doxygen/kyber__round3__impl_8cpp_source.html

/*

 * Crystals Kyber key encapsulation mechanism and key codec

 *

 * (C) 2024 Jack Lloyd

 * (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 */


#include <botan/internal/kyber_round3_impl.h>


#include <botan/internal/ct_utils.h>

#include <botan/internal/kyber_constants.h>

#include <botan/internal/kyber_symmetric_primitives.h>

#include <botan/internal/kyber_types.h>


namespace Botan {


/**

 * Crystals Kyber (Version 3.01), Algorithm 8 (Kyber.CCAKEM.Enc())

 */


void Kyber_KEM_Encryptor::encapsulate(StrongSpan<KyberCompressedCiphertext> out_encapsulated_key,

                                      StrongSpan<KyberSharedSecret> out_shared_key,

                                      RandomNumberGenerator& rng) {

   const auto& sym = m_public_key->mode().symmetric_primitives();


   const auto seed_m = rng.random_vec<KyberMessage>(KyberConstants::SEED_BYTES);

   CT::poison(seed_m);


   const auto m = sym.H(seed_m);

   const auto [K_bar, r] = sym.G(m, m_public_key->H_public_key_bits_raw());

   m_public_key->indcpa_encrypt(out_encapsulated_key, m, r, precomputed_matrix_At());


   sym.KDF(out_shared_key, K_bar, sym.H(out_encapsulated_key));

   CT::unpoison_all(out_shared_key, out_encapsulated_key);

}


/**

 * Crystals Kyber (Version 3.01), Algorithm 9 (Kyber.CCAKEM.Dec())

 */


void Kyber_KEM_Decryptor::decapsulate(StrongSpan<KyberSharedSecret> out_shared_key,

                                      StrongSpan<const KyberCompressedCiphertext> encapsulated_key) {

   auto scope = CT::scoped_poison(*m_private_key);


   const auto& sym = m_public_key->mode().symmetric_primitives();


   const auto& h = m_public_key->H_public_key_bits_raw();

   const auto& z = m_private_key->z();


   const auto m_prime = m_private_key->indcpa_decrypt(encapsulated_key);

   const auto [K_bar_prime, r_prime] = sym.G(m_prime, h);


   const auto c_prime = m_public_key->indcpa_encrypt(m_prime, r_prime, precomputed_matrix_At());


   KyberSharedSecret K(KyberConstants::SEED_BYTES);

   BOTAN_ASSERT_NOMSG(encapsulated_key.size() == c_prime.size());

   BOTAN_ASSERT_NOMSG(K_bar_prime.size() == K.size());

   const auto reencrypt_success = CT::is_equal(encapsulated_key.data(), c_prime.data(), encapsulated_key.size());

   CT::conditional_copy_mem(reencrypt_success, K.data(), K_bar_prime.data(), z.data(), K_bar_prime.size());


   sym.KDF(out_shared_key, K, sym.H(encapsulated_key));

   CT::unpoison(out_shared_key);

}


/**

 * Key decoding as specified in Crystals Kyber (Version 3.01),

 * Algorithms 4 (CPAPKE.KeyGen()), and 7 (CCAKEM.KeyGen())

 *

 * Public Key: pk  := (encode(t) || rho)

 * Secret Key: sk' := encode(s)

 *

 * Expanded Secret Key: sk  := (sk' || pk || H(pk) || z)

 */


KyberInternalKeypair Kyber_Expanded_Keypair_Codec::decode_keypair(std::span<const uint8_t> sk,

                                                                  KyberConstants mode) const {

   auto scope = CT::scoped_poison(sk);

   BufferSlicer s(sk);


   auto skpv = Kyber_Algos::decode_polynomial_vector(s.take(mode.polynomial_vector_bytes()), mode);

   auto pub_key = s.copy<KyberSerializedPublicKey>(mode.public_key_bytes());

   auto puk_key_hash = s.take<KyberHashedPublicKey>(KyberConstants::PUBLIC_KEY_HASH_BYTES);

   auto z = s.copy<KyberImplicitRejectionValue>(KyberConstants::SEED_BYTES);


   BOTAN_ASSERT_NOMSG(s.empty());


   CT::unpoison_all(pub_key, puk_key_hash, skpv, z);


   KyberInternalKeypair keypair{

      std::make_shared<Kyber_PublicKeyInternal>(mode, std::move(pub_key)),

      std::make_shared<Kyber_PrivateKeyInternal>(

         std::move(mode),

         std::move(skpv),

         KyberPrivateKeySeed{std::nullopt,  // Reading from an expanded and encoded

                                            // private key cannot reconstruct the

                                            // original seed from key generation.

