Refactoring in pqc.crypto.mldsa

- reduced allocations

Author: peterdettman

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAEngine.java

@@ -269,7 +269,7 @@ byte[][] generateKeyPairInternal(byte[] seed)
 
         s1hat = new PolyVecL(this);
 
-        s1.copyPolyVecL(s1hat);
+        s1.copyTo(s1hat);
         s1hat.polyVecNtt();
 
         // System.out.println(s1hat.toString("s1hat"));
@@ -323,7 +323,7 @@ byte[] deriveT1(byte[] rho, byte[] key, byte[] tr, byte[] s1Enc, byte[] s2Enc, b
 
         s1hat = new PolyVecL(this);
 
-        s1.copyPolyVecL(s1hat);
+        s1.copyTo(s1hat);
         s1hat.polyVecNtt();
 
         // System.out.println(s1hat.toString("s1hat"));
@@ -382,7 +382,7 @@ void initVerify(byte[] rho, byte[] encT1, boolean isPreHash, byte[] ctx)
         }
     }
 
-    public byte[] signInternal(byte[] msg, int msglen, byte[] rho, byte[] key, byte[] t0Enc, byte[] s1Enc, byte[] s2Enc, byte[] rnd)
+    byte[] signInternal(byte[] msg, int msglen, byte[] rho, byte[] key, byte[] t0Enc, byte[] s1Enc, byte[] s2Enc, byte[] rnd)
     {
         SHAKEDigest shake256 = new SHAKEDigest(shake256Digest);
 
@@ -397,7 +397,6 @@ byte[] generateSignature(SHAKEDigest shake256Digest, byte[] rho, byte[] key, byt
 
         shake256Digest.doFinal(mu, 0, CrhBytes);
 
-        int n;
         byte[] outSig = new byte[CryptoBytes];
         byte[] rhoPrime = new byte[CrhBytes];
         short nonce = 0;
@@ -428,7 +427,7 @@ byte[] generateSignature(SHAKEDigest shake256Digest, byte[] rho, byte[] key, byt
             // Sample intermediate vector
             y.uniformGamma1(rhoPrime, nonce++);
 
-            y.copyPolyVecL(z);
+            y.copyTo(z);
             z.polyVecNtt();
 
             // Matrix-vector multiplication
@@ -440,13 +439,13 @@ byte[] generateSignature(SHAKEDigest shake256Digest, byte[] rho, byte[] key, byt
             w1.conditionalAddQ();
             w1.decompose(w0);
 
-            System.arraycopy(w1.packW1(), 0, outSig, 0, DilithiumK * DilithiumPolyW1PackedBytes);
+            w1.packW1(this, outSig, 0);
 
             shake256Digest.update(mu, 0, CrhBytes);
             shake256Digest.update(outSig, 0, DilithiumK * DilithiumPolyW1PackedBytes);
             shake256Digest.doFinal(outSig, 0, DilithiumCTilde);
 
-            cp.challenge(Arrays.copyOfRange(outSig, 0, DilithiumCTilde));  // uses only the first DilithiumCTilde bytes of sig
+            cp.challenge(outSig, 0, DilithiumCTilde);
             cp.polyNtt();
 
             // Compute z, reject if it reveals secret
@@ -478,235 +477,84 @@ byte[] generateSignature(SHAKEDigest shake256Digest, byte[] rho, byte[] key, byt
 
             w0.addPolyVecK(h);
             w0.conditionalAddQ();
-            n = h.makeHint(w0, w1);
+            int n = h.makeHint(w0, w1);
             if (n > DilithiumOmega)
             {
                 continue;
             }
 
-            return Packing.packSignature(outSig, z, h, this);
+            Packing.packSignature(outSig, z, h, this);
+            return outSig;
         }
 
+        // TODO[pqc] Shouldn't this throw an exception here (or in caller)?
         return null;
     }
 
