Merge branch 'main' into 1857-1-javadoc

Author: gefeili

core/src/main/java/org/bouncycastle/pqc/crypto/lms/HSSPrivateKeyParameters.java

@@ -129,7 +129,7 @@ else if (src instanceof byte[])
                 {
                     // old style single LMS key.
                     LMSPrivateKeyParameters lmsKey = LMSPrivateKeyParameters.getInstance(src);
-                    return new HSSPrivateKeyParameters(lmsKey, lmsKey.getIndex(), lmsKey.getIndex() + lmsKey.getUsagesRemaining());
+                    return new HSSPrivateKeyParameters(lmsKey, lmsKey.getIndex(), lmsKey.getIndexLimit());
                 }
             }
             finally
@@ -212,7 +212,7 @@ long getIndexLimit()
 
     public long getUsagesRemaining()
     {
-        return indexLimit - index;
+        return getIndexLimit() - getIndex();
     }
 
     LMSPrivateKeyParameters getRootKey()
@@ -233,32 +233,33 @@ public HSSPrivateKeyParameters extractKeyShard(int usageCount)
     {
         synchronized (this)
         {
-
-            if (getUsagesRemaining() < usageCount)
+            if (usageCount < 0)
+            {
+                throw new IllegalArgumentException("usageCount cannot be negative");
+            }
+            if (usageCount > indexLimit - index)
             {
                 throw new IllegalArgumentException("usageCount exceeds usages remaining in current leaf");
             }
 
-            long maxIndexForShard = index + usageCount;
-            long shardStartIndex = index;
+            long shardIndex = index;
+            long shardIndexLimit = index + usageCount;
 
-            //
-            // Move this keys index along
-            //
-            index += usageCount;
+            // Move this key's index along
+            index = shardIndexLimit;
 
             List<LMSPrivateKeyParameters> keys = new ArrayList<LMSPrivateKeyParameters>(this.getKeys());
             List<LMSSignature> sig = new ArrayList<LMSSignature>(this.getSig());
 
-            HSSPrivateKeyParameters shard = makeCopy(new HSSPrivateKeyParameters(l, keys, sig, shardStartIndex, maxIndexForShard, true));
+            HSSPrivateKeyParameters shard = makeCopy(
+                new HSSPrivateKeyParameters(l, keys, sig, shardIndex, shardIndexLimit, true));
 
             resetKeyToIndex();
 
             return shard;
         }
     }
 
-
     synchronized List<LMSPrivateKeyParameters> getKeys()
     {
         return keys;

core/src/main/java/org/bouncycastle/pqc/crypto/lms/LMSPrivateKeyParameters.java

@@ -253,14 +253,22 @@ public LMSPrivateKeyParameters extractKeyShard(int usageCount)
     {
         synchronized (this)
         {
-            if (q + usageCount >= maxQ)
+            if (usageCount < 0)
+            {
+                throw new IllegalArgumentException("usageCount cannot be negative");
+            }
+            if (usageCount > maxQ - q)
             {
                 throw new IllegalArgumentException("usageCount exceeds usages remaining");
             }
-            LMSPrivateKeyParameters keyParameters = new LMSPrivateKeyParameters(this, q, q + usageCount);
-            q += usageCount;
 
-            return keyParameters;
+            int shardIndex = q;
+            int shardIndexLimit = q + usageCount;
+
+            // Move this key's index along
+            q = shardIndexLimit;
+
+            return new LMSPrivateKeyParameters(this, shardIndex, shardIndexLimit);
         }
     }
 
@@ -284,9 +292,15 @@ public byte[] getMasterSecret()
         return Arrays.clone(masterSecret);
     }
 
+    public int getIndexLimit()
+    {
+        return maxQ;
+    }
+
+    // TODO Only needs 'int'
     public long getUsagesRemaining()
     {
-        return maxQ - getIndex();
+        return getIndexLimit() - getIndex();
     }
 
     public LMSPublicKeyParameters getPublicKey()

core/src/main/java/org/bouncycastle/pqc/crypto/lms/LMSSigner.java

@@ -15,11 +15,41 @@ public void init(boolean forSigning, CipherParameters param)
     {
          if (forSigning)
          {
-             privKey = (LMSPrivateKeyParameters)param;
+             if (param instanceof HSSPrivateKeyParameters)
+             {
+                 HSSPrivateKeyParameters hssPriv = (HSSPrivateKeyParameters)param;
+                 if (hssPriv.getL() == 1)
+                 {
+                     privKey = hssPriv.getRootKey();
+                 }
+                 else
+                 {
+                     throw new IllegalArgumentException("only a single level HSS key can be used with LMS");
+                 }
+             }
+             else
+             {
+                 privKey = (LMSPrivateKeyParameters)param;
+             }
          }
          else
          {
-             pubKey = (LMSPublicKeyParameters)param;
+             if (param instanceof HSSPublicKeyParameters)
+             {
+                 HSSPublicKeyParameters hssPub = (HSSPublicKeyParameters)param;
+                 if (hssPub.getL() == 1)
+                 {
+                     pubKey = hssPub.getLMSPublicKey();
+                 }
+                 else
+                 {
+                     throw new IllegalArgumentException("only a single level HSS key can be used with LMS");
+                 }
+             }
+             else
+             {
+                 pubKey = (LMSPublicKeyParameters)param;
+             }
          }
     }
 

core/src/main/java/org/bouncycastle/pqc/crypto/lms/LMSigParameters.java

@@ -94,7 +94,7 @@ public ASN1ObjectIdentifier getDigestOID()
         return digestOid;
     }
 