                             std::move(z)}),

   };


   BOTAN_ASSERT(keypair.first && keypair.second, "reading private key encoding");

   BOTAN_ARG_CHECK(keypair.first->H_public_key_bits_raw().size() == puk_key_hash.size() &&

                      std::equal(keypair.first->H_public_key_bits_raw().begin(),

                                 keypair.first->H_public_key_bits_raw().end(),

                                 puk_key_hash.begin()),

                   "public key's hash does not match the stored hash");


   return keypair;

}


secure_vector<uint8_t> Kyber_Expanded_Keypair_Codec::encode_keypair(KyberInternalKeypair keypair) const {

   BOTAN_ASSERT_NONNULL(keypair.first);

   BOTAN_ASSERT_NONNULL(keypair.second);

   const auto& mode = keypair.first->mode();

   auto scope = CT::scoped_poison(*keypair.second);

   auto result = concat(Kyber_Algos::encode_polynomial_vector(keypair.second->s().reduce(), mode),

                        keypair.first->public_key_bits_raw(),

                        keypair.first->H_public_key_bits_raw(),

                        keypair.second->z());

   CT::unpoison(result);

   return result;

}


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59

BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:86

BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29

BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50

Botan::BufferSlicer
Definition stl_util.h:84

Botan::BufferSlicer::copy
auto copy(const size_t count)
Definition stl_util.h:89

Botan::BufferSlicer::empty
bool empty() const
Definition stl_util.h:129

Botan::BufferSlicer::take
std::span< const uint8_t > take(const size_t count)
Definition stl_util.h:98

Botan::KyberConstants
Definition kyber_constants.h:22

Botan::KyberConstants::SEED_BYTES
static constexpr size_t SEED_BYTES
Definition kyber_constants.h:43

Botan::KyberConstants::public_key_bytes
size_t public_key_bytes() const
byte length of an encoded public key
Definition kyber_constants.h:111

Botan::KyberConstants::polynomial_vector_bytes
size_t polynomial_vector_bytes() const
byte length of an encoded polynomial vector
Definition kyber_constants.h:96

Botan::KyberConstants::PUBLIC_KEY_HASH_BYTES
static constexpr size_t PUBLIC_KEY_HASH_BYTES
Definition kyber_constants.h:44

Botan::Kyber_Expanded_Keypair_Codec::decode_keypair
KyberInternalKeypair decode_keypair(std::span< const uint8_t > buffer, KyberConstants mode) const override
Definition kyber_round3_impl.cpp:74

Botan::Kyber_Expanded_Keypair_Codec::encode_keypair
secure_vector< uint8_t > encode_keypair(KyberInternalKeypair private_key) const override
Definition kyber_round3_impl.cpp:109

Botan::Kyber_KEM_Decryptor::decapsulate
void decapsulate(StrongSpan< KyberSharedSecret > out_shared_key, StrongSpan< const KyberCompressedCiphertext > encapsulated_key) override
Definition kyber_round3_impl.cpp:41

Botan::Kyber_KEM_Encryptor::encapsulate
void encapsulate(StrongSpan< KyberCompressedCiphertext > out_encapsulated_key, StrongSpan< KyberSharedSecret > out_shared_key, RandomNumberGenerator &rng) override
Definition kyber_round3_impl.cpp:22

Botan::Kyber_KEM_Operation_Base::precomputed_matrix_At
const KyberPolyMat & precomputed_matrix_At() const
Definition kyber_encaps_base.h:23

Botan::RandomNumberGenerator
Definition rng.h:31

Botan::RandomNumberGenerator::random_vec
void random_vec(std::span< uint8_t > v)
Definition rng.h:180

Botan::StrongSpan
Definition strong_type.h:614

Botan::StrongSpan::data
decltype(auto) data() noexcept(noexcept(this->m_span.data()))
Definition strong_type.h:659

Botan::StrongSpan::size
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))
Definition strong_type.h:663

Botan::Strong
Definition strong_type.h:172

Botan::CT::unpoison_all
constexpr void unpoison_all(Ts &&... ts)
Definition ct_utils.h:201

Botan::CT::scoped_poison
constexpr auto scoped_poison(const Ts &... xs)
Definition ct_utils.h:216

Botan::CT::conditional_copy_mem
constexpr Mask< T > conditional_copy_mem(Mask< T > mask, T *to, const T *from0, const T *from1, size_t elems)
Definition ct_utils.h:699

Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:759

Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:64

Botan::CT::poison
constexpr void poison(const T *p, size_t n)
Definition ct_utils.h:53

Botan::Kyber_Algos::encode_polynomial_vector
void encode_polynomial_vector(std::span< uint8_t > out, const KyberPolyVecNTT &vec)
Definition kyber_algos.cpp:184

Botan::Kyber_Algos::decode_polynomial_vector
KyberPolyVecNTT decode_polynomial_vector(std::span< const uint8_t > a, const KyberConstants &mode)
Definition kyber_algos.cpp:192

Botan
Definition alg_id.cpp:13

Botan::concat
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:263

Botan::KyberInternalKeypair
std::pair< std::shared_ptr< Kyber_PublicKeyInternal >, std::shared_ptr< Kyber_PrivateKeyInternal > > KyberInternalKeypair
Definition kyber_types.h:73

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61

Botan::KyberPrivateKeySeed
Definition kyber_types.h:79