pub(crate) fn ml_kem_key_gen_internal<const K: usize, const ETA1_64: usize>(

    d: [u8; 32], z: [u8; 32], ek: &mut [u8], dk: &mut [u8],

) {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 16: ek len not 384 * K + 32");

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 16: dk len not 768 * K + 96");

    // 1: (ek_PKE , dk_PKE) ← K-PKE.KeyGen(𝑑)    ▷ run key generation for K-PKE

    // 2: ek ← ek_PKE    ▷ KEM encaps key is just the PKE encryption key

    let p1 = 384 * K;

    k_pke_key_gen::<K, ETA1_64>(d, ek, &mut dk[..p1]); // writes ek and first part of dk

    // 3: dk ← (dk_PKE ‖ ek ‖ H(ek) ‖ 𝑧)    ▷ KEM decaps key includes PKE decryption key

    let h_ek = h(ek);

    let p2 = p1 + ek.len();

    let p3 = p2 + h_ek.len();

    dk[p1..p2].copy_from_slice(ek);

    dk[p2..p3].copy_from_slice(&h_ek);

    dk[p3..].copy_from_slice(&z);

    // 4: return (ek, dk)

}

pub(crate) fn ml_kem_key_gen_internal<const K: usize, const ETA1_64: usize>(

    d: [u8; 32], z: [u8; 32], ek: &mut [u8], dk: &mut [u8],

) {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 16: ek len not 384 * K + 32");

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 16: dk len not 768 * K + 96");

    // 1: (ek_PKE , dk_PKE) ← K-PKE.KeyGen(𝑑)    ▷ run key generation for K-PKE

    // 2: ek ← ek_PKE    ▷ KEM encaps key is just the PKE encryption key

    let p1 = 384 * K;

    k_pke_key_gen::<K, ETA1_64>(d, ek, &mut dk[..p1]); // writes ek and first part of dk

    // 3: dk ← (dk_PKE ‖ ek ‖ H(ek) ‖ 𝑧)    ▷ KEM decaps key includes PKE decryption key

    let h_ek = h(ek);

    let p2 = p1 + ek.len();

    let p3 = p2 + h_ek.len();

    dk[p1..p2].copy_from_slice(ek);

    dk[p2..p3].copy_from_slice(&h_ek);

    dk[p3..].copy_from_slice(&z);

    // 4: return (ek, dk)

}

pub(crate) fn ml_kem_key_gen_internal<const K: usize, const ETA1_64: usize>(

    d: [u8; 32], z: [u8; 32], ek: &mut [u8], dk: &mut [u8],

) {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 16: ek len not 384 * K + 32");

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 16: dk len not 768 * K + 96");

    // 1: (ek_PKE , dk_PKE) ← K-PKE.KeyGen(𝑑)    ▷ run key generation for K-PKE

    // 2: ek ← ek_PKE    ▷ KEM encaps key is just the PKE encryption key

    let p1 = 384 * K;

    k_pke_key_gen::<K, ETA1_64>(d, ek, &mut dk[..p1]); // writes ek and first part of dk

    // 3: dk ← (dk_PKE ‖ ek ‖ H(ek) ‖ 𝑧)    ▷ KEM decaps key includes PKE decryption key

    let h_ek = h(ek);

    let p2 = p1 + ek.len();

    let p3 = p2 + h_ek.len();

    dk[p1..p2].copy_from_slice(ek);

    dk[p2..p3].copy_from_slice(&h_ek);

    dk[p3..].copy_from_slice(&z);

    // 4: return (ek, dk)

}

fn ml_kem_encaps_internal<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    du: u32, dv: u32, m: &[u8; 32], ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    // Note: this is only called via ml_kem_encaps() which validates slice sizes and correct decode

    // 1: (K, r) ← G(m ∥ H(ek))    ▷ derive shared secret key K and randomness r

    let h_ek = h(ek);

    let (k, r) = g(&[m, &h_ek]);

    // 2: c ← K-PKE.Encrypt(ek, m, r)    ▷ encrypt m using K-PKE with randomness r

    k_pke_encrypt::<K, ETA1_64, ETA2_64>(du, dv, ek, m, &r, ct)?;

