/src/botan/build/include/internal/botan/internal/dilithium_constants.h
Line | Count | Source |
1 | | /* |
2 | | * Crystals Dilithium Constants |
3 | | * |
4 | | * (C) 2022-2023 Jack Lloyd |
5 | | * (C) 2022 Manuel Glaser - Rohde & Schwarz Cybersecurity |
6 | | * (C) 2022-2023 Michael Boric, René Meusel - Rohde & Schwarz Cybersecurity |
7 | | * (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity |
8 | | * |
9 | | * Botan is released under the Simplified BSD License (see license.txt) |
10 | | */ |
11 | | |
12 | | #ifndef BOTAN_DILITHIUM_CONSTANTS_H_ |
13 | | #define BOTAN_DILITHIUM_CONSTANTS_H_ |
14 | | |
15 | | #include <botan/dilithium.h> |
16 | | |
17 | | namespace Botan { |
18 | | |
19 | | class Dilithium_Symmetric_Primitives_Base; |
20 | | class Dilithium_Keypair_Codec; |
21 | | |
22 | | /** |
23 | | * Algorithm constants and parameter-set dependent values |
 | | * |
 | | * The `static constexpr` members are the same for every parameter set. The |
 | | * values behind the accessors are stored per instance; the constructor that |
 | | * takes a DilithiumMode is declared here and defined outside this header. |
 | | * |
 | | * Copy construction re-runs that constructor with the other object's mode |
 | | * instead of copying members, copy assignment is deleted, and moves are |
 | | * defaulted. A moved-from object is left with empty unique_ptr members, so |
 | | * symmetric_primitives() and keypair_codec() must not be called on it. |
24 | | */ |
25 | | class DilithiumConstants final { |
26 | | public: |
27 | | /// base data type for most calculations |
 | | /// (32 bits wide: the product of two values below Q does not fit into T, |
 | | /// so multiplications need a wider intermediate type) |
28 | | using T = int32_t; |
29 | | |
30 | | /// number of coefficients in a polynomial |
31 | | static constexpr T N = 256; |
32 | | |
33 | | /// modulus (equals 2^23 - 2^13 + 1) |
34 | | static constexpr T Q = 8380417; |
35 | | |
36 | | /// number of dropped bits from t (see FIPS 204 Section 5) |
37 | | static constexpr T D = 13; |
38 | | |
39 | | /// as specified in FIPS 204 (see Algorithm 36 (NTT^-1), f = 256^-1 mod Q) |
40 | | static constexpr T F = 8347681; |
41 | | |
42 | | /// the 512-th root of unity modulo Q (see FIPS 204 Section 8.5) |
43 | | static constexpr T ROOT_OF_UNITY = 1753; |
44 | | |
45 | | /// degree of the NTT polynomials (same value as N, but typed as size_t) |
46 | | static constexpr size_t NTT_Degree = 256; |
47 | | |
48 | | public: |
49 | | /// \name Byte lengths of various hash outputs and seeds |
50 | | /// @{ |
51 | | |
52 | | static constexpr size_t SEED_RANDOMNESS_BYTES = 32; |
53 | | static constexpr size_t SEED_RHO_BYTES = 32; |
54 | | static constexpr size_t SEED_RHOPRIME_BYTES = 64; |
55 | | static constexpr size_t OPTIONAL_RANDOMNESS_BYTES = 32; |
56 | | static constexpr size_t SEED_SIGNING_KEY_BYTES = 32; |
57 | | static constexpr size_t MESSAGE_HASH_BYTES = 64; |
58 | | static constexpr size_t COMMITMENT_HASH_C1_BYTES = 32; |
59 | | |
60 | | /// @} |
61 | | |
62 | | /// \name Loop bounds for various rejection sampling loops (FIPS 204, Apx C) |
 | | /// These are upper limits on iteration counts. What a caller does when a |
 | | /// bound is reached is decided at the point of use, not in this header. |
63 | | /// @{ |
64 | | |
65 | | static constexpr uint16_t SIGNING_LOOP_BOUND = 814; |
66 | | static constexpr uint16_t SAMPLE_POLY_FROM_XOF_BOUND = 481; |
67 | | static constexpr uint16_t SAMPLE_NTT_POLY_FROM_XOF_BOUND = 894; |
68 | | static constexpr uint16_t SAMPLE_IN_BALL_XOF_BOUND = 221; |
69 | | |
70 | | /// @} |
71 | | |
72 | | public: |
 | | // The enums below are unscoped with a fixed 32-bit underlying type, so their |
