doxygen/kyber__algos_8h_source.html

/*

 * Crystals Kyber Internal Algorithms

 * Based on the public domain reference implementation by the

 * designers (https://github.com/pq-crystals/kyber)

 *

 * Further changes

 * (C) 2021-2024 Jack Lloyd

 * (C) 2021-2022 Manuel Glaser and Michael Boric, Rohde & Schwarz Cybersecurity

 * (C) 2021-2022 René Meusel and Hannes Rantzsch, neXenio GmbH

 * (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 */


#ifndef BOTAN_KYBER_ALGOS_H_

#define BOTAN_KYBER_ALGOS_H_


#include <botan/internal/kyber_symmetric_primitives.h>

#include <botan/internal/kyber_types.h>


namespace Botan::Kyber_Algos {


void encode_polynomial_vector(std::span<uint8_t> out, const KyberPolyVecNTT& p);


KyberPolyVecNTT decode_polynomial_vector(std::span<const uint8_t> a, const KyberConstants& mode);


KyberPoly polynomial_from_message(StrongSpan<const KyberMessage> msg);


KyberMessage polynomial_to_message(const KyberPoly& p);


KyberInternalKeypair expand_keypair(KyberPrivateKeySeed seed, KyberConstants mode);


void compress_ciphertext(StrongSpan<KyberCompressedCiphertext> out,

                         const KyberPolyVec& u,

                         const KyberPoly& v,

                         const KyberConstants& m_mode);


std::pair<KyberPolyVec, KyberPoly> decompress_ciphertext(StrongSpan<const KyberCompressedCiphertext> ct,

                                                         const KyberConstants& mode);


KyberPolyMat sample_matrix(StrongSpan<const KyberSeedRho> seed, bool transposed, const KyberConstants& mode);


void sample_polynomial_from_cbd(KyberPoly& poly,

                                KyberConstants::KyberEta eta,

                                const KyberSamplingRandomness& randomness);


template <concepts::resizable_byte_buffer T = secure_vector<uint8_t>>


T encode_polynomial_vector(const KyberPolyVecNTT& vec, const KyberConstants& mode) {

   T r(mode.polynomial_vector_bytes());

   encode_polynomial_vector(r, vec);

   return r;

}


/**

 * Allows sampling multiple polynomials from a single seed via a XOF.

 *

 * Used in Algorithms 13 (K-PKE.KeyGen) and 14 (K-PKE.Encrypt), and takes care

 * of the continuous nonce value internally.

 */

template <typename SeedT>

   requires std::same_as<KyberSeedSigma, SeedT> || std::same_as<KyberEncryptionRandomness, SeedT>


class PolynomialSampler {

   public:


      PolynomialSampler(StrongSpan<const SeedT> seed, const KyberConstants& mode) :

            m_seed(seed), m_mode(mode), m_nonce(0) {}


      KyberPolyVec sample_polynomial_vector_cbd_eta1() {

         KyberPolyVec vec(m_mode.k());

         for(auto& poly : vec) {

            sample_poly_cbd(poly, m_mode.eta1());

         }

         return vec;

      }


      KyberPoly sample_polynomial_cbd_eta2()

         requires std::same_as<KyberEncryptionRandomness, SeedT>

      {

         KyberPoly poly;

         sample_poly_cbd(poly, m_mode.eta2());

         return poly;

      }


      KyberPolyVec sample_polynomial_vector_cbd_eta2()

         requires std::same_as<KyberEncryptionRandomness, SeedT>

      {

         KyberPolyVec vec(m_mode.k());

         for(auto& poly : vec) {

            sample_poly_cbd(poly, m_mode.eta2());

         }

         return vec;

      }


   private:

      KyberSamplingRandomness prf(size_t bytes) {

         const auto& sym = m_mode.symmetric_primitives();

         auto seed_span = m_seed.get();

         sym.setup_PRF(m_prf_xof, seed_span, m_nonce++);

         return m_prf_xof->output<KyberSamplingRandomness>(bytes);

      }


      void sample_poly_cbd(KyberPoly& poly, KyberConstants::KyberEta eta) {

         const auto randomness = [&] {

            switch(eta) {

               case KyberConstants::KyberEta::_2:

                  return prf(2 * poly.size() / 4);

               case KyberConstants::KyberEta::_3:

                  return prf(3 * poly.size() / 4);

            }


            BOTAN_ASSERT_UNREACHABLE();

         }();


         sample_polynomial_from_cbd(poly, eta, randomness);

      }


   private:

      StrongSpan<const SeedT> m_seed;

      const KyberConstants& m_mode;

      uint8_t m_nonce;

      std::unique_ptr<Botan::XOF> m_prf_xof;

};


template <typename T>

PolynomialSampler(T, const KyberConstants&) -> PolynomialSampler<T>;


}  // namespace Botan::Kyber_Algos


#endif

BOTAN_ASSERT_UNREACHABLE
#define BOTAN_ASSERT_UNREACHABLE()
Definition assert.h:163

Botan::CRYSTALS::Polynomial::size
constexpr size_t size() const
Definition pqcrystals.h:276

Botan::KyberConstants
Definition kyber_constants.h:21

Botan::KyberConstants::KyberEta
KyberEta
Definition kyber_constants.h:52

Botan::KyberConstants::_3
@ _3
Definition kyber_constants.h:52

Botan::KyberConstants::_2
@ _2
Definition kyber_constants.h:52

Botan::KyberConstants::polynomial_vector_bytes
size_t polynomial_vector_bytes() const
byte length of an encoded polynomial vector
Definition kyber_constants.h:99

