added choice key encodings similar to ML-DSA

Author: dghgit

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMPrivateKeyParameters.java

@@ -5,13 +5,19 @@
 public class MLKEMPrivateKeyParameters
     extends MLKEMKeyParameters
 {
+    public static final int BOTH = 0;
+    public static final int SEED_ONLY = 1;
+    public static final int EXPANDED_KEY = 2;
+
     final byte[] s;
     final byte[] hpk;
     final byte[] nonce;
     final byte[] t;
     final byte[] rho;
     final byte[] seed;
-    
+
+    private final int prefFormat;
+
     public MLKEMPrivateKeyParameters(MLKEMParameters params, byte[] s, byte[] hpk, byte[] nonce, byte[] t, byte[] rho)
     {
         this(params, s, hpk, nonce, t, rho, null);
@@ -27,6 +33,7 @@ public MLKEMPrivateKeyParameters(MLKEMParameters params, byte[] s, byte[] hpk, b
         this.t = Arrays.clone(t);
         this.rho = Arrays.clone(rho);
         this.seed = Arrays.clone(seed);
+        this.prefFormat = BOTH;
     }
 
     public MLKEMPrivateKeyParameters(MLKEMParameters params, byte[] encoding)
@@ -60,6 +67,35 @@ public MLKEMPrivateKeyParameters(MLKEMParameters params, byte[] encoding)
             this.nonce = Arrays.copyOfRange(encoding, index, index + MLKEMEngine.KyberSymBytes);
             this.seed = null;
         }
+
+        this.prefFormat = BOTH;
+    }
+
+    private MLKEMPrivateKeyParameters(MLKEMPrivateKeyParameters params, int preferredFormat)
+    {
+        super(true, params.getParameters());
+
+        this.s = params.s;
+        this.t = params.t;
+        this.rho = params.rho;
+        this.hpk = params.hpk;
+        this.nonce = params.nonce;
+        this.seed = params.seed;
+        this.prefFormat = preferredFormat;
+    }
+
+    public MLKEMPrivateKeyParameters getParametersWithFormat(int format)
+    {
+        if (this.seed == null && format == SEED_ONLY)
+        {
+            throw new IllegalArgumentException("no seed available");
+        }
+        return new MLKEMPrivateKeyParameters(this, format);
+    }
+
+    public int getPreferredFormat()
+    {
+        return prefFormat;
     }
 
     public byte[] getEncoded()

core/src/main/java/org/bouncycastle/pqc/crypto/util/PrivateKeyInfoFactory.java

@@ -53,7 +53,6 @@
 import org.bouncycastle.pqc.legacy.crypto.mceliece.McElieceCCA2PrivateKeyParameters;
 import org.bouncycastle.pqc.legacy.crypto.qtesla.QTESLAPrivateKeyParameters;
 import org.bouncycastle.util.Pack;
-import org.bouncycastle.util.Properties;
 
 /**
  * Factory to create ASN.1 private key info objects from lightweight private keys.
@@ -249,16 +248,15 @@ else if (privateKey instanceof MLKEMPrivateKeyParameters)
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.mlkemOidLookup(params.getParameters()));
 
-            byte[] seed = params.getSeed();
-            if (Properties.isOverrideSet("org.bouncycastle.mlkem.seedOnly"))
+            if (params.getPreferredFormat() == MLKEMPrivateKeyParameters.SEED_ONLY)
             {
-                if (seed == null)    // very difficult to imagine, but...
-                {
-                    throw new IOException("no seed available");
-                }
-                return new PrivateKeyInfo(algorithmIdentifier, seed, attributes);
+                return new PrivateKeyInfo(algorithmIdentifier, new DERTaggedObject(false, 0, new DEROctetString(params.getSeed())), attributes);
             }
-            return new PrivateKeyInfo(algorithmIdentifier, getBasicPQCEncoding(seed, params.getEncoded()), attributes);
+            else if (params.getPreferredFormat() == MLKEMPrivateKeyParameters.EXPANDED_KEY)
+            {
+                return new PrivateKeyInfo(algorithmIdentifier, new DEROctetString(params.getEncoded()), attributes);
+            }
+            return new PrivateKeyInfo(algorithmIdentifier, getBasicPQCEncoding(params.getSeed(), params.getEncoded()), attributes);
         }
         else if (privateKey instanceof NTRULPRimePrivateKeyParameters)
         {
@@ -297,7 +295,6 @@ else if (privateKey instanceof MLDSAPrivateKeyParameters)
 
             AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(Utils.mldsaOidLookup(params.getParameters()));
 