    // 3: return (K, c)  (note: ct is mutable input)

    Ok(SharedSecretKey(k))

}

fn ml_kem_encaps_internal<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    du: u32, dv: u32, m: &[u8; 32], ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    // Note: this is only called via ml_kem_encaps() which validates slice sizes and correct decode

    // 1: (K, r) ← G(m ∥ H(ek))    ▷ derive shared secret key K and randomness r

    let h_ek = h(ek);

    let (k, r) = g(&[m, &h_ek]);

    // 2: c ← K-PKE.Encrypt(ek, m, r)    ▷ encrypt m using K-PKE with randomness r

    k_pke_encrypt::<K, ETA1_64, ETA2_64>(du, dv, ek, m, &r, ct)?;

    // 3: return (K, c)  (note: ct is mutable input)

    Ok(SharedSecretKey(k))

}

fn ml_kem_encaps_internal<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    du: u32, dv: u32, m: &[u8; 32], ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    // Note: this is only called via ml_kem_encaps() which validates slice sizes and correct decode

    // 1: (K, r) ← G(m ∥ H(ek))    ▷ derive shared secret key K and randomness r

    let h_ek = h(ek);

    let (k, r) = g(&[m, &h_ek]);

    // 2: c ← K-PKE.Encrypt(ek, m, r)    ▷ encrypt m using K-PKE with randomness r

    k_pke_encrypt::<K, ETA1_64, ETA2_64>(du, dv, ek, m, &r, ct)?;

    // 3: return (K, c)  (note: ct is mutable input)

    Ok(SharedSecretKey(k))

}

fn ml_kem_decaps_internal<

    const K: usize,

    const ETA1_64: usize,

    const ETA2_64: usize,

    const J_LEN: usize,

    const CT_LEN: usize,

>(

    du: u32, dv: u32, dk: &[u8], ct: &[u8; CT_LEN],

) -> Result<SharedSecretKey, &'static str> {

    // Decapsulation key type check

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 18: dk len not 768 ...");

    // Note: decaps key is either correctly sourced from KeyGen, or validated by try_from_bytes(). As

    // such, the two above checks are redundant but will be removed in release builds. The are left

    // here for A) caution, B) give guardrails for future changes

    // 1: dk_PKE ← dk[0 : 384·k]    ▷ extract (from KEM decaps key) the PKE decryption key

    let dk_pke = &dk[0..384 * K];

    // 2: ek_PKE ← dk[384·k : 768·k + 32]    ▷ extract PKE encryption key

    let ek_pke = &dk[384 * K..768 * K + 32];

    // 3: h ← dk[768·k + 32 : 768·k + 64]    ▷ extract hash of PKE encryption key

    let h = &dk[768 * K + 32..768 * K + 64];

    // 4: z ← dk[768·k + 64 : 768·k + 96]    ▷ extract implicit rejection value

    let z = &dk[768 * K + 64..768 * K + 96];

    // 5: m′ ← K-PKE.Decrypt(dk_PKE,c)

    let m_prime = k_pke_decrypt::<K>(du, dv, dk_pke, ct)?;

    // 6: (K′, r′) ← G(m′ ∥ h)

    let (mut k_prime, r_prime) = g(&[&m_prime, h]);

    // 7: K̄ ← J(z ∥ c, 32)

    let k_bar = j(z.try_into().unwrap(), ct);

    // 8: c′ ← K-PKE.Encrypt(ek_PKE , m′ , r′ )    ▷ re-encrypt using the derived randomness r′

    let mut c_prime = [0u8; CT_LEN];

    k_pke_encrypt::<K, ETA1_64, ETA2_64>(

        du,

        dv,

        ek_pke,

        &m_prime,

        &r_prime,

        &mut c_prime[0..ct.len()],

    )?;

    // 9:  if 𝑐 ≠ 𝑐 ′ then

    // 10:   𝐾 ′ ← 𝐾̄    ▷ if ciphertexts do not match, “implicitly reject”

    // 11: end if

    k_prime.conditional_assign(&k_bar, ct.ct_ne(&c_prime));

    // 12: return 𝐾 ′

    Ok(SharedSecretKey(k_prime))

