fips203ipd
C11 implementation of FIPS 203 initial public draft (IPD).
Macros | Functions
KEM768

KEM768 constants and functions. More...

Macros

#define FIPS203IPD_KEM768_EK_SIZE   1184
 Size of KEM768 encapsulation key, in bytes (384 * K + 32).
 
#define FIPS203IPD_KEM768_DK_SIZE   2400
 Size of KEM768 decapsulation key, in bytes (768 * K + 96).
 
#define FIPS203IPD_KEM768_CT_SIZE   1088
 Size of KEM768 ciphertext, in bytes (32 * (DU * K + DV)).
 

Functions

void fips203ipd_kem768_keygen (uint8_t ek[static FIPS203IPD_KEM768_EK_SIZE], uint8_t dk[static FIPS203IPD_KEM768_DK_SIZE], const uint8_t seed[static FIPS203IPD_KEYGEN_SEED_SIZE])
 Generate KEM768 encapsulation key ek and decapsulation key dk from 64 byte random seed seed. More...
 
void fips203ipd_kem768_encaps (uint8_t key[static FIPS203IPD_KEY_SIZE], uint8_t ct[static FIPS203IPD_KEM768_CT_SIZE], const uint8_t ek[static FIPS203IPD_KEM768_EK_SIZE], const uint8_t seed[static FIPS203IPD_ENCAPS_SEED_SIZE])
 Generate KEM768 shared key key and ciphertext ct from given encapsulation key ek and randomness seed. More...
 
void fips203ipd_kem768_decaps (uint8_t key[static FIPS203IPD_KEY_SIZE], const uint8_t ct[static FIPS203IPD_KEM768_CT_SIZE], const uint8_t dk[static FIPS203IPD_KEM768_DK_SIZE])
 Decapsulate shared key key from ciphertext ct using KEM768 decapsulation key dk with implicit rejection. More...
 

Detailed Description

KEM768 constants and functions.

Function Documentation

◆ fips203ipd_kem768_decaps()

void fips203ipd_kem768_decaps ( uint8_t  key[static FIPS203IPD_KEY_SIZE],
const uint8_t  ct[static FIPS203IPD_KEM768_CT_SIZE],
const uint8_t  dk[static FIPS203IPD_KEM768_DK_SIZE] 
)

Decapsulate shared key key from ciphertext ct using KEM768 decapsulation key dk with implicit rejection.

Note
Implicit rejection means that when this function is given an invalid ciphertext, it will return a key which is unpredictable to the attacker rather than an error. This is intended to provide IND-CCA2 security, as discussed in section 3.2 of the FIPS 203 initial public draft.
Parameters
[out]keyShared key (32 bytes).
[out]ctCiphertext (1088 bytes).
[in]dkKEM768 decapsulation key (2400 bytes).

Example:

// alice: decapsulate shared secret from ciphertext
uint8_t a_key[32] = { 0 }; // decapsulated key
fips203ipd_kem768_decaps(a_key, ct, dk);
fips203ipd_kem768_decaps
void fips203ipd_kem768_decaps(uint8_t key[static FIPS203IPD_KEY_SIZE], const uint8_t ct[static FIPS203IPD_KEM768_CT_SIZE], const uint8_t dk[static FIPS203IPD_KEM768_DK_SIZE])
Decapsulate shared key key from ciphertext ct using KEM768 decapsulation key dk with implicit rejecti...

◆ fips203ipd_kem768_encaps()

void fips203ipd_kem768_encaps ( uint8_t  key[static FIPS203IPD_KEY_SIZE],
uint8_t  ct[static FIPS203IPD_KEM768_CT_SIZE],
const uint8_t  ek[static FIPS203IPD_KEM768_EK_SIZE],
const uint8_t  seed[static FIPS203IPD_ENCAPS_SEED_SIZE] 
)

Generate KEM768 shared key key and ciphertext ct from given encapsulation key ek and randomness seed.

