package mlkem

Import Path
	crypto/internal/fips140/mlkem (on go.dev)

Dependency Relation
	imports 8 packages, and imported by one package

Involved Source Files

	    cast.go
	    field.go
	    mlkem1024.go
	  d mlkem768.go
		Package mlkem implements the quantum-resistant key encapsulation method
		ML-KEM (formerly known as Kyber), as specified in [NIST FIPS 203].
		
		[NIST FIPS 203]: https://doi.org/10.6028/NIST.FIPS.203
Package-Level Type Names (total 11, in which 4 are exported)

	/* sort exporteds by: alphabet | popularity */
	 type DecapsulationKey1024 (struct)
		A DecapsulationKey1024 is the secret key used to decapsulate a shared key from a
		ciphertext. It includes various precomputed values.

		Fields (total 9, none are exported)
			/* 9 unexporteds ... *//* 9 unexporteds: */
			d [32]byte
				// decapsulation key seed

			decryptionKey1024 decryptionKey1024
			decryptionKey1024.s [4]nttElement
				// ByteDecode₁₂(dk[:decryptionKey1024Size])

			encryptionKey1024 encryptionKey1024
			encryptionKey1024.a [16]nttElement
				// A[i*k+j] = sampleNTT(ρ, j, i)

			encryptionKey1024.t [4]nttElement
				// ByteDecode₁₂(ek[:384k])

			h [32]byte
				// H(ek), stored for ML-KEM.Decaps_internal

			z [32]byte
				// implicit rejection sampling seed

			ρ [32]byte
				// sampleNTT seed for A, stored for the encapsulation key

		Methods (total 3, all are exported)
			(*DecapsulationKey1024) Bytes() []byte
				Bytes returns the decapsulation key as a 64-byte seed in the "d || z" form.
				
				The decapsulation key must be kept secret.

			(*DecapsulationKey1024) Decapsulate(ciphertext []byte) (sharedKey []byte, err error)
				Decapsulate generates a shared key from a ciphertext and a decapsulation key.
				If the ciphertext is not valid, Decapsulate returns an error.
				
				The shared key must be kept secret.

			(*DecapsulationKey1024) EncapsulationKey() *EncapsulationKey1024
				EncapsulationKey returns the public encapsulation key necessary to produce
				ciphertexts.

		As Outputs Of (at least 6, in which 4 are exported)
			func GenerateKey1024() (*DecapsulationKey1024, error)
			func GenerateKeyInternal1024(d, z *[32]byte) *DecapsulationKey1024
			func NewDecapsulationKey1024(seed []byte) (*DecapsulationKey1024, error)
			func TestingOnlyNewDecapsulationKey1024(b []byte) (*DecapsulationKey1024, error)
			/* 2+ unexporteds ... *//* 2+ unexporteds: */
			func generateKey1024(dk *DecapsulationKey1024) (*DecapsulationKey1024, error)
			func newKeyFromSeed1024(dk *DecapsulationKey1024, seed []byte) (*DecapsulationKey1024, error)
		As Inputs Of (at least 6, in which 1 is exported)
			func TestingOnlyExpandedBytes1024(dk *DecapsulationKey1024) []byte
			/* 5+ unexporteds ... *//* 5+ unexporteds: */
			func generateKey1024(dk *DecapsulationKey1024) (*DecapsulationKey1024, error)
			func kemDecaps1024(dk *DecapsulationKey1024, c *[1568]byte) (K []byte)
			func kemKeyGen1024(dk *DecapsulationKey1024, d, z *[32]byte)
			func kemPCT1024(dk *DecapsulationKey1024) error
			func newKeyFromSeed1024(dk *DecapsulationKey1024, seed []byte) (*DecapsulationKey1024, error)

	 type DecapsulationKey768 (struct)
		A DecapsulationKey768 is the secret key used to decapsulate a shared key from a
		ciphertext. It includes various precomputed values.

		Fields (total 9, none are exported)
			/* 9 unexporteds ... *//* 9 unexporteds: */
			d [32]byte
				// decapsulation key seed

			decryptionKey decryptionKey
			decryptionKey.s [3]nttElement
				// ByteDecode₁₂(dk[:decryptionKeySize])

			encryptionKey encryptionKey
			encryptionKey.a [9]nttElement
				// A[i*k+j] = sampleNTT(ρ, j, i)

			encryptionKey.t [3]nttElement
				// ByteDecode₁₂(ek[:384k])

			h [32]byte
				// H(ek), stored for ML-KEM.Decaps_internal

			z [32]byte
				// implicit rejection sampling seed

			ρ [32]byte
				// sampleNTT seed for A, stored for the encapsulation key

		Methods (total 3, all are exported)
			(*DecapsulationKey768) Bytes() []byte
				Bytes returns the decapsulation key as a 64-byte seed in the "d || z" form.
				