}

fn ml_kem_decaps_internal<

    const K: usize,

    const ETA1_64: usize,

    const ETA2_64: usize,

    const J_LEN: usize,

    const CT_LEN: usize,

>(

    du: u32, dv: u32, dk: &[u8], ct: &[u8; CT_LEN],

) -> Result<SharedSecretKey, &'static str> {

    // Decapsulation key type check

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 18: dk len not 768 ...");

    // Note: decaps key is either correctly sourced from KeyGen, or validated by try_from_bytes(). As

    // such, the two above checks are redundant but will be removed in release builds. The are left

    // here for A) caution, B) give guardrails for future changes

    // 1: dk_PKE ← dk[0 : 384·k]    ▷ extract (from KEM decaps key) the PKE decryption key

    let dk_pke = &dk[0..384 * K];

    // 2: ek_PKE ← dk[384·k : 768·k + 32]    ▷ extract PKE encryption key

    let ek_pke = &dk[384 * K..768 * K + 32];

    // 3: h ← dk[768·k + 32 : 768·k + 64]    ▷ extract hash of PKE encryption key

    let h = &dk[768 * K + 32..768 * K + 64];

    // 4: z ← dk[768·k + 64 : 768·k + 96]    ▷ extract implicit rejection value

    let z = &dk[768 * K + 64..768 * K + 96];

    // 5: m′ ← K-PKE.Decrypt(dk_PKE,c)

    let m_prime = k_pke_decrypt::<K>(du, dv, dk_pke, ct)?;

    // 6: (K′, r′) ← G(m′ ∥ h)

    let (mut k_prime, r_prime) = g(&[&m_prime, h]);

    // 7: K̄ ← J(z ∥ c, 32)

    let k_bar = j(z.try_into().unwrap(), ct);

    // 8: c′ ← K-PKE.Encrypt(ek_PKE , m′ , r′ )    ▷ re-encrypt using the derived randomness r′

    let mut c_prime = [0u8; CT_LEN];

    k_pke_encrypt::<K, ETA1_64, ETA2_64>(

        du,

        dv,

        ek_pke,

        &m_prime,

        &r_prime,

        &mut c_prime[0..ct.len()],

    )?;

    // 9:  if 𝑐 ≠ 𝑐 ′ then

    // 10:   𝐾 ′ ← 𝐾̄    ▷ if ciphertexts do not match, “implicitly reject”

    // 11: end if

    k_prime.conditional_assign(&k_bar, ct.ct_ne(&c_prime));

    // 12: return 𝐾 ′

    Ok(SharedSecretKey(k_prime))

}

fn ml_kem_decaps_internal<

    const K: usize,

    const ETA1_64: usize,

    const ETA2_64: usize,

    const J_LEN: usize,

    const CT_LEN: usize,

>(

    du: u32, dv: u32, dk: &[u8], ct: &[u8; CT_LEN],

) -> Result<SharedSecretKey, &'static str> {

    // Decapsulation key type check

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 18: dk len not 768 ...");

    // Note: decaps key is either correctly sourced from KeyGen, or validated by try_from_bytes(). As

    // such, the two above checks are redundant but will be removed in release builds. The are left

    // here for A) caution, B) give guardrails for future changes

    // 1: dk_PKE ← dk[0 : 384·k]    ▷ extract (from KEM decaps key) the PKE decryption key

    let dk_pke = &dk[0..384 * K];

    // 2: ek_PKE ← dk[384·k : 768·k + 32]    ▷ extract PKE encryption key

    let ek_pke = &dk[384 * K..768 * K + 32];

    // 3: h ← dk[768·k + 32 : 768·k + 64]    ▷ extract hash of PKE encryption key

    let h = &dk[768 * K + 32..768 * K + 64];

    // 4: z ← dk[768·k + 64 : 768·k + 96]    ▷ extract implicit rejection value

    let z = &dk[768 * K + 64..768 * K + 96];

    // 5: m′ ← K-PKE.Decrypt(dk_PKE,c)

    let m_prime = k_pke_decrypt::<K>(du, dv, dk_pke, ct)?;

    // 6: (K′, r′) ← G(m′ ∥ h)

    let (mut k_prime, r_prime) = g(&[&m_prime, h]);

