32#include "ext_headers.h"
51#define LC_KYBER_Q 3329
53#define LC_KYBER_SYMBYTES 32
54#define LC_KYBER_SSBYTES 32
56#define LC_KYBER_POLYBYTES 384
57#define LC_KYBER_POLYVECBYTES (LC_KYBER_K * LC_KYBER_POLYBYTES)
60#define LC_KYBER_ETA1 3
61#define LC_KYBER_POLYCOMPRESSEDBYTES 128
62#define LC_KYBER_POLYVECCOMPRESSEDBYTES (LC_KYBER_K * 320)
64#define LC_KYBER_ETA1 2
65#define LC_KYBER_POLYCOMPRESSEDBYTES 128
66#define LC_KYBER_POLYVECCOMPRESSEDBYTES (LC_KYBER_K * 320)
68#define LC_KYBER_ETA1 2
69#define LC_KYBER_POLYCOMPRESSEDBYTES 160
70#define LC_KYBER_POLYVECCOMPRESSEDBYTES (LC_KYBER_K * 352)
73#define LC_KYBER_ETA2 2
75#define LC_KYBER_INDCPA_MSGBYTES (LC_KYBER_SYMBYTES)
76#define LC_KYBER_INDCPA_PUBLICKEYBYTES \
77 (LC_KYBER_POLYVECBYTES + LC_KYBER_SYMBYTES)
78#define LC_KYBER_INDCPA_SECRETKEYBYTES (LC_KYBER_POLYVECBYTES)
79#define LC_KYBER_INDCPA_BYTES \
80 (LC_KYBER_POLYVECCOMPRESSEDBYTES + LC_KYBER_POLYCOMPRESSEDBYTES)
90#define LC_KYBER_PUBLICKEYBYTES (LC_KYBER_INDCPA_PUBLICKEYBYTES)
92#define LC_KYBER_SECRETKEYBYTES \
93 (LC_KYBER_INDCPA_SECRETKEYBYTES + LC_KYBER_INDCPA_PUBLICKEYBYTES + \
94 2 * LC_KYBER_SYMBYTES)
95#define LC_KYBER_CIPHERTEXTBYTES (LC_KYBER_INDCPA_BYTES)
97#define LC_CRYPTO_SECRETKEYBYTES LC_KYBER_SECRETKEYBYTES
98#define LC_CRYPTO_PUBLICKEYBYTES LC_KYBER_PUBLICKEYBYTES
99#define LC_CRYPTO_CIPHERTEXTBYTES LC_KYBER_CIPHERTEXTBYTES
100#define LC_CRYPTO_BYTES LC_KYBER_SSBYTES
117 uint8_t
sk[LC_KYBER_SECRETKEYBYTES];
124 uint8_t
pk[LC_KYBER_PUBLICKEYBYTES];
131 uint8_t
ct[LC_CRYPTO_CIPHERTEXTBYTES];
138 uint8_t
ss[LC_KYBER_SSBYTES];
188 struct lc_rng_ctx *rng_ctx);
212 const uint8_t *seed,
size_t seedlen);
377 size_t shared_secret_len,
const uint8_t *kdf_nonce,
378 size_t kdf_nonce_len,
401 const uint8_t *kdf_nonce,
size_t kdf_nonce_len,
498 uint8_t *shared_secret,
size_t shared_secret_len,
499 const uint8_t *kdf_nonce,
size_t kdf_nonce_len,
525 const uint8_t *kdf_nonce,
size_t kdf_nonce_len,
563 const uint8_t *plaintext, uint8_t *ciphertext,
564 size_t datalen,
const uint8_t *aad,
size_t aadlen,
565 uint8_t *tag,
size_t taglen,
struct lc_aead_ctx *aead);
595 const uint8_t *aad,
size_t aadlen);
619 const uint8_t *plaintext,
620 uint8_t *ciphertext,
size_t datalen)
645 uint8_t *tag,
size_t taglen)
678 const uint8_t *ciphertext, uint8_t *plaintext,
679 size_t datalen,
const uint8_t *aad,
size_t aadlen,
680 const uint8_t *tag,
size_t taglen,
681 struct lc_aead_ctx *aead);
711 const uint8_t *aad,
