ML_KEM_RANDOM_BYTES
DECLARE_ML_KEM_KEYDATA(prvkey_##bits, ML_KEM_##bits##_RANK, ; scalar sbuf[ML_KEM_##bits##_RANK]; uint8_t zbuf[2 * ML_KEM_RANDOM_BYTES];)
typedef __owur int (*CBD_FUNC)(scalar *out, uint8_t in[ML_KEM_RANDOM_BYTES + 1],
/*
 * Size of an encoded public key for parameter-set argument |b|: the encoded
 * vector followed by one ML_KEM_RANDOM_BYTES-sized value.
 * NOTE(review): the encode fragment in this listing copies |rho| to
 * out + vinfo->vector_bytes, so the trailing value is presumably |rho| -
 * confirm against the full encoder before relying on this layout.
 */
#define PUBKEY_BYTES(b) (VECTOR_BYTES(b) + ML_KEM_RANDOM_BYTES)
uint8_t input[ML_KEM_RANDOM_BYTES + 2];
memcpy(input, key->rho, ML_KEM_RANDOM_BYTES);
input[ML_KEM_RANDOM_BYTES] = i;
input[ML_KEM_RANDOM_BYTES + 1] = j;
static __owur int cbd_2(scalar *out, uint8_t in[ML_KEM_RANDOM_BYTES + 1],
static __owur int cbd_3(scalar *out, uint8_t in[ML_KEM_RANDOM_BYTES + 1],
const uint8_t seed[ML_KEM_RANDOM_BYTES], int rank,
uint8_t input[ML_KEM_RANDOM_BYTES + 1];
memcpy(input, seed, ML_KEM_RANDOM_BYTES);
input[ML_KEM_RANDOM_BYTES] = (*counter)++;
const uint8_t seed[ML_KEM_RANDOM_BYTES], int rank,
uint8_t input[ML_KEM_RANDOM_BYTES + 1];
memcpy(input, seed, ML_KEM_RANDOM_BYTES);
input[ML_KEM_RANDOM_BYTES] = (*counter)++;
const uint8_t r[ML_KEM_RANDOM_BYTES], scalar *tmp,
uint8_t input[ML_KEM_RANDOM_BYTES + 1];
memcpy(input, r, ML_KEM_RANDOM_BYTES);
input[ML_KEM_RANDOM_BYTES] = counter;
memcpy(out + vinfo->vector_bytes, rho, ML_KEM_RANDOM_BYTES);
memcpy(out, key->z, ML_KEM_RANDOM_BYTES);
memcpy(key->rho, in + vinfo->vector_bytes, ML_KEM_RANDOM_BYTES);
memcpy(key->z, in, ML_KEM_RANDOM_BYTES);
uint8_t hashed[2 * ML_KEM_RANDOM_BYTES];
const uint8_t *const sigma = hashed + ML_KEM_RANDOM_BYTES;
uint8_t augmented_seed[ML_KEM_RANDOM_BYTES + 1];
memcpy(augmented_seed, seed, ML_KEM_RANDOM_BYTES);
augmented_seed[ML_KEM_RANDOM_BYTES] = (uint8_t)rank;
/* |rho| is the first ML_KEM_RANDOM_BYTES of |hashed|; |sigma| is the second half. */
memcpy(key->rho, hashed, ML_KEM_RANDOM_BYTES);
/*
 * Only |rho| is declassified here; |sigma| is not, and is wiped separately.
 * NOTE(review): |rho| appears to be emitted as part of the encoded public
 * key, which would justify treating it as public for constant-time
 * checking - confirm.
 */
CONSTTIME_DECLASSIFY(key->rho, ML_KEM_RANDOM_BYTES);
memcpy(key->z, seed + ML_KEM_RANDOM_BYTES, ML_KEM_RANDOM_BYTES);
key->d = key->z + ML_KEM_RANDOM_BYTES;
memcpy(key->d, seed, ML_KEM_RANDOM_BYTES);
/*
 * Wipe secret seed material that must not linger in memory.
 * NOTE(review): these three calls are adjacent in this listing; whether they
 * share one cleanup path in the full source is not visible here.
 */
OPENSSL_cleanse(key->d, ML_KEM_RANDOM_BYTES);
/*
 * Only the seed copy is wiped. |augmented_seed| is ML_KEM_RANDOM_BYTES + 1
 * bytes long and its final byte is set from |rank|, so that byte is left
 * untouched by this call.
 */
OPENSSL_cleanse((void *)augmented_seed, ML_KEM_RANDOM_BYTES);
/*
 * |sigma| aliases the second half of |hashed|, so this clears that half of
 * the hash output; the first half was copied into key->rho.
