Botan 3.11.0
Crypto and TLS for C&
frodokem.cpp
Go to the documentation of this file.
1/*
2 * FrodoKEM implementation
3 * Based on the MIT licensed reference implementation by the designers
4 * (https://github.com/microsoft/PQCrypto-LWEKE/tree/master)
5 *
6 * The Fellowship of the FrodoKEM:
7 * (C) 2023 Jack Lloyd
8 * 2023 René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity
9 *
10 * Botan is released under the Simplified BSD License (see license.txt)
11 */
12
13#include <botan/frodokem.h>
14
15#include <botan/assert.h>
16#include <botan/rng.h>
17#include <botan/xof.h>
18#include <botan/internal/buffer_slicer.h>
19#include <botan/internal/buffer_stuffer.h>
20#include <botan/internal/concat_util.h>
21#include <botan/internal/ct_utils.h>
22#include <botan/internal/frodo_constants.h>
23#include <botan/internal/frodo_matrix.h>
24#include <botan/internal/frodo_types.h>
25#include <botan/internal/pk_ops_impl.h>
26
27#include <memory>
28#include <tuple>
29#include <vector>
30
31namespace Botan {
32
33class FrodoKEM_PublicKeyInternal {
34 public:
35 FrodoKEM_PublicKeyInternal(FrodoKEMConstants constants, FrodoSeedA seed_a, FrodoMatrix b) :
36 m_constants(std::move(constants)), m_seed_a(std::move(seed_a)), m_b(std::move(b)) {
37 auto shake = m_constants.create_xof();
38 shake->update(serialize());
39 m_hash = shake->output<FrodoPublicKeyHash>(m_constants.len_sec_bytes());
40 }
41
42 const FrodoKEMConstants& constants() const { return m_constants; }
43
44 const FrodoSeedA& seed_a() const { return m_seed_a; }
45
46 const FrodoMatrix& b() const { return m_b; }
47
48 const FrodoPublicKeyHash& hash() const { return m_hash; }
49
50 std::vector<uint8_t> serialize() const { return concat<std::vector<uint8_t>>(seed_a(), b().pack(m_constants)); }
51
52 private:
53 FrodoKEMConstants m_constants;
54 FrodoSeedA m_seed_a;
55 FrodoMatrix m_b;
56 FrodoPublicKeyHash m_hash;
57};
58
59class FrodoKEM_PrivateKeyInternal {
60 public:
61 FrodoKEM_PrivateKeyInternal(FrodoSeedS s, FrodoMatrix s_trans) :
62 m_s(std::move(s)), m_s_trans(std::move(s_trans)) {}
63
64 const FrodoSeedS& s() const { return m_s; }
65
66 const FrodoMatrix& s_trans() const { return m_s_trans; }
67
68 constexpr void _const_time_poison() const { CT::poison_all(m_s, m_s_trans); }
69
70 constexpr void _const_time_unpoison() const { CT::unpoison_all(m_s, m_s_trans); }
71
72 private:
73 FrodoSeedS m_s;
74 FrodoMatrix m_s_trans;
75};
76
77//
78// - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
79//
80
81namespace {
82
83class Frodo_KEM_Encryptor final : public PK_Ops::KEM_Encryption_with_KDF {
84 public:
85 Frodo_KEM_Encryptor(std::shared_ptr<FrodoKEM_PublicKeyInternal> key, std::string_view kdf) :
86 KEM_Encryption_with_KDF(kdf), m_public_key(std::move(key)) {}
87
88 size_t raw_kem_shared_key_length() const override { return m_public_key->constants().len_sec_bytes(); }
89
90 size_t encapsulated_key_length() const override { return m_public_key->constants().len_ct_bytes(); }
91
92 void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
93 std::span<uint8_t> out_shared_key,
94 RandomNumberGenerator& rng) override {
95 const auto& constants = m_public_key->constants();
96 auto shake = constants.create_xof();
97 auto sample_generator = FrodoMatrix::make_sample_generator(constants, *shake);
98
