{"id":4193,"library":"pyhpke","title":"Python HPKE Implementation","description":"PyHPKE is a Python implementation of HPKE (Hybrid Public Key Encryption), providing mechanisms for authenticated encryption with associated data. It supports all HPKE modes and cipher suites defined in RFC9180. The library is currently at version 0.6.4 and maintains a regular release cadence with frequent minor updates and dependency bumps.","status":"active","version":"0.6.4","language":"en","source_language":"en","source_url":"https://github.com/dajiaji/pyhpke","tags":["cryptography","hpke","encryption","security","rfc9180"],"install":[{"cmd":"pip install pyhpke","lang":"bash","label":"Install PyHPKE"}],"dependencies":[{"reason":"Provides underlying cryptographic primitives.","package":"cryptography","optional":false}],"imports":[{"symbol":"CipherSuite","correct":"from pyhpke import CipherSuite"},{"symbol":"KEMKey","correct":"from pyhpke import KEMKey"},{"symbol":"KEMId","correct":"from pyhpke import KEMId"},{"symbol":"KDFId","correct":"from pyhpke import KDFId"},{"symbol":"AEADId","correct":"from pyhpke import AEADId"}],"quickstart":{"code":"from pyhpke import CipherSuite, KEMKey, KEMId, KDFId, AEADId\n\n# --- Sender Side ---\n# Define the HPKE cipher suite\nsuite_s = CipherSuite.new(\n    KEMId.DHKEM_X25519_HKDF_SHA256,\n    KDFId.HKDF_SHA256,\n    AEADId.AES128_GCM\n)\n\n# Recipient's public key (example PEM format)\npublic_key_pem = b\"\"\"-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VuAyEAoMfvlI5DN08JRFP2fhWvZ6vBEl28yFeS9O9YQUjNyCY=\n-----END PUBLIC KEY-----\"\"\"\npkr = KEMKey.from_pem(public_key_pem)\n\n# Create sender context and encapsulate key\nenc, sender = suite_s.create_sender_context(pkr)\n\n# Seal the message\nplaintext = b\"Hello world!\"\nciphertext = sender.seal(plaintext)\n\nprint(f\"Encapsulated Key: {enc.hex()}\")\nprint(f\"Ciphertext: {ciphertext.hex()}\")\n\n# --- Recipient Side ---\n# Define the same HPKE cipher suite\nsuite_r = CipherSuite.new(\n    KEMId.DHKEM_X25519_HKDF_SHA256,\n    KDFId.HKDF_SHA256,\n    AEADId.AES128_GCM\n)\n\n# Recipient's private key (example PEM format, corresponding to public_key_pem)\nprivate_key_pem = b\"\"\"-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VuBCIEIMAXvyHjAeXy9x4MXF6rwGbDKw7crgDriFTFXO+XsS1F\n-----END PRIVATE KEY-----\"\"\"\nskr = KEMKey.from_pem(private_key_pem)\n\n# Create recipient context and decapsulate key (using 'enc' from sender)\nrecipient = suite_r.create_recipient_context(enc, skr)\n\n# Open the message\ndecrypted_text = recipient.open(ciphertext)\n\nprint(f\"Decrypted Text: {decrypted_text.decode()}\")\nassert decrypted_text == plaintext","lang":"python","description":"This example demonstrates a basic HPKE 'Base' mode encryption and decryption flow. A sender creates a context using the recipient's public key, encapsulates a symmetric key, and seals a plaintext message. The recipient uses the encapsulated key and their private key to open the ciphertext."},"warnings":[{"fix":"Thoroughly review the codebase and cryptographic primitives or seek independent security audits for critical applications.","message":"The PyHPKE library has not undergone a formal security audit. Users should perform their own risk assessment before deploying it in production environments, especially for sensitive data.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Upgrade Python to 3.10 or newer (the current minimum supported version is 3.10) or pin pyhpke to a version prior to 0.6.0.","message":"Support for Python 3.8 was dropped in PyHPKE version 0.6.0. Users on Python 3.8 or older must upgrade their Python environment or use an earlier PyHPKE version (e.g., <0.6.0).","severity":"breaking","affected_versions":">=0.6.0"},{"fix":"Implement robust key management practices, securely generate and store keys, and use unique nonces for each encryption operation (e.g., using a secure random number generator).","message":"Cryptographic libraries require careful key management. Ensure private keys are stored securely, never hardcoded, and access is strictly controlled. Avoid nonce reuse for AEAD modes, as it can lead to severe security vulnerabilities.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}