diff --git a/Cargo.lock b/Cargo.lock
index 289347a87..87093de82 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -319,6 +319,17 @@ version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4b82cf0babdbd58558212896d1a4272303a57bdb245c2bf1147185fb45640e70"
 
+[[package]]
+name = "classic-mceliece-rust"
+version = "2.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "45ce62f72a15a9071f83c5084bdf0af4e8cbf31431e79eb4a5509a2f7fe7fe5d"
+dependencies = [
+ "rand",
+ "sha3",
+ "zeroize",
+]
+
 [[package]]
 name = "colorchoice"
 version = "1.0.1"
@@ -1045,6 +1056,18 @@ dependencies = [
  "fs_extra",
 ]
 
+[[package]]
+name = "libcrux-psq"
+version = "0.0.2-pre.2"
+dependencies = [
+ "classic-mceliece-rust",
+ "criterion",
+ "libcrux-hkdf",
+ "libcrux-hmac",
+ "libcrux-kem",
+ "rand",
+]
+
 [[package]]
 name = "libcrux-sha3"
 version = "0.0.2-pre.2"
diff --git a/Cargo.toml b/Cargo.toml
index cb0053d51..5c73a2917 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -14,7 +14,7 @@ members = [
     "libcrux-kem",
     "libcrux-hmac",
     "libcrux-hkdf",
-    "libcrux-ecdh",
+    "libcrux-ecdh", "libcrux-psq",
 ]
 
 [workspace.package]
diff --git a/benchmarks/benches/sha2.rs b/benchmarks/benches/sha2.rs
index 297dee805..d9f82577e 100644
--- a/benchmarks/benches/sha2.rs
+++ b/benchmarks/benches/sha2.rs
@@ -10,7 +10,7 @@ macro_rules! impl_comp {
     ($fun:ident, $libcrux:expr, $ring:expr, $rust_crypto:ty, $openssl:expr) => {
         // Comparing libcrux performance for different payload sizes and other implementations.
         fn $fun(c: &mut Criterion) {
-            const PAYLOAD_SIZES: [usize; 1] = [1024 * 1024 * 10];
+            const PAYLOAD_SIZES: [usize; 5] = [100, 1024, 2048, 4096, 8192];
 
             let mut group = c.benchmark_group(stringify!($fun).replace("_", " "));
 
diff --git a/libcrux-psq/Cargo.toml b/libcrux-psq/Cargo.toml
new file mode 100644
index 000000000..e85de5287
--- /dev/null
+++ b/libcrux-psq/Cargo.toml
@@ -0,0 +1,29 @@
+[package]
+name = "libcrux-psq"
+version.workspace = true
+authors.workspace = true
+license.workspace = true
+homepage.workspace = true
+edition.workspace = true
+repository.workspace = true
+readme.workspace = true
+
+[lib]
+path = "src/psq.rs"
+
+[dependencies]
+libcrux-kem = { version = "0.0.2-pre.2", path = "../libcrux-kem" }
+libcrux-hkdf = { version = "=0.0.2-pre.2", path = "../libcrux-hkdf" }
+libcrux-hmac = { version = "=0.0.2-pre.2", path = "../libcrux-hmac" }
+classic-mceliece-rust = { version = "2.0.0", features = [
+    "mceliece460896f",
+    "zeroize",
+] }
+rand = { version = "0.8" }
+
+[dev-dependencies]
+criterion = "0.5"
+
+[[bench]]
+name = "psq"
+harness = false
diff --git a/libcrux-psq/README.md b/libcrux-psq/README.md
new file mode 100644
index 000000000..c98576bbe
--- /dev/null
+++ b/libcrux-psq/README.md
@@ -0,0 +1,32 @@
+# Post-Quantum Pre-Shared-Key Protocol (PSQ) #
+
+This crate implements a protocol for agreeing on a pre-shared key such
+that the protocol messages are secure against
+harvest-now-decrypt-later (HNDL) passive quantum attackers.
+
+The protocol between initator `A` and receiver `B` roughly works as follows:
+```
+A:  (ik, enc) <- PQ-KEM(pk_B)
+    K_0 <- KDF(ik, pk_B || enc || sctxt)
+    K_m <- KDF(K_0, "Confirmation")
+    K <- KDF(K_0, "PSK")
+    mac_ttl <- MAC(K_m, psk_ttl)
+A -> B: (enc, psk_ttl, mac_ttl)
+```
+Where 
+* `pk_B` is the receiver's KEM public key, 
+* `sctx` is context information for the given session of the protocol,
+* `psk_ttl` specifies for how long the PSK should be considered valid, and
+* `K` is the final PSK that is derived from the decapsulated shared
+  secret based on the internal KEM.
+  
+The crate implements the protocol based on several different internal
+KEMs:
+    * `X25519`, an elliptic-curve Diffie-Hellman KEM (not post-quantum
+      secure; for performance comparison)
+    * `ML-KEM 768`, a lattice-based post-quantum KEM, in the process
+      of being standardized by NIST
+    * `Classic McEliece`, a code-based post-quantum KEM & Round 4
+      candidate in the NIST PQ competition,
+    * `XWingKemDraft02`, a hybrid post-quantum KEM, combining `X25519`
+      and `ML-KEM 768` based KEMs
diff --git a/libcrux-psq/benches/psq.rs b/libcrux-psq/benches/psq.rs
new file mode 100644
index 000000000..a25a8b343
--- /dev/null
+++ b/libcrux-psq/benches/psq.rs
@@ -0,0 +1,334 @@
+use classic_mceliece_rust::{decapsulate_boxed, encapsulate_boxed};
+use rand::thread_rng;
+use std::time::Duration;
+
+use criterion::{criterion_group, criterion_main, BatchSize, Criterion};
+
+pub fn comparisons_kem_key_generation(c: &mut Criterion) {
+    let mut rng = thread_rng();
+    let mut group = c.benchmark_group("Raw KEM Key Generation");
+    group.measurement_time(Duration::from_secs(15));
+
+    group.bench_function("libcrux ML-KEM-768", |b| {
+        b.iter(|| {
+            let _ = libcrux_kem::key_gen(libcrux_kem::Algorithm::MlKem768, &mut rng);
+        })
+    });
+    group.bench_function("libcrux X25519", |b| {
+        b.iter(|| {
+            let _ = libcrux_kem::key_gen(libcrux_kem::Algorithm::X25519, &mut rng);
+        })
+    });
+    group.bench_function("libcrux XWingKemDraft02", |b| {
+        b.iter(|| {
+            let _ = libcrux_kem::key_gen(libcrux_kem::Algorithm::XWingKemDraft02, &mut rng);
+        })
+    });
+    group.bench_function("classic_mceliece_rust (mceliece460896f)", |b| {
+        b.iter(|| {
+            let _ = classic_mceliece_rust::keypair_boxed(&mut rng);
+        })
+    });
+}
+
+pub fn comparisons_kem_encaps(c: &mut Criterion) {
+    let mut rng = thread_rng();
+    let mut group = c.benchmark_group("Raw KEM Encapsulation");
+    group.measurement_time(Duration::from_secs(15));
+
+    group.bench_function("libcrux ML-KEM-768", |b| {
+        b.iter_batched(
+            || libcrux_kem::key_gen(libcrux_kem::Algorithm::MlKem768, &mut rng).unwrap(),
+            |(_sk, pk)| {
+                let _ = pk.encapsulate(&mut thread_rng());
+            },
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("libcrux X25519", |b| {
+        b.iter_batched(
+            || libcrux_kem::key_gen(libcrux_kem::Algorithm::X25519, &mut rng).unwrap(),
+            |(_sk, pk)| {
+                let _ = pk.encapsulate(&mut thread_rng());
+            },
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("libcrux XWingKemDraft02", |b| {
+        b.iter_batched(
+            || libcrux_kem::key_gen(libcrux_kem::Algorithm::XWingKemDraft02, &mut rng).unwrap(),
+            |(_sk, pk)| {
+                let _ = pk.encapsulate(&mut thread_rng());
+            },
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("classic_mceliece_rust (mceliece460896f)", |b| {
+        b.iter_batched(
+            || classic_mceliece_rust::keypair_boxed(&mut rng),
+            |(pk, _sk)| {
+                let _ = encapsulate_boxed(&pk, &mut thread_rng());
+            },
+            BatchSize::SmallInput,
+        )
+    });
+}
+
+pub fn comparisons_kem_decaps(c: &mut Criterion) {
+    let mut rng = thread_rng();
+    let mut group = c.benchmark_group("Raw KEM Decapsulation");
+    group.measurement_time(Duration::from_secs(15));
+
+    group.bench_function("libcrux ML-KEM-768", |b| {
+        b.iter_batched(
+            || {
+                let (sk, pk) =
+                    libcrux_kem::key_gen(libcrux_kem::Algorithm::MlKem768, &mut rng).unwrap();
+                let (_ss, enc) = pk.encapsulate(&mut rng).unwrap();
+                (sk, enc)
+            },
+            |(sk, enc)| enc.decapsulate(&sk),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("libcrux X25519", |b| {
+        b.iter_batched(
+            || {
+                let (sk, pk) =
+                    libcrux_kem::key_gen(libcrux_kem::Algorithm::X25519, &mut rng).unwrap();
+                let (_ss, enc) = pk.encapsulate(&mut rng).unwrap();
+                (sk, enc)
+            },
+            |(sk, enc)| enc.decapsulate(&sk),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("libcrux XWingKemDraft02", |b| {
+        b.iter_batched(
+            || {
+                let (sk, pk) =
+                    libcrux_kem::key_gen(libcrux_kem::Algorithm::XWingKemDraft02, &mut rng)
+                        .unwrap();
+                let (_ss, enc) = pk.encapsulate(&mut rng).unwrap();
+                (sk, enc)
+            },
+            |(sk, enc)| enc.decapsulate(&sk),
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("classic_mceliece_rust (mceliece460896f)", |b| {
+        b.iter_batched(
+            || {
+                let (pk, sk) = classic_mceliece_rust::keypair_boxed(&mut rng);
+                let (enc, _ss) = encapsulate_boxed(&pk, &mut rng);
+                (sk, enc)
+            },
+            |(sk, enc)| decapsulate_boxed(&enc, &sk),
+            BatchSize::SmallInput,
+        )
+    });
+}
+
+pub fn comparisons_psq_key_generation(c: &mut Criterion) {
+    let mut rng = thread_rng();
+    let mut group = c.benchmark_group("PSK-PQ Key Generation");
+    group.measurement_time(Duration::from_secs(15));
+
+    group.bench_function("libcrux ML-KEM-768", |b| {
+        b.iter(|| {
+            let _ = libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::MlKem768, &mut rng);
+        })
+    });
+    group.bench_function("libcrux X25519", |b| {
+        b.iter(|| {
+            let _ = libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::X25519, &mut rng);
+        })
+    });
+    group.bench_function("libcrux XWingKemDraft02", |b| {
+        b.iter(|| {
+            let _ =
+                libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::XWingKemDraft02, &mut rng);
+        })
+    });
+    group.bench_function("classic_mceliece_rust (mceliece460896f)", |b| {
+        b.iter(|| {
+            let _ =
+                libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::ClassicMcEliece, &mut rng);
+        })
+    });
+}
+
+pub fn comparisons_psq_send(c: &mut Criterion) {
+    let mut rng = thread_rng();
+    let mut group = c.benchmark_group("PSK-PQ Pre-Shared Key Send");
+    group.measurement_time(Duration::from_secs(15));
+
+    group.bench_function("libcrux ML-KEM-768", |b| {
+        b.iter_batched(
+            || libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::MlKem768, &mut rng).unwrap(),
+            |(_sk, pk)| {