-    public boolean verifyInternal(byte[] sig, int siglen, SHAKEDigest shake256Digest, byte[] rho, byte[] encT1)
+    boolean verifyInternal(byte[] sig, int siglen, SHAKEDigest shake256Digest, byte[] rho, byte[] encT1)
     {
         if (siglen != CryptoBytes)
         {
             return false;
         }
 
-        // System.out.println("publickey = ");
-        // Helper.printByteArray(publicKey);
-        byte[] buf,
-            mu = new byte[CrhBytes],
-            c,
-            c2 = new byte[DilithiumCTilde];
-        Poly cp = new Poly(this);
-        PolyVecMatrix aMatrix = new PolyVecMatrix(this);
+        PolyVecK h = new PolyVecK(this);
         PolyVecL z = new PolyVecL(this);
-        PolyVecK t1 = new PolyVecK(this), w1 = new PolyVecK(this), h = new PolyVecK(this);
-
-        t1 = Packing.unpackPublicKey(t1, encT1, this);
-
-        // System.out.println(t1.toString("t1"));
-
-        // System.out.println("rho = ");
-        // Helper.printByteArray(rho);
 
         if (!Packing.unpackSignature(z, h, sig, this))
         {
             return false;
         }
-        c = Arrays.copyOfRange(sig, 0, DilithiumCTilde);
-
-        // System.out.println(z.toString("z"));
-        // System.out.println(h.toString("h"));
 
         if (z.checkNorm(getDilithiumGamma1() - getDilithiumBeta()))
         {
             return false;
         }
 
-        shake256Digest.doFinal(mu, 0);
-
-        // System.out.println("mu after = ");
-        // Helper.printByteArray(mu);
-
-        // Matrix-vector multiplication; compute Az - c2^dt1
-        cp.challenge(Arrays.copyOfRange(c, 0, DilithiumCTilde));  // use only first DilithiumCTilde of c.
-        // System.out.println("cp = ");
-        // System.out.println(cp.toString());
-
-        aMatrix.expandMatrix(rho);
-        // System.out.println(aMatrix.toString("aMatrix = "));
-
-
-        z.polyVecNtt();
-        aMatrix.pointwiseMontgomery(w1, z);
-
-        cp.polyNtt();
-        // System.out.println("cp = ");
-        // System.out.println(cp.toString());
-
-        t1.shiftLeft();
-        t1.polyVecNtt();
-        t1.pointwisePolyMontgomery(cp, t1);
-
-        // System.out.println(t1.toString("t1"));
-
-        w1.subtract(t1);
-        w1.reduce();
-        w1.invNttToMont();
-
-        // System.out.println(w1.toString("w1 before caddq"));
-
-        // Reconstruct w1
-        w1.conditionalAddQ();
-        // System.out.println(w1.toString("w1 before hint"));
-        w1.useHint(w1, h);
-        // System.out.println(w1.toString("w1"));
-
-        buf = w1.packW1();
-
-        // System.out.println("buf = ");
-        // Helper.printByteArray(buf);
-
-        // System.out.println("mu = ");
-        // Helper.printByteArray(mu);
-
-        SHAKEDigest shakeDigest256 = new SHAKEDigest(256);
-        shakeDigest256.update(mu, 0, CrhBytes);
-        shakeDigest256.update(buf, 0, DilithiumK * DilithiumPolyW1PackedBytes);
-        shakeDigest256.doFinal(c2, 0, DilithiumCTilde);
-
-        // System.out.println("c = ");
-        // Helper.printByteArray(c);
+        byte[] buf = new byte[Math.max(CrhBytes + DilithiumK * DilithiumPolyW1PackedBytes, DilithiumCTilde)];
 
-        // System.out.println("c2 = ");
-        // Helper.printByteArray(c2);
+        // Mu
+        shake256Digest.doFinal(buf, 0);
 