-    static LMSigParameters getParametersForType(int type)
+    public static LMSigParameters getParametersForType(int type)
     {
         return paramBuilders.get(type);
     }

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMEngine.java

@@ -187,6 +187,16 @@ public void init(SecureRandom random)
         this.random = random;
     }
 
+    public byte[][] generateKemKeyPair()
+    {
+        byte[] d = new byte[KyberSymBytes];
+        byte[] z = new byte[KyberSymBytes];
+        random.nextBytes(d);
+        random.nextBytes(z);
+
+        return generateKemKeyPairInternal(d, z);
+    }
+
     //Internal functions are deterministic. No randomness is sampled inside them
     public byte[][] generateKemKeyPairInternal(byte[] d, byte[] z)
     {
@@ -202,7 +212,15 @@ public byte[][] generateKemKeyPairInternal(byte[] d, byte[] z)
 
         byte[] outputPublicKey = new byte[KyberIndCpaPublicKeyBytes];
         System.arraycopy(indCpaKeyPair[0], 0, outputPublicKey, 0, KyberIndCpaPublicKeyBytes);
-        return new byte[][]{ Arrays.copyOfRange(outputPublicKey, 0, outputPublicKey.length - 32), Arrays.copyOfRange(outputPublicKey, outputPublicKey.length - 32, outputPublicKey.length), s, hashedPublicKey, z, Arrays.concatenate(d, z)};
+        return new byte[][]
+        {
+            Arrays.copyOfRange(outputPublicKey, 0, outputPublicKey.length - 32),
+            Arrays.copyOfRange(outputPublicKey, outputPublicKey.length - 32, outputPublicKey.length),
+            s,
+            hashedPublicKey,
+            z,
+            Arrays.concatenate(d, z)
+        };
     }
 
     public byte[][] kemEncryptInternal(byte[] publicKeyInput, byte[] randBytes)
@@ -263,16 +281,6 @@ public byte[] kemDecryptInternal(byte[] secretKey, byte[] cipherText)
         return Arrays.copyOfRange(kr, 0, sessionKeyLength);
     }
 
-    public byte[][] generateKemKeyPair()
-    {
-        byte[] d = new byte[KyberSymBytes];
-        byte[] z = new byte[KyberSymBytes];
-        random.nextBytes(d);
-        random.nextBytes(z);
-
-        return generateKemKeyPairInternal(d, z);
-    }
-
     public byte[][] kemEncrypt(byte[] publicKeyInput, byte[] randBytes)
     {
         //TODO: do input validation elsewhere?

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMIndCpa.java

@@ -1,13 +1,11 @@
 package org.bouncycastle.pqc.crypto.mlkem;
 
-import org.bouncycastle.crypto.digests.SHAKEDigest;
 import org.bouncycastle.util.Arrays;
 
 class MLKEMIndCpa
 {
     private MLKEMEngine engine;
     private int kyberK;
-    private int eta1;
     private int indCpaPublicKeyBytes;
     private int polyVecBytes;
     private int indCpaBytes;
@@ -20,7 +18,6 @@ public MLKEMIndCpa(MLKEMEngine engine)
     {
         this.engine = engine;
         this.kyberK = engine.getKyberK();
-        this.eta1 = engine.getKyberEta1();
         this.indCpaPublicKeyBytes = engine.getKyberPublicKeyBytes();
         this.polyVecBytes = engine.getKyberPolyVecBytes();
         this.indCpaBytes = engine.getKyberIndCpaBytes();
@@ -54,9 +51,7 @@ byte[][] generateKeyPair(byte[] d)
         // (p, sigma) <- G(d || k)
 
         byte[] buf = new byte[64];
-        byte[] k = new byte[1];
-        k[0] = (byte)kyberK;
-        symmetric.hash_g(buf, Arrays.concatenate(d, k));
+        symmetric.hash_g(buf, Arrays.append(d, (byte)kyberK));
 
         byte[] publicSeed = new byte[32]; // p in docs
         byte[] noiseSeed = new byte[32]; // sigma in docs
@@ -320,7 +315,6 @@ public void unpackSecretKey(PolyVec secretKeyPolyVec, byte[] secretKey)
     public void generateMatrix(PolyVec[] aMatrix, byte[] seed, boolean transposed)
     {
         int i, j, k, ctr, off;
-        SHAKEDigest kyberXOF;
         byte[] buf = new byte[KyberGenerateMatrixNBlocks * symmetric.xofBlockBytes + 2];
         for (i = 0; i < kyberK; i++)
         {
@@ -383,7 +377,6 @@ private static int rejectionSampling(Poly outputBuffer, int coeffOff, int len, b
 
     public byte[] decrypt(byte[] secretKey, byte[] cipherText)
     {
-        int i;
         byte[] outputMessage = new byte[MLKEMEngine.getKyberIndCpaMsgBytes()];
 
