23225340130

Committed 18 Mar 2026 01:53AM UTC coverage: 89.677% (-0.001%) from 89.678%

Build # 23225340130

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #5456 from randombit/jack/clang-tidy-22

Fix various warnings from clang-tidy 22

Run Details

104438 of 116460 relevant lines covered (89.68%)

11819947.55 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

93.19

/src/tests/test_kyber.cpp

/*
 * Tests for Crystals Kyber
 * - simple roundtrip test
 * - KAT tests using the KAT vectors from
 *   https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/submissions/Kyber-Round3.zip
 *
 * (C) 2021-2024 Jack Lloyd
 * (C) 2021-2022 Manuel Glaser and Michael Boric, Rohde & Schwarz Cybersecurity
 * (C) 2021-2022 René Meusel and Hannes Rantzsch, neXenio GmbH
 * (C) 2023-2024 René Meusel, Rohde & Schwarz Cybersecurity
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */

#include "test_pubkey_pqc.h"
#include "test_rng.h"
#include "tests.h"

#include <iterator>
#include <memory>

#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S) || defined(BOTAN_HAS_ML_KEM)
   #include "test_pubkey.h"
   #include <botan/hex.h>
   #include <botan/kyber.h>
   #include <botan/pubkey.h>
   #include <botan/rng.h>
   #include <botan/internal/concat_util.h>
   #include <botan/internal/fmt.h>
   #include <botan/internal/kyber_constants.h>
   #include <botan/internal/kyber_helpers.h>
#endif

namespace Botan_Tests {

namespace {

#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S) || defined(BOTAN_HAS_ML_KEM)

class KYBER_Tests final : public Test {
   public:
      static Test::Result run_kyber_test(const char* test_name, Botan::KyberMode mode, size_t strength, size_t psid) {
         Test::Result result(test_name);

         if(!mode.is_available()) {
            result.note_missing(mode.to_string());
            return result;
         }

         auto rng = Test::new_rng(test_name);

         const std::vector<uint8_t> empty_salt;

         // Alice
         const Botan::Kyber_PrivateKey priv_key(*rng, mode);
         const auto pub_key = priv_key.public_key();

         result.test_sz_eq("estimated strength private", priv_key.estimated_strength(), strength);
         result.test_sz_eq("estimated strength public", pub_key->estimated_strength(), strength);
         result.test_sz_eq("canonical parameter set identifier", priv_key.key_length(), psid);
         result.test_sz_eq("canonical parameter set identifier", pub_key->key_length(), psid);

         // Serialize
         const auto priv_key_bits = priv_key.private_key_bits();
         const auto pub_key_bits = pub_key->public_key_bits();

         // Bob (reading from serialized public key)
         const Botan::Kyber_PublicKey alice_pub_key(pub_key_bits, mode);
         auto enc = Botan::PK_KEM_Encryptor(alice_pub_key, "Raw", "base");
         const auto kem_result = enc.encrypt(*rng);

         // Alice (reading from serialized private key)
         const Botan::Kyber_PrivateKey alice_priv_key(priv_key_bits, mode);
         auto dec = Botan::PK_KEM_Decryptor(alice_priv_key, *rng, "Raw", "base");
         const auto key_alice = dec.decrypt(kem_result.encapsulated_shared_key(), 0 /* no KDF */, empty_salt);
         result.test_bin_eq("shared secrets are equal", key_alice, kem_result.shared_key());

         //
         // negative tests
         //

         // Broken cipher_text from Alice (wrong length)
         result.test_throws("fail to read cipher_text", "Kyber: unexpected ciphertext length", [&] {
            auto short_cipher_text = kem_result.encapsulated_shared_key();
            short_cipher_text.pop_back();
            dec.decrypt(short_cipher_text, 0, empty_salt);
         });

         // Invalid cipher_text from Alice
         Botan::secure_vector<uint8_t> reverse_cipher_text;
         std::copy(kem_result.encapsulated_shared_key().crbegin(),
                   kem_result.encapsulated_shared_key().crend(),
                   std::back_inserter(reverse_cipher_text));
         const auto key_alice_rev = dec.decrypt(reverse_cipher_text, 0, empty_salt);
         result.test_is_true("shared secrets are not equal", key_alice != key_alice_rev);

         // Try to decrypt the valid ciphertext again
         const auto key_alice_try2 = dec.decrypt(kem_result.encapsulated_shared_key(), 0 /* no KDF */, empty_salt);
         result.test_bin_eq("shared secrets are equal", key_alice_try2, kem_result.shared_key());

         return result;
      }

      std::vector<Test::Result> run() override {
         return {
            run_kyber_test("Kyber512_90s API", Botan::KyberMode::Kyber512_90s, 128, 512),
            run_kyber_test("Kyber768_90s API", Botan::KyberMode::Kyber768_90s, 192, 768),
            run_kyber_test("Kyber1024_90s API", Botan::KyberMode::Kyber1024_90s, 256, 1024),
            run_kyber_test("Kyber512 API", Botan::KyberMode::Kyber512_R3, 128, 512),
            run_kyber_test("Kyber768 API", Botan::KyberMode::Kyber768_R3, 192, 768),
            run_kyber_test("Kyber1024 API", Botan::KyberMode::Kyber1024_R3, 256, 1024),
            run_kyber_test("ML-KEM-512 API", Botan::KyberMode::ML_KEM_512, 128, 512),
            run_kyber_test("ML-KEM-768 API", Botan::KyberMode::ML_KEM_768, 192, 768),
            run_kyber_test("ML-KEM-1024 API", Botan::KyberMode::ML_KEM_1024, 256, 1024),
         };
      }
};