-            byte[] seed = params.getSeed();
             if (params.getPreferredFormat() == MLDSAPrivateKeyParameters.SEED_ONLY)
             {
                 return new PrivateKeyInfo(algorithmIdentifier, new DERTaggedObject(false, 0, new DEROctetString(params.getSeed())), attributes);

prov/src/main/java/org/bouncycastle/jcajce/interfaces/MLKEMPrivateKey.java

@@ -25,4 +25,12 @@ public interface MLKEMPrivateKey
      * @return the seed for the private key, null if not available.
      */
     byte[] getSeed();
+
+    /**
+     * Return a privateKey which will encode as seed-only or as an expanded-key.
+     *
+     * @param preferSeedOnly if true, return a privateKey which will encode to seed-only if possible.
+     * @return a new MLKEMPrivateKey which encodes to either seed-only or expanded-key.
+     */
+    MLKEMPrivateKey getPrivateKey(boolean preferSeedOnly);
 }

prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/mlkem/BCMLKEMPrivateKey.java

@@ -9,6 +9,7 @@
 import org.bouncycastle.jcajce.interfaces.MLKEMPrivateKey;
 import org.bouncycastle.jcajce.interfaces.MLKEMPublicKey;
 import org.bouncycastle.jcajce.spec.MLKEMParameterSpec;
+import org.bouncycastle.pqc.crypto.mldsa.MLDSAPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.mlkem.MLKEMPrivateKeyParameters;
 import org.bouncycastle.pqc.crypto.util.PrivateKeyFactory;
 import org.bouncycastle.pqc.crypto.util.PrivateKeyInfoFactory;
@@ -120,6 +121,21 @@ public byte[] getSeed()
         return params.getSeed();
     }
 
+    @Override
+    public MLKEMPrivateKey getPrivateKey(boolean preferSeedOnly)
+    {
+        if (preferSeedOnly)
+        {
+            byte[] seed = params.getSeed();
+            if (seed != null)
+            {
+                return new BCMLKEMPrivateKey(this.params.getParametersWithFormat(MLDSAPrivateKeyParameters.SEED_ONLY));
+            }
+        }
+
+        return new BCMLKEMPrivateKey(this.params.getParametersWithFormat(MLDSAPrivateKeyParameters.EXPANDED_KEY));
+    }
+
     public MLKEMParameterSpec getParameterSpec()
     {
         return MLKEMParameterSpec.fromName(params.getParameters().getName());

prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/MLKEMTest.java

@@ -21,6 +21,7 @@
 import junit.framework.TestCase;
 import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.ASN1TaggedObject;
 import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
 import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
 import org.bouncycastle.jcajce.SecretKeyWithEncapsulation;
@@ -155,16 +156,35 @@ public void testSeedPrivateKeyEncoding()
             + "300102030405060708090a0b0c0d0e0f");
         kpGen512.initialize(MLKEMParameterSpec.ml_kem_512, new FixedSecureRandom(seed));
         KeyPair kp512 = kpGen512.generateKeyPair();
-        Security.setProperty("org.bouncycastle.mlkem.seedOnly", "true");
 
-        PrivateKeyInfo privInfo = PrivateKeyInfo.getInstance(kp512.getPrivate().getEncoded());
+        PrivateKeyInfo privInfo = PrivateKeyInfo.getInstance(((MLKEMPrivateKey)kp512.getPrivate()).getPrivateKey(true).getEncoded());
 
-        Security.setProperty("org.bouncycastle.mlkem.seedOnly", "false");
-        ASN1OctetString k = privInfo.getPrivateKey();
+        ASN1OctetString k = ASN1OctetString.getInstance((ASN1TaggedObject)privInfo.parsePrivateKey(), false);
 