+                let _ = pk.send_psk(
+                    b"bench context",
+                    Duration::from_secs(3600),
+                    &mut thread_rng(),
+                );
+            },
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("libcrux X25519", |b| {
+        b.iter_batched(
+            || libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::X25519, &mut rng).unwrap(),
+            |(_sk, pk)| {
+                let _ = pk.send_psk(
+                    b"bench context",
+                    Duration::from_secs(3600),
+                    &mut thread_rng(),
+                );
+            },
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("libcrux XWingKemDraft02", |b| {
+        b.iter_batched(
+            || {
+                libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::XWingKemDraft02, &mut rng)
+                    .unwrap()
+            },
+            |(_sk, pk)| {
+                let _ = pk.send_psk(
+                    b"bench context",
+                    Duration::from_secs(3600),
+                    &mut thread_rng(),
+                );
+            },
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("classic_mceliece_rust (mceliece460896f)", |b| {
+        b.iter_batched(
+            || {
+                libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::ClassicMcEliece, &mut rng)
+                    .unwrap()
+            },
+            |(_sk, pk)| {
+                let _ = pk.send_psk(
+                    b"bench context",
+                    Duration::from_secs(3600),
+                    &mut thread_rng(),
+                );
+            },
+            BatchSize::SmallInput,
+        )
+    });
+}
+
+pub fn comparisons_psq_receive(c: &mut Criterion) {
+    let mut rng = thread_rng();
+    let mut group = c.benchmark_group("PSK-PQ Pre-Shared Key Receive");
+    group.measurement_time(Duration::from_secs(15));
+
+    group.bench_function("libcrux ML-KEM-768", |b| {
+        b.iter_batched(
+            || {
+                let (sk, pk) =
+                    libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::MlKem768, &mut rng)
+                        .unwrap();
+
+                let (_psk, message) = pk
+                    .send_psk(b"bench context", Duration::from_secs(3600), &mut rng)
+                    .unwrap();
+                (pk, sk, message)
+            },
+            |(pk, sk, message)| {
+                let _ = sk.receive_psk(&pk, &message, b"bench context");
+            },
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("libcrux X25519", |b| {
+        b.iter_batched(
+            || {
+                let (sk, pk) =
+                    libcrux_psq::generate_key_pair(libcrux_psq::Algorithm::X25519, &mut rng)
+                        .unwrap();
+
+                let (_psk, message) = pk
+                    .send_psk(b"bench context", Duration::from_secs(3600), &mut rng)
+                    .unwrap();
+                (pk, sk, message)
+            },
+            |(pk, sk, message)| {
+                let _ = sk.receive_psk(&pk, &message, b"bench context");
+            },
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("libcrux XWingKemDraft02", |b| {
+        b.iter_batched(
+            || {
+                let (sk, pk) = libcrux_psq::generate_key_pair(
+                    libcrux_psq::Algorithm::XWingKemDraft02,
+                    &mut rng,
+                )
+                .unwrap();
+
+                let (_psk, message) = pk
+                    .send_psk(b"bench context", Duration::from_secs(3600), &mut rng)
+                    .unwrap();
+                (pk, sk, message)
+            },
+            |(pk, sk, message)| {
+                let _ = sk.receive_psk(&pk, &message, b"bench context");
+            },
+            BatchSize::SmallInput,
+        )
+    });
+
+    group.bench_function("classic_mceliece_rust (mceliece460896f)", |b| {
+        b.iter_batched(
+            || {
+                let (sk, pk) = libcrux_psq::generate_key_pair(
+                    libcrux_psq::Algorithm::ClassicMcEliece,
+                    &mut rng,
+                )
+                .unwrap();
+
+                let (_psk, message) = pk
+                    .send_psk(b"bench context", Duration::from_secs(3600), &mut rng)
+                    .unwrap();
+                (pk, sk, message)
+            },
+            |(pk, sk, message)| {
+                let _ = sk.receive_psk(&pk, &message, b"bench context");
+            },
+            BatchSize::SmallInput,
+        )
+    });
+}
+
+pub fn comparisons(c: &mut Criterion) {
+    // Raw KEM operations
+    comparisons_kem_key_generation(c);
+    comparisons_kem_encaps(c);
+    comparisons_kem_decaps(c);
+
+    // PSQ protocol
+    comparisons_psq_key_generation(c);
+    comparisons_psq_send(c);
+    comparisons_psq_receive(c);
+}
+
+criterion_group!(benches, comparisons);
+criterion_main!(benches);
diff --git a/libcrux-psq/examples/encaps.rs b/libcrux-psq/examples/encaps.rs
new file mode 100644
index 000000000..6c26ca3d3
--- /dev/null
+++ b/libcrux-psq/examples/encaps.rs
@@ -0,0 +1,17 @@
+use std::time::Duration;
+
+use libcrux_psq::{generate_key_pair, Algorithm};
+use rand::thread_rng;
+
+fn main() {
+    let mut rng = thread_rng();
+    let mlkem_keypair = generate_key_pair(Algorithm::MlKem768, &mut rng).unwrap();
+
+    for _ in 0..100_000 {
+        let _ = core::hint::black_box(mlkem_keypair.1.send_psk(
+            b"size context",
+            Duration::from_secs(3600),
+            &mut rng,
+        ));
+    }
+}
diff --git a/libcrux-psq/examples/sizes.rs b/libcrux-psq/examples/sizes.rs
new file mode 100644
index 000000000..b2fbf2e7d
--- /dev/null
+++ b/libcrux-psq/examples/sizes.rs
@@ -0,0 +1,67 @@
+use std::time::Duration;
+
+use libcrux_psq::*;
+use rand::{self, thread_rng};
+
+fn main() {
+    let mut rng = thread_rng();
+    let mlkem_keypair = generate_key_pair(Algorithm::MlKem768, &mut rng).unwrap();
+    let x25519_keypair = generate_key_pair(Algorithm::X25519, &mut rng).unwrap();
+    let xwing_keypair = generate_key_pair(Algorithm::XWingKemDraft02, &mut rng).unwrap();
+    let classic_mceliece_keypair = generate_key_pair(Algorithm::ClassicMcEliece, &mut rng).unwrap();
+
+    let mlkem_message = mlkem_keypair
+        .1
+        .send_psk(b"size context", Duration::from_secs(3600), &mut rng)
+        .unwrap();
+    let x25519_message = x25519_keypair
+        .1
+        .send_psk(b"size context", Duration::from_secs(3600), &mut rng)
+        .unwrap();
+    let xwing_message = xwing_keypair
+        .1
+        .send_psk(b"size context", Duration::from_secs(3600), &mut rng)
+        .unwrap();
+    let classic_mceliece_message = classic_mceliece_keypair
+        .1
+        .send_psk(b"size context", Duration::from_secs(3600), &mut rng)
+        .unwrap();
+
+    println!("ML-KEM-768:");
+    println!("  Public key size (bytes): {}", mlkem_keypair.1.size());
+    println!("  Message size (bytes): {}", mlkem_message.1.size());
+    println!(
+        "  including ciphertext size (bytes): {}",
+        mlkem_message.1.ct_size()
+    );
+
+    println!("X25519:");
+    println!("  Public key size (bytes): {}", x25519_keypair.1.size());
+    println!("  Message size (bytes): {}", x25519_message.1.size());
+    println!(
+        "  including ciphertext size (bytes): {}",
+        x25519_message.1.ct_size()
+    );
+
+    println!("XWingKemDraft02:");
+    println!("  Public key size (bytes): {}", xwing_keypair.1.size());
+    println!("  Message size (bytes): {}", xwing_message.1.size());
+    println!(
+        "  including ciphertext size (bytes): {}",
+        xwing_message.1.ct_size()
+    );
+
+    println!("Classic McEliece:");
+    println!(
+        "  Public key size (bytes): {}",
+        classic_mceliece_keypair.1.size()
+    );
+    println!(
+        "  Message size (bytes): {}",
+        classic_mceliece_message.1.size()
+    );
+    println!(
+        "  including ciphertext size (bytes): {}",
+        classic_mceliece_message.1.ct_size()
+    );
+}
diff --git a/libcrux-psq/flamegraph.svg b/libcrux-psq/flamegraph.svg
new file mode 100644
index 000000000..9a50187c4
--- /dev/null
+++ b/libcrux-psq/flamegraph.svg
@@ -0,0 +1,491 @@
+<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" width="1200" height="262" onload="init(evt)" viewBox="0 0 1200 262" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:fg="http://github.com/jonhoo/inferno"><!--Flame graph stack visualization. See https://github.com/brendangregg/FlameGraph for latest version, and http://www.brendangregg.com/flamegraphs.html for examples.--><!--NOTES: --><defs><linearGradient id="background" y1="0" y2="1" x1="0" x2="0"><stop stop-color="#eeeeee" offset="5%"/><stop stop-color="#eeeeb0" offset="95%"/></linearGradient></defs><style type="text/css">
+text { font-family:monospace; font-size:12px }
+#title { text-anchor:middle; font-size:17px; }
+#matched { text-anchor:end; }
+#search { text-anchor:end; opacity:0.1; cursor:pointer; }
+#search:hover, #search.show { opacity:1; }
+#subtitle { text-anchor:middle; font-color:rgb(160,160,160); }
+#unzoom { cursor:pointer; }
+#frames > *:hover { stroke:black; stroke-width:0.5; cursor:pointer; }
+.hide { display:none; }
+.parent { opacity:0.5; }
+</style><script type="text/ecmascript"><![CDATA[
+        var nametype = 'Function:';
+        var fontsize = 12;
+        var fontwidth = 0.59;
+        var xpad = 10;
+        var inverted = false;
+        var searchcolor = 'rgb(230,0,230)';
+        var fluiddrawing = true;
+        var truncate_text_right = false;
+    ]]><![CDATA["use strict";
+var details, searchbtn, unzoombtn, matchedtxt, svg, searching, frames, known_font_width;
+function init(evt) {
+    details = document.getElementById("details").firstChild;
+    searchbtn = document.getElementById("search");
+    unzoombtn = document.getElementById("unzoom");
+    matchedtxt = document.getElementById("matched");
+    svg = document.getElementsByTagName("svg")[0];
+    frames = document.getElementById("frames");
+    known_font_width = get_monospace_width(frames);
+    total_samples = parseInt(frames.attributes.total_samples.value);
+    searching = 0;
+
+    // Use GET parameters to restore a flamegraph's state.
