[PATCH] Add Streamlined NTRU Prime sntrup761.
Simon Josefsson
simon at josefsson.org
Fri May 19 23:52:00 CEST 2023
Stephan Mueller <smueller at chronox.de> writes:
>> gcry_error_t gcry_kem_enc (int algo,
>>                            const void *pubkey,
>>                            void *ciphertext,
>>                            void *ss);
>
> May I suggest to add another parameter: size_t ss_len which shall specify the
> caller-requested size of ss?
Is that to support variable-length outputs? Or just to indicate the
buffer size? Does kyber or some other popular KEM support
variable-length outputs?
>> gcry_error_t gcry_kem_dec (int algo,
>>                            const void *ciphertext,
>>                            const void *seckey,
>>                            void *ss);
>
> Same here.
>
> Kyber uses a KDF as the last step. I am aware of the fact that the Kyber
> reference implementation returns 32 bytes statically. However, considering the
> use of a true KDF which has the property of a pseudorandom behavior (either
> SHAKE256 or AES-CTR is used), the KDF can produce arbitrary amounts of data.
> By specifying an ss_len parameter, the caller can directly request the data
> that may be needed as a key/IV/mac Key or similar for subsequent cipher
> operations.
What does the specification say? Is kyber specified as a
variable-length output, or output of 32 bytes?
One approach is to have another API for that use-case:
gcry_error_t gcry_kem_enc_kdf (int algo,
                               const void *pubkey,
                               void *ciphertext,
                               size_t sslen, void *ss);

gcry_error_t gcry_kem_dec_kdf (int algo,
                               const void *ciphertext,
                               const void *seckey,
                               size_t sslen, void *ss);
/Simon
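The two API shapes discussed in this thread, a fixed 32-byte shared secret versus a KDF-expanded output of caller-chosen length, side by side. This is an added example, not part of the thread and not libgcrypt code: the KEM underneath is a constructed, insecure Diffie-Hellman-style toy (assumed modulus `P`, generator `G`) that exists only so the enc/dec and enc_kdf/dec_kdf pairs can be run end to end; the function names `kem_enc`, `kem_dec`, `kem_enc_kdf`, `kem_dec_kdf` and `kem_kdf` are placeholders for the proposed C prototypes. The expansion step follows the shape the thread attributes to Kyber (SHAKE256 over the secret and a hash of the ciphertext); mixing in the requested length and a label is this example's own choice.

```python
import hashlib
import secrets

# Constructed toy KEM for illustration: a Diffie-Hellman-style KEM over a
# small prime field. It is NOT a secure KEM and NOT libgcrypt code; it only
# exists so the API shape discussed in the thread can be exercised end to end.
P = 2**255 - 19          # toy modulus (assumption: chosen only for illustration)
G = 2                    # toy generator
SS_LEN = 32              # fixed-length shared secret, as the Kyber reference returns


def kem_keygen():
    """Return (pubkey, seckey) for the toy KEM."""
    sk = secrets.randbelow(P - 2) + 1
    pk = pow(G, sk, P)
    return pk, sk


def _fixed_ss(shared: int, ct: int) -> bytes:
    # Bind the raw group element to the ciphertext and hash down to 32 bytes.
    h = hashlib.sha3_256()
    h.update(shared.to_bytes(32, "big"))
    h.update(ct.to_bytes(32, "big"))
    return h.digest()


def kem_enc(pk: int):
    """Fixed-length API: returns (ciphertext, 32-byte shared secret)."""
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P)
    return ct, _fixed_ss(pow(pk, r, P), ct)


def kem_dec(ct: int, sk: int) -> bytes:
    """Fixed-length API: recover the same 32-byte shared secret from ct and seckey."""
    return _fixed_ss(pow(ct, sk, P), ct)


def kem_kdf(ss: bytes, ct: int, ss_len: int, context: bytes = b"") -> bytes:
    """Expand a fixed-length shared secret to ss_len bytes with SHAKE256.

    Mirrors the shape the thread describes for Kyber (SHAKE256 over the secret
    and a hash of the ciphertext). The requested length and a label are mixed
    in as well so that outputs of different lengths are not prefixes of one
    another; that is a design choice of this example, not something the
    thread specifies.
    """
    if ss_len < 1:
        raise ValueError("ss_len must be positive")
    h = hashlib.shake_256()
    h.update(b"toy-kem-kdf-v1")
    h.update(ss_len.to_bytes(4, "big"))
    h.update(ss)
    h.update(hashlib.sha3_256(ct.to_bytes(32, "big")).digest())
    h.update(context)
    return h.digest(ss_len)


def kem_enc_kdf(pk: int, ss_len: int, context: bytes = b""):
    """Variable-length API: (ciphertext, ss_len bytes of key material)."""
    ct, ss = kem_enc(pk)
    return ct, kem_kdf(ss, ct, ss_len, context)


def kem_dec_kdf(ct: int, sk: int, ss_len: int, context: bytes = b"") -> bytes:
    """Variable-length API: derive the same ss_len bytes on the decapsulating side."""
    return kem_kdf(kem_dec(ct, sk), ct, ss_len, context)


if __name__ == "__main__":
    pk, sk = kem_keygen()
    ct, ss = kem_enc(pk)
    assert kem_dec(ct, sk) == ss and len(ss) == SS_LEN
    # One encapsulation feeding an AEAD key, an IV and a MAC key (48 bytes total).
    ct2, keymat = kem_enc_kdf(pk, 48, b"aead+iv+mac")
    assert kem_dec_kdf(ct2, sk, 48, b"aead+iv+mac") == keymat
    print("fixed ss:", ss.hex())
    print("48-byte key material:", keymat.hex())
```

Keeping `kem_enc`/`kem_dec` fixed-length and layering `kem_kdf` on top is the split Simon proposes with a separate `_kdf` API: the base primitive stays exactly what the KEM specification defines (32 bytes), and callers who need key, IV and MAC material in one go ask the KDF layer for `ss_len` bytes instead of having the core API grow a length parameter whose semantics differ between KEMs.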