added seed based storage for ML-KEM and ML-DSA private keys.

dghgit · dghgit · commit 4257ff93674a · 2024-09-27T22:06:15.000+10:00
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAEngine.java
@@ -227,7 +227,7 @@ else if (this.DilithiumGamma1 == (1 << 19))
     }
 
     //Internal functions are deterministic. No randomness is sampled inside them
-    private byte[][] generateKeyPairInternal(byte[] seed)
+    byte[][] generateKeyPairInternal(byte[] seed)
     {
         byte[] buf = new byte[2 * SeedBytes + CrhBytes];
         byte[] tr = new byte[TrBytes];
@@ -301,7 +301,7 @@ private byte[][] generateKeyPairInternal(byte[] seed)
 
         byte[][] sk = Packing.packSecretKey(rho, tr, key, t0, s1, s2, this);
 
-        return new byte[][]{sk[0], sk[1], sk[2], sk[3], sk[4], sk[5], encT1};
+        return new byte[][]{ sk[0], sk[1], sk[2], sk[3], sk[4], sk[5], encT1, seed};
     }
 
     SHAKEDigest getShake256Digest()
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAKeyPairGenerator.java
@@ -24,7 +24,7 @@ public AsymmetricCipherKeyPair generateKeyPair()
 
         byte[][] keyPair = engine.generateKeyPair();
         MLDSAPublicKeyParameters pubKey = new MLDSAPublicKeyParameters(dilithiumParams, keyPair[0], keyPair[6]);
-        MLDSAPrivateKeyParameters privKey = new MLDSAPrivateKeyParameters(dilithiumParams, keyPair[0], keyPair[1], keyPair[2], keyPair[3], keyPair[4], keyPair[5], keyPair[6]);
+        MLDSAPrivateKeyParameters privKey = new MLDSAPrivateKeyParameters(dilithiumParams, keyPair[0], keyPair[1], keyPair[2], keyPair[3], keyPair[4], keyPair[5], keyPair[6], keyPair[7]);
 
         return new AsymmetricCipherKeyPair(pubKey, privKey);
     }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAPrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAPrivateKeyParameters.java
@@ -13,8 +13,29 @@ public class MLDSAPrivateKeyParameters
     final byte[] t0;
 
     private final byte[] t1;
+    private final byte[] seed;
+
+    public MLDSAPrivateKeyParameters(MLDSAParameters params, byte[] seed)
+    {
+        super(true, params);
+        byte[][] keyDetails = params.getEngine(null).generateKeyPairInternal(seed);
+
+        this.rho = keyDetails[0];
+        this.k = keyDetails[1];
+        this.tr = keyDetails[2];
+        this.s1 = keyDetails[3];
+        this.s2 = keyDetails[4];
+        this.t0 = keyDetails[5];
+        this.t1 = keyDetails[6];
+        this.seed = keyDetails[7];
+    }
 
     public MLDSAPrivateKeyParameters(MLDSAParameters params, byte[] rho, byte[] K, byte[] tr, byte[] s1, byte[] s2, byte[] t0, byte[] t1)
+    {
+        this(params, rho, K, tr, s1, s2, t0, t1, null);
+    }
+
+    public MLDSAPrivateKeyParameters(MLDSAParameters params, byte[] rho, byte[] K, byte[] tr, byte[] s1, byte[] s2, byte[] t0, byte[] t1, byte[] seed)
     {
         super(true, params);
         this.rho = Arrays.clone(rho);
@@ -24,6 +45,7 @@ public MLDSAPrivateKeyParameters(MLDSAParameters params, byte[] rho, byte[] K, b
         this.s2 = Arrays.clone(s2);
         this.t0 = Arrays.clone(t0);
         this.t1 = Arrays.clone(t1);
+        this.seed = Arrays.clone(seed);
     }
 
     public MLDSAPrivateKeyParameters(MLDSAParameters params, byte[] encoding, MLDSAPublicKeyParameters pubKey)
@@ -32,15 +54,21 @@ public MLDSAPrivateKeyParameters(MLDSAParameters params, byte[] encoding, MLDSAP
 
