1 /*
2 * NEWHOPE Ring-LWE scheme
3 * Based on the public domain reference implementation by the
4 * designers (https://github.com/tpoeppelmann/newhope)
5 *
6 * Further changes
7 * (C) 2016 Jack Lloyd
8 *
9 * Botan is released under the Simplified BSD License (see license.txt)
10 */
11 
12 #ifndef BOTAN_NEWHOPE_H_
13 #define BOTAN_NEWHOPE_H_
14 
15 #include <botan/types.h>
16 
17 namespace Botan {
18 
19 class RandomNumberGenerator;
20 
21 /*
22 * WARNING: This API is preliminary and will change
23 * Currently pubkey.h does not support a 2-phase KEM scheme of
24 * the sort NEWHOPE exports.
25 */
26 
27 // TODO: change to just a secure_vector
28 class BOTAN_UNSTABLE_API newhope_poly final
29    {
30    public:
31       uint16_t coeffs[1024];
32       ~newhope_poly();
33    };
34 
35 enum Newhope_Params
36    {
37    NEWHOPE_SENDABYTES = 1824,
38    NEWHOPE_SENDBBYTES = 2048,
39 
40    NEWHOPE_OFFER_BYTES  = 1824,
41    NEWHOPE_ACCEPT_BYTES = 2048,
42    NEWHOPE_SHARED_KEY_BYTES = 32,
43 
44    NEWHOPE_SEED_BYTES = 32,
45    NEWHOPE_POLY_BYTES = 1792,
46 
47    CECPQ1_OFFER_BYTES   = NEWHOPE_OFFER_BYTES + 32,
48    CECPQ1_ACCEPT_BYTES  = NEWHOPE_ACCEPT_BYTES + 32,
49    CECPQ1_SHARED_KEY_BYTES = NEWHOPE_SHARED_KEY_BYTES + 32
50    };
51 
52 /**
53 * This chooses the XOF + hash for NewHope
54 * The official NewHope specification and reference implementation use
55 * SHA-3 and SHAKE-128. BoringSSL instead uses SHA-256 and AES-128 in
56 * CTR mode. CECPQ1 (x25519+NewHope) always uses BoringSSL's mode
57 */
58 enum class Newhope_Mode
59    {
60    SHA3,
61    BoringSSL
62    };
63 
64 // offer
65 void BOTAN_PUBLIC_API(2,0) newhope_keygen(uint8_t send[NEWHOPE_SENDABYTES],
66                               newhope_poly* sk,
67                               RandomNumberGenerator& rng,
68                               Newhope_Mode = Newhope_Mode::SHA3);
69 
70 // accept
71 void BOTAN_PUBLIC_API(2,0) newhope_sharedb(uint8_t sharedkey[NEWHOPE_SHARED_KEY_BYTES],
72                                uint8_t send[],
73                                const uint8_t* received,
74                                RandomNumberGenerator& rng,
75                                Newhope_Mode mode = Newhope_Mode::SHA3);
76 
77 // finish
78 void BOTAN_PUBLIC_API(2,0) newhope_shareda(uint8_t sharedkey[NEWHOPE_SHARED_KEY_BYTES],
79                                const newhope_poly* ska,
80                                const uint8_t* received,
81                                Newhope_Mode mode = Newhope_Mode::SHA3);
82 
83 }
84 
85 #endif
86