pq_crypto 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 15356ea593b25eefd75360992b4b716df348601a5198b8085e271e866e431371
-  data.tar.gz: b9667b1d123009b44009b8819f02c1f2855bd5117bd6142faa36cef3bcd4bf22
+  metadata.gz: 534c420f62323e9ddb49b48acdfa7af869731e3273bda56637d6bfee753de8d7
+  data.tar.gz: f003494b4d33702a1b718dc6ded7a9f0612b315e41f0d739a5b2fe3ebba9d1d1
 SHA512:
-  metadata.gz: 722560e27ea481d4f9acaee6798b3a34c06796d5d365a2164cb6ca612917e1b6db0e06e36c74b7624b1f33a78ab3e91930f3e67b5e67988363c4498cba24e585
-  data.tar.gz: 843fdee9d26cca30bfe5e6013a759713a062f9d63b08544ea5727b86b3b94e9b58dab0a201d52d0fe2e94c6aedb6ec7c770743bab65ea6d1fbf8545a71d81abc
+  metadata.gz: 1a039325a13cf8c074741fb70edc1e66f4e4939727b4c1369665794bc6ed71ef1ed2ef50d9debd9064d850e4856fac166f325889a9df4bfd3d8849a2d7a918e9
+  data.tar.gz: 304888656181149eed84eca063e24eeb6c862819f6c54022e77b287ca4030b8602e9f61eb17809ad86ca0eea84796c6275a2afa12018ffdeaafc489c15c8f24a

data/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## [0.3.1] — 2026-04-24
+
+### Fixed — X-Wing draft-10 compatibility
+
+- Changed `:ml_kem_768_x25519_xwing` secret keys to the draft-10 32-byte
+  X-Wing decapsulation seed and derive ML-KEM/X25519 private material with
+  SHAKE256 during key generation and decapsulation.
+- Corrected the X-Wing combiner transcript to
+  `ss = SHA3-256( ss_M || ss_X || ct_X || pk_X || XWingLabel )`.
+- Updated the hybrid serialization OID to the X-Wing draft OID
+  `1.3.6.1.4.1.62253.25722`.
+- Redacted key `inspect` output, removed public secret-key fingerprints,
+  improved native extension load diagnostics, switched the extension build
+  flag to C11, and aligned docs with the implementation.
+
 ## [0.3.0] — 2026-04-24
 
 **Breaking release.** Hybrid KEM keys, ciphertexts, and `pqc_container_*`
@@ -9,17 +24,14 @@ and ML-DSA-65 material is unaffected.
 ### Changed — hybrid KEM (breaking)
 
 - Replaced the 0.2.0 ad-hoc `HKDF-SHA256`-with-double-transcript combiner
-  with the **X-Wing** construction from
-  [draft-connolly-cfrg-xwing-kem](https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/):
-  `ss = SHA3-256( XWingLabel || ss_M || ss_X || ct_X || pk_X )`, where
-  `XWingLabel` is the 6-byte ASCII string `\.//^\`.
+  with a SHA3-256 X-Wing-inspired combiner. This was later corrected in
+  `0.3.1` to match draft-10 transcript order and 32-byte secret keys.
 - Renamed the hybrid algorithm symbol
   `:ml_kem_768_x25519_hkdf_sha256` → `:ml_kem_768_x25519_xwing`.
 - Retired the 0.2.0 project-local hybrid OID
-  (`2.25.260242945110721168101139140490528778800`). The new OID
-  (`2.25.318532651283923671095712569430174917109`) identifies the X-Wing
-  combiner. `pqc_container_*` blobs carry the new OID; decoding a 0.2.0
-  hybrid container now fails fast with `SerializationError`.
+  (`2.25.260242945110721168101139140490528778800`). 0.3.0 used
+  `2.25.318532651283923671095712569430174917109`; this was later replaced
+  in `0.3.1` by the X-Wing draft OID.
 
 ### Changed — native code hygiene
 
@@ -39,9 +51,8 @@ and ML-DSA-65 material is unaffected.
