updated Kyber private key encoding.

Author: dghgit

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberEngine.java

@@ -3,19 +3,10 @@
 import java.security.SecureRandom;
 import java.util.Arrays;
 
-import org.bouncycastle.crypto.digests.SHA3Digest;
-import org.bouncycastle.crypto.digests.SHAKEDigest;
-
-
 class KyberEngine
 {
-
     private SecureRandom random;
     private KyberIndCpa indCpa;
-    private SHA3Digest sha3Digest256 = new SHA3Digest(256);
-    private SHA3Digest sha3Digest512 = new SHA3Digest(512);
-    private SHAKEDigest shakeDigest = new SHAKEDigest(256);
-
 
     // constant parameters
     public final static int KyberN = 256;
@@ -195,15 +186,6 @@ public KyberEngine(int k, boolean usingAes)
         }
 
         this.indCpa = new KyberIndCpa(this);
-
-
-
-        // Testing Random
-        // byte[] b = new byte[48];
-
-        // random.nextBytes(b);
-
-        // Helper.printByteArray(b);
     }
 
     public void init(SecureRandom random)
@@ -215,24 +197,20 @@ public byte[][] generateKemKeyPair()
     {
         byte[][] indCpaKeyPair = indCpa.generateKeyPair();
 
-        byte[] secretKey = new byte[KyberSecretKeyBytes];
+        byte[] s = new byte[KyberIndCpaSecretKeyBytes];
 
-        System.arraycopy(indCpaKeyPair[1], 0, secretKey, 0, KyberIndCpaSecretKeyBytes);
-        System.arraycopy(indCpaKeyPair[0], 0, secretKey, KyberIndCpaSecretKeyBytes, KyberIndCpaPublicKeyBytes);
+        System.arraycopy(indCpaKeyPair[1], 0, s, 0, KyberIndCpaSecretKeyBytes);
 
         byte[] hashedPublicKey = new byte[32];
 
         symmetric.hash_h(hashedPublicKey, indCpaKeyPair[0], 0);
 
-        System.arraycopy(hashedPublicKey, 0, secretKey, KyberSecretKeyBytes - 2 * KyberSymBytes, KyberSymBytes);
-
         byte[] z = new byte[KyberSymBytes];
         random.nextBytes(z);
-        System.arraycopy(z, 0, secretKey, KyberSecretKeyBytes - KyberSymBytes, KyberSymBytes);
 
         byte[] outputPublicKey = new byte[KyberIndCpaPublicKeyBytes];
         System.arraycopy(indCpaKeyPair[0], 0, outputPublicKey, 0, KyberIndCpaPublicKeyBytes);
-        return new byte[][]{outputPublicKey, secretKey};
+        return new byte[][]{ Arrays.copyOfRange(outputPublicKey, 0, outputPublicKey.length - 32), Arrays.copyOfRange(outputPublicKey, outputPublicKey.length - 32, outputPublicKey.length), s, hashedPublicKey, z };
     }
 
     public byte[][] kemEncrypt(byte[] publicKeyInput)
@@ -278,7 +256,6 @@ public byte[] kemDecrypt(byte[] cipherText, byte[] secretKey)
         byte[] buf = new byte[2 * KyberSymBytes],
             kr = new byte[2 * KyberSymBytes];
 
-        int i;
         byte[] publicKey = Arrays.copyOfRange(secretKey, KyberIndCpaSecretKeyBytes, secretKey.length);
 
         System.arraycopy(indCpa.decrypt(cipherText, secretKey), 0, buf, 0, KyberSymBytes);
@@ -320,5 +297,4 @@ public void getRandomBytes(byte[] buf)
     {
         this.random.nextBytes(buf);
     }
-
 }

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberKEMExtractor.java

@@ -26,7 +26,7 @@ private void initCipher(AsymmetricKeyParameter recipientKey)
     public byte[] extractSecret(byte[] encapsulation)
     {
         // Decryption
-        byte[] sharedSecret = engine.kemDecrypt(encapsulation, key.privateKey);
+        byte[] sharedSecret = engine.kemDecrypt(encapsulation, key.getPrivateKey());
         return sharedSecret;
     }
 

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberKeyPairGenerator.java

@@ -29,8 +29,8 @@ private AsymmetricCipherKeyPair genKeyPair()
 
         byte[][] keyPair = engine.generateKemKeyPair();
 
-        KyberPublicKeyParameters pubKey = new KyberPublicKeyParameters(kyberParams, keyPair[0]);
-        KyberPrivateKeyParameters privKey = new KyberPrivateKeyParameters(kyberParams, keyPair[1],  keyPair[0]);
+        KyberPublicKeyParameters pubKey = new KyberPublicKeyParameters(kyberParams, keyPair[0], keyPair[1]);
+        KyberPrivateKeyParameters privKey = new KyberPrivateKeyParameters(kyberParams,  keyPair[2], keyPair[3], keyPair[4], keyPair[0], keyPair[1]);
 
         return new AsymmetricCipherKeyPair(pubKey, privKey);
     }

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberPrivateKeyParameters.java

@@ -5,28 +5,59 @@
 public class KyberPrivateKeyParameters
     extends KyberKeyParameters
 {
-    final byte[] privateKey;
-    final byte[] publicKey;
+    final byte[] s;
+    final byte[] hpk;
+    final byte[] nonce;
+    final byte[] t;
+    final byte[] rho;
 
