{-# LANGUAGE BangPatterns #-}
{-# LANGUAGE CPP #-}
{-# LANGUAGE DataKinds #-}
{-# LANGUAGE FlexibleContexts #-}
{-# LANGUAGE GeneralizedNewtypeDeriving #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE TypeFamilies #-}
module Internal
( ParamSet(..), Params(..), Encode(..), Decode(..)
, DecapsulationKey, EncapsulationKey, Ciphertext, SharedSecret
, keyGen, toPublic, encaps, decaps
) where
import Control.DeepSeq (NFData(..))
import Control.Monad
import Data.ByteArray (ByteArray, ByteArrayAccess, Bytes, ScrubbedBytes)
import qualified Data.ByteArray as B
import Base
import qualified Builder
import qualified Crypto
import qualified K_PKE as K
import K_PKE (Params(..))
import Marking (Leak(..))
-- | A concrete ML-KEM parameter set, selected by the phantom type @a@.
--
-- 'K' is the set's type-level @k@ (the 'K.dimension' of the 'Params'
-- recovers it as an 'Int'), which every byte-length check in this module
-- is derived from.
class KnownNat (K a) => ParamSet a where
  -- | Type-level @k@ of the parameter set.
  type K a :: Nat
  -- | The K-PKE parameters of the set. Only the type of the proxy matters;
  -- any value of kind @proxy a@ (including a key of that set) may be passed.
  getParams :: proxy a -> Params (K a)
-- | Serialisation of a key type to its standard byte encoding.
--
-- The caller picks the output 'ByteArray'. For 'DecapsulationKey' the
-- encoding contains secret material, so use 'ScrubbedBytes' (or another
-- scrubbing container) there rather than a plain 'Bytes'.
class Encode obj where
  encode :: ByteArray ba => obj a -> ba
-- | Parsing of a key, ciphertext or shared secret from bytes.
--
-- Returns 'Nothing' on malformed input; the checks performed (length,
-- hash consistency, K-PKE key validity) are documented per instance.
-- The proxy selects the parameter set and therefore the expected lengths.
class Decode obj where
  decode :: (ParamSet a, ByteArrayAccess ba) => proxy a -> ba -> Maybe (obj a)
-- | An ML-KEM decapsulation (secret) key: the K-PKE decryption key, the
-- matching K-PKE encryption key, the cached hash of the encoded encryption
-- key (computed in 'keyGen' and re-checked in 'decode'), and the
-- implicit-rejection value @z@ that 'decaps' feeds to 'Crypto.j'.
-- Only @z@ is held in 'ScrubbedBytes' here; scrubbing of the K-PKE
-- decryption key is up to "K_PKE".
data DecapsulationKey a = DK (K.DecryptionKey (K a)) (K.EncryptionKey (K a)) Bytes ScrubbedBytes
-- | An ML-KEM encapsulation (public) key together with the cached hash of
-- its encoding, which 'encaps' mixes into the shared-secret derivation.
-- The hash is not part of the serialised form; 'decode' recomputes it.
data EncapsulationKey a = EK Bytes (K.EncryptionKey (K a))
-- | An ML-KEM ciphertext: opaque public bytes.
--
-- 'Eq' is derived from 'Bytes', i.e. the ordinary comparison, unlike the
-- key and shared-secret instances below that go through 'Crypto.constEqW';
-- ciphertexts are public, so that is acceptable. 'ByteArrayAccess' exposes
-- the raw bytes for transport.
newtype Ciphertext a = C Bytes
  deriving (Eq, ByteArrayAccess)
-- | A 32-byte ML-KEM shared secret, held in 'ScrubbedBytes'.
--
-- 'Eq' is hand-written further down (via 'Crypto.constEqW'); only
-- 'ByteArrayAccess' is derived, so consumers can read the secret bytes
-- for key derivation.
newtype SharedSecret a = S ScrubbedBytes
  deriving ByteArrayAccess
-- | Field-by-field comparison through 'Crypto.constEqW'.
--
-- The four results are combined with 'Crypto.andW' on 'BoolW' and only
-- converted to 'Bool' at the end, presumably so that the comparison does
-- not short-circuit on the first differing field; see "Crypto" for the
-- actual guarantees of those primitives.
instance Eq (DecapsulationKey a) where
  DK dkL ekL hL zL == DK dkR ekR hR zR =
    Crypto.toBool (sameDk `Crypto.andW` sameEk `Crypto.andW` sameH `Crypto.andW` sameZ)
    where
      sameDk = Crypto.constEqW dkL dkR
      sameEk = Crypto.constEqW ekL ekR
      sameH = Crypto.constEqW hL hR
      sameZ = Crypto.constEqW zL zR
-- | Two encapsulation keys are equal when their K-PKE encryption keys are.