    // 7: K̄ ← J(z ∥ c, 32)

    let k_bar = j(z.try_into().unwrap(), ct);

    // 8: c′ ← K-PKE.Encrypt(ek_PKE , m′ , r′ )    ▷ re-encrypt using the derived randomness r′

    let mut c_prime = [0u8; CT_LEN];

    k_pke_encrypt::<K, ETA1_64, ETA2_64>(

        du,

        dv,

        ek_pke,

        &m_prime,

        &r_prime,

        &mut c_prime[0..ct.len()],

    )?;

    // 9:  if 𝑐 ≠ 𝑐 ′ then

    // 10:   𝐾 ′ ← 𝐾̄    ▷ if ciphertexts do not match, “implicitly reject”

    // 11: end if

    k_prime.conditional_assign(&k_bar, ct.ct_ne(&c_prime));

    // 12: return 𝐾 ′

    Ok(SharedSecretKey(k_prime))

}

pub(crate) fn ml_kem_key_gen<const K: usize, const ETA1_64: usize>(

    rng: &mut impl CryptoRngCore, ek: &mut [u8], dk: &mut [u8],

) -> Result<(), &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 19: ek len not 384 * K + 32");

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 19: dk len not 768 * K + 96");

    // 1: d ←− B^{32}    ▷ d is 32 random bytes (see Section 3.3)

    let mut d = [0u8; 32];

    rng.try_fill_bytes(&mut d).map_err(|_| "Alg 19: Random number generator failed for d")?;

    // 2: z ←− B^{32}    ▷ z is 32 random bytes (see Section 3.3)

    let mut z = [0u8; 32];

    rng.try_fill_bytes(&mut z).map_err(|_| "Alg 19: Random number generator failed for z")?;

    // 3: if 𝑑 == NULL or 𝑧 == NULL then

    // 4:   return ⊥    ▷ return an error indication if random bit generation failed

    // 5: end if

    // Note: the above functionality is present in the map_err() in step 1 and 2

    // 6: (ek, dk) ← ML-KEM.KeyGen_internal(𝑑, 𝑧)    ▷ run internal key generation algorithm

    ml_kem_key_gen_internal::<K, ETA1_64>(d, z, ek, dk);

    // 7: return (ek, dk)

    Ok(())

}

pub(crate) fn ml_kem_key_gen<const K: usize, const ETA1_64: usize>(

    rng: &mut impl CryptoRngCore, ek: &mut [u8], dk: &mut [u8],

) -> Result<(), &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 19: ek len not 384 * K + 32");

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 19: dk len not 768 * K + 96");

    // 1: d ←− B^{32}    ▷ d is 32 random bytes (see Section 3.3)

    let mut d = [0u8; 32];

    rng.try_fill_bytes(&mut d).map_err(|_| "Alg 19: Random number generator failed for d")?;

    // 2: z ←− B^{32}    ▷ z is 32 random bytes (see Section 3.3)

    let mut z = [0u8; 32];

    rng.try_fill_bytes(&mut z).map_err(|_| "Alg 19: Random number generator failed for z")?;

    // 3: if 𝑑 == NULL or 𝑧 == NULL then

    // 4:   return ⊥    ▷ return an error indication if random bit generation failed

    // 5: end if

    // Note: the above functionality is present in the map_err() in step 1 and 2

    // 6: (ek, dk) ← ML-KEM.KeyGen_internal(𝑑, 𝑧)    ▷ run internal key generation algorithm

    ml_kem_key_gen_internal::<K, ETA1_64>(d, z, ek, dk);

    // 7: return (ek, dk)

    Ok(())

}

pub(crate) fn ml_kem_key_gen<const K: usize, const ETA1_64: usize>(

    rng: &mut impl CryptoRngCore, ek: &mut [u8], dk: &mut [u8],

) -> Result<(), &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 19: ek len not 384 * K + 32");

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 19: dk len not 768 * K + 96");

    // 1: d ←− B^{32}    ▷ d is 32 random bytes (see Section 3.3)

    let mut d = [0u8; 32];

    rng.try_fill_bytes(&mut d).map_err(|_| "Alg 19: Random number generator failed for d")?;