99 BufferStuffer out_ct_bs(out_encapsulated_key);
100
101 auto c_1 = out_ct_bs.next<FrodoPackedMatrix>(constants.len_packed_b_bytes());
102 auto c_2 = out_ct_bs.next<FrodoPackedMatrix>(constants.len_packed_c_bytes());
103 auto salt = out_ct_bs.next<FrodoSalt>(constants.len_salt_bytes());
104
105 BOTAN_ASSERT_NOMSG(out_ct_bs.full());
106
107 const auto u = rng.random_vec<FrodoPlaintext>(constants.len_sec_bytes());
108 rng.randomize(salt);
109
110 CT::poison(u);
111
112 shake->update(m_public_key->hash());
113 shake->update(u);
114 shake->update(salt);
115 const auto seed_se = shake->output<FrodoSeedSE>(constants.len_se_bytes());
116 const auto k = shake->output<FrodoIntermediateSharedSecret>(constants.len_sec_bytes());
117 shake->clear();
118
119 shake->update(constants.encapsulation_domain_separator());
120 shake->update(seed_se);
121
122 const auto s_p = sample_generator(std::tuple(constants.n_bar(), constants.n()));
123
124 const auto e_p = sample_generator(std::tuple(constants.n_bar(), constants.n()));
125
126 const auto b_p = FrodoMatrix::mul_add_sa_plus_e(constants, s_p, e_p, m_public_key->seed_a());
127
128 b_p.pack(constants, c_1);
129
130 const auto e_pp = sample_generator(std::tuple(constants.n_bar(), constants.n_bar()));
131 shake->clear();
132
133 const auto v = FrodoMatrix::mul_add_sb_plus_e(constants, m_public_key->b(), s_p, e_pp);
134
135 const auto encoded = FrodoMatrix::encode(constants, u);
136
137 const auto c = FrodoMatrix::add(constants, v, encoded);
138
139 c.pack(constants, c_2);
140
141 shake->update(out_encapsulated_key);
142 shake->update(k);
143 shake->output(out_shared_key);
144
145 CT::unpoison_all(out_shared_key, out_encapsulated_key);
146 }
147
148 private:
149 std::shared_ptr<FrodoKEM_PublicKeyInternal> m_public_key;
150};
151
152class Frodo_KEM_Decryptor final : public PK_Ops::KEM_Decryption_with_KDF {
153 public:
154 Frodo_KEM_Decryptor(std::shared_ptr<FrodoKEM_PublicKeyInternal> public_key,
155 std::shared_ptr<FrodoKEM_PrivateKeyInternal> private_key,
156 std::string_view kdf) :
157 KEM_Decryption_with_KDF(kdf), m_public_key(std::move(public_key)), m_private_key(std::move(private_key)) {}
158
159 size_t raw_kem_shared_key_length() const override { return m_public_key->constants().len_sec_bytes(); }
160
161 size_t encapsulated_key_length() const override { return m_public_key->constants().len_ct_bytes(); }
162
163 void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override {
164 auto scope = CT::scoped_poison(*m_private_key);
165
166 const auto& constants = m_public_key->constants();
167 auto shake = constants.create_xof();
168 auto sample_generator = FrodoMatrix::make_sample_generator(constants, *shake);
169
170 if(encapsulated_key.size() != constants.len_ct_bytes()) {
171 throw Invalid_Argument("FrodoKEM ciphertext does not have the correct byte count");
172 }
173
174 BufferSlicer ct_bs(encapsulated_key);
175 auto c_1 = ct_bs.take<FrodoPackedMatrix>(constants.len_packed_b_bytes());
176 auto c_2 = ct_bs.take<FrodoPackedMatrix>(constants.len_packed_c_bytes());
177 auto salt = ct_bs.take<FrodoSalt>(constants.len_salt_bytes());
178 BOTAN_ASSERT_NOMSG(ct_bs.empty());
179
180 const auto b_p = FrodoMatrix::unpack(constants, {constants.n_bar(), constants.n()}, c_1);