 */
OPENSSL_cleanse((void *)sigma, ML_KEM_RANDOM_BYTES);
const uint8_t entropy[ML_KEM_RANDOM_BYTES],
uint8_t input[ML_KEM_RANDOM_BYTES + ML_KEM_PKHASH_BYTES];
uint8_t Kr[ML_KEM_SHARED_SECRET_BYTES + ML_KEM_RANDOM_BYTES];
memcpy(input, entropy, ML_KEM_RANDOM_BYTES);
memcpy(input + ML_KEM_RANDOM_BYTES, key->pkhash, ML_KEM_PKHASH_BYTES);
uint8_t failure_key[ML_KEM_RANDOM_BYTES];
uint8_t Kr[ML_KEM_SHARED_SECRET_BYTES + ML_KEM_RANDOM_BYTES];
key->pkhash = key->seedbuf + ML_KEM_RANDOM_BYTES;
key->vinfo->rank * sizeof(scalar) + 2 * ML_KEM_RANDOM_BYTES);
ret->pkhash = ret->rho + ML_KEM_RANDOM_BYTES;
ret->d = ret->z + ML_KEM_RANDOM_BYTES;
memcpy(out, key->d, ML_KEM_RANDOM_BYTES);
out += ML_KEM_RANDOM_BYTES;
memcpy(out, key->z, ML_KEM_RANDOM_BYTES);
key->d = key->z + ML_KEM_RANDOM_BYTES;
memcpy(key->d, seed, ML_KEM_RANDOM_BYTES);
seed += ML_KEM_RANDOM_BYTES;
memcpy(key->z, seed, ML_KEM_RANDOM_BYTES);
#if ML_KEM_SEED_BYTES != ML_KEM_SHARED_SECRET_BYTES + ML_KEM_RANDOM_BYTES
CONSTTIME_DECLASSIFY(key->z, 2 * ML_KEM_RANDOM_BYTES);
|| entropy == NULL || elen != ML_KEM_RANDOM_BYTES
uint8_t r[ML_KEM_RANDOM_BYTES];
if (RAND_bytes_ex(key->libctx, r, ML_KEM_RANDOM_BYTES,
classify_bytes = 2 * sizeof(scalar) + ML_KEM_RANDOM_BYTES;
#if ML_KEM_SHARED_SECRET_BYTES != ML_KEM_RANDOM_BYTES
static __owur int prf(uint8_t *out, size_t len, const uint8_t in[ML_KEM_RANDOM_BYTES + 1],
&& single_keccak(out, len, in, ML_KEM_RANDOM_BYTES + 1, mdctx);
if (!EVP_DigestUpdate(mdctx, key->rho, ML_KEM_RANDOM_BYTES))
const uint8_t z[ML_KEM_RANDOM_BYTES],
&& EVP_DigestUpdate(mdctx, z, ML_KEM_RANDOM_BYTES)
/*
 * Length of the key-generation seed: two ML_KEM_RANDOM_BYTES-sized values.
 * The seed encode/decode fragments in this listing place |d| first and |z|
 * second. |d| is wiped with OPENSSL_cleanse elsewhere in the listing, so
 * buffers of this size should be handled as secret key material.
 */
#define ML_KEM_SEED_BYTES (ML_KEM_RANDOM_BYTES * 2) /* Keygen (d, z) */
#if ML_KEM_PKHASH_BYTES != ML_KEM_RANDOM_BYTES
OPENSSL_cleanse(ctx->entropy, ML_KEM_RANDOM_BYTES);
size_t len = ML_KEM_RANDOM_BYTES;
&& len == ML_KEM_RANDOM_BYTES)
ctx->entropy, ML_KEM_RANDOM_BYTES, key);
OPENSSL_cleanse(ctx->entropy, ML_KEM_RANDOM_BYTES);
uint8_t entropy_buf[ML_KEM_RANDOM_BYTES];
OPENSSL_cleanse(ctx->entropy, ML_KEM_RANDOM_BYTES);
size_t zlen = ML_KEM_RANDOM_BYTES;
puboff = prvlen - ML_KEM_RANDOM_BYTES - ML_KEM_PKHASH_BYTES - publen;
unsigned char entropy[ML_KEM_RANDOM_BYTES];
if (!TEST_mem_eq(rawpub + v->vector_bytes, ML_KEM_RANDOM_BYTES,
expected_rho[i], ML_KEM_RANDOM_BYTES))
ML_KEM_RANDOM_BYTES,
ML_KEM_RANDOM_BYTES))
static uint8_t ml_kem_expected_rho[3][ML_KEM_RANDOM_BYTES] = {
decap_entropy = ml_kem_public_entropy + ML_KEM_RANDOM_BYTES;