         MLDSAEngine eng = params.getEngine(null);
         int index = 0;
-        this.rho = Arrays.copyOfRange(encoding, 0, MLDSAEngine.SeedBytes); index += MLDSAEngine.SeedBytes;
-        this.k = Arrays.copyOfRange(encoding, index, index + MLDSAEngine.SeedBytes); index += MLDSAEngine.SeedBytes;
-        this.tr = Arrays.copyOfRange(encoding, index, index + MLDSAEngine.TrBytes); index += MLDSAEngine.TrBytes;
+        this.rho = Arrays.copyOfRange(encoding, 0, MLDSAEngine.SeedBytes);
+        index += MLDSAEngine.SeedBytes;
+        this.k = Arrays.copyOfRange(encoding, index, index + MLDSAEngine.SeedBytes);
+        index += MLDSAEngine.SeedBytes;
+        this.tr = Arrays.copyOfRange(encoding, index, index + MLDSAEngine.TrBytes);
+        index += MLDSAEngine.TrBytes;
         int delta = eng.getDilithiumL() * eng.getDilithiumPolyEtaPackedBytes();
-        this.s1 = Arrays.copyOfRange(encoding, index, index + delta); index += delta;
+        this.s1 = Arrays.copyOfRange(encoding, index, index + delta);
+        index += delta;
         delta = eng.getDilithiumK() * eng.getDilithiumPolyEtaPackedBytes();
-        this.s2 = Arrays.copyOfRange(encoding, index, index + delta); index += delta;
+        this.s2 = Arrays.copyOfRange(encoding, index, index + delta);
+        index += delta;
         delta = eng.getDilithiumK() * MLDSAEngine.DilithiumPolyT0PackedBytes;
-        this.t0 = Arrays.copyOfRange(encoding, index, index + delta); index += delta;
+        this.t0 = Arrays.copyOfRange(encoding, index, index + delta);
+        index += delta;
 
         if (pubKey != null)
         {
@@ -50,19 +78,22 @@ public MLDSAPrivateKeyParameters(MLDSAParameters params, byte[] encoding, MLDSAP
         {
             this.t1 = null;
         }
+        this.seed = null;
     }
 
     public byte[] getEncoded()
     {
-        return Arrays.concatenate(new byte[][]{ rho, k, tr, s1, s2, t0 });
+        return Arrays.concatenate(new byte[][]{rho, k, tr, s1, s2, t0});
     }
 
     public byte[] getK()
     {
         return Arrays.clone(k);
     }
 
-    /** @deprecated Use {@link #getEncoded()} instead. */
+    /**
+     * @deprecated Use {@link #getEncoded()} instead.
+     */
     public byte[] getPrivateKey()
     {
         return getEncoded();
@@ -73,6 +104,11 @@ public byte[] getPublicKey()
         return MLDSAPublicKeyParameters.getEncoded(rho, t1);
     }
 
+    public byte[] getSeed()
+    {
+        return Arrays.clone(seed);
+    }
+
     public MLDSAPublicKeyParameters getPublicKeyParameters()
     {
         return new MLDSAPublicKeyParameters(getParameters(), rho, t1);
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMEngine.java
@@ -202,7 +202,7 @@ public byte[][] generateKemKeyPairInternal(byte[] d, byte[] z)
 
         byte[] outputPublicKey = new byte[KyberIndCpaPublicKeyBytes];
         System.arraycopy(indCpaKeyPair[0], 0, outputPublicKey, 0, KyberIndCpaPublicKeyBytes);
-        return new byte[][]{ Arrays.copyOfRange(outputPublicKey, 0, outputPublicKey.length - 32), Arrays.copyOfRange(outputPublicKey, outputPublicKey.length - 32, outputPublicKey.length), s, hashedPublicKey, z };
+        return new byte[][]{ Arrays.copyOfRange(outputPublicKey, 0, outputPublicKey.length - 32), Arrays.copyOfRange(outputPublicKey, outputPublicKey.length - 32, outputPublicKey.length), s, hashedPublicKey, z, Arrays.concatenate(d, z)};
     }
 
     public byte[][] kemEncryptInternal(byte[] publicKeyInput, byte[] randBytes)
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMKeyPairGenerator.java b/core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMKeyPairGenerator.java
@@ -30,7 +30,7 @@ private AsymmetricCipherKeyPair genKeyPair()
         byte[][] keyPair = engine.generateKemKeyPair();
 
