doxygen/kyber__round3__impl_8cpp_source.html

/*

 * Crystals Kyber key encapsulation mechanism and key codec

 *

 * (C) 2024 Jack Lloyd

 * (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 */


#include <botan/internal/kyber_round3_impl.h>


#include <botan/internal/ct_utils.h>

#include <botan/internal/kyber_constants.h>

#include <botan/internal/kyber_symmetric_primitives.h>

#include <botan/internal/kyber_types.h>


namespace Botan {


/**

 * Crystals Kyber (Version 3.01), Algorithm 8 (Kyber.CCAKEM.Enc())

 */


void Kyber_KEM_Encryptor::encapsulate(StrongSpan<KyberCompressedCiphertext> out_encapsulated_key,

                                      StrongSpan<KyberSharedSecret> out_shared_key,

                                      RandomNumberGenerator& rng) {

   const auto& sym = m_public_key->mode().symmetric_primitives();


   const auto seed_m = rng.random_vec<KyberMessage>(KyberConstants::SEED_BYTES);

   CT::poison(seed_m);


   const auto m = sym.H(seed_m);

   const auto [K_bar, r] = sym.G(m, m_public_key->H_public_key_bits_raw());

   m_public_key->indcpa_encrypt(out_encapsulated_key, m, r, precomputed_matrix_At());


   sym.KDF(out_shared_key, K_bar, sym.H(out_encapsulated_key));

   CT::unpoison_all(out_shared_key, out_encapsulated_key);

}


/**

 * Crystals Kyber (Version 3.01), Algorithm 9 (Kyber.CCAKEM.Dec())

 */


void Kyber_KEM_Decryptor::decapsulate(StrongSpan<KyberSharedSecret> out_shared_key,

                                      StrongSpan<const KyberCompressedCiphertext> encapsulated_key) {

   auto scope = CT::scoped_poison(*m_private_key);


   const auto& sym = m_public_key->mode().symmetric_primitives();


   const auto& h = m_public_key->H_public_key_bits_raw();

   const auto& z = m_private_key->z();


   const auto m_prime = m_private_key->indcpa_decrypt(encapsulated_key);

   const auto [K_bar_prime, r_prime] = sym.G(m_prime, h);


   const auto c_prime = m_public_key->indcpa_encrypt(m_prime, r_prime, precomputed_matrix_At());


   KyberSharedSecret K(KyberConstants::SEED_BYTES);

   BOTAN_ASSERT_NOMSG(encapsulated_key.size() == c_prime.size());

   BOTAN_ASSERT_NOMSG(K_bar_prime.size() == K.size());

   const auto reencrypt_success = CT::is_equal(encapsulated_key.data(), c_prime.data(), encapsulated_key.size());

   CT::conditional_copy_mem(reencrypt_success, K.data(), K_bar_prime.data(), z.data(), K_bar_prime.size());


   sym.KDF(out_shared_key, K, sym.H(encapsulated_key));

   CT::unpoison(out_shared_key);

}


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75

Botan::KyberConstants::SEED_BYTES
static constexpr size_t SEED_BYTES
Definition kyber_constants.h:43

Botan::Kyber_KEM_Decryptor::decapsulate
void decapsulate(StrongSpan< KyberSharedSecret > out_shared_key, StrongSpan< const KyberCompressedCiphertext > encapsulated_key) override
Definition kyber_round3_impl.cpp:41

Botan::Kyber_KEM_Encryptor::encapsulate
void encapsulate(StrongSpan< KyberCompressedCiphertext > out_encapsulated_key, StrongSpan< KyberSharedSecret > out_shared_key, RandomNumberGenerator &rng) override
Definition kyber_round3_impl.cpp:22

Botan::Kyber_KEM_Operation_Base::precomputed_matrix_At
const KyberPolyMat & precomputed_matrix_At() const
Definition kyber_encaps_base.h:23

Botan::RandomNumberGenerator
Definition rng.h:30

Botan::RandomNumberGenerator::random_vec
void random_vec(std::span< uint8_t > v)
Definition rng.h:199

Botan::StrongSpan
Definition strong_type.h:640

Botan::StrongSpan::data
decltype(auto) data() noexcept(noexcept(this->m_span.data()))
Definition strong_type.h:691

Botan::StrongSpan::size
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))
Definition strong_type.h:695

Botan::detail::Container_Strong_Adapter_Base::size
size_type size() const noexcept(noexcept(this->get().size()))
Definition strong_type.h:108

Botan::detail::Strong_Adapter< T >::data
decltype(auto) data() noexcept(noexcept(this->get().data()))
Definition strong_type.h:179

Botan::CT::conditional_copy_mem
constexpr Mask< T > conditional_copy_mem(Mask< T > mask, T *dest, const T *if_set, const T *if_unset, size_t elems)
Definition ct_utils.h:760

Botan::CT::scoped_poison
constexpr auto scoped_poison(const Ts &... xs)
Definition ct_utils.h:220

Botan::CT::unpoison_all
constexpr void unpoison_all(const Ts &... ts)
Definition ct_utils.h:205

Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:826

Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:65

Botan::CT::poison
constexpr void poison(const T *p, size_t n)
Definition ct_utils.h:54

Botan
Definition alg_id.cpp:13

Botan::KyberMessage
Strong< secure_vector< uint8_t >, struct KyberMessage_ > KyberMessage
Random message value to be encrypted by the CPA-secure Kyber encryption scheme.
Definition kyber_types.h:45

Botan::KyberSharedSecret
Strong< secure_vector< uint8_t >, struct KyberSharedSecret_ > KyberSharedSecret
Shared secret value generated during encapsulation and recovered during decapsulation.
Definition kyber_types.h:54