quantica/ml_kem/params.rs
1/// ML-KEM parameter sets as defined in FIPS 203 Section 8, Table 2.
2///
3/// Constants: n = 256, q = 3329 for all parameter sets.
4
5/// The polynomial ring dimension. All ML-KEM parameter sets use n = 256.
6pub const N: usize = 256;
7
8/// The modulus for the polynomial ring `R_q = Z_q[X]/(X^n + 1)`.
9///
10/// q = 3329 is chosen because it is prime and satisfies q ≡ 1 (mod 2n),
11/// enabling efficient NTT-based polynomial multiplication.
12pub const Q: u16 = 3329;
13
14/// Parameter set trait for ML-KEM security levels.
15///
16/// Implemented by [`MlKem512`], [`MlKem768`], and [`MlKem1024`], each
17/// providing the constants that define key sizes, ciphertext sizes, and
18/// sampling parameters for a specific NIST security category.
19///
20/// The derived constants ([`EK_LEN`](Params::EK_LEN), [`DK_LEN`](Params::DK_LEN),
21/// [`CT_LEN`](Params::CT_LEN), [`SS_LEN`](Params::SS_LEN)) are computed
22/// automatically from the core parameters.
23pub trait Params: 'static {
24 /// Module rank (number of polynomials per vector). Determines security level.
25 const K: usize;
26 /// CBD sampling parameter for secret key and first error vector.
27 const ETA1: usize;
28 /// CBD sampling parameter for second error vectors during encryption.
29 const ETA2: usize;
30 /// Compression bit-width for the `u` component of ciphertexts.
31 const DU: usize;
32 /// Compression bit-width for the `v` component of ciphertexts.
33 const DV: usize;
34
35 // Derived sizes (in bytes)
36 /// Encapsulation key size in bytes: 384*k + 32.
37 const EK_LEN: usize = 384 * Self::K + 32;
38 /// Decapsulation key size in bytes: 768*k + 96.
39 ///
40 /// Layout: `dk_pke || ek_pke || H(ek) || z` where `z` is the implicit
41 /// rejection seed.
42 const DK_LEN: usize = 768 * Self::K + 96;
43 /// Ciphertext size in bytes: 32*(du*k + dv).
44 const CT_LEN: usize = 32 * (Self::DU * Self::K + Self::DV);
45 /// Shared secret size in bytes. Always 32 (256 bits) for all parameter sets.
46 const SS_LEN: usize = 32;
47}
48
49/// ML-KEM-512 parameter set (NIST security category 1).
50///
51/// Provides 128-bit classical security. Smallest key and ciphertext sizes.
52///
53/// | Property | Value |
54/// |----------|-------|
55/// | `EK_LEN` | 800 bytes |
56/// | `DK_LEN` | 1632 bytes |
57/// | `CT_LEN` | 768 bytes |
58pub struct MlKem512;
59impl Params for MlKem512 {
60 const K: usize = 2;
61 const ETA1: usize = 3;
62 const ETA2: usize = 2;
63 const DU: usize = 10;
64 const DV: usize = 4;
65}
66
67/// ML-KEM-768 parameter set (NIST security category 3).
68///
69/// The NIST recommended default. Provides 192-bit classical security and
70/// balances performance with security margin.
71///
72/// | Property | Value |
73/// |----------|-------|
74/// | `EK_LEN` | 1184 bytes |
75/// | `DK_LEN` | 2400 bytes |
76/// | `CT_LEN` | 1088 bytes |
77pub struct MlKem768;
78impl Params for MlKem768 {
79 const K: usize = 3;
80 const ETA1: usize = 2;
81 const ETA2: usize = 2;
82 const DU: usize = 10;
83 const DV: usize = 4;
84}
85
86/// ML-KEM-1024 parameter set (NIST security category 5).
87///
88/// Provides 256-bit classical security. Largest key and ciphertext sizes,
89/// but highest security margin.
90///
91/// | Property | Value |
92/// |----------|-------|
93/// | `EK_LEN` | 1568 bytes |
94/// | `DK_LEN` | 3168 bytes |
95/// | `CT_LEN` | 1568 bytes |
96pub struct MlKem1024;
97impl Params for MlKem1024 {
98 const K: usize = 4;
99 const ETA1: usize = 2;
100 const ETA2: usize = 2;
101 const DU: usize = 11;
102 const DV: usize = 5;
103}