         MLKEMPublicKeyParameters pubKey = new MLKEMPublicKeyParameters(mlkemParams, keyPair[0], keyPair[1]);
-        MLKEMPrivateKeyParameters privKey = new MLKEMPrivateKeyParameters(mlkemParams,  keyPair[2], keyPair[3], keyPair[4], keyPair[0], keyPair[1]);
+        MLKEMPrivateKeyParameters privKey = new MLKEMPrivateKeyParameters(mlkemParams,  keyPair[2], keyPair[3], keyPair[4], keyPair[0], keyPair[1], keyPair[5]);
         
         return new AsymmetricCipherKeyPair(pubKey, privKey);
     }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMPrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMPrivateKeyParameters.java
@@ -10,8 +10,14 @@ public class MLKEMPrivateKeyParameters
     final byte[] nonce;
     final byte[] t;
     final byte[] rho;
-
+    final byte[] seed;
+    
     public MLKEMPrivateKeyParameters(MLKEMParameters params, byte[] s, byte[] hpk, byte[] nonce, byte[] t, byte[] rho)
+    {
+        this(params, s, hpk, nonce, t, rho, null);
+    }
+
+    public MLKEMPrivateKeyParameters(MLKEMParameters params, byte[] s, byte[] hpk, byte[] nonce, byte[] t, byte[] rho, byte[] seed)
     {
         super(true, params);
 
@@ -20,19 +26,40 @@ public MLKEMPrivateKeyParameters(MLKEMParameters params, byte[] s, byte[] hpk, b
         this.nonce = Arrays.clone(nonce);
         this.t = Arrays.clone(t);
         this.rho = Arrays.clone(rho);
+        this.seed = Arrays.clone(seed);
     }
 
     public MLKEMPrivateKeyParameters(MLKEMParameters params, byte[] encoding)
     {
         super(true, params);
 
         MLKEMEngine eng = params.getEngine();
-        int index = 0;
-        this.s = Arrays.copyOfRange(encoding, 0, eng.getKyberIndCpaSecretKeyBytes()); index += eng.getKyberIndCpaSecretKeyBytes();
-        this.t = Arrays.copyOfRange(encoding, index, index + eng.getKyberIndCpaPublicKeyBytes() - MLKEMEngine.KyberSymBytes); index += eng.getKyberIndCpaPublicKeyBytes() - MLKEMEngine.KyberSymBytes;
-        this.rho = Arrays.copyOfRange(encoding, index, index + 32); index += 32;
-        this.hpk = Arrays.copyOfRange(encoding, index, index + 32); index += 32;
-        this.nonce = Arrays.copyOfRange(encoding, index, index + MLKEMEngine.KyberSymBytes);
+        if (encoding.length == MLKEMEngine.KyberSymBytes * 2)
+        {
+            byte[][] keyData = eng.generateKemKeyPairInternal(
+                Arrays.copyOfRange(encoding, 0, MLKEMEngine.KyberSymBytes),
+                Arrays.copyOfRange(encoding, MLKEMEngine.KyberSymBytes, encoding.length));
+            this.s = keyData[2];
+            this.hpk = keyData[3];
+            this.nonce = keyData[4];
+            this.t = keyData[0];
+            this.rho = keyData[1];
+            this.seed = keyData[5];
+        }
+        else
+        {
+            int index = 0;
+            this.s = Arrays.copyOfRange(encoding, 0, eng.getKyberIndCpaSecretKeyBytes());
+            index += eng.getKyberIndCpaSecretKeyBytes();
+            this.t = Arrays.copyOfRange(encoding, index, index + eng.getKyberIndCpaPublicKeyBytes() - MLKEMEngine.KyberSymBytes);
+            index += eng.getKyberIndCpaPublicKeyBytes() - MLKEMEngine.KyberSymBytes;
+            this.rho = Arrays.copyOfRange(encoding, index, index + 32);
+            index += 32;
+            this.hpk = Arrays.copyOfRange(encoding, index, index + 32);
+            index += 32;
+            this.nonce = Arrays.copyOfRange(encoding, index, index + MLKEMEngine.KyberSymBytes);
+            this.seed = null;
+        }
     }
 
