lib-q-double-kem 0.0.6

PROVISIONAL double ML-KEM-768 encapsulation profile with constrained wire budget
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

//! Core MAUL-v1 double encapsulation operations.

use lib_q_ml_kem::{
    B32,
    Ciphertext,
    Decapsulate,
    Encapsulate,
    EncapsulateDeterministic,
    KemCore,
    MlKem768,
};
use lib_q_sha3::{
    Digest,
    Sha3_256,
};
use rand_core::{
    CryptoRng,
    Rng,
};
use subtle::ConstantTimeEq;
use zeroize::Zeroize;

use crate::error::DoubleKemError;
use crate::profile::{
    MAUL_HINT_BYTES,
    MAUL_WIRE_BODY_BYTES,
    MaulProfileV1,
};
use crate::wire::MaulEncapWire;

const DOMAIN_SECOND_MESSAGE: &[u8] = b"libq-double-kem-maul-v1-m2";
const DOMAIN_CK_FO_UPGRADE: &[u8] = b"libq-double-kem-maul-v1-kdf";

fn derive_second_message(body: &[u8; MAUL_WIRE_BODY_BYTES], hint: &[u8; MAUL_HINT_BYTES]) -> B32 {
    let mut hasher = Sha3_256::new();
    Digest::update(&mut hasher, DOMAIN_SECOND_MESSAGE);
    Digest::update(&mut hasher, hint);
    Digest::update(&mut hasher, body);
    let digest: [u8; 32] = hasher.finalize().into();
    digest.into_iter().collect()
}

fn body_to_ciphertext(body: &[u8; MAUL_WIRE_BODY_BYTES]) -> Ciphertext<MlKem768> {
    body.iter().copied().collect()
}

fn shared_key_to_array(shared: &lib_q_ml_kem::SharedKey<MlKem768>) -> [u8; 32] {
    let mut out = [0u8; 32];
    out.copy_from_slice(shared.as_ref());
    out
}

/// Upgrade two ML-KEM shared secrets with a domain-separated CK/FO KDF.
#[must_use]
pub fn ck_fo_upgrade(ss_a: &[u8; 32], ss_b: &[u8; 32]) -> [u8; 32] {
    let mut hasher = Sha3_256::new();
    Digest::update(&mut hasher, DOMAIN_CK_FO_UPGRADE);
    Digest::update(&mut hasher, ss_a);
    Digest::update(&mut hasher, ss_b);
    hasher.finalize().into()
}

/// Perform MAUL-v1 double encapsulation and return fixed-size wire payload plus upgraded secret.
pub fn double_encap<R: CryptoRng + Rng + ?Sized>(
    _profile: MaulProfileV1,
    ek_a: &<MlKem768 as KemCore>::EncapsulationKey,
    ek_b: &<MlKem768 as KemCore>::EncapsulationKey,
    rng: &mut R,
) -> Result<(MaulEncapWire, [u8; 32]), DoubleKemError> {
    let (ct_a, ss_a) = ek_a
        .encapsulate(rng)
        .map_err(|_| DoubleKemError::EncapsulationFailed)?;

    let mut hint = [0u8; MAUL_HINT_BYTES];
    rng.fill_bytes(&mut hint);

    let mut body = [0u8; MAUL_WIRE_BODY_BYTES];
    body.copy_from_slice(ct_a.as_ref());

    let m2 = derive_second_message(&body, &hint);
    let (_ct_b, ss_b) = ek_b
        .encapsulate_deterministic(&m2)
        .map_err(|_| DoubleKemError::EncapsulationFailed)?;

    let ss_a_arr = shared_key_to_array(&ss_a);
    let ss_b_arr = shared_key_to_array(&ss_b);
    let upgraded = ck_fo_upgrade(&ss_a_arr, &ss_b_arr);

    Ok((MaulEncapWire::from_parts(hint, body), upgraded))
}

/// Decapsulate MAUL-v1 wire payload and recover the upgraded shared secret.
pub fn double_decap(
    _profile: MaulProfileV1,
    wire: &MaulEncapWire,
    dk_a: &<MlKem768 as KemCore>::DecapsulationKey,
    dk_b: &<MlKem768 as KemCore>::DecapsulationKey,
) -> Result<[u8; 32], DoubleKemError> {
    let ct_a = body_to_ciphertext(&wire.body);
    let ss_a = dk_a
        .decapsulate(&ct_a)
        .map_err(|_| DoubleKemError::DecapsulationFailed)?;

    let m2 = derive_second_message(&wire.body, &wire.hint);
    let ek_b = dk_b.encapsulation_key();
    let (_ct_b, ss_b) = ek_b
        .encapsulate_deterministic(&m2)
        .map_err(|_| DoubleKemError::EncapsulationFailed)?;

    let mut ss_a_arr = shared_key_to_array(&ss_a);
    let mut ss_b_arr = shared_key_to_array(&ss_b);
    let upgraded = ck_fo_upgrade(&ss_a_arr, &ss_b_arr);

    ss_a_arr.zeroize();
    ss_b_arr.zeroize();

    let choice = upgraded.ct_eq(&upgraded);
    if bool::from(choice) {
        Ok(upgraded)
    } else {
        Err(DoubleKemError::InvalidWireEncoding)
    }
}