Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumEngine.java

@@ -2,6 +2,7 @@
 
 import java.security.SecureRandom;
 
+import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.digests.SHAKEDigest;
 import org.bouncycastle.util.Arrays;
 
@@ -244,24 +245,28 @@ else if (this.DilithiumGamma1 == (1 << 19))
         }
     }
 
-    public byte[][] generateKeyPair()
+    //Internal functions are deterministic. No randomness is sampled inside them
+    public byte[][] generateKeyPairInternal(byte[] seed)
     {
-        byte[] seedBuf = new byte[SeedBytes];
         byte[] buf = new byte[2 * SeedBytes + CrhBytes];
         byte[] tr = new byte[TrBytes];
 
         byte[] rho = new byte[SeedBytes],
-            rhoPrime = new byte[CrhBytes],
-            key = new byte[SeedBytes];
+                rhoPrime = new byte[CrhBytes],
+                key = new byte[SeedBytes];
 
         PolyVecMatrix aMatrix = new PolyVecMatrix(this);
 
         PolyVecL s1 = new PolyVecL(this), s1hat;
         PolyVecK s2 = new PolyVecK(this), t1 = new PolyVecK(this), t0 = new PolyVecK(this);
 
-        random.nextBytes(seedBuf);
 
-        shake256Digest.update(seedBuf, 0, SeedBytes);
+
+        shake256Digest.update(seed, 0, SeedBytes);
+
+        //Domain separation
+        shake256Digest.update((byte)DilithiumK);
+        shake256Digest.update((byte)DilithiumL);
 
         shake256Digest.doFinal(buf, 0, 2 * SeedBytes + CrhBytes);
         // System.out.print("buf = ");
@@ -315,11 +320,11 @@ public byte[][] generateKeyPair()
         shake256Digest.doFinal(tr, 0, TrBytes);
 
         byte[][] sk = Packing.packSecretKey(rho, tr, key, t0, s1, s2, this);
-        
+
         return new byte[][]{ sk[0], sk[1], sk[2], sk[3], sk[4], sk[5], encT1};
     }
 
-    public byte[] signSignature(byte[] msg, int msglen, byte[] rho, byte[] key, byte[] tr, byte[] t0Enc, byte[] s1Enc, byte[] s2Enc)
+    public byte[] signSignatureInternal(byte[] msg, int msglen, byte[] rho, byte[] key, byte[] tr, byte[] t0Enc, byte[] s1Enc, byte[] s2Enc, byte[] rnd)
     {
         int n;
         byte[] outSig = new byte[CryptoBytes + msglen];
@@ -336,11 +341,7 @@ public byte[] signSignature(byte[] msg, int msglen, byte[] rho, byte[] key, byte
         this.shake256Digest.update(msg, 0, msglen);
         this.shake256Digest.doFinal(mu, 0, CrhBytes);
 
-        byte[] rnd = new byte[RndBytes];
-        if (random != null)
-        {
-            random.nextBytes(rnd);
-        }
+
 
         byte[] keyMu = Arrays.copyOf(key, SeedBytes + RndBytes + CrhBytes);
         System.arraycopy(rnd, 0, keyMu, SeedBytes, RndBytes);
@@ -424,17 +425,12 @@ public byte[] signSignature(byte[] msg, int msglen, byte[] rho, byte[] key, byte
         return null;
     }
 
-    public byte[] sign(byte[] msg, int mlen, byte[] rho, byte[] key, byte[] tr, byte[] t0, byte[] s1, byte[] s2)
-    {
-        return signSignature(msg, mlen, rho, key, tr, t0, s1, s2);
-    }
-
-    public boolean signVerify(byte[] sig, int siglen, byte[] msg, int msglen, byte[] rho, byte[] encT1)
+    public boolean signVerifyInternal(byte[] sig, int siglen, byte[] msg, int msglen, byte[] rho, byte[] encT1)
     {
         byte[] buf,
-            mu = new byte[CrhBytes],
-            c,
-            c2 = new byte[DilithiumCTilde];
+                mu = new byte[CrhBytes],
+                c,
+                c2 = new byte[DilithiumCTilde];
         Poly cp = new Poly(this);
         PolyVecMatrix aMatrix = new PolyVecMatrix(this);
         PolyVecL z = new PolyVecL(this);
@@ -540,8 +536,50 @@ public boolean signVerify(byte[] sig, int siglen, byte[] msg, int msglen, byte[]
         return Arrays.constantTimeAreEqual(c, c2);
     }
 