   `hybrid_public_key_t`, `hybrid_secret_key_t`, and
   `hybrid_ciphertext_t` so any future change that introduces padding
   fails at compile time rather than silently shifting byte offsets.
-- Migrated PEM codec from `EVP_EncodeBlock` / `EVP_DecodeBlock` to the
-  streaming `EVP_EncodeUpdate` / `EVP_DecodeUpdate` API, which rejects
-  invalid base64 characters rather than treating them as zeros.
+- Migrated PEM codec to OpenSSL `BIO_f_base64` with stricter PEM
+  header/footer framing and trailing-garbage checks.
 - Deleted the entire internal HKDF and SHA-256 helper paths that 0.2.0
   used for its combiner; the X-Wing combiner is a single SHA3-256
   invocation through `EVP_DigestUpdate`.
@@ -61,9 +72,9 @@ and ML-DSA-65 material is unaffected.
   `CRYPTO_memcmp` through a new `PQCrypto.ct_equals` native helper, so
   key equality checks no longer leak timing information about a
   prefix-match.
-- `SecretKey#hash` (and `PublicKey#hash` for symmetry) now hash a
-  SHA-256 fingerprint of the bytes instead of the raw bytes, and a
-  public `#fingerprint` method is exposed.
+- `PublicKey#hash` and `SecretKey#hash` now hash a SHA-256 fingerprint
+  of the bytes instead of the raw bytes. The public secret-key fingerprint
+  method is removed in `0.3.1` to reduce accidental logging risk.
 - Native entrypoints and their `native_*` aliases are installed once via
   the new `PQCrypto::NativeBindings` module instead of the ad-hoc
   `unless method_defined?` guards on the singleton.
@@ -72,7 +83,8 @@ and ML-DSA-65 material is unaffected.
 
 ### Changed — packaging
 
-- `required_ruby_version` from `">= 3.4.0.a"` to `">= 3.4"`.
+- Intended to change `required_ruby_version` from `">= 3.4.0.a"` to
+  `">= 3.4"`; the gemspec is aligned in `0.3.1`.
 - Version bumped to `0.3.0`.
 - `VerificationError` class is still defined (and still raised by
   `verify!`) for backward compatibility, but the native `verify`

data/GET_STARTED.md

@@ -43,6 +43,9 @@ result = hybrid.public_key.encapsulate
 shared_secret = hybrid.secret_key.decapsulate(result.ciphertext)
 ```
 
+The raw X-Wing secret key exported by this API is the draft-10 32-byte
+decapsulation seed, not the expanded ML-KEM/X25519 private material.
+
 The hybrid mode follows `draft-connolly-cfrg-xwing-kem`. See
 `SECURITY.md` for audit status.
 

data/README.md

@@ -13,8 +13,8 @@ It exposes three public building blocks:
 The gem is backed by vendored `PQClean` sources for `ML-KEM-768` /
 `ML-DSA-65` and by OpenSSL for `X25519` and `SHA3-256`. Every piece of
 conventional-crypto functionality goes through standard library calls
-(`EVP_*`, `RAND_bytes`, `CRYPTO_memcmp`, streaming `EVP_Encode*` /
-`EVP_Decode*`) — nothing roll-your-own where a library primitive exists.
+(`EVP_*`, `RAND_bytes`, `CRYPTO_memcmp`, `BIO_f_base64`) — nothing
+roll-your-own where a library primitive exists.
 
 ## Status
 
@@ -42,7 +42,7 @@ bundle exec rake compile
 
 - Ruby 3.4.x
 - a C toolchain with C11 support (for `_Static_assert` / `_Thread_local`)
-- OpenSSL **3.0 or later** with SHA3-256 available (default provider)
+- OpenSSL **3.0 or later** with SHA3-256 and SHAKE256 available (default provider)
 
 ## Async / Fiber scheduler support
 
@@ -120,14 +120,16 @@ result = keypair.public_key.encapsulate
 shared_secret = keypair.secret_key.decapsulate(result.ciphertext)
 ```
 
-The combiner is exactly:
+The implementation follows draft-10 key expansion: the X-Wing secret
+decapsulation key is a 32-byte seed expanded with SHAKE256 into ML-KEM
+and X25519 private material. The combiner is exactly:
 
 ```
-ss = SHA3-256( "\.//^\" || ss_M || ss_X || ct_X || pk_X )
+ss = SHA3-256( ss_M || ss_X || ct_X || pk_X || "\.//^\" )
 ```
 
-as specified by `draft-connolly-cfrg-xwing-kem`. See `SECURITY.md` for
-audit status and interoperability caveats.
