[PATCH] Add Streamlined NTRU Prime sntrup761.

Simon Josefsson simon at josefsson.org
Fri May 19 23:52:00 CEST 2023

Stephan Mueller <smueller at chronox.de> writes:

>> gcry_error_t gcry_kem_enc (int algo,
>> 			   const void *pubkey,
>> 			   void *ciphertext,
>> 			   void *ss);
> May I suggest to add another parameter: size_t ss_len which shall specify the 
> caller-requested size of ss?

Is that to support variable-length outputs?  Or just to indicate the
buffer size?  Does kyber or some other popular KEM supports
variable-length outputs?

>> gcry_error_t gcry_kem_dec (int algo,
>> 			   const void *ciphertext,
>> 			   const void *seckey,
>> 			   void *ss);
> Same here.
> Kyber uses a KDF as the last step. I am aware of the fact that the Kyber 
> reference implementation returns 32 bytes statically. However, considering the 
> use of a true KDF which has the property of a pseudorandom behavior (either 
> SHAKE256 or AES-CTR is used), the KDF can produce arbitrary amounts of data. 
> By specifying an ss_len parameter, the caller can directly request the data 
> that may be needed as a key/IV/mac Key or similar for subsequent cipher 
> operations.

What does the specification says?  Is kyber specified as a
variable-length output, or output of 32 bytes?

One approach is to have another API for that use-case:

gcry_error_t gcry_kem_enc_kdf (int algo,
			      const void *pubkey,
			      void *ciphertext,
			      size_t sslen, void *ss);
gcry_error_t gcry_kem_dec_kdf (int algo,
			       const void *ciphertext,
			       const void *seckey,
			       size_t sslen, void *ss);

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 255 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20230519/98a7be83/attachment.sig>

More information about the Gcrypt-devel mailing list