+    var restore_state = function() {
+        var params = get_params();
+        if (params.x && params.y)
+            zoom(find_group(document.querySelector('[*|x="' + params.x + '"][y="' + params.y + '"]')));
+        if (params.s)
+            search(params.s);
+    };
+
+    if (fluiddrawing) {
+        // Make width dynamic so the SVG fits its parent's width.
+        svg.removeAttribute("width");
+        // Edge requires us to have a viewBox that gets updated with size changes.
+        var isEdge = /Edge\/\d./i.test(navigator.userAgent);
+        if (!isEdge) {
+            svg.removeAttribute("viewBox");
+        }
+        var update_for_width_change = function() {
+            if (isEdge) {
+                svg.attributes.viewBox.value = "0 0 " + svg.width.baseVal.value + " " + svg.height.baseVal.value;
+            }
+
+            // Keep consistent padding on left and right of frames container.
+            frames.attributes.width.value = svg.width.baseVal.value - xpad * 2;
+
+            // Text truncation needs to be adjusted for the current width.
+            update_text_for_elements(frames.children);
+
+            // Keep search elements at a fixed distance from right edge.
+            var svgWidth = svg.width.baseVal.value;
+            searchbtn.attributes.x.value = svgWidth - xpad;
+            matchedtxt.attributes.x.value = svgWidth - xpad;
+        };
+        window.addEventListener('resize', function() {
+            update_for_width_change();
+        });
+        // This needs to be done asynchronously for Safari to work.
+        setTimeout(function() {
+            unzoom();
+            update_for_width_change();
+            restore_state();
+        }, 0);
+    } else {
+        restore_state();
+    }
+}
+// event listeners
+window.addEventListener("click", function(e) {
+    var target = find_group(e.target);
+    if (target) {
+        if (target.nodeName == "a") {
+            if (e.ctrlKey === false) return;
+            e.preventDefault();
+        }
+        if (target.classList.contains("parent")) unzoom();
+        zoom(target);
+
+        // set parameters for zoom state
+        var el = target.querySelector("rect");
+        if (el && el.attributes && el.attributes.y && el.attributes["fg:x"]) {
+            var params = get_params()
+            params.x = el.attributes["fg:x"].value;
+            params.y = el.attributes.y.value;
+            history.replaceState(null, null, parse_params(params));
+        }
+    }
+    else if (e.target.id == "unzoom") {
+        unzoom();
+
+        // remove zoom state
+        var params = get_params();
+        if (params.x) delete params.x;
+        if (params.y) delete params.y;
+        history.replaceState(null, null, parse_params(params));
+    }
+    else if (e.target.id == "search") search_prompt();
+}, false)
+// mouse-over for info
+// show
+window.addEventListener("mouseover", function(e) {
+    var target = find_group(e.target);
+    if (target) details.nodeValue = nametype + " " + g_to_text(target);
+}, false)
+// clear
+window.addEventListener("mouseout", function(e) {
+    var target = find_group(e.target);
+    if (target) details.nodeValue = ' ';
+}, false)
+// ctrl-F for search
+window.addEventListener("keydown",function (e) {
+    if (e.keyCode === 114 || (e.ctrlKey && e.keyCode === 70)) {
+        e.preventDefault();
+        search_prompt();
+    }
+}, false)
+// functions
+function get_params() {
+    var params = {};
+    var paramsarr = window.location.search.substr(1).split('&');
+    for (var i = 0; i < paramsarr.length; ++i) {
+        var tmp = paramsarr[i].split("=");
+        if (!tmp[0] || !tmp[1]) continue;
+        params[tmp[0]]  = decodeURIComponent(tmp[1]);
+    }
+    return params;
+}
+function parse_params(params) {
+    var uri = "?";
+    for (var key in params) {
+        uri += key + '=' + encodeURIComponent(params[key]) + '&';
+    }
+    if (uri.slice(-1) == "&")
+        uri = uri.substring(0, uri.length - 1);
+    if (uri == '?')
+        uri = window.location.href.split('?')[0];
+    return uri;
+}
+function find_child(node, selector) {
+    var children = node.querySelectorAll(selector);
+    if (children.length) return children[0];
+    return;
+}
+function find_group(node) {
+    var parent = node.parentElement;
+    if (!parent) return;
+    if (parent.id == "frames") return node;
+    return find_group(parent);
+}
+function orig_save(e, attr, val) {
+    if (e.attributes["fg:orig_" + attr] != undefined) return;
+    if (e.attributes[attr] == undefined) return;
+    if (val == undefined) val = e.attributes[attr].value;
+    e.setAttribute("fg:orig_" + attr, val);
+}
+function orig_load(e, attr) {
+    if (e.attributes["fg:orig_"+attr] == undefined) return;
+    e.attributes[attr].value = e.attributes["fg:orig_" + attr].value;
+    e.removeAttribute("fg:orig_" + attr);
+}
+function g_to_text(e) {
+    var text = find_child(e, "title").firstChild.nodeValue;
+    return (text)
+}
+function g_to_func(e) {
+    var func = g_to_text(e);
+    // if there's any manipulation we want to do to the function
+    // name before it's searched, do it here before returning.
+    return (func);
+}
+function get_monospace_width(frames) {
+    // Given the id="frames" element, return the width of text characters if
+    // this is a monospace font, otherwise return 0.
+    text = find_child(frames.children[0], "text");
+    originalContent = text.textContent;
+    text.textContent = "!";
+    bangWidth = text.getComputedTextLength();
+    text.textContent = "W";
+    wWidth = text.getComputedTextLength();
+    text.textContent = originalContent;
+    if (bangWidth === wWidth) {
+        return bangWidth;
+    } else {
+        return 0;
+    }
+}
+function update_text_for_elements(elements) {
+    // In order to render quickly in the browser, you want to do one pass of
+    // reading attributes, and one pass of mutating attributes. See
+    // https://web.dev/avoid-large-complex-layouts-and-layout-thrashing/ for details.
+
+    // Fall back to inefficient calculation, if we're variable-width font.
+    // TODO This should be optimized somehow too.
+    if (known_font_width === 0) {
+        for (var i = 0; i < elements.length; i++) {
+            update_text(elements[i]);
+        }
+        return;
+    }
+
+    var textElemNewAttributes = [];
+    for (var i = 0; i < elements.length; i++) {
+        var e = elements[i];
+        var r = find_child(e, "rect");
+        var t = find_child(e, "text");
+        var w = parseFloat(r.attributes.width.value) * frames.attributes.width.value / 100 - 3;
+        var txt = find_child(e, "title").textContent.replace(/\([^(]*\)$/,"");
+        var newX = format_percent((parseFloat(r.attributes.x.value) + (100 * 3 / frames.attributes.width.value)));
+
+        // Smaller than this size won't fit anything
+        if (w < 2 * known_font_width) {
+            textElemNewAttributes.push([newX, ""]);
+            continue;
+        }
+
+        // Fit in full text width
+        if (txt.length * known_font_width < w) {
+            textElemNewAttributes.push([newX, txt]);
+            continue;
+        }
+
+        var substringLength = Math.floor(w / known_font_width) - 2;
+        if (truncate_text_right) {
+            // Truncate the right side of the text.
+            textElemNewAttributes.push([newX, txt.substring(0, substringLength) + ".."]);
+            continue;
+        } else {
+            // Truncate the left side of the text.
