Refactoring in ML-DSA, SLH-DSA

- FIx signer inits to set all fields

Author: peterdettman

core/src/main/java/org/bouncycastle/crypto/params/ParametersWithContext.java

@@ -13,15 +13,33 @@ public ParametersWithContext(
         CipherParameters parameters,
         byte[] context)
     {
+        if (context == null)
+        {
+            throw new NullPointerException("'context' cannot be null");
+        }
+
         this.parameters = parameters;
         this.context = Arrays.clone(context);
     }
 
+    public void copyContextTo(byte[] buf, int off, int len)
+    {
+        if (context.length != len)
+            throw new IllegalArgumentException("len");
+
+        System.arraycopy(context, 0, buf, off, len);
+    }
+
     public byte[] getContext()
     {
         return Arrays.clone(context);
     }
 
+    public int getContextLength()
+    {
+        return context.length;
+    }
+
     public CipherParameters getParameters()
     {
         return parameters;

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/dilithium/DilithiumEngine.java

@@ -2,15 +2,13 @@
 
 import java.security.SecureRandom;
 
-import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.digests.SHAKEDigest;
 import org.bouncycastle.util.Arrays;
 
 class DilithiumEngine
 {
     private final SecureRandom random;
 
-    private final SHAKEDigest shake128Digest = new SHAKEDigest(128);
     private final SHAKEDigest shake256Digest = new SHAKEDigest(256);
 
     public final static int DilithiumN = 256;
@@ -152,11 +150,6 @@ SHAKEDigest getShake256Digest()
         return this.shake256Digest;
     }
 
-    SHAKEDigest getShake128Digest()
-    {
-        return this.shake128Digest;
-    }
-
     DilithiumEngine(int mode, SecureRandom random, boolean usingAes)
     {
         this.DilithiumMode = mode;

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/HashMLDSASigner.java

@@ -15,89 +15,84 @@
 import org.bouncycastle.crypto.params.ParametersWithContext;
 import org.bouncycastle.crypto.params.ParametersWithRandom;
 import org.bouncycastle.pqc.crypto.DigestUtils;
-import org.bouncycastle.util.Arrays;
 
 public class HashMLDSASigner
     implements Signer
 {
     private static final byte[] EMPTY_CONTEXT = new byte[0];
-    
-    private MLDSAPrivateKeyParameters privKey;
+
     private MLDSAPublicKeyParameters pubKey;
+    private MLDSAPrivateKeyParameters privKey;
+    private SecureRandom random;
 
     private MLDSAEngine engine;
-    private SecureRandom random;
     private Digest digest;
-    private byte[] digestOidEncoding;
+    private byte[] digestOIDEncoding;
 
     public HashMLDSASigner()
     {
-        this.digest = new SHA512Digest();
     }
 
     public void init(boolean forSigning, CipherParameters param)
     {
-        byte[] ctx;
-
+        byte[] ctx = EMPTY_CONTEXT;
         if (param instanceof ParametersWithContext)
         {
-            ctx = ((ParametersWithContext)param).getContext();
-            param = ((ParametersWithContext)param).getParameters();
+            ParametersWithContext withContext = (ParametersWithContext)param;
+            ctx = withContext.getContext();
+            param = withContext.getParameters();
 
             if (ctx.length > 255)
             {
                 throw new IllegalArgumentException("context too long");
             }
         }
-        else
-        {
-            ctx = EMPTY_CONTEXT;
-        }
 
+        MLDSAParameters parameters;
         if (forSigning)
         {
+            pubKey = null;
+
             if (param instanceof ParametersWithRandom)
             {
-                privKey = (MLDSAPrivateKeyParameters)((ParametersWithRandom)param).getParameters();
-                random = ((ParametersWithRandom)param).getRandom();
+                ParametersWithRandom withRandom = (ParametersWithRandom)param;
+                privKey = (MLDSAPrivateKeyParameters)withRandom.getParameters();
+                random = withRandom.getRandom();
             }
             else
             {
                 privKey = (MLDSAPrivateKeyParameters)param;
                 random = null;
             }
 
-            engine = privKey.getParameters().getEngine(this.random);
+            parameters = privKey.getParameters();
+            engine = parameters.getEngine(random);
 
             engine.initSign(privKey.tr, true, ctx);
-
-            initDigest(privKey);
         }
         else
         {
             pubKey = (MLDSAPublicKeyParameters)param;
+            privKey = null;
+            random = null;
 