         assertTrue(Arrays.areEqual(k.getOctets(), seed));
     }
 
+    public void testExpandedPrivateKeyEncoding()
+        throws Exception
+    {
+        KeyPairGenerator kpGen512 = KeyPairGenerator.getInstance("ML-KEM-512", "BC");
+
+        byte[] seed = Hex.decode("000102030405060708090a0b0c0d0e0f"
+            + "100102030405060708090a0b0c0d0e0f"
+            + "200102030405060708090a0b0c0d0e0f"
+            + "300102030405060708090a0b0c0d0e0f");
+        byte[] expanded = Base64.decode("WCF6H9yVm+nHHlpz1fOL8Oibz2GOuXSDQhwXrSnDraa2fYB0LxV12Tsp7FggB1xmvIg+GBXJoJcJ6APDuDCqE/RtW5eSZwKLI/cqeubNablS7SCQSORrZiNuVkoGgPikT9hzUDhvDhdE7tuD+cF1UfpECGZOFDFfaKeFufJlX/kcIAwFjgXOPqJrBiUd3BUsb2G81kxyJHfEODauV3p58dAWReW4Wfwzm8CP+OXMAsUiZTlHCzJxbaXFPwCBaokc/8XBd6FUOBLHAjxbVRKvuTQS8JEJLFTHvqYtehik66hEdNUJBfSpRGFalRFjvXp8acFXmluVTQsO6eoTL5pO0nZ1fhetf0RKgzeI07G0xIherqxln1dwj7VtM6WsW6WxZcFHkBQMWFiRUitxJ1QIbqY/1Po6uBEp/YYOPEoe7qMw2hxvadNEf7KiRPq6R+oxDMwnthex94O78ZNoDHiM5PdU4WKj8EkrySo49uS+d/YUnxxGZbSSY+uzTYY7D+w7zcapr0sgmmUIHtYEU6WxmCMFA8NmABySw0xOhJaDBsk5EWK1aZqkM+eqbhYfRwIpFvrKapAi86i6jAadcwm8ASRjmyZmRfCYkevG8kisVQg44TFbP6RYoXoFHzXI3BguJCmbGBS7YFSfwHcIiOybuJWQLqxIZZkPdzlGmnMr25uimbBxyzIB4Zw7HsZfGEGQ3xdAsCRhFskQw0XDHIVWZ9IZN/pofqUlNhqqeGCC6RaRkgDMdrLE8bBeB8WUt0SyXKgCZeXJBshKa3dhZeOq1yWNt5hB/rZKDgszqPmwv+hiZxURg6VUJPEoiXaAsbHBZKWROywm7WeK8ghdsyazhGFbJMdKhAOSYKBgWIBCcUBHZMLEhtm3gNLHdzGx4DtC4dGmJHxMRhFoH5cX/ARlO+RcKteNZTcyT+hlSIgyU/wBgxzBhIwsVmkMYiuPGnmqEAF0+LI79VqrTDJFmdBYGJsdShOV8Ey4JGulmoRN3oyOtvsPPpJ8Qfl0xgJLn6Ns87KcI/MUaXtilMpeYwxS1AwFnvJZGzDKh1GxTtKD87iTzErIgiV0AFojsEZ59AkvjGmFw1jPvhSIXsF900EMc8O2oWArKHIYzXWL2AmfDmmmjFxTW4Ic5xyQejkibiolbHhAb0RYYesI1ZmUnXCjyiBSz/CpgIyFIjqVXAOxGmy5XJdMobDJbhh0xnV3uytNGXuRiYqjnaQTzVEpbNUYXbAdVoFuHfwMKfy6eHIBXoLJFnpdLOEYnYireCYv1mrGYjWsH9MY4Ys17vvIcFSia/Rc+VtH9CJk2bqgEVqK2TsV6KgREaJgDBmj0BRp8ourO/YAFMslxLcLQDqrKtA4JhGcAzhsYjpzQlBXljSlqmFKWmjCIBRFrFaMG+xv76YBaqh+0aEQKOVT2JwNyADG3SonhoUDovo+J9UlaGljwmeaAQCouQZDCXELgreKpHOFaMK7RpQHNjtlv+FuV+k7WnudORs9Nde92Kw13SRSulmQtao1SHJf0VRcvuQu3eMzLLsjluElKqEpvDZX/Cg76XgEptYaEqlMQNSa6fh30bc+GhoyFRGx3zk3zvbGrtrEWiPIacCMeQKMmieN8apjragAiZsGdpMCsfxq1xAJraHB4cMGSix3ZOp8riKumiO4EQwDhtJGu4NXbLC459JkqaEP1HTA/jNpwiIRBsHE3dlOaFE7iJk+znrMXzcG+1fHAXhDatwPEizALupyhTxAiJsCWzxctKFbzouzbwcuXAKqJbldNdRsx+ESaugoN+QKLmEJOJlpjWKFIORE4daWXpoCz4WPw1ADCTiDQ3WzTPQn46tlgDDFwTx60eJk+CAn48Q+eYM3W6SDCtqLKYgUjLlJcakdKMmKJVdIL1A66gtH3jA/oJurjNGNaHK+ZNKDm9NxKrWQ9PmmBAiHsPKqIosLR4sZ6oANC4mtVHK3lZmYz9LI/ejIfLgd7aw1INBupOPPpGmrQqA4LcGgd0mMCVRLKxEqPBRuTDaLBAI8HdJUwsgwI3GrH1ZkAsNHBhmvUdSNjicplOoWHcNYi9U4FZkIifBjHUgGUNUhmw4Mkf3IfeYtJoLtjpYOIjQ3yFH8zzdEKBY74ILHT+BSWiakAyABAgMEBQYHCAkKCwwNDg8wAQIDBAUGBwgJCgsMDQ4P");
+
+        kpGen512.initialize(MLKEMParameterSpec.ml_kem_512, new FixedSecureRandom(seed));
+        KeyPair kp512 = kpGen512.generateKeyPair();
+
+        PrivateKeyInfo privInfo = PrivateKeyInfo.getInstance(((MLKEMPrivateKey)kp512.getPrivate()).getPrivateKey(false).getEncoded());
+
+        ASN1OctetString k = ASN1OctetString.getInstance(privInfo.parsePrivateKey());
+
+        assertTrue(Arrays.areEqual(k.getOctets(), expanded));
+    }
+
     public void testPrivateKeyRecoding()
         throws Exception
     {