				The decapsulation key must be kept secret.

			(*DecapsulationKey768) Decapsulate(ciphertext []byte) (sharedKey []byte, err error)
				Decapsulate generates a shared key from a ciphertext and a decapsulation key.
				If the ciphertext is not valid, Decapsulate returns an error.
				
				The shared key must be kept secret.

			(*DecapsulationKey768) EncapsulationKey() *EncapsulationKey768
				EncapsulationKey returns the public encapsulation key necessary to produce
				ciphertexts.

		As Outputs Of (at least 6, in which 4 are exported)
			func GenerateKey768() (*DecapsulationKey768, error)
			func GenerateKeyInternal768(d, z *[32]byte) *DecapsulationKey768
			func NewDecapsulationKey768(seed []byte) (*DecapsulationKey768, error)
			func TestingOnlyNewDecapsulationKey768(b []byte) (*DecapsulationKey768, error)
			/* 2+ unexporteds ... *//* 2+ unexporteds: */
			func generateKey(dk *DecapsulationKey768) (*DecapsulationKey768, error)
			func newKeyFromSeed(dk *DecapsulationKey768, seed []byte) (*DecapsulationKey768, error)
		As Inputs Of (at least 6, in which 1 is exported)
			func TestingOnlyExpandedBytes768(dk *DecapsulationKey768) []byte
			/* 5+ unexporteds ... *//* 5+ unexporteds: */
			func generateKey(dk *DecapsulationKey768) (*DecapsulationKey768, error)
			func kemDecaps(dk *DecapsulationKey768, c *[1088]byte) (K []byte)
			func kemKeyGen(dk *DecapsulationKey768, d, z *[32]byte)
			func kemPCT(dk *DecapsulationKey768) error
			func newKeyFromSeed(dk *DecapsulationKey768, seed []byte) (*DecapsulationKey768, error)

	 type EncapsulationKey1024 (struct)
		An EncapsulationKey1024 is the public key used to produce ciphertexts to be
		decapsulated by the corresponding [DecapsulationKey1024].

		Fields (total 5, none are exported)
			/* 5 unexporteds ... *//* 5 unexporteds: */
			encryptionKey1024 encryptionKey1024
			encryptionKey1024.a [16]nttElement
				// A[i*k+j] = sampleNTT(ρ, j, i)

			encryptionKey1024.t [4]nttElement
				// ByteDecode₁₂(ek[:384k])

			h [32]byte
				// H(ek)

			ρ [32]byte
				// sampleNTT seed for A

		Methods (total 5, in which 3 are exported)
			(*EncapsulationKey1024) Bytes() []byte
				Bytes returns the encapsulation key as a byte slice.

			(*EncapsulationKey1024) Encapsulate() (sharedKey, ciphertext []byte)
				Encapsulate generates a shared key and an associated ciphertext from an
				encapsulation key, drawing random bytes from a DRBG.
				
				The shared key must be kept secret.

			(*EncapsulationKey1024) EncapsulateInternal(m *[32]byte) (sharedKey, ciphertext []byte)
				EncapsulateInternal is a derandomized version of Encapsulate, exclusively for
				use in tests.

			/* 2 unexporteds ... *//* 2 unexporteds: */
			(*EncapsulationKey1024) bytes(b []byte) []byte
			(*EncapsulationKey1024) encapsulate(cc *[1568]byte) (sharedKey, ciphertext []byte)
		As Outputs Of (at least 3, in which 2 are exported)
			func NewEncapsulationKey1024(encapsulationKey []byte) (*EncapsulationKey1024, error)
			func (*DecapsulationKey1024).EncapsulationKey() *EncapsulationKey1024
			/* at least one unexported ... *//* at least one unexported: */
			func parseEK1024(ek *EncapsulationKey1024, ekPKE []byte) (*EncapsulationKey1024, error)
		As Inputs Of (at least 2, neither is exported)
			/* 2+ unexporteds ... *//* 2+ unexporteds: */
			func kemEncaps1024(cc *[1568]byte, ek *EncapsulationKey1024, m *[32]byte) (K, c []byte)
			func parseEK1024(ek *EncapsulationKey1024, ekPKE []byte) (*EncapsulationKey1024, error)

	 type EncapsulationKey768 (struct)
		An EncapsulationKey768 is the public key used to produce ciphertexts to be
		decapsulated by the corresponding [DecapsulationKey768].

