Merge branch 'main' into ascon-update

Author: gefeili

core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPrivateKeyParameters.java

@@ -26,6 +26,23 @@ public class HSSPrivateKeyParameters
 
     private HSSPublicKeyParameters publicKey;
 
+    public HSSPrivateKeyParameters(LMSPrivateKeyParameters key, long index, long indexLimit)
+    {
+        super(true);
+
+        this.l = 1;
+        this.keys = Collections.singletonList(key);
+        this.sig = Collections.emptyList();
+        this.index = index;
+        this.indexLimit = indexLimit;
+        this.isShard = false;
+
+        //
+        // Correct Intermediate LMS values will be constructed during reset to index.
+        //
+        resetKeyToIndex();
+    }
+
     public HSSPrivateKeyParameters(int l, List<LMSPrivateKeyParameters> keys, List<LMSSignature> sig, long index, long indexLimit)
     {
         super(true);
@@ -104,7 +121,16 @@ else if (src instanceof byte[])
             try // 1.5 / 1.6 compatibility
             {
                 in = new DataInputStream(new ByteArrayInputStream((byte[])src));
-                return getInstance(in);
+                try
+                {
+                    return getInstance(in);
+                }
+                catch (Exception e)
+                {
+                    // old style single LMS key.
+                    LMSPrivateKeyParameters lmsKey = LMSPrivateKeyParameters.getInstance(src);
+                    return new HSSPrivateKeyParameters(lmsKey, lmsKey.getIndex(), lmsKey.getIndex() + lmsKey.getUsagesRemaining());
+                }
             }
             finally
             {

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAEngine.java

@@ -300,7 +300,53 @@ byte[][] generateKeyPairInternal(byte[] seed)
 
         byte[][] sk = Packing.packSecretKey(rho, tr, key, t0, s1, s2, this);
 
-        return new byte[][]{ sk[0], sk[1], sk[2], sk[3], sk[4], sk[5], encT1, seed};
+        return new byte[][]{sk[0], sk[1], sk[2], sk[3], sk[4], sk[5], encT1, seed};
+    }
+
+    byte[] deriveT1(byte[] rho, byte[] key, byte[] tr, byte[] s1Enc, byte[] s2Enc, byte[] t0Enc)
+    {
+        PolyVecMatrix aMatrix = new PolyVecMatrix(this);
+
+        PolyVecL s1 = new PolyVecL(this), s1hat;
+        PolyVecK s2 = new PolyVecK(this), t1 = new PolyVecK(this), t0 = new PolyVecK(this);
+
+        Packing.unpackSecretKey(t0, s1, s2, t0Enc, s1Enc, s2Enc, this);
+
+        // System.out.print("rho = ");
+        // Helper.printByteArray(rho);
+
+        // System.out.println("key = ");
+        // Helper.printByteArray(key);
+
+        aMatrix.expandMatrix(rho);
+        // System.out.print(aMatrix.toString("aMatrix"));
+
+        s1hat = new PolyVecL(this);
+
+        s1.copyPolyVecL(s1hat);
+        s1hat.polyVecNtt();
+
+        // System.out.println(s1hat.toString("s1hat"));
+
+        aMatrix.pointwiseMontgomery(t1, s1hat);
+        // System.out.println(t1.toString("t1"));
+
+        t1.reduce();
+        t1.invNttToMont();
+
+        t1.addPolyVecK(s2);
+        // System.out.println(s2.toString("s2"));
+        // System.out.println(t1.toString("t1"));
+        t1.conditionalAddQ();
+        t1.power2Round(t0);
+
+        // System.out.println(t1.toString("t1"));
+        // System.out.println(t0.toString("t0"));
+
+        byte[] encT1 = Packing.packPublicKey(t1, this);
+        // System.out.println("enc t1 = ");
+        // Helper.printByteArray(encT1);
+        return encT1;
     }
 
     SHAKEDigest getShake256Digest()

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAPrivateKeyParameters.java

@@ -74,15 +74,16 @@ public MLDSAPrivateKeyParameters(MLDSAParameters params, byte[] encoding, MLDSAP
             delta = eng.getDilithiumK() * MLDSAEngine.DilithiumPolyT0PackedBytes;
             this.t0 = Arrays.copyOfRange(encoding, index, index + delta);
             index += delta;
+            this.t1 = eng.deriveT1(rho, k, tr, s1, s2, t0);
 
             if (pubKey != null)
             {
-                this.t1 = pubKey.getT1();
-            }
-            else
-            {
-                this.t1 = null;
+                if (!Arrays.constantTimeAreEqual(this.t1, pubKey.getT1()))
+                {
+                    throw new IllegalArgumentException("passed in public key does not match private values");
+                }
             }
+
             this.seed = null;
         }
     }
@@ -117,6 +118,11 @@ public byte[] getSeed()
 
     public MLDSAPublicKeyParameters getPublicKeyParameters()
     {
+        if (this.t1 == null)
+        {
+            return null;
+        }
+        
         return new MLDSAPublicKeyParameters(getParameters(), rho, t1);
     }
 