BOTAN_REGISTER_TEST("pubkey", "kyber_pairwise", KYBER_Tests);

namespace {

class Kyber_KAT_Tests : public PK_PQC_KEM_KAT_Test {
   protected:
      Kyber_KAT_Tests(const std::string& algo_name,
                      const std::string& kat_file,
                      const std::string& further_optional_keys = "") :
            PK_PQC_KEM_KAT_Test(algo_name, kat_file, further_optional_keys) {}

   private:
      Botan::KyberMode get_mode(const std::string& mode) const { return Botan::KyberMode(mode); }

      bool is_available(const std::string& mode) const final { return get_mode(mode).is_available(); }

      std::vector<uint8_t> map_value(const std::string& mode,
                                     std::span<const uint8_t> value,
                                     VarType var_type) const final {
         if(var_type == VarType::SharedSecret) {
            return {value.begin(), value.end()};
         }

         // We use different hash functions for Kyber 90s, as those are
         // consistent with the algorithm requirements of the implementations.
         const std::string_view hash_name = get_mode(mode).is_90s() ? "SHA-256" : "SHAKE-256(128)";

         auto hash = Botan::HashFunction::create_or_throw(hash_name);
         const auto digest = hash->process(value);
         return {digest.begin(), digest.begin() + 16};
      }

      Fixed_Output_RNG rng_for_keygen(const std::string& mode, Botan::RandomNumberGenerator& rng) const final {
         if(get_mode(mode).is_kyber_round3()) {
            const auto seed = rng.random_vec(32);
            const auto z = rng.random_vec(32);
            return Fixed_Output_RNG(Botan::concat(seed, z));
         } else if(get_mode(mode).is_ml_kem()) {
            const auto z = rng.random_vec(32);
            const auto d = rng.random_vec(32);
            return Fixed_Output_RNG(Botan::concat(d, z));
         } else {
            return Fixed_Output_RNG(rng.random_vec(64));
         }
      }

      Fixed_Output_RNG rng_for_encapsulation(const std::string& /*mode*/,
                                             Botan::RandomNumberGenerator& rng) const final {
         return Fixed_Output_RNG(rng.random_vec(32));
      }
};

class KyberR3_KAT_Tests : public Kyber_KAT_Tests {
   public:
      KyberR3_KAT_Tests() : Kyber_KAT_Tests("Kyber", "pubkey/kyber_kat.vec") {}
};

class ML_KEM_KAT_Tests : public Kyber_KAT_Tests {
   public:
      ML_KEM_KAT_Tests() : Kyber_KAT_Tests("ML-KEM", "pubkey/ml_kem.vec", "CT_N,SS_N") {}
};

class ML_KEM_ACVP_KAT_KeyGen_Tests : public PK_PQC_KEM_ACVP_KAT_KeyGen_Test {
   public:
      ML_KEM_ACVP_KAT_KeyGen_Tests() :
            PK_PQC_KEM_ACVP_KAT_KeyGen_Test("ML-KEM", "pubkey/ml_kem_acvp_keygen.vec", "Z,D") {}

   private:
      Botan::KyberMode get_mode(const std::string& mode) const { return Botan::KyberMode(mode); }

      bool is_available(const std::string& mode) const final { return get_mode(mode).is_available(); }

      Fixed_Output_RNG rng_for_keygen(const VarMap& vars) const override {
         const auto d = vars.get_req_bin("D");
         const auto z = vars.get_req_bin("Z");
         return Fixed_Output_RNG(Botan::concat(d, z));
      }
};

class ML_KEM_PQC_KEM_ACVP_KAT_Encap_Test : public PK_PQC_KEM_ACVP_KAT_Encap_Test {
   public:
      ML_KEM_PQC_KEM_ACVP_KAT_Encap_Test() : PK_PQC_KEM_ACVP_KAT_Encap_Test("ML-KEM", "pubkey/ml_kem_acvp_encap.vec") {}

   private:
      Botan::KyberMode get_mode(const std::string& mode) const { return Botan::KyberMode(mode); }

      bool is_available(const std::string& mode) const final { return get_mode(mode).is_available(); }

      std::unique_ptr<Botan::Public_Key> load_public_key(const VarMap& vars, const std::string& mode) const final {
         return std::make_unique<Botan::Kyber_PublicKey>(vars.get_req_bin("EK"), get_mode(mode));
      }
};

}  // namespace

BOTAN_REGISTER_TEST("pubkey", "kyber_kat", KyberR3_KAT_Tests);
BOTAN_REGISTER_TEST("pubkey", "ml_kem_kat", ML_KEM_KAT_Tests);
BOTAN_REGISTER_TEST("pubkey", "ml_kem_acvp_kat_keygen", ML_KEM_ACVP_KAT_KeyGen_Tests);
BOTAN_REGISTER_TEST("pubkey", "ml_kem_acvp_kat_encap", ML_KEM_PQC_KEM_ACVP_KAT_Encap_Test);