		Fields (total 5, none are exported)
			/* 5 unexporteds ... *//* 5 unexporteds: */
			encryptionKey encryptionKey
			encryptionKey.a [9]nttElement
				// A[i*k+j] = sampleNTT(ρ, j, i)

			encryptionKey.t [3]nttElement
				// ByteDecode₁₂(ek[:384k])

			h [32]byte
				// H(ek)

			ρ [32]byte
				// sampleNTT seed for A

		Methods (total 5, in which 3 are exported)
			(*EncapsulationKey768) Bytes() []byte
				Bytes returns the encapsulation key as a byte slice.

			(*EncapsulationKey768) Encapsulate() (sharedKey, ciphertext []byte)
				Encapsulate generates a shared key and an associated ciphertext from an
				encapsulation key, drawing random bytes from a DRBG.
				
				The shared key must be kept secret.

			(*EncapsulationKey768) EncapsulateInternal(m *[32]byte) (sharedKey, ciphertext []byte)
				EncapsulateInternal is a derandomized version of Encapsulate, exclusively for
				use in tests.

			/* 2 unexporteds ... *//* 2 unexporteds: */
			(*EncapsulationKey768) bytes(b []byte) []byte
			(*EncapsulationKey768) encapsulate(cc *[1088]byte) (sharedKey, ciphertext []byte)
		As Outputs Of (at least 3, in which 2 are exported)
			func NewEncapsulationKey768(encapsulationKey []byte) (*EncapsulationKey768, error)
			func (*DecapsulationKey768).EncapsulationKey() *EncapsulationKey768
			/* at least one unexported ... *//* at least one unexported: */
			func parseEK(ek *EncapsulationKey768, ekPKE []byte) (*EncapsulationKey768, error)
		As Inputs Of (at least 2, neither is exported)
			/* 2+ unexporteds ... *//* 2+ unexporteds: */
			func kemEncaps(cc *[1088]byte, ek *EncapsulationKey768, m *[32]byte) (K, c []byte)
			func parseEK(ek *EncapsulationKey768, ekPKE []byte) (*EncapsulationKey768, error)

	/* 7 unexporteds ... *//* 7 unexporteds: */
	 type decryptionKey (struct)
		decryptionKey is the parsed and expanded form of a PKE decryption key.

		Fields (only one, which is unexported)
			/* one unexported ... *//* one unexported: */
			s [3]nttElement
				// ByteDecode₁₂(dk[:decryptionKeySize])

		As Inputs Of (at least one unexported)
			/* at least one unexported ... *//* at least one unexported: */
			func pkeDecrypt(dx *decryptionKey, c *[1088]byte) []byte

	 type decryptionKey1024 (struct)
		decryptionKey1024 is the parsed and expanded form of a PKE decryption key.

		Fields (only one, which is unexported)
			/* one unexported ... *//* one unexported: */
			s [4]nttElement
				// ByteDecode₁₂(dk[:decryptionKey1024Size])

		As Inputs Of (at least one unexported)
			/* at least one unexported ... *//* at least one unexported: */
			func pkeDecrypt1024(dx *decryptionKey1024, c *[1568]byte) []byte

	 type encryptionKey (struct)
		encryptionKey is the parsed and expanded form of a PKE encryption key.

		Fields (total 2, neither is exported)
			/* 2 unexporteds ... *//* 2 unexporteds: */
			a [9]nttElement
				// A[i*k+j] = sampleNTT(ρ, j, i)

			t [3]nttElement
				// ByteDecode₁₂(ek[:384k])

		As Inputs Of (at least one unexported)
			/* at least one unexported ... *//* at least one unexported: */
			func pkeEncrypt(cc *[1088]byte, ex *encryptionKey, m *[32]byte, rnd []byte) []byte

	 type encryptionKey1024 (struct)
		encryptionKey1024 is the parsed and expanded form of a PKE encryption key.

