Warning
This code has not been audited. This design has not been analyzed. It is experimental and should not be used for production systems or critical security applications. Use at your own risk.
Thyrse is a transcript-based cryptographic protocol framework built on the
The security of every scheme reduces to the properties of the underlying sponge (indifferentiability from a random
oracle, pseudorandom function security, and collision resistance), all at a 128-bit security level (
Thyrse ships with a library of ready-to-use cryptographic schemes built on the core Protocol type.
| Scheme | What it does |
|---|---|
| digest | Hash (32 bytes) and HMAC (16 bytes) via New / NewKeyed |
| aead | Authenticated encryption implementing crypto/cipher.AEAD |
| siv | Nonce-misuse-resistant AEAD (Synthetic Initialization Vector) |
| aestream | Streaming authenticated encryption with io.Reader / io.Writer wrappers |
| oae2 | Online authenticated encryption with block-based streaming |
| mhf | Data-dependent memory-hard function (DEGSample, Blocki & Holman 2025) |
| Scheme | What it does |
|---|---|
| sig | EdDSA-style Schnorr signatures over Ristretto255 |
| hpke | Hybrid public-key encryption (static-ephemeral DH) |
| signcrypt | Signcryption — confidentiality, authenticity, and signer privacy in one shot |
| oprf | Oblivious pseudorandom function with blinding (RFC 9497-style) |
| vrf | Verifiable random function with proofs |
| pake | Password-authenticated key exchange (CPace-style) |
| frost | FROST threshold signatures (Flexible Round-Optimized Schnorr Threshold) |
| adratchet | Asynchronous double ratchet with forward secrecy and break-in recovery |
All schemes are in schemes/basic/ and schemes/complex/ respectively.
Under the hood, Thyrse accelerates large messages with TreeWrap — a tree-parallel authenticated encryption layer using Sakura flat-tree encoding with kangaroo hopping. TreeWrap cascades across SIMD widths (x1 → x2 → x4 → x8), saturating available vector units automatically.
| Platform | SIMD | Parallel lanes |
|---|---|---|
| x86-64 | AVX-512 | up to 8-wide |
| x86-64 | AVX2 | up to 4-wide |
| x86-64 | SSE2 | up to 2-wide (fallback) |
| ARM64 | NEON / FEAT_SHA3 | up to 4-wide |
| Any | Pure Go | all widths (portable) |
Build with -tags purego to disable assembly on any platform.
At the core is a Protocol — a transcript that accumulates data and derives cryptographic outputs via KT128
(KangarooTwelve, RFC 9861).
p := thyrse.New("myapp.v1")
p.Mix("user-id", userID)
p.Mix("nonce", nonce)
ct := p.Seal("message", nil, plaintext) // encrypt + authenticateKey operations: Mix, Derive, Ratchet, Mask/Unmask, Seal/Open, Fork/ForkN, Clone, Clear.
See the full specification for details.
MIT or Apache 2.0.