-- The cached hash field is a function of the key (see 'keyGen' and
-- 'decode'), so it is deliberately not compared.
instance Eq (EncapsulationKey a) where
  EK _ ekL == EK _ ekR = Crypto.toBool (Crypto.constEqW ekL ekR)
-- | Shared secrets are compared with 'Crypto.constEqW' rather than the
-- 'Eq' of the underlying bytes, since the operands are secret.
instance Eq (SharedSecret a) where
  S lhs == S rhs = Crypto.toBool (Crypto.constEqW lhs rhs)
-- | Secret material is never printed in a normal build: the instance
-- renders only the constructor name.
--
-- With @ML_KEM_TESTING@ defined the full 'encode' output is shown, which
-- includes the K-PKE decryption key and the rejection value @z@; that
-- flag therefore belongs to the test suite only.
instance Show (DecapsulationKey a) where
#ifdef ML_KEM_TESTING
  showsPrec d dk =
    showParen (d > 10) (showString "DecapsulationKey " . showsPrec 11 (encode dk :: Bytes))
#else
  showsPrec _ _ = showString "DecapsulationKey"
#endif
-- | Renders the public key as @EncapsulationKey <encoded bytes>@, with
-- parentheses when the precedence demands them. Public data only.
instance Show (EncapsulationKey a) where
  showsPrec d ek = showParen (d > 10) body
    where
      body = showString "EncapsulationKey " . showsPrec 11 (encode ek :: Bytes)
-- | Renders the ciphertext as @Ciphertext <bytes>@. Public data only.
instance Show (Ciphertext a) where
  showsPrec d (C ctBytes) = showParen (d > 10) body
    where
      body = showString "Ciphertext " . showsPrec 11 ctBytes
-- | The secret is never printed in a normal build; only under
-- @ML_KEM_TESTING@ are the bytes shown (test vectors need them).
instance Show (SharedSecret a) where
#ifdef ML_KEM_TESTING
  showsPrec d (S secret) =
    showParen (d > 10) (showString "SharedSecret " . showsPrec 11 secret)
#else
  showsPrec _ _ = showString "SharedSecret"
#endif
-- | Forces all four components; the tuple instance sequences the same
-- four 'rnf' calls, so no field can survive as a thunk after forcing.
instance NFData (DecapsulationKey a) where
  rnf (DK dk ek h z) = rnf (dk, ek, h, z)
-- | Forces the K-PKE encryption key. The cached hash is a strict 'Bytes'
-- value already constructed by the time the key exists, so only the key
-- component is forced here.
instance NFData (EncapsulationKey a) where
  rnf (EK _ pk) = rnf pk
-- | Forces the ciphertext bytes.
instance NFData (Ciphertext a) where
  rnf (C ctBytes) = rnf ctBytes
-- | Forces the secret bytes.
instance NFData (SharedSecret a) where
  rnf (S secret) = rnf secret
-- | The standard encoding of the K-PKE encryption key. The cached hash is
-- not serialised; 'decode' recomputes it from the bytes it receives.
instance Encode EncapsulationKey where
  encode (EK _ pk) = Builder.runRelaxed (K.ekEncode pk)
-- | Parses an encapsulation key.
--
-- 'K.ekDecode' decides validity (it returns 'Maybe'; the length and
-- coefficient-range checks are presumably performed there — confirm in
-- "K_PKE"). The cached hash is taken over the raw @input@ bytes, so it
-- matches what 'keyGen' computes only when 'K.ekEncode' round-trips.
instance Decode EncapsulationKey where
  decode p input = fmap (EK (Crypto.h input)) (K.ekDecode (getParams p) input)
-- | The standard encoding @dk_PKE || ek || H(ek) || z@.
--
-- 'leak' is the explicit, type-checked point at which the two secret
-- components ('K.dkEncode' and @z@, both built as @Builder 'Sec@) enter a
-- public @Builder 'Pub@: this is the one place the secret key is meant to
-- leave scrubbed memory, and the caller chooses the output container.
instance Encode DecapsulationKey where
  encode (DK dk pk ekHash z) = Builder.runRelaxed encoded
    where
      secretPart = leak (K.dkEncode dk)
      publicPart = K.ekEncode pk <> Builder.bytes ekHash
      rejectionPart = leak (Builder.bytes z)
      encoded = secretPart <> publicPart <> rejectionPart
-- | Parses a decapsulation key from its @dk_PKE || ek || H(ek) || z@
-- encoding, rejecting it when
--
--   * the total length is not @768k + 96@ bytes,
--   * the embedded hash does not equal the hash of the embedded @ek@
--     (compared via 'Crypto.constEqW'), or
--   * 'K.ekDecode' rejects the embedded encryption key.
--
-- The public checks run before the secret parts are decoded.