size_t aadlen);
735 const uint8_t *ciphertext,
736 uint8_t *plaintext,
size_t datalen)
761 const uint8_t *tag,
size_t taglen)
774#define LC_KYBER_X25519_KEM
775#ifdef LC_KYBER_X25519_KEM
777#include "lc_x25519.h"
824 struct lc_rng_ctx *rng_ctx);
920 uint8_t *shared_secret,
921 size_t shared_secret_len,
922 const uint8_t *kdf_nonce,
923 size_t kdf_nonce_len,
946 size_t shared_secret_len,
947 const uint8_t *kdf_nonce,
948 size_t kdf_nonce_len,
997 uint8_t *shared_secret,
998 size_t shared_secret_len,
999 const uint8_t *kdf_nonce,
1000 size_t kdf_nonce_len,
1026 size_t shared_secret_len,
1027 const uint8_t *kdf_nonce,
1028 size_t kdf_nonce_len,
1066 const uint8_t *plaintext, uint8_t *ciphertext,
1067 size_t datalen,
const uint8_t *aad,
size_t aadlen,
1068 uint8_t *tag,
size_t taglen,
1069 struct lc_aead_ctx *aead);
1100 const uint8_t *aad,
size_t aadlen);
1122 const uint8_t *plaintext,
1123 uint8_t *ciphertext,
1149 uint8_t *tag,
size_t taglen)
1184 const uint8_t *ciphertext, uint8_t *plaintext,
1185 size_t datalen,
const uint8_t *aad,
size_t aadlen,
1186 const uint8_t *tag,
size_t taglen,
1187 struct lc_aead_ctx *aead);
1218 const uint8_t *aad,
size_t aadlen);
1242 const uint8_t *ciphertext,
1284#ifndef LC_KYBER_INTERNAL
1288#undef LC_KYBER_SYMBYTES
1289#undef LC_KYBER_SSBYTES
1290#undef LC_KYBER_POLYBYTES
1291#undef LC_KYBER_POLYVECBYTES
1293#undef LC_KYBER_POLYCOMPRESSEDBYTES
1294#undef LC_KYBER_POLYVECCOMPRESSEDBYTES
1296#undef LC_KYBER_INDCPA_MSGBYTES
1297#undef LC_KYBER_INDCPA_PUBLICKEYBYTES
1298#undef LC_KYBER_INDCPA_SECRETKEYBYTES
1299#undef LC_KYBER_INDCPA_BYTES
1300#undef LC_KYBER_PUBLICKEYBYTES
1301#undef LC_KYBER_SECRETKEYBYTES
1302#undef LC_KYBER_CIPHERTEXTBYTES
1303#undef LC_CRYPTO_SECRETKEYBYTES
1304#undef LC_CRYPTO_PUBLICKEYBYTES
1305#undef LC_CRYPTO_CIPHERTEXTBYTES
1306#undef LC_CRYPTO_BYTES
static int lc_aead_dec_update(struct lc_aead_ctx *ctx, const uint8_t *ciphertext, uint8_t *plaintext, size_t datalen)
AEAD-decrypt data - send partial data.
static int lc_aead_dec_final(struct lc_aead_ctx *ctx, const uint8_t *tag, size_t taglen)
AEAD-decrypt data - Perform authentication.
static int lc_aead_enc_update(struct lc_aead_ctx *ctx, const uint8_t *plaintext, uint8_t *ciphertext, size_t datalen)
AEAD-encrypt data - send partial data.
static int lc_aead_enc_final(struct lc_aead_ctx *ctx, uint8_t *tag, size_t taglen)
Complete AEAD encryption - Obtain the authentication tag from the encryption operation.