 | | // enumerators are visible as DilithiumConstants::NAME and convert implicitly |
 | | // to integers. Each enum lists the values its parameter may take; which one |
 | | // applies to a given mode is decided by the constructor (not in this header). |
 | | // NOTE(review): where three values are listed, the order looks like the FIPS 204 |
 | | // parameter sets 44 / 65 / 87 - confirm against the constructor. |
73 | | enum DilithiumTau : uint32_t { _39 = 39, _49 = 49, _60 = 60 }; |
74 | | |
75 | | enum DilithiumLambda : uint32_t { _128 = 128, _192 = 192, _256 = 256 }; |
76 | | |
77 | | enum DilithiumGamma1 : uint32_t { ToThe17th = (1 << 17), ToThe19th = (1 << 19) }; |
78 | | |
 | | // (Q - 1) / 88 = 95232 and (Q - 1) / 32 = 261888; both divisions are exact. |
 | | // "Devided" is the spelling used in the enumerator names. |
79 | | enum DilithiumGamma2 : uint32_t { Qminus1DevidedBy88 = (Q - 1) / 88, Qminus1DevidedBy32 = (Q - 1) / 32 }; |
80 | | |
81 | | enum DilithiumEta : uint32_t { _2 = 2, _4 = 4 }; |
82 | | |
83 | | enum DilithiumBeta : uint32_t { _78 = 78, _196 = 196, _120 = 120 }; |
84 | | |
85 | | enum DilithiumOmega : uint32_t { _80 = 80, _55 = 55, _75 = 75 }; |
86 | | |
 | | /// Construct the constants for one mode. Defined outside this header; |
 | | /// presumably it fills in every per-instance member below - confirm there. |
 | | /// NOTE(review): the constructor is not marked `explicit`, so a DilithiumMode |
 | | /// converts implicitly to a DilithiumConstants. |
87 | | DilithiumConstants(DilithiumMode dimension); |
 | | /// Declared here and defined elsewhere: the unique_ptr members point to types |
 | | /// that are only forward-declared in this header. |
88 | | ~DilithiumConstants(); |
89 | | |
 | | /// Copy by re-deriving everything from the other object's mode; the |
 | | /// unique_ptr members cannot be copied member-wise. |
90 | 0 | DilithiumConstants(const DilithiumConstants& other) : DilithiumConstants(other.m_mode) {} |
91 | | |
 | | /// Moves are member-wise; copy assignment is deleted. After a move the source |
 | | /// object's unique_ptr members are empty. |
92 | 0 | DilithiumConstants(DilithiumConstants&& other) = default; |
93 | | DilithiumConstants& operator=(const DilithiumConstants& other) = delete; |
94 | | DilithiumConstants& operator=(DilithiumConstants&& other) = default; |
95 | | |
 | | /// The three predicates below forward to the DilithiumMode held by this object. |
96 | 17 | bool is_modern() const { return m_mode.is_modern(); } |
97 | | |
98 | 17 | bool is_aes() const { return m_mode.is_aes(); } |
99 | | |
100 | 34 | bool is_ml_dsa() const { return m_mode.is_ml_dsa(); } |
101 | | |
102 | | public: |
103 | | /// \name Foundational constants |
104 | | /// @{ |
105 | | |
106 | | /// hamming weight of the polynomial 'c' sampled from the commitment's hash |
107 | 0 | DilithiumTau tau() const { return m_tau; } |
108 | | |
109 | | /// collision strength of the commitment hash function |
110 | 0 | DilithiumLambda lambda() const { return m_lambda; } |
111 | | |
112 | | /// coefficient range of the randomly sampled mask 'y' |
113 | 0 | DilithiumGamma1 gamma1() const { return m_gamma1; } |
114 | | |
115 | | /// low-order rounding range for decomposing the commitment from polynomial vector 'w' |
116 | 0 | DilithiumGamma2 gamma2() const { return m_gamma2; } |
117 | | |
118 | | /// number of rows of the expanded matrix A (A has k rows and l columns) |
119 | 17 | uint8_t k() const { return m_k; } |
120 | | |
121 | | /// number of columns of the expanded matrix A (A has k rows and l columns) |
122 | 17 | uint8_t l() const { return m_l; } |
123 | | |
124 | | /// coefficient range of the private key's polynomial vectors 's1' and 's2' |
125 | 0 | DilithiumEta eta() const { return m_eta; } |
