TODO: SnovaSigner

Author: gefeili

core/src/main/java/org/bouncycastle/pqc/crypto/mayo/MayoSigner.java

@@ -50,7 +50,6 @@ public class MayoSigner
     @Override
     public void init(boolean forSigning, CipherParameters param)
     {
-
         if (forSigning)
         {
             pubKey = null;

core/src/main/java/org/bouncycastle/pqc/crypto/snova/SnovaKeyPairGenerator.java

@@ -71,8 +71,8 @@ public AsymmetricCipherKeyPair generateKeyPair()
         }
 
         return new AsymmetricCipherKeyPair(
-            new SnovaPublicKeyParameters(pk),
-            new SnovaPrivateKeyParameters(sk)
+            new SnovaPublicKeyParameters(params, pk),
+            new SnovaPrivateKeyParameters(params, sk)
         );
     }
 

core/src/main/java/org/bouncycastle/pqc/crypto/snova/SnovaParameters.java

@@ -177,4 +177,14 @@ public int getPrivateKeyLength()
         return ((l * l * (4 * o * alpha + o * (v * v + v * o + o * v) + v * o) + 1) >> 1)
             + SnovaKeyPairGenerator.privateSeedLength + SnovaKeyPairGenerator.publicSeedLength;
     }
+
+    public int getN()
+    {
+        return v + o;
+    }
+
+    public int getLsq()
+    {
+        return l * l;
+    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/snova/SnovaPrivateKeyParameters.java

@@ -7,11 +7,13 @@ public class SnovaPrivateKeyParameters
     extends AsymmetricKeyParameter
 {
     private final byte[] privateKey;
+    private final SnovaParameters parameters;
 
-    public SnovaPrivateKeyParameters(byte[] privateKey)
+    public SnovaPrivateKeyParameters(SnovaParameters parameters, byte[] privateKey)
     {
         super(true);
         this.privateKey = Arrays.clone(privateKey);
+        this.parameters = parameters;
     }
 
     public byte[] getPrivateKey()
@@ -23,4 +25,9 @@ public byte[] getEncoded()
     {
         return Arrays.clone(privateKey);
     }
+
+    public SnovaParameters getParameters()
+    {
+        return parameters;
+    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/snova/SnovaPublicKeyParameters.java

@@ -7,11 +7,13 @@ public class SnovaPublicKeyParameters
     extends AsymmetricKeyParameter
 {
     private final byte[] publicKey;
+    private final SnovaParameters parameters;
 
-    public SnovaPublicKeyParameters(byte[] publicKey)
+    public SnovaPublicKeyParameters(SnovaParameters parameters, byte[] publicKey)
     {
         super(false);
         this.publicKey = Arrays.clone(publicKey);
+        this.parameters = parameters;
     }
 
     public byte[] getPublicKey()
@@ -23,4 +25,9 @@ public byte[] getEncoded()
     {
         return Arrays.clone(publicKey);
     }
+
+    public SnovaParameters getParameters()
+    {
+        return parameters;
+    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/snova/SnovaSigner.java

