Botan 3.5.0
Crypto and TLS for C&
kyber_encaps.cpp
Go to the documentation of this file.
1/*
2 * Crystals Kyber key encapsulation mechanism
3 *
4 * (C) 2024 Jack Lloyd
5 * (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9
10#include <botan/internal/kyber_encaps.h>
11
12#include <botan/internal/ct_utils.h>
13#include <botan/internal/kyber_constants.h>
14#include <botan/internal/kyber_structures.h>
15#include <botan/internal/kyber_symmetric_primitives.h>
16#include <botan/internal/kyber_types.h>
17
18namespace Botan {
19
20/**
21 * Crystals Kyber (Version 3.01), Algorithm 8 (Kyber.CCAKEM.Enc())
22 */
23void Kyber_KEM_Encryptor::encapsulate(StrongSpan<KyberCompressedCiphertext> out_encapsulated_key,
24 StrongSpan<KyberSharedSecret> out_shared_key,
25 RandomNumberGenerator& rng) {
26 const auto& sym = m_public_key->mode().symmetric_primitives();
27
28 const auto m = sym.H(rng.random_vec<KyberMessage>(KyberConstants::kSymBytes));
29 const auto [K_bar, r] = sym.G(m, m_public_key->H_public_key_bits_raw());
30 auto c = m_public_key->indcpa_encrypt(m, r);
31
32 c.to_bytes(out_encapsulated_key);
33 sym.KDF(out_shared_key, K_bar, sym.H(out_encapsulated_key));
34}
35
36/**
37 * Crystals Kyber (Version 3.01), Algorithm 9 (Kyber.CCAKEM.Dec())
38 */
39void Kyber_KEM_Decryptor::decapsulate(StrongSpan<KyberSharedSecret> out_shared_key,
40 StrongSpan<const KyberCompressedCiphertext> encapsulated_key) {
41 const auto& sym = m_public_key->mode().symmetric_primitives();
42
43 const auto& h = m_public_key->H_public_key_bits_raw();
44 const auto& z = m_private_key->z();
45
46 const auto m_prime = m_private_key->indcpa_decrypt(Ciphertext::from_bytes(encapsulated_key, m_private_key->mode()));
47 const auto [K_bar_prime, r_prime] = sym.G(m_prime, h);
48
49 const auto c_prime = m_public_key->indcpa_encrypt(m_prime, r_prime).to_bytes();
50
51 KyberSharedSecret K(KyberConstants::kSymBytes);
52 BOTAN_ASSERT_NOMSG(encapsulated_key.size() == c_prime.size());
53 BOTAN_ASSERT_NOMSG(K_bar_prime.size() == K.size());
54 const auto reencrypt_success = CT::is_equal(encapsulated_key.data(), c_prime.data(), encapsulated_key.size());
55 CT::conditional_copy_mem(reencrypt_success, K.data(), K_bar_prime.data(), z.data(), K_bar_prime.size());
56
57 sym.KDF(out_shared_key, K, sym.H(encapsulated_key));
58}
59
60} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
Botan::Ciphertext::from_bytes
static Ciphertext from_bytes(StrongSpan< const KyberCompressedCiphertext > buffer, const KyberConstants &mode)
Definition kyber_structures.h:561
Botan::KyberConstants::kSymBytes
static constexpr size_t kSymBytes
Definition kyber_constants.h:49
Botan::Kyber_KEM_Decryptor::decapsulate
void decapsulate(StrongSpan< KyberSharedSecret > out_shared_key, StrongSpan< const KyberCompressedCiphertext > encapsulated_key) override
Definition kyber_encaps.cpp:39
Botan::Kyber_KEM_Encryptor::encapsulate
void encapsulate(StrongSpan< KyberCompressedCiphertext > out_encapsulated_key, StrongSpan< KyberSharedSecret > out_shared_key, RandomNumberGenerator &rng) override
Definition kyber_encaps.cpp:23
Botan::RandomNumberGenerator::random_vec
void random_vec(std::span< uint8_t > v)
Definition rng.h:179
Botan::StrongSpan::data
decltype(auto) data() noexcept(noexcept(this->m_span.data()))
Definition strong_type.h:589
Botan::StrongSpan::size
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))
Definition strong_type.h:593
Botan::CT::conditional_copy_mem
constexpr Mask< T > conditional_copy_mem(Mask< T > mask, T *to, const T *from0, const T *from1, size_t elems)
Definition ct_utils.h:426
Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:486
Generated by doxygen 1.11.0