Kyber example

[yanboti]

Hello, I would like to understand why src/example/kyber.cpp uses "HKDF(SHA-512)" as the KDF. Should it not be SHAKE-256 as in the standard as specified in the submission?

[reneme]

There are two layers here: Internally, Kyber uses SHAKE for various things (including key derivation), and SHA-3 for ordinary hashing. The specified KDF in the example (src/examples/kyber.cpp) is applied to the shared secret that is output by Kyber. This does not alter the Kyber algorithm itself. If you want to obtain the verbatim output of Kyber, pass "Raw" instead of "HKDF(SHA-512)" (and omit passing a salt to encrypt() and/or decrypt()).

Botan generally allows passing the output of any key agreement (or key encapsulation) mechanism through a KDF. Historically (e.g. for Diffie-Hellman) this was generally a good idea. For Kyber you don't have to do that anymore, but the library still allows you to do it for API consistency.

[yanboti]

Hello there, thank you for the reply.

const std::string kdf = "Raw";

Did not work for me. May I know what exactly is the syntax?

[reneme]

Perhaps you need to remove the salt from the encrypt() and decrypt() calls? The following works for me:

#include <botan/kyber.h>
#include <botan/pubkey.h>
#include <botan/system_rng.h>
#include <array>
#include <iostream>

int main() {
   const size_t shared_key_len = 32;
   const std::string kdf = "Raw";

   Botan::System_RNG rng;

   Botan::Kyber_PrivateKey priv_key(rng, Botan::KyberMode::Kyber512_R3);
   auto pub_key = priv_key.public_key();

   Botan::PK_KEM_Encryptor enc(*pub_key, kdf);

   const auto kem_result = enc.encrypt(rng, shared_key_len);

   Botan::PK_KEM_Decryptor dec(priv_key, rng, kdf);

   auto dec_shared_key = dec.decrypt(kem_result.encapsulated_shared_key(), shared_key_len);

   if(dec_shared_key != kem_result.shared_key()) {
      std::cerr << "Shared keys differ\n";
      return 1;
   }

   return 0;
}

[yanboti]

Removing the salt works for me, but I would like to keep that too.

[reneme]

Not sure I understand. The salt is an input to the KDF (i.e. HKDF(SHA-512)). If you don't use a KDF (by passing "Raw"), you basically use vanilla Kyber and Kyber doesn't have the option to use a user-defined salt.

[yanboti]

I managed it by following the example in src/test/test_kyber.cpp and managed to get what I needed. Thank you for your help!