+            textElemNewAttributes.push([newX, ".." + txt.substring(txt.length - substringLength, txt.length)]);
+            continue;
+        }
+    }
+
+    console.assert(textElemNewAttributes.length === elements.length, "Resize failed, please file a bug at https://github.com/jonhoo/inferno/");
+
+    // Now that we know new textContent, set it all in one go so we don't refresh a bazillion times.
+    for (var i = 0; i < elements.length; i++) {
+        var e = elements[i];
+        var values = textElemNewAttributes[i];
+        var t = find_child(e, "text");
+        t.attributes.x.value = values[0];
+        t.textContent = values[1];
+    }
+}
+
+function update_text(e) {
+    var r = find_child(e, "rect");
+    var t = find_child(e, "text");
+    var w = parseFloat(r.attributes.width.value) * frames.attributes.width.value / 100 - 3;
+    var txt = find_child(e, "title").textContent.replace(/\([^(]*\)$/,"");
+    t.attributes.x.value = format_percent((parseFloat(r.attributes.x.value) + (100 * 3 / frames.attributes.width.value)));
+
+    // Smaller than this size won't fit anything
+    if (w < 2 * fontsize * fontwidth) {
+        t.textContent = "";
+        return;
+    }
+    t.textContent = txt;
+    // Fit in full text width
+    if (t.getComputedTextLength() < w)
+        return;
+    if (truncate_text_right) {
+        // Truncate the right side of the text.
+        for (var x = txt.length - 2; x > 0; x--) {
+            if (t.getSubStringLength(0, x + 2) <= w) {
+                t.textContent = txt.substring(0, x) + "..";
+                return;
+            }
+        }
+    } else {
+        // Truncate the left side of the text.
+        for (var x = 2; x < txt.length; x++) {
+            if (t.getSubStringLength(x - 2, txt.length) <= w) {
+                t.textContent = ".." + txt.substring(x, txt.length);
+                return;
+            }
+        }
+    }
+    t.textContent = "";
+}
+// zoom
+function zoom_reset(e) {
+    if (e.tagName == "rect") {
+        e.attributes.x.value = format_percent(100 * parseInt(e.attributes["fg:x"].value) / total_samples);
+        e.attributes.width.value = format_percent(100 * parseInt(e.attributes["fg:w"].value) / total_samples);
+    }
+    if (e.childNodes == undefined) return;
+    for(var i = 0, c = e.childNodes; i < c.length; i++) {
+        zoom_reset(c[i]);
+    }
+}
+function zoom_child(e, x, zoomed_width_samples) {
+    if (e.tagName == "text") {
+        var parent_x = parseFloat(find_child(e.parentNode, "rect[x]").attributes.x.value);
+        e.attributes.x.value = format_percent(parent_x + (100 * 3 / frames.attributes.width.value));
+    } else if (e.tagName == "rect") {
+        e.attributes.x.value = format_percent(100 * (parseInt(e.attributes["fg:x"].value) - x) / zoomed_width_samples);
+        e.attributes.width.value = format_percent(100 * parseInt(e.attributes["fg:w"].value) / zoomed_width_samples);
+    }
+    if (e.childNodes == undefined) return;
+    for(var i = 0, c = e.childNodes; i < c.length; i++) {
+        zoom_child(c[i], x, zoomed_width_samples);
+    }
+}
+function zoom_parent(e) {
+    if (e.attributes) {
+        if (e.attributes.x != undefined) {
+            e.attributes.x.value = "0.0%";
+        }
+        if (e.attributes.width != undefined) {
+            e.attributes.width.value = "100.0%";
+        }
+    }
+    if (e.childNodes == undefined) return;
+    for(var i = 0, c = e.childNodes; i < c.length; i++) {
+        zoom_parent(c[i]);
+    }
+}
+function zoom(node) {
+    var attr = find_child(node, "rect").attributes;
+    var width = parseInt(attr["fg:w"].value);
+    var xmin = parseInt(attr["fg:x"].value);
+    var xmax = xmin + width;
+    var ymin = parseFloat(attr.y.value);
+    unzoombtn.classList.remove("hide");
+    var el = frames.children;
+    var to_update_text = [];
+    for (var i = 0; i < el.length; i++) {
+        var e = el[i];
+        var a = find_child(e, "rect").attributes;
+        var ex = parseInt(a["fg:x"].value);
+        var ew = parseInt(a["fg:w"].value);
+        // Is it an ancestor
+        if (!inverted) {
+            var upstack = parseFloat(a.y.value) > ymin;
+        } else {
+            var upstack = parseFloat(a.y.value) < ymin;
+        }
+        if (upstack) {
+            // Direct ancestor
+            if (ex <= xmin && (ex+ew) >= xmax) {
+                e.classList.add("parent");
+                zoom_parent(e);
+                to_update_text.push(e);
+            }
+            // not in current path
+            else
+                e.classList.add("hide");
+        }
+        // Children maybe
+        else {
+            // no common path
+            if (ex < xmin || ex >= xmax) {
+                e.classList.add("hide");
+            }
+            else {
+                zoom_child(e, xmin, width);
+                to_update_text.push(e);
+            }
+        }
+    }
+    update_text_for_elements(to_update_text);
+}
+function unzoom() {
+    unzoombtn.classList.add("hide");
+    var el = frames.children;
+    for(var i = 0; i < el.length; i++) {
+        el[i].classList.remove("parent");
+        el[i].classList.remove("hide");
+        zoom_reset(el[i]);
+    }
+    update_text_for_elements(el);
+}
+// search
+function reset_search() {
+    var el = document.querySelectorAll("#frames rect");
+    for (var i = 0; i < el.length; i++) {
+        orig_load(el[i], "fill")
+    }
+    var params = get_params();
+    delete params.s;
+    history.replaceState(null, null, parse_params(params));
+}
+function search_prompt() {
+    if (!searching) {
+        var term = prompt("Enter a search term (regexp " +
+            "allowed, eg: ^ext4_)", "");
+        if (term != null) {
+            search(term)
+        }
+    } else {
+        reset_search();
+        searching = 0;
+        searchbtn.classList.remove("show");
+        searchbtn.firstChild.nodeValue = "Search"
+        matchedtxt.classList.add("hide");
+        matchedtxt.firstChild.nodeValue = ""
+    }
+}
+function search(term) {
+    var re = new RegExp(term);
+    var el = frames.children;
+    var matches = new Object();
+    var maxwidth = 0;
+    for (var i = 0; i < el.length; i++) {
+        var e = el[i];
+        // Skip over frames which are either not visible, or below the zoomed-to frame
+        if (e.classList.contains("hide") || e.classList.contains("parent")) {
+            continue;
+        }
+        var func = g_to_func(e);
+        var rect = find_child(e, "rect");
+        if (func == null || rect == null)
+            continue;
+        // Save max width. Only works as we have a root frame
+        var w = parseInt(rect.attributes["fg:w"].value);
+        if (w > maxwidth)
+            maxwidth = w;
+        if (func.match(re)) {
+            // highlight
+            var x = parseInt(rect.attributes["fg:x"].value);
+            orig_save(rect, "fill");
+            rect.attributes.fill.value = searchcolor;
+            // remember matches
+            if (matches[x] == undefined) {
+                matches[x] = w;
+            } else {
+                if (w > matches[x]) {
+                    // overwrite with parent
+                    matches[x] = w;
+                }
+            }
+            searching = 1;
+        }
+    }
+    if (!searching)
+        return;
+    var params = get_params();
+    params.s = term;
+    history.replaceState(null, null, parse_params(params));
+
+    searchbtn.classList.add("show");
+    searchbtn.firstChild.nodeValue = "Reset Search";
+    // calculate percent matched, excluding vertical overlap
+    var count = 0;
+    var lastx = -1;
+    var lastw = 0;
+    var keys = Array();
+    for (k in matches) {
+        if (matches.hasOwnProperty(k))
+            keys.push(k);
+    }
+    // sort the matched frames by their x location
+    // ascending, then width descending
+    keys.sort(function(a, b){
+        return a - b;
+    });
+    // Step through frames saving only the biggest bottom-up frames
+    // thanks to the sort order. This relies on the tree property
+    // where children are always smaller than their parents.
