{\rtf1\ansi\ansicpg1252\cocoartf1504\cocoasubrtf830 {\fonttbl\f0\fswiss\fcharset0 ArialMT;\f1\froman\fcharset0 Times-Roman;\f2\froman\fcharset0 TimesNewRomanPSMT; \f3\fmodern\fcharset0 CourierNewPSMT;\f4\fswiss\fcharset0 Helvetica;} {\colortbl;\red255\green255\blue255;} {\*\expandedcolortbl;;} \margl1440\margr1440\vieww17180\viewh12680\viewkind0 \deftab720 \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 \expnd0\expndtw0\kerning0 PQC - API notes \f1\fs24 \ \f0\fs32 Most of the API information is derived from the \f1\b eBATS: ECRYPT Benchmarking of Asymmetric Systems \f0\b0 (https://bench.cr.yp.to/ebats.html). This has been done to facilitate benchmarking algorithm performance. Please look at the eBATS page for more information on how to submit an algorithm for performance benchmarking.\ \f1\fs24 \ \f0\b\fs32 Public-key Signatures \b0 \f1\fs24 \ \f0\fs32 See \f2\fs42 https://bench.cr.yp.to/call-sign.html \f0\fs32 for more information on Public-key Signature API and performance testing. \f1\fs24 \ \f0\fs32 The first thing to do is to create a file called \i api.h \i0 . This file contains the following four lines (with the sizes set to the appropriate values): \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 #define CRYPTO_SECRETKEYBYTES 256\ #define CRYPTO_PUBLICKEYBYTES 85\ #define CRYPTO_BYTES 128\ #define CRYPTO_RANDOMBYTES 32\ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 indicating that your software uses a 256-byte (2048-bit) secret key, an 85-byte (680-bit) public key, \i at most \i0 128 bytes of overhead in a signed message compared to the original message, and 32 bytes of random input. \f1\fs24 \ \f0\fs32 Then create a file called \i sign.c \i0 with the following function calls: \ eBATS calls \f1\fs24 \ \f0\fs32 Generates a keypair - \i pk \i0 is the public key and \i sk \i0 is the secret key. 
\f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 int crypto_sign_keypair(\ unsigned char *pk,\ unsigned char *sk\ )\ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 Sign a message: \i sm \i0 is the signed message, \i m \i0 is the original message, and \i sk \i0 is the secret key. \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 int crypto_sign(\ unsigned char *sm, unsigned long long *smlen,\ const unsigned char *m, unsigned long long mlen,\ const unsigned char *sk\ \pard\pardeftab720\sl380\sa240\partightenfactor0 \cf0 ) \f1\fs24 \ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 Verify a message signature: \i sm \i0 is the signed message, \i pk \i0 is the public key, and \i m \i0 receives the original message, with its length written to \i mlen \i0 . Because \i m \i0 is an output, it must point to writable storage; the const qualifier on \i m \i0 in the prototype below does not fit that role (compare the \i m \i0 parameter of crypto_encrypt_open). The return value indicates whether verification succeeded (the eBATS page gives the convention) and should be checked before \i m \i0 is used. \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 int crypto_sign_open(\ const unsigned char *m, unsigned long long *mlen,\ const unsigned char *sm, unsigned long long smlen,\ const unsigned char *pk\ \pard\pardeftab720\sl380\sa240\partightenfactor0 \cf0 ) \ \f1\fs24 \ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\b\fs32 \cf0 Public-key Encryption \b0 \f1\fs24 \ \f0\fs32 See \f2\fs42 https://bench.cr.yp.to/call-encrypt.html \f0\fs32 for more information on Public-key Encryption API and performance testing. \f1\fs24 \ \f0\fs32 The first thing to do is to create a file called \i api.h \i0 . This file contains the following four lines (with the sizes set to the appropriate values): \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 #define CRYPTO_SECRETKEYBYTES 256\ #define CRYPTO_PUBLICKEYBYTES 64\ #define CRYPTO_BYTES 48\ #define CRYPTO_RANDOMBYTES 32\ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 indicating that your software uses a 256-byte (2048-bit) secret key, a 64-byte (512-bit) public key, \i at most \i0 48 bytes of overhead in an encrypted message compared to the original message, and 32 bytes of random input. 
