refactor of ML-DSA verification to use digest as accumulator.

Author: dghgit

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/HashMLDSASigner.java

@@ -63,6 +63,16 @@ public void init(boolean forSigning, CipherParameters param)
         {
             pubKey = (MLDSAPublicKeyParameters)param;
 
+            engine = pubKey.getParameters().getEngine(this.random);
+
+            byte[] ctx = pubKey.getContext();
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("context too long");
+            }
+
+            engine.initVerify(pubKey.rho, pubKey.t1, true, ctx);
+
             initDigest(pubKey);
         }
 
@@ -114,12 +124,23 @@ public byte[] generateSignature() throws CryptoException, DataLengthException
 
         byte[] ds_message = Arrays.concatenate(digestOidEncoding, hash);
 
-        return engine.signInternal(ds_message, ds_message.length, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
+        msgDigest.update(ds_message, 0, ds_message.length);
+
+        return engine.generateSignature(msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
     }
 
     @Override
     public boolean verifySignature(byte[] signature)
     {
+        SHAKEDigest msgDigest = engine.getShake256Digest();
+        byte[] hash = new byte[digest.getDigestSize()];
+
+        digest.doFinal(hash, 0);
+
+        byte[] ds_message = Arrays.concatenate(digestOidEncoding, hash);
+
+        msgDigest.update(ds_message, 0, ds_message.length);
+
         MLDSAEngine engine = pubKey.getParameters().getEngine(random);
 
         byte[] ctx = pubKey.getContext();
@@ -128,17 +149,7 @@ public boolean verifySignature(byte[] signature)
             throw new RuntimeException("Context too long");
         }
 
-        byte[] hash = new byte[digest.getDigestSize()];
-        digest.doFinal(hash, 0);
-
-        byte[] ds_message = new byte[1 + 1 + ctx.length + + digestOidEncoding.length + hash.length];
-        ds_message[0] = 1;
-        ds_message[1] = (byte)ctx.length;
-        System.arraycopy(ctx, 0, ds_message, 2, ctx.length);
-        System.arraycopy(digestOidEncoding, 0, ds_message, 2 + ctx.length, digestOidEncoding.length);
-        System.arraycopy(hash, 0, ds_message, 2 + ctx.length + digestOidEncoding.length, hash.length);
-
-        return engine.verifyInternal(signature, signature.length, ds_message, ds_message.length, pubKey.rho, pubKey.t1);
+        return engine.verifyInternal(signature, signature.length, msgDigest, pubKey.rho, pubKey.t1);
     }
 
     /**

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAEngine.java

@@ -309,6 +309,7 @@ SHAKEDigest getShake256Digest()
     {
         return new SHAKEDigest(shake256Digest);
     }
+
     void initSign(byte[] tr, boolean isPreHash, byte[] ctx)
     {
         this.shake256Digest.update(tr, 0, TrBytes);
@@ -320,6 +321,26 @@ void initSign(byte[] tr, boolean isPreHash, byte[] ctx)
         }
     }
 
+    void initVerify(byte[] rho, byte[] encT1, boolean isPreHash, byte[] ctx)
+    {
+        byte[] mu = new byte[TrBytes];
+
+        shake256Digest.update(rho, 0, rho.length);
+        shake256Digest.update(encT1, 0, encT1.length);
+        shake256Digest.doFinal(mu, 0, TrBytes);
+        // System.out.println("mu before = ");
+        // Helper.printByteArray(mu);
+
+        shake256Digest.update(mu, 0, TrBytes);
+
+        if (ctx != null)
+        {
+            this.shake256Digest.update((isPreHash) ? (byte)1 : (byte)0);
+            this.shake256Digest.update((byte)ctx.length);
+            this.shake256Digest.update(ctx, 0, ctx.length);
+        }
+    }
+
     public byte[] signInternal(byte[] msg, int msglen, byte[] rho, byte[] key, byte[] t0Enc, byte[] s1Enc, byte[] s2Enc, byte[] rnd)
     {
         SHAKEDigest shake256 = new SHAKEDigest(shake256Digest);
@@ -428,6 +449,107 @@ byte[] generateSignature(SHAKEDigest shake256Digest, byte[] rho, byte[] key, byt
         return null;
     }
 
