The Hybrid Encryption Imperative

As quantum computing advances, traditional encryption methods face existential threats. Zola Gonano's SARE (Safe At Rest Encryption) project tackles this by fusing post-quantum algorithms with classical cryptography—a hybrid approach ensuring fallback security if one layer fails. But this duality introduced a complex problem: managing multiple cryptographic keys without overwhelming users.

The Key Explosion Problem

SARE's architecture requires four distinct key pairs:
1. Post-quantum KEM (Key Encapsulation Mechanism) for establishing shared secrets
2. Classical Diffie-Hellman (X25519) for key exchange
3. Post-quantum signature algorithm (e.g., Dilithium)
4. Classical elliptic-curve signature (Ed25519)

Storing these separately would create usability nightmares. Gonano's solution? A single 128-byte master seed serving as the cryptographic root for all derived keys.

// Seed structure in SARE
pub struct Seed {
    raw_seed: SecretVec<u8>,
}

impl Seed {
    pub fn generate() -> Self {
        let mut raw_seed_buffer = vec![0u8; 128];
        OsRng.fill_bytes(&mut raw_seed_buffer);
        Seed { raw_seed: SecretVec::from(raw_seed_buffer) }
    }
}

Alien-Proof Security

Why 128 bytes? At 1,024 bits, SARE's seed offers brute-force resistance orders of magnitude beyond AES-256:
- AES-256: 2²⁵⁶ possible keys
- SARE seed: 2¹⁰²⁴ possible combinations
That's 2⁷⁶⁸ times more permutations than AES-256—a number larger than the atoms in the observable universe.

Practical Key Management

The seed converts to a 96-word mnemonic for human-readable backup:

pub fn to_mnemonic(&self) -> SecretString {
    let seed_chunks = self.raw_seed.expose_secret().chunks_exact(32);
    let mut mnemonic_phrase = String::new();

    for chunk in seed_chunks {
        let mnemonic = Mnemonic::from_entropy(chunk, Language::English).unwrap();
        mnemonic_phrase.push_str(mnemonic.phrase());
        mnemonic_phrase.push(' ');
    }
    SecretString::from(mnemonic_phrase.trim_end().to_string())
}

Users can store this seed encrypted via AES-Key-Wrap (AES-KW) or—less advised—in plaintext.

Algorithm-Agnostic Derivation

Magic bytes enable deterministic key generation for different algorithms:

const ED25519_MAGIC_BYTES: [u8; 4] = [25, 85, 210, 14];
const KYBER768_MAGIC_BYTES: [u8; 4] = [104, 7, 0, 0];

HKDF-SHA256/512 derives keys by combining the seed with algorithm-specific identifiers. This design ensures backward compatibility—new algorithms simply get new magic bytes without seed rotation.

Why This Matters

SARE's seed-centric architecture solves critical real-world problems:
1. Usability: No juggling multiple private keys
2. Future-proofing: Algorithm upgrades don't require rekeying
3. Graceful failure: Hybrid design maintains security even if one algorithm is compromised

As Gonano revives the project, SARE represents a pragmatic blueprint for post-quantum migration—where robust cryptography meets deployable engineering.

Source: Making of SARE: Master Seeds in Hybrid Post-Quantum Encryption by Zola Gonano. SARE is available on GitHub.