-
-        return Arrays.constantTimeAreEqual(c, c2);
-    }
-
-    public boolean verifyInternal(byte[] sig, int siglen, byte[] msg, int msglen, byte[] rho, byte[] encT1)
-    {
-        if (siglen != CryptoBytes)
-        {
-            return false;
-        }
-
-        // System.out.println("publickey = ");
-        // Helper.printByteArray(publicKey);
-        byte[] buf,
-            mu = new byte[CrhBytes],
-            c,
-            c2 = new byte[DilithiumCTilde];
         Poly cp = new Poly(this);
         PolyVecMatrix aMatrix = new PolyVecMatrix(this);
-        PolyVecL z = new PolyVecL(this);
-        PolyVecK t1 = new PolyVecK(this), w1 = new PolyVecK(this), h = new PolyVecK(this);
+        PolyVecK t1 = new PolyVecK(this), w1 = new PolyVecK(this);
 
         t1 = Packing.unpackPublicKey(t1, encT1, this);
 
-        // System.out.println(t1.toString("t1"));
-
-        // System.out.println("rho = ");
-        // Helper.printByteArray(rho);
-
-        if (!Packing.unpackSignature(z, h, sig, this))
-        {
-            return false;
-        }
-        c = Arrays.copyOfRange(sig, 0, DilithiumCTilde);
-
-        // System.out.println(z.toString("z"));
-        // System.out.println(h.toString("h"));
-
-        if (z.checkNorm(getDilithiumGamma1() - getDilithiumBeta()))
-        {
-            return false;
-        }
-
-        // Compute crh(crh(rho, t1), msg)
-//        shake256Digest.update(rho, 0, rho.length);
-//        shake256Digest.update(encT1, 0, encT1.length);
-//        shake256Digest.doFinal(mu, 0, TrBytes);
-        // System.out.println("mu before = ");
-        // Helper.printByteArray(mu);
-
-        //shake256Digest.update(mu, 0, TrBytes);
-        shake256Digest.update(msg, 0, msglen);
-        shake256Digest.doFinal(mu, 0);
-
-        // System.out.println("mu after = ");
-        // Helper.printByteArray(mu);
-
         // Matrix-vector multiplication; compute Az - c2^dt1
-        cp.challenge(Arrays.copyOfRange(c, 0, DilithiumCTilde));  // use only first DilithiumCTilde of c.
-        // System.out.println("cp = ");
-        // System.out.println(cp.toString());
+        cp.challenge(sig, 0, DilithiumCTilde);
 
         aMatrix.expandMatrix(rho);
-        // System.out.println(aMatrix.toString("aMatrix = "));
-
 
         z.polyVecNtt();
         aMatrix.pointwiseMontgomery(w1, z);
 
         cp.polyNtt();
-        // System.out.println("cp = ");
-        // System.out.println(cp.toString());
 
         t1.shiftLeft();
         t1.polyVecNtt();
         t1.pointwisePolyMontgomery(cp, t1);
 
-        // System.out.println(t1.toString("t1"));
-
         w1.subtract(t1);
         w1.reduce();
         w1.invNttToMont();
 
-        // System.out.println(w1.toString("w1 before caddq"));
-
-        // Reconstruct w1
         w1.conditionalAddQ();
-        // System.out.println(w1.toString("w1 before hint"));
         w1.useHint(w1, h);
-        // System.out.println(w1.toString("w1"));
-
-        buf = w1.packW1();
-
-        // System.out.println("buf = ");
-        // Helper.printByteArray(buf);
 
-        // System.out.println("mu = ");
-        // Helper.printByteArray(mu);
+        w1.packW1(this, buf, CrhBytes);
 
-        SHAKEDigest shakeDigest256 = new SHAKEDigest(256);
-        shakeDigest256.update(mu, 0, CrhBytes);
-        shakeDigest256.update(buf, 0, DilithiumK * DilithiumPolyW1PackedBytes);
-        shakeDigest256.doFinal(c2, 0, DilithiumCTilde);
+        shake256Digest.update(buf, 0, CrhBytes + DilithiumK * DilithiumPolyW1PackedBytes);
+        shake256Digest.doFinal(buf, 0, DilithiumCTilde);
 
-        // System.out.println("c = ");
-        // Helper.printByteArray(c);
-
-        // System.out.println("c2 = ");
-        // Helper.printByteArray(c2);
-
-
-        return Arrays.constantTimeAreEqual(c, c2);
+        return Arrays.constantTimeAreEqual(DilithiumCTilde, sig, 0, buf, 0);
     }
 