-    public KyberPrivateKeyParameters(KyberParameters params, byte[] privateKey, byte[] publicKey)
+    public KyberPrivateKeyParameters(KyberParameters params, byte[] s, byte[] hpk, byte[] nonce, byte[] t, byte[] rho)
     {
         super(true, params);
-        this.privateKey = Arrays.clone(privateKey);
-        this.publicKey = publicKey;
+        this.s = Arrays.clone(s);
+        this.hpk = Arrays.clone(hpk);
+        this.nonce = Arrays.clone(nonce);
+        this.t = Arrays.clone(t);
+        this.rho = Arrays.clone(rho);
+    }
+
+    public byte[] getT()
+    {
+        return Arrays.clone(t);
+    }
+
+    public byte[] getRho()
+    {
+        return Arrays.clone(rho);
     }
 
     public byte[] getPrivateKey()
     {
-        return Arrays.clone(privateKey);
+        return Arrays.concatenate(s, getPublicKey(), hpk, nonce);
     }
 
     public byte[] getEncoded()
     {
-        return Arrays.clone(privateKey);
+        return getPrivateKey();
     }
 
     public byte[] getPublicKey()
     {
-        return Arrays.clone(publicKey);
+        return Arrays.concatenate(t, rho);
+    }
+
+    public byte[] getS()
+    {
+        return Arrays.clone(s);
+    }
+
+    public byte[] getHPK()
+    {
+        return Arrays.clone(hpk);
+    }
+
+    public byte[] getNonce()
+    {
+        return Arrays.clone(nonce);
     }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberPublicKeyParameters.java

@@ -28,7 +28,7 @@ public KyberPublicKeyParameters(KyberParameters params, byte[] t, byte[] rho)
     public KyberPublicKeyParameters(KyberParameters params, byte[] encoding)
     {
         super(false, params);
-        this.t = Arrays.copyOfRange(encoding,0, encoding.length - KyberEngine.KyberSymBytes);
+        this.t = Arrays.copyOfRange(encoding, 0, encoding.length - KyberEngine.KyberSymBytes);
         this.rho = Arrays.copyOfRange(encoding, encoding.length - KyberEngine.KyberSymBytes, encoding.length);
     }
 

core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyFactory.java

@@ -10,6 +10,7 @@
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.bc.BCObjectIdentifiers;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
@@ -205,18 +206,35 @@ else if (algOID.on(BCObjectIdentifiers.pqc_kem_ntru))
         }
         else if (algOID.on(BCObjectIdentifiers.pqc_kem_kyber))
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePrivateKey()).getOctets();
+            ASN1Sequence keyEnc = ASN1Sequence.getInstance(keyInfo.parsePrivateKey());
+
             KyberParameters spParams = Utils.kyberParamsLookup(keyInfo.getPrivateKeyAlgorithm().getAlgorithm());
 
-            ASN1BitString pubKey = keyInfo.getPublicKeyData();
-            if (pubKey != null)
-            {
-                return new KyberPrivateKeyParameters(spParams, keyEnc, pubKey.getOctets());
-            }
-            else
+            int version = ASN1Integer.getInstance(keyEnc.getObjectAt(0)).intValueExact();
+            if (version != 0)
             {
-                return new KyberPrivateKeyParameters(spParams, keyEnc, null);
+                throw new IOException("unknown private key version: " + version);
             }
+ 
+             if (keyInfo.getPublicKeyData() != null)
+             {
+                 ASN1Sequence pubKey = ASN1Sequence.getInstance(keyInfo.getPublicKeyData().getOctets());
+                 return new KyberPrivateKeyParameters(spParams,
+                     DEROctetString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
+                     DEROctetString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
+                     DEROctetString.getInstance(keyEnc.getObjectAt(3)).getOctets(),
+                     ASN1OctetString.getInstance(pubKey.getObjectAt(0)).getOctets(), // t
+                     ASN1OctetString.getInstance(pubKey.getObjectAt(1)).getOctets()); // rho
+             }
+             else
+             {
+                 return new KyberPrivateKeyParameters(spParams,
+                     ASN1OctetString.getInstance(keyEnc.getObjectAt(1)).getOctets(),
+                     ASN1OctetString.getInstance(keyEnc.getObjectAt(2)).getOctets(),
+                     ASN1OctetString.getInstance(keyEnc.getObjectAt(3)).getOctets(),
+                     null,
+                     null);
+             }
         }
         else if (algOID.on(BCObjectIdentifiers.pqc_kem_ntrulprime))
         {

core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyInfoFactory.java

@@ -251,12 +251,21 @@ else if (privateKey instanceof FalconPrivateKeyParameters)
         else if (privateKey instanceof KyberPrivateKeyParameters)
         {
             KyberPrivateKeyParameters params = (KyberPrivateKeyParameters)privateKey;
+            
+            ASN1EncodableVector v = new ASN1EncodableVector();
 
-            byte[] encoding = params.getEncoded();
+            v.add(new ASN1Integer(0));
+            v.add(new DEROctetString(params.getS()));
+            v.add(new DEROctetString(params.getHPK()));
+            v.add(new DEROctetString(params.getNonce()));
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.kyberOidLookup(params.getParameters()));
 
-            return new PrivateKeyInfo(algorithmIdentifier, new DEROctetString(encoding), attributes, params.getPublicKey());
+            ASN1EncodableVector vPub = new ASN1EncodableVector();
+            vPub.add(new DEROctetString(params.getT()));
+            vPub.add(new DEROctetString(params.getRho()));
+
+            return new PrivateKeyInfo(algorithmIdentifier, new DERSequence(v), attributes, new DERSequence(vPub).getEncoded());
         }
         else if (privateKey instanceof NTRULPRimePrivateKeyParameters)
         {