Changelog
All notable changes to this project are documented in this file.
The format is based on Keep a Changelog 1.1.0,
and the workspace follows Semantic Versioning 2.0.0.
The pre-1.0 line ships breaking changes in minor version bumps
(0.1.x → 0.2.0); patch versions remain backwards-compatible.
Unreleased
Items planned for v0.2 — see each crate’s Roadmap chapter for the full tier matrix.
Stabilise the C ABI (quantica_ffi, arcana_ffi) and the WebAssembly bindings (quantica_wasm); flip these crates from publish = false to crates.io-published.
Fill in the arcana_bench and arcana_wasm placeholders.
arcana::ecc::eddsa::Ed448 full implementation (RFC 8032 §5.2).
Continued T1 / T2 hardening work per the Roadmap chapters of quantica/README.md and arcana/README.md.
Veille-trigger formalisation — record the veille window in CHANGELOG.md at every release bump (<window dates>; items reviewed: …; items folded into release: …) so the discipline becomes auditable.
0.1.0 - 2026-06-11
First public release of the krypteia cryptographic workspace.
Four crates ship on crates.io under the krypteia-* namespace: krypteia-silentops, krypteia-memory, krypteia-quantica, and krypteia-arcana. Apache-2.0 across the workspace.
The krypteia-* namespace prefix was adopted because the bare names memory and arcana were already taken on crates.io by third parties at first publish attempt. Every published crate sets [lib] name = "<short>" so consumers use silentops::*, use memory::*, use quantica::*, use arcana::* exactly as they would have with the bare names; the only place the namespaced name appears is the Cargo.toml [dependencies] line and on crates.io / docs.rs URLs.
Added — quantica (post-quantum cryptography)
ML-KEM (FIPS 203, Key Encapsulation Mechanism) — pure-Rust implementation, all parameter sets (MlKem512, MlKem768, MlKem1024), typed Zeroize-on-Drop key wrappers.
ML-DSA (FIPS 204, Digital Signature Algorithm) — pure-Rust implementation, all parameter sets (MlDsa44, MlDsa65, MlDsa87), with per-iteration mask refresh in the rejection loop (T1-A), Hermelink 2025/276 audit annex on ml_dsa::masked (T1-B).
SLH-DSA (FIPS 205, Stateless Hash-Based Signatures) — pure-Rust implementation, SHAKE variants (Sha2-128f/s, Shake-128f/s, Shake-192f/s, Shake-256f/s), with FORS recompute-and-compare redundancy (T1-C, anti-grafting Castelnovi 2018), full-tree streaming FORS sign (T1-D, anti-template Kannwischer 2018), digest → FORS-indices integrity check (T1-E, anti-fault), and a constant-time fors_pk_from_sig_ct (T1-F).
First-order DPA masking + shuffled NTT on both ML-KEM and ML-DSA secret paths (sca-protected Cargo feature, on by default).
Iterative BDS FORS treehash (256 KiB → 448 B per call) and streaming signature output (one allocation, *_into variants throughout) to fit the M0 baseline RAM budget.
Seven RAM-reduction features for ML-DSA bringing the M0 Sign stack from 179 KB → ~17 KB peak.
no_std build target support; cross-compile recipes in quantica/README.md for thumbv6m-none-eabi, thumbv7em-none-eabihf, thumbv8m.main-none-eabihf, riscv32imc-unknown-none-elf.
Added — arcana (classical cryptography)
RSA — PKCS#1 v1.5, PSS (with Sha256 / Sha384 / Sha512 / SHA-3 family digests), OAEP.
ECDSA / ECDH — NIST P-256 / P-384 / P-521, SECG secp256k1, Brainpool families (P-256 / P-384 / P-512). CT hardening on scalar_mul_point (Montgomery ladder, branchless point_add_ct, black_box shielding on field_* masks).
EdDSA — Ed25519 (RFC 8032 §5.1).
ECDH — X25519 and X448.
AES — 128 / 192 / 256 with ECB, CBC, CTR, GCM, CCM (RFC 3610), XTS (IEEE 1619) modes.
ChaCha20 and ChaCha20-Poly1305 (RFC 8439), XChaCha20-Poly1305 (24-byte nonce extension).
DES / 3DES (legacy use only — flagged in the per-crate Known limitations).
Hashes: SHA-1, SHA-2 family (224 / 256 / 384 / 512 / 512-truncated), SHA-3 family (224 / 256 / 384 / 512 + SHAKE128/256, cSHAKE128/256), BLAKE2b / BLAKE2s, RIPEMD-160.
MACs: HMAC, CMAC.
Optional RustCrypto trait bridges (digest, cipher, signature) behind the rust-crypto-traits Cargo feature.
no_std build target support.
Added — silentops (side-channel countermeasure toolkit)
Constant-time primitives — ct::ct_eq, ct::ct_select_*, ct::ct_zeroize, ct::ct_copy with five architecture-specific inline-assembly backends gated on target_arch + target_feature + Cargo feature:
  asm-x86_64 — x86_64 inline asm;
  asm-aarch64 — AArch64 with csel/csinv;
  asm-thumbv7 — ARMv7-M Thumb2 IT blocks (Cortex-M3 / M4 / M33);
  asm-thumbv6m — ARMv6-M no-IT branchless (Cortex-M0 / M0+);
  asm-riscv32 — RV32I branchless (ESP32-C3 / C6 / H2).
ct_grind — Valgrind memcheck client-request helpers (poison/unpoison) with zero-cost no-op fallback on non-Linux x86_64 / aarch64 targets.
verify — dudect-style timing-leakage detector (Welch t-test, std-only) refactored as a reusable library.