+    for (var k in keys) {
+        var x = parseInt(keys[k]);
+        var w = matches[keys[k]];
+        if (x >= lastx + lastw) {
+            count += w;
+            lastx = x;
+            lastw = w;
+        }
+    }
+    // display matched percent
+    matchedtxt.classList.remove("hide");
+    var pct = 100 * count / maxwidth;
+    if (pct != 100) pct = pct.toFixed(1);
+    matchedtxt.firstChild.nodeValue = "Matched: " + pct + "%";
+}
+function format_percent(n) {
+    return n.toFixed(4) + "%";
+}
+]]></script><rect x="0" y="0" width="100%" height="262" fill="url(#background)"/><text id="title" fill="rgb(0,0,0)" x="50.0000%" y="24.00">Flame Graph</text><text id="details" fill="rgb(0,0,0)" x="10" y="245.00"> </text><text id="unzoom" class="hide" fill="rgb(0,0,0)" x="10" y="24.00">Reset Zoom</text><text id="search" fill="rgb(0,0,0)" x="1190" y="24.00">Search</text><text id="matched" fill="rgb(0,0,0)" x="1190" y="245.00"> </text><svg id="frames" x="10" width="1180" total_samples="2741"><g><title>encaps`DYLD-STUB$$memcpy (1 samples, 0.04%)</title><rect x="0.1459%" y="133" width="0.0365%" height="15" fill="rgb(227,0,7)" fg:x="4" fg:w="1"/><text x="0.3959%" y="143.50"></text></g><g><title>encaps`Hacl_Hash_SHA2_sha256_finish (1 samples, 0.04%)</title><rect x="0.4013%" y="101" width="0.0365%" height="15" fill="rgb(217,0,24)" fg:x="11" fg:w="1"/><text x="0.6513%" y="111.50"></text></g><g><title>encaps`Hacl_Hash_SHA2_sha256_update_last (1 samples, 0.04%)</title><rect x="0.4378%" y="101" width="0.0365%" height="15" fill="rgb(221,193,54)" fg:x="12" fg:w="1"/><text x="0.6878%" y="111.50"></text></g><g><title>encaps`Hacl_Hash_SHA2_sha256_update_nblocks (6 samples, 0.22%)</title><rect x="0.4743%" y="101" width="0.2189%" height="15" fill="rgb(248,212,6)" fg:x="13" fg:w="6"/><text x="0.7243%" y="111.50"></text></g><g><title>encaps`sha256_update (1,169 samples, 42.65%)</title><rect x="0.6932%" y="101" width="42.6487%" height="15" fill="rgb(208,68,35)" fg:x="19" fg:w="1169"/><text x="0.9432%" y="111.50">encaps`sha256_update</text></g><g><title>libsystem_c.dylib`__memcpy_chk (2 samples, 0.07%)</title><rect x="43.3418%" y="101" width="0.0730%" height="15" fill="rgb(232,128,0)" fg:x="1188" fg:w="2"/><text x="43.5918%" y="111.50"></text></g><g><title>encaps`Hacl_HMAC_compute_sha2_256 (1,184 samples, 43.20%)</title><rect x="0.2554%" y="117" width="43.1959%" height="15" fill="rgb(207,160,47)" fg:x="7" fg:w="1184"/><text x="0.5054%" y="127.50">encaps`Hacl_HMAC_compute_sha2_256</text></g><g><title>libsystem_platform.dylib`_platform_memmove (1 samples, 0.04%)</title><rect x="43.4148%" y="101" width="0.0365%" height="15" fill="rgb(228,23,34)" fg:x="1190" fg:w="1"/><text x="43.6648%" y="111.50"></text></g><g><title>encaps`Hacl_Hash_SHA2_sha256_update_nblocks (1 samples, 0.04%)</title><rect x="43.4513%" y="117" width="0.0365%" height="15" fill="rgb(218,30,26)" fg:x="1191" fg:w="1"/><text x="43.7013%" y="127.50"></text></g><g><title>libsystem_c.dylib`DYLD-STUB$$mkdtempat_np (1 samples, 0.04%)</title><rect x="43.4878%" y="117" width="0.0365%" height="15" fill="rgb(220,122,19)" fg:x="1192" fg:w="1"/><text x="43.7378%" y="127.50"></text></g><g><title>libsystem_platform.dylib`_platform_memmove (1 samples, 0.04%)</title><rect x="43.5243%" y="117" width="0.0365%" height="15" fill="rgb(250,228,42)" fg:x="1193" fg:w="1"/><text x="43.7743%" y="127.50"></text></g><g><title>encaps`Hacl_HKDF_expand_sha2_256 (1,193 samples, 43.52%)</title><rect x="0.1824%" y="133" width="43.5243%" height="15" fill="rgb(240,193,28)" fg:x="5" fg:w="1193"/><text x="0.4324%" y="143.50">encaps`Hacl_HKDF_expand_sha2_256</text></g><g><title>libsystem_pthread.dylib`___chkstk_darwin (4 samples, 0.15%)</title><rect x="43.5607%" y="117" width="0.1459%" height="15" fill="rgb(216,20,37)" fg:x="1194" fg:w="4"/><text x="43.8107%" y="127.50"></text></g><g><title>encaps`Hacl_Hash_SHA2_sha256_finish (1 samples, 0.04%)</title><rect x="43.7067%" y="117" width="0.0365%" height="15" fill="rgb(206,188,39)" fg:x="1198" fg:w="1"/><text x="43.9567%" y="127.50"></text></g><g><title>encaps`sha256_update (91 samples, 3.32%)</title><rect x="43.7432%" y="117" width="3.3200%" height="15" fill="rgb(217,207,13)" fg:x="1199" fg:w="91"/><text x="43.9932%" y="127.50">enc..</text></g><g><title>libsystem_c.dylib`__memcpy_chk (1 samples, 0.04%)</title><rect x="47.0631%" y="117" width="0.0365%" height="15" fill="rgb(231,73,38)" fg:x="1290" fg:w="1"/><text x="47.3131%" y="127.50"></text></g><g><title>encaps`Hacl_HMAC_compute_sha2_256 (94 samples, 3.43%)</title><rect x="43.7067%" y="133" width="3.4294%" height="15" fill="rgb(225,20,46)" fg:x="1198" fg:w="94"/><text x="43.9567%" y="143.50">enc..</text></g><g><title>libsystem_platform.dylib`_platform_memmove (1 samples, 0.04%)</title><rect x="47.0996%" y="117" width="0.0365%" height="15" fill="rgb(210,31,41)" fg:x="1291" fg:w="1"/><text x="47.3496%" y="127.50"></text></g><g><title>libsystem_malloc.dylib`_nanov2_free (1 samples, 0.04%)</title><rect x="47.1361%" y="69" width="0.0365%" height="15" fill="rgb(221,200,47)" fg:x="1292" fg:w="1"/><text x="47.3861%" y="79.50"></text></g><g><title>libsystem_malloc.dylib`nanov2_malloc (1 samples, 0.04%)</title><rect x="47.1726%" y="69" width="0.0365%" height="15" fill="rgb(226,26,5)" fg:x="1293" fg:w="1"/><text x="47.4226%" y="79.50"></text></g><g><title>libsystem_malloc.dylib`nanov2_realloc (1 samples, 0.04%)</title><rect x="47.2090%" y="69" width="0.0365%" height="15" fill="rgb(249,33,26)" fg:x="1294" fg:w="1"/><text x="47.4590%" y="79.50"></text></g><g><title>libsystem_malloc.dylib`_nanov2_free (1 samples, 0.04%)</title><rect x="47.2090%" y="53" width="0.0365%" height="15" fill="rgb(235,183,28)" fg:x="1294" fg:w="1"/><text x="47.4590%" y="63.50"></text></g><g><title>libsystem_malloc.dylib`szone_realloc (2 samples, 0.07%)</title><rect x="47.2455%" y="69" width="0.0730%" height="15" fill="rgb(221,5,38)" fg:x="1295" fg:w="2"/><text x="47.4955%" y="79.50"></text></g><g><title>libsystem_malloc.dylib`szone_malloc_should_clear (1 samples, 0.04%)</title><rect x="47.2820%" y="53" width="0.0365%" height="15" fill="rgb(247,18,42)" fg:x="1296" fg:w="1"/><text x="47.5320%" y="63.50"></text></g><g><title>libsystem_malloc.dylib`small_malloc_should_clear (1 samples, 0.04%)</title><rect x="47.2820%" y="37" width="0.0365%" height="15" fill="rgb(241,131,45)" fg:x="1296" fg:w="1"/><text x="47.5320%" y="47.50"></text></g><g><title>libsystem_malloc.dylib`_malloc_zone_realloc (8 samples, 0.29%)</title><rect x="47.1361%" y="85" width="0.2919%" height="15" fill="rgb(249,31,29)" fg:x="1292" fg:w="8"/><text x="47.3861%" y="95.50"></text></g><g><title>libsystem_platform.dylib`_platform_memmove (3 samples, 0.11%)</title><rect x="47.3185%" y="69" width="0.1094%" height="15" fill="rgb(225,111,53)" fg:x="1297" fg:w="3"/><text x="47.5685%" y="79.50"></text></g><g><title>libsystem_malloc.dylib`default_zone_realloc (1 samples, 0.04%)</title><rect x="47.4279%" y="85" width="0.0365%" height="15" fill="rgb(238,160,17)" fg:x="1300" fg:w="1"/><text x="47.6779%" y="95.50"></text></g><g><title>libsystem_malloc.dylib`nanov2_realloc (1 samples, 0.04%)</title><rect x="47.4644%" y="85" width="0.0365%" height="15" fill="rgb(214,148,48)" fg:x="1301" fg:w="1"/><text x="47.7144%" y="95.50"></text></g><g><title>encaps`alloc::raw_vec::RawVec&lt;T,A&gt;::reserve::do_reserve_and_handle (11 samples, 0.40%)</title><rect x="47.1361%" y="133" width="0.4013%" height="15" fill="rgb(232,36,49)" fg:x="1292" fg:w="11"/><text x="47.3861%" y="143.50"></text></g><g><title>encaps`alloc::raw_vec::finish_grow (11 samples, 0.40%)</title><rect x="47.1361%" y="117" width="0.4013%" height="15" fill="rgb(209,103,24)" fg:x="1292" fg:w="11"/><text x="47.3861%" y="127.50"></text></g><g><title>libsystem_malloc.dylib`_realloc (11 samples, 0.40%)</title><rect x="47.1361%" y="101" width="0.4013%" height="15" fill="rgb(229,88,8)" fg:x="1292" fg:w="11"/><text x="47.3861%" y="111.50"></text></g><g><title>libsystem_malloc.dylib`szone_size (1 samples, 0.04%)</title><rect x="47.5009%" y="85" width="0.0365%" height="15" fill="rgb(213,181,19)" fg:x="1302" fg:w="1"/><text x="47.7509%" y="95.50"></text></g><g><title>libsystem_malloc.dylib`tiny_size (1 samples, 0.04%)</title><rect x="47.5009%" y="69" width="0.0365%" height="15" fill="rgb(254,191,54)" fg:x="1302" fg:w="1"/><text