// Currently we cannot use the ACVP decapsulation tests because they do not
// provide the private key's seed values.
//BOTAN_REGISTER_TEST("pubkey", "ml_kem_acvp_kat_decap", ML_KEM_PQC_KEM_ACVP_KAT_Decap_Test);

class Kyber_Encoding_Test : public Text_Based_Test {
   public:
      Kyber_Encoding_Test() : Text_Based_Test("pubkey/kyber_encodings.vec", "PrivateRaw,PublicRaw", "Error") {}

   public:
      bool skip_this_test(const std::string& algo_name, const VarMap& /*vars*/) override {
         return !Botan::KyberMode(algo_name).is_available();
      }

      Test::Result run_one_test(const std::string& algo_name, const VarMap& vars) override {
         Test::Result result("kyber_encodings");

         const auto mode = Botan::KyberMode(algo_name);
         const auto pk_raw = Botan::hex_decode(vars.get_req_str("PublicRaw"));
         const auto sk_raw = Botan::hex_decode_locked(vars.get_req_str("PrivateRaw"));
         const auto error = vars.get_opt_str("Error", "");

         if(!error.empty()) {
            // negative tests

            result.test_throws("failing decoding", error, [&] {
               if(!sk_raw.empty()) {
                  Botan::Kyber_PrivateKey(sk_raw, mode);
               }
               if(!pk_raw.empty()) {
                  Botan::Kyber_PublicKey(pk_raw, mode);
               }
            });

            return result;
         } else {
            const auto skr = std::make_unique<Botan::Kyber_PrivateKey>(sk_raw, mode);
            const auto pkr = std::make_unique<Botan::Kyber_PublicKey>(pk_raw, mode);

            result.test_bin_eq("sk's encoding of pk", skr->public_key_bits(), pk_raw);
            result.test_bin_eq("sk's encoding of sk", skr->private_key_bits(), sk_raw);
            result.test_bin_eq("pk's encoding of pk", pkr->public_key_bits(), pk_raw);

            // expanded vs seed encoding
            if(skr->private_key_format() == Botan::MlPrivateKeyFormat::Seed) {
               result.test_bin_eq("sk's seed encoding of sk",
                                  skr->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Seed),
                                  sk_raw);
               const auto skr_expanded = std::make_unique<Botan::Kyber_PrivateKey>(
                  skr->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Expanded), mode);
               result.test_bin_eq("sk's expanded encoding consistency",
                                  skr->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Expanded),
                                  skr_expanded->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Expanded));
               result.test_throws<Botan::Encoding_Error>("expect no seed in expanded sk", [&] {
                  skr_expanded->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Seed);
               });

               const auto encapsulation = Botan::PK_KEM_Encryptor(*pkr, "Raw").encrypt(rng());
               result.test_bin_eq(
                  "expanded sk decapsulation",
                  Botan::PK_KEM_Decryptor(*skr_expanded, rng(), "Raw").decrypt(encapsulation.encapsulated_shared_key()),
                  encapsulation.shared_key());

            } else {
               result.test_bin_eq("sk's expanded encoding of sk",
                                  skr->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Expanded),
                                  sk_raw);
            }
         }

         return result;
      }
};

BOTAN_REGISTER_TEST("pubkey", "kyber_encodings", Kyber_Encoding_Test);

class Kyber_Keygen_Tests final : public PK_Key_Generation_Test {
   public:
      std::vector<std::string> keygen_params() const override {
         return {
   #if defined(BOTAN_HAS_KYBER_90S)
            "Kyber-512-90s-r3", "Kyber-768-90s-r3", "Kyber-1024-90s-r3",
   #endif
   #if defined(BOTAN_HAS_KYBER)
               "Kyber-512-r3", "Kyber-768-r3", "Kyber-1024-r3",
   #endif
   #if defined(BOTAN_HAS_ML_KEM)
               "ML-KEM-512", "ML-KEM-768", "ML-KEM-1024",
   #endif
         };
      }

      std::string algo_name(std::string_view param) const override {
         if(param.starts_with("Kyber-")) {
            return "Kyber";
         } else {
            return "ML-KEM";
         }
      }

      std::string algo_name() const override { throw Test_Error("No default algo name set for Kyber"); }

      std::unique_ptr<Botan::Public_Key> public_key_from_raw(std::string_view keygen_params,
                                                             std::string_view /* provider */,
                                                             std::span<const uint8_t> raw_pk) const override {
         return std::make_unique<Botan::Kyber_PublicKey>(raw_pk, Botan::KyberMode(keygen_params));
      }
};