181 const auto c = FrodoMatrix::unpack(constants, {constants.n_bar(), constants.n_bar()}, c_2);
182
183 const auto w = FrodoMatrix::mul_bs(constants, b_p, m_private_key->s_trans());
184 const auto m = FrodoMatrix::sub(constants, c, w);
185
186 const auto seed_u_p = m.decode(constants);
187
188 shake->update(m_public_key->hash());
189 shake->update(seed_u_p);
190 shake->update(salt);
191
192 const auto seed_se_p = shake->output<FrodoSeedSE>(constants.len_se_bytes());
193 const auto k_p = shake->output<FrodoIntermediateSharedSecret>(constants.len_sec_bytes());
194 shake->clear();
195
196 shake->update(constants.encapsulation_domain_separator());
197 shake->update(seed_se_p);
198 const auto s_p = sample_generator(std::tuple(constants.n_bar(), constants.n()));
199
200 const auto e_p = sample_generator(std::tuple(constants.n_bar(), constants.n()));
201
202 auto b_pp = FrodoMatrix::mul_add_sa_plus_e(constants, s_p, e_p, m_public_key->seed_a());
203
204 const auto e_pp = sample_generator(std::tuple(constants.n_bar(), constants.n_bar()));
205 shake->clear();
206
207 const auto v = FrodoMatrix::mul_add_sb_plus_e(constants, m_public_key->b(), s_p, e_pp);
208
209 const auto encoded = FrodoMatrix::encode(constants, seed_u_p);
210 auto c_p = FrodoMatrix::add(constants, v, encoded);
211
212 // b_p and c are unpacked values that are reduced by definition.
213 // b_pp and c_p are calculated values that need the reduction for
214 // an unambiguous comparison that is required next.
215 b_pp.reduce(constants);
216 c_p.reduce(constants);
217
218 // The spec concats the matrices b_p and c (b_pp and c_p respectively)
219 // and performs a single CT comparison. For convenience we compare the
220 // matrices individually in CT and CT-&& the resulting masks.
221 const auto cmp = b_p.constant_time_compare(b_pp) & c.constant_time_compare(c_p);
222
223 std::vector<uint8_t> k_bar(constants.len_sec_bytes(), 0);
224 CT::conditional_copy_mem(cmp, k_bar.data(), k_p.data(), m_private_key->s().data(), constants.len_sec_bytes());
225
226 shake->update(encapsulated_key);
227 shake->update(k_bar);
228 shake->output(out_shared_key);
229
230 CT::unpoison(out_shared_key);
231 }
232
233 private:
234 std::shared_ptr<FrodoKEM_PublicKeyInternal> m_public_key;
235 std::shared_ptr<FrodoKEM_PrivateKeyInternal> m_private_key;
236};
237
238} // namespace
239
240//
241// - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
242//
243
244FrodoKEM_PublicKey::FrodoKEM_PublicKey(std::span<const uint8_t> pub_key, FrodoKEMMode mode) {
245 FrodoKEMConstants constants(mode);
246 if(pub_key.size() != constants.len_public_key_bytes()) {
247 throw Invalid_Argument("FrodoKEM public key does not have the correct byte count");
248 }
249
250 BufferSlicer pk_bs(pub_key);
251 auto seed_a = pk_bs.copy<FrodoSeedA>(constants.len_a_bytes());
252 const auto packed_b = pk_bs.take<FrodoPackedMatrix>(constants.d() * constants.n() * constants.n_bar() / 8);
253 BOTAN_ASSERT_NOMSG(pk_bs.empty());
254
255 auto b = FrodoMatrix::unpack(constants, std::tuple(constants.n(), constants.n_bar()), packed_b);
256
257 m_public = std::make_shared<FrodoKEM_PublicKeyInternal>(std::move(constants), std::move(seed_a), std::move(b));
258}
259
260FrodoKEM_PublicKey::FrodoKEM_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) :
261 FrodoKEM_PublicKey(key_bits, FrodoKEMMode(alg_id.oid())) {}
