a predictable shared
 * secret; confirm this `__test_` hook is only used for known-answer tests.
 */
static VALUE pqcrypto__test_ml_kem_512_encapsulate_from_seed(VALUE self, VALUE public_key,
                                                             VALUE seed) {
    (void)self; /* module receiver is unused */
    return pq_run_test_kem_encapsulate_from_seed(
        pq_testing_ml_kem_512_encapsulate_nogvl,
        public_key,
        seed,
        MLKEM512_PUBLICKEYBYTES,
        MLKEM512_CIPHERTEXTBYTES,
        MLKEM512_SHAREDSECRETBYTES);
}

.__test_ml_kem_encapsulate_from_seed(public_key, seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 890

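/*
 * Ruby-callable test hook: ML-KEM encapsulation driven by a caller-supplied
 * 32-byte seed.
 *
 * Returns a two-element Array [ciphertext, shared_secret]. Raises ArgumentError
 * when the seed is not exactly 32 bytes; public_key is checked by
 * pq_validate_bytes_argument (not shown here) and native failures are reported
 * through pq_raise_general_error.
 *
 * NOTE(review): the shared secret is returned in a GC-managed Ruby String; only
 * the native copy is wiped here. Encapsulation from a known seed is predictable
 * and suitable for known-answer tests only.
 */
static VALUE pqcrypto__test_ml_kem_encapsulate_from_seed(VALUE self, VALUE public_key, VALUE seed) {
    (void)self;
    /*
     * Coerce seed BEFORE validating public_key. StringValue() may invoke a
     * user-defined #to_str, which runs arbitrary Ruby code and could resize a
     * String whose length was already checked. With all coercion done first,
     * no Ruby code runs between the length checks and the copies below (same
     * ordering as pqcrypto__native_mldsa_verify_mu).
     */
    StringValue(seed);
    pq_validate_bytes_argument(public_key, PQ_MLKEM_PUBLICKEYBYTES, "public key");

    if ((size_t)RSTRING_LEN(seed) != 32) {
        rb_raise(rb_eArgError, "Deterministic test seed must be 32 bytes");
    }

    kem_encapsulate_call_t call = {0};
    size_t public_key_len = 0;
    size_t seed_len = 0;
    /* Work on private copies so the worker can run without the GVL. */
    call.public_key = pq_copy_ruby_string(public_key, &public_key_len);
    call.ciphertext = pq_alloc_buffer(PQ_MLKEM_CIPHERTEXTBYTES);
    call.shared_secret = pq_alloc_buffer(PQ_MLKEM_SHAREDSECRETBYTES);
    call.seed = pq_copy_ruby_string(seed, &seed_len);
    call.seed_len = seed_len;

    rb_thread_call_without_gvl(pq_testing_ml_kem_encapsulate_nogvl, &call, NULL, NULL);
    /* Inputs are no longer needed; the seed copy is secret-equivalent, so wipe it. */
    pq_wipe_and_free((uint8_t *)call.public_key, public_key_len);
    pq_wipe_and_free((uint8_t *)call.seed, call.seed_len);

    if (call.result != PQ_SUCCESS) {
        /* Release outputs before raising; the code relies on the raise not returning. */
        pq_wipe_and_free(call.shared_secret, PQ_MLKEM_SHAREDSECRETBYTES);
        free(call.ciphertext);
        pq_raise_general_error(call.result);
    }

    VALUE result = rb_ary_new2(2);
    rb_ary_push(result, pq_string_from_buffer(call.ciphertext, PQ_MLKEM_CIPHERTEXTBYTES));
    rb_ary_push(result, pq_string_from_buffer(call.shared_secret, PQ_MLKEM_SHAREDSECRETBYTES));

    free(call.ciphertext);
    pq_wipe_and_free(call.shared_secret, PQ_MLKEM_SHAREDSECRETBYTES);
    return result;
}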

.__test_ml_kem_keypair_from_seed(seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 857

/*
 * Ruby-callable test hook: ML-KEM key generation from a caller-supplied
 * 64-byte seed (the error message names it as FIPS 203 d||z).
 *
 * Returns a two-element Array [public_key, secret_key]. Raises ArgumentError
 * when the seed is not exactly 64 bytes; native failures are reported through
 * pq_raise_general_error.
 *
 * NOTE(review): the secret key is returned in a GC-managed Ruby String; only
 * the native buffer is wiped here. Keys derived from a known seed are suitable
 * for known-answer tests only.
 */
static VALUE pqcrypto__test_ml_kem_keypair_from_seed(VALUE self, VALUE seed) {
    (void)self;
    StringValue(seed);

    if ((size_t)RSTRING_LEN(seed) != 64) {
        rb_raise(rb_eArgError, "Deterministic ML-KEM test seed must be 64 bytes (FIPS 203 d||z)");
    }

    kem_keypair_call_t call = {0};
    size_t seed_len = 0;
    call.public_key = pq_alloc_buffer(PQ_MLKEM_PUBLICKEYBYTES);
    call.secret_key = pq_alloc_buffer(PQ_MLKEM_SECRETKEYBYTES);
    /* Private copy of the seed so the worker can run without the GVL. */
    call.seed = pq_copy_ruby_string(seed, &seed_len);
    call.seed_len = seed_len;

    rb_thread_call_without_gvl(pq_testing_ml_kem_keypair_nogvl, &call, NULL, NULL);
    /* The seed determines the secret key, so its copy is wiped, not just freed. */
    pq_wipe_and_free((uint8_t *)call.seed, call.seed_len);

    if (call.result != PQ_SUCCESS) {
        /* Release outputs before raising; the code relies on the raise not returning. */
        pq_wipe_and_free(call.secret_key, PQ_MLKEM_SECRETKEYBYTES);
        free(call.public_key);
        pq_raise_general_error(call.result);
    }

    /* NOTE(review): if array/string allocation raises here, the native buffers
     * are not released or wiped -- confirm whether that path needs rb_ensure. */
    VALUE result = rb_ary_new2(2);
    rb_ary_push(result, pq_string_from_buffer(call.public_key, PQ_MLKEM_PUBLICKEYBYTES));
    rb_ary_push(result, pq_string_from_buffer(call.secret_key, PQ_MLKEM_SECRETKEYBYTES));

    free(call.public_key);
    pq_wipe_and_free(call.secret_key, PQ_MLKEM_SECRETKEYBYTES);
    return result;
}

.__test_sign_from_seed(message, secret_key, seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1015

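/*
 * Ruby-callable test hook: ML-DSA signing with a caller-supplied 32-byte seed.
 *
 * Returns the signature as a Ruby String. Raises ArgumentError when the seed is
 * not exactly 32 bytes; secret_key is checked by pq_validate_bytes_argument
 * (not shown here) and native failures are reported through
 * pq_raise_general_error.
 *
 * NOTE(review): seeded signing is for reproducible test vectors; confirm this
 * `__test_` hook is not reachable from production code paths.
 */
static VALUE pqcrypto__test_sign_from_seed(VALUE self, VALUE message, VALUE secret_key,
                                           VALUE seed) {
    (void)self;
    /*
     * Coerce seed BEFORE validating secret_key. StringValue() may invoke a
     * user-defined #to_str, which runs arbitrary Ruby code and could resize a
     * String whose length was already checked. With the coercion done first,
     * the secret key is copied right after its length check (same ordering as
     * pqcrypto__native_mldsa_verify_mu).
     */
    StringValue(seed);
    pq_validate_bytes_argument(secret_key, PQ_MLDSA_SECRETKEYBYTES, "secret key");

    if ((size_t)RSTRING_LEN(seed) != 32) {
        rb_raise(rb_eArgError, "Deterministic test seed must be 32 bytes");
    }

    sign_call_t call = {0};
    size_t secret_key_len = 0;
    size_t seed_len = 0;
    /* Private copies so the worker can run without the GVL. */
    call.secret_key = pq_copy_ruby_string(secret_key, &secret_key_len);
    call.signature_len = PQ_MLDSA_BYTES;
    call.signature = pq_alloc_buffer(PQ_MLDSA_BYTES);
    /* NOTE(review): message is not coerced in this function; presumably
     * pq_copy_ruby_string handles that -- confirm against the helper. */
    call.message = pq_copy_ruby_string(message, &call.message_len);
    call.seed = pq_copy_ruby_string(seed, &seed_len);
    call.seed_len = seed_len;

    rb_thread_call_without_gvl(pq_testing_sign_nogvl, &call, NULL, NULL);

    /* Secret key and seed copies are wiped; the message copy is only freed. */
    pq_free_buffer(call.message);
    pq_wipe_and_free((uint8_t *)call.secret_key, secret_key_len);
    pq_wipe_and_free((uint8_t *)call.seed, call.seed_len);

    if (call.result != PQ_SUCCESS) {
        pq_free_buffer(call.signature);
        pq_raise_general_error(call.result);
    }

    VALUE result = pq_string_from_buffer(call.signature, call.signature_len);
    pq_free_buffer(call.signature);
    return result;
}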

.__test_sign_keypair_from_seed(seed) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 982

/*
 * Ruby-callable test hook: ML-DSA key generation from a caller-supplied
 * 32-byte seed.
 *
 * Returns a two-element Array [public_key, secret_key]. Raises ArgumentError
 * when the seed is not exactly 32 bytes; native failures are reported through
 * pq_raise_general_error.
 *
 * NOTE(review): the secret key is returned in a GC-managed Ruby String; only
 * the native buffer is wiped here. Keys derived from a known seed are suitable
 * for known-answer tests only.
 */
static VALUE pqcrypto__test_sign_keypair_from_seed(VALUE self, VALUE seed) {
    (void)self;
    StringValue(seed);

    if ((size_t)RSTRING_LEN(seed) != 32) {
        rb_raise(rb_eArgError, "Deterministic test seed must be 32 bytes");
    }

    sign_keypair_call_t job = {0};
    size_t seed_bytes = 0;
    job.public_key = pq_alloc_buffer(PQ_MLDSA_PUBLICKEYBYTES);
    job.secret_key = pq_alloc_buffer(PQ_MLDSA_SECRETKEYBYTES);
    /* Private copy of the seed so the worker can run without the GVL. */
    job.seed = pq_copy_ruby_string(seed, &seed_bytes);
    job.seed_len = seed_bytes;

    rb_thread_call_without_gvl(pq_testing_sign_keypair_nogvl, &job, NULL, NULL);
    /* The seed determines the secret key, so its copy is wiped, not just freed. */
    pq_wipe_and_free((uint8_t *)job.seed, job.seed_len);

    if (job.result != PQ_SUCCESS) {
        /* Release outputs before raising; the code relies on the raise not returning. */
        pq_wipe_and_free(job.secret_key, PQ_MLDSA_SECRETKEYBYTES);
        free(job.public_key);
        pq_raise_general_error(job.result);
    }

    VALUE pair = rb_ary_new2(2);
    rb_ary_push(pair, pq_string_from_buffer(job.public_key, PQ_MLDSA_PUBLICKEYBYTES));
    rb_ary_push(pair, pq_string_from_buffer(job.secret_key, PQ_MLDSA_SECRETKEYBYTES));

    free(job.public_key);
    pq_wipe_and_free(job.secret_key, PQ_MLDSA_SECRETKEYBYTES);
    return pair;
}

._native_mldsa_compute_tr(public_key) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1373

/*
 * Computes the ML-DSA `tr` value from a public key and returns it as a Ruby
 * String of PQ_MLDSA_TRBYTES bytes.
 *
 * public_key is checked by pq_validate_bytes_argument (not shown here); native
 * failures are reported through pq_raise_general_error. The stack buffer is not
 * wiped on return: its only input is the public key.
 */
static VALUE pqcrypto__native_mldsa_compute_tr(VALUE self, VALUE public_key) {
    (void)self;
    pq_validate_bytes_argument(public_key, PQ_MLDSA_PUBLICKEYBYTES, "public key");

    uint8_t tr_out[PQ_MLDSA_TRBYTES];
    /* Read straight from the Ruby String: the GVL is held for the whole call. */
    const uint8_t *pk_bytes = (const uint8_t *)RSTRING_PTR(public_key);
    int status = pq_mldsa_compute_tr_from_public_key(tr_out, pk_bytes);
    if (status != PQ_SUCCESS) {
        pq_raise_general_error(status);
    }
    return pq_string_from_buffer(tr_out, sizeof(tr_out));
}

._native_mldsa_extract_tr(secret_key) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1358

/*
 * Extracts the ML-DSA `tr` value from a secret key and returns it as a Ruby
 * String of PQ_MLDSA_TRBYTES bytes.
 *
 * secret_key is checked by pq_validate_bytes_argument (not shown here); native
 * failures are reported through pq_raise_general_error. Because the bytes come
 * out of secret-key material, the stack buffer is wiped on both the error and
 * the success path.
 */
static VALUE pqcrypto__native_mldsa_extract_tr(VALUE self, VALUE secret_key) {
    (void)self;
    pq_validate_bytes_argument(secret_key, PQ_MLDSA_SECRETKEYBYTES, "secret key");

    uint8_t tr_out[PQ_MLDSA_TRBYTES];
    /* Read straight from the Ruby String: the GVL is held for the whole call. */
    const uint8_t *sk_bytes = (const uint8_t *)RSTRING_PTR(secret_key);
    int status = pq_mldsa_extract_tr_from_secret_key(tr_out, sk_bytes);
    if (status != PQ_SUCCESS) {
        pq_secure_wipe(tr_out, sizeof(tr_out));
        pq_raise_general_error(status);
    }
    VALUE tr_string = pq_string_from_buffer(tr_out, sizeof(tr_out));
    pq_secure_wipe(tr_out, sizeof(tr_out));
    return tr_string;
}

._native_mldsa_mu_builder_finalize(builder_obj) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1462

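/*
 * Finalizes an ML-DSA mu builder and returns mu as a Ruby String of
 * PQ_MLDSA_MUBYTES bytes.
 *
 * The wrapper is detached from its native builder whether or not finalization
 * succeeds, so the builder object cannot be reused afterwards. Native failures
 * are reported through pq_raise_general_error. The stack copy of mu is wiped on
 * both paths.
 */
static VALUE pqcrypto__native_mldsa_mu_builder_finalize(VALUE self, VALUE builder_obj) {
    (void)self;
    mu_builder_wrapper_t *wrapper = mu_builder_unwrap(builder_obj);

    uint8_t mu[PQ_MLDSA_MUBYTES];

    mu_finalize_call_t call = {0};
    call.builder = wrapper->builder;
    call.mu_out = mu;

    /*
     * Detach the builder from the wrapper BEFORE the GVL is released. While
     * the worker runs, other Ruby threads can call update/finalize/release on
     * the same object; clearing the pointer first means they see a detached
     * wrapper instead of a builder that is being consumed. The pointer itself
     * stays reachable through call.builder.
     */
    wrapper->builder = NULL;

    rb_nogvl(pq_mu_finalize_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);

    if (call.result != PQ_SUCCESS) {
        pq_secure_wipe(mu, sizeof(mu));
        pq_raise_general_error(call.result);
    }

    VALUE result = pq_string_from_buffer(mu, sizeof(mu));
    pq_secure_wipe(mu, sizeof(mu));
    return result;
}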

._native_mldsa_mu_builder_new(tr, ctx) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1385

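/*
 * Creates an ML-DSA mu builder initialised with `tr` and a context string, and
 * returns it wrapped in a TypedData object.
 *
 * Raises ArgumentError when ctx is longer than 255 bytes and NoMemoryError when
 * the native builder cannot be allocated; tr is checked by
 * pq_validate_bytes_argument (not shown here) and initialisation failures are
 * reported through pq_raise_general_error.
 */
static VALUE pqcrypto__native_mldsa_mu_builder_new(VALUE self, VALUE tr, VALUE ctx) {
    (void)self;
    /*
     * Coerce ctx BEFORE validating tr. StringValue() may invoke a user-defined
     * #to_str, which runs arbitrary Ruby code and could resize tr after its
     * length was checked; pq_mu_builder_init below reads PQ_MLDSA_TRBYTES
     * straight from RSTRING_PTR(tr). Same ordering as
     * pqcrypto__native_mldsa_verify_mu.
     */
    StringValue(ctx);
    pq_validate_bytes_argument(tr, PQ_MLDSA_TRBYTES, "tr");

    size_t ctxlen = (size_t)RSTRING_LEN(ctx);
    if (ctxlen > 255) {
        rb_raise(rb_eArgError, "ML-DSA context length must be <= 255 bytes");
    }

    /*
     * Allocate the Ruby wrapper first: if this allocation raises, no native
     * builder exists yet that could leak. A wrapper with a NULL builder is the
     * same state the finalize/release paths leave behind.
     */
    mu_builder_wrapper_t *wrapper;
    VALUE obj =
        TypedData_Make_Struct(rb_cObject, mu_builder_wrapper_t, &mu_builder_data_type, wrapper);
    wrapper->builder = NULL;

    void *builder = pq_mu_builder_new();
    if (builder == NULL) {
        rb_raise(rb_eNoMemError, "Memory allocation failed (mu builder)");
    }

    int rc = pq_mu_builder_init(builder, (const uint8_t *)RSTRING_PTR(tr),
                                (const uint8_t *)RSTRING_PTR(ctx), ctxlen);
    if (rc != PQ_SUCCESS) {
        pq_mu_builder_release(builder);
        pq_raise_general_error(rc);
    }

    /* Hand ownership to the wrapper only once the builder is fully initialised. */
    wrapper->builder = builder;
    return obj;
}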

._native_mldsa_mu_builder_release(builder_obj) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1486

/*
 * Releases the native mu builder held by a wrapper object, if any, and returns
 * nil.
 *
 * Calling it again on the same object is a no-op, because the pointer is
 * cleared after release. TypedData_Get_Struct type-checks builder_obj against
 * mu_builder_data_type.
 */
static VALUE pqcrypto__native_mldsa_mu_builder_release(VALUE self, VALUE builder_obj) {
    (void)self;
    mu_builder_wrapper_t *wrapper;
    TypedData_Get_Struct(builder_obj, mu_builder_wrapper_t, &mu_builder_data_type, wrapper);

    /* Nothing to do when the wrapper is missing or already detached. */
    if (wrapper == NULL || wrapper->builder == NULL) {
        return Qnil;
    }

    pq_mu_builder_release(wrapper->builder);
    wrapper->builder = NULL;
    return Qnil;
}

._native_mldsa_mu_builder_update(builder_obj, chunk) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1420

/*
 * Absorbs one message chunk into an ML-DSA mu builder and returns nil.
 *
 * Empty chunks are ignored. Chunks shorter than PQ_MU_ABSORB_NOGVL_MIN_BYTES
 * are absorbed directly from the Ruby String while the GVL is held; larger
 * chunks are copied and absorbed with the GVL released. Native failures are
 * reported through pq_raise_general_error.
 *
 * NOTE(review): on the GVL-released path wrapper->builder stays attached, so
 * another Ruby thread calling finalize/release on the same builder object
 * during the absorb would act on a builder that is still in use. Confirm that
 * builders are never shared across threads, or add an in-use marker to the
 * wrapper.
 */
static VALUE pqcrypto__native_mldsa_mu_builder_update(VALUE self, VALUE builder_obj, VALUE chunk) {
    (void)self;
    mu_builder_wrapper_t *wrapper = mu_builder_unwrap(builder_obj);
    StringValue(chunk);

    size_t chunk_len = (size_t)RSTRING_LEN(chunk);
    if (chunk_len == 0) {
        return Qnil;
    }

    /* Small chunk: absorb in place, GVL held, no copy needed. */
    if (chunk_len < PQ_MU_ABSORB_NOGVL_MIN_BYTES) {
        int rc = pq_mu_builder_absorb(wrapper->builder, (const uint8_t *)RSTRING_PTR(chunk),
                                      chunk_len);
        if (rc != PQ_SUCCESS) {
            pq_raise_general_error(rc);
        }
        return Qnil;
    }

    /* Large chunk: take a private copy, because the Ruby String may be
     * modified by other threads once the GVL is released. */
    uint8_t *copy = pq_alloc_buffer(chunk_len);
    memcpy(copy, RSTRING_PTR(chunk), chunk_len);

    mu_absorb_call_t call = {0};
    call.builder = wrapper->builder;
    call.chunk = copy;
    call.chunk_len = chunk_len;

    rb_nogvl(pq_mu_absorb_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
    /* The message copy is freed without wiping. */
    free(copy);

    if (call.result != PQ_SUCCESS) {
        pq_raise_general_error(call.result);
    }
    return Qnil;
}

._native_mldsa_sign_mu(mu, secret_key) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1503

/*
 * Signs a precomputed ML-DSA mu value with a secret key and returns the
 * signature as a Ruby String.
 *
 * mu and secret_key are checked by pq_validate_bytes_argument (not shown here);
 * native failures are reported through pq_raise_general_error. The private
 * copies of mu and the secret key are wiped as soon as the worker returns; the
 * signature buffer is only freed.
 */
static VALUE pqcrypto__native_mldsa_sign_mu(VALUE self, VALUE mu, VALUE secret_key) {
    (void)self;
    pq_validate_bytes_argument(mu, PQ_MLDSA_MUBYTES, "mu");
    pq_validate_bytes_argument(secret_key, PQ_MLDSA_SECRETKEYBYTES, "secret key");

    sign_mu_call_t job = {0};
    size_t sk_bytes_len = 0;
    size_t mu_bytes_len = 0;
    /* Private copies so the worker can run without the GVL. */
    uint8_t *mu_bytes = pq_copy_ruby_string(mu, &mu_bytes_len);
    uint8_t *sk_bytes = pq_copy_ruby_string(secret_key, &sk_bytes_len);

    job.mu = mu_bytes;
    job.secret_key = sk_bytes;
    job.signature_len = PQ_MLDSA_BYTES;
    job.signature = pq_alloc_buffer(PQ_MLDSA_BYTES);

    rb_nogvl(pq_sign_mu_nogvl, &job, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);

    pq_wipe_and_free(mu_bytes, mu_bytes_len);
    pq_wipe_and_free(sk_bytes, sk_bytes_len);

    if (job.result != PQ_SUCCESS) {
        pq_free_buffer(job.signature);
        pq_raise_general_error(job.result);
    }

    VALUE signature_str = pq_string_from_buffer(job.signature, job.signature_len);
    pq_free_buffer(job.signature);
    return signature_str;
}

._native_mldsa_verify_mu(mu, signature, public_key) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1540

/*
 * Verifies an ML-DSA signature over a precomputed mu value.
 *
 * Returns true when the worker reports PQ_SUCCESS and false when it reports
 * PQ_ERROR_VERIFY; every other result is raised through
 * pq_raise_general_error, so an unexpected failure is never reported as
 * "valid".
 *
 * The signature is coerced before mu and public_key are validated, so no
 * coercion happens after those checks. Its length is not checked here; it is
 * passed to the worker in signature_len (presumably validated there -- confirm).
 */
static VALUE pqcrypto__native_mldsa_verify_mu(VALUE self, VALUE mu, VALUE signature,
                                              VALUE public_key) {
    (void)self;
    StringValue(signature);
    pq_validate_bytes_argument(mu, PQ_MLDSA_MUBYTES, "mu");
    pq_validate_bytes_argument(public_key, PQ_MLDSA_PUBLICKEYBYTES, "public key");

    verify_mu_call_t job = {0};
    size_t pk_bytes_len = 0;
    size_t sig_bytes_len = 0;
    size_t mu_bytes_len = 0;
    /* Private copies so the worker can run without the GVL. */
    uint8_t *mu_bytes = pq_copy_ruby_string(mu, &mu_bytes_len);
    uint8_t *pk_bytes = pq_copy_ruby_string(public_key, &pk_bytes_len);
    uint8_t *sig_bytes = pq_copy_ruby_string(signature, &sig_bytes_len);

    job.mu = mu_bytes;
    job.public_key = pk_bytes;
    job.signature = sig_bytes;
    job.signature_len = sig_bytes_len;

    rb_nogvl(pq_verify_mu_nogvl, &job, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
    pq_wipe_and_free(mu_bytes, mu_bytes_len);
    pq_free_buffer(pk_bytes);
    pq_free_buffer(sig_bytes);

    if (job.result == PQ_SUCCESS) {
        return Qtrue;
    }
    if (job.result == PQ_ERROR_VERIFY) {
        return Qfalse;
    }
    /* Anything else is an operational error, not a verdict. */
    pq_raise_general_error(job.result);
}

.backend ⇒ Object



# File 'lib/pq_crypto.rb', line 135

# Identifies the cryptographic backend this build uses.
#
# @return [Symbol] always +:native_pq_code_package+
def backend
  :native_pq_code_package
end

.ct_equals ⇒ Object

.hybrid_kem_decapsulate(ciphertext, secret_key) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 806

/*
 * Ruby-callable hybrid KEM decapsulation.
 *
 * Forwards to pq_run_kem_decapsulate with the hybrid worker and the hybrid
 * ciphertext, secret-key and shared-secret sizes. Length validation, secret-key
 * copy/wipe handling and the return value are defined by that helper (not shown
 * here).
 */
static VALUE pqcrypto_hybrid_kem_decapsulate(VALUE self, VALUE ciphertext, VALUE secret_key) {
    (void)self; /* module receiver is unused */
    return pq_run_kem_decapsulate(
        pq_hybrid_kem_decapsulate_nogvl,
        ciphertext,
        PQ_HYBRID_CIPHERTEXTBYTES,
        secret_key,
        PQ_HYBRID_SECRETKEYBYTES,
        PQ_HYBRID_SHAREDSECRETBYTES);
}

.hybrid_kem_decapsulate_expanded(ciphertext, expanded_secret_key) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 813

/*
 * Ruby-callable hybrid KEM decapsulation using an expanded secret key passed as
 * a byte String.
 *
 * Forwards to pq_run_kem_decapsulate with the expanded-key worker and the
 * hybrid ciphertext, expanded-secret-key and shared-secret sizes. Length
 * validation, secret-key copy/wipe handling and the return value are defined by
 * that helper (not shown here).
 */
static VALUE pqcrypto_hybrid_kem_decapsulate_expanded(VALUE self, VALUE ciphertext,
                                                      VALUE expanded_secret_key) {
    (void)self; /* module receiver is unused */
    return pq_run_kem_decapsulate(
        pq_hybrid_kem_decapsulate_expanded_nogvl,
        ciphertext,
        PQ_HYBRID_CIPHERTEXTBYTES,
        expanded_secret_key,
        PQ_HYBRID_EXPANDED_SECRETKEYBYTES,
        PQ_HYBRID_SHAREDSECRETBYTES);
}

.hybrid_kem_decapsulate_expanded_object(ciphertext, expanded_secret_key_obj) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 822

/*
 * Hybrid KEM decapsulation using an expanded secret key held in a native
 * wrapper object instead of a Ruby String.
 *
 * Returns the shared secret as a Ruby String of PQ_HYBRID_SHAREDSECRETBYTES
 * bytes. ciphertext is checked by pq_validate_bytes_argument (not shown here);
 * failures are reported through pq_raise_general_error.
 *
 * NOTE(review): the shared secret is returned in a GC-managed Ruby String; only
 * the native buffer is wiped here.
 */
static VALUE pqcrypto_hybrid_kem_decapsulate_expanded_object(VALUE self, VALUE ciphertext,
                                                            VALUE expanded_secret_key_obj) {
    (void)self;
    hybrid_expanded_key_wrapper_t *wrapper = hybrid_expanded_key_unwrap(expanded_secret_key_obj);
    hybrid_decapsulate_expanded_pkey_call_t call = {0};
    VALUE result;
    size_t copied_ciphertext_len = 0;

    pq_validate_bytes_argument(ciphertext, PQ_HYBRID_CIPHERTEXTBYTES, "ciphertext");

    call.ciphertext = pq_copy_ruby_string(ciphertext, &copied_ciphertext_len);
    /* Points into the wrapper's own storage; the key bytes are not copied. */
    call.expanded_secret_key = wrapper->expanded_secret_key;
    call.shared_secret = pq_alloc_buffer(PQ_HYBRID_SHAREDSECRETBYTES);

    /* Take an extra reference so the EVP_PKEY stays valid while the worker
     * runs without the GVL.
     * NOTE(review): assumes hybrid_expanded_key_unwrap rejects a wrapper whose
     * x25519_private_pkey is NULL -- confirm against the helper. */
    if (EVP_PKEY_up_ref(wrapper->x25519_private_pkey) != 1) {
        pq_wipe_and_free((uint8_t *)call.ciphertext, copied_ciphertext_len);
        pq_wipe_and_free(call.shared_secret, PQ_HYBRID_SHAREDSECRETBYTES);
        pq_raise_general_error(PQ_ERROR_OPENSSL);
    }
    call.x25519_private_pkey = wrapper->x25519_private_pkey;

    rb_thread_call_without_gvl(pq_hybrid_kem_decapsulate_expanded_pkey_nogvl, &call, NULL, NULL);
    /* Drop the reference taken above, then release the ciphertext copy. */
    EVP_PKEY_free((EVP_PKEY *)call.x25519_private_pkey);
    pq_wipe_and_free((uint8_t *)call.ciphertext, copied_ciphertext_len);

    if (call.result != PQ_SUCCESS) {
        pq_wipe_and_free(call.shared_secret, PQ_HYBRID_SHAREDSECRETBYTES);
        pq_raise_general_error(call.result);
    }

    result = pq_string_from_buffer(call.shared_secret, PQ_HYBRID_SHAREDSECRETBYTES);
    pq_wipe_and_free(call.shared_secret, PQ_HYBRID_SHAREDSECRETBYTES);
    return result;
}

.hybrid_kem_encapsulate(public_key) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 739

/*
 * Ruby-callable hybrid KEM encapsulation.
 *
 * Forwards to pq_run_kem_encapsulate with the hybrid worker and the hybrid
 * public-key, ciphertext and shared-secret sizes. Public-key validation, buffer
 * handling and the return shape are defined by that helper (not shown here).
 */
static VALUE pqcrypto_hybrid_kem_encapsulate(VALUE self, VALUE public_key) {
    (void)self; /* module receiver is unused */
    return pq_run_kem_encapsulate(
        pq_hybrid_kem_encapsulate_nogvl,
        public_key,
        PQ_HYBRID_PUBLICKEYBYTES,
        PQ_HYBRID_CIPHERTEXTBYTES,
        PQ_HYBRID_SHAREDSECRETBYTES);
}

.hybrid_kem_expand_secret_key(secret_key) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 746

/*
 * Expands a hybrid KEM secret key and returns the expanded form as a Ruby
 * String of PQ_HYBRID_EXPANDED_SECRETKEYBYTES bytes.
 *
 * secret_key is checked by pq_validate_bytes_argument (not shown here); native
 * failures are reported through pq_raise_general_error. Both native buffers
 * (the input copy and the expanded output) are wiped before release.
 *
 * NOTE(review): the expanded key is returned in a GC-managed Ruby String, which
 * this function cannot wipe. The `_object` variant keeps the expanded key in
 * native storage instead.
 */
static VALUE pqcrypto_hybrid_kem_expand_secret_key(VALUE self, VALUE secret_key) {
    (void)self;
    hybrid_expand_call_t job = {0};
    VALUE expanded_str;
    size_t sk_copy_len = 0;

    pq_validate_bytes_argument(secret_key, PQ_HYBRID_SECRETKEYBYTES, "hybrid secret key");

    /* Private copy so the worker can run without the GVL. */
    job.secret_key = pq_copy_ruby_string(secret_key, &sk_copy_len);
    job.expanded_secret_key = pq_alloc_buffer(PQ_HYBRID_EXPANDED_SECRETKEYBYTES);

    rb_thread_call_without_gvl(pq_hybrid_kem_expand_secret_key_nogvl, &job, NULL, NULL);
    pq_wipe_and_free((uint8_t *)job.secret_key, sk_copy_len);

    if (job.result != PQ_SUCCESS) {
        pq_wipe_and_free(job.expanded_secret_key, PQ_HYBRID_EXPANDED_SECRETKEYBYTES);
        pq_raise_general_error(job.result);
    }

    expanded_str = pq_string_from_buffer(job.expanded_secret_key, PQ_HYBRID_EXPANDED_SECRETKEYBYTES);
    pq_wipe_and_free(job.expanded_secret_key, PQ_HYBRID_EXPANDED_SECRETKEYBYTES);
    return expanded_str;
}

.hybrid_kem_expand_secret_key_object(secret_key) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 770

/*
 * Expands a hybrid KEM secret key into a native wrapper object and returns that
 * object.
 *
 * The expanded key is written directly into the wrapper's storage and an
 * X25519 EVP_PKEY is built from it, so the expanded bytes are not exposed as a
 * Ruby String. secret_key is checked by pq_validate_bytes_argument (not shown
 * here); failures are reported through pq_raise_general_error.
 */
static VALUE pqcrypto_hybrid_kem_expand_secret_key_object(VALUE self, VALUE secret_key) {
    (void)self;
    hybrid_expand_call_t call = {0};
    size_t copied_secret_key_len = 0;

    pq_validate_bytes_argument(secret_key, PQ_HYBRID_SECRETKEYBYTES, "hybrid secret key");

    hybrid_expanded_key_wrapper_t *wrapper;
    VALUE obj = TypedData_Make_Struct(rb_cObject, hybrid_expanded_key_wrapper_t,
                                      &hybrid_expanded_key_data_type, wrapper);
    /* Start from a known-empty state before any step that can raise. */
    memset(wrapper->expanded_secret_key, 0, sizeof(wrapper->expanded_secret_key));
    wrapper->x25519_private_pkey = NULL;

    /* Private copy of the input so the worker can run without the GVL; the
     * output goes straight into the wrapper. */
    call.secret_key = pq_copy_ruby_string(secret_key, &copied_secret_key_len);
    call.expanded_secret_key = wrapper->expanded_secret_key;

    rb_thread_call_without_gvl(pq_hybrid_kem_expand_secret_key_nogvl, &call, NULL, NULL);
    pq_wipe_and_free((uint8_t *)call.secret_key, copied_secret_key_len);

    if (call.result != PQ_SUCCESS) {
        /* Do not leave partial key material in an object that is about to be
         * abandoned to the GC. */
        pq_secure_wipe(wrapper->expanded_secret_key, sizeof(wrapper->expanded_secret_key));
        pq_raise_general_error(call.result);
    }

    const hybrid_expanded_secret_key_t *expanded =
        (const hybrid_expanded_secret_key_t *)wrapper->expanded_secret_key;
    wrapper->x25519_private_pkey = EVP_PKEY_new_raw_private_key(
        EVP_PKEY_X25519, NULL, expanded->x25519_sk, X25519_SECRETKEYBYTES);
    if (!wrapper->x25519_private_pkey) {
        /* NOTE(review): this leaves a wrapper with a NULL x25519_private_pkey
         * for the GC; consumers should treat that state as invalid. */
        pq_secure_wipe(wrapper->expanded_secret_key, sizeof(wrapper->expanded_secret_key));
        pq_raise_general_error(PQ_ERROR_OPENSSL);
    }

    return obj;
}

.hybrid_kem_keypair ⇒ Object

.ml_dsa_44_keypair ⇒ Object

.ml_dsa_44_keypair_from_seed ⇒ Object

.ml_dsa_44_sign ⇒ Object

.ml_dsa_44_verify ⇒ Object

.ml_dsa_87_keypair ⇒ Object

.ml_dsa_87_keypair_from_seed ⇒ Object

.ml_dsa_87_sign ⇒ Object

.ml_dsa_87_verify ⇒ Object

.ml_dsa_keypair_from_seed ⇒ Object

.ml_kem_1024_decapsulate ⇒ Object

.ml_kem_1024_encapsulate ⇒ Object

.ml_kem_1024_keypair ⇒ Object

.ml_kem_1024_keypair_from_seed ⇒ Object

.ml_kem_512_decapsulate ⇒ Object

.ml_kem_512_encapsulate ⇒ Object

.ml_kem_512_keypair ⇒ Object

.ml_kem_512_keypair_from_seed ⇒ Object

.ml_kem_decapsulate ⇒ Object

.ml_kem_encapsulate ⇒ Object

.ml_kem_keypair ⇒ Object

.ml_kem_keypair_from_seed ⇒ Object

.native_extension_loaded? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/pq_crypto.rb', line 139

# Reports whether the native extension is available.
#
# @return [Boolean] always +true+ in this implementation
def native_extension_loaded?
  true
end

.public_key_from_pqc_container_der(der) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1629

/*
 * Imports a public key from a DER-encoded PQC container.
 *
 * Forwards to pq_import_container_der with the public-key DER parser. Parsing,
 * validation and the return shape are defined by those helpers (not shown
 * here); the DER input may come from an untrusted source.
 */
static VALUE pqcrypto_public_key_from_pqc_container_der(VALUE self, VALUE der) {
    (void)self; /* module receiver is unused */
    return pq_import_container_der(
        der,
        pq_public_key_from_pqc_container_der);
}

.public_key_from_pqc_container_pem(pem) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1634

/*
 * Imports a public key from a PEM-encoded PQC container.
 *
 * Forwards to pq_import_container_pem with the public-key PEM parser. Parsing,
 * validation and the return shape are defined by those helpers (not shown
 * here); the PEM input may come from an untrusted source.
 */
static VALUE pqcrypto_public_key_from_pqc_container_pem(VALUE self, VALUE pem) {
    (void)self; /* module receiver is unused */
    return pq_import_container_pem(
        pem,
        pq_public_key_from_pqc_container_pem);
}

.public_key_to_pqc_container_der(algorithm, key_bytes) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1605

/*
 * Exports a public key as a DER-encoded PQC container.
 *
 * Forwards algorithm and key_bytes to pq_export_container_der with the
 * public-key DER encoder. Argument validation and the return value are defined
 * by those helpers (not shown here).
 */
static VALUE pqcrypto_public_key_to_pqc_container_der(VALUE self, VALUE algorithm,
                                                      VALUE key_bytes) {
    (void)self; /* module receiver is unused */
    return pq_export_container_der(
        algorithm,
        key_bytes,
        pq_public_key_to_pqc_container_der);
}

.public_key_to_pqc_container_pem(algorithm, key_bytes) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1611

/*
 * Exports a public key as a PEM-encoded PQC container.
 *
 * Forwards algorithm and key_bytes to pq_export_container_pem with the
 * public-key PEM encoder. Argument validation and the return value are defined
 * by those helpers (not shown here).
 */
static VALUE pqcrypto_public_key_to_pqc_container_pem(VALUE self, VALUE algorithm,
                                                      VALUE key_bytes) {
    (void)self; /* module receiver is unused */
    return pq_export_container_pem(
        algorithm,
        key_bytes,
        pq_public_key_to_pqc_container_pem);
}

.secret_key_from_pqc_container_der(der) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1639

/*
 * Imports a secret key from a DER-encoded PQC container.
 *
 * Forwards to pq_import_container_der with the secret-key DER parser. Parsing,
 * validation, wiping of intermediate buffers and the return shape are defined
 * by those helpers (not shown here).
 *
 * NOTE(review): the caller's `der` String still holds the encoded secret after
 * this call; nothing visible here wipes it.
 */
static VALUE pqcrypto_secret_key_from_pqc_container_der(VALUE self, VALUE der) {
    (void)self; /* module receiver is unused */
    return pq_import_container_der(
        der,
        pq_secret_key_from_pqc_container_der);
}

.secret_key_from_pqc_container_pem(pem) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1644

/*
 * Imports a secret key from a PEM-encoded PQC container.
 *
 * Forwards to pq_import_container_pem with the secret-key PEM parser. Parsing,
 * validation, wiping of intermediate buffers and the return shape are defined
 * by those helpers (not shown here).
 *
 * NOTE(review): the caller's `pem` String still holds the encoded secret after
 * this call; nothing visible here wipes it.
 */
static VALUE pqcrypto_secret_key_from_pqc_container_pem(VALUE self, VALUE pem) {
    (void)self; /* module receiver is unused */
    return pq_import_container_pem(
        pem,
        pq_secret_key_from_pqc_container_pem);
}

.secret_key_to_pqc_container_der(algorithm, key_bytes) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1617

/*
 * Exports a secret key as a DER-encoded PQC container.
 *
 * Forwards algorithm and key_bytes to pq_export_container_der with the
 * secret-key DER encoder. Argument validation and the return value are defined
 * by those helpers (not shown here).
 *
 * NOTE(review): nothing visible here indicates the container is encrypted;
 * treat the output as plaintext key material unless the encoder documents
 * otherwise.
 */
static VALUE pqcrypto_secret_key_to_pqc_container_der(VALUE self, VALUE algorithm,
                                                      VALUE key_bytes) {
    (void)self; /* module receiver is unused */
    return pq_export_container_der(
        algorithm,
        key_bytes,
        pq_secret_key_to_pqc_container_der);
}

.secret_key_to_pqc_container_pem(algorithm, key_bytes) ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1623

/*
 * Exports a secret key as a PEM-encoded PQC container.
 *
 * Forwards algorithm and key_bytes to pq_export_container_pem with the
 * secret-key PEM encoder. Argument validation and the return value are defined
 * by those helpers (not shown here).
 *
 * NOTE(review): nothing visible here indicates the container is encrypted;
 * treat the output as plaintext key material unless the encoder documents
 * otherwise.
 */
static VALUE pqcrypto_secret_key_to_pqc_container_pem(VALUE self, VALUE algorithm,
                                                      VALUE key_bytes) {
    (void)self; /* module receiver is unused */
    return pq_export_container_pem(
        algorithm,
        key_bytes,
        pq_secret_key_to_pqc_container_pem);
}

.secure_wipe(str) ⇒ Object

Raises:

  • (ArgumentError)


# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1271

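# Overwrites the contents of +string+ in place via the native wipe routine.
#
# Only a String (or an object that converts implicitly through #to_str) is
# accepted. Kernel#String also falls back to #to_s, which builds a fresh
# temporary for Integers, Symbols, nil and similar values; wiping that
# temporary would leave the caller's data untouched while appearing to
# succeed, so such arguments are rejected instead.
#
# Only this one buffer is wiped. Earlier copies of the secret (dup, slices,
# interpolated strings) are separate objects and are not affected.
#
# @param string [String] mutable buffer holding the data to erase
# @return [Object] whatever +native_secure_wipe+ returns
# @raise [ArgumentError] if +string+ is not a String or is frozen
def secure_wipe(string)
  buffer = String.try_convert(string)
  raise ArgumentError, "secure_wipe requires a mutable String" if buffer.nil? || buffer.frozen?

  native_secure_wipe(buffer)
end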

.sign ⇒ Object

.sign_keypair ⇒ Object

.supported_hybrid_kems ⇒ Object



# File 'lib/pq_crypto.rb', line 147

# Lists the hybrid KEM suites recorded in SUITES.
#
# A copy is returned so callers cannot modify the collection stored in SUITES.
#
# @return [Object] duplicate of the +:hybrid_kem+ entry of SUITES
# @raise [KeyError] if SUITES has no +:hybrid_kem+ entry
def supported_hybrid_kems
  registered = SUITES.fetch(:hybrid_kem)
  registered.dup
end

.supported_kems ⇒ Object



# File 'lib/pq_crypto.rb', line 143

# Lists the KEM suites recorded in SUITES.
#
# A copy is returned so callers cannot modify the collection stored in SUITES.
#
# @return [Object] duplicate of the +:kem+ entry of SUITES
# @raise [KeyError] if SUITES has no +:kem+ entry
def supported_kems
  registered = SUITES.fetch(:kem)
  registered.dup
end

.supported_signatures ⇒ Object



# File 'lib/pq_crypto.rb', line 151

# Lists the signature suites recorded in SUITES.
#
# A copy is returned so callers cannot modify the collection stored in SUITES.
#
# @return [Object] duplicate of the +:signature+ entry of SUITES
# @raise [KeyError] if SUITES has no +:signature+ entry
def supported_signatures
  registered = SUITES.fetch(:signature)
  registered.dup
end

.verify ⇒ Object

.version ⇒ Object



# File 'ext/pqcrypto/pqcrypto_ruby_secure.c', line 1279

# Reports the version exposed by the native layer.
#
# @return [Object] whatever +native_version+ returns
def version
  native_version
end