BOTAN_REGISTER_TEST("pubkey", "kyber_keygen", Kyber_Keygen_Tests);

namespace {

template <size_t d>
void test_compress(Test::Result& res) {
   using namespace Botan;
   constexpr auto q = KyberConstants::Q;

   res.start_timer();

   for(uint16_t x = 0; x < q; ++x) {
      const uint32_t c = Kyber_Algos::compress<d>(x);
      constexpr auto twotothed = (uint32_t(1) << d);
      const auto e = ((twotothed * x + (q / 2)) / q) % twotothed;

      if(c != e) {
         res.test_failure(fmt("compress<{}>({}) = {}; expected {}", d, x, c, e));
         return;
      }
   }

   res.end_timer();
   res.test_success();
}

template <size_t d>
void test_decompress(Test::Result& result) {
   using namespace Botan;
   constexpr auto q = KyberConstants::Q;

   result.start_timer();

   using from_t = std::conditional_t<d <= 8, uint8_t, uint16_t>;
   const from_t twotothed = static_cast<from_t>(from_t(1) << d);

   for(from_t y = 0; y < twotothed; ++y) {
      const uint32_t c = Kyber_Algos::decompress<d>(y);
      const uint32_t e = (q * y + (twotothed / 2)) / twotothed;

      if(c != e) {
         result.test_failure(fmt("decompress<{}>({}) = {}; expected {}", d, static_cast<uint16_t>(y), c, e));
         return;
      }
   }

   result.end_timer();
   result.test_success();
}

template <size_t d>
void test_compress_roundtrip(Test::Result& result) {
   using namespace Botan;
   constexpr auto q = KyberConstants::Q;

   result.start_timer();

   // NOLINTNEXTLINE(*-redundant-expression)
   for(uint16_t x = 0; x < q && x < (1 << d); ++x) {
      const uint16_t c = Kyber_Algos::compress<d>(Kyber_Algos::decompress<d>(x));
      if(x != c) {
         result.test_failure(fmt("compress<{}>(decompress<{}>({})) != {}", d, d, x, c));
         return;
      }
   }

   result.end_timer();
   result.test_success();
}

std::vector<Test::Result> test_kyber_helpers() {
   return {
      Botan_Tests::CHECK("compress<1>", [](Test::Result& res) { test_compress<1>(res); }),
      Botan_Tests::CHECK("compress<4>", [](Test::Result& res) { test_compress<4>(res); }),
      Botan_Tests::CHECK("compress<5>", [](Test::Result& res) { test_compress<5>(res); }),
      Botan_Tests::CHECK("compress<10>", [](Test::Result& res) { test_compress<10>(res); }),
      Botan_Tests::CHECK("compress<11>", [](Test::Result& res) { test_compress<11>(res); }),

      Botan_Tests::CHECK("decompress<1>", [](Test::Result& res) { test_decompress<1>(res); }),
      Botan_Tests::CHECK("decompress<4>", [](Test::Result& res) { test_decompress<4>(res); }),
      Botan_Tests::CHECK("decompress<5>", [](Test::Result& res) { test_decompress<5>(res); }),
      Botan_Tests::CHECK("decompress<10>", [](Test::Result& res) { test_decompress<10>(res); }),
      Botan_Tests::CHECK("decompress<11>", [](Test::Result& res) { test_decompress<11>(res); }),

      Botan_Tests::CHECK("compress<1>(decompress())", [](Test::Result& res) { test_compress_roundtrip<1>(res); }),
      Botan_Tests::CHECK("compress<4>(decompress())", [](Test::Result& res) { test_compress_roundtrip<4>(res); }),
      Botan_Tests::CHECK("compress<5>(decompress())", [](Test::Result& res) { test_compress_roundtrip<5>(res); }),
      Botan_Tests::CHECK("compress<10>(decompress())>", [](Test::Result& res) { test_compress_roundtrip<10>(res); }),
      Botan_Tests::CHECK("compress<11>(decompress())>", [](Test::Result& res) { test_compress_roundtrip<11>(res); }),
   };
}

}  // namespace

BOTAN_REGISTER_TEST_FN("pubkey", "kyber_helpers", test_kyber_helpers);