		Fields (total 2, neither is exported)
			/* 2 unexporteds ... *//* 2 unexporteds: */
			a [16]nttElement
				// A[i*k+j] = sampleNTT(ρ, j, i)

			t [4]nttElement
				// ByteDecode₁₂(ek[:384k])

		As Inputs Of (at least one unexported)
			/* at least one unexported ... *//* at least one unexported: */
			func pkeEncrypt1024(cc *[1568]byte, ex *encryptionKey1024, m *[32]byte, rnd []byte) []byte

	 type fieldElement uint16 (basic type)
		fieldElement is an integer modulo q, an element of ℤ_q. It is always reduced.

		As Outputs Of (at least 9, none are exported)
			/* 9+ unexporteds ... *//* 9+ unexporteds: */
			func decompress(y uint16, d uint8) fieldElement
			func fieldAdd(a, b fieldElement) fieldElement
			func fieldAddMul(a, b, c, d fieldElement) fieldElement
			func fieldCheckReduced(a uint16) (fieldElement, error)
			func fieldMul(a, b fieldElement) fieldElement
			func fieldMulSub(a, b, c fieldElement) fieldElement
			func fieldReduce(a uint32) fieldElement
			func fieldReduceOnce(a uint16) fieldElement
			func fieldSub(a, b fieldElement) fieldElement
		As Inputs Of (at least 6, none are exported)
			/* 6+ unexporteds ... *//* 6+ unexporteds: */
			func compress(x fieldElement, d uint8) uint16
			func fieldAdd(a, b fieldElement) fieldElement
			func fieldAddMul(a, b, c, d fieldElement) fieldElement
			func fieldMul(a, b fieldElement) fieldElement
			func fieldMulSub(a, b, c fieldElement) fieldElement
			func fieldSub(a, b fieldElement) fieldElement

	 type nttElement ([...])
		nttElement is an NTT representation, an element of T_q, represented as an
		array according to FIPS 203, Section 2.4.4.

		As Outputs Of (at least 3, none are exported)
			/* 3+ unexporteds ... *//* 3+ unexporteds: */
			func ntt(f ringElement) nttElement
			func nttMul(f, g nttElement) nttElement
			func sampleNTT(rho []byte, ii, jj byte) nttElement
		As Inputs Of (at least 2, neither is exported)
			/* 2+ unexporteds ... *//* 2+ unexporteds: */
			func inverseNTT(f nttElement) ringElement
			func nttMul(f, g nttElement) nttElement

	 type ringElement ([...])
		ringElement is a polynomial, an element of R_q, represented as an array
		according to FIPS 203, Section 2.4.4.

		As Outputs Of (at least 8, none are exported)
			/* 8+ unexporteds ... *//* 8+ unexporteds: */
			func inverseNTT(f nttElement) ringElement
			func ringDecodeAndDecompress(b []byte, d uint8) ringElement
			func ringDecodeAndDecompress1(b *[32]byte) ringElement
			func ringDecodeAndDecompress10(bb *[320]byte) ringElement
			func ringDecodeAndDecompress11(bb *[352]byte) ringElement
			func ringDecodeAndDecompress4(b *[128]byte) ringElement
			func ringDecodeAndDecompress5(bb *[160]byte) ringElement
			func samplePolyCBD(s []byte, b byte) ringElement
		As Inputs Of (at least 7, none are exported)
			/* 7+ unexporteds ... *//* 7+ unexporteds: */
			func ntt(f ringElement) nttElement
			func ringCompressAndEncode(s []byte, f ringElement, d uint8) []byte
			func ringCompressAndEncode1(s []byte, f ringElement) []byte
			func ringCompressAndEncode10(s []byte, f ringElement) []byte
			func ringCompressAndEncode11(s []byte, f ringElement) []byte
			func ringCompressAndEncode4(s []byte, f ringElement) []byte
			func ringCompressAndEncode5(s []byte, f ringElement) []byte


Package-Level Functions (total 63, in which 12 are exported)

	 func GenerateKey1024() (*DecapsulationKey1024, error)
		GenerateKey1024 generates a new decapsulation key, drawing random bytes from
		a DRBG. The decapsulation key must be kept secret.

	 func GenerateKey768() (*DecapsulationKey768, error)
		GenerateKey768 generates a new decapsulation key, drawing random bytes from
		a DRBG. The decapsulation key must be kept secret.

	 func GenerateKeyInternal1024(d, z *[32]byte) *DecapsulationKey1024
		GenerateKeyInternal1024 is a derandomized version of GenerateKey1024,
		exclusively for use in tests.

	 func GenerateKeyInternal768(d, z *[32]byte) *DecapsulationKey768
		GenerateKeyInternal768 is a derandomized version of GenerateKey768,
		exclusively for use in tests.

