Derive keypair

CMakeLists.txt

@@ -109,6 +109,7 @@ else()
 endif()
 
 option(OQS_SPEED_USE_ARM_PMU "Use ARM Performance Monitor Unit during benchmarking" OFF)
+option(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR "Enable ability to derive KEM keypair from a seed" OFF)
 
 if(WIN32)
     set(CMAKE_GENERATOR_CC cl)

src/kem/kem.c

@@ -436,6 +436,16 @@ OQS_API OQS_STATUS OQS_KEM_keypair(const OQS_KEM *kem, uint8_t *public_key, uint
 	}
 }
 
+#if OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+OQS_API OQS_STATUS OQS_KEM_derive_keypair(const OQS_KEM *kem, const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key) {
+	if (kem == NULL) {
+		return OQS_ERROR;
+	} else {
+		return kem->derive_keypair(randomness, public_key, secret_key);
+	}
+}
+#endif
+
 OQS_API OQS_STATUS OQS_KEM_encaps(const OQS_KEM *kem, uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) {
 	if (kem == NULL) {
 		return OQS_ERROR;

src/kem/kem.h

@@ -156,6 +156,11 @@ typedef struct OQS_KEM {
 	size_t length_ciphertext;
 	/** The (maximum) length, in bytes, of shared secrets for this KEM. */
 	size_t length_shared_secret;
+#ifdef OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+	/** The length, in bytes, of cryptographically suitable randomness
+	 * required for key derivation */
+	size_t length_randomness;
+#endif
 
 	/**
 	 * Keypair generation algorithm.
@@ -170,6 +175,27 @@ typedef struct OQS_KEM {
 	 */
 	OQS_STATUS (*keypair)(uint8_t *public_key, uint8_t *secret_key);
 
+#if OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+	/**
+	 * Deterministic derivation of keypair
+	 *
+	 * Caller is responsible to ensure that the randomness consists of sufficient
+	 * high entropy material that is cryptographically suitable to derive a
+	 * secret key from. The length required can be determined from the
+	 * `length_randomness' member in this object or the per-scheme
+	 * compile-time macro `OQS_KEM_*_length_randomness'.
+	 * Caller is responsible for allocating sufficient memory for `public_key` and
+	 * `secret_key`, based on the `length_*` members in this object or the per-scheme
+	 * compile-time macros `OQS_KEM_*_length_*`.
+	 *
+	 * @param[in] randomness The randomness used to derive the keypair
+	 * @param[out] public_key The public key represented as a byte string
+	 * @param[out] secret_key The secret key represented as a byte string
+	 * @return OQS_SUCCESS or OQS_ERROR
+	 */
+	OQS_STATUS (*derive_keypair)(const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key);
+#endif
+
 	/**
 	 * Encapsulation algorithm.
 	 *
@@ -225,6 +251,28 @@ OQS_API OQS_KEM *OQS_KEM_new(const char *method_name);
  */
 OQS_API OQS_STATUS OQS_KEM_keypair(const OQS_KEM *kem, uint8_t *public_key, uint8_t *secret_key);
 
+#ifdef OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+/**
+ * Deterministic derivation of keypair
+ *
+ * Caller is responsible to ensure that the randomness consists of sufficient
+ * high entropy material that is cryptographically suitable to derive a
+ * secret key from. The length required can be determined from the
+ * `length_randomness' member in this object or the per-scheme
+ * compile-time macro `OQS_KEM_*_length_randomness'.
+ * Caller is responsible for allocating sufficient memory for `public_key` and
+ * `secret_key`, based on the `length_*` members in this object or the per-scheme
+ * compile-time macros `OQS_KEM_*_length_*`.
+ *
+ * @param[in] randomness The randomness used to derive the keypair
+ * @param[out] public_key The public key represented as a byte string
+ * @param[out] secret_key The secret key represented as a byte string
+ * @return OQS_SUCCESS or OQS_ERROR
+ */
+OQS_API OQS_STATUS OQS_KEM_derive_keypair(const OQS_KEM *kem, const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key);
+#endif
+
+
 /**
  * Encapsulation algorithm.
  *

src/kem/kyber/CMakeLists.txt

@@ -11,6 +11,9 @@ if(OQS_ENABLE_KEM_kyber_512)
     target_include_directories(kyber_512_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-kyber_kyber512_ref)
     target_include_directories(kyber_512_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_512_ref PUBLIC -DKYBER_K=2)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_512_ref PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_512_ref>)
 endif()
 