#endif

}  // namespace

}  // namespace Botan_Tests

1	/*
2	* Tests for Crystals Kyber
3	* - simple roundtrip test
4	* - KAT tests using the KAT vectors from
5	* https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/submissions/Kyber-Round3.zip
6	*
7	* (C) 2021-2024 Jack Lloyd
8	* (C) 2021-2022 Manuel Glaser and Michael Boric, Rohde & Schwarz Cybersecurity
9	* (C) 2021-2022 René Meusel and Hannes Rantzsch, neXenio GmbH
10	* (C) 2023-2024 René Meusel, Rohde & Schwarz Cybersecurity
11	*
12	* Botan is released under the Simplified BSD License (see license.txt)
13	*/
14
15	#include "test_pubkey_pqc.h"
16	#include "test_rng.h"
17	#include "tests.h"
18
19	#include <iterator>
20	#include <memory>
21
22	#if defined(BOTAN_HAS_KYBER) \|\| defined(BOTAN_HAS_KYBER_90S) \|\| defined(BOTAN_HAS_ML_KEM)
23	#include "test_pubkey.h"
24	#include <botan/hex.h>
25	#include <botan/kyber.h>
26	#include <botan/pubkey.h>
27	#include <botan/rng.h>
28	#include <botan/internal/concat_util.h>
29	#include <botan/internal/fmt.h>
30	#include <botan/internal/kyber_constants.h>
31	#include <botan/internal/kyber_helpers.h>
32	#endif
33
34	namespace Botan_Tests {
35
36	namespace {
37
38	#if defined(BOTAN_HAS_KYBER) \|\| defined(BOTAN_HAS_KYBER_90S) \|\| defined(BOTAN_HAS_ML_KEM)
39
40	class KYBER_Tests final : public Test {	1✔
41	public:
42	static Test::Result run_kyber_test(const char* test_name, Botan::KyberMode mode, size_t strength, size_t psid) {	9✔
43	Test::Result result(test_name);	9✔
44
45	if(!mode.is_available()) {	9✔
46	result.note_missing(mode.to_string());	×
47	return result;	×
48	}
49
50	auto rng = Test::new_rng(test_name);	9✔
51
52	const std::vector<uint8_t> empty_salt;	9✔
53
54	// Alice
55	const Botan::Kyber_PrivateKey priv_key(*rng, mode);	9✔
56	const auto pub_key = priv_key.public_key();	9✔
57
58	result.test_sz_eq("estimated strength private", priv_key.estimated_strength(), strength);	9✔
59	result.test_sz_eq("estimated strength public", pub_key->estimated_strength(), strength);	9✔
60	result.test_sz_eq("canonical parameter set identifier", priv_key.key_length(), psid);	9✔
61	result.test_sz_eq("canonical parameter set identifier", pub_key->key_length(), psid);	9✔
62
63	// Serialize
64	const auto priv_key_bits = priv_key.private_key_bits();	9✔
65	const auto pub_key_bits = pub_key->public_key_bits();	9✔
66
67	// Bob (reading from serialized public key)
68	const Botan::Kyber_PublicKey alice_pub_key(pub_key_bits, mode);	9✔
69	auto enc = Botan::PK_KEM_Encryptor(alice_pub_key, "Raw", "base");	9✔
70	const auto kem_result = enc.encrypt(*rng);	9✔
71
72	// Alice (reading from serialized private key)
73	const Botan::Kyber_PrivateKey alice_priv_key(priv_key_bits, mode);	9✔
74	auto dec = Botan::PK_KEM_Decryptor(alice_priv_key, *rng, "Raw", "base");	9✔
75	const auto key_alice = dec.decrypt(kem_result.encapsulated_shared_key(), 0 /* no KDF */, empty_salt);	9✔
76	result.test_bin_eq("shared secrets are equal", key_alice, kem_result.shared_key());	9✔
77
78	//
79	// negative tests
80	//
81
82	// Broken cipher_text from Alice (wrong length)
83	result.test_throws("fail to read cipher_text", "Kyber: unexpected ciphertext length", [&] {	9✔
84	auto short_cipher_text = kem_result.encapsulated_shared_key();	9✔
85	short_cipher_text.pop_back();	9✔
86	dec.decrypt(short_cipher_text, 0, empty_salt);	9✔
87	});	9✔
88
89	// Invalid cipher_text from Alice
90	Botan::secure_vector<uint8_t> reverse_cipher_text;	9✔
91	std::copy(kem_result.encapsulated_shared_key().crbegin(),	9✔
92	kem_result.encapsulated_shared_key().crend(),	9✔
93	std::back_inserter(reverse_cipher_text));
94	const auto key_alice_rev = dec.decrypt(reverse_cipher_text, 0, empty_salt);	9✔
95	result.test_is_true("shared secrets are not equal", key_alice != key_alice_rev);	9✔
96
97	// Try to decrypt the valid ciphertext again
98	const auto key_alice_try2 = dec.decrypt(kem_result.encapsulated_shared_key(), 0 /* no KDF */, empty_salt);	9✔
99	result.test_bin_eq("shared secrets are equal", key_alice_try2, kem_result.shared_key());	9✔
100
101	return result;	9✔
102	}	63✔
103
104	std::vector<Test::Result> run() override {	1✔
105	return {	1✔
106	run_kyber_test("Kyber512_90s API", Botan::KyberMode::Kyber512_90s, 128, 512),
107	run_kyber_test("Kyber768_90s API", Botan::KyberMode::Kyber768_90s, 192, 768),