262
263FrodoKEM_PublicKey::FrodoKEM_PublicKey(const FrodoKEM_PublicKey& other) {
264 m_public = std::make_shared<FrodoKEM_PublicKeyInternal>(
265 other.m_public->constants(), other.m_public->seed_a(), other.m_public->b());
266}
267
268FrodoKEM_PublicKey& FrodoKEM_PublicKey::operator=(const FrodoKEM_PublicKey& other) {
269 if(this != &other) {
270 m_public = std::make_shared<FrodoKEM_PublicKeyInternal>(
271 other.m_public->constants(), other.m_public->seed_a(), other.m_public->b());
272 }
273 return *this;
274}
275
279
280OID FrodoKEM_PublicKey::object_identifier() const {
281 return m_public->constants().mode().object_identifier();
282}
283
284size_t FrodoKEM_PublicKey::key_length() const {
285 return m_public->constants().n();
286}
287
288size_t FrodoKEM_PublicKey::estimated_strength() const {
289 return m_public->constants().estimated_strength();
290}
291
292std::vector<uint8_t> FrodoKEM_PublicKey::raw_public_key_bits() const {
293 return concat<std::vector<uint8_t>>(m_public->seed_a(), m_public->b().pack(m_public->constants()));
294}
295
296std::vector<uint8_t> FrodoKEM_PublicKey::public_key_bits() const {
297 // Currently, there isn't a finalized definition of an ASN.1 structure for
298 // FrodoKEM public keys. Therefore, we return the raw public key bits.
299 return raw_public_key_bits();
300}
301
302bool FrodoKEM_PublicKey::check_key(RandomNumberGenerator& /*rng*/, bool /*strong*/) const {
303 return true;
304}
305
306std::unique_ptr<Private_Key> FrodoKEM_PublicKey::generate_another(RandomNumberGenerator& rng) const {
307 return std::make_unique<FrodoKEM_PrivateKey>(rng, m_public->constants().mode());
308}
309
310std::unique_ptr<PK_Ops::KEM_Encryption> FrodoKEM_PublicKey::create_kem_encryption_op(std::string_view params,
311 std::string_view provider) const {
312 if(provider.empty() || provider == "base") {
313 return std::make_unique<Frodo_KEM_Encryptor>(m_public, params);
314 }
315 throw Provider_Not_Found(algo_name(), provider);
316}
317
318//
319// - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
320//
321
322FrodoKEM_PrivateKey::FrodoKEM_PrivateKey(RandomNumberGenerator& rng, FrodoKEMMode mode) {
323 FrodoKEMConstants constants(mode);
324 auto shake = constants.create_xof();
325
326 auto s = rng.random_vec<FrodoSeedS>(constants.len_sec_bytes());
327 const auto seed_se = rng.random_vec<FrodoSeedSE>(constants.len_se_bytes());
328 const auto z = rng.random_vec<FrodoSeedZ>(constants.len_a_bytes());
329
330 CT::poison_all(s, seed_se);
331
332 shake->update(z);
333 auto seed_a = shake->output<FrodoSeedA>(constants.len_a_bytes());
334 shake->clear();
335
336 shake->update(constants.keygen_domain_separator());
337 shake->update(seed_se);
338
339 auto sample_generator = FrodoMatrix::make_sample_generator(constants, *shake);
340 auto s_trans = sample_generator(std::tuple(constants.n_bar(), constants.n()));
341 auto e = sample_generator(std::tuple(constants.n(), constants.n_bar()));
342 shake->clear();
343
344 auto b = FrodoMatrix::mul_add_as_plus_e(constants, s_trans, e, seed_a);
345
346 CT::unpoison_all(s, s_trans, b);
347
348 m_public = std::make_shared<FrodoKEM_PublicKeyInternal>(std::move(constants), std::move(seed_a), std::move(b));
349 m_private = std::make_shared<FrodoKEM_PrivateKeyInternal>(std::move(s), std::move(s_trans));