@@ -20,6 +23,9 @@ if(OQS_ENABLE_KEM_kyber_512_avx2)
     target_include_directories(kyber_512_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_512_avx2 PRIVATE  -mavx2  -mbmi2  -mpopcnt )
     target_compile_options(kyber_512_avx2 PUBLIC -DKYBER_K=2)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_512_avx2 PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_512_avx2>)
 endif()
 
@@ -30,6 +36,9 @@ if(OQS_ENABLE_KEM_kyber_512_aarch64)
     if (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
         target_compile_definitions(kyber_512_aarch64 PRIVATE old_gas_syntax)
     endif()
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_512_aarch64 PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_512_aarch64>)
 endif()
 
@@ -39,6 +48,9 @@ if(OQS_ENABLE_KEM_kyber_768)
     target_include_directories(kyber_768_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-kyber_kyber768_ref)
     target_include_directories(kyber_768_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_768_ref PUBLIC -DKYBER_K=3)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_768_ref PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_768_ref>)
 endif()
 
@@ -48,6 +60,9 @@ if(OQS_ENABLE_KEM_kyber_768_avx2)
     target_include_directories(kyber_768_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_768_avx2 PRIVATE  -mavx2  -mbmi2  -mpopcnt )
     target_compile_options(kyber_768_avx2 PUBLIC -DKYBER_K=3)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_768_avx2 PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_768_avx2>)
 endif()
 
@@ -58,6 +73,9 @@ if(OQS_ENABLE_KEM_kyber_768_aarch64)
     if (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
         target_compile_definitions(kyber_768_aarch64 PRIVATE old_gas_syntax)
     endif()
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_768_aarch64 PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_768_aarch64>)
 endif()
 
@@ -67,6 +85,9 @@ if(OQS_ENABLE_KEM_kyber_1024)
     target_include_directories(kyber_1024_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-kyber_kyber1024_ref)
     target_include_directories(kyber_1024_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_1024_ref PUBLIC -DKYBER_K=4)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_1024_ref PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_1024_ref>)
 endif()
 
@@ -76,6 +97,9 @@ if(OQS_ENABLE_KEM_kyber_1024_avx2)
     target_include_directories(kyber_1024_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_1024_avx2 PRIVATE  -mavx2  -mbmi2  -mpopcnt )
     target_compile_options(kyber_1024_avx2 PUBLIC -DKYBER_K=4)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_1024_avx2 PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_1024_avx2>)
 endif()
 
@@ -86,6 +110,9 @@ if(OQS_ENABLE_KEM_kyber_1024_aarch64)
     if (CMAKE_SYSTEM_NAME STREQUAL "Darwin")
         target_compile_definitions(kyber_1024_aarch64 PRIVATE old_gas_syntax)
     endif()
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_1024_aarch64 PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_1024_aarch64>)
 endif()
 
@@ -95,6 +122,9 @@ if(OQS_ENABLE_KEM_kyber_512_90s)
     target_include_directories(kyber_512_90s_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-kyber_kyber512-90s_ref)
     target_include_directories(kyber_512_90s_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_512_90s_ref PUBLIC -DKYBER_K=2 -DKYBER_90S)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_512_90s_ref PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_512_90s_ref>)
 endif()
 
@@ -104,6 +134,9 @@ if(OQS_ENABLE_KEM_kyber_512_90s_avx2)
     target_include_directories(kyber_512_90s_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_512_90s_avx2 PRIVATE  -maes  -mavx2  -mbmi2  -mpopcnt )
     target_compile_options(kyber_512_90s_avx2 PUBLIC -DKYBER_K=2 -DKYBER_90S)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_512_90s_avx2 PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_512_90s_avx2>)
 endif()
 
@@ -113,6 +146,9 @@ if(OQS_ENABLE_KEM_kyber_768_90s)
     target_include_directories(kyber_768_90s_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-kyber_kyber768-90s_ref)
     target_include_directories(kyber_768_90s_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_768_90s_ref PUBLIC -DKYBER_K=3 -DKYBER_90S)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_768_90s_ref PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_768_90s_ref>)
 endif()
 
@@ -122,6 +158,9 @@ if(OQS_ENABLE_KEM_kyber_768_90s_avx2)
     target_include_directories(kyber_768_90s_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_768_90s_avx2 PRIVATE  -maes  -mavx2  -mbmi2  -mpopcnt )
     target_compile_options(kyber_768_90s_avx2 PUBLIC -DKYBER_K=3 -DKYBER_90S)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_768_90s_avx2 PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_768_90s_avx2>)
 endif()
 