108	run_kyber_test("Kyber1024_90s API", Botan::KyberMode::Kyber1024_90s, 256, 1024),
109	run_kyber_test("Kyber512 API", Botan::KyberMode::Kyber512_R3, 128, 512),
110	run_kyber_test("Kyber768 API", Botan::KyberMode::Kyber768_R3, 192, 768),
111	run_kyber_test("Kyber1024 API", Botan::KyberMode::Kyber1024_R3, 256, 1024),
112	run_kyber_test("ML-KEM-512 API", Botan::KyberMode::ML_KEM_512, 128, 512),
113	run_kyber_test("ML-KEM-768 API", Botan::KyberMode::ML_KEM_768, 192, 768),
114	run_kyber_test("ML-KEM-1024 API", Botan::KyberMode::ML_KEM_1024, 256, 1024),
115	};	10✔
116	}	2✔
117	};
118
119	BOTAN_REGISTER_TEST("pubkey", "kyber_pairwise", KYBER_Tests);
120
121	namespace {
122
123	class Kyber_KAT_Tests : public PK_PQC_KEM_KAT_Test {
124	protected:
125	Kyber_KAT_Tests(const std::string& algo_name,	2✔
126	const std::string& kat_file,
127	const std::string& further_optional_keys = "") :	2✔
128	PK_PQC_KEM_KAT_Test(algo_name, kat_file, further_optional_keys) {}	2✔
129
130	private:
131	Botan::KyberMode get_mode(const std::string& mode) const { return Botan::KyberMode(mode); }	2,400✔
132
133	bool is_available(const std::string& mode) const final { return get_mode(mode).is_available(); }	225✔
134
135	std::vector<uint8_t> map_value(const std::string& mode,	900✔
136	std::span<const uint8_t> value,
137	VarType var_type) const final {
138	if(var_type == VarType::SharedSecret) {	900✔
139	return {value.begin(), value.end()};	225✔
140	}
141
142	// We use different hash functions for Kyber 90s, as those are
143	// consistent with the algorithm requirements of the implementations.
144	const std::string_view hash_name = get_mode(mode).is_90s() ? "SHA-256" : "SHAKE-256(128)";	675✔
145
146	auto hash = Botan::HashFunction::create_or_throw(hash_name);	675✔
147	const auto digest = hash->process(value);	675✔
148	return {digest.begin(), digest.begin() + 16};	675✔
149	}	1,350✔
150
151	Fixed_Output_RNG rng_for_keygen(const std::string& mode, Botan::RandomNumberGenerator& rng) const final {	225✔
152	if(get_mode(mode).is_kyber_round3()) {	225✔
153	const auto seed = rng.random_vec(32);	150✔
154	const auto z = rng.random_vec(32);	150✔
155	return Fixed_Output_RNG(Botan::concat(seed, z));	300✔
156	} else if(get_mode(mode).is_ml_kem()) {	375✔
157	const auto z = rng.random_vec(32);	75✔
158	const auto d = rng.random_vec(32);	75✔
159	return Fixed_Output_RNG(Botan::concat(d, z));	150✔
160	} else {	150✔
161	return Fixed_Output_RNG(rng.random_vec(64));	×
162	}
163	}
164
165	Fixed_Output_RNG rng_for_encapsulation(const std::string& /mode/,	225✔
166	Botan::RandomNumberGenerator& rng) const final {
167	return Fixed_Output_RNG(rng.random_vec(32));	450✔
168	}
169	};
170
171	class KyberR3_KAT_Tests : public Kyber_KAT_Tests {
172	public:
173	KyberR3_KAT_Tests() : Kyber_KAT_Tests("Kyber", "pubkey/kyber_kat.vec") {}	2✔
174	};
175
176	class ML_KEM_KAT_Tests : public Kyber_KAT_Tests {
177	public:
178	ML_KEM_KAT_Tests() : Kyber_KAT_Tests("ML-KEM", "pubkey/ml_kem.vec", "CT_N,SS_N") {}	2✔
179	};
180
181	class ML_KEM_ACVP_KAT_KeyGen_Tests : public PK_PQC_KEM_ACVP_KAT_KeyGen_Test {
182	public:
183	ML_KEM_ACVP_KAT_KeyGen_Tests() :	1✔
184	PK_PQC_KEM_ACVP_KAT_KeyGen_Test("ML-KEM", "pubkey/ml_kem_acvp_keygen.vec", "Z,D") {}	1✔
185
186	private:
187	Botan::KyberMode get_mode(const std::string& mode) const { return Botan::KyberMode(mode); }	150✔
188
189	bool is_available(const std::string& mode) const final { return get_mode(mode).is_available(); }	75✔
190
191	Fixed_Output_RNG rng_for_keygen(const VarMap& vars) const override {	75✔
192	const auto d = vars.get_req_bin("D");	75✔
193	const auto z = vars.get_req_bin("Z");	75✔
194	return Fixed_Output_RNG(Botan::concat(d, z));	150✔
195	}	75✔
196	};
197
198	class ML_KEM_PQC_KEM_ACVP_KAT_Encap_Test : public PK_PQC_KEM_ACVP_KAT_Encap_Test {
199	public:
200	ML_KEM_PQC_KEM_ACVP_KAT_Encap_Test() : PK_PQC_KEM_ACVP_KAT_Encap_Test("ML-KEM", "pubkey/ml_kem_acvp_encap.vec") {}	2✔
201
202	private:
203	Botan::KyberMode get_mode(const std::string& mode) const { return Botan::KyberMode(mode); }	300✔
204
205	bool is_available(const std::string& mode) const final { return get_mode(mode).is_available(); }	75✔
206
207	std::unique_ptr<Botan::Public_Key> load_public_key(const VarMap& vars, const std::string& mode) const final {	75✔
208	return std::make_unique<Botan::Kyber_PublicKey>(vars.get_req_bin("EK"), get_mode(mode));	150✔