    // 2: z ←− B^{32}    ▷ z is 32 random bytes (see Section 3.3)

    let mut z = [0u8; 32];

    rng.try_fill_bytes(&mut z).map_err(|_| "Alg 19: Random number generator failed for z")?;

    // 3: if 𝑑 == NULL or 𝑧 == NULL then

    // 4:   return ⊥    ▷ return an error indication if random bit generation failed

    // 5: end if

    // Note: the above functionality is present in the map_err() in step 1 and 2

    // 6: (ek, dk) ← ML-KEM.KeyGen_internal(𝑑, 𝑧)    ▷ run internal key generation algorithm

    ml_kem_key_gen_internal::<K, ETA1_64>(d, z, ek, dk);

    // 7: return (ek, dk)

    Ok(())

}

pub(crate) fn ml_kem_encaps<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    rng: &mut impl CryptoRngCore, du: u32, dv: u32, ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 20: ek len not 384 * K + 32"); // also: size check at top level

    debug_assert_eq!(

        ct.len(),

        32 * (du as usize * K + dv as usize),

        "Alg 20: ct len not 32*(DU*K+DV)"

    ); // also: size check at top level

    // modulus check: perform/confirm the computation ek ← ByteEncode12(ByteDecode12(ek_tilde).

    // Note: An *external* ek can only arrive via try_from_bytes() which does this validation already.

    // As such, this check is redundant but is left in for caution and as a fuzz target, as it is

    // removed in release builds anyway. It also supports quicker changes if the spec moves...

    debug_assert!(

        {

            let mut pass = true;

            for i in 0..K {

                let mut ek_tilde = [0u8; 384];

                let ek_hat = byte_decode(12, &ek[384 * i..384 * (i + 1)]).unwrap(); // btw, going to panic

                byte_encode(12, &ek_hat, &mut ek_tilde);

                pass &= ek_tilde == ek[384 * i..384 * (i + 1)];

            }

            pass

        },

        "Alg 20: ek fails modulus check"

    );

    // 1: m ← B^{32}          ▷ m is 32 random bytes (see Section 3.3)

    // 2: if 𝑚 == NULL then

    // 3:   return ⊥    ▷ return an error indication if random bit generation failed

    // 4: end if

    let mut m = [0u8; 32];

    rng.try_fill_bytes(&mut m).map_err(|_| "Alg 20: random number generator failed")?;

    let k = ml_kem_encaps_internal::<K, ETA1_64, ETA2_64>(du, dv, &m, ek, ct)?;

    Ok(k)

}

pub(crate) fn ml_kem_encaps<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    rng: &mut impl CryptoRngCore, du: u32, dv: u32, ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 20: ek len not 384 * K + 32"); // also: size check at top level

    debug_assert_eq!(

        ct.len(),

        32 * (du as usize * K + dv as usize),

        "Alg 20: ct len not 32*(DU*K+DV)"

    ); // also: size check at top level

    // modulus check: perform/confirm the computation ek ← ByteEncode12(ByteDecode12(ek_tilde).

    // Note: An *external* ek can only arrive via try_from_bytes() which does this validation already.

    // As such, this check is redundant but is left in for caution and as a fuzz target, as it is

    // removed in release builds anyway. It also supports quicker changes if the spec moves...

    debug_assert!(

        {

            let mut pass = true;

            for i in 0..K {

                let mut ek_tilde = [0u8; 384];

                let ek_hat = byte_decode(12, &ek[384 * i..384 * (i + 1)]).unwrap(); // btw, going to panic

                byte_encode(12, &ek_hat, &mut ek_tilde);

                pass &= ek_tilde == ek[384 * i..384 * (i + 1)];

            }

            pass

        },

        "Alg 20: ek fails modulus check"

    );

    // 1: m ← B^{32}          ▷ m is 32 random bytes (see Section 3.3)

    // 2: if 𝑚 == NULL then

    // 3:   return ⊥    ▷ return an error indication if random bit generation failed

    // 4: end if

    let mut m = [0u8; 32];

    rng.try_fill_bytes(&mut m).map_err(|_| "Alg 20: random number generator failed")?;

    let k = ml_kem_encaps_internal::<K, ETA1_64, ETA2_64>(du, dv, &m, ek, ct)?;

    Ok(k)

}

pub(crate) fn ml_kem_encaps<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    rng: &mut impl CryptoRngCore, du: u32, dv: u32, ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 20: ek len not 384 * K + 32"); // also: size check at top level

    debug_assert_eq!(

        ct.len(),

        32 * (du as usize * K + dv as usize),

        "Alg 20: ct len not 32*(DU*K+DV)"

    ); // also: size check at top level

    // modulus check: perform/confirm the computation ek ← ByteEncode12(ByteDecode12(ek_tilde).

