added support for external-mu

dghgit · dghgit · commit 1503a6ce95e0 · 2025-03-21T13:59:39.000+11:00
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/HashMLDSASigner.java b/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/HashMLDSASigner.java
@@ -119,8 +119,9 @@ public byte[] generateSignature() throws CryptoException, DataLengthException
         {
             random.nextBytes(rnd);
         }
+        byte[] mu = engine.generateMu(msgDigest);
 
-        return engine.generateSignature(msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
+        return engine.generateSignature(mu, msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
     }
 
     public boolean verifySignature(byte[] signature)
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAEngine.java
@@ -388,15 +388,20 @@ byte[] signInternal(byte[] msg, int msglen, byte[] rho, byte[] key, byte[] t0Enc
 
         shake256.update(msg, 0, msglen);
 
-        return generateSignature(shake256, rho, key, t0Enc, s1Enc, s2Enc, rnd);
+        return generateSignature(generateMu(shake256), shake256, rho, key, t0Enc, s1Enc, s2Enc, rnd);
     }
 
-    byte[] generateSignature(SHAKEDigest shake256Digest, byte[] rho, byte[] key, byte[] t0Enc, byte[] s1Enc, byte[] s2Enc, byte[] rnd)
+    byte[] generateMu(SHAKEDigest shake256Digest)
     {
         byte[] mu = new byte[CrhBytes];
 
         shake256Digest.doFinal(mu, 0, CrhBytes);
 
+        return mu;
+    }
+
+    byte[] generateSignature(byte[] mu, SHAKEDigest shake256Digest, byte[] rho, byte[] key, byte[] t0Enc, byte[] s1Enc, byte[] s2Enc, byte[] rnd)
+    {
         byte[] outSig = new byte[CryptoBytes];
         byte[] rhoPrime = new byte[CrhBytes];
         short nonce = 0;
@@ -491,7 +496,36 @@ byte[] generateSignature(SHAKEDigest shake256Digest, byte[] rho, byte[] key, byt
         return null;
     }
 
+    boolean verifyInternalMu(byte[] providedMu)
+    {
+        byte[] mu = new byte[CrhBytes];
+
+        shake256Digest.doFinal(mu, 0);
+
+        return Arrays.constantTimeAreEqual(mu, providedMu);
+    }
+
+    boolean verifyInternalMuSignature(byte[] mu, byte[] sig, int siglen, SHAKEDigest shake256Digest, byte[] rho, byte[] encT1)
+    {
+        byte[] buf = new byte[Math.max(CrhBytes + DilithiumK * DilithiumPolyW1PackedBytes, DilithiumCTilde)];
+
+        // Mu
+        System.arraycopy(mu, 0, buf, 0, mu.length);
+
+        return doVerifyInternal(buf, sig, siglen, shake256Digest, rho, encT1);
+    }
+
     boolean verifyInternal(byte[] sig, int siglen, SHAKEDigest shake256Digest, byte[] rho, byte[] encT1)
+    {
+        byte[] buf = new byte[Math.max(CrhBytes + DilithiumK * DilithiumPolyW1PackedBytes, DilithiumCTilde)];
+
+        // Mu
+        shake256Digest.doFinal(buf, 0);
+
+        return doVerifyInternal(buf, sig, siglen, shake256Digest, rho, encT1);
+    }
+
+    private boolean doVerifyInternal(byte[] buf, byte[] sig, int siglen, SHAKEDigest shake256Digest, byte[] rho, byte[] encT1)
     {
         if (siglen != CryptoBytes)
         {
@@ -511,11 +545,6 @@ boolean verifyInternal(byte[] sig, int siglen, SHAKEDigest shake256Digest, byte[
             return false;
         }
 
-        byte[] buf = new byte[Math.max(CrhBytes + DilithiumK * DilithiumPolyW1PackedBytes, DilithiumCTilde)];
-
-        // Mu
-        shake256Digest.doFinal(buf, 0);
-
         Poly cp = new Poly(this);
         PolyVecMatrix aMatrix = new PolyVecMatrix(this);
         PolyVecK t1 = new PolyVecK(this), w1 = new PolyVecK(this);
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSASigner.java b/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSASigner.java
@@ -93,6 +93,34 @@ public void update(byte[] in, int off, int len)
         msgDigest.update(in, off, len);
     }
 
+    public byte[] generateMu()
+        throws CryptoException, DataLengthException
+    {
+        byte[] mu = engine.generateMu(msgDigest);
+
+        reset();
+
+        return mu;
+    }
+
+    public byte[] generateMuSignature(byte[] mu)
+        throws CryptoException, DataLengthException
+    {
+        byte[] rnd = new byte[MLDSAEngine.RndBytes];
+        if (random != null)
+        {
+            random.nextBytes(rnd);
+        }
+
+        msgDigest.reset();
+
+        byte[] sig = engine.generateSignature(mu, msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
+
+        reset();
+
+        return sig;
+    }
+
     public byte[] generateSignature()
         throws CryptoException, DataLengthException
     {
@@ -102,13 +130,23 @@ public byte[] generateSignature()
             random.nextBytes(rnd);
         }
 
