Pass the test vectors for signing of Snova.

Author: gefeili

core/src/main/java/org/bouncycastle/pqc/crypto/snova/PublicKey.java

@@ -2,7 +2,7 @@
 
 class PublicKey
 {
-    public final byte[] publicKeySeed;
+    public byte[] publicKeySeed;
     public final byte[] P22;
 
     public PublicKey(SnovaParameters params)

core/src/main/java/org/bouncycastle/pqc/crypto/snova/SnovaEngine.java

@@ -1,5 +1,12 @@
 package org.bouncycastle.pqc.crypto.snova;
 
+import org.bouncycastle.crypto.BlockCipher;
+import org.bouncycastle.crypto.digests.SHAKEDigest;
+import org.bouncycastle.crypto.engines.AESEngine;
+import org.bouncycastle.crypto.modes.CTRModeCipher;
+import org.bouncycastle.crypto.modes.SICBlockCipher;
+import org.bouncycastle.crypto.params.KeyParameter;
+import org.bouncycastle.crypto.params.ParametersWithIV;
 import org.bouncycastle.util.Arrays;
 
 public class SnovaEngine
@@ -470,4 +477,170 @@ public void genP22(byte[] outP22, byte[][][] T12, byte[][][][] P21, byte[][][][]
             Arrays.fill(temp2, (byte)0);
         }
     }
+
+    void genSeedsAndT12(byte[][][] T12, byte[] skSeed)
+    {
+        int bytesPrngPrivate = (params.getV() * params.getO() * params.getL() + 1) >>> 1;
+        int gf16sPrngPrivate = params.getV() * params.getO() * params.getL();
+        byte[] prngOutput = new byte[bytesPrngPrivate];
+
+        // Generate PRNG output using SHAKE-256
+        SHAKEDigest shake = new SHAKEDigest(256);
+        shake.update(skSeed, 0, skSeed.length);
+        shake.doFinal(prngOutput, 0, prngOutput.length);
+
+        // Convert bytes to GF16 array
+        byte[] gf16PrngOutput = new byte[gf16sPrngPrivate];
+        GF16Utils.decode(prngOutput, gf16PrngOutput, gf16sPrngPrivate);
+
+        // Generate T12 matrices
+        int ptArray = 0;
+        int l = params.getL();
+        for (int j = 0; j < params.getV(); j++)
+        {
+            for (int k = 0; k < params.getO(); k++)
+            {
+                //gen_a_FqS_ct
+                genAFqSCT(gf16PrngOutput, ptArray, T12[j][k]);
+                ptArray += l;
+            }
+        }
+    }
+
+    void genABQP(MapGroup1 map1, byte[] pkSeed, byte[] fixedAbq)
+    {
+        int l = params.getL();
+        int lsq = l * l;
+        int m = params.getM();
+        int alpha = params.getAlpha();
+        int v = params.getV();
+        int o = params.getO();
+        int n = v + o;
+
+        int gf16sPrngPublic = lsq * (2 * m * alpha + m * (n * n - m * m)) + l * 2 * m * alpha;
+        byte[] qTemp = new byte[(m * alpha * lsq + m * alpha * lsq) / l];
+        byte[] prngOutput = new byte[(gf16sPrngPublic + 1) >> 1];
+
+        if (params.isPkExpandShake())
+        {
+            snovaShake(pkSeed, prngOutput.length, prngOutput);
+        }
+        else
+        {
+            // Create a 16-byte IV (all zeros)
+            byte[] iv = new byte[16]; // automatically zero-initialized
+            // AES-CTR-based expansion
+            // Set up AES engine in CTR (SIC) mode.
+            BlockCipher aesEngine = AESEngine.newInstance();
+            // SICBlockCipher implements CTR mode for AES.
+            CTRModeCipher ctrCipher = SICBlockCipher.newInstance(aesEngine);
+            ParametersWithIV params = new ParametersWithIV(new KeyParameter(pkSeed), iv);
+            ctrCipher.init(true, params);
+            int blockSize = ctrCipher.getBlockSize(); // typically 16 bytes
+            byte[] zeroBlock = new byte[blockSize];     // block of zeros
+            byte[] blockOut = new byte[blockSize];
+
+            int offset = 0;
+            // Process full blocks
+            while (offset + blockSize <= prngOutput.length)
