libp2p · royzah · Jun 14, 2026 · Jun 15, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -159,6 +159,9 @@ web-time = "1.1.0"
 
 [patch.crates-io]
 
+# snow fork carrying ML-KEM-768 (mcginty/snow#210), until it lands upstream.
+snow = { git = "https://github.com/royzah/snow", branch = "feat/ml-kem-hfs" }
+
 # Patch away `libp2p-identity` in our dependency tree with the workspace version.
 # `libp2p-identity` is a leaf dependency and used within `rust-multiaddr` which is **not** part of the workspace.
 # As a result, we cannot just reference the workspace version in our crates because the types would mismatch with what

diff --git a/transports/noise/CHANGELOG.md b/transports/noise/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## 0.47.0
 
+- Add an additive, off-by-default `mlkem-hfs` feature: a hybrid post-quantum
+  handshake (`Noise_XXhfs_25519+ML-KEM-768_ChaChaPoly_SHA256`) negotiated
+  alongside `/noise`, falling back to classical X25519 for older peers.
+
 - Raise MSRV to 1.88.0.
   See [PR 6273](https://github.com/libp2p/rust-libp2p/pull/6273).
 

diff --git a/transports/noise/Cargo.toml b/transports/noise/Cargo.toml
@@ -8,6 +8,11 @@ authors = ["Parity Technologies <admin@parity.io>"]
 license = "MIT"
 repository = "https://github.com/libp2p/rust-libp2p"
 
+[features]
+# Hybrid PQ handshake, off by default. use-curve25519 satisfies snow's
+# default-resolver guard (the ML-KEM impl lives there).
+mlkem-hfs = ["snow/use-ml-kem", "snow/use-curve25519"]
+
 [dependencies]
 asynchronous-codec = { workspace = true }
 bytes.workspace = true
@@ -25,10 +30,10 @@ x25519-dalek = "2"
 zeroize = "1"
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
-snow = { version = "0.9.6", features = ["ring-resolver"], default-features = false }
+snow = { version = "0.10", features = ["ring-resolver"], default-features = false }
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
-snow = { version = "0.9.5", features = ["default-resolver"], default-features = false }
+snow = { version = "0.10", features = ["default-resolver"], default-features = false }
 
 [dev-dependencies]
 futures_ringbuf = "0.4.0"

diff --git a/transports/noise/src/io/framed.rs b/transports/noise/src/io/framed.rs
@@ -35,7 +35,11 @@ use crate::{Error, protocol::PublicKey};
 /// Max. size of a noise message.
 const MAX_NOISE_MSG_LEN: usize = 65535;
 /// Space given to the encryption buffer to hold key material.
+#[cfg(not(feature = "mlkem-hfs"))]
 const EXTRA_ENCRYPT_SPACE: usize = 1024;
+/// Hybrid adds an ML-KEM-768 key (1184 B) or ciphertext (1088 B) per message.
+#[cfg(feature = "mlkem-hfs")]
+const EXTRA_ENCRYPT_SPACE: usize = 1024 + 1184;
 /// Max. length for Noise protocol message payloads.
 pub(crate) const MAX_FRAME_LEN: usize = MAX_NOISE_MSG_LEN - EXTRA_ENCRYPT_SPACE;
 static_assertions::const_assert! {