doxygen/ml__kem__impl_8cpp_source.html

/*

 * Module-Lattice Key Encapsulation Mechanism (ML-KEM), Initial Public Draft

 *

 * (C) 2024 Jack Lloyd

 * (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 */


#include <botan/internal/ml_kem_impl.h>


#include <botan/internal/ct_utils.h>

#include <botan/internal/kyber_constants.h>

#include <botan/internal/kyber_types.h>


namespace Botan {


/**

 * NIST FIPS 203, Algorithm 17 (ML-KEM.Encaps_internal), and 20 (ML-KEM.Encaps)

 *

 * Generation of the random value is inlined with its usage. The public matrix

 * A^T as well as H(pk) are precomputed and readily available.

 */


void ML_KEM_Encryptor::encapsulate(StrongSpan<KyberCompressedCiphertext> out_encapsulated_key,

                                   StrongSpan<KyberSharedSecret> out_shared_key,

                                   RandomNumberGenerator& rng) {

   const auto& sym = mode().symmetric_primitives();


   const auto m = rng.random_vec<KyberMessage>(KyberConstants::SEED_BYTES);

   auto scope = CT::scoped_poison(m);


   const auto [K, r] = sym.G(m, m_public_key->H_public_key_bits_raw());

   m_public_key->indcpa_encrypt(out_encapsulated_key, m, r, precomputed_matrix_At(), mode());


   // TODO: avoid this copy by letting sym.G() directly write to the span.

   copy_mem(out_shared_key, K);

   CT::unpoison_all(out_shared_key, out_encapsulated_key);

}


/**

 * NIST FIPS 203, Algorithm 18 (ML-KEM.Decaps_internal) and 21 (ML-KEM.Decaps)

 *

 * The public and private keys are readily available as member variables and

 * don't need to be decoded. The checks stated in FIPS 203, Section 7.3 are

 * performed before decoding the keys and the ciphertext.

 */


void ML_KEM_Decryptor::decapsulate(StrongSpan<KyberSharedSecret> out_shared_key,

                                   StrongSpan<const KyberCompressedCiphertext> c) {

   auto scope = CT::scoped_poison(*m_private_key);


   const auto& sym = mode().symmetric_primitives();


   const auto& h = m_public_key->H_public_key_bits_raw();

   const auto& z = m_private_key->z();


   const auto m_prime = m_private_key->indcpa_decrypt(c);

   const auto [K_prime, r_prime] = sym.G(m_prime, h);


   const auto K_bar = sym.J(z, c);

   const auto c_prime = m_public_key->indcpa_encrypt(m_prime, r_prime, precomputed_matrix_At(), mode());


   BOTAN_ASSERT_NOMSG(c.size() == c_prime.size());

   BOTAN_ASSERT_NOMSG(K_prime.size() == K_bar.size() && out_shared_key.size() == K_bar.size());

   const auto reencrypt_success = CT::is_equal<uint8_t>(c, c_prime);

   CT::conditional_copy_mem(reencrypt_success, out_shared_key.data(), K_prime.data(), K_bar.data(), K_prime.size());


   CT::unpoison(out_shared_key);

}


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75

Botan::KyberConstants::SEED_BYTES
static constexpr size_t SEED_BYTES
Definition kyber_constants.h:42

Botan::KyberConstants::symmetric_primitives
Kyber_Symmetric_Primitives & symmetric_primitives() const
Definition kyber_constants.h:125

Botan::Kyber_KEM_Operation_Base::precomputed_matrix_At
const KyberPolyMat & precomputed_matrix_At() const
Definition kyber_encaps_base.h:25

Botan::Kyber_KEM_Operation_Base::mode
const KyberConstants & mode() const
Definition kyber_encaps_base.h:23

Botan::Kyber_Symmetric_Primitives::G
std::pair< KyberSeedRho, KyberSeedSigma > G(StrongSpan< const KyberSeedRandomness > seed, const KyberConstants &mode) const
Definition kyber_symmetric_primitives.h:44

Botan::ML_KEM_Decryptor::decapsulate
void decapsulate(StrongSpan< KyberSharedSecret > out_shared_key, StrongSpan< const KyberCompressedCiphertext > encapsulated_key) override
Definition ml_kem_impl.cpp:47

Botan::ML_KEM_Encryptor::encapsulate
void encapsulate(StrongSpan< KyberCompressedCiphertext > out_encapsulated_key, StrongSpan< KyberSharedSecret > out_shared_key, RandomNumberGenerator &rng) override
Definition ml_kem_impl.cpp:24

Botan::RandomNumberGenerator
Definition rng.h:39

Botan::RandomNumberGenerator::random_vec
void random_vec(std::span< uint8_t > v)
Definition rng.h:204

Botan::StrongSpan
Definition strong_type.h:659

Botan::StrongSpan::data
decltype(auto) data() noexcept(noexcept(this->m_span.data()))
Definition strong_type.h:710

Botan::StrongSpan::size
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))
Definition strong_type.h:714

Botan::CT::conditional_copy_mem
constexpr Mask< T > conditional_copy_mem(Mask< T > mask, T *dest, const T *if_set, const T *if_unset, size_t elems)
Definition ct_utils.h:732

Botan::CT::scoped_poison
constexpr auto scoped_poison(const Ts &... xs)
Definition ct_utils.h:222

Botan::CT::unpoison_all
constexpr void unpoison_all(const Ts &... ts)
Definition ct_utils.h:207

Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:798

Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:67

Botan
Definition alg_id.cpp:13

Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144

Botan::KyberMessage
Strong< secure_vector< uint8_t >, struct KyberMessage_ > KyberMessage
Random message value to be encrypted by the CPA-secure Kyber encryption scheme.
Definition kyber_types.h:45