-            engine = pubKey.getParameters().getEngine(this.random);
-            
-            engine.initVerify(pubKey.rho, pubKey.t1, true, ctx);
+            parameters = pubKey.getParameters();
+            engine = parameters.getEngine(null);
 
-            initDigest(pubKey);
+            engine.initVerify(pubKey.rho, pubKey.t1, true, ctx);
         }
 
-        reset();
+        initDigest(parameters);
     }
 
-    private void initDigest(MLDSAKeyParameters key)
+    private void initDigest(MLDSAParameters parameters)
     {
-        if (key.getParameters().isPreHash())
-        {
-            digest = key.getParameters().createDigest();
-        }
+        digest = createDigest(parameters);
 
         ASN1ObjectIdentifier oid = DigestUtils.getDigestOid(digest.getAlgorithmName());
         try
         {
-            digestOidEncoding = oid.getEncoded(ASN1Encoding.DER);
+            digestOIDEncoding = oid.getEncoded(ASN1Encoding.DER);
         }
         catch (IOException e)
         {
@@ -110,69 +105,75 @@ public void update(byte b)
         digest.update(b);
     }
 
-    @Override
     public void update(byte[] in, int off, int len)
     {
         digest.update(in, off, len);
     }
 
-    @Override
     public byte[] generateSignature() throws CryptoException, DataLengthException
     {
-        SHAKEDigest msgDigest = engine.getShake256Digest();
+        SHAKEDigest msgDigest = finishPreHash();
 
         byte[] rnd = new byte[MLDSAEngine.RndBytes];
         if (random != null)
         {
             random.nextBytes(rnd);
         }
 
-        byte[] hash = new byte[digest.getDigestSize()];
-        digest.doFinal(hash, 0);
-
-        byte[] ds_message = Arrays.concatenate(digestOidEncoding, hash);
-
-        msgDigest.update(ds_message, 0, ds_message.length);
-
         return engine.generateSignature(msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
     }
 
-    @Override
     public boolean verifySignature(byte[] signature)
     {
-        SHAKEDigest msgDigest = engine.getShake256Digest();
-        byte[] hash = new byte[digest.getDigestSize()];
-
-        digest.doFinal(hash, 0);
-
-        byte[] ds_message = Arrays.concatenate(digestOidEncoding, hash);
-
-        msgDigest.update(ds_message, 0, ds_message.length);
+        SHAKEDigest msgDigest = finishPreHash();
 
         return engine.verifyInternal(signature, signature.length, msgDigest, pubKey.rho, pubKey.t1);
     }
 
     /**
      * reset the internal state
      */
-    @Override
     public void reset()
     {
         digest.reset();
     }
 
+    private SHAKEDigest finishPreHash()
+    {
+        byte[] hash = new byte[digest.getDigestSize()];
+        digest.doFinal(hash, 0);
+
+        SHAKEDigest msgDigest = engine.getShake256Digest();
+        // TODO It should be possible to include digestOIDEncoding in the memo'ed digest
+        msgDigest.update(digestOIDEncoding, 0, digestOIDEncoding.length);
+        msgDigest.update(hash, 0, hash.length);
+        return msgDigest;
+    }
+
 //    TODO: these are probably no longer correct and also need to be marked as protected
-//    public byte[] internalGenerateSignature(byte[] message, byte[] random)
+//    protected byte[] internalGenerateSignature(byte[] message, byte[] random)
 //    {
-//        MLDSAEngine engine = privKey.getParameters().getEngine(this.random);
+//        MLDSAEngine engine = privKey.getParameters().getEngine(random);
 //
 //        return engine.signInternal(message, message.length, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, random);
 //    }
 //
-//    public boolean internalVerifySignature(byte[] message, byte[] signature)
+//    protected boolean internalVerifySignature(byte[] message, byte[] signature)
 //    {
 //        MLDSAEngine engine = pubKey.getParameters().getEngine(random);
 //
 //        return engine.verifyInternal(signature, signature.length, message, message.length, pubKey.rho, pubKey.t1);
 //    }
+
+    private static Digest createDigest(MLDSAParameters parameters)
+    {
+        switch (parameters.getType())
+        {
+        case MLDSAParameters.TYPE_PURE:
+        case MLDSAParameters.TYPE_SHA2_512:
+            return new SHA512Digest();
+        default:
+            throw new IllegalArgumentException("unknown parameters type");
+        }
+    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAEngine.java