Botan::KyberConstants::symmetric_primitives
Kyber_Symmetric_Primitives & symmetric_primitives() const
Definition kyber_constants.h:125

Botan::Kyber_Algos::PolynomialSampler
Definition kyber_algos.h:62

Botan::Kyber_Algos::PolynomialSampler::sample_polynomial_cbd_eta2
KyberPoly sample_polynomial_cbd_eta2()
Definition kyber_algos.h:75

Botan::Kyber_Algos::PolynomialSampler::PolynomialSampler
PolynomialSampler(StrongSpan< const SeedT > seed, const KyberConstants &mode)
Definition kyber_algos.h:64

Botan::Kyber_Algos::PolynomialSampler::sample_polynomial_vector_cbd_eta1
KyberPolyVec sample_polynomial_vector_cbd_eta1()
Definition kyber_algos.h:67

Botan::Kyber_Algos::PolynomialSampler::sample_polynomial_vector_cbd_eta2
KyberPolyVec sample_polynomial_vector_cbd_eta2()
Definition kyber_algos.h:83

Botan::StrongSpan
Definition strong_type.h:659

Botan::StrongSpan::get
underlying_span get() const
Definition strong_type.h:703

Botan::Kyber_Algos
Definition kyber_algos.cpp:27

Botan::Kyber_Algos::PolynomialSampler
PolynomialSampler(T, const KyberConstants &) -> PolynomialSampler< T >

Botan::Kyber_Algos::encode_polynomial_vector
void encode_polynomial_vector(std::span< uint8_t > out, const KyberPolyVecNTT &vec)
Definition kyber_algos.cpp:186

Botan::Kyber_Algos::polynomial_to_message
KyberMessage polynomial_to_message(const KyberPoly &p)
Definition kyber_algos.cpp:214

Botan::Kyber_Algos::sample_matrix
KyberPolyMat sample_matrix(StrongSpan< const KyberSeedRho > seed, bool transposed, const KyberConstants &mode)
Definition kyber_algos.cpp:382

Botan::Kyber_Algos::compress_ciphertext
void compress_ciphertext(StrongSpan< KyberCompressedCiphertext > out, const KyberPolyVec &u, const KyberPoly &v, const KyberConstants &m_mode)
Definition kyber_algos.cpp:354

Botan::Kyber_Algos::expand_keypair
KyberInternalKeypair expand_keypair(KyberPrivateKeySeed seed, KyberConstants mode)
Definition kyber_algos.cpp:323

Botan::Kyber_Algos::polynomial_from_message
KyberPoly polynomial_from_message(StrongSpan< const KyberMessage > msg)
Definition kyber_algos.cpp:206

Botan::Kyber_Algos::sample_polynomial_from_cbd
void sample_polynomial_from_cbd(KyberPoly &poly, KyberConstants::KyberEta eta, const KyberSamplingRandomness &randomness)
Definition kyber_algos.cpp:407

Botan::Kyber_Algos::decompress_ciphertext
std::pair< KyberPolyVec, KyberPoly > decompress_ciphertext(StrongSpan< const KyberCompressedCiphertext > ct, const KyberConstants &mode)
Definition kyber_algos.cpp:364

Botan::Kyber_Algos::decode_polynomial_vector
KyberPolyVecNTT decode_polynomial_vector(std::span< const uint8_t > a, const KyberConstants &mode)
Definition kyber_algos.cpp:194

Botan::KyberEncryptionRandomness
Strong< secure_vector< uint8_t >, struct KyberEncryptionRandomness_ > KyberEncryptionRandomness
Random value used to generate the Kyber ciphertext.
Definition kyber_types.h:48

Botan::KyberMessage
Strong< secure_vector< uint8_t >, struct KyberMessage_ > KyberMessage
Random message value to be encrypted by the CPA-secure Kyber encryption scheme.
Definition kyber_types.h:45

Botan::KyberPoly
Botan::CRYSTALS::Polynomial< KyberPolyTraits, Botan::CRYSTALS::Domain::Normal > KyberPoly
Definition kyber_types.h:29

Botan::KyberPolyVecNTT
Botan::CRYSTALS::PolynomialVector< KyberPolyTraits, Botan::CRYSTALS::Domain::NTT > KyberPolyVecNTT
Definition kyber_types.h:26

Botan::KyberSamplingRandomness
Strong< secure_vector< uint8_t >, struct KyberSamplingRandomness_ > KyberSamplingRandomness
PRF value used for sampling of error polynomials.
Definition kyber_types.h:51

Botan::KyberInternalKeypair
std::pair< std::shared_ptr< Kyber_PublicKeyInternal >, std::shared_ptr< Kyber_PrivateKeyInternal > > KyberInternalKeypair
Definition kyber_types.h:73

Botan::KyberPolyMat
Botan::CRYSTALS::PolynomialMatrix< KyberPolyTraits > KyberPolyMat
Definition kyber_types.h:27

Botan::KyberPolyVec
Botan::CRYSTALS::PolynomialVector< KyberPolyTraits, Botan::CRYSTALS::Domain::Normal > KyberPolyVec
Definition kyber_types.h:30