	 func NewDecapsulationKey1024(seed []byte) (*DecapsulationKey1024, error)
		NewDecapsulationKey1024 parses a decapsulation key from a 64-byte
		seed in the "d || z" form. The seed must be uniformly random.

	 func NewDecapsulationKey768(seed []byte) (*DecapsulationKey768, error)
		NewDecapsulationKey768 parses a decapsulation key from a 64-byte
		seed in the "d || z" form. The seed must be uniformly random.

	 func NewEncapsulationKey1024(encapsulationKey []byte) (*EncapsulationKey1024, error)
		NewEncapsulationKey1024 parses an encapsulation key from its encoded form.
		If the encapsulation key is not valid, NewEncapsulationKey1024 returns an error.

	 func NewEncapsulationKey768(encapsulationKey []byte) (*EncapsulationKey768, error)
		NewEncapsulationKey768 parses an encapsulation key from its encoded form.
		If the encapsulation key is not valid, NewEncapsulationKey768 returns an error.

	 func TestingOnlyExpandedBytes1024(dk *DecapsulationKey1024) []byte
		TestingOnlyExpandedBytes1024 returns the decapsulation key as a byte slice
		using the full expanded NIST encoding.
		
		This should only be used for ACVP testing. For all other purposes prefer
		the Bytes method that returns the (much smaller) seed.

	 func TestingOnlyExpandedBytes768(dk *DecapsulationKey768) []byte
		TestingOnlyExpandedBytes768 returns the decapsulation key as a byte slice
		using the full expanded NIST encoding.
		
		This should only be used for ACVP testing. For all other purposes prefer
		the Bytes method that returns the (much smaller) seed.

	 func TestingOnlyNewDecapsulationKey1024(b []byte) (*DecapsulationKey1024, error)
		TestingOnlyNewDecapsulationKey1024 parses a decapsulation key from its expanded NIST format.
		
		Bytes() must not be called on the returned key, as it will not produce the
		original seed.
		
		This function should only be used for ACVP testing. Prefer NewDecapsulationKey1024 for all
		other purposes.

	 func TestingOnlyNewDecapsulationKey768(b []byte) (*DecapsulationKey768, error)
		TestingOnlyNewDecapsulationKey768 parses a decapsulation key from its expanded NIST format.
		
		Bytes() must not be called on the returned key, as it will not produce the
		original seed.
		
		This function should only be used for ACVP testing. Prefer NewDecapsulationKey768 for all
		other purposes.

	/* 51 unexporteds ... *//* 51 unexporteds: */
	 func compress(x fieldElement, d uint8) uint16
		compress maps a field element uniformly to the range 0 to 2ᵈ-1, according to
		FIPS 203, Definition 4.7.

	 func decompress(y uint16, d uint8) fieldElement
		decompress maps a number x between 0 and 2ᵈ-1 uniformly to the full range of
		field elements, according to FIPS 203, Definition 4.8.

	 func fieldAdd(a, b fieldElement) fieldElement
	 func fieldAddMul(a, b, c, d fieldElement) fieldElement
		fieldAddMul returns a * b + c * d. This operation is fused to save a
		fieldReduceOnce and a fieldReduce.

	 func fieldCheckReduced(a uint16) (fieldElement, error)
		fieldCheckReduced checks that a value a is < q.

	 func fieldMul(a, b fieldElement) fieldElement
	 func fieldMulSub(a, b, c fieldElement) fieldElement
		fieldMulSub returns a * (b - c). This operation is fused to save a
		fieldReduceOnce after the subtraction.

	 func fieldReduce(a uint32) fieldElement
		fieldReduce reduces a value a < 2q² using Barrett reduction, to avoid
		potentially variable-time division.

	 func fieldReduceOnce(a uint16) fieldElement
		fieldReduceOnce reduces a value a < 2q.

	 func fieldSub(a, b fieldElement) fieldElement
	 func generateKey(dk *DecapsulationKey768) (*DecapsulationKey768, error)
	 func generateKey1024(dk *DecapsulationKey1024) (*DecapsulationKey1024, error)
	 func init()
	 func inverseNTT(f nttElement) ringElement
		inverseNTT maps a nttElement back to the ringElement it represents.
		
		It implements NTT⁻¹, according to FIPS 203, Algorithm 10.

	 func kemDecaps(dk *DecapsulationKey768, c *[1088]byte) (K []byte)
		kemDecaps produces a shared key from a ciphertext.
		