Added — memory (TLSF allocator)
Two allocator backends gated by Cargo feature:
  os-alloc (default) — forwards to the platform malloc/free;
  self-alloc — TLSF allocator over a caller-provided RAM block, single-init, no std.
global-alloc feature for the FFI consumers (arcana_ffi, future quantica_ffi) to register as #[global_allocator].
Added — Cross-architecture validation infrastructure (T3-A)
Workspace-internal, exercised on every push:
tools/qemu-user-tests.sh — workspace lib tests on three Linux triplets via cross + qemu-user: aarch64-unknown-linux-gnu, armv7-unknown-linux-gnueabihf, riscv64gc-unknown-linux-gnu. Pinned to cross 0.2.5 + ghcr.io/cross-rs/*:0.2.5 Docker images.
tools/qemu-system-tests.sh — tests-embedded smoke test on four bare-metal targets: riscv32imc-unknown-none-elf (ESP32-C3), riscv32imac-unknown-none-elf (ESP32-C6 / H2), thumbv6m-none-eabi (Cortex-M0, qemu microbit), thumbv7em-none-eabihf (Cortex-M4F, qemu mps2-an386).
tools/qemu-vector-tests.sh + tools/vector-runner/ — host↔guest semihosting vector-streaming protocol that runs validation corpora through the bare-metal vector_runner bin without compiling vectors into the binary. Generator and consumer share the wire format via tests_embedded::protocol.
Codeberg Forgejo Actions workflow (.forgejo/workflows/qemu-cross-tests.yml) running all three layers in parallel on every push to main and every pull request.
Added — Documentation pack and CI
Sphinx documentation pack (gendoc.sh all) — per-crate README rendered with the per-crate doc/sca/ side-channel annex inlined as a nested TOC under each crate’s chapter VIII subsection 5; cross-crate sidebar entries for silentops and memory; separate Governance sidebar group for CONTRIBUTING and SECURITY.
Continuous publish to cslashm.codeberg.page/krypteia via .forgejo/workflows/doc.yml on every push to main.
Workspace governance documents linked from the root README:
  CONTRIBUTING.md — contribution policy, including the AI-assist Co-Authored-By: trailer requirement;
  SECURITY.md — security maintenance process and full responsible-disclosure policy (90-day coordinated disclosure window default, MITRE CNA process for CVE assignment, safe-harbour clause for good-faith research).
Conventions and workspace shape adopted in v0.1
Rust edition 2024 (MSRV 1.85) across the workspace.
[workspace.package] factorisation of release metadata (license, repository, homepage, authors, version, edition, rust-version) — inherited via <field>.workspace = true.
[workspace.dependencies] factorisation of inter-crate path-deps with version = "0.1.0" on each so cargo publish accepts them.
publish = false on quantica_ffi, arcana_ffi, quantica_wasm, quantica_bench, arcana_bench, arcana_wasm, tests-embedded, tools/vector-runner — these are workspace-internal previews / placeholders; the C ABI and JS surface stabilise in v0.2.
Strict branch policy enforced by tools/hooks/pre-commit: main, master, pqc-dev are read-only, dev work happens on dev/* / doc/* / infra/* / release/* branches.
Known limitations carried into v0.1
These are documented honestly so a v0.1 consumer or external reviewer can size them up before depending on the workspace:
arcana::ecc::eddsa::Ed448 — stub. Full implementation deferred to v0.2 against RFC 8032 §5.2.
Five #[ignore]-d KAT tests under quantica/tests/ (three ML-KEM RSP + two SLH-DSA SHAKE-256f) — root cause investigation deferred to v0.2 evaluation prep.
thumbv8m.main-none-eabihf bare-metal target — wired in tests-embedded/memory/mps2-an505.x, tools/qemu-system-tests.sh, and .cargo/config.toml, but currently disabled in the active matrix due to an upstream rustc 1.96 + cortex-m-rt 0.7.5 linker issue that emits an empty ELF. silentops’s asm-thumbv7 backend coverage is preserved via the thumbv7em path (M4F and M33 share the asm backend).
45 unsafe-op-in-unsafe-fn warnings on arcana_ffi and ~69 not_unsafe_ptr_arg_deref clippy errors on quantica_ffi — edition 2024 ripple on the FFI surface. These are workspace-internal in v0.1 (publish = false) and addressed when the C ABI is reworked for v0.2.
Codeberg shared-runner CI is not green for v0.1.0 — two distinct image-compat issues block the workflows on the free shared-runner pool: (a) the cross-based qemu-user matrix in .forgejo/workflows/qemu-cross-tests.yml requires Docker-in-Docker, which the pool does not expose; (b) the doc.yml Sphinx build calls rsync, which is not present in the runner image’s apt set. The bare-metal qemu-system and qemu-vector matrices use no Docker and need no additional packages, but were not exercised on the pool for v0.1.0 because the YAMLs are bundled in a single workflow with the broken qemu-user matrix. Local validation (./tools/qemu-{user,system,vector}-tests.sh, ./tools/ctgrind.sh, ./gendoc.sh all) covers the same scope the workflows would have. The v0.1.0 long-form Sphinx doc pack was deployed to Codeberg Pages manually from a local ./gendoc.sh all run, not via the doc.yml workflow. Workflow migration to non-Docker tooling (qemu-user-static + binfmt-misc for the cross-arch matrix, apt-get rsync for the doc build) lands in v0.2.
Initial public release commit
The b31fdbd “Initial public release of krypteia” commit
(2026-03-13) seeded the public history as an orphan commit,
deliberately disconnected from earlier internal exploration
branches that referenced third-party non-public material
under NDA. All work in this CHANGELOG is reachable from that
orphan root.