126 | | |
127 | | /// tau * eta |
128 | 0 | DilithiumBeta beta() const { return m_beta; } |
129 | | |
130 | | /// maximal hamming weight of the hint polynomial vector 'h' |
131 | 0 | DilithiumOmega omega() const { return m_omega; } |
132 | | |
133 | | /// length of the public key hash 'tr' in bytes (differs between R3 and ML-DSA) |
134 | 17 | size_t public_key_hash_bytes() const { return m_public_key_hash_bytes; } |
135 | | |
136 | | /// length of the entire commitment hash 'c~' in bytes (differs between R3 and ML-DSA) |
137 | 17 | size_t commitment_hash_full_bytes() const { return m_commitment_hash_full_bytes; } |
138 | | |
139 | | /// @} |
140 | | |
141 | | /// \name Sizes of encoded data structures |
 | | /// These are the lengths for the mode of this instance. Any check of an |
 | | /// encoded key or signature against them happens in the calling code. |
142 | | /// @{ |
143 | | |
144 | | /// byte length of the encoded signature |
145 | 0 | size_t signature_bytes() const { return m_signature_bytes; } |
146 | | |
147 | | /// byte length of the encoded public key |
148 | 17 | size_t public_key_bytes() const { return m_public_key_bytes; } |
149 | | |
150 | | /// byte length of the encoded private key |
151 | 0 | size_t private_key_bytes() const { return m_private_key_bytes; } |
152 | | |
153 | | /// byte length of the packed commitment polynomial vector 'w1' |
154 | 0 | size_t serialized_commitment_bytes() const { return m_serialized_commitment_bytes; } |
155 | | |
156 | | /// @} |
157 | | |
 | | /// the mode this object was constructed for (returned by value) |
158 | 34 | DilithiumMode mode() const { return m_mode; } |
159 | | |
160 | | /// @returns one of {44, 65, 87} |
 | | /// Computed as k * 10 + l; the uint8_t operands are promoted to int before |
 | | /// the arithmetic, so the expression does not wrap at 8 bits. |
161 | 0 | size_t canonical_parameter_set_identifier() const { return k() * 10 + l(); } |
162 | | |
 | | /// Mode-dependent symmetric primitives, returned as a mutable reference from a |
 | | /// const object. The owning pointer is dereferenced without a null check, so |
 | | /// this must not be called on a moved-from object. |
163 | 0 | Dilithium_Symmetric_Primitives_Base& symmetric_primitives() const { return *m_symmetric_primitives; } |
164 | | |
 | | /// Mode-dependent key pair codec; same ownership and null-pointer caveat as |
 | | /// symmetric_primitives(). |
165 | 0 | Dilithium_Keypair_Codec& keypair_codec() const { return *m_keypair_codec; } |
166 | | |
167 | | private: |
 | | // Non-static members are initialized in the order declared here, whatever |
 | | // order the constructor (defined outside this header) lists them in. |
168 | | DilithiumMode m_mode; |
169 | | |
170 | | DilithiumTau m_tau; |
171 | | DilithiumLambda m_lambda; |
172 | | DilithiumGamma1 m_gamma1; |
173 | | DilithiumGamma2 m_gamma2; |
174 | | uint8_t m_k; |
175 | | uint8_t m_l; |
176 | | DilithiumEta m_eta; |
177 | | DilithiumBeta m_beta; |
178 | | DilithiumOmega m_omega; |
 | | // Byte lengths are stored as uint32_t and widened to size_t by the accessors. |
179 | | uint32_t m_public_key_hash_bytes; |
180 | | uint32_t m_commitment_hash_full_bytes; |
181 | | |
182 | | uint32_t m_private_key_bytes; |
183 | | uint32_t m_public_key_bytes; |
184 | | uint32_t m_signature_bytes; |
185 | | uint32_t m_serialized_commitment_bytes; |
186 | | |
187 | | // Mode dependent primitives (owned by this object; empty after it has been moved from) |
188 | | std::unique_ptr<Dilithium_Symmetric_Primitives_Base> m_symmetric_primitives; |
189 | | std::unique_ptr<Dilithium_Keypair_Codec> m_keypair_codec; |
190 | | }; |
191 | | |
192 | | } // namespace Botan |
193 | | |
194 | | #endif |