+            {
+                ctrCipher.processBlock(zeroBlock, 0, blockOut, 0);
+                System.arraycopy(blockOut, 0, prngOutput, offset, blockSize);
+                offset += blockSize;
+            }
+            // Process any remaining partial block.
+            if (offset < prngOutput.length)
+            {
+                ctrCipher.processBlock(zeroBlock, 0, blockOut, 0);
+                int remaining = prngOutput.length - offset;
+                System.arraycopy(blockOut, 0, prngOutput, offset, remaining);
+            }
+        }
+        byte[] temp = new byte[gf16sPrngPublic - qTemp.length];
+        GF16Utils.decode(prngOutput, temp, temp.length);
+        map1.fill(temp);
+        if (l >= 4)
+        {
+            GF16Utils.decode(prngOutput, temp.length >> 1, qTemp, 0, qTemp.length);
+
+            // Post-processing for invertible matrices
+            for (int pi = 0; pi < m; ++pi)
+            {
+                for (int a = 0; a < alpha; ++a)
+                {
+                    makeInvertibleByAddingAS(map1.aAlpha[pi][a], 0);
+                }
+            }
+            for (int pi = 0; pi < m; ++pi)
+            {
+                for (int a = 0; a < alpha; ++a)
+                {
+                    makeInvertibleByAddingAS(map1.bAlpha[pi][a], 0);
+                }
+            }
+
+            int ptArray = 0;
+            for (int pi = 0; pi < m; ++pi)
+            {
+                for (int a = 0; a < alpha; ++a)
+                {
+                    genAFqS(qTemp, ptArray, map1.qAlpha1[pi][a], 0);
+                    ptArray += l;
+                }
+            }
+            for (int pi = 0; pi < m; ++pi)
+            {
+                for (int a = 0; a < alpha; ++a)
+                {
+                    genAFqS(qTemp, ptArray, map1.qAlpha2[pi][a], 0);
+                    ptArray += l;
+                }
+            }
+        }
+        else
+        {
+            MapGroup1.fillAlpha(fixedAbq, 0, map1.aAlpha, m * o * alpha * lsq);
+            MapGroup1.fillAlpha(fixedAbq, o * alpha * lsq, map1.bAlpha, (m - 1) * o * alpha * lsq);
+            MapGroup1.fillAlpha(fixedAbq, o * alpha * lsq * 2, map1.qAlpha1, (m - 2) * o * alpha * lsq);
+            MapGroup1.fillAlpha(fixedAbq, o * alpha * lsq * 3, map1.qAlpha2, (m - 3) * o * alpha * lsq);
+        }
+    }
+
+    public static void snovaShake(byte[] ptSeed, int outputBytes, byte[] out)
+    {
+        final int SHAKE128_RATE = 168; // 1344-bit rate = 168 bytes
+        long blockCounter = 0;
+        int offset = 0;
+        int remaining = outputBytes;
+
+        while (remaining > 0)
+        {
+            SHAKEDigest shake = new SHAKEDigest(128);
+
+            // Process seed + counter
+            shake.update(ptSeed, 0, ptSeed.length);
+            updateWithCounter(shake, blockCounter);
+
+            // Calculate bytes to generate in this iteration
+            int bytesToGenerate = Math.min(remaining, SHAKE128_RATE);
+
+            // Generate output (XOF mode)
+            shake.doFinal(out, offset, bytesToGenerate);
+
+            offset += bytesToGenerate;
+            remaining -= bytesToGenerate;
+            blockCounter++;
+        }
+    }
+
+    private static void updateWithCounter(SHAKEDigest shake, long counter)
+    {
+        byte[] counterBytes = new byte[8];
+        // Little-endian conversion
+        for (int i = 0; i < 8; i++)
+        {
+            counterBytes[i] = (byte)(counter >> (i * 8));
+        }
+        shake.update(counterBytes, 0, 8);
+    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/snova/SnovaKeyPairGenerator.java