@@ -0,0 +1,298 @@
+package org.bouncycastle.pqc.crypto.snova;
+
+import java.security.SecureRandom;
+import java.util.Arrays;
+
+import org.bouncycastle.crypto.CipherParameters;
+import org.bouncycastle.crypto.CryptoException;
+import org.bouncycastle.crypto.CryptoServicesRegistrar;
+import org.bouncycastle.crypto.DataLengthException;
+import org.bouncycastle.crypto.Signer;
+import org.bouncycastle.crypto.digests.SHAKEDigest;
+import org.bouncycastle.crypto.params.ParametersWithRandom;
+
+public class SnovaSigner
+    implements Signer
+{
+    private SnovaParameters params;
+    private SnovaEngine engine;
+    private SecureRandom random;
+    private final SHAKEDigest digest = new SHAKEDigest(256);
+
+    private SnovaPublicKeyParameters pubKey;
+    private SnovaPrivateKeyParameters privKey;
+
+    @Override
+    public void init(boolean forSigning, CipherParameters param)
+    {
+        if (forSigning)
+        {
+            pubKey = null;
+
+            if (param instanceof ParametersWithRandom)
+            {
+                ParametersWithRandom withRandom = (ParametersWithRandom)param;
+                privKey = (SnovaPrivateKeyParameters)withRandom.getParameters();
+                random = withRandom.getRandom();
+            }
+            else
+            {
+                privKey = (SnovaPrivateKeyParameters)param;
+                random = CryptoServicesRegistrar.getSecureRandom();
+            }
+            params = privKey.getParameters();
+        }
+        else
+        {
+            pubKey = (SnovaPublicKeyParameters)param;
+            params = pubKey.getParameters();
+            privKey = null;
+            random = null;
+        }
+    }
+
+    @Override
+    public void update(byte b)
+    {
+        digest.update(b);
+    }
+
+    @Override
+    public void update(byte[] in, int off, int len)
+    {
+        digest.update(in, off, len);
+    }
+
+    @Override
+    public byte[] generateSignature()
+        throws CryptoException, DataLengthException
+    {
+        return new byte[0];
+    }
+
+    @Override
+    public boolean verifySignature(byte[] signature)
+    {
+        return false;
+    }
+
+    @Override
+    public void reset()
+    {
+
+    }
+
+    public static void createSignedHash(
+        byte[] digest, int bytesDigest,
+        byte[] ptPublicKeySeed, int seedLengthPublic,
+        byte[] arraySalt, int bytesSalt,
+        byte[] signedHashOut, int bytesHash
+    )
+    {
+        // Initialize SHAKE256 XOF
+        SHAKEDigest shake = new SHAKEDigest(256);
+
+        // 1. Absorb public key seed
+        shake.update(ptPublicKeySeed, 0, seedLengthPublic);
+
+        // 2. Absorb message digest
+        shake.update(digest, 0, bytesDigest);
+
+        // 3. Absorb salt
+        shake.update(arraySalt, 0, bytesSalt);
+
+        // 4. Finalize absorption and squeeze output
+        shake.doFinal(signedHashOut, 0, bytesHash);
+    }
+
+    public void signDigestCore(byte[] ptSignature, byte[] digest, byte[] arraySalt,
+                               byte[][][][] Aalpha, byte[][][][] Balpha,
+                               byte[][][][] Qalpha1, byte[][][][] Qalpha2,
+                               byte[][][][] T12, byte[][][][] F11,
+                               byte[][][][] F12, byte[][][][] F21,
+                               byte[] ptPublicKeySeed, byte[] ptPrivateKeySeed)
+    {
+        // Initialize constants from parameters
+        final int m = params.getM();
+        final int lsq = params.getLsq();
+        final int alpha = params.getAlpha();
+        final int v = params.getV();
+        final int o = params.getO();
+        final int n = params.getN();
+        final int bytesHash = (o * lsq + 1) >>> 1;
+        final int bytesSalt = 16;
+
+        // Initialize matrices and arrays
+        byte[][] Gauss = new byte[m * lsq][m * lsq + 1];
+        byte[][] Temp = new byte[lsq][lsq];
+        byte[] solution = new byte[m * lsq];
+
+        byte[][][] Left = new byte[m][alpha][v];
+        byte[][][] Right = new byte[m][alpha][v];
+        byte[][] XInGF16Matrix = new byte[n][lsq];
+        byte[][] FvvGF16Matrix = new byte[m][lsq];
+        byte[] hashInGF16 = new byte[m * lsq];
+        byte[][] signatureGF16Matrix = new byte[n][lsq];
+
+        byte[] signedHash = new byte[bytesHash];
+        byte[] vinegarBytes = new byte[(v * lsq + 1) / 2];
+
+        // Temporary matrices
+        byte[] gf16mTemp0 = new byte[lsq];
+        byte[] gf16mTemp1 = new byte[lsq];
+        byte[] gf16mSecretTemp0 = new byte[lsq];
+
+        int flagRedo;
+        byte numSign = 0;
+
+        // Step 1: Create signed hash
+        createSignedHash(digest, digest.length, ptPublicKeySeed, ptPublicKeySeed.length,
+            arraySalt, arraySalt.length, signedHash, bytesHash);
+        GF16Utils.decode(signedHash, 0, hashInGF16, 0, hashInGF16.length);
+
+        do
+        {
+            // Initialize Gauss matrix
+            Arrays.stream(Gauss).forEach(row -> Arrays.fill(row, (byte)0));
+            numSign++;
+            flagRedo = 0;
+
+            // Fill last column of Gauss matrix
+            for (int i = 0; i < m * lsq; i++)
+            {
+                Gauss[i][m * lsq] = hashInGF16[i];
+            }
+
+            // Generate vinegar values
+            SHAKEDigest shake = new SHAKEDigest(256);
+            shake.update(ptPrivateKeySeed, 0, ptPrivateKeySeed.length);
+            shake.update(digest, 0, digest.length);
+            shake.update(arraySalt, 0, arraySalt.length);