int lc_kyber_512_x25519_ies_enc(const struct lc_kyber_512_x25519_pk *pk, struct lc_kyber_512_x25519_ct *ct, const uint8_t *plaintext, uint8_t *ciphertext, size_t datalen, const uint8_t *aad, size_t aadlen, uint8_t *tag, size_t taglen, struct lc_aead_ctx *aead)
lc_kyber_x25519_ies_enc - KyberIES encryption oneshot
int lc_kyber_512_x25519_ies_dec_init(struct lc_aead_ctx *aead, const struct lc_kyber_512_x25519_sk *sk, const struct lc_kyber_512_x25519_ct *ct, const uint8_t *aad, size_t aadlen)
lc_kyber_x25519_ies_dec_init - KyberIES decryption stream operation initialization
int lc_kyber_512_enc_kdf(struct lc_kyber_512_ct *ct, uint8_t *ss, size_t ss_len, const struct lc_kyber_512_pk *pk)
lc_kyber_512_enc_kdf - Key encapsulation with KDF applied to shared secret
static int lc_kyber_512_ies_enc_final(struct lc_aead_ctx *aead, uint8_t *tag, size_t taglen)
lc_kyber_ies_enc_final - KyberIES encryption stream operation finalization / integrity test
static int lc_kyber_512_x25519_ies_dec_update(struct lc_aead_ctx *aead, const uint8_t *ciphertext, uint8_t *plaintext, size_t datalen)
lc_kyber_x25519_ies_dec_update - KyberIES decryption stream operation add more data
int lc_kyber_512_x25519_enc_kdf(struct lc_kyber_512_x25519_ct *ct, uint8_t *ss, size_t ss_len, const struct lc_kyber_512_x25519_pk *pk)
lc_kyber_x25519_enc_kdf - Key encapsulation with KDF applied to shared secret
int lc_kyber_512_x25519_dec_kdf(uint8_t *ss, size_t ss_len, const struct lc_kyber_512_x25519_ct *ct, const struct lc_kyber_512_x25519_sk *sk)
lc_kyber_x25519_dec_kdf - Key decapsulation with KDF applied to shared secret
struct lc_x25519_ss ss_x25519
int lc_kex_512_x25519_ake_initiator_init(struct lc_kyber_512_x25519_pk *pk_e_i, struct lc_kyber_512_x25519_ct *ct_e_i, struct lc_kyber_512_x25519_ss *tk, struct lc_kyber_512_x25519_sk *sk_e, const struct lc_kyber_512_x25519_pk *pk_r)
lc_kex_x25519_ake_initiator_init - Initialize authenticated key exchange
static LC_PURE unsigned int lc_kyber_512_pk_size(void)
Return the size of the Kyber public key.
struct lc_x25519_pk pk_x25519
static int lc_kyber_512_x25519_ies_dec_final(struct lc_aead_ctx *aead, const uint8_t *tag, size_t taglen)
lc_kyber _x25519_ies_dec_final - KyberIES decryption stream operation finalization / integrity test
static int lc_kyber_512_ies_dec_final(struct lc_aead_ctx *aead, const uint8_t *tag, size_t taglen)
lc_kyber_ies_dec_final - KyberIES decryption stream operation finalization / integrity test
int lc_kex_512_uake_initiator_ss(uint8_t *shared_secret, size_t shared_secret_len, const uint8_t *kdf_nonce, size_t kdf_nonce_len, const struct lc_kyber_512_ct *ct_e_r, const struct lc_kyber_512_ss *tk, const struct lc_kyber_512_sk *sk_e)
lc_kex_uake_initiator_ss - Responder's shared secret generation
int lc_kyber_512_ies_dec_init(struct lc_aead_ctx *aead, const struct lc_kyber_512_sk *sk, const struct lc_kyber_512_ct *ct, const uint8_t *aad, size_t aadlen)
lc_kyber_ies_dec_init - KyberIES decryption stream operation initialization
int lc_kex_512_x25519_uake_initiator_init(struct lc_kyber_512_x25519_pk *pk_e_i, struct lc_kyber_512_x25519_ct *ct_e_i, struct lc_kyber_512_x25519_ss *tk, struct lc_kyber_512_x25519_sk *sk_e, const struct lc_kyber_512_x25519_pk *pk_r)
lc_kex_x25519_uake_initiator_init - Initialize unilaterally authenticated key exchange
static LC_PURE unsigned int lc_kyber_512_ct_size(void)
Return the size of the Kyber ciphertext.
uint8_t sk[LC_KYBER_SECRETKEYBYTES]
int lc_kex_512_uake_responder_ss(struct lc_kyber_512_ct *ct_e_r, uint8_t *shared_secret, size_t shared_secret_len, const uint8_t *kdf_nonce, size_t kdf_nonce_len, const struct lc_kyber_512_pk *pk_e_i, const struct lc_kyber_512_ct *ct_e_i, const struct lc_kyber_512_sk *sk_r)
lc_kex_uake_responder_ss - Initiator's shared secret generation
int lc_kyber_512_enc(struct lc_kyber_512_ct *ct, struct lc_kyber_512_ss *ss, const struct lc_kyber_512_pk *pk)
lc_kyber_enc - Key encapsulation
static int lc_kyber_512_ies_enc_update(struct lc_aead_ctx *aead, const uint8_t *plaintext, uint8_t *ciphertext, size_t datalen)
lc_kyber_ies_enc_update - KyberIES encryption stream operation add more data
int lc_kyber_512_keypair_from_seed(struct lc_kyber_512_pk *pk, struct lc_kyber_512_sk *sk, const uint8_t *seed, size_t seedlen)
lc_kyber__keypair_from_seed - Generates Kyber public and private key from a given seed.