-    public byte[][] generateKeyPair()
+    byte[][] generateKeyPair()
     {
         byte[] seedBuf = new byte[SeedBytes];
         random.nextBytes(seedBuf);
         return generateKeyPairInternal(seedBuf);
-
     }
-
 }

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/Packing.java

@@ -4,7 +4,6 @@
 
 class Packing
 {
-
     static byte[] packPublicKey(PolyVecK t1, MLDSAEngine engine)
     {
         byte[] out = new byte[engine.getCryptoPublicKeyBytes() - MLDSAEngine.SeedBytes];
@@ -62,7 +61,6 @@ static byte[][] packSecretKey(byte[] rho, byte[] tr, byte[] key, PolyVecK t0, Po
      * @param engine
      * @return Byte matrix where byte[0] = rho, byte[1] = tr, byte[2] = key
      */
-
     static void unpackSecretKey(PolyVecK t0, PolyVecL s1, PolyVecK s2, byte[] t0Enc, byte[] s1Enc, byte[] s2Enc, MLDSAEngine engine)
     {
         for (int i = 0; i < engine.getDilithiumL(); ++i)
@@ -81,40 +79,32 @@ static void unpackSecretKey(PolyVecK t0, PolyVecL s1, PolyVecK s2, byte[] t0Enc,
         }
     }
 
-    static byte[] packSignature(byte[] c, PolyVecL z, PolyVecK h, MLDSAEngine engine)
+    static void packSignature(byte[] sig, PolyVecL z, PolyVecK h, MLDSAEngine engine)
     {
-        int i, j, k, end = 0;
-        byte[] outBytes = new byte[engine.getCryptoBytes()];
-
-        System.arraycopy(c, 0, outBytes, 0, engine.getDilithiumCTilde());
-        end += engine.getDilithiumCTilde();
-
-        for (i = 0; i < engine.getDilithiumL(); ++i)
+        int end = engine.getDilithiumCTilde();
+        for (int i = 0; i < engine.getDilithiumL(); ++i)
         {
-            System.arraycopy(z.getVectorIndex(i).zPack(), 0, outBytes, end + i * engine.getDilithiumPolyZPackedBytes(), engine.getDilithiumPolyZPackedBytes());
+            z.getVectorIndex(i).zPack(sig, end);
+            end += engine.getDilithiumPolyZPackedBytes();
         }
-        end += engine.getDilithiumL() * engine.getDilithiumPolyZPackedBytes();
 
-        for (i = 0; i < engine.getDilithiumOmega() + engine.getDilithiumK(); ++i)
+        for (int i = 0; i < engine.getDilithiumOmega() + engine.getDilithiumK(); ++i)
         {
-            outBytes[end + i] = 0;
+            sig[end + i] = 0;
         }
 
-        k = 0;
-        for (i = 0; i < engine.getDilithiumK(); ++i)
+        int k = 0;
+        for (int i = 0; i < engine.getDilithiumK(); ++i)
         {
-            for (j = 0; j < MLDSAEngine.DilithiumN; ++j)
+            for (int j = 0; j < MLDSAEngine.DilithiumN; ++j)
             {
                 if (h.getVectorIndex(i).getCoeffIndex(j) != 0)
                 {
-                    outBytes[end + k++] = (byte)j;
+                    sig[end + k++] = (byte)j;
                 }
             }
-            outBytes[end + engine.getDilithiumOmega() + i] = (byte)k;
+            sig[end + engine.getDilithiumOmega() + i] = (byte)k;
         }
-
-        return outBytes;
-
     }
 
     static boolean unpackSignature(PolyVecL z, PolyVecK h, byte[] sig, MLDSAEngine engine)
@@ -161,5 +151,4 @@ static boolean unpackSignature(PolyVecL z, PolyVecK h, byte[] sig, MLDSAEngine e
         }
         return true;
     }
-
 }