209	}
210	};
211
212	} // namespace
213
214	BOTAN_REGISTER_TEST("pubkey", "kyber_kat", KyberR3_KAT_Tests);
215	BOTAN_REGISTER_TEST("pubkey", "ml_kem_kat", ML_KEM_KAT_Tests);
216	BOTAN_REGISTER_TEST("pubkey", "ml_kem_acvp_kat_keygen", ML_KEM_ACVP_KAT_KeyGen_Tests);
217	BOTAN_REGISTER_TEST("pubkey", "ml_kem_acvp_kat_encap", ML_KEM_PQC_KEM_ACVP_KAT_Encap_Test);
218
219	// Currently we cannot use the ACVP decapsulation tests because they do not
220	// provide the private key's seed values.
221	//BOTAN_REGISTER_TEST("pubkey", "ml_kem_acvp_kat_decap", ML_KEM_PQC_KEM_ACVP_KAT_Decap_Test);
222
223	class Kyber_Encoding_Test : public Text_Based_Test {	×
224	public:
225	Kyber_Encoding_Test() : Text_Based_Test("pubkey/kyber_encodings.vec", "PrivateRaw,PublicRaw", "Error") {}	2✔
226
227	public:
228	bool skip_this_test(const std::string& algo_name, const VarMap& /vars/) override {	17✔
229	return !Botan::KyberMode(algo_name).is_available();	17✔
230	}
231
232	Test::Result run_one_test(const std::string& algo_name, const VarMap& vars) override {	17✔
233	Test::Result result("kyber_encodings");	17✔
234
235	const auto mode = Botan::KyberMode(algo_name);	17✔
236	const auto pk_raw = Botan::hex_decode(vars.get_req_str("PublicRaw"));	17✔
237	const auto sk_raw = Botan::hex_decode_locked(vars.get_req_str("PrivateRaw"));	17✔
238	const auto error = vars.get_opt_str("Error", "");	17✔
239
240	if(!error.empty()) {	17✔
241	// negative tests
242
243	result.test_throws("failing decoding", error, [&] {	6✔
244	if(!sk_raw.empty()) {	6✔
245	Botan::Kyber_PrivateKey(sk_raw, mode);	5✔
246	}
247	if(!pk_raw.empty()) {	3✔
248	Botan::Kyber_PublicKey(pk_raw, mode);	3✔
249	}
250	});	×
251
252	return result;	6✔
253	} else {
254	const auto skr = std::make_unique<Botan::Kyber_PrivateKey>(sk_raw, mode);	11✔
255	const auto pkr = std::make_unique<Botan::Kyber_PublicKey>(pk_raw, mode);	11✔
256
257	result.test_bin_eq("sk's encoding of pk", skr->public_key_bits(), pk_raw);	11✔
258	result.test_bin_eq("sk's encoding of sk", skr->private_key_bits(), sk_raw);	11✔
259	result.test_bin_eq("pk's encoding of pk", pkr->public_key_bits(), pk_raw);	11✔
260
261	// expanded vs seed encoding
262	if(skr->private_key_format() == Botan::MlPrivateKeyFormat::Seed) {	11✔
263	result.test_bin_eq("sk's seed encoding of sk",	3✔
264	skr->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Seed),	3✔
265	sk_raw);
266	const auto skr_expanded = std::make_unique<Botan::Kyber_PrivateKey>(	3✔
267	skr->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Expanded), mode);	3✔
268	result.test_bin_eq("sk's expanded encoding consistency",	3✔
269	skr->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Expanded),	6✔
270	skr_expanded->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Expanded));	3✔
271	result.test_throws<Botan::Encoding_Error>("expect no seed in expanded sk", [&] {	3✔
272	skr_expanded->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Seed);	3✔
273	});	×
274
275	const auto encapsulation = Botan::PK_KEM_Encryptor(*pkr, "Raw").encrypt(rng());	3✔
276	result.test_bin_eq(	3✔
277	"expanded sk decapsulation",
278	Botan::PK_KEM_Decryptor(*skr_expanded, rng(), "Raw").decrypt(encapsulation.encapsulated_shared_key()),	6✔
279	encapsulation.shared_key());	3✔
280
281	} else {	3✔
282	result.test_bin_eq("sk's expanded encoding of sk",	8✔
283	skr->private_key_bits_with_format(Botan::MlPrivateKeyFormat::Expanded),	16✔
284	sk_raw);
285	}
286	}	11✔
287
288	return result;	11✔
289	}	34✔
290	};
291
292	BOTAN_REGISTER_TEST("pubkey", "kyber_encodings", Kyber_Encoding_Test);
293
294	class Kyber_Keygen_Tests final : public PK_Key_Generation_Test {	1✔
295	public:
296	std::vector<std::string> keygen_params() const override {	1✔
297	return {	1✔
298	#if defined(BOTAN_HAS_KYBER_90S)
299	"Kyber-512-90s-r3", "Kyber-768-90s-r3", "Kyber-1024-90s-r3",
300	#endif
301	#if defined(BOTAN_HAS_KYBER)
302	"Kyber-512-r3", "Kyber-768-r3", "Kyber-1024-r3",
303	#endif
304	#if defined(BOTAN_HAS_ML_KEM)
305	"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024",
306	#endif
307	};	1✔
308	}
309
310	std::string algo_name(std::string_view param) const override {	9✔
311	if(param.starts_with("Kyber-")) {	9✔
312	return "Kyber";	6✔
313	} else {
314	return "ML-KEM";	3✔
315	}
316	}
317