     public byte[] getEncoded()
@@ -74,4 +101,9 @@ public byte[] getT()
     {
         return Arrays.clone(t);
     }
+
+    public byte[] getSeed()
+    {
+        return Arrays.clone(seed);
+    }
 }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyFactory.java b/core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyFactory.java
@@ -329,7 +329,7 @@ else if (keyObj instanceof DEROctetString)
                     MLDSAPublicKeyParameters pubParams = PublicKeyFactory.MLDSAConverter.getPublicKeyParams(spParams, keyInfo.getPublicKeyData());
                     return new MLDSAPrivateKeyParameters(spParams, data, pubParams);
                 }
-                return new MLDSAPrivateKeyParameters(spParams, data, null);
+                return new MLDSAPrivateKeyParameters(spParams, data);
             }
             else
             {
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyInfoFactory.java b/core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyInfoFactory.java
@@ -247,7 +247,15 @@ else if (privateKey instanceof MLKEMPrivateKeyParameters)
             
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.mlkemOidLookup(params.getParameters()));
 
-            return new PrivateKeyInfo(algorithmIdentifier, new DEROctetString(params.getEncoded()), attributes);
+            byte[] seed = params.getSeed();
+            if (seed == null)
+            {
+                return new PrivateKeyInfo(algorithmIdentifier, new DEROctetString(params.getEncoded()), attributes);
+            }
+            else
+            {
+                return new PrivateKeyInfo(algorithmIdentifier, new DEROctetString(seed), attributes);
+            }
         }
         else if (privateKey instanceof NTRULPRimePrivateKeyParameters)
         {
@@ -286,9 +294,19 @@ else if (privateKey instanceof MLDSAPrivateKeyParameters)
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.mldsaOidLookup(params.getParameters()));
 
-            MLDSAPublicKeyParameters pubParams = params.getPublicKeyParameters();
+            byte[] seed = params.getSeed();
+            if (seed == null)
+            {
+                MLDSAPublicKeyParameters pubParams = params.getPublicKeyParameters();
+
+                return new PrivateKeyInfo(algorithmIdentifier, new DEROctetString(params.getEncoded()), attributes, pubParams.getEncoded());
+            }
+            else
+            {
+                MLDSAPublicKeyParameters pubParams = params.getPublicKeyParameters();
 
-            return new PrivateKeyInfo(algorithmIdentifier, new DEROctetString(params.getEncoded()), attributes, pubParams.getEncoded());
+                return new PrivateKeyInfo(algorithmIdentifier, new DEROctetString(params.getSeed()), attributes);
+            }
         }
         else if (privateKey instanceof DilithiumPrivateKeyParameters)
         {
diff --git a/prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/MLDSATest.java b/prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/MLDSATest.java
diff --git a/prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/MLKEMKeyPairGeneratorTest.java b/prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/MLKEMKeyPairGeneratorTest.java