@@ -4,14 +4,7 @@
 
 import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
 import org.bouncycastle.crypto.AsymmetricCipherKeyPairGenerator;
-import org.bouncycastle.crypto.BlockCipher;
 import org.bouncycastle.crypto.KeyGenerationParameters;
-import org.bouncycastle.crypto.digests.SHAKEDigest;
-import org.bouncycastle.crypto.engines.AESEngine;
-import org.bouncycastle.crypto.modes.CTRModeCipher;
-import org.bouncycastle.crypto.modes.SICBlockCipher;
-import org.bouncycastle.crypto.params.KeyParameter;
-import org.bouncycastle.crypto.params.ParametersWithIV;
 import org.bouncycastle.util.Arrays;
 
 public class SnovaKeyPairGenerator
@@ -79,181 +72,15 @@ public AsymmetricCipherKeyPair generateKeyPair()
     private void generateKeysCore(SnovaKeyElements keyElements, byte[] pkSeed, byte[] skSeed)
     {
         // Generate T12 matrix
-        genSeedsAndT12(keyElements.T12, skSeed);
+        engine.genSeedsAndT12(keyElements.T12, skSeed);
 
         // Generate map components
-        genABQP(keyElements.map1, pkSeed, keyElements.fixedAbq);
+        engine.genABQP(keyElements.map1, pkSeed, keyElements.fixedAbq);
 
         // Generate F matrices
         engine.genF(keyElements.map2, keyElements.map1, keyElements.T12);
 
