fixed kyber aes

royb · royb · commit c98505824119 · 2022-09-22T15:01:01.000-04:00
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberIndCpa.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberIndCpa.java
@@ -55,8 +55,6 @@ public byte[][] generateKeyPair()
 
         byte[] d = new byte[32];
 
-        SHA3Digest sha3Digest512 = new SHA3Digest(512);
-
         // (p, sigma) <- G(d)
 
         engine.getRandomBytes(d);
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/Symmetric.java b/core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/Symmetric.java
@@ -38,20 +38,17 @@ static class ShakeSymmetric
         extends Symmetric
     {
         private final SHAKEDigest xof;
-        private final SHAKEDigest prf;
         private final SHA3Digest sha3Digest512;
         private final SHA3Digest sha3Digest256;
         private final SHAKEDigest shakeDigest;
 
-
         ShakeSymmetric()
         {
             super(168);
             this.xof = new SHAKEDigest(128);
-            this.prf = new SHAKEDigest(256);
+            this.shakeDigest = new SHAKEDigest(256);
             this.sha3Digest256 = new SHA3Digest(256);
             this.sha3Digest512 = new SHA3Digest(512);
-            this.shakeDigest = new SHAKEDigest(256);
         }
 
         @Override
@@ -91,8 +88,8 @@ void prf(byte[] out, byte[] seed, byte nonce)
             byte[] extSeed = new byte[seed.length + 1];
             System.arraycopy(seed, 0, extSeed, 0, seed.length);
             extSeed[seed.length] = nonce;
-            prf.update(extSeed, 0, extSeed.length);
-            prf.doFinal(out, 0, out.length);
+            shakeDigest.update(extSeed, 0, extSeed.length);
+            shakeDigest.doFinal(out, 0, out.length);
         }
 
         @Override
@@ -133,17 +130,13 @@ private void aes128(byte[] out, int offset, int size)
         @Override
         void hash_h(byte[] out, byte[] in, int outOffset)
         {
-            sha256Digest.update(in, 0, in.length);
-            sha256Digest.doFinal(out, outOffset);
-//            doDigest(sha256Digest, out, in, outOffset);
+            doDigest(sha256Digest, out, in, outOffset);
         }
 
         @Override
         void hash_g(byte[] out, byte[] in)
         {
-            sha512Digest.update(in, 0, in.length);
-            sha512Digest.doFinal(out, 0);
-//            doDigest(sha512Digest, out, in, 0);
+            doDigest(sha512Digest, out, in, 0);
         }
 
         @Override
@@ -166,23 +159,20 @@ void xofSqueezeBlocks(byte[] out, int outOffset, int outLen)
         @Override
         void prf(byte[] out, byte[] key, byte nonce)
         {
-            SICBlockCipher prf = new SICBlockCipher(new AESEngine());
             byte[] expnonce = new byte[12];
             expnonce[0] = nonce;
 
             ParametersWithIV kp = new ParametersWithIV(new KeyParameter(Arrays.copyOfRange(key, 0, 32)), expnonce);
-            prf.init(true, kp);
+            cipher.init(true, kp);
             aes128(out, 0, out.length);
-            byte[] buf = new byte[out.length];   // TODO: there might be a more efficient way of doing this...
-            prf.processBytes(buf, 0, out.length, out, 0);
         }
 
         @Override
         void kdf(byte[] out, byte[] in)
         {
-            sha256Digest.update(in, 0, in.length);
-            sha256Digest.doFinal(out, 0);
-//            doDigest(sha256Digest, out, in, 0);
+            byte[] buf = new byte[32];
+            doDigest(sha256Digest, buf, in, 0);
+            System.arraycopy(buf, 0, out, 0, out.length);
         }
     }
 }
diff --git a/core/src/test/java/org/bouncycastle/pqc/crypto/test/CrystalsKyberTest.java b/core/src/test/java/org/bouncycastle/pqc/crypto/test/CrystalsKyberTest.java
@@ -103,18 +103,18 @@ public void testVectors()
             KyberParameters.kyber512,
             KyberParameters.kyber768,
             KyberParameters.kyber1024,
-//            KyberParameters.kyber512,
-//            KyberParameters.kyber768,
-//            KyberParameters.kyber1024,
+            KyberParameters.kyber512_aes,
+            KyberParameters.kyber768_aes,
+            KyberParameters.kyber1024_aes,
         };
 
         String[] files = new String[]{
             "kyber512.rsp",
             "kyber768.rsp",
             "kyber1024.rsp",
-//            "kyber512aes.rsp",
-//            "kyber768aes.rsp",
-//            "kyber1024aes.rsp",
+            "kyber512aes.rsp",
+            "kyber768aes.rsp",
+            "kyber1024aes.rsp",
         };
 