350}
351
352FrodoKEM_PrivateKey::FrodoKEM_PrivateKey(std::span<const uint8_t> sk, FrodoKEMMode mode) {
353 FrodoKEMConstants constants(mode);
354
355 if(sk.size() != constants.len_private_key_bytes()) {
356 throw Invalid_Argument("FrodoKEM private key does not have the correct byte count");
357 }
358
359 BufferSlicer sk_bs(sk);
360 auto s = sk_bs.copy<FrodoSeedS>(constants.len_sec_bytes());
361 auto seed_a = sk_bs.copy<FrodoSeedA>(constants.len_a_bytes());
362 const auto packed_b = sk_bs.take<FrodoPackedMatrix>(constants.d() * constants.n() * constants.n_bar() / 8);
363 const auto s_trans_bytes = sk_bs.take<FrodoSerializedMatrix>(constants.n_bar() * constants.n() * 2);
364 const auto pkh = sk_bs.copy<FrodoPublicKeyHash>(constants.len_sec_bytes());
365 BOTAN_ASSERT_NOMSG(sk_bs.empty());
366
367 auto b = FrodoMatrix::unpack(constants, std::tuple(constants.n(), constants.n_bar()), packed_b);
368 auto s_trans = FrodoMatrix::deserialize({constants.n_bar(), constants.n()}, s_trans_bytes);
369
370 m_public = std::make_shared<FrodoKEM_PublicKeyInternal>(std::move(constants), std::move(seed_a), std::move(b));
371 m_private = std::make_shared<FrodoKEM_PrivateKeyInternal>(std::move(s), std::move(s_trans));
372
373 BOTAN_STATE_CHECK(pkh == m_public->hash());
374}
375
376FrodoKEM_PrivateKey::FrodoKEM_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits) :
377 FrodoKEM_PrivateKey(key_bits, FrodoKEMMode(alg_id.oid())) {}
378
379std::unique_ptr<Public_Key> FrodoKEM_PrivateKey::public_key() const {
380 return std::make_unique<FrodoKEM_PublicKey>(*this);
381}
382
383secure_vector<uint8_t> FrodoKEM_PrivateKey::private_key_bits() const {
384 return raw_private_key_bits(); // TODO: check if we need to do something else here
385}
386
387secure_vector<uint8_t> FrodoKEM_PrivateKey::raw_private_key_bits() const {
388 return concat<secure_vector<uint8_t>>(m_private->s(),
389 m_public->seed_a(),
390 m_public->b().pack(m_public->constants()),
391 m_private->s_trans().serialize(),
392 m_public->hash());
393}
394
395std::unique_ptr<PK_Ops::KEM_Decryption> FrodoKEM_PrivateKey::create_kem_decryption_op(RandomNumberGenerator& rng,
396 std::string_view params,
397 std::string_view provider) const {
398 BOTAN_UNUSED(rng);
399 if(provider.empty() || provider == "base") {
400 return std::make_unique<Frodo_KEM_Decryptor>(m_public, m_private, params);
401 }
402 throw Provider_Not_Found(algo_name(), provider);
403}
404
405} // namespace Botan
BOTAN_UNUSED
#define BOTAN_UNUSED
Definition assert.h:144
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
Botan::BufferSlicer::copy
auto copy(const size_t count)
Definition buffer_slicer.h:28
Botan::BufferSlicer::take
std::span< const uint8_t > take(const size_t count)
Definition buffer_slicer.h:37
Botan::FrodoKEMConstants::keygen_domain_separator
FrodoDomainSeparator keygen_domain_separator() const
Definition frodo_constants.h:77
Botan::FrodoKEMConstants::len_private_key_bytes
size_t len_private_key_bytes() const
Definition frodo_constants.h:67
Botan::FrodoKEMConstants::len_public_key_bytes
size_t len_public_key_bytes() const
Definition frodo_constants.h:65
Botan::FrodoKEMConstants::create_xof
std::unique_ptr< XOF > create_xof() const
Definition frodo_constants.cpp:100
Botan::FrodoKEM_PrivateKey::FrodoKEM_PrivateKey
FrodoKEM_PrivateKey(RandomNumberGenerator &rng, FrodoKEMMode mode)
Definition frodokem.cpp:322
Botan::FrodoKEM_PrivateKey::create_kem_decryption_op
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition frodokem.cpp:395
Botan::FrodoKEM_PrivateKey::raw_private_key_bits
secure_vector< uint8_t > raw_private_key_bits() const override
Definition frodokem.cpp:387
Botan::FrodoKEM_PrivateKey::private_key_bits
secure_vector< uint8_t > private_key_bits() const override
Definition frodokem.cpp:383
Botan::FrodoKEM_PrivateKey::public_key
std::unique_ptr< Public_Key > public_key() const override
Definition frodokem.cpp:379
Botan::FrodoKEM_PublicKey::estimated_strength
size_t estimated_strength() const override
Definition frodokem.cpp:288
Botan::FrodoKEM_PublicKey::algorithm_identifier
AlgorithmIdentifier algorithm_identifier() const override
Definition frodokem.cpp:276
Botan::FrodoKEM_PublicKey::create_kem_encryption_op
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(std::string_view params, std::string_view provider) const override
Definition frodokem.cpp:310
Botan::FrodoKEM_PublicKey::key_length
size_t key_length() const override
Definition frodokem.cpp:284
Botan::FrodoKEM_PublicKey::m_public
std::shared_ptr< FrodoKEM_PublicKeyInternal > m_public
Definition frodokem.h:75
Botan::FrodoKEM_PublicKey::FrodoKEM_PublicKey
FrodoKEM_PublicKey(std::span< const uint8_t > pub_key, FrodoKEMMode mode)
Definition frodokem.cpp:244
Botan::FrodoKEM_PublicKey::generate_another
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Definition frodokem.cpp:306
Botan::FrodoKEM_PublicKey::public_key_bits
std::vector< uint8_t > public_key_bits() const override
Definition frodokem.cpp:296
Botan::FrodoKEM_PublicKey::operator=
FrodoKEM_PublicKey & operator=(const FrodoKEM_PublicKey &other)
Definition frodokem.cpp:268
Botan::FrodoKEM_PublicKey::algo_name
std::string algo_name() const override
Definition frodokem.h:46
Botan::FrodoKEM_PublicKey::check_key
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Definition frodokem.cpp:302
Botan::FrodoKEM_PublicKey::raw_public_key_bits
std::vector< uint8_t > raw_public_key_bits() const override
Definition frodokem.cpp:292
Botan::FrodoKEM_PublicKey::FrodoKEM_PublicKey
FrodoKEM_PublicKey()=default
Botan::FrodoKEM_PublicKey::object_identifier
OID object_identifier() const override
Definition frodokem.cpp:280
Botan::FrodoMatrix::mul_add_sa_plus_e
static FrodoMatrix mul_add_sa_plus_e(const FrodoKEMConstants &constants, const FrodoMatrix &s, const FrodoMatrix &e, StrongSpan< const FrodoSeedA > seed_a)
Definition frodo_matrix.cpp:166
Botan::FrodoMatrix::make_sample_generator
static std::function< FrodoMatrix(const Dimensions &dimensions)> make_sample_generator(const FrodoKEMConstants &constants, Botan::XOF &shake)
Definition frodo_matrix.cpp:94
Botan::FrodoMatrix::mul_add_sb_plus_e
static FrodoMatrix mul_add_sb_plus_e(const FrodoKEMConstants &constants, const FrodoMatrix &b, const FrodoMatrix &s, const FrodoMatrix &e)
Definition frodo_matrix.cpp:224
Botan::FrodoMatrix::mul_add_as_plus_e
static FrodoMatrix mul_add_as_plus_e(const FrodoKEMConstants &constants, const FrodoMatrix &s, const FrodoMatrix &e, StrongSpan< const FrodoSeedA > seed_a)
Definition frodo_matrix.cpp:106
Botan::FrodoMatrix::sub