+    public boolean verifyInternal(byte[] sig, int siglen, SHAKEDigest shake256Digest, byte[] rho, byte[] encT1)
+    {
+        if (siglen != CryptoBytes)
+        {
+            return false;
+        }
+
+        // System.out.println("publickey = ");
+        // Helper.printByteArray(publicKey);
+        byte[] buf,
+            mu = new byte[CrhBytes],
+            c,
+            c2 = new byte[DilithiumCTilde];
+        Poly cp = new Poly(this);
+        PolyVecMatrix aMatrix = new PolyVecMatrix(this);
+        PolyVecL z = new PolyVecL(this);
+        PolyVecK t1 = new PolyVecK(this), w1 = new PolyVecK(this), h = new PolyVecK(this);
+
+        t1 = Packing.unpackPublicKey(t1, encT1, this);
+
+        // System.out.println(t1.toString("t1"));
+
+        // System.out.println("rho = ");
+        // Helper.printByteArray(rho);
+
+        if (!Packing.unpackSignature(z, h, sig, this))
+        {
+            return false;
+        }
+        c = Arrays.copyOfRange(sig, 0, DilithiumCTilde);
+
+        // System.out.println(z.toString("z"));
+        // System.out.println(h.toString("h"));
+
+        if (z.checkNorm(getDilithiumGamma1() - getDilithiumBeta()))
+        {
+            return false;
+        }
+
+        shake256Digest.doFinal(mu, 0);
+
+        // System.out.println("mu after = ");
+        // Helper.printByteArray(mu);
+
+        // Matrix-vector multiplication; compute Az - c2^dt1
+        cp.challenge(Arrays.copyOfRange(c, 0, DilithiumCTilde));  // use only first DilithiumCTilde of c.
+        // System.out.println("cp = ");
+        // System.out.println(cp.toString());
+
+        aMatrix.expandMatrix(rho);
+        // System.out.println(aMatrix.toString("aMatrix = "));
+
+
+        z.polyVecNtt();
+        aMatrix.pointwiseMontgomery(w1, z);
+
+        cp.polyNtt();
+        // System.out.println("cp = ");
+        // System.out.println(cp.toString());
+
+        t1.shiftLeft();
+        t1.polyVecNtt();
+        t1.pointwisePolyMontgomery(cp, t1);
+
+        // System.out.println(t1.toString("t1"));
+
+        w1.subtract(t1);
+        w1.reduce();
+        w1.invNttToMont();
+
+        // System.out.println(w1.toString("w1 before caddq"));
+
+        // Reconstruct w1
+        w1.conditionalAddQ();
+        // System.out.println(w1.toString("w1 before hint"));
+        w1.useHint(w1, h);
+        // System.out.println(w1.toString("w1"));
+
+        buf = w1.packW1();
+
+        // System.out.println("buf = ");
+        // Helper.printByteArray(buf);
+
+        // System.out.println("mu = ");
+        // Helper.printByteArray(mu);
+
+        SHAKEDigest shakeDigest256 = new SHAKEDigest(256);
+        shakeDigest256.update(mu, 0, CrhBytes);
+        shakeDigest256.update(buf, 0, DilithiumK * DilithiumPolyW1PackedBytes);
+        shakeDigest256.doFinal(c2, 0, DilithiumCTilde);
+
+        // System.out.println("c = ");
+        // Helper.printByteArray(c);
+
+        // System.out.println("c2 = ");
+        // Helper.printByteArray(c2);
+
+
+        return Arrays.constantTimeAreEqual(c, c2);
+    }
+
     public boolean verifyInternal(byte[] sig, int siglen, byte[] msg, int msglen, byte[] rho, byte[] encT1)
     {
         if (siglen != CryptoBytes)
@@ -468,13 +590,13 @@ public boolean verifyInternal(byte[] sig, int siglen, byte[] msg, int msglen, by
         }
 
         // Compute crh(crh(rho, t1), msg)
-        shake256Digest.update(rho, 0, rho.length);
-        shake256Digest.update(encT1, 0, encT1.length);
-        shake256Digest.doFinal(mu, 0, TrBytes);
+//        shake256Digest.update(rho, 0, rho.length);
+//        shake256Digest.update(encT1, 0, encT1.length);
+//        shake256Digest.doFinal(mu, 0, TrBytes);
         // System.out.println("mu before = ");
         // Helper.printByteArray(mu);
 
-        shake256Digest.update(mu, 0, TrBytes);
+        //shake256Digest.update(mu, 0, TrBytes);
         shake256Digest.update(msg, 0, msglen);
         shake256Digest.doFinal(mu, 0);
 

