PHPackages                             secudoc/php-liboqs - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Security](/categories/security)
4. /
5. secudoc/php-liboqs

ActivePhp-ext[Security](/categories/security)

secudoc/php-liboqs
==================

PHP extension wrapping liboqs (post-quantum cryptography).

v0.3.3(2mo ago)38MITCPHP ^8.3 || ^8.4 || ^8.5

Since Oct 17Pushed 2mo agoCompare

[ Source](https://github.com/secudoc/php-liboqs)[ Packagist](https://packagist.org/packages/secudoc/php-liboqs)[ Docs](https://github.com/secudoc/php-liboqs)[ RSS](/packages/secudoc-php-liboqs/feed)WikiDiscussions main Synced 1mo ago

READMEChangelog (5)DependenciesVersions (6)Used By (0)

OQS Wrapper Extension
=====================

[](#oqs-wrapper-extension)

A minimal PHP extension wrapping [liboqs](https://openquantumsafe.org/liboqs/) KEM and signature APIs into a namespaced API suitable for the [SecuDoc](https://www.secudoc.nl/) stack. The runtime namespace, configure flag, and module name are **`OQS`** (extension: `oqs.so`).

> Note on naming: NIST standardized Kyber as **ML-KEM** (FIPS 203). liboqs exposes both names (`Kyber{512,768,1024}` and `ML-KEM-{512,768,1024}`) depending on build options. This extension accepts whatever your liboqs provides.

Once PHP natively supports PQC, this wrapper will likely be deprecated.

---

API
---

[](#api)

### KEM

[](#kem)

`OQS\KEM` exposes post-quantum key encapsulation:

- `OQS\KEM::algorithms(): string[]` — list enabled KEM identifiers.
- `OQS\KEM::keypair(string $algorithm): array{0: string $publicKey, 1: string $secretKey, publicKey: string, secretKey: string}`
- `OQS\KEM::encapsulate(string $algorithm, string $publicKey): array{0: string $ciphertext, 1: string $sharedSecret, ciphertext: string, sharedSecret: string}`
- `OQS\KEM::decapsulate(string $algorithm, string $ciphertext, string $secretKey): string`

All algorithm identifiers surfaced by liboqs are also available as class constants, e.g. `OQS\KEM::ALG_KYBER768` and/or `OQS\KEM::ALG_ML_KEM_768` (depending on your liboqs build).

> **Binary outputs**: All keys, ciphertexts, and shared secrets are raw binary strings. Base64-encode if you need printable or JSON-safe values.

> **Secret handling**: temporary native buffers are wiped with `OQS_MEM_cleanse`, but returned PHP strings remain managed by the Zend engine and are not guaranteed to be securely erased later. Treat secret keys and shared secrets as sensitive application data.

### Signatures

[](#signatures)

`OQS\Signature` wraps stateless PQ signatures:

- `OQS\Signature::algorithms(): string[]`
- `OQS\Signature::keypair(string $algorithm): array{0: string $publicKey, 1: string $secretKey, publicKey: string, secretKey: string}`
- `OQS\Signature::sign(string $algorithm, string $message, string $secretKey): string`
- `OQS\Signature::verify(string $algorithm, string $message, string $signature, string $publicKey): bool`

Signature identifiers are also class constants, e.g. `OQS\Signature::ALG_DILITHIUM_3`.

Global namespace constants (e.g. `OQS\VERSION_TEXT`) mirror liboqs build info.

---

Quick start (usage)
-------------------

[](#quick-start-usage)

```