Add HPKE (Hybrid Public Key Encryption) support per RFC 9180

[MkDev11]

Add HPKE (Hybrid Public Key Encryption) support per RFC 9180

Summary

This implements HPKE Base mode as defined in RFC 9180, providing a simple single-shot API for hybrid public key encryption.

What's Included

• Single-shot API: suite.encrypt() and suite.decrypt() methods
• KEM: X25519 (DHKEM)
• KDF: HKDF-SHA256
• AEAD: AES-128-GCM

API Design

from cryptography.hazmat.primitives.hpke import Suite, KEM, KDF, AEAD
from cryptography.hazmat.primitives.asymmetric import x25519

suite = Suite(KEM.X25519, KDF.HKDF_SHA256, AEAD.AES_128_GCM)

# Generate recipient keys
private_key = x25519.X25519PrivateKey.generate()
public_key = private_key.public_key()

# Encrypt (returns enc || ciphertext)
ciphertext = suite.encrypt(b"secret message", public_key, info=b"app", aad=b"data")

# Decrypt
plaintext = suite.decrypt(ciphertext, private_key, info=b"app", aad=b"data")

Design Decisions

• Single-shot only: No multi-message context API in this initial version
• enc || ct format: Like Go's single-shot HPKE API
• Opaque enum values: Enum values are opaque strings, not RFC numeric identifiers

Closes

Closes #14073

[alex]

Please take a look at the failing CI jobs.

[MkDev11]

@reaperhulk @alex can you please review the PR and let me know the result?

[alex]

Please be more patient. This PR will get reviewed, but we all have day jobs.

[alex]

A few high level notes, I haven't reviewed in depth yet:

1. Vectors should be submitted in a seperate PR, in the vectors/ director and documented in test-vectors.rst
2. We strongly avoid subclassing, it shouldn't be necessary here.
3. uv.lock shouldn't be checked in, not sure why that's here
4. The overall size of this PR is too large to be effectively reviewed. The best path is likely to pare this down to a single algorithm of each type and then we can add additional algorithms in follow up PRs.

[alex]

I started reviewing, however I think my request on trimming this down was unclear:

We still want the initial PR to have the overall structure and final API we want, we just want to trim it down by implementing it for only one of the algorithms to reduce the code to review.

[alex]

The API here still doesn't match what was discussed on the issue, so I think we may be talking past each other. Can you explain why this has a different API?

[alex]

I see you're still working, so submitting some quick comments.

Are you intended to submit the vectors as a seperate PR?

[MkDev11]

I see you're still working, so submitting some quick comments.

Are you intended to submit the vectors as a seperate PR?

yes, I plan to submit the test vectors as a separate PR. should I create that PR now, or wait until the API design is finalized based on your feedback about the enc prepending behavior and thread safety concerns?

[alex]

The vectors can be submitted concurrently if they're ready, thanks.

[MkDev11]

The vectors can be submitted concurrently if they're ready, thanks.

sure, I can work on the vectors PR after this one is merged to avoid having multiple open PRs on Gittensor. is there any other feedback on the current implementation I should address in the meantime?

[alex]

I don't know what a git tensor is, but that's not going to dictate our development processes.

[MkDev11]

I don't know what a git tensor is, but that's not going to dictate our development processes.

understood, apologies for the confusion. i'll prepare the vectors PR. in the meantime, are there any other changes needed on this PR? I'm still waiting on clarification about the enc prepending behavior (always vs first message only) and the thread safety concern you mentioned

[MkDev11]

thanks for merging my PR. could you please review the changes I made?

[alex]

It's on my TODO list. Unless we've been radio silent for several days, there's no need to follow up, we haven't forgotten.

[MkDev11]

thanks for your feedback, just pushed the changes

[alex]

Hi, @reaperhulk and I discussed and we'd like to make the following changes to the API:

1. The enums for each KEM/AEAD/KDF shouldn't be the RFC value, they should just be opaque.
2. We want to start with a single-shot API only, so suite.encrypt() + suite.decrypt() with no multi-shot. The result will be enc || ct like Go's single-shot APIs.

This should hopefully make the PR much simpler/shorter to get started.

[MkDev11]

Hi, @reaperhulk and I discussed and we'd like to make the following changes to the API:

1. The enums for each KEM/AEAD/KDF shouldn't be the RFC value, they should just be opaque.
2. We want to start with a single-shot API only, so suite.encrypt() + suite.decrypt() with no multi-shot. The result will be enc || ct like Go's single-shot APIs.

This should hopefully make the PR much simpler/shorter to get started.

Updated to single-shot API per feedback:

• suite.encrypt() / suite.decrypt() instead of sender/recipient contexts
• Returns enc || ciphertext like Go's API
• Opaque enum values
• Removed multi-message support for simplicity