-- 'K.dkDecode' is total here (no 'Maybe'), so no validity check is
-- applied to @dk_PKE@ beyond its length. Only @z@ is copied into
-- 'ScrubbedBytes'; the caller's @input@ buffer still holds the whole
-- secret key, so pass a scrubbing container when that matters.
instance Decode DecapsulationKey where
  decode p input = do
    guard (B.length input == totalLen)
    let dkBytes = B.view input 0 dkLen
        ekBytes = B.view input dkLen ekLen
        !ekHash = B.convert (B.view input (dkLen + ekLen) 32) :: Bytes
    -- Hash consistency check on the public half.
    guard (Crypto.toBool (Crypto.constEqW ekHash (Crypto.h ekBytes)))
    let !dk = K.dkDecode dkBytes
    !pk <- K.ekDecode params ekBytes
    let !z = B.convert (B.view input (dkLen + ekLen + 32) 32) :: ScrubbedBytes
    return (DK dk pk ekHash z)
    where
      params = getParams p
      k = K.dimension params
      dkLen = 384 * k
      ekLen = 384 * k + 32
      totalLen = 768 * k + 96
-- | Accepts a ciphertext only when its length is exactly
-- @32 * (du * k + dv)@ bytes for the parameter set; no other structural
-- check is performed (the bytes are copied verbatim).
instance Decode Ciphertext where
  decode p input
    | B.length input == expectedLen = Just (C (B.convert input))
    | otherwise = Nothing
    where
      params = getParams p
      k = K.dimension params
      expectedLen = 32 * (du params * k + dv params)
-- | Accepts exactly 32 bytes, copied into 'ScrubbedBytes'. The parameter
-- set is irrelevant for the length, hence the ignored proxy. The caller's
-- @input@ still holds a copy of the secret afterwards.
instance Decode SharedSecret where
  decode _ input
    | B.length input /= 32 = Nothing
    | otherwise = Just (S (B.convert input))
-- | Deterministic ML-KEM key generation from the K-PKE seed @d@ and the
-- implicit-rejection value @z@.
--
-- The caller is responsible for the randomness of both inputs and for
-- their length: nothing here validates them, and 'decode' of the encoded
-- key later expects @z@ to occupy exactly 32 bytes. The hash of the
-- encoded encryption key is computed once and cached in both keys.
keyGen :: (ParamSet a, ByteArrayAccess d) => proxy a -> d -> ScrubbedBytes -> (EncapsulationKey a, DecapsulationKey a)
keyGen p d z = (EK ekHash pk, DK dk pk ekHash z)
  where
    (pk, dk) = K.keyGen (getParams p) d
    ekHash = Crypto.h (Builder.run (K.ekEncode pk))
-- | Extracts the encapsulation key (and its cached hash) from a
-- decapsulation key. No secret component is copied.
toPublic :: DecapsulationKey a -> EncapsulationKey a
toPublic key = case key of
  DK _ pk ekHash _ -> EK ekHash pk
-- | Deterministic ML-KEM encapsulation with caller-supplied randomness @m@.
--
-- @G(m || H(ek))@ yields the shared secret and the encryption coins; the
-- ciphertext is the K-PKE encryption of @m@ under those coins. The length
-- of @m@ is not checked here — presumably the public wrapper supplies the
-- 32 random bytes the scheme expects; confirm at the call site.
encaps :: (ParamSet a, ByteArrayAccess m) => EncapsulationKey a -> m -> (SharedSecret a, Ciphertext a)
encaps ek@(EK ekHash pk) m = (S shared, C ct)
  where
    (shared, coins) = Crypto.g (m `Crypto.append` ekHash)
    -- The key itself serves as the proxy selecting the parameter set.
    ct = K.encrypt (getParams ek) pk m coins
-- | ML-KEM decapsulation with implicit rejection.
--
-- The ciphertext is decrypted, the candidate secret and coins are derived
-- from @G(m' || H(ek))@, and the ciphertext is re-encrypted. The result
-- is chosen with 'Crypto.constSelectBytes' on the 'BoolW' from
-- 'Crypto.constEqW' rather than with a 'Bool' branch: on mismatch the
-- caller receives @J(z || c)@, which is indistinguishable from a genuine
-- secret, and the choice is not exposed as a data-dependent branch here.
-- Whether the unused alternative is also evaluated depends on the
-- strictness of 'Crypto.constSelectBytes' — see "Crypto".
decaps :: ParamSet a => DecapsulationKey a -> Ciphertext a -> SharedSecret a
decaps key@(DK dk pk ekHash z) (C c) =
  S (Crypto.constSelectBytes ciphertextMatches candidate rejected)
  where
    params = getParams key
    m' = K.decrypt params dk c
    (candidate, coins') = Crypto.g (m' `Crypto.append` ekHash)
    c' = K.encrypt params pk m' coins'
    ciphertextMatches = Crypto.constEqW c c'
    rejected = Crypto.j (z `Crypto.append` c)