+as specified by `draft-connolly-cfrg-xwing-kem-10`. See `SECURITY.md`
+for audit status and interoperability caveats.
 
 ## Serialization
 
@@ -172,6 +174,12 @@ key.wipe!                  # scrub the key's internal copy
 `CRYPTO_memcmp` through a `PQCrypto.ct_equals` helper so comparisons
 do not leak timing information about a prefix match.
 
+Secret key `inspect` output is intentionally redacted and secret key
+objects do not expose a public `fingerprint` method. `wipe!` remains
+best-effort only: it clears the current Ruby string buffer owned by the
+key object, not every possible copy made by Ruby, OpenSSL, serialization,
+logging, or the garbage collector.
+
 ## Introspection
 
 ```ruby

data/SECURITY.md

@@ -2,7 +2,7 @@
 
 ## Scope of the public API
 
-`pq_crypto` 0.3.0 exposes a primitive-first public surface:
+`pq_crypto` exposes a primitive-first public surface:
 
 - `PQCrypto::KEM` (`ML-KEM-768`)
 - `PQCrypto::Signature` (`ML-DSA-65`)
@@ -29,23 +29,25 @@ gem.
 ### HybridKEM
 
 `PQCrypto::HybridKEM` implements the **X-Wing** construction from
-[`draft-connolly-cfrg-xwing-kem`](https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/):
+[`draft-connolly-cfrg-xwing-kem-10`](https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/).
 
-    ss = SHA3-256( XWingLabel || ss_M || ss_X || ct_X || pk_X )
+The X-Wing secret decapsulation key is a 32-byte seed. It is expanded
+with SHAKE256 into the ML-KEM-768 and X25519 private material used
+internally for decapsulation. The public key and ciphertext are the
+fixed-length concatenations specified by the draft.
 
-where `XWingLabel = "\.//^\"` (6 ASCII bytes). The hybrid public key,
-secret key, and ciphertext are the byte concatenations of the ML-KEM
-and X25519 halves exactly as specified by X-Wing.
+    ss = SHA3-256( ss_M || ss_X || ct_X || pk_X || XWingLabel )
+
+where `XWingLabel = "\.//^\"` (6 ASCII bytes).
 
 X-Wing as specified has a proof of classical IND-CCA security under
 the strong Diffie-Hellman assumption for X25519 (in the ROM), and
 post-quantum IND-CCA security in the standard model assuming ML-KEM-768
 is IND-CCA secure and SHA3-256 behaves as a PRF.
 
-This gem is **not** yet part of a cross-language X-Wing interop test
-suite; wire-format claims for this release are limited to "follows the
-X-Wing draft as of version 10." External interoperability should be
-verified against the reference implementation before relying on it.
+This gem is intended to match the X-Wing draft as of version 10. External
+interoperability should still be verified against the reference
+implementation before relying on it.
 
 ### Deterministic test hooks
 
@@ -68,16 +70,16 @@ They are:
 - not real PKCS#8
 - not advertised as interoperable with OpenSSL, Go, Java, or PKI tooling
 
-The OIDs embedded in these containers are project-local UUID-derived
-OIDs under `2.25.*`. They are part of pq_crypto's own serialized
-container schema, not external interoperability identifiers.
+The `pqc_container_*` envelope itself is project-specific. ML-KEM and
+ML-DSA currently use project-local UUID-derived OIDs under `2.25.*`.
+Hybrid X-Wing uses the draft X-Wing OID `1.3.6.1.4.1.62253.25722`.