         // Generate P22 matrix
         engine.genP22(keyElements.publicKey.P22, keyElements.T12, keyElements.map1.p21, keyElements.map2.f12);
     }
-
-    private void genSeedsAndT12(byte[][][] T12, byte[] skSeed)
-    {
-        int bytesPrngPrivate = (params.getV() * params.getO() * params.getL() + 1) >>> 1;
-        int gf16sPrngPrivate = params.getV() * params.getO() * params.getL();
-        byte[] prngOutput = new byte[bytesPrngPrivate];
-
-        // Generate PRNG output using SHAKE-256
-        SHAKEDigest shake = new SHAKEDigest(256);
-        shake.update(skSeed, 0, skSeed.length);
-        shake.doFinal(prngOutput, 0, prngOutput.length);
-
-        // Convert bytes to GF16 array
-        byte[] gf16PrngOutput = new byte[gf16sPrngPrivate];
-        GF16Utils.decode(prngOutput, gf16PrngOutput, gf16sPrngPrivate);
-
-        // Generate T12 matrices
-        int ptArray = 0;
-        int l = params.getL();
-        for (int j = 0; j < params.getV(); j++)
-        {
-            for (int k = 0; k < params.getO(); k++)
-            {
-                //gen_a_FqS_ct
-                engine.genAFqSCT(gf16PrngOutput, ptArray, T12[j][k]);
-                ptArray += l;
-            }
-        }
-    }
-
-    private void genABQP(MapGroup1 map1, byte[] pkSeed, byte[] fixedAbq)
-    {
-        int l = params.getL();
-        int lsq = l * l;
-        int m = params.getM();
-        int alpha = params.getAlpha();
-        int v = params.getV();
-        int o = params.getO();
-        int n = v + o;
-
-        int gf16sPrngPublic = lsq * (2 * m * alpha + m * (n * n - m * m)) + l * 2 * m * alpha;
-        byte[] qTemp = new byte[(m * alpha * lsq + m * alpha * lsq) / l];
-        byte[] prngOutput = new byte[(gf16sPrngPublic + 1) >> 1];
-
-        if (params.isPkExpandShake())
-        {
-            snovaShake(pkSeed, prngOutput.length, prngOutput);
-        }
-        else
-        {
-            // Create a 16-byte IV (all zeros)
-            byte[] iv = new byte[16]; // automatically zero-initialized
-            // AES-CTR-based expansion
-            // Set up AES engine in CTR (SIC) mode.
-            BlockCipher aesEngine = AESEngine.newInstance();
-            // SICBlockCipher implements CTR mode for AES.
-            CTRModeCipher ctrCipher = SICBlockCipher.newInstance(aesEngine);
-            ParametersWithIV params = new ParametersWithIV(new KeyParameter(pkSeed), iv);
-            ctrCipher.init(true, params);
-            int blockSize = ctrCipher.getBlockSize(); // typically 16 bytes
-            byte[] zeroBlock = new byte[blockSize];     // block of zeros
-            byte[] blockOut = new byte[blockSize];
-
-            int offset = 0;
-            // Process full blocks
-            while (offset + blockSize <= prngOutput.length)
-            {
-                ctrCipher.processBlock(zeroBlock, 0, blockOut, 0);
-                System.arraycopy(blockOut, 0, prngOutput, offset, blockSize);
-                offset += blockSize;
-            }
-            // Process any remaining partial block.
-            if (offset < prngOutput.length)
-            {
-                ctrCipher.processBlock(zeroBlock, 0, blockOut, 0);
-                int remaining = prngOutput.length - offset;
-                System.arraycopy(blockOut, 0, prngOutput, offset, remaining);
-            }
-        }
-        byte[] temp = new byte[gf16sPrngPublic - qTemp.length];
-        GF16Utils.decode(prngOutput, temp, temp.length);
-        map1.fill(temp);
-        if (l >= 4)
-        {
-            GF16Utils.decode(prngOutput, temp.length >> 1, qTemp, 0, qTemp.length);
-
-            // Post-processing for invertible matrices
-            for (int pi = 0; pi < m; ++pi)
-            {
-                for (int a = 0; a < alpha; ++a)
-                {
-                    engine.makeInvertibleByAddingAS(map1.aAlpha[pi][a], 0);
-                }
-            }
-            for (int pi = 0; pi < m; ++pi)
-            {
-                for (int a = 0; a < alpha; ++a)
-                {
-                    engine.makeInvertibleByAddingAS(map1.bAlpha[pi][a], 0);
-                }
-            }
-
-            int ptArray = 0;
-            for (int pi = 0; pi < m; ++pi)
-            {
-                for (int a = 0; a < alpha; ++a)
-                {
-                    engine.genAFqS(qTemp, ptArray, map1.qAlpha1[pi][a], 0);
-                    ptArray += l;
-                }
-            }
-            for (int pi = 0; pi < m; ++pi)
-            {
-                for (int a = 0; a < alpha; ++a)
-                {
-                    engine.genAFqS(qTemp, ptArray, map1.qAlpha2[pi][a], 0);
-                    ptArray += l;
-                }
-            }
-        }
-        else
-        {
-            MapGroup1.fillAlpha(fixedAbq, 0, map1.aAlpha, m * o * alpha * lsq);
-            MapGroup1.fillAlpha(fixedAbq, o * alpha * lsq, map1.bAlpha, (m - 1) * o * alpha * lsq);
-            MapGroup1.fillAlpha(fixedAbq, o * alpha * lsq * 2, map1.qAlpha1, (m - 2) * o * alpha * lsq);
-            MapGroup1.fillAlpha(fixedAbq, o * alpha * lsq * 3, map1.qAlpha2, (m - 3) * o * alpha * lsq);
-        }
-    }
-
-    public static void snovaShake(byte[] ptSeed, int outputBytes, byte[] out)
-    {
-        final int SHAKE128_RATE = 168; // 1344-bit rate = 168 bytes
-        long blockCounter = 0;
-        int offset = 0;
-        int remaining = outputBytes;
-
-        while (remaining > 0)
-        {
-            SHAKEDigest shake = new SHAKEDigest(128);
-
-            // Process seed + counter
-            shake.update(ptSeed, 0, ptSeed.length);
-            updateWithCounter(shake, blockCounter);
-
-            // Calculate bytes to generate in this iteration
-            int bytesToGenerate = Math.min(remaining, SHAKE128_RATE);
-
-            // Generate output (XOF mode)
-            shake.doFinal(out, offset, bytesToGenerate);
-
-            offset += bytesToGenerate;
-            remaining -= bytesToGenerate;
-            blockCounter++;
-        }
-    }
-
-    private static void updateWithCounter(SHAKEDigest shake, long counter)
-    {
-        byte[] counterBytes = new byte[8];
-        // Little-endian conversion
-        for (int i = 0; i < 8; i++)
-        {
-            counterBytes[i] = (byte)(counter >> (i * 8));
-        }
-        shake.update(counterBytes, 0, 8);
-    }
 }