+
+
+    public byte[][] generateKeyPair()
+    {
+        byte[] seedBuf = new byte[SeedBytes];
+        random.nextBytes(seedBuf);
+        return generateKeyPairInternal(seedBuf);
+
+    }
+
+    public byte[] signSignature(byte[] msg, int msglen, byte[] rho, byte[] key, byte[] tr, byte[] t0Enc, byte[] s1Enc, byte[] s2Enc)
+    {
+        byte[] rnd = new byte[RndBytes];
+        if (random != null)
+        {
+            random.nextBytes(rnd);
+        }
+        return signSignatureInternal(msg, msglen, rho, key, tr, t0Enc, s1Enc, s2Enc, rnd);
+    }
+
+    public byte[] sign(byte[] msg, int mlen, byte[] rho, byte[] key, byte[] tr, byte[] t0, byte[] s1, byte[] s2)
+    {
+        return signSignature(msg, mlen, rho, key, tr, t0, s1, s2);
+    }
+
+    public boolean signVerify(byte[] sig, int siglen, byte[] msg, int msglen, byte[] rho, byte[] encT1)
+    {
+        //TODO: add domain separation
+        // M' <- BytesToBits( IntegerToBytes(0, 1) || IntegerToBytes(|ctx|, 1) || ctx ) || M
+        return signVerifyInternal(sig, siglen, msg, msglen, rho, encT1);
+    }
+
     public boolean signOpen(byte[] msg, byte[] signedMsg, int signedMsglen, byte[] rho, byte[] t1)
     {
+        //TODO: add domain separation
+        // M' <- BytesToBits( IntegerToBytes(0, 1) || IntegerToBytes(|ctx|, 1) || ctx ) || M
         return signVerify(signedMsg, signedMsglen, msg, msg.length, rho, t1);
     }
+
+    // HashML-DSA
+    //TODO: Generate a "pre-hash" ML-DSA signature
+//    public byte[] hashSign(byte[] sk, byte[] message, byte[] ctx, Digest ph) {}
+    //TODO: Verify a pre-hash HashML-DSA signature
+//    public boolean hashVerify(byte[] pk, byte[] message, byte[] sig) {}
+
+
 }

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumKeyPairGenerator.java

@@ -44,4 +44,17 @@ public AsymmetricCipherKeyPair generateKeyPair()
     {
         return genKeyPair();
     }
+    public AsymmetricCipherKeyPair internalGenerateKeyPair(byte[] seed)
+    {
+        DilithiumEngine engine = dilithiumParams.getEngine(random);
+
+        byte[][] keyPair = engine.generateKeyPairInternal(seed);
+        // System.out.println("pk gen = ");
+        // Helper.printByteArray(keyPair[0]);
+
+        DilithiumPublicKeyParameters pubKey = new DilithiumPublicKeyParameters(dilithiumParams, keyPair[0], keyPair[6]);
+        DilithiumPrivateKeyParameters privKey = new DilithiumPrivateKeyParameters(dilithiumParams, keyPair[0], keyPair[1], keyPair[2], keyPair[3], keyPair[4], keyPair[5], keyPair[6]);
+
+        return new AsymmetricCipherKeyPair(pubKey, privKey);
+    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumSigner.java

@@ -45,6 +45,12 @@ public byte[] generateSignature(byte[] message)
 
         return engine.sign(message, message.length, privKey.rho, privKey.k, privKey.tr, privKey.t0, privKey.s1, privKey.s2);
     }
+    public byte[] internalGenerateSignature(byte[] message, byte[] random)
+    {
+        DilithiumEngine engine = privKey.getParameters().getEngine(this.random);
+
+        return engine.signSignatureInternal(message, message.length, privKey.rho, privKey.k, privKey.tr, privKey.t0, privKey.s1, privKey.s2, random);
+    }
 
     public boolean verifySignature(byte[] message, byte[] signature)
     {

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberEngine.java

@@ -209,7 +209,6 @@ public byte[][] generateKemKeyPairInternal(byte[] d, byte[] z)
 
         symmetric.hash_h(hashedPublicKey, indCpaKeyPair[0], 0);
 
-
         byte[] outputPublicKey = new byte[KyberIndCpaPublicKeyBytes];
         System.arraycopy(indCpaKeyPair[0], 0, outputPublicKey, 0, KyberIndCpaPublicKeyBytes);
         return new byte[][]{ Arrays.copyOfRange(outputPublicKey, 0, outputPublicKey.length - 32), Arrays.copyOfRange(outputPublicKey, outputPublicKey.length - 32, outputPublicKey.length), s, hashedPublicKey, z };

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberIndCpa.java

@@ -55,11 +55,9 @@ byte[][] generateKeyPair(byte[] d)
         // (p, sigma) <- G(d || k)
 
         byte[] buf = new byte[64];
-        //TODO: specs specifies K to be concatenated to with d but acvp tests says otherwise
-        symmetric.hash_g(buf, d);
-//        byte[] k = new byte[1];
-//        k[0] = (byte)kyberK;
-//        symmetric.hash_g(buf, Arrays.concatenate(d, k));
+        byte[] k = new byte[1];
+        k[0] = (byte)kyberK;
+        symmetric.hash_g(buf, Arrays.concatenate(d, k));
 
         byte[] publicSeed = new byte[32]; // p in docs
         byte[] noiseSeed = new byte[32]; // sigma in docs