318	std::string algo_name() const override { throw Test_Error("No default algo name set for Kyber"); }	×
319
320	std::unique_ptr<Botan::Public_Key> public_key_from_raw(std::string_view keygen_params,	9✔
321	std::string_view /* provider */,
322	std::span<const uint8_t> raw_pk) const override {
323	return std::make_unique<Botan::Kyber_PublicKey>(raw_pk, Botan::KyberMode(keygen_params));	9✔
324	}
325	};
326
327	BOTAN_REGISTER_TEST("pubkey", "kyber_keygen", Kyber_Keygen_Tests);
328
329	namespace {
330
331	template <size_t d>
332	void test_compress(Test::Result& res) {	5✔
333	using namespace Botan;
334	constexpr auto q = KyberConstants::Q;	5✔
335
336	res.start_timer();	5✔
337
338	for(uint16_t x = 0; x < q; ++x) {	16,650✔
339	const uint32_t c = Kyber_Algos::compress<d>(x);	16,645✔
340	constexpr auto twotothed = (uint32_t(1) << d);	16,645✔
341	const auto e = ((twotothed * x + (q / 2)) / q) % twotothed;	16,645✔
342
343	if(c != e) {	16,645✔
344	res.test_failure(fmt("compress<{}>({}) = {}; expected {}", d, x, c, e));	×
345	return;	×
346	}
347	}
348
349	res.end_timer();	5✔
350	res.test_success();	5✔
351	}
352
353	template <size_t d>
354	void test_decompress(Test::Result& result) {	5✔
355	using namespace Botan;
356	constexpr auto q = KyberConstants::Q;	5✔
357
358	result.start_timer();	5✔
359
360	using from_t = std::conditional_t<d <= 8, uint8_t, uint16_t>;
361	const from_t twotothed = static_cast<from_t>(from_t(1) << d);	5✔
362
363	for(from_t y = 0; y < twotothed; ++y) {	3,127✔
364	const uint32_t c = Kyber_Algos::decompress<d>(y);	3,122✔
365	const uint32_t e = (q * y + (twotothed / 2)) / twotothed;	3,122✔
366
367	if(c != e) {	3,122✔
368	result.test_failure(fmt("decompress<{}>({}) = {}; expected {}", d, static_cast<uint16_t>(y), c, e));	×
369	return;	×
370	}
371	}
372
373	result.end_timer();	5✔
374	result.test_success();	5✔
375	}
376
377	template <size_t d>
378	void test_compress_roundtrip(Test::Result& result) {	5✔
379	using namespace Botan;
380	constexpr auto q = KyberConstants::Q;	5✔
381
382	result.start_timer();	5✔
383
384	// NOLINTNEXTLINE(*-redundant-expression)
385	for(uint16_t x = 0; x < q && x < (1 << d); ++x) {	3,127✔
386	const uint16_t c = Kyber_Algos::compress<d>(Kyber_Algos::decompress<d>(x));	3,122✔
387	if(x != c) {	3,122✔
388	result.test_failure(fmt("compress<{}>(decompress<{}>({})) != {}", d, d, x, c));	×
389	return;	×
390	}
391	}
392
393	result.end_timer();	5✔
394	result.test_success();	5✔
395	}
396
397	std::vector<Test::Result> test_kyber_helpers() {	1✔
398	return {	1✔
399	Botan_Tests::CHECK("compress<1>", [](Test::Result& res) { test_compress<1>(res); }),	1✔
400	Botan_Tests::CHECK("compress<4>", [](Test::Result& res) { test_compress<4>(res); }),	1✔
401	Botan_Tests::CHECK("compress<5>", [](Test::Result& res) { test_compress<5>(res); }),	1✔
402	Botan_Tests::CHECK("compress<10>", [](Test::Result& res) { test_compress<10>(res); }),	1✔
403	Botan_Tests::CHECK("compress<11>", [](Test::Result& res) { test_compress<11>(res); }),	1✔
404
405	Botan_Tests::CHECK("decompress<1>", [](Test::Result& res) { test_decompress<1>(res); }),	1✔
406	Botan_Tests::CHECK("decompress<4>", [](Test::Result& res) { test_decompress<4>(res); }),	1✔
407	Botan_Tests::CHECK("decompress<5>", [](Test::Result& res) { test_decompress<5>(res); }),	1✔
408	Botan_Tests::CHECK("decompress<10>", [](Test::Result& res) { test_decompress<10>(res); }),	1✔
409	Botan_Tests::CHECK("decompress<11>", [](Test::Result& res) { test_decompress<11>(res); }),	1✔
410
411	Botan_Tests::CHECK("compress<1>(decompress())", [](Test::Result& res) { test_compress_roundtrip<1>(res); }),	1✔
412	Botan_Tests::CHECK("compress<4>(decompress())", [](Test::Result& res) { test_compress_roundtrip<4>(res); }),	1✔
413	Botan_Tests::CHECK("compress<5>(decompress())", [](Test::Result& res) { test_compress_roundtrip<5>(res); }),	1✔
414	Botan_Tests::CHECK("compress<10>(decompress())>", [](Test::Result& res) { test_compress_roundtrip<10>(res); }),	1✔
415	Botan_Tests::CHECK("compress<11>(decompress())>", [](Test::Result& res) { test_compress_roundtrip<11>(res); }),	1✔
416	};	16✔
417	}	1✔
418
419	} // namespace
420
421	BOTAN_REGISTER_TEST_FN("pubkey", "kyber_helpers", test_kyber_helpers);
422
423	#endif
424
425	} // namespace
426
427	} // namespace Botan_Tests

randombit / botan / 23225340130

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous