15#include <botan/kyber.h>
17#include <botan/assert.h>
18#include <botan/mem_ops.h>
19#include <botan/pubkey.h>
21#include <botan/secmem.h>
23#include <botan/internal/ct_utils.h>
24#include <botan/internal/fmt.h>
25#include <botan/internal/kyber_algos.h>
26#include <botan/internal/kyber_constants.h>
27#include <botan/internal/kyber_keys.h>
28#include <botan/internal/kyber_symmetric_primitives.h>
29#include <botan/internal/kyber_types.h>
30#include <botan/internal/stl_util.h>
32#if defined(BOTAN_HAS_KYBER)
33 #include <botan/internal/kyber_modern.h>
36#if defined(BOTAN_HAS_KYBER_90S)
37 #include <botan/internal/kyber_90s.h>
40#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
41 #include <botan/internal/kyber_round3_impl.h>
44#if defined(BOTAN_HAS_ML_KEM)
45 #include <botan/internal/ml_kem_impl.h>
56 if(str ==
"Kyber-512-90s-r3") {
59 if(str ==
"Kyber-768-90s-r3") {
62 if(str ==
"Kyber-1024-90s-r3") {
65 if(str ==
"Kyber-512-r3") {
68 if(str ==
"Kyber-768-r3") {
71 if(str ==
"Kyber-1024-r3") {
74 if(str ==
"ML-KEM-512") {
77 if(str ==
"ML-KEM-768") {
80 if(str ==
"ML-KEM-1024") {
102 return "Kyber-512-90s-r3";
104 return "Kyber-768-90s-r3";
106 return "Kyber-1024-90s-r3";
108 return "Kyber-512-r3";
110 return "Kyber-768-r3";
112 return "Kyber-1024-r3";
118 return "ML-KEM-1024";
142#if defined(BOTAN_HAS_KYBER)
148#if defined(BOTAN_HAS_KYBER_90S)
154#if defined(BOTAN_HAS_ML_KEM)
184 return m_public->mode().estimated_strength();
199 return m_public->public_key_bits_raw().get();
209 return m_public->mode().canonical_parameter_set_identifier();
218 std::vector<uint8_t> test(
m_public->mode().polynomial_vector_bytes());
221 const auto& serialized_pubkey =
m_public->public_key_bits_raw();
222 return test.size() < serialized_pubkey.size() && std::equal(test.begin(), test.end(), serialized_pubkey.begin());
226 return std::make_unique<Kyber_PrivateKey>(rng,
mode());
245 if(
mode.mode().is_ml_kem() && sk.size() ==
mode.seed_private_key_bytes()) {
247 }
else if(sk.size() ==
mode.expanded_private_key_bytes()) {
249 }
else if(!
mode.mode().is_ml_kem() && sk.size() ==
mode.seed_private_key_bytes()) {
250 throw Invalid_Argument(
"Kyber round 3 private keys do not support the seed format");
257 return std::make_unique<Kyber_PublicKey>(*
this);
284 const auto K_prime = dec.decrypt(c);
290 std::string_view provider)
const {
291 if(provider.empty() || provider ==
"base") {
292#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
293 if(
mode().is_kyber_round3()) {
294 return std::make_unique<Kyber_KEM_Encryptor>(
m_public, params);
298#if defined(BOTAN_HAS_ML_KEM)
299 if(
mode().is_ml_kem()) {
300 return std::make_unique<ML_KEM_Encryptor>(
m_public, params);
310 std::string_view params,
311 std::string_view provider)
const {
313 if(provider.empty() || provider ==
"base") {
314#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
315 if(
mode().is_kyber_round3()) {
316 return std::make_unique<Kyber_KEM_Decryptor>(m_private,
m_public, params);
320#if defined(BOTAN_HAS_ML_KEM)
321 if(
mode().is_ml_kem()) {
322 return std::make_unique<ML_KEM_Decryptor>(m_private,
m_public, params);
332 if(
mode().is_ml_kem() && m_private->seed().d.has_value()) {
340 throw Encoding_Error(
"Expanded private keys do not support the seed format");
342 const auto codec = [&]() -> std::unique_ptr<Kyber_Keypair_Codec> {
345 return std::make_unique<Seed_Expanding_Keypair_Codec>();
347 return std::make_unique<Expanded_Keypair_Codec>();
351 return codec->encode_keypair({
m_public, m_private});
#define BOTAN_ASSERT_UNREACHABLE()
Codec for expanded private keys (as specified in FIPS 203)
KyberInternalKeypair decode_keypair(std::span< const uint8_t > buffer, KyberConstants mode) const override
static std::pair< std::vector< uint8_t >, secure_vector< uint8_t > > destructure(KEM_Encapsulation &&kem)
static constexpr size_t SEED_BYTES
bool is_available() const
bool is_kyber_round3() const
std::string to_string() const
OID object_identifier() const
MlPrivateKeyFormat private_key_format() const
secure_vector< uint8_t > private_key_bits_with_format(MlPrivateKeyFormat format) const
std::unique_ptr< PK_Ops::KEM_Decryption > create_kem_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
std::unique_ptr< Public_Key > public_key() const override
bool check_key(RandomNumberGenerator &rng, bool strong) const override
Kyber_PrivateKey(RandomNumberGenerator &rng, KyberMode mode)
secure_vector< uint8_t > raw_private_key_bits() const override
secure_vector< uint8_t > private_key_bits() const override
std::vector< uint8_t > public_key_bits() const override
std::vector< uint8_t > raw_public_key_bits() const override
bool check_key(RandomNumberGenerator &rng, bool strong) const override
std::string algo_name() const override
std::shared_ptr< Kyber_PublicKeyInternal > m_public
size_t key_length() const override
AlgorithmIdentifier algorithm_identifier() const override
Kyber_PublicKey()=default
std::unique_ptr< PK_Ops::KEM_Encryption > create_kem_encryption_op(std::string_view params, std::string_view provider) const override
OID object_identifier() const override
std::unique_ptr< Private_Key > generate_another(RandomNumberGenerator &rng) const final
Kyber_PublicKey(std::span< const uint8_t > pub_key, KyberMode mode)
size_t estimated_strength() const override
static OID from_string(std::string_view str)
void random_vec(std::span< uint8_t > v)
Codec for private keys as 64-byte seeds: d || z.
KyberInternalKeypair decode_keypair(std::span< const uint8_t > buffer, KyberConstants mode) const override
void encode_polynomial_vector(std::span< uint8_t > out, const KyberPolyVecNTT &vec)
KyberInternalKeypair expand_keypair(KyberPrivateKeySeed seed, KyberConstants mode)
Strong< secure_vector< uint8_t >, struct KyberImplicitRejectionValue_ > KyberImplicitRejectionValue
Secret random value (called Z in the spec), used for implicit rejection in the decapsulation.
std::string fmt(std::string_view format, const T &... args)
Strong< secure_vector< uint8_t >, struct KyberSeedRandomness_ > KyberSeedRandomness
Principal seed used to generate Kyber key pairs.
std::vector< T, secure_allocator< T > > secure_vector
MlPrivateKeyFormat
Byte encoding format of ML-KEM and ML-DSA the private key.
@ Expanded
The expanded format, i.e., the format specified in FIPS-203/204.
Strong< std::vector< uint8_t >, struct KyberSerializedPublicKey_ > KyberSerializedPublicKey
Public key in serialized form (t || rho)