MicrosoftDocs
diff --git a/‎sdk-api-src/content/bcrypt/nf-bcrypt-bcryptdecapsulate.md‎
Lines changed: 134 additions & 0 deletions b/‎sdk-api-src/content/bcrypt/nf-bcrypt-bcryptdecapsulate.md‎
Lines changed: 134 additions & 0 deletions
diff --git a/‎sdk-api-src/content/bcrypt/nf-bcrypt-bcryptencapsulate.md‎
Lines changed: 131 additions & 0 deletions b/‎sdk-api-src/content/bcrypt/nf-bcrypt-bcryptencapsulate.md‎
Lines changed: 131 additions & 0 deletions
@@ -0,0 +1,134 @@
+---
+UID: NF:bcrypt.BCryptDecapsulate
+title: BCryptDecapsulate function (bcrypt.h)
+description: Performs the Decapsulation operation of a KEM algorithm, decrypting a ciphertext and returning the shared secret key.
+helpviewer_keywords: ["BCryptDecapsulate","BCryptDecapsulate function [Security]","bcrypt/BCryptDecapsulate","security.bcryptdecapsulate", "BCrypt KEM"]
+old-location: security\bcryptdecapsulate.htm
+tech.root: security
+ms.assetid:
+ms.date: 5/22/2025
+ms.keywords: BCryptDecapsulate, BCryptDecapsulate function [Security], bcrypt/BCryptDecapsulate, security.bcryptdecapsulate, BCrypt KEM
+req.header: bcrypt.h
+req.include-header: 
+req.target-type: Windows
+req.target-min-winverclnt: Windows 11 24H2
+req.target-min-winversvr: Windows Server 2025
+req.kmdf-ver: 
+req.umdf-ver: 
+req.ddi-compliance: 
+req.unicode-ansi: 
+req.idl: 
+req.max-support: 
+req.namespace: 
+req.assembly: 
+req.type-library: 
+req.lib: Bcrypt.lib
+req.dll: Bcrypt.dll
+req.irql: 
+targetos: Windows
+req.typenames: 
+req.redist: 
+ms.custom: 24H2
+f1_keywords:
+ - BCryptDecapsulate
+ - bcrypt/BCryptDecapsulate
+dev_langs:
+ - c++
+topic_type:
+ - APIRef
+ - kbSyntax
+api_type:
+ - DllExport
+api_location:
+ - Bcrypt.dll
+api_name:
+ - BCryptDecapsulate
+---
+
+# BCryptDecapsulate function
+
+The **BCryptDecapsulate** function performs the Decapsulation operation of a Key Encapsulation Mechanism (KEM).
+It takes a KEM ciphertext and it decrypts with the provided private key, returning the shared secret key.
+
+If the ciphertext is correctly formatted but does not match the decapsulation key, this API will succeed but a random shared secret key will be generated.
+
+## Syntax
+
+```cpp
+NTSTATUS BCryptDecapsulate(
+  _In_  BCRYPT_KEY_HANDLE hKey,
+  _In_reads_bytes_(cbCipherText)
+        PUCHAR            pbCipherText,
+  _In_  ULONG             cbCipherText,
+  _Out_writes_bytes_to_opt_(cbSecretKey, *pcbSecretKey)
+        PUCHAR            pbSecretKey,
+  _In_  ULONG             cbSecretKey,
+  _Out_ ULONG             *pcbSecretKey,
+  _In_  ULONG             dwFlags
+);
+```
+
+## Parameters
+
+*hKey* `[in]`
+
+The handle of the key to use to decapsulate the KEM ciphertext. This must be the private (decapsulation) key which corresponds to the public (encapsulation) key used to produce the KEM ciphertext. The key handle is obtained from one of the keypair creation functions, such as [BCryptGenerateKeyPair](/windows/desktop/api/Bcrypt/nf-bcrypt-bcryptgeneratekeypair) or [BCryptImportKeyPair](/windows/desktop/api/Bcrypt/nf-bcrypt-bcryptimportkeypair).
+
+*pbCipherText* `[in]`
+
+A pointer to a buffer that contains the KEM ciphertext. The [BCryptEncapsulate](nf-bcrypt-bcryptencapsulate.md) function may be used to create a KEM ciphertext.
+
+*cbCipherText* `[in]`
+
+The size, in bytes, of the *pbCipherText* buffer.
+
+*pbSecretKey* `[out]`
+
+A pointer to a buffer that receives the shared secret key. See [remarks](#remarks) for more information.
+
+*cbSecretKey* `[in]`
+
+The size, in bytes, of the *pbSecretKey* buffer.
+
+*pcbSecretKey* `[out]`
+
+A pointer to a **ULONG** variable that the receives the number of bytes written to *pbSecretKey* buffer.
