-rw-r--r-- 5232 libmceliece-20240726/doc/man/mceliece.3 raw
.\" Automatically generated by Pandoc 2.17.1.1
.\"
.\" Define V font for inline verbatim, using C font in formats
.\" that render this, and otherwise B font.
.ie "\f[CB]x\f[]"x" \{\
. ftr V B
. ftr VI BI
. ftr VB B
. ftr VBI BI
.\}
.el \{\
. ftr V CR
. ftr VI CI
. ftr VB CB
. ftr VBI CBI
.\}
.TH "mceliece" "3" "" "" ""
.hy
.SS NAME
.PP
mceliece - C API for the libmceliece implementation of the Classic
McEliece cryptosystem
.SS SYNOPSIS
.PP
Using libmceliece:
.IP
.nf
\f[C]
#include <mceliece.h>
\f[R]
.fi
.PP
Link with \f[V]-lmceliece\f[R].
.PP
Key generation (for, e.g., \f[V]mceliece6960119\f[R]):
.IP
.nf
\f[C]
unsigned char pk[mceliece6960119_PUBLICKEYBYTES];
unsigned char sk[mceliece6960119_SECRETKEYBYTES];

mceliece6960119_keypair(pk,sk);
\f[R]
.fi
.PP
Encapsulation (for, e.g., \f[V]mceliece6960119\f[R]):
.IP
.nf
\f[C]
unsigned char ct[mceliece6960119_CIPHERTEXTBYTES];
unsigned char k[mceliece6960119_BYTES];
const unsigned char pk[mceliece6960119_PUBLICKEYBYTES];
int ret;

ret = mceliece6960119_enc(ct,k,pk);
\f[R]
.fi
.PP
Decapsulation (for, e.g., \f[V]mceliece6960119\f[R]):
.IP
.nf
\f[C]
unsigned char k[mceliece6960119_BYTES];
const unsigned char ct[mceliece6960119_CIPHERTEXTBYTES];
const unsigned char sk[mceliece6960119_SECRETKEYBYTES];
int ret;

ret = mceliece6960119_dec(k,ct,sk);
\f[R]
.fi
.SS DESCRIPTION
.PP
libmceliece is an implementation of the Classic
McEliece (https://classic.mceliece.org) cryptosystem.
The C API for libmceliece provides the following functions:
.IP
.nf
\f[C]
mceliece{6960119,6688128,8192128,460896,348864}_keypair
mceliece{6960119,6688128,8192128,460896,348864}_enc
mceliece{6960119,6688128,8192128,460896,348864}_dec
mceliece{6960119,6688128,8192128,460896,348864}f_keypair
mceliece{6960119,6688128,8192128,460896,348864}f_enc
mceliece{6960119,6688128,8192128,460896,348864}f_dec
\f[R]
.fi
.PP
All of these functions follow the SUPERCOP API for
KEMs (https://bench.cr.yp.to/call-kem.html) except that
.IP \[bu] 2
the function names are libmceliece-specific instead of
\f[V]crypto_kem_*\f[R],
.IP \[bu] 2
message lengths are \f[V]long long\f[R] instead of
\f[V]unsigned long long\f[R], and
.IP \[bu] 2
the \f[V]keypair\f[R] functions return \f[V]void\f[R] instead of
\f[V]int\f[R].
.PP
The details below use \f[V]mceliece6960119\f[R] as an example.
.SS KEY GENERATION
.PP
The \f[V]mceliece6960119_keypair\f[R] function randomly generates
Alice\[cq]s secret key \f[V]sk[0]\f[R], \f[V]sk[1]\f[R], \&...,
\f[V]sk[mceliece6960119_SECRETKEYBYTES-1]\f[R] and Alice\[cq]s
corresponding public key \f[V]pk[0]\f[R], \f[V]pk[1]\f[R], \&...,
\f[V]pk[mceliece6960119_PUBLICKEYBYTES-1]\f[R].
.SS ENCAPSULATION
.PP
The \f[V]mceliece6960119_enc\f[R] function randomly generates a
ciphertext \f[V]ct[0]\f[R], \f[V]ct[1]\f[R], \&...,
\f[V]ct[mceliece6960119_CIPHERTEXTBYTES-1]\f[R] and the corresponding
session key \f[V]k[0]\f[R], \f[V]k[1]\f[R], \&...,
\f[V]k[mceliece6960119_BYTES-1]\f[R] given Alice\[cq]s public key
\f[V]pk[0]\f[R], \f[V]pk[1]\f[R], \&...,
\f[V]pk[mceliece6960119_PUBLICKEYBYTES-1]\f[R].
This function then returns \f[V]0\f[R].
.PP
Exception: If the input public key is not \[lq]narrowly decodable\[rq]
(i.e., if bits at particular positions in \f[V]pk\f[R] are set), this
function returns \f[V]-1\f[R].
Currently the function also handles such public keys by clearing
\f[V]ct\f[R] and \f[V]k\f[R], but callers should not rely on this.
.PP
For \f[V]{6688128,8192128,460896,348864}{,f}\f[R], all byte strings of
the correct length are narrowly decodable, and the return value is
always \f[V]0\f[R].
For \f[V]6960119{,f}\f[R], the return value can be \f[V]-1\f[R].
.SS DECAPSULATION
.PP
The \f[V]mceliece6960119_dec\f[R] function, given Alice\[cq]s secret key
\f[V]sk[0]\f[R], \f[V]sk[1]\f[R], \&...,
\f[V]sk[mceliece6960119_SECRETKEYBYTES-1]\f[R], computes the session key
\f[V]k[0]\f[R], \f[V]k[1]\f[R], \&...,
\f[V]k[mceliece6960119_BYTES-1]\f[R] corresponding to a ciphertext
\f[V]ct[0]\f[R], \f[V]ct[1]\f[R], \&...,
\f[V]ct[mceliece6960119_CIPHERTEXTBYTES-1]\f[R] that was encapsulated to
Alice.
This function then returns \f[V]0\f[R].
.PP
Exception: If the input ciphertext is not \[lq]narrowly decodable\[rq]
(i.e., if bits at particular positions in \f[V]ct\f[R] are set), this
function returns \f[V]-1\f[R].
Currently this function also handles such ciphertexts by setting all
bytes of \f[V]k\f[R] to \f[V]255\f[R], but callers should not rely on
this.
.PP
For \f[V]{6688128,8192128,460896,348864}{,f}\f[R], all byte strings of
the correct length are narrowly decodable, and the return value is
always \f[V]0\f[R].
For \f[V]6960119{,f}\f[R], the return value can be \f[V]-1\f[R].
.SS THE f VARIANTS
.PP
The \f[V]f\f[R] variants are internally more complicated than the
non-\f[V]f\f[R] variants but provide faster key generation.
The \f[V]f\f[R] variants are interoperable with the non-\f[V]f\f[R]
variants: for example, a key generated with
\f[V]mceliece6960119f_keypair\f[R] can decapsulate ciphertexts that were
encapsulated with \f[V]mceliece6960119_enc\f[R].
The secret-key sizes (and formats) are the same, the \f[V]enc\f[R]
functions are the same, and the \f[V]dec\f[R] functions are the same.
.SS SEE ALSO
.PP
\f[B]mceliece\f[R](1), \f[B]randombytes\f[R](3)