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSASigner.java

@@ -1,6 +1,5 @@
 package org.bouncycastle.pqc.crypto.mldsa;
 
-import java.io.ByteArrayOutputStream;
 import java.security.SecureRandom;
 
 import org.bouncycastle.crypto.CipherParameters;
@@ -21,9 +20,6 @@ public class MLDSASigner
 
     private SecureRandom random;
 
-    // TODO: temporary
-    private ByteArrayOutputStream bOut = new ByteArrayOutputStream();
-
     public MLDSASigner()
     {
     }
@@ -62,8 +58,19 @@ public void init(boolean forSigning, CipherParameters param)
         else
         {
             pubKey = (MLDSAPublicKeyParameters)param;
-            engine = null;
-            msgDigest =  null;
+
+            engine = pubKey.getParameters().getEngine(random);
+
+            byte[] ctx = pubKey.getContext();
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("context too long");
+            }
+
+            engine.initVerify(pubKey.rho, pubKey.t1, false, ctx);
+
+            msgDigest = engine.getShake256Digest();
+
             isPreHash = pubKey.getParameters().isPreHash();
         }
 
@@ -75,26 +82,12 @@ public void init(boolean forSigning, CipherParameters param)
 
     public void update(byte b)
     {
-        if (msgDigest != null)
-        {
-            msgDigest.update(b);
-        }
-        else
-        {
-            bOut.write(b);
-        }
+        msgDigest.update(b);
     }
 
     public void update(byte[] in, int off, int len)
     {
-        if (msgDigest != null)
-        {
-            msgDigest.update(in, off, len);
-        }
-        else
-        {
-            bOut.write(in, off, len);
-        }
+        msgDigest.update(in, off, len);
     }
 
     public byte[] generateSignature()
@@ -106,32 +99,25 @@ public byte[] generateSignature()
             random.nextBytes(rnd);
         }
 
-        return engine.generateSignature(msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
+        byte[] sig = engine.generateSignature(msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
+
+        reset();
+
+        return sig;
     }
 
     public boolean verifySignature(byte[] signature)
     {
-        boolean isTrue = verifySignature(bOut.toByteArray(), signature);
-
-        bOut.reset();
+        boolean isTrue = engine.verifyInternal(signature, signature.length, msgDigest, pubKey.rho, pubKey.t1);
 
+        reset();
+                                                 
         return isTrue;
     }
 
     public void reset()
     {
-        bOut.reset();
-    }
-
-    byte[] generateSignature(byte[] message)
-    {
-        byte[] rnd = new byte[MLDSAEngine.RndBytes];
-        if (random != null)
-        {
-            random.nextBytes(rnd);
-        }
-
-        return engine.signInternal(message, message.length, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
+        msgDigest = engine.getShake256Digest();
     }
 
     protected byte[] internalGenerateSignature(byte[] message, byte[] random)
@@ -143,29 +129,16 @@ protected byte[] internalGenerateSignature(byte[] message, byte[] random)
         return engine.signInternal(message, message.length, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, random);
     }
 
-    boolean verifySignature(byte[] message, byte[] signature)
+    protected boolean internalVerifySignature(byte[] message, byte[] signature)
     {
         MLDSAEngine engine = pubKey.getParameters().getEngine(random);
 
-        byte[] ctx = pubKey.getContext();
-        if (ctx.length > 255)
-        {
-            throw new RuntimeException("Context too long");
-        }
+        engine.initVerify(pubKey.rho, pubKey.t1, false, null);
 
-        byte[] ds_message = new byte[1 + 1 + ctx.length + message.length];
-        ds_message[0] = 0;
-        ds_message[1] = (byte)ctx.length;
-        System.arraycopy(ctx, 0, ds_message, 2, ctx.length);
-        System.arraycopy(message, 0, ds_message, 2 + ctx.length, message.length);
+        SHAKEDigest msgDigest = engine.getShake256Digest();
 
-        return engine.verifyInternal(signature, signature.length, ds_message, ds_message.length, pubKey.rho, pubKey.t1);
-    }
-
-    public boolean internalVerifySignature(byte[] message, byte[] signature)
-    {
-        MLDSAEngine engine = pubKey.getParameters().getEngine(random);
+        msgDigest.update(message, 0, message.length);
 
-        return engine.verifyInternal(signature, signature.length, message, message.length, pubKey.rho, pubKey.t1);
+        return engine.verifyInternal(signature, signature.length, msgDigest, pubKey.rho, pubKey.t1);
     }
 }