X-Wing support (#437)

* xwing: Add X-Wing draft06 implementation

* xwing: Add tests and documentation

* xwing: Add test between decap key and seed

* xwing: Better explain when the underlying ML-KEM-768 key checks are performed

* xwing: nit

* Update CHANGELOG

CHANGELOG.md

@@ -4,11 +4,11 @@
 
 **Changelog:**
 - Add support for post-quantum ML-KEM from FIPS-203 ([#431](https://github.com/orion-rs/orion/pull/431)).
+- Add support for hybrid KEM X-Wing (draft06 version) ([#434](https://github.com/orion-rs/orion/issues/434)).
 - Implement `core::error::Error` instead of the `std`-version ([#440](https://github.com/orion-rs/orion/pull/440)).
 - Bump MSRV to `1.81.0`.
 - Update CI dependencies.
 
-
 ### 0.17.8
 
 **Date:** January 27, 2025.

README.md

@@ -12,7 +12,7 @@ Currently supports:
 * **Key exchange**: X25519.
 * **MAC**: HMAC, Poly1305.
 * **Stream ciphers**: (X)ChaCha20.
-* **KEM**: ML-KEM, DHKEM(X25519, HKDF-SHA256).
+* **KEM**: X-Wing, ML-KEM, DHKEM(X25519, HKDF-SHA256).
 
 Experimental support (with `experimental` feature enabled):
 * **Committing AEAD**: (X)ChaCha20-Poly1305-BLAKE2b.

src/hazardous/kem/mod.rs

@@ -31,3 +31,6 @@ mod ml_kem;
 pub use ml_kem::mlkem1024;
 pub use ml_kem::mlkem512;
 pub use ml_kem::mlkem768;
+
+/// X-Wing hybrid KEM as specified in [draft-connolly-cfrg-xwing-kem-06](https://www.ietf.org/archive/id/draft-connolly-cfrg-xwing-kem-06.html).
+pub mod xwing;