Original file line number	Diff line number	Diff line change
`@@ -227,7 +227,7 @@ else if (this.DilithiumGamma1 == (1 << 19))`
`227`	`227`	`}`
`228`	`228`
`229`	`229`	`//Internal functions are deterministic. No randomness is sampled inside them`
`230`		`- private byte[][] generateKeyPairInternal(byte[] seed)`
	`230`	`+ byte[][] generateKeyPairInternal(byte[] seed)`
`231`	`231`	`{`
`232`	`232`	`byte[] buf = new byte[2 * SeedBytes + CrhBytes];`
`233`	`233`	`byte[] tr = new byte[TrBytes];`
`@@ -301,7 +301,7 @@ private byte[][] generateKeyPairInternal(byte[] seed)`
`301`	`301`
`302`	`302`	`byte[][] sk = Packing.packSecretKey(rho, tr, key, t0, s1, s2, this);`
`303`	`303`
`304`		`- return new byte[][]{sk[0], sk[1], sk[2], sk[3], sk[4], sk[5], encT1};`
	`304`	`+ return new byte[][]{ sk[0], sk[1], sk[2], sk[3], sk[4], sk[5], encT1, seed};`
`305`	`305`	`}`
`306`	`306`
`307`	`307`	`SHAKEDigest getShake256Digest()`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ public AsymmetricCipherKeyPair generateKeyPair()`
`24`	`24`
`25`	`25`	`byte[][] keyPair = engine.generateKeyPair();`
`26`	`26`	`MLDSAPublicKeyParameters pubKey = new MLDSAPublicKeyParameters(dilithiumParams, keyPair[0], keyPair[6]);`
`27`		`- MLDSAPrivateKeyParameters privKey = new MLDSAPrivateKeyParameters(dilithiumParams, keyPair[0], keyPair[1], keyPair[2], keyPair[3], keyPair[4], keyPair[5], keyPair[6]);`
	`27`	`+ MLDSAPrivateKeyParameters privKey = new MLDSAPrivateKeyParameters(dilithiumParams, keyPair[0], keyPair[1], keyPair[2], keyPair[3], keyPair[4], keyPair[5], keyPair[6], keyPair[7]);`
`28`	`28`
`29`	`29`	`return new AsymmetricCipherKeyPair(pubKey, privKey);`
`30`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ public byte[][] generateKemKeyPairInternal(byte[] d, byte[] z)`
`202`	`202`
`203`	`203`	`byte[] outputPublicKey = new byte[KyberIndCpaPublicKeyBytes];`
`204`	`204`	`System.arraycopy(indCpaKeyPair[0], 0, outputPublicKey, 0, KyberIndCpaPublicKeyBytes);`
`205`		`- return new byte[][]{ Arrays.copyOfRange(outputPublicKey, 0, outputPublicKey.length - 32), Arrays.copyOfRange(outputPublicKey, outputPublicKey.length - 32, outputPublicKey.length), s, hashedPublicKey, z };`
	`205`	`+ return new byte[][]{ Arrays.copyOfRange(outputPublicKey, 0, outputPublicKey.length - 32), Arrays.copyOfRange(outputPublicKey, outputPublicKey.length - 32, outputPublicKey.length), s, hashedPublicKey, z, Arrays.concatenate(d, z)};`
`206`	`206`	`}`
`207`	`207`
`208`	`208`	`public byte[][] kemEncryptInternal(byte[] publicKeyInput, byte[] randBytes)`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ private AsymmetricCipherKeyPair genKeyPair()`
`30`	`30`	`byte[][] keyPair = engine.generateKemKeyPair();`
`31`	`31`
`32`	`32`	`MLKEMPublicKeyParameters pubKey = new MLKEMPublicKeyParameters(mlkemParams, keyPair[0], keyPair[1]);`
`33`		`- MLKEMPrivateKeyParameters privKey = new MLKEMPrivateKeyParameters(mlkemParams, keyPair[2], keyPair[3], keyPair[4], keyPair[0], keyPair[1]);`
	`33`	`+ MLKEMPrivateKeyParameters privKey = new MLKEMPrivateKeyParameters(mlkemParams, keyPair[2], keyPair[3], keyPair[4], keyPair[0], keyPair[1], keyPair[5]);`
`34`	`34`
`35`	`35`	`return new AsymmetricCipherKeyPair(pubKey, privKey);`
`36`	`36`	`}`
Original file line number	Diff line number	Diff line change
`@@ -329,7 +329,7 @@ else if (keyObj instanceof DEROctetString)`
`329`	`329`	`MLDSAPublicKeyParameters pubParams = PublicKeyFactory.MLDSAConverter.getPublicKeyParams(spParams, keyInfo.getPublicKeyData());`
`330`	`330`	`return new MLDSAPrivateKeyParameters(spParams, data, pubParams);`
`331`	`331`	`}`
`332`		`- return new MLDSAPrivateKeyParameters(spParams, data, null);`
	`332`	`+ return new MLDSAPrivateKeyParameters(spParams, data);`
`333`	`333`	`}`
`334`	`334`	`else`
`335`	`335`	`{`