@@ -131,6 +170,9 @@ if(OQS_ENABLE_KEM_kyber_1024_90s)
     target_include_directories(kyber_1024_90s_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-kyber_kyber1024-90s_ref)
     target_include_directories(kyber_1024_90s_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_1024_90s_ref PUBLIC -DKYBER_K=4 -DKYBER_90S)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_1024_90s_ref PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_1024_90s_ref>)
 endif()
 
@@ -140,6 +182,9 @@ if(OQS_ENABLE_KEM_kyber_1024_90s_avx2)
     target_include_directories(kyber_1024_90s_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(kyber_1024_90s_avx2 PRIVATE  -maes  -mavx2  -mbmi2  -mpopcnt )
     target_compile_options(kyber_1024_90s_avx2 PUBLIC -DKYBER_K=4 -DKYBER_90S)
+    if(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+        target_compile_options(kyber_1024_90s_avx2 PUBLIC -DOQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+    endif()
     set(_KYBER_OBJS ${_KYBER_OBJS} $<TARGET_OBJECTS:kyber_1024_90s_avx2>)
 endif()
 

src/kem/kyber/kem_kyber.h

@@ -14,6 +14,10 @@ OQS_KEM *OQS_KEM_kyber_512_new(void);
 OQS_API OQS_STATUS OQS_KEM_kyber_512_keypair(uint8_t *public_key, uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_512_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_512_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key);
+#ifdef OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+#define OQS_KEM_kyber_512_length_randomness 64
+OQS_API OQS_STATUS OQS_KEM_kyber_512_derive_keypair(const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key);
+#endif
 #endif
 
 #ifdef OQS_ENABLE_KEM_kyber_768
@@ -25,6 +29,10 @@ OQS_KEM *OQS_KEM_kyber_768_new(void);
 OQS_API OQS_STATUS OQS_KEM_kyber_768_keypair(uint8_t *public_key, uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_768_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_768_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key);
+#ifdef OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+#define OQS_KEM_kyber_768_length_randomness 64
+OQS_API OQS_STATUS OQS_KEM_kyber_768_derive_keypair(const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key);
+#endif
 #endif
 
 #ifdef OQS_ENABLE_KEM_kyber_1024
@@ -36,6 +44,10 @@ OQS_KEM *OQS_KEM_kyber_1024_new(void);
 OQS_API OQS_STATUS OQS_KEM_kyber_1024_keypair(uint8_t *public_key, uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_1024_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_1024_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key);
+#ifdef OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+#define OQS_KEM_kyber_1024_length_randomness 64
+OQS_API OQS_STATUS OQS_KEM_kyber_1024_derive_keypair(const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key);
+#endif
 #endif
 
 #ifdef OQS_ENABLE_KEM_kyber_512_90s
@@ -47,6 +59,10 @@ OQS_KEM *OQS_KEM_kyber_512_90s_new(void);
 OQS_API OQS_STATUS OQS_KEM_kyber_512_90s_keypair(uint8_t *public_key, uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_512_90s_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_512_90s_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key);
+#ifdef OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+#define OQS_KEM_kyber_512_90s_length_randomness 64
+OQS_API OQS_STATUS OQS_KEM_kyber_512_90s_derive_keypair(const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key);
+#endif
 #endif
 
 #ifdef OQS_ENABLE_KEM_kyber_768_90s
@@ -58,6 +74,10 @@ OQS_KEM *OQS_KEM_kyber_768_90s_new(void);
 OQS_API OQS_STATUS OQS_KEM_kyber_768_90s_keypair(uint8_t *public_key, uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_768_90s_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_768_90s_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key);
+#ifdef OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+#define OQS_KEM_kyber_768_90s_length_randomness 64
+OQS_API OQS_STATUS OQS_KEM_kyber_768_90s_derive_keypair(const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key);
+#endif
 #endif
 