		It implements ML-KEM.Decaps_internal according to FIPS 203, Algorithm 18.

	 func kemDecaps1024(dk *DecapsulationKey1024, c *[1568]byte) (K []byte)
		kemDecaps1024 produces a shared key from a ciphertext.
		
		It implements ML-KEM.Decaps_internal according to FIPS 203, Algorithm 18.

	 func kemEncaps(cc *[1088]byte, ek *EncapsulationKey768, m *[32]byte) (K, c []byte)
		kemEncaps generates a shared key and an associated ciphertext.
		
		It implements ML-KEM.Encaps_internal according to FIPS 203, Algorithm 17.

	 func kemEncaps1024(cc *[1568]byte, ek *EncapsulationKey1024, m *[32]byte) (K, c []byte)
		kemEncaps1024 generates a shared key and an associated ciphertext.
		
		It implements ML-KEM.Encaps_internal according to FIPS 203, Algorithm 17.

	 func kemKeyGen(dk *DecapsulationKey768, d, z *[32]byte)
		kemKeyGen generates a decapsulation key.
		
		It implements ML-KEM.KeyGen_internal according to FIPS 203, Algorithm 16, and
		K-PKE.KeyGen according to FIPS 203, Algorithm 13. The two are merged to save
		copies and allocations.

	 func kemKeyGen1024(dk *DecapsulationKey1024, d, z *[32]byte)
		kemKeyGen1024 generates a decapsulation key.
		
		It implements ML-KEM.KeyGen_internal according to FIPS 203, Algorithm 16, and
		K-PKE.KeyGen according to FIPS 203, Algorithm 13. The two are merged to save
		copies and allocations.

	 func kemPCT(dk *DecapsulationKey768) error
		kemPCT performs a Pairwise Consistency Test per FIPS 140-3 IG 10.3.A
		Additional Comment 1: "For key pairs generated for use with approved KEMs in
		FIPS 203, the PCT shall consist of applying the encapsulation key ek to
		encapsulate a shared secret K leading to ciphertext c, and then applying
		decapsulation key dk to retrieve the same shared secret K. The PCT passes if
		the two shared secret K values are equal. The PCT shall be performed either
		when keys are generated/imported, prior to the first exportation, or prior to
		the first operational use (if not exported before the first use)."

	 func kemPCT1024(dk *DecapsulationKey1024) error
		kemPCT1024 performs a Pairwise Consistency Test per FIPS 140-3 IG 10.3.A
		Additional Comment 1: "For key pairs generated for use with approved KEMs in
		FIPS 203, the PCT shall consist of applying the encapsulation key ek to
		encapsulate a shared secret K leading to ciphertext c, and then applying
		decapsulation key dk to retrieve the same shared secret K. The PCT passes if
		the two shared secret K values are equal. The PCT shall be performed either
		when keys are generated/imported, prior to the first exportation, or prior to
		the first operational use (if not exported before the first use)."

	 func newKeyFromSeed(dk *DecapsulationKey768, seed []byte) (*DecapsulationKey768, error)
	 func newKeyFromSeed1024(dk *DecapsulationKey1024, seed []byte) (*DecapsulationKey1024, error)
	 func ntt(f ringElement) nttElement
		ntt maps a ringElement to its nttElement representation.
		
		It implements NTT, according to FIPS 203, Algorithm 9.

	 func nttMul(f, g nttElement) nttElement
		nttMul multiplies two nttElements.
		
		It implements MultiplyNTTs, according to FIPS 203, Algorithm 11.

	 func parseEK(ek *EncapsulationKey768, ekPKE []byte) (*EncapsulationKey768, error)
		parseEK parses an encryption key from its encoded form.
		
		It implements the initial stages of K-PKE.Encrypt according to FIPS 203,
		Algorithm 14.

	 func parseEK1024(ek *EncapsulationKey1024, ekPKE []byte) (*EncapsulationKey1024, error)
		parseEK1024 parses an encryption key from its encoded form.
		
		It implements the initial stages of K-PKE.Encrypt according to FIPS 203,
		Algorithm 14.

	 func pkeDecrypt(dx *decryptionKey, c *[1088]byte) []byte
		pkeDecrypt decrypts a ciphertext.
		
		It implements K-PKE.Decrypt according to FIPS 203, Algorithm 15,
		although s is retained from kemKeyGen.

	 func pkeDecrypt1024(dx *decryptionKey1024, c *[1568]byte) []byte
		pkeDecrypt1024 decrypts a ciphertext.
		
