Warning
This code has not been audited. This design has not been analyzed. It is experimental and should not be used for production systems or critical security applications. Use at your own risk.
Thyrse is a transcript-based cryptographic protocol framework built on the KT128 hash function and the TW128 authenticated cipher. Inspired by STROBE, Noise Protocol, and Xoodyak, it replaces the usual grab-bag of hash functions, MACs, and KDFs with a single construction. Optimized for modern CPUs (AVX-512, NEON/FEAT_SHA3), Thyrse delivers 10+ Gb/s on modern processors at a 128-bit security level.
Confidentiality and authenticity come from TW128, a tree-parallel authenticated cipher; its authentication tag is
absorbed into the KT128 transcript, so every output commits collision-resistantly to the encrypted message. The
security of every scheme therefore reduces to the properties of the underlying hash function (indifferentiability from a
random oracle, pseudorandom function security, and collision resistance) and the TW128 cipher, all at a
128-bit security level (
Thyrse ships with a library of ready-to-use cryptographic schemes built on the core Protocol type.
| Scheme | What it does |
|---|---|
| digest | Hash (32 bytes) and HMAC (16 bytes) via New / NewKeyed |
| aead | Authenticated encryption implementing crypto/cipher.AEAD |
| siv | Nonce-misuse-resistant AEAD (Synthetic Initialization Vector) |
| aestream | Streaming authenticated encryption with io.Reader / io.Writer wrappers |
| oae2 | Online authenticated encryption with block-based streaming |
| mhf | Data-dependent memory-hard function (DEGSample, Blocki & Holman 2025) |
| Scheme | What it does |
|---|---|
| sig | EdDSA-style Schnorr signatures over Ristretto255 |
| hpke | Hybrid public-key encryption (static-ephemeral DH) |
| signcrypt | Signcryption — confidentiality, authenticity, and signer privacy in one shot |
| oprf | Oblivious pseudorandom function with blinding (RFC 9497-style) |
| vrf | Verifiable random function with proofs |
| pake | Password-authenticated key exchange (CPace-style) |
| frost | FROST threshold signatures (Flexible Round-Optimized Schnorr Threshold) |
| adratchet | Asynchronous double ratchet with forward secrecy and break-in recovery |
All schemes are in schemes/basic/ and schemes/complex/ respectively.
Under the hood, Thyrse hashes inputs and derives keys with KT128, a tree-parallel, permutation-based construction that uses SIMD instructions for lower latency on short inputs and higher throughput on long ones.
| Platform | SIMD | Parallel lanes |
|---|---|---|
| x86-64 | AVX-512 / AVX2 | 8-wide |
| ARM64 | NEON / FEAT_SHA3 | up to 4-wide |
| Any | Pure Go | all widths (portable) |
Encryption uses TW128, a tree-parallel authenticated cipher built on the same Keccak-p[1600] permutation as KT128, so confidentiality and authenticity share one primitive and one SIMD code path. The TW128 tag is absorbed into the KT128 transcript, binding every subsequent output to the encrypted message without a separate authentication primitive.
Build with -tags purego to disable assembly on any platform.
At the core is a Protocol — a transcript that accumulates data and derives cryptographic outputs.
p := thyrse.New("myapp.v1")
p.Mix("user-id", userID)
p.Mix("nonce", nonce)
ct := p.Seal("message", nil, plaintext) // encrypt + authenticateKey operations: Mix, Derive, Ratchet, Mask/Unmask, Seal/Open, Fork/ForkN, Clone, Clear.
MIT or Apache 2.0.