 #ifdef OQS_ENABLE_KEM_kyber_1024_90s
@@ -69,6 +89,10 @@ OQS_KEM *OQS_KEM_kyber_1024_90s_new(void);
 OQS_API OQS_STATUS OQS_KEM_kyber_1024_90s_keypair(uint8_t *public_key, uint8_t *secret_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_1024_90s_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key);
 OQS_API OQS_STATUS OQS_KEM_kyber_1024_90s_decaps(uint8_t *shared_secret, const uint8_t *ciphertext, const uint8_t *secret_key);
+#ifdef OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR
+#define OQS_KEM_kyber_1024_90s_length_randomness 64
+OQS_API OQS_STATUS OQS_KEM_kyber_1024_90s_derive_keypair(const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key);
+#endif
 #endif
 
 #endif

src/kem/kyber/kem_kyber_1024.c

@@ -27,23 +27,37 @@ OQS_KEM *OQS_KEM_kyber_1024_new(void) {
 	kem->encaps = OQS_KEM_kyber_1024_encaps;
 	kem->decaps = OQS_KEM_kyber_1024_decaps;
 
+#if defined(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+	kem->length_randomness = OQS_KEM_kyber_1024_length_randomness;
+	kem->derive_keypair = OQS_KEM_kyber_1024_derive_keypair;
+#endif
+
 	return kem;
 }
 
 extern int pqcrystals_kyber1024_ref_keypair(uint8_t *pk, uint8_t *sk);
 extern int pqcrystals_kyber1024_ref_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 extern int pqcrystals_kyber1024_ref_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+#if defined(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+extern int pqcrystals_kyber1024_ref_derive_keypair(const uint8_t *randomness, uint8_t *pk, uint8_t *sk);
+#endif
 
 #if defined(OQS_ENABLE_KEM_kyber_1024_avx2)
 extern int pqcrystals_kyber1024_avx2_keypair(uint8_t *pk, uint8_t *sk);
 extern int pqcrystals_kyber1024_avx2_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 extern int pqcrystals_kyber1024_avx2_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+#if defined(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+extern int pqcrystals_kyber1024_avx2_derive_keypair(const uint8_t *randomness, uint8_t *pk, uint8_t *sk);
+#endif
 #endif
 
 #if defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
 extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
 extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
 extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+#if defined(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+extern int PQCLEAN_KYBER1024_AARCH64_crypto_kem_derive_keypair(const uint8_t *randomness, uint8_t *pk, uint8_t *sk);
+#endif
 #endif
 
 OQS_API OQS_STATUS OQS_KEM_kyber_1024_keypair(uint8_t *public_key, uint8_t *secret_key) {
@@ -72,6 +86,35 @@ OQS_API OQS_STATUS OQS_KEM_kyber_1024_keypair(uint8_t *public_key, uint8_t *secr
 #endif
 }
 
+#if defined(OQS_HAZARDOUS_ENABLE_DERIVE_KEYPAIR)
+OQS_API OQS_STATUS OQS_KEM_kyber_1024_derive_keypair(const uint8_t *randomness, uint8_t *public_key, uint8_t *secret_key) {
+#if defined(OQS_ENABLE_KEM_kyber_1024_avx2)
+#if defined(OQS_DIST_BUILD)
+	if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_BMI2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+		return (OQS_STATUS) pqcrystals_kyber1024_avx2_derive_keypair(randomness, public_key, secret_key);
+#if defined(OQS_DIST_BUILD)
+
+	} else {
+		return (OQS_STATUS) pqcrystals_kyber1024_ref_derive_keypair(randomness, public_key, secret_key);
+	}
+#endif /* OQS_DIST_BUILD */
+#elif defined(OQS_ENABLE_KEM_kyber_1024_aarch64)
+#if defined(OQS_DIST_BUILD)
+	if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
+#endif /* OQS_DIST_BUILD */
+		return (OQS_STATUS) PQCLEAN_KYBER1024_AARCH64_crypto_kem_derive_keypair(randomness, public_key, secret_key);
+#if defined(OQS_DIST_BUILD)
+	} else {
+		return (OQS_STATUS) pqcrystals_kyber1024_ref_derive_keypair(randomness, public_key, secret_key);
+	}
+#endif /* OQS_DIST_BUILD */
+#else
+	return (OQS_STATUS) pqcrystals_kyber1024_ref_derive_keypair(randomness, public_key, secret_key);
+#endif
+}
+#endif
+
 OQS_API OQS_STATUS OQS_KEM_kyber_1024_encaps(uint8_t *ciphertext, uint8_t *shared_secret, const uint8_t *public_key) {
 #if defined(OQS_ENABLE_KEM_kyber_1024_avx2)
 #if defined(OQS_DIST_BUILD)