authorDavid Benjamin <davidben@google.com>2023-11-30 15:46:27 -0500
committerBoringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com>2023-11-30 21:55:32 +0000
commit07cd1962328a1d7ac3ec732f9501dc171bf30b44 (patch)
tree5f9f036250d53e67d96c5df2a130b87e69d3c43a /tool
parent46a7b4dea1895a50f022868f62f671b2fa2c47b1 (diff)
Always use a 32-byte shared secret for Kyber
Although the round-3 specification has a variable-length output, the final ML-KEM construction is expected to use a fixed 32-byte output. To simplify the future transition, we apply the same restriction. Update-Note: The Kyber public APIs have changed slightly, but we do not believe there are any users of them yet. Change-Id: Iea4fb1b13ecfcc3fead62989cee79de011f413c5 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64349 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Diffstat (limited to 'tool')
-rw-r--r--tool/speed.cc8
1 files changed, 4 insertions, 4 deletions
diff --git a/tool/speed.cc b/tool/speed.cc
index 942dcad..5473909 100644
--- a/tool/speed.cc
+++ b/tool/speed.cc
@@ -1094,8 +1094,8 @@ static bool SpeedKyber(const std::string &selected) {
KYBER_private_key priv;
uint8_t encoded_public_key[KYBER_PUBLIC_KEY_BYTES];
KYBER_generate_key(encoded_public_key, &priv);
- uint8_t shared_secret[32];
- KYBER_decap(shared_secret, sizeof(shared_secret), ciphertext, &priv);
+ uint8_t shared_secret[KYBER_SHARED_SECRET_BYTES];
+ KYBER_decap(shared_secret, ciphertext, &priv);
return true;
})) {
fprintf(stderr, "Failed to time KYBER_generate_key + KYBER_decap.\n");
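Review bot: With the length argument removed, nothing at the `KYBER_decap(shared_secret, ciphertext, &priv);` call ties the output buffer to the number of bytes the callee writes, so the array declaration on the line above is now the only thing keeping that write in bounds. A one-line comment at the declaration, such as `// KYBER_decap writes exactly KYBER_SHARED_SECRET_BYTES; do not size this buffer by hand.`, would stop a later edit from reintroducing a literal size, assuming the constant is the API's fixed output length as the commit message implies. The same applies to the `KYBER_encap(ciphertext, shared_secret, &pub);` call in the second hunk, where two adjacent `uint8_t` output buffers are passed with no length, so a swapped argument order would presumably still compile. Both lambdas start and end outside their hunks, so the declaration and size of `ciphertext` cannot be checked from here.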
@@ -1115,8 +1115,8 @@ static bool SpeedKyber(const std::string &selected) {
if (!KYBER_parse_public_key(&pub, &encoded_public_key_cbs)) {
return false;
}
- uint8_t shared_secret[32];
- KYBER_encap(ciphertext, shared_secret, sizeof(shared_secret), &pub);
+ uint8_t shared_secret[KYBER_SHARED_SECRET_BYTES];
+ KYBER_encap(ciphertext, shared_secret, &pub);
return true;
})) {
fprintf(stderr, "Failed to time KYBER_encap.\n");