\f1\fs24 \ \f0\fs32 Then create a file called \i encrypt.c \i0 with the following function calls: \f1\fs24 \ \f0\fs32 eBATS calls\uc0\u8232 Generates a keypair - \i pk \i0 is the public key and \i sk \i0 is the secret key. \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 int crypto_encrypt_keypair(\ unsigned char *pk,\ unsigned char *sk\ )\ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 Encrypt a plaintext: \i c \i0 is the ciphertext, \i m \i0 is the plaintext, and \i pk \i0 is the public key. \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 int crypto_encrypt(\ unsigned char *c, unsigned long long *clen,\ const unsigned char *m, unsigned long long mlen,\ const unsigned char *pk\ \pard\pardeftab720\sl380\sa240\partightenfactor0 \cf0 ) \f1\fs24 \ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 Decrypt a ciphertext: \i m \i0 is the plaintext, \i c \i0 is the ciphertext, and \i sk \i0 is the secret key. \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 int crypto_encrypt_open(\ unsigned char *m, unsigned long long *mlen,\ const unsigned char *c, unsigned long long clen,\ const unsigned char *sk\ \pard\pardeftab720\sl380\sa240\partightenfactor0 \cf0 ) \ \f1\fs24 \ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\b\fs32 \cf0 Key Encapsulation Mechanism (KEM) \b0 \uc0\u8232 \ The calls in the eBATS specification do not match the calls specified in the call for algorithms. However, an attempt was made to keep the KEM calls consistent with the specifications for the other algorithm types. \f1\fs24 \ \f0\fs32 The first thing to do is to create a file called \i api.h \i0 . 
This file contains the following five lines (with the sizes set to the appropriate values): \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 #define CRYPTO_SECRETKEYBYTES 192\ #define CRYPTO_PUBLICKEYBYTES 64\ #define CRYPTO_BYTES 64\ #define CRYPTO_CIPHERTEXTBYTES 128\ #define CRYPTO_RANDOMBYTES 32\ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 indicating that your software uses a 192-byte (1536-bit) secret key, a 64-byte (512-bit) public key, a 64-byte (512-bit) shared secret, at most a 128-byte (1024-bit) ciphertext, and 32 bytes of random input. \f1\fs24 \ \f0\fs32 Then create a file called \i kem.c \i0 with the following function calls: \ eBATS-like calls \f1\fs24 \ \f0\fs32 Generates a keypair - \i pk \i0 is the public key and \i sk \i0 is the secret key. \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 int crypto_kem_keygenerate(\ unsigned char *pk,\ unsigned char *sk\ )\ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 Encapsulate - \i pk \i0 is the public key, \i ct \i0 is a key encapsulation message (ciphertext), and \i ss \i0 is the shared secret. \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 int crypto_kem_enc(\ unsigned char *ct,\ unsigned char *ss,\ const unsigned char *pk\ )\ \pard\pardeftab720\sl360\sa240\partightenfactor0 \f0\fs32 \cf0 Decapsulate - \i ct \i0 is a key encapsulation message (ciphertext), \i sk \i0 is the secret key, and \i ss \i0 is the shared secret. \f1\fs24 \ \pard\pardeftab720\sl380\partightenfactor0 \f3\fs34 \cf0 int crypto_kem_dec(\ unsigned char *ss,\ const unsigned char *ct,\ const unsigned char *sk\ )\ \ \f1\fs24 \ \pard\pardeftab720\sl380\sa240\partightenfactor0 \f0\b\fs32 \cf0 Additional functions \b0 \ A function, \i randombytes() \i0 , will be available to obtain random input. This function simulates an entropy source for testing purposes; it stands in for a real entropy source only within the test environment. The function prototype comes from the SUPERCOP package (https://bench.cr.yp.to/supercop.html). 
The type of the length argument is wider than needed, but is kept for consistency with the SUPERCOP package. The calling function shall allocate the storage for \i x \i0 , and the \i xlen \i0 parameter specifies the number of bytes to write.\ \pard\pardeftab720\partightenfactor0 \f4\fs24 \cf0 \ \pard\pardeftab720\partightenfactor0 \f3\fs34 \cf0 void randombytes(unsigned char *x, unsigned long long xlen)\ \pard\pardeftab720\partightenfactor0 \f0\fs32 \cf0 \ \pard\pardeftab720\sl380\sa240\partightenfactor0 \cf0 A function, \i CTR_DRBG() \i0 , will be available to generate seed material. The calling function shall allocate the storage for \i seed \i0 , and the \i xlen \i0 parameter specifies the number of bytes to write. The data from \i randombytes() \i0 is used as the \i entropy_input \i0 during the CTR_DRBG instantiation process (see http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf section 10.2.1.5.1).\ \pard\pardeftab720\partightenfactor0 \f4\fs24 \cf0 \ \pard\pardeftab720\partightenfactor0 \f3\fs34 \cf0 void CTR_DRBG(unsigned char *seed, unsigned long long xlen)\ \pard\pardeftab720\partightenfactor0 \f0\fs32 \cf0 \ \pard\pardeftab720\sl380\sa240\partightenfactor0 \cf0 A function, \i SeedExpander() \i0 , will be available to generate additional pseudorandom material. The calling function shall allocate the storage for \i x \i0 , and the \i xlen \i0 parameter specifies the number of bytes to write. This function is used to generate data of arbitrary length, with the additional feature that two consecutive calls for 8 bytes each will produce the same data as a single call for 16 bytes.\ \pard\pardeftab720\partightenfactor0 \f4\fs24 \cf0 \ \pard\pardeftab720\partightenfactor0 \f3\fs34 \cf0 void SeedExpander(unsigned char *x, unsigned long long xlen)\ }