+
+If *pbSecretKey* is `NULL`, this receives the size, in bytes, required for the shared secret key.
+See [remarks](#remarks) for more information.
+
+*dwFlags* `[in]`
+
+Reserved, must be zero.
+
+## Return value
+
+Returns a status code that indicates the success or failure of the function.
+
+Possible return codes include, but are not limited to, the following.
+
+| Return Code | Description |
+|--|--|
+| `STATUS_SUCCESS` | The function was successful. |
+| `STATUS_INVALID_PARAMETER` | One or more required parameters (*hKey*, *pcbSecretKey*, *pbCipherText*) is `NULL`, or one of the parameters has an invalid value. |
+| `STATUS_INVALID_BUFFER_SIZE` | A buffer size (*cbSecretKey*, *cbCipherText*) does not match the expected size for the KEM parameters associated with the decapsulation key. |
+| `STATUS_BUFFER_TOO_SMALL` | An output buffer size (*cbSecretKey*) is too small for the result decapsulation operation for the KEM parameters associated with the decapsulation key. *pcbSecretKey* receives the number of bytes required for *pbSecretKey*. |
+
+## Remarks
+
+To query the required size of the *pbSecretKey* buffer needed for the KEM shared secret key, call **BCryptDecapsulate** with a `NULL` *pbSecretKey*. The required size will be returned in *pcbSecretKey*. This query is efficient and returns the size without performing the decapsulation.
+Equivalently, use [BCryptGetProperty](/windows/desktop/api/Bcrypt/nf-bcrypt-bcryptgetproperty) to query the **BCRYPT_KEM_SHARED_SECRET_LENGTH** property of the algorithm or key handle.
+For currently supported KEM algorithms (ML-KEM), the shared secret length is a constant size for a given algorithm.
+
+### Additional remarks
+
+Given an invalid, but correctly-sized, ciphertext, the ML-KEM decapsulation operation will *implicitly reject* the ciphertext by returning success in equal time to a valid decapsulation operation, with pseudo-random shared secret key output. This forces higher-level protocols to fail later when symmetric keys of peers don't match. So, decapsulate will only ever fail if there are programming errors (i.e. incorrect size, use of uninitialized *hKey*), or something fundamentally goes wrong with the environment (i.e. internal memory allocation fails, or and internal consistency test detects hardware error).
+
+## Requirements
+
+| Requirement | Value |
+| ---- | ---- |
+| **Minimum supported client** | **Windows 11 24H2:** Support for ML-KEM begins. [desktop apps only] |
+| **Minimum supported server** | **Windows Server 2025:** Support for ML-KEM begins. [desktop apps only] |
+| **Library** | `Bcrypt.lib` |
+| **DLL** | `Bcrypt.dll` |
@@ -0,0 +1,131 @@
+---
+UID: NF:bcrypt.BCryptEncapsulate
+title: BCryptEncapsulate function (bcrypt.h)
+description: Uses a key encapsulation mechanism (KEM) to generate a shared secret key and encrypt it to produce a KEM ciphertext.
+helpviewer_keywords: ["BCryptEncapsulate","BCryptEncapsulate function [Security]","bcrypt/BCryptEncapsulate","security.bcryptencapsulate", "BCrypt KEM"]
+old-location: security\bcryptencapsulate.htm
+tech.root: security
+ms.assetid:
+ms.date: 5/22/2025
+ms.keywords: BCryptEncapsulate, BCryptEncapsulate function [Security], bcrypt/BCryptEncapsulate, security.bcryptencapsulate, BCrypt KEM
+req.header: bcrypt.h
+req.include-header: 
+req.target-type: Windows
+req.target-min-winverclnt: Windows 11 24H2
+req.target-min-winversvr: Windows Server 2025
+req.kmdf-ver: 
+req.umdf-ver: 
+req.ddi-compliance: 
+req.unicode-ansi: 
+req.idl: 
+req.max-support: 
+req.namespace: 
+req.assembly: 
+req.type-library: 
+req.lib: Bcrypt.lib
+req.dll: Bcrypt.dll
+req.irql: 
+targetos: Windows
+req.typenames: 
+req.redist: 
+ms.custom: 24H2
+f1_keywords:
+ - BCryptEncapsulate
+ - bcrypt/BCryptEncapsulate
+dev_langs:
+ - c++
+topic_type:
+ - APIRef
+ - kbSyntax
+api_type:
+ - DllExport
+api_location:
+ - Bcrypt.dll
+api_name:
+ - BCryptEncapsulate
+---
+
+# BCryptEncapsulate function
+
+The **BCryptEncapsulate** function performs the Encapsulation operation of a Key Encapsulation Mechanism (KEM). It generates a shared secret key and encrypts it with the provided public key to produce a KEM ciphertext, returning both the shared secret key and the KEM ciphertext.
