Botan 3.6.1
Crypto and TLS for C&
kyber_keys.cpp
Go to the documentation of this file.
1/*
2 * Crystals Kyber Internal Key Types
3 *
4 * (C) 2021-2024 Jack Lloyd
5 * (C) 2021-2022 Manuel Glaser and Michael Boric, Rohde & Schwarz Cybersecurity
6 * (C) 2021-2022 René Meusel and Hannes Rantzsch, neXenio GmbH
7 * (C) 2024 René Meusel, Fabian Albert, Rohde & Schwarz Cybersecurity
8 *
9 * Botan is released under the Simplified BSD License (see license.txt)
10 */
11
12#include <botan/internal/kyber_keys.h>
13
14#include <botan/internal/kyber_symmetric_primitives.h>
15#include <botan/internal/stl_util.h>
16
17namespace Botan {
18
19namespace {
20
21KyberSerializedPublicKey validate_public_key_length(KyberSerializedPublicKey public_key, size_t expected_length) {
22 if(public_key.size() != expected_length) {
23 throw Invalid_Argument("Public key does not have the correct byte count");
24 }
25 return public_key;
26}
27
28} // namespace
29
30Kyber_PublicKeyInternal::Kyber_PublicKeyInternal(KyberConstants mode, KyberSerializedPublicKey public_key) :
31 m_mode(std::move(mode)),
32 m_public_key_bits_raw(validate_public_key_length(std::move(public_key), m_mode.public_key_bytes())),
33 m_H_public_key_bits_raw(m_mode.symmetric_primitives().H(m_public_key_bits_raw)),
34 m_t(Kyber_Algos::decode_polynomial_vector(
35 std::span{m_public_key_bits_raw}.first(m_mode.polynomial_vector_bytes()), m_mode)),
36 m_rho(std::span{m_public_key_bits_raw}.last(Botan::KyberConstants::SEED_BYTES)) {}
37
38Kyber_PublicKeyInternal::Kyber_PublicKeyInternal(KyberConstants mode, KyberPolyVecNTT t, KyberSeedRho rho) :
39 m_mode(std::move(mode)),
40 m_public_key_bits_raw(concat(Kyber_Algos::encode_polynomial_vector<std::vector<uint8_t>>(t, m_mode), rho)),
41 m_H_public_key_bits_raw(m_mode.symmetric_primitives().H(m_public_key_bits_raw)),
42 m_t(std::move(t)),
43 m_rho(std::move(rho)) {}
44
45/**
46 * NIST FIPS 203, Algorithm 14 (K-PKE.Encrypt)
47 *
48 * In contrast to FIPS 203, the matrix @p At is not sampled for every invocation,
49 * instead it is precomputed and passed in as a parameter. Similarly, the t^T is
50 * already decoded and available as a member variable. This allows to reuse these
51 * structures for multiple encryptions.
52 *
53 * The sampling loops spelled out in FIPS 203 are hidden in the sample_* functions.
54 */
55void Kyber_PublicKeyInternal::indcpa_encrypt(StrongSpan<KyberCompressedCiphertext> out_ct,
56 StrongSpan<const KyberMessage> m,
57 StrongSpan<const KyberEncryptionRandomness> r,
58 const KyberPolyMat& At) const {
59 // The nonce N is handled internally by the PolynomialSampler
60 Kyber_Algos::PolynomialSampler ps(r, m_mode);
61 const auto y = ntt(ps.sample_polynomial_vector_cbd_eta1());
62 const auto e1 = ps.sample_polynomial_vector_cbd_eta2();
63 const auto e2 = ps.sample_polynomial_cbd_eta2();
64
65 auto u = inverse_ntt(At * y);
66 u += e1;
67 u.reduce();
68
69 const auto mu = Kyber_Algos::polynomial_from_message(m);
70 auto v = inverse_ntt(m_t * y);
71 v += e2;
72 v += mu;
73 v.reduce();
74
75 Kyber_Algos::compress_ciphertext(out_ct, u, v, m_mode);
76}
77
78/**
79 * NIST FIPS 203, Algorithm 15 (K-PKE.Decrypt)
80 *
81 * s^T is already decoded and available as a member variable. This allows to reuse
82 * the structure for multiple decryptions.
83 */
84KyberMessage Kyber_PrivateKeyInternal::indcpa_decrypt(StrongSpan<const KyberCompressedCiphertext> ct) const {
85 auto [u, v] = Kyber_Algos::decompress_ciphertext(ct, m_mode);
86 v -= inverse_ntt(m_s * ntt(std::move(u)));
87 v.reduce();
88 return Kyber_Algos::polynomial_to_message(v);
89}
90
91} // namespace Botan
Botan::Kyber_Algos::PolynomialSampler
Definition kyber_algos.h:65
Botan::Kyber_Algos::PolynomialSampler::sample_polynomial_cbd_eta2
KyberPoly sample_polynomial_cbd_eta2()
Definition kyber_algos.h:78
Botan::Kyber_Algos::PolynomialSampler::sample_polynomial_vector_cbd_eta1
KyberPolyVec sample_polynomial_vector_cbd_eta1()
Definition kyber_algos.h:70
Botan::Kyber_Algos::PolynomialSampler::sample_polynomial_vector_cbd_eta2
KyberPolyVec sample_polynomial_vector_cbd_eta2()
Definition kyber_algos.h:86
Botan::Kyber_PrivateKeyInternal::indcpa_decrypt
KyberMessage indcpa_decrypt(StrongSpan< const KyberCompressedCiphertext > ct) const
Definition kyber_keys.cpp:84
Botan::Kyber_PublicKeyInternal::indcpa_encrypt
void indcpa_encrypt(StrongSpan< KyberCompressedCiphertext > out_ct, StrongSpan< const KyberMessage > m, StrongSpan< const KyberEncryptionRandomness > r, const KyberPolyMat &At) const
Definition kyber_keys.cpp:55
Botan::Kyber_PublicKeyInternal::Kyber_PublicKeyInternal
Kyber_PublicKeyInternal()=delete
Botan::Kyber_Algos::polynomial_to_message
KyberMessage polynomial_to_message(const KyberPoly &p)
Definition kyber_algos.cpp:212
Botan::Kyber_Algos::compress_ciphertext
void compress_ciphertext(StrongSpan< KyberCompressedCiphertext > out, const KyberPolyVec &u, const KyberPoly &v, const KyberConstants &m_mode)
Definition kyber_algos.cpp:352
Botan::Kyber_Algos::polynomial_from_message
KyberPoly polynomial_from_message(StrongSpan< const KyberMessage > msg)
Definition kyber_algos.cpp:204
Botan::Kyber_Algos::decompress_ciphertext
std::pair< KyberPolyVec, KyberPoly > decompress_ciphertext(StrongSpan< const KyberCompressedCiphertext > ct, const KyberConstants &mode)
Definition kyber_algos.cpp:362
Botan::rho
constexpr T rho(T x)
Definition rotate.h:51
Botan::concat
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:263
Botan::KyberSerializedPublicKey
Strong< std::vector< uint8_t >, struct KyberSerializedPublicKey_ > KyberSerializedPublicKey
Public key in serialized form (t || rho)
Definition kyber_types.h:57
Generated by doxygen 1.12.0