struct lc_kyber_512_ss ss
struct lc_kyber_512_pk pk
int lc_kex_512_ake_initiator_init(struct lc_kyber_512_pk *pk_e_i, struct lc_kyber_512_ct *ct_e_i, struct lc_kyber_512_ss *tk, struct lc_kyber_512_sk *sk_e, const struct lc_kyber_512_pk *pk_r)
lc_kex_ake_initiator_init - Initialize authenticated key exchange
struct lc_kyber_512_sk sk
int lc_kex_512_ake_responder_ss(struct lc_kyber_512_ct *ct_e_r_1, struct lc_kyber_512_ct *ct_e_r_2, uint8_t *shared_secret, size_t shared_secret_len, const uint8_t *kdf_nonce, size_t kdf_nonce_len, const struct lc_kyber_512_pk *pk_e_i, const struct lc_kyber_512_ct *ct_e_i, const struct lc_kyber_512_sk *sk_r, const struct lc_kyber_512_pk *pk_i)
lc_kex_ake_responder_ss - Initiator's shared secret generation
int lc_kex_512_x25519_uake_initiator_ss(uint8_t *shared_secret, size_t shared_secret_len, const uint8_t *kdf_nonce, size_t kdf_nonce_len, const struct lc_kyber_512_x25519_ct *ct_e_r, const struct lc_kyber_512_x25519_ss *tk, const struct lc_kyber_512_x25519_sk *sk_e)
lc_kex_x25519_uake_initiator_ss - Responder's shared secret generation
static int lc_kyber_512_x25519_ies_enc_update(struct lc_aead_ctx *aead, const uint8_t *plaintext, uint8_t *ciphertext, size_t datalen)
lc_kyber_x25519_ies_enc_update - KyberIES encryption stream operation add more data
struct lc_kyber_512_ct ct
int lc_kex_512_uake_initiator_init(struct lc_kyber_512_pk *pk_e_i, struct lc_kyber_512_ct *ct_e_i, struct lc_kyber_512_ss *tk, struct lc_kyber_512_sk *sk_e, const struct lc_kyber_512_pk *pk_r)
lc_kex_uake_initiator_init - Initialize unilaterally authenticated key exchange
int lc_kex_512_x25519_uake_responder_ss(struct lc_kyber_512_x25519_ct *ct_e_r, uint8_t *shared_secret, size_t shared_secret_len, const uint8_t *kdf_nonce, size_t kdf_nonce_len, const struct lc_kyber_512_x25519_pk *pk_e_i, const struct lc_kyber_512_x25519_ct *ct_e_i, const struct lc_kyber_512_x25519_sk *sk_r)
lc_kex_x25519_uake_responder_ss - Initiator's shared secret generation
static int lc_kyber_512_x25519_ies_enc_final(struct lc_aead_ctx *aead, uint8_t *tag, size_t taglen)
lc_kyber_x25519_ies_enc_final - KyberIES encryption stream operation finalization / integrity test
int lc_kyber_512_keypair(struct lc_kyber_512_pk *pk, struct lc_kyber_512_sk *sk, struct lc_rng_ctx *rng_ctx)
lc_kyber_keypair - Generates public and private key for IND-CCA2-secure Kyber key encapsulation mecha...
int lc_kyber_512_x25519_ies_dec(const struct lc_kyber_512_x25519_sk *sk, const struct lc_kyber_512_x25519_ct *ct, const uint8_t *ciphertext, uint8_t *plaintext, size_t datalen, const uint8_t *aad, size_t aadlen, const uint8_t *tag, size_t taglen, struct lc_aead_ctx *aead)
lc_kyber_x25519_ies_dec - KyberIES decryption oneshot
static LC_PURE unsigned int lc_kyber_512_ss_size(void)
Return the size of the Kyber shared secret.
