kyber_symmetric_primitives.h

Go to the documentation of this file.

/*
 * Symmetric primitives for Kyber (modern)
 * (C) 2022 Jack Lloyd
 * (C) 2022 Hannes Rantzsch, René Meusel, neXenio GmbH
 * (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
 
#ifndef BOTAN_KYBER_SYMMETRIC_PRIMITIVES_H_
#define BOTAN_KYBER_SYMMETRIC_PRIMITIVES_H_
 
#include <botan/hash.h>
#include <botan/secmem.h>
#include <botan/xof.h>
 
#include <botan/internal/kyber_constants.h>
#include <botan/internal/kyber_types.h>
#include <botan/internal/stl_util.h>
 
#include <span>
#include <tuple>
 
namespace Botan {
 
/**
 * Adapter class that uses polymorphy to distinguish
 * Kyber "modern" from Kyber "90s" modes.
 */
class Kyber_Symmetric_Primitives {
   public:
      virtual ~Kyber_Symmetric_Primitives() = default;
 
      // TODO: remove this once Kyber-R3 is removed
      KyberMessage H(StrongSpan<const KyberMessage> m) const { return get_H().process<KyberMessage>(m); }
 
      // TODO: remove this once Kyber-R3 is removed
      KyberHashedCiphertext H(StrongSpan<const KyberCompressedCiphertext> r) const {
         return get_H().process<KyberHashedCiphertext>(r);
      }
 
      KyberHashedPublicKey H(StrongSpan<const KyberSerializedPublicKey> pk) const {
         return get_H().process<KyberHashedPublicKey>(pk);
      }
 
      std::pair<KyberSeedRho, KyberSeedSigma> G(StrongSpan<const KyberSeedRandomness> seed,
                                                const KyberConstants& mode) const {
         if(auto domsep = seed_expansion_domain_separator(mode)) {
            return G_split<KyberSeedRho, KyberSeedSigma>(seed, *domsep);
         } else {
            return G_split<KyberSeedRho, KyberSeedSigma>(seed);
         }
      }
 
      std::pair<KyberSharedSecret, KyberEncryptionRandomness> G(
         StrongSpan<const KyberMessage> msg, StrongSpan<const KyberHashedPublicKey> pubkey_hash) const {
         return G_split<KyberSharedSecret, KyberEncryptionRandomness>(msg, pubkey_hash);
      }
 
      KyberSharedSecret J(StrongSpan<const KyberImplicitRejectionValue> rejection_value,
                          StrongSpan<const KyberCompressedCiphertext> ciphertext) const {
         auto& j = get_J();
         j.update(rejection_value);
         j.update(ciphertext);
         return j.final<KyberSharedSecret>();
      }
 
      // TODO: remove this once Kyber-R3 is removed
      void KDF(StrongSpan<KyberSharedSecret> out,
               StrongSpan<const KyberSharedSecret> shared_secret,
               StrongSpan<const KyberHashedCiphertext> hashed_ciphertext) const {
         auto& kdf = get_KDF();
         kdf.update(shared_secret);
         kdf.update(hashed_ciphertext);
         kdf.final(out);
      }
 
      KyberSamplingRandomness PRF(KyberSigmaOrEncryptionRandomness seed,
                                  const uint8_t nonce,
                                  const size_t outlen) const {
         auto bare_seed_span = std::visit([&](const auto s) { return s.get(); }, seed);
         return get_PRF(bare_seed_span, nonce).output<KyberSamplingRandomness>(outlen);
      }
 
      Botan::XOF& XOF(StrongSpan<const KyberSeedRho> seed, std::tuple<uint8_t, uint8_t> matrix_position) const {
         return get_XOF(seed, matrix_position);
      }
 
   private:
      template <concepts::contiguous_strong_type T1,
                concepts::contiguous_strong_type T2,
                ranges::contiguous_range... InputTs>
      std::pair<T1, T2> G_split(InputTs&&... inputs) const {
         auto& g = get_G();
         (g.update(inputs), ...);
         auto s = g.final();
 
         BufferSlicer bs(s);
         std::pair<T1, T2> result;
         result.first = bs.copy<T1>(KyberConstants::SEED_BYTES);
         result.second = bs.copy<T2>(KyberConstants::SEED_BYTES);
         BOTAN_ASSERT_NOMSG(bs.empty());
         return result;
      }
 
   protected:
      virtual std::optional<std::array<uint8_t, 1>> seed_expansion_domain_separator(
         const KyberConstants& mode) const = 0;
 
      virtual HashFunction& get_G() const = 0;
      virtual HashFunction& get_H() const = 0;
      virtual HashFunction& get_J() const = 0;
      virtual HashFunction& get_KDF() const = 0;
      virtual Botan::XOF& get_PRF(std::span<const uint8_t> seed, uint8_t nonce) const = 0;
      virtual Botan::XOF& get_XOF(std::span<const uint8_t> seed,
                                  std::tuple<uint8_t, uint8_t> matrix_position) const = 0;
};
 
}  // namespace Botan
 
#endif