/*
* NEWHOPE Ring-LWE scheme
* Based on the public domain reference implementation by the
* designers (https://github.com/tpoeppelmann/newhope)
*
* Further changes
* (C) 2016 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#ifndef BOTAN_NEWHOPE_H_
#define BOTAN_NEWHOPE_H_

#include <botan/types.h>

namespace Botan {

class RandomNumberGenerator;

/*
* WARNING: This API is preliminary and will change
* Currently pubkey.h does not support a 2-phase KEM scheme of
* the sort NEWHOPE exports.
*
* The functions below form a three-step exchange (offer, accept, finish).
* Every buffer is passed as a raw pointer with no length argument, so the
* caller alone is responsible for supplying buffers of the sizes given in
* Newhope_Params; nothing in these signatures lets the callee detect a
* buffer that is too short.
*/

/**
* Polynomial with 1024 16-bit coefficients.
*
* This is the type of the secret key argument of newhope_keygen() and
* newhope_shareda(), so an instance may hold key material. The coefficient
* array is public and copying is not disabled; every copy a caller makes
* is another copy of that material.
*
* NOTE(review): the destructor is defined out of line; presumably it wipes
* coeffs - confirm in the implementation before relying on it.
*/
// TODO: change to just a secure_vector
class BOTAN_UNSTABLE_API newhope_poly final
   {
   public:
      uint16_t coeffs[1024];
      ~newhope_poly();
   };

/**
* Message and key sizes used by the functions below (byte counts, going by
* the names).
*
* NEWHOPE_SENDABYTES and NEWHOPE_OFFER_BYTES are the same value, as are
* NEWHOPE_SENDBBYTES and NEWHOPE_ACCEPT_BYTES.
*/
enum Newhope_Params
   {
   NEWHOPE_SENDABYTES = 1824, // equals NEWHOPE_POLY_BYTES + NEWHOPE_SEED_BYTES
   NEWHOPE_SENDBBYTES = 2048,

   NEWHOPE_OFFER_BYTES = 1824,
   NEWHOPE_ACCEPT_BYTES = 2048,
   NEWHOPE_SHARED_KEY_BYTES = 32,

   NEWHOPE_SEED_BYTES = 32,
   NEWHOPE_POLY_BYTES = 1792,

   // Each CECPQ1 size is the matching NewHope size plus 32; presumably the
   // extra 32 bytes are the x25519 part of the hybrid - TODO confirm.
   CECPQ1_OFFER_BYTES = NEWHOPE_OFFER_BYTES + 32,
   CECPQ1_ACCEPT_BYTES = NEWHOPE_ACCEPT_BYTES + 32,
   CECPQ1_SHARED_KEY_BYTES = NEWHOPE_SHARED_KEY_BYTES + 32
   };

/**
* This chooses the XOF + hash for NewHope
* The official NewHope specification and reference implementation use
* SHA-3 and SHAKE-128. BoringSSL instead uses SHA-256 and AES-128 in
* CTR mode. CECPQ1 (x25519+NewHope) always uses BoringSSL's mode
*
* NOTE(review): presumably both parties must pass the same mode to all
* three steps for the shared keys to agree - confirm.
*/
enum class Newhope_Mode
   {
   SHA3,
   BoringSSL
   };

/**
* Offer: first step of the exchange.
*
* @param send output buffer, declared as NEWHOPE_SENDABYTES bytes. An array
*        parameter decays to a pointer, so the compiler does not enforce
*        this bound; the caller must.
* @param sk secret polynomial; passed by non-const pointer, presumably
*        filled in here for later use by newhope_shareda() - confirm.
*        Treat it as key material.
* @param rng random number generator
*
* The last, unnamed parameter selects the XOF + hash and defaults to
* Newhope_Mode::SHA3.
*/
void BOTAN_PUBLIC_API(2,0) newhope_keygen(uint8_t send[NEWHOPE_SENDABYTES],
                                          newhope_poly* sk,
                                          RandomNumberGenerator& rng,
                                          Newhope_Mode = Newhope_Mode::SHA3);

/**
* Accept: second step of the exchange.
*
* @param sharedkey output buffer, declared as NEWHOPE_SHARED_KEY_BYTES bytes
* @param send output buffer with no declared bound; presumably
*        NEWHOPE_SENDBBYTES (NEWHOPE_ACCEPT_BYTES) bytes are written -
*        TODO confirm against the implementation
* @param received the peer's message; presumably NEWHOPE_SENDABYTES
*        (NEWHOPE_OFFER_BYTES) bytes are read - TODO confirm. No length is
*        passed, so the caller has to verify the received message's length
*        before calling.
* @param rng random number generator
* @param mode XOF + hash selection
*/
void BOTAN_PUBLIC_API(2,0) newhope_sharedb(uint8_t sharedkey[NEWHOPE_SHARED_KEY_BYTES],
                                           uint8_t send[],
                                           const uint8_t* received,
                                           RandomNumberGenerator& rng,
                                           Newhope_Mode mode = Newhope_Mode::SHA3);

/**
* Finish: third step of the exchange.
*
* @param sharedkey output buffer, declared as NEWHOPE_SHARED_KEY_BYTES bytes
* @param ska secret polynomial, read only; presumably the one set up by
*        newhope_keygen() - confirm
* @param received the peer's message; presumably NEWHOPE_SENDBBYTES
*        (NEWHOPE_ACCEPT_BYTES) bytes are read - TODO confirm. No length is
*        passed, so the caller has to verify the received message's length
*        before calling.
* @param mode XOF + hash selection
*/
void BOTAN_PUBLIC_API(2,0) newhope_shareda(uint8_t sharedkey[NEWHOPE_SHARED_KEY_BYTES],
                                           const newhope_poly* ska,
                                           const uint8_t* received,
                                           Newhope_Mode mode = Newhope_Mode::SHA3);

}

#endif