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAPublicKeyParameters.java

@@ -18,11 +18,23 @@ public MLDSAPublicKeyParameters(MLDSAParameters params, byte[] encoding)
         super(false, params);
         this.rho = Arrays.copyOfRange(encoding, 0, MLDSAEngine.SeedBytes);
         this.t1 = Arrays.copyOfRange(encoding, MLDSAEngine.SeedBytes, encoding.length);
+        if (t1.length == 0)
+        {
+            throw new IllegalArgumentException("encoding too short");
+        }
     }
 
     public MLDSAPublicKeyParameters(MLDSAParameters params, byte[] rho, byte[] t1)
     {
         super(false, params);
+        if (rho == null)
+        {
+            throw new NullPointerException("rho cannot be null");
+        }
+        if (t1 == null)
+        {
+            throw new NullPointerException("t1 cannot be null");
+        }
         this.rho = Arrays.clone(rho);
         this.t1 = Arrays.clone(t1);
     }

core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyFactory.java

@@ -1,6 +1,5 @@
 package org.bouncycastle.pqc.crypto.util;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 
@@ -12,7 +11,6 @@
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.ASN1Sequence;
-import org.bouncycastle.asn1.BERTags;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.bc.BCObjectIdentifiers;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
@@ -45,7 +43,6 @@
 import org.bouncycastle.pqc.crypto.hqc.HQCParameters;
 import org.bouncycastle.pqc.crypto.hqc.HQCPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.lms.HSSPrivateKeyParameters;
-import org.bouncycastle.pqc.crypto.lms.LMSPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.mldsa.MLDSAPublicKeyParameters;
@@ -156,29 +153,17 @@ else if (algOID.equals(PQCObjectIdentifiers.newHope))
         }
         else if (algOID.equals(PKCSObjectIdentifiers.id_alg_hss_lms_hashsig))
         {
-            byte[] keyEnc = ASN1OctetString.getInstance(keyInfo.parsePrivateKey()).getOctets();
+            ASN1OctetString lmsKey = parseOctetString(keyInfo.getPrivateKey(), 64);
+            byte[] keyEnc = lmsKey.getOctets();
             ASN1BitString pubKey = keyInfo.getPublicKeyData();
 
-            if (Pack.bigEndianToInt(keyEnc, 0) == 1)
+            if (pubKey != null)
             {
-                if (pubKey != null)
-                {
-                    byte[] pubEnc = pubKey.getOctets();
+                byte[] pubEnc = pubKey.getOctets();
 
-                    return LMSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length), Arrays.copyOfRange(pubEnc, 4, pubEnc.length));
-                }
-                return LMSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
-            }
-            else
-            {
-                if (pubKey != null)
-                {
-                    byte[] pubEnc = pubKey.getOctets();
-
-                    return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length), pubEnc);
-                }
-                return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
+                return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length), pubEnc);
             }
+            return HSSPrivateKeyParameters.getInstance(Arrays.copyOfRange(keyEnc, 4, keyEnc.length));
         }
         else if (algOID.on(BCObjectIdentifiers.sphincsPlus) || algOID.on(BCObjectIdentifiers.sphincsPlus_interop))
         {
@@ -466,6 +451,7 @@ else if (algOID.equals(PQCObjectIdentifiers.mcElieceCca2))
      * So it seems for the new PQC algorithms, there's a couple of approaches to what goes in the OCTET STRING
      */
     private static ASN1OctetString parseOctetString(ASN1OctetString octStr, int expectedLength)
+        throws IOException
     {
         byte[] data = octStr.getOctets();
         //
@@ -478,37 +464,15 @@ private static ASN1OctetString parseOctetString(ASN1OctetString octStr, int expe
 
         //
         // possible internal OCTET STRING, possibly long form with or without the internal OCTET STRING
-        ByteArrayInputStream bIn = new ByteArrayInputStream(data);
-
-        int tag = bIn.read();
-        int len = readLen(bIn);
-        if (tag == BERTags.OCTET_STRING)
+        data = Utils.readOctetString(data);
+        if (data != null)
         {
-            if (len == bIn.available())
-            {
-                return ASN1OctetString.getInstance(data);
-            }
+            return new DEROctetString(data);
         }
 
         return octStr;
     }
-
-    private static int readLen(ByteArrayInputStream bIn)
-    {
-        int length = bIn.read();
-        if (length != (length & 0x7f))
-        {
-            int count = length & 0x7f;
-            length = 0;
-            while (count-- != 0)
-            {
-                length = (length << 8) + bIn.read();
-            }
-        }
-
-        return length;
-    }
-
+    
     private static short[] convert(byte[] octets)
     {
         short[] rv = new short[octets.length / 2];