 
 The hybrid OID used by 0.2.0
-(`2.25.260242945110721168101139140490528778800`) is retired in 0.3.0
-because the combiner semantics changed (0.2.0 used an ad-hoc
-HKDF-SHA256 combiner; 0.3.0 uses X-Wing / SHA3-256). The new hybrid
-OID is `2.25.318532651283923671095712569430174917109`. A 0.2.0 hybrid
-container is rejected at decode time in 0.3.0.
+(`2.25.260242945110721168101139140490528778800`) is retired. The
+intermediate 0.3.0 project-local hybrid OID
+(`2.25.318532651283923671095712569430174917109`) is also retired in
+favor of the draft X-Wing OID. Older hybrid containers are rejected at
+decode time.
 
 ## Memory wiping
 
@@ -98,9 +100,19 @@ OpenSSL is used for:
 - `SHA3-256` (X-Wing combiner, via `EVP_sha3_256`)
 - `RAND_bytes` (production entropy source for `randombytes()`)
 - `CRYPTO_memcmp` (constant-time comparison used by `PQCrypto.ct_equals`)
-- Base64 encode/decode for PEM via the streaming `EVP_Encode*` /
-  `EVP_Decode*` API, which rejects invalid base64 rather than treating
-  it as zeros.
+- Base64 encode/decode for PEM via OpenSSL `BIO_f_base64`, with strict
+  header/footer framing and trailing-garbage checks.
+
+## Secret key display and wiping
+
+Secret key objects redact `inspect` output and intentionally do not expose
+a public `fingerprint` method. This avoids accidental logging of raw secret
+bytes or stable secret-derived identifiers.
+
+`wipe!` is best-effort only. It wipes the current Ruby string buffer held
+by the key object; it cannot guarantee erasure of copies made by Ruby,
+OpenSSL, native wrapper buffers, serialization, logging, crash dumps, or
+the garbage collector.
 
 ## Threading
 

data/ext/pqcrypto/extconf.rb

@@ -3,7 +3,7 @@
 
 require "mkmf"
 
-$CFLAGS << " -std=c99 -Wall -Wextra -O2"
+$CFLAGS << " -std=c11 -Wall -Wextra -O2"
 $CFLAGS << " -fstack-protector-strong -D_FORTIFY_SOURCE=2"
 VENDOR_ONLY_CFLAGS = "-Wno-unused-parameter -Wno-unused-function -Wno-strict-prototypes -Wno-pedantic -Wno-c23-extensions -Wno-undef"
 
@@ -15,6 +15,7 @@ SANITIZE = ENV["PQCRYPTO_SANITIZE"]
 
 if SANITIZE && !SANITIZE.strip.empty?
   sanitize = SANITIZE.strip
+  $CFLAGS.gsub!(/\s-D_FORTIFY_SOURCE=\d+/, "")
   $CFLAGS << " -O1 -g -fno-omit-frame-pointer -fsanitize=#{sanitize}"
   $LDFLAGS << " -fsanitize=#{sanitize}"
 end
@@ -72,6 +73,15 @@ def configure_openssl!