    // Note: An *external* ek can only arrive via try_from_bytes() which does this validation already.

    // As such, this check is redundant but is left in for caution and as a fuzz target, as it is

    // removed in release builds anyway. It also supports quicker changes if the spec moves...

    debug_assert!(

        {

            let mut pass = true;

            for i in 0..K {

                let mut ek_tilde = [0u8; 384];

                let ek_hat = byte_decode(12, &ek[384 * i..384 * (i + 1)]).unwrap(); // btw, going to panic

                byte_encode(12, &ek_hat, &mut ek_tilde);

                pass &= ek_tilde == ek[384 * i..384 * (i + 1)];

            }

            pass

        },

        "Alg 20: ek fails modulus check"

    );

    // 1: m ← B^{32}          ▷ m is 32 random bytes (see Section 3.3)

    // 2: if 𝑚 == NULL then

    // 3:   return ⊥    ▷ return an error indication if random bit generation failed

    // 4: end if

    let mut m = [0u8; 32];

    rng.try_fill_bytes(&mut m).map_err(|_| "Alg 20: random number generator failed")?;

    let k = ml_kem_encaps_internal::<K, ETA1_64, ETA2_64>(du, dv, &m, ek, ct)?;

    Ok(k)

}

pub(crate) fn ml_kem_encaps<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    rng: &mut impl CryptoRngCore, du: u32, dv: u32, ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 20: ek len not 384 * K + 32"); // also: size check at top level

    debug_assert_eq!(

        ct.len(),

        32 * (du as usize * K + dv as usize),

        "Alg 20: ct len not 32*(DU*K+DV)"

    ); // also: size check at top level

    // modulus check: perform/confirm the computation ek ← ByteEncode12(ByteDecode12(ek_tilde).

    // Note: An *external* ek can only arrive via try_from_bytes() which does this validation already.

    // As such, this check is redundant but is left in for caution and as a fuzz target, as it is

    // removed in release builds anyway. It also supports quicker changes if the spec moves...

    debug_assert!(

        {

            let mut pass = true;

            for i in 0..K {

                let mut ek_tilde = [0u8; 384];

                let ek_hat = byte_decode(12, &ek[384 * i..384 * (i + 1)]).unwrap(); // btw, going to panic

                byte_encode(12, &ek_hat, &mut ek_tilde);

                pass &= ek_tilde == ek[384 * i..384 * (i + 1)];

            }

            pass

        },

        "Alg 20: ek fails modulus check"

    );

    // 1: m ← B^{32}          ▷ m is 32 random bytes (see Section 3.3)

    // 2: if 𝑚 == NULL then

    // 3:   return ⊥    ▷ return an error indication if random bit generation failed

    // 4: end if

    let mut m = [0u8; 32];

    rng.try_fill_bytes(&mut m).map_err(|_| "Alg 20: random number generator failed")?;

    let k = ml_kem_encaps_internal::<K, ETA1_64, ETA2_64>(du, dv, &m, ek, ct)?;

    Ok(k)

}

pub(crate) fn ml_kem_encaps<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    rng: &mut impl CryptoRngCore, du: u32, dv: u32, ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 20: ek len not 384 * K + 32"); // also: size check at top level

    debug_assert_eq!(

        ct.len(),

        32 * (du as usize * K + dv as usize),

        "Alg 20: ct len not 32*(DU*K+DV)"

    ); // also: size check at top level

    // modulus check: perform/confirm the computation ek ← ByteEncode12(ByteDecode12(ek_tilde).

    // Note: An *external* ek can only arrive via try_from_bytes() which does this validation already.