         TestSampler sampler = new TestSampler();

Original file line number	Diff line number	Diff line change
`@@ -38,20 +38,17 @@ static class ShakeSymmetric`
`38`	`38`	`extends Symmetric`
`39`	`39`	`{`
`40`	`40`	`private final SHAKEDigest xof;`
`41`		`- private final SHAKEDigest prf;`
`42`	`41`	`private final SHA3Digest sha3Digest512;`
`43`	`42`	`private final SHA3Digest sha3Digest256;`
`44`	`43`	`private final SHAKEDigest shakeDigest;`
`45`	`44`
`46`		`-`
`47`	`45`	`ShakeSymmetric()`
`48`	`46`	`{`
`49`	`47`	`super(168);`
`50`	`48`	`this.xof = new SHAKEDigest(128);`
`51`		`- this.prf = new SHAKEDigest(256);`
	`49`	`+ this.shakeDigest = new SHAKEDigest(256);`
`52`	`50`	`this.sha3Digest256 = new SHA3Digest(256);`
`53`	`51`	`this.sha3Digest512 = new SHA3Digest(512);`
`54`		`- this.shakeDigest = new SHAKEDigest(256);`
`55`	`52`	`}`
`56`	`53`
`57`	`54`	`@Override`
`@@ -91,8 +88,8 @@ void prf(byte[] out, byte[] seed, byte nonce)`
`91`	`88`	`byte[] extSeed = new byte[seed.length + 1];`
`92`	`89`	`System.arraycopy(seed, 0, extSeed, 0, seed.length);`
`93`	`90`	`extSeed[seed.length] = nonce;`
`94`		`- prf.update(extSeed, 0, extSeed.length);`
`95`		`- prf.doFinal(out, 0, out.length);`
	`91`	`+ shakeDigest.update(extSeed, 0, extSeed.length);`
	`92`	`+ shakeDigest.doFinal(out, 0, out.length);`
`96`	`93`	`}`
`97`	`94`
`98`	`95`	`@Override`
`@@ -133,17 +130,13 @@ private void aes128(byte[] out, int offset, int size)`
`133`	`130`	`@Override`
`134`	`131`	`void hash_h(byte[] out, byte[] in, int outOffset)`
`135`	`132`	`{`
`136`		`- sha256Digest.update(in, 0, in.length);`
`137`		`- sha256Digest.doFinal(out, outOffset);`
`138`		`-// doDigest(sha256Digest, out, in, outOffset);`
	`133`	`+ doDigest(sha256Digest, out, in, outOffset);`
`139`	`134`	`}`
`140`	`135`
`141`	`136`	`@Override`
`142`	`137`	`void hash_g(byte[] out, byte[] in)`
`143`	`138`	`{`
`144`		`- sha512Digest.update(in, 0, in.length);`
`145`		`- sha512Digest.doFinal(out, 0);`
`146`		`-// doDigest(sha512Digest, out, in, 0);`
	`139`	`+ doDigest(sha512Digest, out, in, 0);`
`147`	`140`	`}`
`148`	`141`
`149`	`142`	`@Override`
`@@ -166,23 +159,20 @@ void xofSqueezeBlocks(byte[] out, int outOffset, int outLen)`
`166`	`159`	`@Override`
`167`	`160`	`void prf(byte[] out, byte[] key, byte nonce)`
`168`	`161`	`{`
`169`		`- SICBlockCipher prf = new SICBlockCipher(new AESEngine());`
`170`	`162`	`byte[] expnonce = new byte[12];`
`171`	`163`	`expnonce[0] = nonce;`
`172`	`164`
`173`	`165`	`ParametersWithIV kp = new ParametersWithIV(new KeyParameter(Arrays.copyOfRange(key, 0, 32)), expnonce);`
`174`		`- prf.init(true, kp);`
	`166`	`+ cipher.init(true, kp);`
`175`	`167`	`aes128(out, 0, out.length);`
`176`		`- byte[] buf = new byte[out.length]; // TODO: there might be a more efficient way of doing this...`
`177`		`- prf.processBytes(buf, 0, out.length, out, 0);`
`178`	`168`	`}`
`179`	`169`
`180`	`170`	`@Override`
`181`	`171`	`void kdf(byte[] out, byte[] in)`
`182`	`172`	`{`
`183`		`- sha256Digest.update(in, 0, in.length);`
`184`		`- sha256Digest.doFinal(out, 0);`
`185`		`-// doDigest(sha256Digest, out, in, 0);`
	`173`	`+ byte[] buf = new byte[32];`
	`174`	`+ doDigest(sha256Digest, buf, in, 0);`
	`175`	`+ System.arraycopy(buf, 0, out, 0, out.length);`
`186`	`176`	`}`
`187`	`177`	`}`
`188`	`178`	`}`