   SRC
   abort "OpenSSL SHA3-256 is required (X-Wing combiner)" unless try_compile(sha3_check)
 
+  shake_check = <<~SRC
+    #include <openssl/evp.h>
+    int main(void) {
+        const EVP_MD *md = EVP_shake256();
+        return md == NULL ? 1 : 0;
+    }
+  SRC
+  abort "OpenSSL SHAKE256 is required (X-Wing key expansion)" unless try_compile(shake_check)
+
   $CFLAGS << " -DHAVE_OPENSSL_EVP_H -DHAVE_OPENSSL_RAND_H"
 end
 

data/ext/pqcrypto/pqcrypto_ruby_secure.c

@@ -8,6 +8,10 @@
 
 #include "pqcrypto_secure.h"
 
+#ifndef RB_NOGVL_OFFLOAD_SAFE
+#define RB_NOGVL_OFFLOAD_SAFE 0
+#endif
+
 typedef struct {
     int result;
     uint8_t *public_key;

data/ext/pqcrypto/pqcrypto_secure.c

@@ -99,6 +99,32 @@ cleanup:
     return ret;
 }
 
+static int x25519_public_from_private(uint8_t *pk, const uint8_t *sk) {
+    EVP_PKEY *pkey = NULL;
+    size_t pklen = X25519_PUBLICKEYBYTES;
+    int ret = PQ_ERROR_KEYPAIR;
+
+    if (!pk || !sk) {
+        return PQ_ERROR_BUFFER;
+    }
+
+    pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, sk, X25519_SECRETKEYBYTES);
+    if (!pkey)
+        goto cleanup;
+
+    if (EVP_PKEY_get_raw_public_key(pkey, pk, &pklen) <= 0)
+        goto cleanup;
+    if (pklen != X25519_PUBLICKEYBYTES)
+        goto cleanup;
+
+    ret = PQ_SUCCESS;
+
+cleanup:
+    if (pkey)
+        EVP_PKEY_free(pkey);
+    return ret;
+}
+
 static int x25519_shared_secret(uint8_t *shared, const uint8_t *their_pk, const uint8_t *my_sk) {
     EVP_PKEY_CTX *ctx = NULL;
     EVP_PKEY *pkey = NULL;
@@ -159,8 +185,6 @@ static int xwing_combiner(uint8_t shared_secret[HYBRID_SHAREDSECRETBYTES],
 
     if (EVP_DigestInit_ex(ctx, EVP_sha3_256(), NULL) != 1)
         goto cleanup;
-    if (EVP_DigestUpdate(ctx, XWING_LABEL, sizeof(XWING_LABEL)) != 1)
-        goto cleanup;
     if (EVP_DigestUpdate(ctx, ss_M, MLKEM_SHAREDSECRETBYTES) != 1)
         goto cleanup;
     if (EVP_DigestUpdate(ctx, ss_X, X25519_SHAREDSECRETBYTES) != 1)
@@ -169,6 +193,8 @@ static int xwing_combiner(uint8_t shared_secret[HYBRID_SHAREDSECRETBYTES],
         goto cleanup;
     if (EVP_DigestUpdate(ctx, pk_X, X25519_PUBLICKEYBYTES) != 1)
         goto cleanup;
+    if (EVP_DigestUpdate(ctx, XWING_LABEL, sizeof(XWING_LABEL)) != 1)
+        goto cleanup;
     if (EVP_DigestFinal_ex(ctx, shared_secret, &out_len) != 1)
         goto cleanup;
     if (out_len != HYBRID_SHAREDSECRETBYTES)
@@ -181,6 +207,55 @@ cleanup:
     return ret;
 }
 
+static int xwing_expand_secret_key(hybrid_expanded_secret_key_t *expanded_key,
+                                   const uint8_t seed[HYBRID_SECRETKEYBYTES]) {
+    EVP_MD_CTX *ctx = NULL;
+    uint8_t expanded[XWING_EXPANDEDBYTES];
+    int ret = PQ_ERROR_OPENSSL;
+
+    if (!expanded_key || !seed) {
+        return PQ_ERROR_BUFFER;
+    }
+
+    memset(expanded_key, 0, sizeof(*expanded_key));
+    memset(expanded, 0, sizeof(expanded));
+
+    ctx = EVP_MD_CTX_new();
+    if (!ctx)
+        goto cleanup;
+
+    if (EVP_DigestInit_ex(ctx, EVP_shake256(), NULL) != 1)
+        goto cleanup;