    // As such, this check is redundant but is left in for caution and as a fuzz target, as it is

    // removed in release builds anyway. It also supports quicker changes if the spec moves...

    debug_assert!(

        {

            let mut pass = true;

            for i in 0..K {

                let mut ek_tilde = [0u8; 384];

                let ek_hat = byte_decode(12, &ek[384 * i..384 * (i + 1)]).unwrap(); // btw, going to panic

                byte_encode(12, &ek_hat, &mut ek_tilde);

                pass &= ek_tilde == ek[384 * i..384 * (i + 1)];

            }

            pass

        },

        "Alg 20: ek fails modulus check"

    );

    // 1: m ← B^{32}          ▷ m is 32 random bytes (see Section 3.3)

    // 2: if 𝑚 == NULL then

    // 3:   return ⊥    ▷ return an error indication if random bit generation failed

    // 4: end if

    let mut m = [0u8; 32];

    rng.try_fill_bytes(&mut m).map_err(|_| "Alg 20: random number generator failed")?;

    let k = ml_kem_encaps_internal::<K, ETA1_64, ETA2_64>(du, dv, &m, ek, ct)?;

    Ok(k)

}

pub(crate) fn ml_kem_encaps<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    rng: &mut impl CryptoRngCore, du: u32, dv: u32, ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 20: ek len not 384 * K + 32"); // also: size check at top level

    debug_assert_eq!(

        ct.len(),

        32 * (du as usize * K + dv as usize),

        "Alg 20: ct len not 32*(DU*K+DV)"

    ); // also: size check at top level

    // modulus check: perform/confirm the computation ek ← ByteEncode12(ByteDecode12(ek_tilde).

    // Note: An *external* ek can only arrive via try_from_bytes() which does this validation already.

    // As such, this check is redundant but is left in for caution and as a fuzz target, as it is

    // removed in release builds anyway. It also supports quicker changes if the spec moves...

    debug_assert!(

        {

            let mut pass = true;

            for i in 0..K {

                let mut ek_tilde = [0u8; 384];

                let ek_hat = byte_decode(12, &ek[384 * i..384 * (i + 1)]).unwrap(); // btw, going to panic

                byte_encode(12, &ek_hat, &mut ek_tilde);

                pass &= ek_tilde == ek[384 * i..384 * (i + 1)];

            }

            pass

        },

        "Alg 20: ek fails modulus check"

    );

    // 1: m ← B^{32}          ▷ m is 32 random bytes (see Section 3.3)

    // 2: if 𝑚 == NULL then

    // 3:   return ⊥    ▷ return an error indication if random bit generation failed

    // 4: end if

    let mut m = [0u8; 32];

    rng.try_fill_bytes(&mut m).map_err(|_| "Alg 20: random number generator failed")?;

    let k = ml_kem_encaps_internal::<K, ETA1_64, ETA2_64>(du, dv, &m, ek, ct)?;

    Ok(k)

}

pub(crate) fn ml_kem_encaps<const K: usize, const ETA1_64: usize, const ETA2_64: usize>(

    rng: &mut impl CryptoRngCore, du: u32, dv: u32, ek: &[u8], ct: &mut [u8],

) -> Result<SharedSecretKey, &'static str> {

    debug_assert_eq!(ek.len(), 384 * K + 32, "Alg 20: ek len not 384 * K + 32"); // also: size check at top level

    debug_assert_eq!(

        ct.len(),

        32 * (du as usize * K + dv as usize),

        "Alg 20: ct len not 32*(DU*K+DV)"

    ); // also: size check at top level

    // modulus check: perform/confirm the computation ek ← ByteEncode12(ByteDecode12(ek_tilde).

    // Note: An *external* ek can only arrive via try_from_bytes() which does this validation already.