x="47.7509%" y="79.50"></text></g><g><title>libsystem_malloc.dylib`small_malloc_should_clear (2 samples, 0.07%)</title><rect x="47.5374%" y="117" width="0.0730%" height="15" fill="rgb(241,83,37)" fg:x="1303" fg:w="2"/><text x="47.7874%" y="127.50"></text></g><g><title>encaps`libcrux_kem::Ct::encode (4 samples, 0.15%)</title><rect x="47.5374%" y="133" width="0.1459%" height="15" fill="rgb(233,36,39)" fg:x="1303" fg:w="4"/><text x="47.7874%" y="143.50"></text></g><g><title>libsystem_malloc.dylib`szone_malloc_should_clear (2 samples, 0.07%)</title><rect x="47.6104%" y="117" width="0.0730%" height="15" fill="rgb(226,3,54)" fg:x="1305" fg:w="2"/><text x="47.8604%" y="127.50"></text></g><g><title>libsystem_malloc.dylib`small_malloc_should_clear (2 samples, 0.07%)</title><rect x="47.6104%" y="101" width="0.0730%" height="15" fill="rgb(245,192,40)" fg:x="1305" fg:w="2"/><text x="47.8604%" y="111.50"></text></g><g><title>libsystem_malloc.dylib`small_malloc_from_free_list (1 samples, 0.04%)</title><rect x="47.6468%" y="85" width="0.0365%" height="15" fill="rgb(238,167,29)" fg:x="1306" fg:w="1"/><text x="47.8968%" y="95.50"></text></g><g><title>libsystem_malloc.dylib`small_free_list_remove_ptr_no_clear (1 samples, 0.04%)</title><rect x="47.6468%" y="69" width="0.0365%" height="15" fill="rgb(232,182,51)" fg:x="1306" fg:w="1"/><text x="47.8968%" y="79.50"></text></g><g><title>encaps`&lt;rand_chacha::chacha::ChaCha12Core as rand_core::block::BlockRngCore&gt;::generate (12 samples, 0.44%)</title><rect x="47.7198%" y="117" width="0.4378%" height="15" fill="rgb(231,60,39)" fg:x="1308" fg:w="12"/><text x="47.9698%" y="127.50"></text></g><g><title>encaps`DYLD-STUB$$memcpy (1 samples, 0.04%)</title><rect x="57.4243%" y="101" width="0.0365%" height="15" fill="rgb(208,69,12)" fg:x="1574" fg:w="1"/><text x="57.6743%" y="111.50"></text></g><g><title>encaps`libcrux_ml_kem::ind_cpa::encrypt (1,058 samples, 38.60%)</title><rect x="57.4608%" y="101" width="38.5991%" height="15" fill="rgb(235,93,37)" fg:x="1575" fg:w="1058"/><text x="57.7108%" y="111.50">encaps`libcrux_ml_kem::ind_cpa::encrypt</text></g><g><title>libsystem_platform.dylib`_platform_memmove (31 samples, 1.13%)</title><rect x="96.0598%" y="101" width="1.1310%" height="15" fill="rgb(213,116,39)" fg:x="2633" fg:w="31"/><text x="96.3098%" y="111.50"></text></g><g><title>encaps`libcrux_ml_kem::mlkem768::encapsulate (1,365 samples, 49.80%)</title><rect x="48.1576%" y="117" width="49.7993%" height="15" fill="rgb(222,207,29)" fg:x="1320" fg:w="1365"/><text x="48.4076%" y="127.50">encaps`libcrux_ml_kem::mlkem768::encapsulate</text></g><g><title>libsystem_platform.dylib`_platform_memset (21 samples, 0.77%)</title><rect x="97.1908%" y="101" width="0.7661%" height="15" fill="rgb(206,96,30)" fg:x="2664" fg:w="21"/><text x="97.4408%" y="111.50"></text></g><g><title>encaps`libcrux_kem::PublicKey::encapsulate (1,380 samples, 50.35%)</title><rect x="47.6833%" y="133" width="50.3466%" height="15" fill="rgb(218,138,4)" fg:x="1307" fg:w="1380"/><text x="47.9333%" y="143.50">encaps`libcrux_kem::PublicKey::encapsulate</text></g><g><title>libsystem_platform.dylib`_platform_memmove (2 samples, 0.07%)</title><rect x="97.9570%" y="117" width="0.0730%" height="15" fill="rgb(250,191,14)" fg:x="2685" fg:w="2"/><text x="98.2070%" y="127.50"></text></g><g><title>encaps`libcrux_kem::Ss::encode (1 samples, 0.04%)</title><rect x="98.0299%" y="133" width="0.0365%" height="15" fill="rgb(239,60,40)" fg:x="2687" fg:w="1"/><text x="98.2799%" y="143.50"></text></g><g><title>encaps`libcrux_ml_kem::mlkem768::encapsulate (2 samples, 0.07%)</title><rect x="98.0664%" y="133" width="0.0730%" height="15" fill="rgb(206,27,48)" fg:x="2688" fg:w="2"/><text x="98.3164%" y="143.50"></text></g><g><title>libsystem_c.dylib`clock_gettime (5 samples, 0.18%)</title><rect x="98.1394%" y="133" width="0.1824%" height="15" fill="rgb(225,35,8)" fg:x="2690" fg:w="5"/><text x="98.3894%" y="143.50"></text></g><g><title>libsystem_c.dylib`gettimeofday (5 samples, 0.18%)</title><rect x="98.1394%" y="117" width="0.1824%" height="15" fill="rgb(250,213,24)" fg:x="2690" fg:w="5"/><text x="98.3894%" y="127.50"></text></g><g><title>libsystem_kernel.dylib`mach_absolute_time (5 samples, 0.18%)</title><rect x="98.1394%" y="101" width="0.1824%" height="15" fill="rgb(247,123,22)" fg:x="2690" fg:w="5"/><text x="98.3894%" y="111.50"></text></g><g><title>libsystem_malloc.dylib`_malloc_zone_malloc (2 samples, 0.07%)</title><rect x="98.3218%" y="133" width="0.0730%" height="15" fill="rgb(231,138,38)" fg:x="2695" fg:w="2"/><text x="98.5718%" y="143.50"></text></g><g><title>libsystem_malloc.dylib`_nanov2_free (2 samples, 0.07%)</title><rect x="98.3947%" y="133" width="0.0730%" height="15" fill="rgb(231,145,46)" fg:x="2697" fg:w="2"/><text x="98.6447%" y="143.50"></text></g><g><title>libsystem_malloc.dylib`_szone_free (1 samples, 0.04%)</title><rect x="98.4677%" y="133" width="0.0365%" height="15" fill="rgb(251,118,11)" fg:x="2699" fg:w="1"/><text x="98.7177%" y="143.50"></text></g><g><title>libsystem_malloc.dylib`free_small (1 samples, 0.04%)</title><rect x="98.5042%" y="133" width="0.0365%" height="15" fill="rgb(217,147,25)" fg:x="2700" fg:w="1"/><text x="98.7542%" y="143.50"></text></g><g><title>libsystem_malloc.dylib`nanov2_calloc (1 samples, 0.04%)</title><rect x="98.5407%" y="133" width="0.0365%" height="15" fill="rgb(247,81,37)" fg:x="2701" fg:w="1"/><text x="98.7907%" y="143.50"></text></g><g><title>libsystem_platform.dylib`__bzero (1 samples, 0.04%)</title><rect x="98.5772%" y="133" width="0.0365%" height="15" fill="rgb(209,12,38)" fg:x="2702" fg:w="1"/><text x="98.8272%" y="143.50"></text></g><g><title>libsystem_platform.dylib`_platform_memmove (7 samples, 0.26%)</title><rect x="98.6136%" y="133" width="0.2554%" height="15" fill="rgb(227,1,9)" fg:x="2703" fg:w="7"/><text x="98.8636%" y="143.50"></text></g><g><title>libsystem_platform.dylib`_platform_memset (4 samples, 0.15%)</title><rect x="98.8690%" y="133" width="0.1459%" height="15" fill="rgb(248,47,43)" fg:x="2710" fg:w="4"/><text x="99.1190%" y="143.50"></text></g><g><title>encaps`encaps::main (2,716 samples, 99.09%)</title><rect x="0.0000%" y="149" width="99.0879%" height="15" fill="rgb(221,10,30)" fg:x="0" fg:w="2716"/><text x="0.2500%" y="159.50">encaps`encaps::main</text></g><g><title>libsystem_pthread.dylib`___chkstk_darwin (2 samples, 0.07%)</title><rect x="99.0150%" y="133" width="0.0730%" height="15" fill="rgb(210,229,1)" fg:x="2714" fg:w="2"/><text x="99.2650%" y="143.50"></text></g><g><title>libsystem_malloc.dylib`_free (1 samples, 0.04%)</title><rect x="99.0879%" y="149" width="0.0365%" height="15" fill="rgb(222,148,37)" fg:x="2716" fg:w="1"/><text x="99.3379%" y="159.50"></text></g><g><title>dyld`start (2,740 samples, 99.96%)</title><rect x="0.0000%" y="197" width="99.9635%" height="15" fill="rgb(234,67,33)" fg:x="0" fg:w="2740"/><text x="0.2500%" y="207.50">dyld`start</text></g><g><title>encaps`main (2,740 samples, 99.96%)</title><rect x="0.0000%" y="181" width="99.9635%" height="15" fill="rgb(247,98,35)" fg:x="0" fg:w="2740"/><text x="0.2500%" y="191.50">encaps`main</text></g><g><title>encaps`std::sys_common::backtrace::__rust_begin_short_backtrace (2,740 samples, 99.96%)</title><rect x="0.0000%" y="165" width="99.9635%" height="15" fill="rgb(247,138,52)" fg:x="0" fg:w="2740"/><text x="0.2500%" y="175.50">encaps`std::sys_common::backtrace::__rust_begin_short_backtrace</text></g><g><title>libsystem_platform.dylib`_platform_memmove (23 samples, 0.84%)</title><rect x="99.1244%" y="149" width="0.8391%" height="15" fill="rgb(213,79,30)" fg:x="2717" fg:w="23"/><text x="99.3744%" y="159.50"></text></g><g><title>all (2,741 samples, 100%)</title><rect x="0.0000%" y="213" width="100.0000%" height="15" fill="rgb(246,177,23)" fg:x="0" fg:w="2741"/><text x="0.2500%" y="223.50"></text></g><g><title>libsystem_kernel.dylib`__exit (1 samples, 0.04%)</title><rect x="99.9635%" y="197" width="0.0365%" height="15" fill="rgb(230,62,27)" fg:x="2740" fg:w="1"/><text x="100.2135%" y="207.50"></text></g></svg></svg>
\ No newline at end of file
diff --git a/libcrux-psq/src/psq.rs b/libcrux-psq/src/psq.rs
new file mode 100644
index 000000000..cedb78f80
--- /dev/null
+++ b/libcrux-psq/src/psq.rs
@@ -0,0 +1,492 @@
+//! # PQ-PSK establishment protocol
+//!
