/*

 * Crystals Kyber Internal Algorithms

 * Based on the public domain reference implementation by the

 * designers (https://github.com/pq-crystals/kyber)

 *

 * Further changes

 * (C) 2021-2024 Jack Lloyd

 * (C) 2021-2022 Manuel Glaser and Michael Boric, Rohde & Schwarz Cybersecurity

 * (C) 2021-2022 René Meusel and Hannes Rantzsch, neXenio GmbH

 * (C) 2024 René Meusel, Rohde & Schwarz Cybersecurity

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 */

#ifndef BOTAN_KYBER_ALGOS_H_

#define BOTAN_KYBER_ALGOS_H_

#include <botan/xof.h>

#include <botan/internal/fmt.h>

#include <botan/internal/kyber_symmetric_primitives.h>

#include <botan/internal/kyber_types.h>

#include <botan/internal/loadstor.h>

namespace Botan::Kyber_Algos {

void encode_polynomial_vector(std::span<uint8_t> out, const KyberPolyVecNTT& p);

KyberPolyVecNTT decode_polynomial_vector(std::span<const uint8_t> a, const KyberConstants& mode);

KyberPoly polynomial_from_message(StrongSpan<const KyberMessage> msg);

KyberMessage polynomial_to_message(const KyberPoly& p);

KyberInternalKeypair expand_keypair(KyberPrivateKeySeed seed, KyberConstants mode);

void compress_ciphertext(StrongSpan<KyberCompressedCiphertext> out,

                         const KyberPolyVec& u,

                         const KyberPoly& v,

                         const KyberConstants& m_mode);

std::pair<KyberPolyVec, KyberPoly> decompress_ciphertext(StrongSpan<const KyberCompressedCiphertext> ct,

                                                         const KyberConstants& mode);

KyberPolyMat sample_matrix(StrongSpan<const KyberSeedRho> seed, bool transposed, const KyberConstants& mode);

void sample_polynomial_from_cbd(KyberPoly& poly,

                                KyberConstants::KyberEta eta,

                                const KyberSamplingRandomness& randomness);

template <concepts::resizable_byte_buffer T = secure_vector<uint8_t>>

T encode_polynomial_vector(const KyberPolyVecNTT& vec, const KyberConstants& mode) {

   T r(mode.polynomial_vector_bytes());

   encode_polynomial_vector(r, vec);

   return r;

}

Unexecuted instantiation: _ZN5Botan11Kyber_Algos24encode_polynomial_vectorITkNS_8concepts21resizable_byte_bufferENSt3__16vectorIhNS_16secure_allocatorIhEEEEEET_RKNS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS9_6DomainE1EEERKNS_14KyberConstantsE

Unexecuted instantiation: _ZN5Botan11Kyber_Algos24encode_polynomial_vectorITkNS_8concepts21resizable_byte_bufferENSt3__16vectorIhNS3_9allocatorIhEEEEEET_RKNS_8CRYSTALS16PolynomialVectorINS_15KyberPolyTraitsELNS9_6DomainE1EEERKNS_14KyberConstantsE

/**

 * Allows sampling multiple polynomials from a single seed via a XOF.

 *

 * Used in Algorithms 13 (K-PKE.KeyGen) and 14 (K-PKE.Encrypt), and takes care

 * of the continuous nonce value internally.

 */

template <typename SeedT>

   requires std::same_as<KyberSeedSigma, SeedT> || std::same_as<KyberEncryptionRandomness, SeedT>

class PolynomialSampler {

   public:

      PolynomialSampler(StrongSpan<const SeedT> seed, const KyberConstants& mode) :

            m_seed(seed), m_mode(mode), m_nonce(0) {}

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberSeedSigma_> >::PolynomialSampler(Botan::StrongSpan<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberSeedSigma_> const>, Botan::KyberConstants const&)

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberEncryptionRandomness_> >::PolynomialSampler(Botan::StrongSpan<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberEncryptionRandomness_> const>, Botan::KyberConstants const&)

      KyberPolyVec sample_polynomial_vector_cbd_eta1() {

         KyberPolyVec vec(m_mode.k());

         for(auto& poly : vec) {

            sample_poly_cbd(poly, m_mode.eta1());

         }

         return vec;

      }

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberSeedSigma_> >::sample_polynomial_vector_cbd_eta1()

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberEncryptionRandomness_> >::sample_polynomial_vector_cbd_eta1()

      KyberPoly sample_polynomial_cbd_eta2()

         requires std::same_as<KyberEncryptionRandomness, SeedT>

      {

         KyberPoly poly;

         sample_poly_cbd(poly, m_mode.eta2());

         return poly;

      }

      KyberPolyVec sample_polynomial_vector_cbd_eta2()

         requires std::same_as<KyberEncryptionRandomness, SeedT>

      {

         KyberPolyVec vec(m_mode.k());

         for(auto& poly : vec) {

            sample_poly_cbd(poly, m_mode.eta2());

         }

         return vec;

      }

   private:

      KyberSamplingRandomness prf(size_t bytes) { return m_mode.symmetric_primitives().PRF(m_seed, m_nonce++, bytes); }

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberSeedSigma_> >::prf(unsigned long)

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberEncryptionRandomness_> >::prf(unsigned long)

      void sample_poly_cbd(KyberPoly& poly, KyberConstants::KyberEta eta) {

         const auto randomness = [&] {

            switch(eta) {

               case KyberConstants::KyberEta::_2:

                  return prf(2 * poly.size() / 4);

               case KyberConstants::KyberEta::_3:

                  return prf(3 * poly.size() / 4);

            }

            BOTAN_ASSERT_UNREACHABLE();

         }();

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberSeedSigma_> >::sample_poly_cbd(Botan::CRYSTALS::Polynomial<Botan::KyberPolyTraits, (Botan::CRYSTALS::Domain)0>&, Botan::KyberConstants::KyberEta)::{lambda()#1}::operator()() const

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberEncryptionRandomness_> >::sample_poly_cbd(Botan::CRYSTALS::Polynomial<Botan::KyberPolyTraits, (Botan::CRYSTALS::Domain)0>&, Botan::KyberConstants::KyberEta)::{lambda()#1}::operator()() const

         sample_polynomial_from_cbd(poly, eta, randomness);

      }

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberSeedSigma_> >::sample_poly_cbd(Botan::CRYSTALS::Polynomial<Botan::KyberPolyTraits, (Botan::CRYSTALS::Domain)0>&, Botan::KyberConstants::KyberEta)

Unexecuted instantiation: Botan::Kyber_Algos::PolynomialSampler<Botan::Strong<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, Botan::KyberEncryptionRandomness_> >::sample_poly_cbd(Botan::CRYSTALS::Polynomial<Botan::KyberPolyTraits, (Botan::CRYSTALS::Domain)0>&, Botan::KyberConstants::KyberEta)

   private:

      StrongSpan<const SeedT> m_seed;

      const KyberConstants& m_mode;

      uint8_t m_nonce;

};

template <typename T>

PolynomialSampler(T, const KyberConstants&) -> PolynomialSampler<T>;

}  // namespace Botan::Kyber_Algos

#endif