    // As such, this check is redundant but is left in for caution and as a fuzz target, as it is

    // removed in release builds anyway. It also supports quicker changes if the spec moves...

    debug_assert!(

        {

            let mut pass = true;

            for i in 0..K {

                let mut ek_tilde = [0u8; 384];

                let ek_hat = byte_decode(12, &ek[384 * i..384 * (i + 1)]).unwrap(); // btw, going to panic

                byte_encode(12, &ek_hat, &mut ek_tilde);

                pass &= ek_tilde == ek[384 * i..384 * (i + 1)];

            }

            pass

        },

        "Alg 20: ek fails modulus check"

    );

    // 1: m ← B^{32}          ▷ m is 32 random bytes (see Section 3.3)

    // 2: if 𝑚 == NULL then

    // 3:   return ⊥    ▷ return an error indication if random bit generation failed

    // 4: end if

    let mut m = [0u8; 32];

    rng.try_fill_bytes(&mut m).map_err(|_| "Alg 20: random number generator failed")?;

    let k = ml_kem_encaps_internal::<K, ETA1_64, ETA2_64>(du, dv, &m, ek, ct)?;

    Ok(k)

}

pub(crate) fn ml_kem_decaps<

    const K: usize,

    const ETA1_64: usize,

    const ETA2_64: usize,

    const J_LEN: usize,

    const CT_LEN: usize,

>(

    du: u32, dv: u32, dk: &[u8], ct: &[u8; CT_LEN],

) -> Result<SharedSecretKey, &'static str> {

    // Ciphertext type check

    debug_assert_eq!(ct.len(), 32 * (du as usize * K + dv as usize), "Alg 21: ct len not 32 * ...");

    // Decapsulation key type check

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 21: dk len not 768 ...");

    // Note: decaps key is either correctly sourced from KeyGen, or validated by try_from_bytes(). As

    // such, the two above checks are redundant but will be removed in release builds. The are left

    // here for A) caution, B) give guardrails for future changes

    // 1: 𝐾 ′ ← ML-KEM.Decaps_internal(dk, 𝑐)    ▷ run internal decapsulation algorithm

    // 2: return 𝐾 ′

    ml_kem_decaps_internal::<K, ETA1_64, ETA2_64, J_LEN, CT_LEN>(du, dv, dk, ct)

}

pub(crate) fn ml_kem_decaps<

    const K: usize,

    const ETA1_64: usize,

    const ETA2_64: usize,

    const J_LEN: usize,

    const CT_LEN: usize,

>(

    du: u32, dv: u32, dk: &[u8], ct: &[u8; CT_LEN],

) -> Result<SharedSecretKey, &'static str> {

    // Ciphertext type check

    debug_assert_eq!(ct.len(), 32 * (du as usize * K + dv as usize), "Alg 21: ct len not 32 * ...");

    // Decapsulation key type check

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 21: dk len not 768 ...");

    // Note: decaps key is either correctly sourced from KeyGen, or validated by try_from_bytes(). As

    // such, the two above checks are redundant but will be removed in release builds. The are left

    // here for A) caution, B) give guardrails for future changes

    // 1: 𝐾 ′ ← ML-KEM.Decaps_internal(dk, 𝑐)    ▷ run internal decapsulation algorithm

    // 2: return 𝐾 ′

    ml_kem_decaps_internal::<K, ETA1_64, ETA2_64, J_LEN, CT_LEN>(du, dv, dk, ct)

}

pub(crate) fn ml_kem_decaps<

    const K: usize,

    const ETA1_64: usize,

    const ETA2_64: usize,

    const J_LEN: usize,

    const CT_LEN: usize,

>(

    du: u32, dv: u32, dk: &[u8], ct: &[u8; CT_LEN],

) -> Result<SharedSecretKey, &'static str> {

    // Ciphertext type check

    debug_assert_eq!(ct.len(), 32 * (du as usize * K + dv as usize), "Alg 21: ct len not 32 * ...");

    // Decapsulation key type check

    debug_assert_eq!(dk.len(), 768 * K + 96, "Alg 21: dk len not 768 ...");

    // Note: decaps key is either correctly sourced from KeyGen, or validated by try_from_bytes(). As

    // such, the two above checks are redundant but will be removed in release builds. The are left

    // here for A) caution, B) give guardrails for future changes

    // 1: 𝐾 ′ ← ML-KEM.Decaps_internal(dk, 𝑐)    ▷ run internal decapsulation algorithm

    // 2: return 𝐾 ′

    ml_kem_decaps_internal::<K, ETA1_64, ETA2_64, J_LEN, CT_LEN>(du, dv, dk, ct)

}