+//! This crate implements a post-quantum (PQ) pre-shared key (PSK) establishment
+//! protocol.
+
+#![deny(missing_docs)]
+use std::time::{Duration, SystemTime};
+
+use classic_mceliece_rust::{decapsulate_boxed, encapsulate_boxed};
+use libcrux_hmac::hmac;
+use rand::{CryptoRng, Rng};
+
+const PSK_LENGTH: usize = 32;
+const K0_LENGTH: usize = 32;
+const KM_LENGTH: usize = 32;
+const MAC_LENGTH: usize = 32;
+
+const CONFIRMATION_CONTEXT: &[u8] = b"Confirmation";
+const PSK_CONTEXT: &[u8] = b"PSK";
+
+type Psk = [u8; PSK_LENGTH];
+type Mac = [u8; MAC_LENGTH];
+
+#[derive(Debug)]
+/// PSQ Errors.
+pub enum Error {
+    /// An invalid public key was provided
+    InvalidPublicKey,
+    /// An invalid private key was provided
+    InvalidPrivateKey,
+    /// An error during PSK encapsulation
+    GenerationError,
+    /// An error during PSK decapsulation
+    DerivationError,
+}
+
+/// The algorithm that should be used for the internal KEM.
+pub enum Algorithm {
+    /// An elliptic-curve Diffie-Hellman based KEM (Does not provide post-quantum security)
+    X25519,
+    /// ML-KEM 768, a lattice-based post-quantum KEM, as specified in FIPS 203 (Draft)
+    MlKem768,
+    /// A code-based post-quantum KEM & Round 4 candidate in the NIST PQ competition (Parameter Set `mceliece460896f`)
+    ClassicMcEliece,
+    /// A hybrid post-quantum KEM combining X25519 and ML-KEM 768
+    XWingKemDraft02,
+}
+
+enum Ciphertext {
+    X25519(libcrux_kem::Ct),
+    MlKem768(libcrux_kem::Ct),
+    XWingKemDraft02(libcrux_kem::Ct),
+    ClassicMcEliece(classic_mceliece_rust::Ciphertext),
+}
+
+/// A PSQ public key
+pub enum PublicKey<'a> {
+    ///  for use with X25519-based protocol
+    X25519(libcrux_kem::PublicKey),
+    /// for use with ML-KEM-768-based protocol
+    MlKem768(libcrux_kem::PublicKey),
+    /// for use with hybrid KEM XWingDraft02-based protocol
+    XWingKemDraft02(libcrux_kem::PublicKey),
+    /// for use with Classic McEliece-based protocol
+    ClassicMcEliece(classic_mceliece_rust::PublicKey<'a>),
+}
+
+/// A PSQ private key
+pub enum PrivateKey<'a> {
+    ///  for use with X25519-based protocol
+    X25519(libcrux_kem::PrivateKey),
+    /// for use with ML-KEM-768-based protocol
+    MlKem768(libcrux_kem::PrivateKey),
+    /// for use with hybrid KEM XWingDraft02-based protocol
+    XWingKemDraft02(libcrux_kem::PrivateKey),
+    /// for use with Classic McEliece-based protocol
+    ClassicMcEliece(classic_mceliece_rust::SecretKey<'a>),
+}
+
+enum SharedSecret<'a> {
+    X25519(libcrux_kem::Ss),
+    MlKem768(libcrux_kem::Ss),
+    XWingKemDraft02(libcrux_kem::Ss),
+    ClassicMcEliece(classic_mceliece_rust::SharedSecret<'a>),
+}
+
+impl SharedSecret<'_> {
+    fn encode(&self) -> Vec<u8> {
+        match self {
+            SharedSecret::X25519(ss) => ss.encode(),
+            SharedSecret::MlKem768(ss) => ss.encode(),
+            SharedSecret::ClassicMcEliece(ss) => ss.as_ref().to_owned(),
+            SharedSecret::XWingKemDraft02(ss) => ss.encode(),
+        }
+    }
+}
+
+impl Ciphertext {
+    fn encode(&self) -> Vec<u8> {
+        match self {
+            Ciphertext::X25519(ct) => ct.encode(),
+            Ciphertext::MlKem768(ct) => ct.encode(),
+            Ciphertext::ClassicMcEliece(ct) => ct.as_ref().to_owned(),
+            Ciphertext::XWingKemDraft02(ct) => ct.encode(),
+        }
+    }
+    fn decapsulate(&self, sk: &PrivateKey) -> Result<SharedSecret, Error> {
+        match self {
+            Ciphertext::X25519(ct) => {
+                if let PrivateKey::X25519(sk) = sk {
+                    let ss = ct.decapsulate(sk).unwrap();
+                    Ok(SharedSecret::X25519(ss))
+                } else {
+                    Err(Error::InvalidPrivateKey)
+                }
+            }
+            Ciphertext::MlKem768(ct) => {
+                if let PrivateKey::MlKem768(sk) = sk {
+                    let ss = ct.decapsulate(sk).unwrap();
+                    Ok(SharedSecret::MlKem768(ss))
+                } else {
+                    Err(Error::InvalidPrivateKey)
+                }
+            }
+            Ciphertext::ClassicMcEliece(ct) => {
+                if let PrivateKey::ClassicMcEliece(sk) = sk {
+                    let ss = decapsulate_boxed(ct, sk);
+                    Ok(SharedSecret::ClassicMcEliece(ss))
+                } else {
+                    Err(Error::InvalidPrivateKey)
+                }
+            }
+            Ciphertext::XWingKemDraft02(ct) => {
+                if let PrivateKey::XWingKemDraft02(sk) = sk {
+                    let ss = ct.decapsulate(sk).unwrap();
+                    Ok(SharedSecret::XWingKemDraft02(ss))
+                } else {
+                    Err(Error::InvalidPrivateKey)
+                }
+            }
+        }
+    }
+}
+
+impl From<Algorithm> for libcrux_kem::Algorithm {
+    fn from(val: Algorithm) -> Self {
+        match val {
+            Algorithm::X25519 => libcrux_kem::Algorithm::X25519,
+            Algorithm::MlKem768 => libcrux_kem::Algorithm::MlKem768,
+            Algorithm::ClassicMcEliece => {
+                unimplemented!("libcrux does not support Classic McEliece")
+            }
+            Algorithm::XWingKemDraft02 => libcrux_kem::Algorithm::XWingKemDraft02,
+        }
+    }
+}
+
+/// Generate a PSQ key pair.
+pub fn generate_key_pair(
+    alg: Algorithm,
+    rng: &mut (impl CryptoRng + Rng),
+) -> Result<(PrivateKey<'static>, PublicKey<'static>), Error> {
+    match alg {
+        Algorithm::X25519 => {
+            let (sk, pk) = libcrux_kem::key_gen(alg.into(), rng).unwrap();
+            Ok((PrivateKey::X25519(sk), PublicKey::X25519(pk)))
+        }
+        Algorithm::MlKem768 => {
+            let (sk, pk) = libcrux_kem::key_gen(alg.into(), rng).unwrap();
+            Ok((PrivateKey::MlKem768(sk), PublicKey::MlKem768(pk)))
+        }
+        Algorithm::ClassicMcEliece => {
+            let (pk, sk) = classic_mceliece_rust::keypair_boxed(rng);
+            Ok((
+                PrivateKey::ClassicMcEliece(sk),
+                PublicKey::ClassicMcEliece(pk),
+            ))
+        }
+        Algorithm::XWingKemDraft02 => {
+            let (sk, pk) = libcrux_kem::key_gen(alg.into(), rng).unwrap();
+            Ok((
+                PrivateKey::XWingKemDraft02(sk),
+                PublicKey::XWingKemDraft02(pk),
+            ))
+        }
+    }
+}
+
+impl PublicKey<'_> {
+    /// Return the size (in bytes) of the PSQ public key.
+    pub fn size(&self) -> usize {
+        self.encode().len()
+    }
+    pub(crate) fn encode(&self) -> Vec<u8> {
+        match self {
+            PublicKey::X25519(k) => k.encode(),
+            PublicKey::MlKem768(k) => k.encode(),
+            PublicKey::XWingKemDraft02(k) => k.encode(),
+            PublicKey::ClassicMcEliece(k) => k.as_ref().to_vec(),
+        }
+    }
+
+    /// Use the underlying KEM to encapsulate a shared secret towards the receiver.
+    pub(crate) fn encapsulate(
+        &self,
+        rng: &mut (impl CryptoRng + Rng),
+    ) -> Result<(SharedSecret, Ciphertext), Error> {
+        match self {
+            PublicKey::X25519(pk) => {
+                let (ss, enc) = pk.encapsulate(rng).unwrap();
+                Ok((SharedSecret::X25519(ss), Ciphertext::X25519(enc)))
+            }
+            PublicKey::MlKem768(pk) => {
+                let (ss, enc) = pk.encapsulate(rng).unwrap();
+                Ok((SharedSecret::MlKem768(ss), Ciphertext::MlKem768(enc)))
+            }
+            PublicKey::ClassicMcEliece(pk) => {
+                let (enc, ss) = encapsulate_boxed(pk, rng);
+                Ok((
+                    SharedSecret::ClassicMcEliece(ss),
+                    Ciphertext::ClassicMcEliece(enc),
+                ))
+            }
+            PublicKey::XWingKemDraft02(pk) => {
+                let (ss, enc) = pk.encapsulate(rng).unwrap();
+                Ok((
+                    SharedSecret::XWingKemDraft02(ss),
+                    Ciphertext::XWingKemDraft02(enc),
+                ))
+            }
+        }
+    }
+
+    /// Generate a fresh PSK, and a message encapsulating it for the
+    /// receiver.
