A secure real-time messaging application implementing hybrid cryptography that combines post-quantum and classical algorithms for defense-in-depth security.
This messenger implements a hybrid cryptographic scheme combining:
- Kyber-768 (ML-KEM): NIST-standardized post-quantum key encapsulation mechanism
- X25519: Classical elliptic curve Diffie-Hellman key exchange
- ChaCha20-Poly1305: Authenticated encryption with additional data (AEAD)
- HKDF-SHA256: Key derivation function for combining shared secrets
The hybrid approach ensures security remains intact even if one algorithm is compromised:
- Kyber-768 protects against future quantum computer attacks
- X25519 provides proven security against classical attacks today
- Security holds if at least one algorithm remains secure
- Quantum-Resistant: Protects communications against future quantum threats
- Forward Secrecy: Ephemeral keys ensure past communications remain secure
- Authenticated Encryption: ChaCha20-Poly1305 prevents message tampering
- Real-time Messaging: Asynchronous TCP-based communication using Tokio
- Zero Dependencies on External Libraries: Pure Rust implementation
- Rust: 1.56.0 or higher
- Operating System: Linux, macOS, or Windows (with WSL for best compatibility)
# Install Rust toolchain
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env# Clone the repository
git clone <repository-url>
cd hybrid-pqc-messenger
# Build the project
cargo build --releaseThe application consists of two binaries: a server and a client.
Open a terminal and run:
cargo run --release --bin serverOr run the compiled binary directly:
./target/release/serverThe server will:
- Start listening on
127.0.0.1:8080 - Wait for a client connection
- Perform hybrid key exchange
- Enable encrypted messaging
Open a second terminal and run:
cargo run --release --bin clientOr run the compiled binary directly:
./target/release/clientThe client will:
- Connect to the server at
127.0.0.1:8080 - Complete the hybrid key exchange
- Enable encrypted messaging
Once both server and client are running:
- Type your message in either terminal
- Press Enter to send
- Messages are encrypted with ChaCha20-Poly1305 before transmission
- Type
/quitto exit
hybrid-pqc-messenger/
├── Cargo.toml # Dependencies and project configuration
├── src/
│ ├── lib.rs # Core cryptography implementation (HybridCrypto)
│ ├── server.rs # Server binary
│ └── client.rs # Client binary
└── README.md # This file
SERVER CLIENT
| |
| 1. Generate Kyber + X25519 keypairs |
|────────────────────────────────────────>|
| Send: kyber_pk, x25519_pk |
| |
| 2. Client encapsulates & responds |
|<────────────────────────────────────────|
| Recv: kyber_ct, x25519_pk |
| |
| 3. Both derive session key |
| HKDF(x25519_shared || kyber_shared) |
| |
| 4. Encrypted chat (ChaCha20-Poly1305) |
|<───────────────────────────────────────>|
Execute the test suite:
cargo testThis will run unit tests for key exchange and encryption/decryption operations.
For optimized production builds:
cargo build --releaseBinaries will be located in target/release/:
target/release/servertarget/release/client
This is a demonstration and learning project. The implementation includes:
- ✅ Hybrid post-quantum and classical key exchange
- ✅ Authenticated encryption
- ✅ Forward secrecy with ephemeral keys
- ✅ Constant-time cryptographic operations (via RustCrypto)
For production deployment, implement:
- Authentication: Verify peer identity (certificates, signatures)
- Key Ratcheting: Perfect forward secrecy with periodic key rotation
- Replay Protection: Monotonic counters or timestamps
- Rate Limiting: Prevent denial-of-service attacks
- Secure Key Storage: Hardware security modules (HSM) or secure enclaves
- Error Handling: Production-grade error recovery without panics
- Logging & Monitoring: Security event logging and alerting
- TLS Layer: Additional transport layer security
- Multi-client Support: Handle multiple concurrent connections
Key cryptographic libraries used:
| Library | Purpose | Version |
|---|---|---|
pqc_kyber |
Kyber-768 post-quantum KEM | 0.7.1 |
x25519-dalek |
X25519 elliptic curve DH | 2.0.1 |
chacha20poly1305 |
Authenticated encryption | 0.10.1 |
hkdf |
Key derivation function | 0.12.4 |
sha2 |
SHA-256 hashing | 0.10.8 |
tokio |
Async runtime | 1.35 |
serde |
Serialization | 1.0 |
bincode |
Binary encoding | 1.3 |
- Kyber Security Level: Level 3 (equivalent to AES-192)
- Public Key Size: 1,184 bytes (Kyber-768)
- Ciphertext Size: 1,088 bytes (Kyber-768)
- Shared Secret Size: 32 bytes (both Kyber and X25519)
- Session Key Size: 32 bytes (256 bits)
- Nonce Size: 12 bytes (96 bits)
Approximate performance on modern CPUs:
- Key Generation: ~100,000 operations/second
- Encapsulation: ~100,000 operations/second
- Decapsulation: ~100,000 operations/second
- Encryption/Decryption: >1 GB/second
Contributions are welcome! Areas for improvement:
- Multi-client support (broadcast messaging)
- File transfer capabilities
- GUI implementation
- Mobile platform support
- Key ratcheting for perfect forward secrecy
- Comprehensive benchmarking suite
MIT License - see LICENSE file for details
- NIST Post-Quantum Cryptography Standardization
- Kyber Specification (CRYSTALS-KYBER)
- RFC 8439: ChaCha20 and Poly1305
- RFC 7748: Elliptic Curves for Security
- RFC 5869: HMAC-based Key Derivation Function
Built with the excellent Rust cryptography ecosystem:
- RustCrypto - Cryptographic algorithms
- dalek-cryptography - Elliptic curve cryptography
- Argyle Software - Kyber implementation
Disclaimer: This is a demonstration project for educational purposes. It has not undergone security auditing and should not be used to protect sensitive information in production environments without proper security review and hardening.