@@ -9,7 +9,6 @@ class MLDSAEngine
 {
     private final SecureRandom random;
 
-    private final SHAKEDigest shake128Digest = new SHAKEDigest(128);
     private final SHAKEDigest shake256Digest = new SHAKEDigest(256);
 
     public final static int DilithiumN = 256;
@@ -311,12 +310,12 @@ SHAKEDigest getShake256Digest()
 
     void initSign(byte[] tr, boolean isPreHash, byte[] ctx)
     {
-        this.shake256Digest.update(tr, 0, TrBytes);
+        shake256Digest.update(tr, 0, TrBytes);
         if (ctx != null)
         {
-            this.shake256Digest.update((isPreHash) ? (byte)1 : (byte)0);
-            this.shake256Digest.update((byte)ctx.length);
-            this.shake256Digest.update(ctx, 0, ctx.length);
+            shake256Digest.update(isPreHash ? (byte)1 : (byte)0);
+            shake256Digest.update((byte)ctx.length);
+            shake256Digest.update(ctx, 0, ctx.length);
         }
     }
 
@@ -327,16 +326,13 @@ void initVerify(byte[] rho, byte[] encT1, boolean isPreHash, byte[] ctx)
         shake256Digest.update(rho, 0, rho.length);
         shake256Digest.update(encT1, 0, encT1.length);
         shake256Digest.doFinal(mu, 0, TrBytes);
-        // System.out.println("mu before = ");
-        // Helper.printByteArray(mu);
 
         shake256Digest.update(mu, 0, TrBytes);
-
         if (ctx != null)
         {
-            this.shake256Digest.update((isPreHash) ? (byte)1 : (byte)0);
-            this.shake256Digest.update((byte)ctx.length);
-            this.shake256Digest.update(ctx, 0, ctx.length);
+            shake256Digest.update(isPreHash ? (byte)1 : (byte)0);
+            shake256Digest.update((byte)ctx.length);
+            shake256Digest.update(ctx, 0, ctx.length);
         }
     }
 

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAKeyPairGenerator.java

@@ -9,22 +9,22 @@
 public class MLDSAKeyPairGenerator
     implements AsymmetricCipherKeyPairGenerator
 {
-    private MLDSAParameters dilithiumParams;
+    private MLDSAParameters parameters;
     private SecureRandom random;
 
     public void init(KeyGenerationParameters param)
     {
-        this.dilithiumParams = ((MLDSAKeyGenerationParameters)param).getParameters();
+        this.parameters = ((MLDSAKeyGenerationParameters)param).getParameters();
         this.random = param.getRandom();
     }
 
     public AsymmetricCipherKeyPair generateKeyPair()
     {
-        MLDSAEngine engine = dilithiumParams.getEngine(random);
+        MLDSAEngine engine = parameters.getEngine(random);
 
         byte[][] keyPair = engine.generateKeyPair();
-        MLDSAPublicKeyParameters pubKey = new MLDSAPublicKeyParameters(dilithiumParams, keyPair[0], keyPair[6]);
-        MLDSAPrivateKeyParameters privKey = new MLDSAPrivateKeyParameters(dilithiumParams, keyPair[0], keyPair[1], keyPair[2], keyPair[3], keyPair[4], keyPair[5], keyPair[6], keyPair[7]);
+        MLDSAPublicKeyParameters pubKey = new MLDSAPublicKeyParameters(parameters, keyPair[0], keyPair[6]);
+        MLDSAPrivateKeyParameters privKey = new MLDSAPrivateKeyParameters(parameters, keyPair[0], keyPair[1], keyPair[2], keyPair[3], keyPair[4], keyPair[5], keyPair[6], keyPair[7]);
 
         return new AsymmetricCipherKeyPair(pubKey, privKey);
     }

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAParameters.java

@@ -2,9 +2,6 @@
 
 import java.security.SecureRandom;
 
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA512Digest;
-
 public class MLDSAParameters
 {
     public static final int TYPE_PURE = 0;
@@ -38,11 +35,6 @@ public int getType()
     {
         return preHashDigest;
     }
-    
-    Digest createDigest()
-    {
-        return preHashDigest == TYPE_PURE ? null : new SHA512Digest();
-    }
 
     MLDSAEngine getEngine(SecureRandom random)
     {