+    if (EVP_DigestUpdate(ctx, seed, HYBRID_SECRETKEYBYTES) != 1)
+        goto cleanup;
+    if (EVP_DigestFinalXOF(ctx, expanded, sizeof(expanded)) != 1)
+        goto cleanup;
+
+    ret = PQCLEAN_MLKEM768_CLEAN_crypto_kem_keypair_derand(expanded_key->mlkem_pk,
+                                                           expanded_key->mlkem_sk, expanded);
+    if (ret != 0) {
+        ret = PQ_ERROR_KEYPAIR;
+        goto cleanup;
+    }
+
+    memcpy(expanded_key->x25519_sk, expanded + 64, X25519_SECRETKEYBYTES);
+    ret = x25519_public_from_private(expanded_key->x25519_pk, expanded_key->x25519_sk);
+    if (ret != PQ_SUCCESS) {
+        goto cleanup;
+    }
+
+    ret = PQ_SUCCESS;
+
+cleanup:
+    if (ctx)
+        EVP_MD_CTX_free(ctx);
+    pq_secure_wipe(expanded, sizeof(expanded));
+    if (ret != PQ_SUCCESS && expanded_key) {
+        pq_secure_wipe(expanded_key, sizeof(*expanded_key));
+    }
+    return ret;
+}
+
 int pq_mlkem_keypair(uint8_t *pk, uint8_t *sk) {
     return PQCLEAN_MLKEM768_CLEAN_crypto_kem_keypair(pk, sk) == 0 ? PQ_SUCCESS : PQ_ERROR_KEYPAIR;
 }
@@ -278,35 +353,36 @@ int pq_testing_mldsa_sign_from_seed(uint8_t *signature, size_t *signature_len,
 
 int pq_hybrid_kem_keypair(uint8_t *public_key, uint8_t *secret_key) {
     hybrid_public_key_t pk;
-    hybrid_secret_key_t sk;
-    int ret;
+    hybrid_expanded_secret_key_t expanded;
+    uint8_t seed[HYBRID_SECRETKEYBYTES];
+    int ret = PQ_SUCCESS;
 
     if (!public_key || !secret_key) {
         return PQ_ERROR_BUFFER;
     }
 
     memset(&pk, 0, sizeof(pk));
-    memset(&sk, 0, sizeof(sk));
+    memset(&expanded, 0, sizeof(expanded));
+    memset(seed, 0, sizeof(seed));
 
-    ret = PQCLEAN_MLKEM768_CLEAN_crypto_kem_keypair(pk.mlkem_pk, sk.mlkem_sk) == 0
-              ? PQ_SUCCESS
-              : PQ_ERROR_KEYPAIR;
-    if (ret != PQ_SUCCESS) {
+    if (RAND_bytes(seed, sizeof(seed)) != 1) {
+        ret = PQ_ERROR_RANDOM;
         goto cleanup;
     }
 
-    ret = x25519_keypair(pk.x25519_pk, sk.x25519_sk);
+    ret = xwing_expand_secret_key(&expanded, seed);
     if (ret != PQ_SUCCESS) {
         goto cleanup;
     }
 
+    memcpy(pk.mlkem_pk, expanded.mlkem_pk, MLKEM_PUBLICKEYBYTES);
+    memcpy(pk.x25519_pk, expanded.x25519_pk, X25519_PUBLICKEYBYTES);
     memcpy(public_key, &pk, HYBRID_PUBLICKEYBYTES);
-    memcpy(secret_key, &sk, HYBRID_SECRETKEYBYTES);
+    memcpy(secret_key, seed, HYBRID_SECRETKEYBYTES);
 
 cleanup:
-    pq_secure_wipe(&sk, sizeof(sk));
-
-    pq_secure_wipe(&pk, sizeof(pk));
+    pq_secure_wipe(seed, sizeof(seed));
+    pq_secure_wipe(&expanded, sizeof(expanded));
     return ret;
 }
 
@@ -357,20 +433,15 @@ cleanup:
     pq_secure_wipe(mlkem_ss, sizeof(mlkem_ss));
     pq_secure_wipe(x25519_ss, sizeof(x25519_ss));
     pq_secure_wipe(x25519_ephemeral_sk, sizeof(x25519_ephemeral_sk));
-    pq_secure_wipe(&pk, sizeof(pk));
-    pq_secure_wipe(&ct, sizeof(ct));
     return ret;
 }
 
 int pq_hybrid_kem_decapsulate(uint8_t *shared_secret, const uint8_t *ciphertext,
