Danger
This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.
HPKE (Hybrid Public Key Encryption)
HPKE is a standard for public key encryption that combines a Key Encapsulation Mechanism (KEM), a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) scheme. It is defined in RFC 9180.
HPKE provides authenticated encryption: the recipient can be certain that the
message was encrypted by someone who knows the recipient’s public key, but
the sender is anonymous. Each call to Suite.encrypt() generates a fresh
ephemeral key pair, so encrypting the same plaintext twice will produce
different ciphertext.
The info parameter should be used to bind the encryption to a specific
context (e.g., “MyApp-v1-UserMessages”). Per RFC 9180 Section 8.1,
applications using single-shot APIs should use the info parameter for
specifying auxiliary authenticated information.
from cryptography.hazmat.primitives.hpke import Suite, KEM, KDF, AEAD
from cryptography.hazmat.primitives.asymmetric import x25519
suite = Suite(KEM.X25519, KDF.HKDF_SHA256, AEAD.AES_128_GCM)
# Generate recipient key pair
private_key = x25519.X25519PrivateKey.generate()
public_key = private_key.public_key()
# Encrypt
ciphertext = suite.encrypt(b"secret message", public_key, info=b"app info")
# Decrypt
plaintext = suite.decrypt(ciphertext, private_key, info=b"app info")
- class cryptography.hazmat.primitives.hpke.Suite(kem, kdf, aead)
An HPKE cipher suite combining a KEM, KDF, and AEAD.
- Parameters:
- encrypt(plaintext, public_key, info=b'')
Encrypt a message using HPKE.
- Parameters:
plaintext (bytes) – The message to encrypt.
public_key – The recipient’s public key. The type must match the
KEMchosen for the suite:X25519PublicKeyforKEM.X25519;EllipticCurvePublicKeyon the corresponding curve forKEM.P256,KEM.P384, andKEM.P521;MLKEM768PublicKeyforKEM.MLKEM768;MLKEM1024PublicKeyforKEM.MLKEM1024;MLKEM768X25519PublicKeyforKEM.MLKEM768_X25519; andMLKEM1024P384PublicKeyforKEM.MLKEM1024_P384.info (bytes) – Application-specific context string for binding the encryption to a specific application or protocol.
- Returns:
The encapsulated key concatenated with ciphertext (enc || ct).
- Return type:
- decrypt(ciphertext, private_key, info=b'')
Decrypt a message using HPKE.
- Parameters:
private_key – The recipient’s private key. The type must match the
KEMchosen for the suite:X25519PrivateKeyforKEM.X25519;EllipticCurvePrivateKeyon the corresponding curve forKEM.P256,KEM.P384, andKEM.P521;MLKEM768PrivateKeyforKEM.MLKEM768;MLKEM1024PrivateKeyforKEM.MLKEM1024;MLKEM768X25519PrivateKeyforKEM.MLKEM768_X25519; andMLKEM1024P384PrivateKeyforKEM.MLKEM1024_P384.info (bytes) – Application-specific context string (must match the value used during encryption).
- Returns:
The decrypted plaintext.
- Return type:
- Raises:
cryptography.exceptions.InvalidTag – If decryption fails.
- class cryptography.hazmat.primitives.hpke.KEM
An enumeration of key encapsulation mechanisms.
- enc_length()
Added in version 49.0.0.
- Returns:
The length in bytes of the encapsulated key (
enc) produced by this KEM. Theencis the prefix of the value returned bySuite.encrypt(), so this can be used to split the result intoencand the AEAD ciphertext:ciphertext = suite.encrypt(plaintext, public_key) enc_len = KEM.X25519.enc_length() enc, ct = ciphertext[:enc_len], ciphertext[enc_len:]
- Return type:
- X25519
DHKEM(X25519, HKDF-SHA256)
- P256
DHKEM(P-256, HKDF-SHA256)
- P384
DHKEM(P-384, HKDF-SHA384)
- P521
DHKEM(P-521, HKDF-SHA512)
- MLKEM768
ML-KEM-768. Post-quantum secure. Only available on backends that support ML-KEM.
- MLKEM1024
ML-KEM-1024. Post-quantum secure. Only available on backends that support ML-KEM.
- MLKEM768_X25519
A hybrid KEM combining ML-KEM-768 with X25519 (also known as X-Wing). Post-quantum secure. Only available on backends that support ML-KEM. Public and private keys are
MLKEM768X25519PublicKeyandMLKEM768X25519PrivateKey.
- MLKEM1024_P384
A hybrid KEM combining ML-KEM-1024 with P-384. Post-quantum secure. Only available on backends that support ML-KEM. Public and private keys are
MLKEM1024P384PublicKeyandMLKEM1024P384PrivateKey.
- class cryptography.hazmat.primitives.hpke.MLKEM768X25519PrivateKey(mlkem_key, x25519_key)
Added in version 47.0.0.
A hybrid ML-KEM-768 / X25519 private key for use with
KEM.MLKEM768_X25519. Combines anMLKEM768PrivateKeyand anX25519PrivateKeyinto a single recipient key.- Parameters:
mlkem_key (
MLKEM768PrivateKey) – The ML-KEM-768 private key component.x25519_key (
X25519PrivateKey) – The X25519 private key component.
- public_key()
- Returns:
- class cryptography.hazmat.primitives.hpke.MLKEM768X25519PublicKey(mlkem_key, x25519_key)
Added in version 47.0.0.
A hybrid ML-KEM-768 / X25519 public key for use with
KEM.MLKEM768_X25519. Combines anMLKEM768PublicKeyand anX25519PublicKeyinto a single recipient key.- Parameters:
mlkem_key (
MLKEM768PublicKey) – The ML-KEM-768 public key component.x25519_key (
X25519PublicKey) – The X25519 public key component.
- class cryptography.hazmat.primitives.hpke.MLKEM1024P384PrivateKey(mlkem_key, p384_key)
Added in version 47.0.0.
A hybrid ML-KEM-1024 / P-384 private key for use with
KEM.MLKEM1024_P384. Combines anMLKEM1024PrivateKeyand anEllipticCurvePrivateKeyon the SECP384R1 curve into a single recipient key.- Parameters:
mlkem_key (
MLKEM1024PrivateKey) – The ML-KEM-1024 private key component.p384_key (
EllipticCurvePrivateKey) – The P-384 private key component.
- public_key()
- Returns:
- class cryptography.hazmat.primitives.hpke.MLKEM1024P384PublicKey(mlkem_key, p384_key)
Added in version 47.0.0.
A hybrid ML-KEM-1024 / P-384 public key for use with
KEM.MLKEM1024_P384. Combines anMLKEM1024PublicKeyand anEllipticCurvePublicKeyon the SECP384R1 curve into a single recipient key.- Parameters:
mlkem_key (
MLKEM1024PublicKey) – The ML-KEM-1024 public key component.p384_key (
EllipticCurvePublicKey) – The P-384 public key component.