Botan 3.5.0
Crypto and TLS for C&
dilithium_aes.h
Go to the documentation of this file.
1/*
2* Asymmetric primitives for dilithium AES
3* (C) 2022 Jack Lloyd
4* (C) 2022 Manuel Glaser, Michael Boric, René Meusel - Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#ifndef BOTAN_DILITHIUM_AES_SYM_PRIMITIVES_H_
10#define BOTAN_DILITHIUM_AES_SYM_PRIMITIVES_H_
11
12#include <botan/internal/dilithium_symmetric_primitives.h>
13
14#include <botan/internal/aes_crystals_xof.h>
15#include <botan/internal/loadstor.h>
16
17#include <array>
18#include <memory>
19#include <vector>
20
21namespace Botan {
22
24 public:
25 // AES mode always uses AES-256, regardless of the XofType
26 std::unique_ptr<Botan::XOF> XOF(XofType /* type */, std::span<const uint8_t> seed, uint16_t nonce) const final {
27 // Algorithm Spec V. 3.1 Section 5.3
28 // In the AES variant, the first 32 bytes of rhoprime are used as
29 // the key and i is extended to a 12 byte nonce for AES-256 in
30 // counter mode.
31 //
32 // I.e. when the XOF is used in "ExpandS" `seed` (aka rhoprime) will be
33 // 64 bytes long and must be truncated to the 32 most significant bytes.
34 BOTAN_ASSERT_NOMSG(seed.size() >= 32);
35
36 const std::array<uint8_t, 12> iv{get_byte<1>(nonce), get_byte<0>(nonce), 0};
37 const auto key = seed.first(32);
38
39 auto xof = std::make_unique<AES_256_CTR_XOF>();
40 xof->start(iv, key);
41 return xof;
42 }
43};
44
45} // namespace Botan
46
47#endif
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
std::unique_ptr< Botan::XOF > XOF(XofType, std::span< const uint8_t > seed, uint16_t nonce) const final
constexpr uint8_t get_byte(T input)
Definition loadstor.h:75