		It implements K-PKE.Decrypt according to FIPS 203, Algorithm 15,
		although s is retained from kemKeyGen1024.

	 func pkeEncrypt(cc *[1088]byte, ex *encryptionKey, m *[32]byte, rnd []byte) []byte
		pkeEncrypt encrypt a plaintext message.
		
		It implements K-PKE.Encrypt according to FIPS 203, Algorithm 14, although the
		computation of t and AT is done in parseEK.

	 func pkeEncrypt1024(cc *[1568]byte, ex *encryptionKey1024, m *[32]byte, rnd []byte) []byte
		pkeEncrypt1024 encrypt a plaintext message.
		
		It implements K-PKE.Encrypt according to FIPS 203, Algorithm 14, although the
		computation of t and AT is done in parseEK1024.

	 func polyAdd[T](a, b T) (s T)

		Type Parameters:
			T: ~[256]fieldElement

		polyAdd adds two ringElements or nttElements.

	 func polyByteDecode[T](b []byte) (T, error)

		Type Parameters:
			T: ~[256]fieldElement

		polyByteDecode decodes the 384-byte encoding of a polynomial, checking that
		all the coefficients are properly reduced. This fulfills the "Modulus check"
		step of ML-KEM Encapsulation.
		
		It implements ByteDecode₁₂, according to FIPS 203, Algorithm 6.

	 func polyByteEncode[T](b []byte, f T) []byte

		Type Parameters:
			T: ~[256]fieldElement

		polyByteEncode appends the 384-byte encoding of f to b.
		
		It implements ByteEncode₁₂, according to FIPS 203, Algorithm 5.

	 func polySub[T](a, b T) (s T)

		Type Parameters:
			T: ~[256]fieldElement

		polySub subtracts two ringElements or nttElements.

	 func ringCompressAndEncode(s []byte, f ringElement, d uint8) []byte
		ringCompressAndEncode appends an encoding of a ring element to s,
		compressing each coefficient to d bits.
		
		It implements Compress, according to FIPS 203, Definition 4.7,
		followed by ByteEncode, according to FIPS 203, Algorithm 5.

	 func ringCompressAndEncode1(s []byte, f ringElement) []byte
		ringCompressAndEncode1 appends a 32-byte encoding of a ring element to s,
		compressing one coefficients per bit.
		
		It implements Compress₁, according to FIPS 203, Definition 4.7,
		followed by ByteEncode₁, according to FIPS 203, Algorithm 5.

	 func ringCompressAndEncode10(s []byte, f ringElement) []byte
		ringCompressAndEncode10 appends a 320-byte encoding of a ring element to s,
		compressing four coefficients per five bytes.
		
		It implements Compress₁₀, according to FIPS 203, Definition 4.7,
		followed by ByteEncode₁₀, according to FIPS 203, Algorithm 5.

	 func ringCompressAndEncode11(s []byte, f ringElement) []byte
		ringCompressAndEncode11 appends a 352-byte encoding of a ring element to s,
		compressing eight coefficients per eleven bytes.
		
		It implements Compress₁₁, according to FIPS 203, Definition 4.7,
		followed by ByteEncode₁₁, according to FIPS 203, Algorithm 5.

	 func ringCompressAndEncode4(s []byte, f ringElement) []byte
		ringCompressAndEncode4 appends a 128-byte encoding of a ring element to s,
		compressing two coefficients per byte.
		
		It implements Compress₄, according to FIPS 203, Definition 4.7,
		followed by ByteEncode₄, according to FIPS 203, Algorithm 5.

	 func ringCompressAndEncode5(s []byte, f ringElement) []byte
		ringCompressAndEncode5 appends a 160-byte encoding of a ring element to s,
		compressing eight coefficients per five bytes.
		
		It implements Compress₅, according to FIPS 203, Definition 4.7,
		followed by ByteEncode₅, according to FIPS 203, Algorithm 5.

	 func ringDecodeAndDecompress(b []byte, d uint8) ringElement
		ringDecodeAndDecompress decodes an encoding of a ring element where
		each d bits are mapped to an equidistant distribution.
		
		It implements ByteDecode, according to FIPS 203, Algorithm 6,
		followed by Decompress, according to FIPS 203, Definition 4.8.

	 func ringDecodeAndDecompress1(b *[32]byte) ringElement
		ringDecodeAndDecompress1 decodes a 32-byte slice to a ring element where each
		bit is mapped to 0 or ⌈q/2⌋.
		