                               const uint8_t *secret_key) {
     hybrid_ciphertext_t ct;
-    hybrid_secret_key_t sk;
-    uint8_t recipient_x25519_pk[X25519_PUBLICKEYBYTES];
+    hybrid_expanded_secret_key_t expanded;
     uint8_t mlkem_ss[MLKEM_SHAREDSECRETBYTES];
     uint8_t x25519_ss[X25519_SHAREDSECRETBYTES];
-    EVP_PKEY *pkey = NULL;
-    size_t pklen = X25519_PUBLICKEYBYTES;
     int ret = PQ_SUCCESS;
 
     if (!shared_secret || !ciphertext || !secret_key) {
@@ -378,44 +449,34 @@ int pq_hybrid_kem_decapsulate(uint8_t *shared_secret, const uint8_t *ciphertext,
     }
 
     memcpy(&ct, ciphertext, HYBRID_CIPHERTEXTBYTES);
-    memcpy(&sk, secret_key, HYBRID_SECRETKEYBYTES);
-    memset(recipient_x25519_pk, 0, sizeof(recipient_x25519_pk));
+    memset(&expanded, 0, sizeof(expanded));
     memset(mlkem_ss, 0, sizeof(mlkem_ss));
     memset(x25519_ss, 0, sizeof(x25519_ss));
 
-    if (PQCLEAN_MLKEM768_CLEAN_crypto_kem_dec(mlkem_ss, ct.mlkem_ct, sk.mlkem_sk) != 0) {
-        ret = PQ_ERROR_DECAPSULATE;
-        goto cleanup;
-    }
-
-    ret = x25519_shared_secret(x25519_ss, ct.x25519_ephemeral, sk.x25519_sk);
+    ret = xwing_expand_secret_key(&expanded, secret_key);
     if (ret != PQ_SUCCESS) {
         ret = PQ_ERROR_DECAPSULATE;
         goto cleanup;
     }
 
-    pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_X25519, NULL, sk.x25519_sk, X25519_SECRETKEYBYTES);
-    if (!pkey) {
+    if (PQCLEAN_MLKEM768_CLEAN_crypto_kem_dec(mlkem_ss, ct.mlkem_ct, expanded.mlkem_sk) != 0) {
         ret = PQ_ERROR_DECAPSULATE;
         goto cleanup;
     }
-    if (EVP_PKEY_get_raw_public_key(pkey, recipient_x25519_pk, &pklen) <= 0 ||
-        pklen != X25519_PUBLICKEYBYTES) {
+
+    ret = x25519_shared_secret(x25519_ss, ct.x25519_ephemeral, expanded.x25519_sk);
+    if (ret != PQ_SUCCESS) {
         ret = PQ_ERROR_DECAPSULATE;
         goto cleanup;
     }
 
-    ret = xwing_combiner(shared_secret, mlkem_ss, x25519_ss, ct.x25519_ephemeral,
-                         recipient_x25519_pk);
+    ret =
+        xwing_combiner(shared_secret, mlkem_ss, x25519_ss, ct.x25519_ephemeral, expanded.x25519_pk);
 
 cleanup:
-    if (pkey)
-        EVP_PKEY_free(pkey);
-    pq_secure_wipe(recipient_x25519_pk, sizeof(recipient_x25519_pk));
     pq_secure_wipe(mlkem_ss, sizeof(mlkem_ss));
     pq_secure_wipe(x25519_ss, sizeof(x25519_ss));
-    pq_secure_wipe(&ct, sizeof(ct));
-    pq_secure_wipe(&sk, sizeof(sk));
+    pq_secure_wipe(&expanded, sizeof(expanded));
     return ret;
 }
 
@@ -429,8 +490,7 @@ cleanup:
 
 static const char PQC_OID_ML_KEM_768[] = "2.25.186599352125448088867056807454444238446";
 
-static const char PQC_OID_ML_KEM_768_X25519_XWING[] =
-    "2.25.318532651283923671095712569430174917109";
+static const char PQC_OID_ML_KEM_768_X25519_XWING[] = "1.3.6.1.4.1.62253.25722";
 static const char PQC_OID_ML_DSA_65[] = "2.25.305232938483772195555080795650659207792";
 static const char PQC_PUBLIC_KEY_PEM_LABEL[] = "PQC PUBLIC KEY CONTAINER";
 static const char PQC_PRIVATE_KEY_PEM_LABEL[] = "PQC PRIVATE KEY CONTAINER";