+            shake.update(new byte[]{numSign}, 0, 1);
+            shake.doFinal(vinegarBytes, 0, vinegarBytes.length);
+            //GF16Utils.decode(vinegarBytes, 0, XInGF16Matrix, 0, v * lsq);
+
+            // Evaluate vinegar part of central map
+            for (int mi = 0; mi < m; mi++)
+            {
+                for (int a = 0; a < alpha; a++)
+                {
+                    for (int idx = 0; idx < v; idx++)
+                    {
+                        transposeGF16Matrix(XInGF16Matrix[idx], gf16mTemp0);
+//                        multiplyGF16Matrices(gf16mTemp0, Qalpha1[mi][a], gf16mTemp1);
+//                        multiplyGF16Matrices(Aalpha[mi][a], gf16mTemp1, Left[mi][a][idx]);
+//
+//                        multiplyGF16Matrices(Qalpha2[mi][a], XInGF16Matrix[idx], gf16mTemp1);
+//                        multiplyGF16Matrices(gf16mTemp1, Balpha[mi][a], Right[mi][a][idx]);
+                    }
+                }
+            }
+
+            // Matrix operations for Fvv
+            Arrays.stream(FvvGF16Matrix).forEach(row -> Arrays.fill(row, (byte)0));
+            for (int mi = 0; mi < m; mi++)
+            {
+                for (int a = 0; a < alpha; a++)
+                {
+                    int miPrime = iPrime(mi, a);
+                    for (int j = 0; j < v; j++)
+                    {
+                        for (int k = 0; k < v; k++)
+                        {
+//                            multiplyGF16Matrices(Left[mi][a][j], F11[miPrime][j][k], gf16mTemp0);
+//                            multiplyGF16Matrices(gf16mTemp0, Right[mi][a][k], gf16mTemp1);
+                            //GF16Utils.addGF16Matrices(FvvGF16Matrix[mi], gf16mTemp1, FvvGF16Matrix[mi]);
+                        }
+                    }
+                }
+            }
+
+            // Gaussian elimination setup
+            for (int i = 0; i < m; i++)
+            {
+                for (int j = 0; j < params.getL(); j++)
+                {
+                    for (int k = 0; k < params.getL(); k++)
+                    {
+                        int idx1 = i * lsq + j * params.getL() + k;
+                        Gauss[idx1][m * lsq] = GF16Utils.add(
+                            Gauss[idx1][m * lsq],
+                            engine.getGF16m(FvvGF16Matrix[i], j, k)
+                        );
+                    }
+                }
+            }
+
+            // Gaussian elimination implementation
+            flagRedo = performGaussianElimination(Gauss, solution, m * lsq);
+
+        }
+        while (flagRedo != 0);
+
+        // Build final signature
+        buildSignature(XInGF16Matrix, signatureGF16Matrix, T12, v, o, lsq);
+        convertGF16MatrixToBytes(ptSignature, signatureGF16Matrix, n * lsq);
+        //System.arraycopy(arraySalt, 0, ptSignature, params.getBytesSignature(), bytesSalt);
+
+        // Clear sensitive data
+        Arrays.fill(gf16mSecretTemp0, (byte)0);
+    }
+
+    private void transposeGF16Matrix(byte[] src, byte[] dest)
+    {
+        for (int i = 0; i < params.getL(); i++)
+        {
+            for (int j = 0; j < params.getL(); j++)
+            {
+                engine.setGF16m(dest, i, j, engine.getGF16m(src, j, i));
+            }
+        }
+    }
+
+    private void multiplyGF16Matrices(byte[] a, byte[] b, byte[] result)
+    {
+        Arrays.fill(result, (byte)0);
+        for (int i = 0; i < params.getL(); i++)
+        {
+            for (int j = 0; j < params.getL(); j++)
+            {
+                byte sum = 0;
+                for (int k = 0; k < params.getL(); k++)
+                {
+                    sum = GF16Utils.add(sum, GF16Utils.mul(
+                        engine.getGF16m(a, i, k),
+                        engine.getGF16m(b, k, j)
+                    ));
+                }
+                engine.setGF16m(result, i, j, sum);
+            }
+        }
+    }
+
+    private int performGaussianElimination(byte[][] Gauss, byte[] solution, int size)
+    {
+        // Implementation of Gaussian elimination with GF16 arithmetic
+        // ... (similar structure to C code's elimination steps)
+        return 0; // Return 0 if successful, 1 if needs redo
+    }
+
+    private void buildSignature(byte[][] XIn, byte[][] signature,
+                                byte[][][][] T12, int v, int o, int lsq)
+    {
+        // Implementation of signature construction
+        // ... (similar to C code's final matrix operations)
+    }
+
+    private void convertGF16MatrixToBytes(byte[] output, byte[][] matrix, int totalElements)
+    {
+        // Conversion implementation using GF16Utils.encode
+    }
+
+    private int iPrime(int mi, int alpha)
+    {
+        // Implement index calculation based on SNOVA specification
+        return (mi + alpha) % params.getM();
+    }
+
+}

core/src/test/java/org/bouncycastle/pqc/crypto/test/SnovaTest.java

@@ -13,6 +13,7 @@
 import org.bouncycastle.pqc.crypto.snova.SnovaParameters;
 import org.bouncycastle.pqc.crypto.snova.SnovaPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.snova.SnovaPublicKeyParameters;
+import org.bouncycastle.pqc.crypto.snova.SnovaSigner;
 
 
 public class SnovaTest
@@ -158,7 +159,7 @@ public byte[] getPrivateKeyEncoded(CipherParameters privParams)
             @Override
             public Signer getSigner()
             {
-                return null;
+                return new SnovaSigner();
             }
 
             @Override