         PolyVec bp = new PolyVec(engine), secretKeyPolyVec = new PolyVec(engine);

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMKeyPairGenerator.java

@@ -50,9 +50,8 @@ public AsymmetricCipherKeyPair internalGenerateKeyPair(byte[] d, byte[] z)
         byte[][] keyPair = mlkemParams.getEngine().generateKemKeyPairInternal(d, z);
 
         MLKEMPublicKeyParameters pubKey = new MLKEMPublicKeyParameters(mlkemParams, keyPair[0], keyPair[1]);
-        MLKEMPrivateKeyParameters privKey = new MLKEMPrivateKeyParameters(mlkemParams,  keyPair[2], keyPair[3], keyPair[4], keyPair[0], keyPair[1]);
+        MLKEMPrivateKeyParameters privKey = new MLKEMPrivateKeyParameters(mlkemParams,  keyPair[2], keyPair[3], keyPair[4], keyPair[0], keyPair[1], keyPair[5]);
 
         return new AsymmetricCipherKeyPair(pubKey, privKey);
     }
-
 }

core/src/main/java/org/bouncycastle/pqc/crypto/ntru/NTRUKEMExtractor.java

@@ -11,7 +11,6 @@
 public class NTRUKEMExtractor
     implements EncapsulatedSecretExtractor
 {
-    private final NTRUParameters params;
     private final NTRUPrivateKeyParameters ntruPrivateKey;
 
     /**
@@ -22,53 +21,50 @@ public class NTRUKEMExtractor
      */
     public NTRUKEMExtractor(NTRUPrivateKeyParameters ntruPrivateKey)
     {
-        this.params = ntruPrivateKey.getParameters();
+        if (ntruPrivateKey == null)
+        {
+            throw new NullPointerException("'ntruPrivateKey' cannot be null");
+        }
+
         this.ntruPrivateKey = ntruPrivateKey;
     }
 
-
-    @Override
     public byte[] extractSecret(byte[] encapsulation)
     {
-//        assert this.ntruPrivateKey != null;
-        NTRUParameterSet parameterSet = this.params.parameterSet;
+        NTRUParameterSet parameterSet = ntruPrivateKey.getParameters().getParameterSet();
+
+        if (encapsulation == null)
+        {
+            throw new NullPointerException("'encapsulation' cannot be null");
+        }
+        if (encapsulation.length != parameterSet.ntruCiphertextBytes())
+        {
+            throw new IllegalArgumentException("encapsulation");
+        }
 
         byte[] sk = this.ntruPrivateKey.privateKey;
-        int i, fail;
-        byte[] rm;
-        byte[] buf = new byte[parameterSet.prfKeyBytes() + parameterSet.ntruCiphertextBytes()];
 
         NTRUOWCPA owcpa = new NTRUOWCPA(parameterSet);
-        OWCPADecryptResult owcpaResult = owcpa.decrypt(encapsulation, ntruPrivateKey.privateKey);
-        rm = owcpaResult.rm;
-        fail = owcpaResult.fail;
+        OWCPADecryptResult owcpaResult = owcpa.decrypt(encapsulation, sk);
+        byte[] rm = owcpaResult.rm;
+        int fail = owcpaResult.fail;
         /* If fail = 0 then c = Enc(h, rm). There is no need to re-encapsulate. */
         /* See comment in owcpa_dec for details.                                */
 
         SHA3Digest sha3256 = new SHA3Digest(256);
-
         byte[] k = new byte[sha3256.getDigestSize()];
 
         sha3256.update(rm, 0, rm.length);
         sha3256.doFinal(k, 0);
 
         /* shake(secret PRF key || input ciphertext) */
-        for (i = 0; i < parameterSet.prfKeyBytes(); i++)
-        {
-            buf[i] = sk[i + parameterSet.owcpaSecretKeyBytes()];
-        }
-        for (i = 0; i < parameterSet.ntruCiphertextBytes(); i++)
-        {
-            buf[parameterSet.prfKeyBytes() + i] = encapsulation[i];
-        }
-        sha3256.reset();
-        sha3256.update(buf, 0, buf.length);
+        sha3256.update(sk, parameterSet.owcpaSecretKeyBytes(), parameterSet.prfKeyBytes());
+        sha3256.update(encapsulation, 0, encapsulation.length);
         sha3256.doFinal(rm, 0);
 
         cmov(k, rm, (byte)fail);
 
         byte[] sharedKey = Arrays.copyOfRange(k, 0, parameterSet.sharedKeyBytes());
-
         Arrays.clear(k);
 
         return sharedKey;
@@ -85,6 +81,6 @@ private void cmov(byte[] r, byte[] x, byte b)
 
     public int getEncapsulationLength()
     {
-        return params.parameterSet.ntruCiphertextBytes();
+        return ntruPrivateKey.getParameters().getParameterSet().ntruCiphertextBytes();
     }
 }