		It implements ByteDecode₁, according to FIPS 203, Algorithm 6,
		followed by Decompress₁, according to FIPS 203, Definition 4.8.

	 func ringDecodeAndDecompress10(bb *[320]byte) ringElement
		ringDecodeAndDecompress10 decodes a 320-byte encoding of a ring element where
		each ten bits are mapped to an equidistant distribution.
		
		It implements ByteDecode₁₀, according to FIPS 203, Algorithm 6,
		followed by Decompress₁₀, according to FIPS 203, Definition 4.8.

	 func ringDecodeAndDecompress11(bb *[352]byte) ringElement
		ringDecodeAndDecompress11 decodes a 352-byte encoding of a ring element where
		each eleven bits are mapped to an equidistant distribution.
		
		It implements ByteDecode₁₁, according to FIPS 203, Algorithm 6,
		followed by Decompress₁₁, according to FIPS 203, Definition 4.8.

	 func ringDecodeAndDecompress4(b *[128]byte) ringElement
		ringDecodeAndDecompress4 decodes a 128-byte encoding of a ring element where
		each four bits are mapped to an equidistant distribution.
		
		It implements ByteDecode₄, according to FIPS 203, Algorithm 6,
		followed by Decompress₄, according to FIPS 203, Definition 4.8.

	 func ringDecodeAndDecompress5(bb *[160]byte) ringElement
		ringDecodeAndDecompress5 decodes a 160-byte encoding of a ring element where
		each five bits are mapped to an equidistant distribution.
		
		It implements ByteDecode₅, according to FIPS 203, Algorithm 6,
		followed by Decompress₅, according to FIPS 203, Definition 4.8.

	 func sampleNTT(rho []byte, ii, jj byte) nttElement
		sampleNTT draws a uniformly random nttElement from a stream of uniformly
		random bytes generated by the XOF function, according to FIPS 203,
		Algorithm 7.

	 func samplePolyCBD(s []byte, b byte) ringElement
		samplePolyCBD draws a ringElement from the special Dη distribution given a
		stream of random bytes generated by the PRF function, according to FIPS 203,
		Algorithm 8 and Definition 4.3.

	 func sliceForAppend(in []byte, n int) (head, tail []byte)
		sliceForAppend takes a slice and a requested number of bytes. It returns a
		slice with the contents of the given slice followed by that many bytes and a
		second slice that aliases into it and contains only the extra bytes. If the
		original slice has sufficient capacity then no allocation is performed.


Package-Level Variables (total 2, neither is exported)

	/* 2 unexporteds ... *//* 2 unexporteds: */
	  var gammas [128]fieldElement
		gammas are the values ζ^2BitRev7(i)+1 mod q for each index i, according to
		FIPS 203, Appendix A (with negative values reduced to positive).

	  var zetas [128]fieldElement
		zetas are the values ζ^BitRev7(k) mod q for each index k, according to FIPS
		203, Appendix A.


Package-Level Constants (total 21, in which 6 are exported)

	const CiphertextSize1024 = 1568
		ML-KEM-1024 parameters.

	const CiphertextSize768 = 1088
		ML-KEM-768 parameters.

	const EncapsulationKeySize1024 = 1568
		ML-KEM-1024 parameters.

	const EncapsulationKeySize768 = 1184
		ML-KEM-768 parameters.

	const SeedSize = 64
	const SharedKeySize = 32
	/* 15 unexporteds ... *//* 15 unexporteds: */
	const barrettMultiplier = 5039 // 2¹² * 2¹² / q
	const barrettShift = 24 // log₂(2¹² * 2¹²)
	const decapsulationKeySize1024 = 3168
		ML-KEM-1024 parameters.

	const decapsulationKeySize768 = 2400
		ML-KEM-768 parameters.

	const encodingSize1 = 32
	const encodingSize10 = 320
	const encodingSize11 = 352
	const encodingSize12 = 384
		encodingSizeX is the byte size of a ringElement or nttElement encoded
		by ByteEncode_X (FIPS 203, Algorithm 5).

	const encodingSize4 = 128
	const encodingSize5 = 160
	const k = 3
		ML-KEM-768 parameters.

	const k1024 = 4
		ML-KEM-1024 parameters.

	const messageSize = 32
	const n = 256
		ML-KEM global constants.

	const q = 3329

The pages are generated with Golds v0.7.6. (GOOS=linux GOARCH=amd64)