krypteia — Cryptography Workspace
Documentation
krypteia — Post-Quantum and Classical Cryptography in Rust
Goals
Status
Workspace layout
Project structure
Building
Cargo profiles
Test coverage and references
Contributing and security
License
krypteia-quantica — Post-Quantum Cryptography for the krypteia workspace
Design rules
Algorithms
ML-KEM (FIPS 203)
ML-DSA (FIPS 204)
SLH-DSA (FIPS 205)
Cargo features
Quick start
ML-KEM (FIPS 203) — Key Encapsulation
ML-DSA (FIPS 204) — Digital Signature
SLH-DSA (FIPS 205) — Stateless Hash-Based Signature
Typed key wrappers (Zeroize-on-Drop)
Parameter sets / curve families
ML-KEM (FIPS 203)
ML-DSA (FIPS 204)
SLH-DSA (FIPS 205) — SHAKE variants only
Design decisions
Side-channel countermeasures (summary)
Always-on
Feature-gated (sca-protected, on by default)
Approximate cost (single-threaded, release mode)
Timing leakage verification (dudect)
Known residual surface
Per-algorithm deep dives
krypteia — Side-Channel Analysis and Countermeasures
Performance
Building
Desktop / server (default)
no_std / bare-metal cross-compile
Cargo profiles
Test validation
NIST ACVP — happy-path conformance
Wycheproof — edge cases and negative tests
Custom negative / robustness tests
Running everything
Policy on test suites
Examples
Rust
C FFI
Module map
Known limitations
Side-channel protection
Standards conformance
Portability
Testing
Roadmap
Tier 1 — Active vulnerabilities (critical path)
Tier 2 — Hardening for evaluation
Tier 3 — Verification tooling
Tier 4 — Deferred / beyond the current evaluation scope
Tier 5 — Documentation pass
Already shipped (trace-back)
Suggested execution order (critical path)
References
License
krypteia-arcana — Classical Cryptography for the krypteia workspace
Design rules
Algorithms
Hash functions
Symmetric ciphers and modes
Message authentication codes (MACs)
RSA
Elliptic curve cryptography
Edwards / Montgomery curves
Cargo features
Quick start
Hashing (SHA-256)
AEAD (AES-128-GCM)
X25519 ECDH
HMAC-SHA-256 (streaming)
AES-256-CBC (Cipher ctx)
Typed key wrappers (Zeroize-on-Drop)
Parameter sets / curve families
NIST P-curves
Brainpool
secp256k1
Edwards / Montgomery
RSA key sizes
Design decisions
Side-channel countermeasures (summary)
Always-on
Feature-gated
Timing leakage verification (dudect)
Known residual surface
Per-algorithm deep dives
arcana — Side-Channel Analysis and Countermeasures
Performance
Building
Desktop / server (default)
no_std / bare-metal cross-compile
Cargo profiles
Test validation
NIST CAVP / FIPS / RFC happy-path conformance
Wycheproof
Custom negative / robustness tests
Running everything
Policy on test suites
Examples
Rust
C FFI
Module map
Known limitations
Side-channel protection
Standards conformance
Portability
Testing
Roadmap
Tier 1 — Active vulnerabilities (critical path)
Tier 2 — Hardening for evaluation
Tier 3 — Verification tooling
Tier 4 — Deferred / beyond the current evaluation scope
Tier 5 — Documentation pass
ECC follow-ups (already shipped)
Suggested execution order (critical path)
References
License
krypteia-silentops — side-channel countermeasure toolkit
Cargo features
Verification status
License
krypteia-memory — TLSF allocator for the krypteia workspace
Cargo features
Usage from C (bare-metal)
License
Rust API reference
How the API reference is produced
Notes for reviewers
Governance
Contributing to Krypteia
Position
Why this document exists
Five principles
1. Domain expertise is the price of admission
2. You own what you submit
3. Validate against ground truth, not vibes
4. Trace your reasoning
5. Be honest about your tools
Pre-submission checklist
What we will reject without lengthy review
What we hold ourselves to
Security Maintenance Process — krypteia
1. Mission and target
2. Three pillars — veille, doc, code
3. The shared skill — crypto-research
4. Common directives
4.1 Code
4.2 Documentation
4.3 Veille
4.4 Verification
5. Per-crate ownership
6. Lifecycle of a security item
7. Where to find what
8. Vulnerability reporting
8.1 Reporting channel
8.2 Initial response
8.3 Coordinated disclosure window
8.4 Public advisory
8.5 Out of scope
8.6 Safe harbour
9. License
Changelog
Unreleased
0.1.0 - 2026-06-11
Added — quantica (post-quantum cryptography)
Added — arcana (classical cryptography)
Added — silentops (side-channel countermeasure toolkit)
Added — memory (TLSF allocator)
Added — Cross-architecture validation infrastructure (T3-A)
Added — Documentation pack and CI
Conventions and workspace shape adopted in v0.1
Known limitations carried into v0.1
Initial public release commit
krypteia — Cryptography Workspace
Index