data/ext/pqcrypto/pqcrypto_secure.h

@@ -23,9 +23,11 @@
 #define X25519_PUBLICKEYBYTES    32
 #define X25519_SECRETKEYBYTES    32
 #define X25519_SHAREDSECRETBYTES 32
+#define XWING_SEEDBYTES          32
+#define XWING_EXPANDEDBYTES      96
 
 #define HYBRID_PUBLICKEYBYTES    (MLKEM_PUBLICKEYBYTES + X25519_PUBLICKEYBYTES)
-#define HYBRID_SECRETKEYBYTES    (MLKEM_SECRETKEYBYTES + X25519_SECRETKEYBYTES)
+#define HYBRID_SECRETKEYBYTES    XWING_SEEDBYTES
 #define HYBRID_CIPHERTEXTBYTES   (MLKEM_CIPHERTEXTBYTES + X25519_PUBLICKEYBYTES)
 #define HYBRID_SHAREDSECRETBYTES 32
 
@@ -48,10 +50,16 @@ typedef struct {
     uint8_t x25519_pk[X25519_PUBLICKEYBYTES];
 } hybrid_public_key_t;
 
+typedef struct {
+    uint8_t seed[XWING_SEEDBYTES];
+} hybrid_secret_key_t;
+
 typedef struct {
     uint8_t mlkem_sk[MLKEM_SECRETKEYBYTES];
     uint8_t x25519_sk[X25519_SECRETKEYBYTES];
-} hybrid_secret_key_t;
+    uint8_t mlkem_pk[MLKEM_PUBLICKEYBYTES];
+    uint8_t x25519_pk[X25519_PUBLICKEYBYTES];
+} hybrid_expanded_secret_key_t;
 
 typedef struct {
     uint8_t mlkem_ct[MLKEM_CIPHERTEXTBYTES];

data/lib/pq_crypto/kem.rb

@@ -184,11 +184,11 @@ module PQCrypto
       alias eql? ==
 
       def hash
-        fingerprint.hash
+        object_id.hash
       end
 
-      def fingerprint
-        Digest::SHA256.digest(@bytes)
+      def inspect
+        "#<#{self.class}:0x#{object_id.to_s(16)} algorithm=#{algorithm.inspect}>"
       end
 
       private
@@ -206,6 +206,10 @@ module PQCrypto
         @ciphertext = String(ciphertext).b
         @shared_secret = String(shared_secret).b
       end
+
+      def inspect
+        "#<#{self.class}:0x#{object_id.to_s(16)} ciphertext_bytes=#{@ciphertext.bytesize} shared_secret_bytes=#{@shared_secret.bytesize}>"
+      end
     end
   end
 end

data/lib/pq_crypto/serialization.rb

@@ -9,7 +9,7 @@ module PQCrypto
       }.freeze,
       ml_kem_768_x25519_xwing: {
         family: :ml_kem_hybrid,
-        oid: "2.25.318532651283923671095712569430174917109",
+        oid: "1.3.6.1.4.1.62253.25722",
       }.freeze,
       ml_dsa_65: {
         family: :ml_dsa,

data/lib/pq_crypto/signature.rb

@@ -188,11 +188,11 @@ module PQCrypto
       alias eql? ==
 
       def hash
-        fingerprint.hash
+        object_id.hash
       end
 
-      def fingerprint
-        Digest::SHA256.digest(@bytes)
+      def inspect
+        "#<#{self.class}:0x#{object_id.to_s(16)} algorithm=#{algorithm.inspect}>"
       end
 
       private

data/lib/pq_crypto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PQCrypto
-  VERSION = "0.3.0"
+  VERSION = "0.3.1"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: pq_crypto
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Roman Haydarov
 bindir: exe
 cert_chain: []
-date: 2026-04-24 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -163,14 +163,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.4.0.a
+      version: 3.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Primitive-first post-quantum cryptography for Ruby
 test_files: []