+    ///
+    /// The encapsulated PSK is valid for the given duration
+    /// `psk_ttl`, based on milliseconds since the UNIX epoch until
+    /// current system time. Parameter `sctx` is used to
+    /// cryptographically bind the generated PSK to a given outer
+    /// protocol context and may be considered public.
+    pub fn send_psk(
+        &self,
+        sctx: &[u8],
+        psk_ttl: Duration,
+        rng: &mut (impl CryptoRng + Rng),
+    ) -> Result<(Psk, PskMessage), Error> {
+        let (ik, enc) = self.encapsulate(rng).map_err(|_| Error::GenerationError)?;
+        let mut info = self.encode();
+        info.extend_from_slice(&enc.encode());
+        info.extend_from_slice(sctx);
+
+        let k0 = libcrux_hkdf::expand(
+            libcrux_hkdf::Algorithm::Sha256,
+            ik.encode(),
+            info,
+            K0_LENGTH,
+        )
+        .map_err(|_| Error::GenerationError)?;
+
+        let km = libcrux_hkdf::expand(
+            libcrux_hkdf::Algorithm::Sha256,
+            &k0,
+            CONFIRMATION_CONTEXT,
+            KM_LENGTH,
+        )
+        .map_err(|_| Error::GenerationError)?;
+
+        let psk: Psk = libcrux_hkdf::expand(
+            libcrux_hkdf::Algorithm::Sha256,
+            &k0,
+            PSK_CONTEXT,
+            PSK_LENGTH,
+        )
+        .map_err(|_| Error::GenerationError)?
+        .try_into()
+        .expect("should receive the correct number of bytes from HKDF");
+
+        let now = SystemTime::now();
+        let ts = now.duration_since(SystemTime::UNIX_EPOCH).unwrap();
+        let ts_seconds = ts.as_secs();
+        let ts_subsec_millis = ts.subsec_millis();
+        let mut mac_input = ts_seconds.to_be_bytes().to_vec();
+        mac_input.extend_from_slice(&ts_subsec_millis.to_be_bytes());
+        mac_input.extend_from_slice(&psk_ttl.as_millis().to_be_bytes());
+
+        let mac: Mac = hmac(
+            libcrux_hmac::Algorithm::Sha256,
+            &km,
+            &mac_input,
+            Some(MAC_LENGTH),
+        )
+        .try_into()
+        .expect("should receive the correct number of bytes from HMAC");
+
+        Ok((
+            psk,
+            PskMessage {
+                enc,
+                ts: (ts_seconds, ts_subsec_millis),
+                psk_ttl,
+                mac,
+            },
+        ))
+    }
+}
+
+impl PrivateKey<'_> {
+    /// Derive a PSK from a PSQ message.
+    ///
+    /// Can error, if the given PSQ message is invalid, i.e. beyond
+    /// its TTL or cryptographically invalid.
+    pub fn receive_psk(
+        &self,
+        pk: &PublicKey,
+        message: &PskMessage,
+        sctx: &[u8],
+    ) -> Result<Psk, Error> {
+        let PskMessage {
+            enc,
+            ts: (ts_seconds, ts_subsec_millis),
+            psk_ttl,
+            mac,
+        } = message;
+
+        let now = SystemTime::now();
+        let ts_since_epoch =
+            Duration::from_secs(*ts_seconds) + Duration::from_millis((*ts_subsec_millis).into());
+        if now.duration_since(SystemTime::UNIX_EPOCH).unwrap() - ts_since_epoch >= *psk_ttl {
+            Err(Error::DerivationError)
+        } else {
+            let ik = enc.decapsulate(self).map_err(|_| Error::DerivationError)?;
+
+            let mut info = pk.encode();
+            info.extend_from_slice(&enc.encode());
+            info.extend_from_slice(sctx);
+
+            let k0 = libcrux_hkdf::expand(
+                libcrux_hkdf::Algorithm::Sha256,
+                ik.encode(),
+                info,
+                K0_LENGTH,
+            )
+            .map_err(|_| Error::DerivationError)?;
+
+            let km = libcrux_hkdf::expand(
+                libcrux_hkdf::Algorithm::Sha256,
+                &k0,
+                CONFIRMATION_CONTEXT,
+                KM_LENGTH,
+            )
+            .map_err(|_| Error::DerivationError)?;
+
+            let mut mac_input = ts_seconds.to_be_bytes().to_vec();
+            mac_input.extend_from_slice(&ts_subsec_millis.to_be_bytes());
+            mac_input.extend_from_slice(&psk_ttl.as_millis().to_be_bytes());
+
+            let recomputed_mac: Mac = hmac(
+                libcrux_hmac::Algorithm::Sha256,
+                &km,
+                &mac_input,
+                Some(MAC_LENGTH),
+            )
+            .try_into()
+            .expect("should receive the correct number of bytes from HMAC");
+
+            if recomputed_mac != *mac {
+                Err(Error::DerivationError)
+            } else {
+                let psk: Psk = libcrux_hkdf::expand(
+                    libcrux_hkdf::Algorithm::Sha256,
+                    &k0,
+                    PSK_CONTEXT,
+                    PSK_LENGTH,
+                )
+                .map_err(|_| Error::DerivationError)?
+                .try_into()
+                .expect("should receive the correct number of bytes from HKDF");
+
+                Ok(psk)
+            }
+        }
+    }
+}
+
+/// A message that encapsulates as post-quantum PSK of a certain
+/// lifetime, tied to a specific outer protocol context.
+pub struct PskMessage {
+    enc: Ciphertext,
+    ts: (u64, u32),
+    psk_ttl: Duration,
+    mac: Mac,
+}
+
+impl PskMessage {
+    /// Returns the size (in bytes) of the ciphertext enclosed in the message.
+    pub fn ct_size(&self) -> usize {
+        self.enc.encode().len()
+    }
+    /// Returns the total size (in bytes) of the message.
+    pub fn size(&self) -> usize {
+        self.ct_size()
+            + MAC_LENGTH // self.mac.len()
+            + 8 // self.ts.to_be_bytes().len()
+            + 8 // self.psk_ttl.num_milliseconds().to_be_bytes().len()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::thread::sleep;
+
+    use super::*;
+
+    #[test]
+    fn simple_x25519() {
+        let mut rng = rand::thread_rng();
+        let (sk, pk) = generate_key_pair(Algorithm::X25519, &mut rng).unwrap();
+        let sctx = b"test context";
+        let (psk_initiator, message) = pk
+            .send_psk(sctx, Duration::from_secs(2 * 3600), &mut rng)
+            .unwrap();
+
+        let psk_responder = sk.receive_psk(&pk, &message, sctx).unwrap();
+        assert_eq!(psk_initiator, psk_responder);
+    }
+
+    #[test]
+    #[should_panic]
+    fn zero_ttl() {
+        let mut rng = rand::thread_rng();
+        let (sk, pk) = generate_key_pair(Algorithm::X25519, &mut rng).unwrap();
+        let sctx = b"test context";
+        let (_psk_initiator, message) =
+            pk.send_psk(sctx, Duration::from_secs(0), &mut rng).unwrap();
+
+        let _psk_responder = sk.receive_psk(&pk, &message, sctx).unwrap();
+    }
+
+    #[test]
+    #[should_panic]
+    fn expired_timestamp() {
+        let mut rng = rand::thread_rng();
+        let (sk, pk) = generate_key_pair(Algorithm::X25519, &mut rng).unwrap();
+        let sctx = b"test context";
+        let (_psk_initiator, message) =
+            pk.send_psk(sctx, Duration::from_secs(1), &mut rng).unwrap();
+
+        sleep(Duration::from_secs(2));
+
+        let _psk_responder = sk.receive_psk(&pk, &message, sctx).unwrap();
+    }
+
+    #[test]
+    fn simple_mlkem768() {
+        let mut rng = rand::thread_rng();
+        let (sk, pk) = generate_key_pair(Algorithm::MlKem768, &mut rng).unwrap();
+        let sctx = b"test context";
+        let (psk_initiator, message) = pk
+            .send_psk(sctx, Duration::from_secs(2 * 3600), &mut rng)
+            .unwrap();
+
+        let psk_responder = sk.receive_psk(&pk, &message, sctx).unwrap();
+        assert_eq!(psk_initiator, psk_responder);
+    }
+
+    #[test]
+    fn simple_xwing() {
+        let mut rng = rand::thread_rng();
+        let (sk, pk) = generate_key_pair(Algorithm::XWingKemDraft02, &mut rng).unwrap();
+        let sctx = b"test context";
+        let (psk_initiator, message) = pk
+            .send_psk(sctx, Duration::from_secs(2 * 3600), &mut rng)
+            .unwrap();
+
+        let psk_responder = sk.receive_psk(&pk, &message, sctx).unwrap();
+        assert_eq!(psk_initiator, psk_responder);
+    }
+
+    #[test]
+    fn simple_classic_mceliece() {
+        let mut rng = rand::thread_rng();
+        let (sk, pk) = generate_key_pair(Algorithm::ClassicMcEliece, &mut rng).unwrap();
+        let sctx = b"test context";
+        let (psk_initiator, message) = pk
+            .send_psk(sctx, Duration::from_secs(2 * 3600), &mut rng)
+            .unwrap();
+
+        let psk_responder = sk.receive_psk(&pk, &message, sctx).unwrap();
+        assert_eq!(psk_initiator, psk_responder);
+    }
+}