struct lc_x25519_sk sk_x25519
int lc_kex_512_x25519_ake_responder_ss(struct lc_kyber_512_x25519_ct *ct_e_r_1, struct lc_kyber_512_x25519_ct *ct_e_r_2, uint8_t *shared_secret, size_t shared_secret_len, const uint8_t *kdf_nonce, size_t kdf_nonce_len, const struct lc_kyber_512_x25519_pk *pk_e_i, const struct lc_kyber_512_x25519_ct *ct_e_i, const struct lc_kyber_512_x25519_sk *sk_r, const struct lc_kyber_512_x25519_pk *pk_i)
lc_kex_x25519_ake_responder_ss - Initiator's shared secret generation
uint8_t ss[LC_KYBER_SSBYTES]
int lc_kyber_512_x25519_keypair(struct lc_kyber_512_x25519_pk *pk, struct lc_kyber_512_x25519_sk *sk, struct lc_rng_ctx *rng_ctx)
lc_kyber_x25519_keypair - Generates public and private key for IND-CCA2-secure Kyber key encapsulatio...
int lc_kyber_512_dec(struct lc_kyber_512_ss *ss, const struct lc_kyber_512_ct *ct, const struct lc_kyber_512_sk *sk)
lc_kyber_dec - Key decapsulation
int lc_kex_512_x25519_ake_initiator_ss(uint8_t *shared_secret, size_t shared_secret_len, const uint8_t *kdf_nonce, size_t kdf_nonce_len, const struct lc_kyber_512_x25519_ct *ct_e_r_1, const struct lc_kyber_512_x25519_ct *ct_e_r_2, const struct lc_kyber_512_x25519_ss *tk, const struct lc_kyber_512_x25519_sk *sk_e, const struct lc_kyber_512_x25519_sk *sk_i)
lc_kex_x25519_ake_initiator_ss - Responder's shared secret generation
int lc_kyber_512_ies_dec(const struct lc_kyber_512_sk *sk, const struct lc_kyber_512_ct *ct, const uint8_t *ciphertext, uint8_t *plaintext, size_t datalen, const uint8_t *aad, size_t aadlen, const uint8_t *tag, size_t taglen, struct lc_aead_ctx *aead)
lc_kyber_ies_dec - KyberIES decryption oneshot
uint8_t pk[LC_KYBER_PUBLICKEYBYTES]
int lc_kex_512_ake_initiator_ss(uint8_t *shared_secret, size_t shared_secret_len, const uint8_t *kdf_nonce, size_t kdf_nonce_len, const struct lc_kyber_512_ct *ct_e_r_1, const struct lc_kyber_512_ct *ct_e_r_2, const struct lc_kyber_512_ss *tk, const struct lc_kyber_512_sk *sk_e, const struct lc_kyber_512_sk *sk_i)
lc_kex_ake_initiator_ss - Responder's shared secret generation
int lc_kyber_512_ies_enc_init(struct lc_aead_ctx *aead, const struct lc_kyber_512_pk *pk, struct lc_kyber_512_ct *ct, const uint8_t *aad, size_t aadlen)
lc_kyber_ies_enc_init - KyberIES encryption stream operation initialization
struct lc_x25519_pk pk_x25519
static LC_PURE unsigned int lc_kyber_512_sk_size(void)
Return the size of the Kyber secret key.
int lc_kyber_512_ies_enc(const struct lc_kyber_512_pk *pk, struct lc_kyber_512_ct *ct, const uint8_t *plaintext, uint8_t *ciphertext, size_t datalen, const uint8_t *aad, size_t aadlen, uint8_t *tag, size_t taglen, struct lc_aead_ctx *aead)
lc_kyber_ies_enc - KyberIES encryption oneshot
uint8_t ct[LC_CRYPTO_CIPHERTEXTBYTES]
static int lc_kyber_512_ies_dec_update(struct lc_aead_ctx *aead, const uint8_t *ciphertext, uint8_t *plaintext, size_t datalen)
lc_kyber_ies_dec_update - KyberIES decryption stream operation add more data
int lc_kyber_512_x25519_ies_enc_init(struct lc_aead_ctx *aead, const struct lc_kyber_512_x25519_pk *pk, struct lc_kyber_512_x25519_ct *ct, const uint8_t *aad, size_t aadlen)
lc_kyber_x25519_ies_enc_init - KyberIES encryption stream operation initialization
int lc_kyber_512_dec_kdf(uint8_t *ss, size_t ss_len, const struct lc_kyber_512_ct *ct, const struct lc_kyber_512_sk *sk)
lc_kyber_dec_kdf - Key decapsulation with KDF applied to shared secret