Warning
seed must be 32 random bytes generated by a cryptographically secure pseudorandom number generator (CSPRNG). Specifically, section 3.3 of the FIPS 203 initial public draft requires an approved random bit generator (RBG) with at least 192 bits of strength.
Note
Encapsulation key polynomial coefficients are reduced modulo Q during deserialization, as per option #2 in this pqc-forum discussion.
Parameters
[out]keyShared key (32 bytes).
[out]ctCiphertext (1088 bytes).
[in]ekKEM768 encapsulation key (1184 bytes).
[in]seedRandom seed (32 bytes).

Example:

// bob: get 32 random bytes for encaps()
uint8_t encaps_seed[32] = { 0 };
rand_bytes(encaps_seed, sizeof(encaps_seed));
// bob: generate shared secret and ciphertext from encapsulation key and seed
uint8_t b_key[32] = { 0 }; // shared secret
uint8_t ct[FIPS203IPD_KEM768_CT_SIZE] = { 0 }; // ciphertext
fips203ipd_kem768_encaps(b_key, ct, ek, encaps_seed);
fips203ipd_kem768_encaps
void fips203ipd_kem768_encaps(uint8_t key[static FIPS203IPD_KEY_SIZE], uint8_t ct[static FIPS203IPD_KEM768_CT_SIZE], const uint8_t ek[static FIPS203IPD_KEM768_EK_SIZE], const uint8_t seed[static FIPS203IPD_ENCAPS_SEED_SIZE])
Generate KEM768 shared key key and ciphertext ct from given encapsulation key ek and randomness seed.
FIPS203IPD_KEM768_CT_SIZE
#define FIPS203IPD_KEM768_CT_SIZE
Size of KEM768 ciphertext, in bytes (32 * (DU * K + DV)).
Definition: fips203ipd.h:189

◆ fips203ipd_kem768_keygen()

void fips203ipd_kem768_keygen ( uint8_t  ek[static FIPS203IPD_KEM768_EK_SIZE],
uint8_t  dk[static FIPS203IPD_KEM768_DK_SIZE],
const uint8_t  seed[static FIPS203IPD_KEYGEN_SEED_SIZE] 
)

Generate KEM768 encapsulation key ek and decapsulation key dk from 64 byte random seed seed.

Warning
seed must be 64 random bytes generated by a cryptographically secure pseudorandom number generator (CSPRNG). Specifically, section 3.3 of the FIPS 203 initial public draft requires an approved random bit generator (RBG) with at least 192 bits of strength.
Parameters
[out]ekKEM768 encapsulation key (1184 bytes).
[out]dkKEM768 decapsulation key (2400 bytes).
[in]seedRandom seed (64 bytes).

Example:

// alice: get 64 random bytes for keygen()
uint8_t keygen_seed[64] = { 0 };
rand_bytes(keygen_seed, sizeof(keygen_seed));
// alice: generate encapsulation/decapsulation key pair from seed
uint8_t ek[FIPS203IPD_KEM768_EK_SIZE] = { 0 }; // encapsulation key
uint8_t dk[FIPS203IPD_KEM768_DK_SIZE] = { 0 }; // decapsulation key
fips203ipd_kem768_keygen(ek, dk, keygen_seed);
FIPS203IPD_KEM768_EK_SIZE
#define FIPS203IPD_KEM768_EK_SIZE
Size of KEM768 encapsulation key, in bytes (384 * K + 32).
Definition: fips203ipd.h:177
fips203ipd_kem768_keygen
void fips203ipd_kem768_keygen(uint8_t ek[static FIPS203IPD_KEM768_EK_SIZE], uint8_t dk[static FIPS203IPD_KEM768_DK_SIZE], const uint8_t seed[static FIPS203IPD_KEYGEN_SEED_SIZE])
Generate KEM768 encapsulation key ek and decapsulation key dk from 64 byte random seed seed.
FIPS203IPD_KEM768_DK_SIZE
#define FIPS203IPD_KEM768_DK_SIZE
Size of KEM768 decapsulation key, in bytes (768 * K + 96).
Definition: fips203ipd.h:183
Generated by doxygen 1.9.4