cryspen · jschneider-bensch · Jul 8, 2025 · Jul 2, 2025 · Jul 2, 2025 · Jul 2, 2025
@@ -33,12 +33,16 @@ libcrux-intrinsics = { version = "0.0.3", path = "../libcrux-intrinsics" }
 libcrux-secrets = { version = "0.0.3", path = "../secrets" }
 libcrux-traits = { version = "0.0.3", path = "../traits" }
 hax-lib.workspace = true
+tls_codec = { version = "0.4.2", features = ["derive"], default-features = false, optional = true}
 
 [features]
 # By default all variants and std are enabled.
 default = ["default-no-std", "std"]
 default-no-std = ["mlkem512", "mlkem768", "mlkem1024", "rand"]
 
+# Serialization & Deserialization using tls_codec
+codec = ["dep:tls_codec"]
+
 # Hardware features can be force enabled.
 # It is not recommended to use these. This crate performs CPU feature detection
 # and enables the features when they are available.

@@ -90,7 +90,10 @@ pub(crate) mod hax_utils;
 // This is being tracked in https://github.com/hacspec/hacspec-v2/issues/27
 pub(crate) mod constants;
 
-#[cfg(all(feature = "alloc", feature = "incremental"))]
+#[cfg(any(
+    all(feature = "alloc", feature = "incremental"),
+    all(feature = "alloc", feature = "codec")
+))]
 extern crate alloc;
 
 /// Helpers for verification and extraction

@@ -146,6 +146,85 @@ mod index_impls {
     impl_index_impls_for_generic_struct!(MlKemPublicKey);
 }
 
+#[cfg(all(feature = "codec", feature = "alloc"))]
+mod codec {
+    use super::*;
+
+    macro_rules! impl_tls_codec_for_generic_struct {
+        ($name:ident) => {
+            impl<const SIZE: usize> tls_codec::SerializeBytes for $name<SIZE> {
+                fn tls_serialize(&self) -> Result<alloc::vec::Vec<u8>, tls_codec::Error> {
+                    tls_codec::TlsByteVecU16::from_slice(self.as_ref()).tls_serialize()
+                }
+            }
+
+            impl<const SIZE: usize> tls_codec::Size for $name<SIZE> {
+                fn tls_serialized_len(&self) -> usize {
+                    SIZE + 2
+                }
+            }
+
+            impl<const SIZE: usize> tls_codec::DeserializeBytes for $name<SIZE> {
+                fn tls_deserialize_bytes(
+                    bytes: &[u8],
+                ) -> Result<($name<SIZE>, &[u8]), tls_codec::Error> {
+                    let (vec, rest) = tls_codec::TlsByteVecU16::tls_deserialize_bytes(bytes)?;
+                    if vec.len() != SIZE {
+                        Err(tls_codec::Error::InvalidVectorLength)
+                    } else {
+                        Ok((
+                            $name::<SIZE>::try_from(vec.as_slice())
+                                .expect("deserialized vector should have the length {SIZE}"),
+                            rest,
+                        ))
+                    }
+                }
+            }
+
+            impl<const SIZE: usize> tls_codec::SerializeBytes for &$name<SIZE> {
+                fn tls_serialize(&self) -> Result<alloc::vec::Vec<u8>, tls_codec::Error> {
+                    tls_codec::TlsByteVecU16::from_slice(self.as_ref()).tls_serialize()
+                }
+            }
+
+            impl<const SIZE: usize> tls_codec::Size for &$name<SIZE> {
+                fn tls_serialized_len(&self) -> usize {
+                    SIZE + 2
+                }
+            }
+        };
+    }
+
+    impl_tls_codec_for_generic_struct!(MlKemCiphertext);
+    impl_tls_codec_for_generic_struct!(MlKemPublicKey);
+
+    #[cfg(test)]
+    mod test {
+        use tls_codec::{DeserializeBytes, SerializeBytes, Size};
+
+        use super::*;
+
+        #[test]
+        fn ser_de() {
+            const SIZE: usize = 1568;
+            let test_struct = MlKemCiphertext::<SIZE>::default();
+
+            assert_eq!(test_struct.tls_serialized_len(), SIZE + 2);
+            let test_struct_serialized = test_struct.tls_serialize().unwrap();
+            assert_eq!(
+                test_struct_serialized.len(),
+                test_struct.tls_serialized_len()
+            );
+
+            let test_struct_deserialied =
+                MlKemCiphertext::<SIZE>::tls_deserialize_exact_bytes(&test_struct_serialized)
+                    .unwrap();
+
+            assert_eq!(test_struct.as_ref(), test_struct_deserialied.as_ref())
+        }
+    }
+}
+
 /// An ML-KEM key pair
 pub struct MlKemKeyPair<const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize> {
     pub(crate) sk: MlKemPrivateKey<PRIVATE_KEY_SIZE>,

@@ -20,16 +20,19 @@ libcrux-kem = { version = "=0.0.3", path = "../libcrux-kem" }
 libcrux-chacha20poly1305 = { version = "0.0.3", path = "../chacha20poly1305" }
 libcrux-hkdf = { version = "=0.0.3", path = "../libcrux-hkdf" }
 libcrux-hmac = { version = "=0.0.3", path = "../libcrux-hmac" }
+libcrux-sha2 = { version = "=0.0.3", path = "../sha2" } 
 classic-mceliece-rust = { version = "3.1.0", features = [
     "mceliece460896f",
     "zeroize",
 ], optional = true }
 rand = { version = "0.9" }
 rand_old = { version = "0.8", package = "rand", optional = true }
-libcrux-ecdh = { version = "0.0.3", path = "../libcrux-ecdh", optional = true }
+libcrux-ecdh = { version = "0.0.3", path = "../libcrux-ecdh" }
+libcrux-ml-kem = { version = "0.0.3", path = "../libcrux-ml-kem", features = ["codec"] }  
 libcrux-ed25519 = { version = "0.0.3", path = "../ed25519", features = [
     "rand",
 ] }
+tls_codec = { version = "0.4.2", features = ["derive"] }
 
 [dev-dependencies]
 libcrux-psq = { path = ".", features = ["test-utils"] }
@@ -43,7 +46,7 @@ classic-mceliece = ["dep:classic-mceliece-rust", "rand_old"]
 # DO NOT USE: This feature enables implementations backed
 # by non-post-quantum KEMs and should only be used for
 # testing purposes and benchmark baselines.
-test-utils = ["libcrux-ecdh"]
+test-utils = []
 
 [[bench]]
 name = "psq"

@@ -10,6 +10,10 @@ use std::array::TryFromSliceError;
 #[derive(Debug)]
 /// PSQ Errors.
 pub enum Error {
+    /// An error during serialization.
+    Serialization,
+    /// The Initator message was stale
-    /// The Initator message was stale
+    /// The Initiator message was stale
-    /// The Initator message was stale
+    /// The Initiator message was stale
+    TimestampElapsed,
     /// An invalid public key was provided
     InvalidPublicKey,
     /// An invalid private key was provided
@@ -75,6 +79,7 @@ const PSK_LENGTH: usize = 32;
 type Psk = [u8; PSK_LENGTH];
 
 pub mod cred;
+pub mod protocol;
 pub mod psk_registration;
 
 #[cfg(feature = "classic-mceliece")]