-        byte[] sig = engine.generateSignature(msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
+        byte[] mu = engine.generateMu(msgDigest);
+        byte[] sig = engine.generateSignature(mu, msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
 
         reset();
 
         return sig;
     }
 
+    public boolean verifyMu(byte[] mu)
+    {
+        boolean isTrue = engine.verifyInternalMu(mu);
+
+        reset();
+
+        return isTrue;
+    }
+
     public boolean verifySignature(byte[] signature)
     {
         boolean isTrue = engine.verifyInternal(signature, signature.length, msgDigest, pubKey.rho, pubKey.t1);
@@ -118,6 +156,17 @@ public boolean verifySignature(byte[] signature)
         return isTrue;
     }
 
+    public boolean verifyMuSignature(byte[] mu, byte[] signature)
+    {
+        msgDigest.reset();
+        
+        boolean isTrue = engine.verifyInternalMuSignature(mu, signature, signature.length, msgDigest, pubKey.rho, pubKey.t1);
+
+        reset();
+
+        return isTrue;
+    }
+
     public void reset()
     {
         msgDigest = engine.getShake256Digest();
diff --git a/prov/src/main/java/org/bouncycastle/jcajce/MLDSAProxyPrivateKey.java b/prov/src/main/java/org/bouncycastle/jcajce/MLDSAProxyPrivateKey.java
@@ -0,0 +1,73 @@
+package org.bouncycastle.jcajce;
+
+import java.security.PublicKey;
+
+import org.bouncycastle.jcajce.interfaces.MLDSAPrivateKey;
+import org.bouncycastle.jcajce.interfaces.MLDSAPublicKey;
+import org.bouncycastle.jcajce.spec.MLDSAParameterSpec;
+
+/**
+ * An ML-DSA private key wrapper which acts as a proxy to allow an ML-DSA public key
+ * to be passed in for external-mu calculation.
+ */
+public class MLDSAProxyPrivateKey
+    implements MLDSAPrivateKey
+{
+    private final MLDSAPublicKey publicKey;
+
+    public MLDSAProxyPrivateKey(PublicKey publicKey)
+    {
+        if (!(publicKey instanceof MLDSAPublicKey))
+        {
+            throw new IllegalArgumentException("public key must be an ML-DSA public key");
+        }
+        this.publicKey = (MLDSAPublicKey)publicKey;
+    }
+
+    public MLDSAPublicKey getPublicKey()
+    {
+        return publicKey;
+    }
+
+    @Override
+    public String getAlgorithm()
+    {
+        return publicKey.getAlgorithm();
+    }
+
+    @Override
+    public String getFormat()
+    {
+        return null;
+    }
+
+    @Override
+    public byte[] getEncoded()
+    {
+        return new byte[0];
+    }
+
+    @Override
+    public MLDSAParameterSpec getParameterSpec()
+    {
+        return publicKey.getParameterSpec();
+    }
+
+    @Override
+    public byte[] getPrivateData()
+    {
+        return new byte[0];
+    }
+
+    @Override
+    public byte[] getSeed()
+    {
+        return new byte[0];
+    }
+
+    @Override
+    public MLDSAPrivateKey getPrivateKey(boolean preferSeedOnly)
+    {
+        return null;
+    }
+}
diff --git a/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/MLDSA.java b/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/MLDSA.java
@@ -49,6 +49,12 @@ public void configure(ConfigurableProvider provider)
             addSignatureAlgorithm(provider, "ML-DSA-87", PREFIX + "SignatureSpi$MLDSA87", NISTObjectIdentifiers.id_ml_dsa_87);
             provider.addAlgorithm("Alg.Alias.Signature.MLDSA", "ML-DSA");
 
+            addSignatureAlgorithm(provider, "ML-DSA-CALCULATE-MU", PREFIX + "SignatureSpi$MLDSACalcMu", (ASN1ObjectIdentifier)null);
+            provider.addAlgorithm("Alg.Alias.Signature.MLDSA-CALCULATE-MU", "ML-DSA-CALCULATE-MU");
+
+            addSignatureAlgorithm(provider, "ML-DSA-EXTERNAL-MU", PREFIX + "SignatureSpi$MLDSAExtMu", (ASN1ObjectIdentifier)null);
+            provider.addAlgorithm("Alg.Alias.Signature.MLDSA-EXTERNAL-MU", "ML-DSA-EXTERNAL-MU");
+
             addSignatureAlgorithm(provider, "HASH-ML-DSA", PREFIX + "HashSignatureSpi$MLDSA", (ASN1ObjectIdentifier)null);
             addSignatureAlgorithm(provider, "ML-DSA-44-WITH-SHA512", PREFIX + "HashSignatureSpi$MLDSA44", NISTObjectIdentifiers.id_hash_ml_dsa_44_with_sha512);
             addSignatureAlgorithm(provider, "ML-DSA-65-WITH-SHA512", PREFIX + "HashSignatureSpi$MLDSA65", NISTObjectIdentifiers.id_hash_ml_dsa_65_with_sha512);
diff --git a/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/mldsa/SignatureSpi.java b/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/mldsa/SignatureSpi.java
diff --git a/prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/MLDSATest.java b/prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/MLDSATest.java

Original file line number	Diff line number	Diff line change
`@@ -119,8 +119,9 @@ public byte[] generateSignature() throws CryptoException, DataLengthException`
`119`	`119`	`{`
`120`	`120`	`random.nextBytes(rnd);`
`121`	`121`	`}`
	`122`	`+ byte[] mu = engine.generateMu(msgDigest);`
`122`	`123`
`123`		`- return engine.generateSignature(msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);`
	`124`	`+ return engine.generateSignature(mu, msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);`
`124`	`125`	`}`
`125`	`126`
`126`	`127`	`public boolean verifySignature(byte[] signature)`