+
+## Syntax
+
+```cpp
+NTSTATUS BCryptEncapsulate(
+  _In_  BCRYPT_KEY_HANDLE hKey,
+  _Out_writes_bytes_to_opt_(cbSecretKey ,*pcbSecretKey)
+        PUCHAR            pbSecretKey,
+  _In_  ULONG             cbSecretKey,
+  _Out_ ULONG             *pcbSecretKey,
+  _Out_writes_bytes_to_opt_(cbCipherText ,*pcbCipherText)
+        PUCHAR            pbCipherText,
+  _In_  ULONG             cbCipherText,
+  _Out_ ULONG             *pcbCipherText,
+  _In_  ULONG             dwFlags
+);
+```
+
+## Parameters
+
+*hKey*`[in]`
+
+The handle of the key to use for the encapsulation operation. This key must contain a public (encapsulation) key, and the handle would typically be obtained by using [BCryptImportKeyPair](/en-us/windows/desktop/api/Bcrypt/nf-bcrypt-bcryptimportkeypair) with a [public key](/en-us/windows/desktop/SecGloss/p-gly) BLOB for the KEM algorithm. It is also possible to use a private key handle for the encapsulation operation, as KEM private key handles represent a key pair.
+
+*pbSecretKey*`[out]`
+
+A pointer to a buffer that receives the shared secret key. See remarks for more information.
+
+*cbSecretKey*`[in]`
+
+The size, in bytes, of the *pbSecretKey* buffer.
+
+*pcbSecretKey*`[out]`
+
+A pointer to a **ULONG** variable that the receives the number of bytes written to *pbSecretKey* buffer.
+
+If *pbSecretKey* is `NULL`, this receives the size, in bytes, required for the shared secret key. See remarks for more information.
+
+*pbCipherText*`[out]`
+
+A pointer to a buffer that receives the KEM ciphertext. See remarks for more information.
+
+*cbCipherText*`[in]`
+
+The size, in bytes, of the *pbCipherText* buffer.
+
+*pcbCipherText*`[out]`
+
+A pointer to a **ULONG** variable that the receives the number of bytes written to *pbCipherText* buffer.
+
+If *pbCipherText* is `NULL`, this receives the size, in bytes, required for the KEM ciphertext. See remarks for more information.
+
+*dwFlags*`[in]`
+
+Reserved, must be zero.
+
+## Return value
+
+Returns a status code that indicates the success or failure of the function.
+
+Possible return codes include, but are not limited to, the following.
+
+| Return Code | Description |
+| --- | --- |
+| `STATUS_SUCCESS` | The function was successful. |
+| `STATUS_INVALID_PARAMETER` | One or more required parameters (*hKey*, *pcbSecretKey*, *pcbCipherText*) is `NULL`, or one of the parameters has an invalid value. |
+| `STATUS_INVALID_BUFFER_SIZE` | A buffer size (*cbSecretKey*, *cbCipherText*) does not match the expected size for the KEM parameters associated with the encapsulation key. *pcbSecretKey* receives the number of bytes required for *pbSecretKey*, *pcbCipherText* receives the number of bytes required for *pbCipherText*. |
+| `STATUS_BUFFER_TOO_SMALL` | An output buffer size (*cbSecretKey*, *cbCipherText*) is too small for the result encapsulation operation for the KEM parameters associated with the encapsulation key. *pcbSecretKey* receives the number of bytes required for *pbSecretKey*, *pcbCipherText* receives the number of bytes required for *pbCipherText*. |
+
+## Remarks
+
+To query the required sizes of the *pbSecretKey* and *pbCipherText* buffers, callers may call **BCryptEncapsulate** with `NULL`*pbSecretKey* and *pbCipherText*. The required sizes will be returned in *pcbSecretKey* and *pcbCipherText*, respectively. This query is efficient and returns the size without performing the encapsulation. Equivalently, use [BCryptGetProperty](/en-us/windows/desktop/api/Bcrypt/nf-bcrypt-bcryptgetproperty) to query the **BCRYPT_KEM_SHARED_SECRET_LENGTH** property of the algorithm or key handle, and the **BCRYPT_KEM_CIPHERTEXT_LENGTH** property of the key handle. For currently supported KEM algorithms (ML-KEM), the shared secret length is a constant size for a given algorithm and the KEM ciphertext length is a constant size for a given parameter set.
+
+## Requirements
+
+| Requirement | Value |
+| --- | --- |
+| **Minimum supported client** | **Windows 11 24H2:** Support for ML-KEM begins. [desktop apps only] |
+| **Minimum supported server** | **Windows Server 2025:** Support for ML-KEM begins. [desktop apps only] |
+| **Library** | `Bcrypt.lib` |
+| **DLL** | `Bcrypt.dll` |