static FrodoMatrix sub(const FrodoKEMConstants &constants, const FrodoMatrix &a, const FrodoMatrix &b)
Definition frodo_matrix.cpp:290
Botan::FrodoMatrix::add
static FrodoMatrix add(const FrodoKEMConstants &constants, const FrodoMatrix &a, const FrodoMatrix &b)
Definition frodo_matrix.cpp:275
Botan::FrodoMatrix::encode
static FrodoMatrix encode(const FrodoKEMConstants &constants, StrongSpan< const FrodoPlaintext > in)
Definition frodo_matrix.cpp:252
Botan::FrodoMatrix::unpack
static FrodoMatrix unpack(const FrodoKEMConstants &constants, const Dimensions &dimensions, StrongSpan< const FrodoPackedMatrix > packed_bytes)
Definition frodo_matrix.cpp:417
Botan::FrodoMatrix::mul_bs
static FrodoMatrix mul_bs(const FrodoKEMConstants &constants, const FrodoMatrix &b_p, const FrodoMatrix &s)
Definition frodo_matrix.cpp:313
Botan::FrodoMatrix::deserialize
static FrodoMatrix deserialize(const Dimensions &dimensions, StrongSpan< const FrodoSerializedMatrix > bytes)
Definition frodo_matrix.cpp:474
Botan::Invalid_Argument
Definition exceptn.h:132
Botan::PK_Ops::KEM_Decryption_with_KDF
Definition pk_ops_impl.h:149
Botan::PK_Ops::KEM_Encryption_with_KDF
Definition pk_ops_impl.h:124
Botan::Provider_Not_Found
Definition exceptn.h:263
Botan::RandomNumberGenerator::random_vec
void random_vec(std::span< uint8_t > v)
Definition rng.h:204
Botan::CT::poison_all
constexpr void poison_all(const Ts &... ts)
Definition ct_utils.h:201
Botan::CT::conditional_copy_mem
constexpr Mask< T > conditional_copy_mem(Mask< T > mask, T *dest, const T *if_set, const T *if_unset, size_t elems)
Definition ct_utils.h:732
Botan::CT::scoped_poison
constexpr auto scoped_poison(const Ts &... xs)
Definition ct_utils.h:222
Botan::CT::unpoison_all
constexpr void unpoison_all(const Ts &... ts)
Definition ct_utils.h:207
Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:67
Botan::CT::poison
constexpr void poison(const T *p, size_t n)
Definition ct_utils.h:56
Botan::FrodoSeedSE
Strong< secure_vector< uint8_t >, struct FrodoSeedSE_ > FrodoSeedSE
Definition frodo_types.h:29
Botan::FrodoSerializedMatrix
Strong< secure_vector< uint8_t >, struct FrodoSerializedMatrix_ > FrodoSerializedMatrix
Definition frodo_types.h:44
Botan::FrodoSeedZ
Strong< std::vector< uint8_t >, struct FrodoSeedZ_ > FrodoSeedZ
Definition frodo_types.h:32
Botan::FrodoIntermediateSharedSecret
Strong< secure_vector< uint8_t >, struct FrodoIntermediateSharedSecret_ > FrodoIntermediateSharedSecret
Definition frodo_types.h:56
Botan::FrodoPublicKeyHash
Strong< std::vector< uint8_t >, struct FrodoPublicKeyHash_ > FrodoPublicKeyHash
Definition frodo_types.h:38
Botan::concat
constexpr auto concat(Rs &&... ranges)
Definition concat_util.h:90
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::FrodoSeedA
Strong< std::vector< uint8_t >, struct FrodoSeedA_ > FrodoSeedA
Definition frodo_types.h:23
Botan::FrodoPlaintext
Strong< secure_vector< uint8_t >, struct FrodoPlaintext_ > FrodoPlaintext
Definition frodo_types.h:50
Botan::FrodoSalt
Strong< std::vector< uint8_t >, struct FrodoSalt_ > FrodoSalt
Definition frodo_types.h:53
Botan::FrodoPackedMatrix
Strong< std::vector< uint8_t >, struct FrodoPackedMatrix_ > FrodoPackedMatrix
Definition frodo_types.h:41
Botan::FrodoSeedS
Strong< secure_vector< uint8_t >, struct FrodoSeedS_ > FrodoSeedS
Definition frodo_types.h:26
Generated by doxygen 1.15.0