Pqc MLDSA rejection testvectors

Author: ligefeiBouncycastle

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/HashMLDSASigner.java

@@ -4,14 +4,11 @@
 import java.security.SecureRandom;
 
 import org.bouncycastle.asn1.ASN1Encoding;
-import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.crypto.CipherParameters;
 import org.bouncycastle.crypto.CryptoException;
 import org.bouncycastle.crypto.DataLengthException;
 import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.Signer;
-import org.bouncycastle.crypto.digests.SHA512Digest;
-import org.bouncycastle.crypto.digests.SHAKEDigest;
 import org.bouncycastle.crypto.params.ParametersWithContext;
 import org.bouncycastle.crypto.params.ParametersWithRandom;
 import org.bouncycastle.pqc.crypto.DigestUtils;
@@ -27,7 +24,6 @@ public class HashMLDSASigner
 
     private MLDSAEngine engine;
     private Digest digest;
-    private byte[] digestOIDEncoding;
 
     public HashMLDSASigner()
     {
@@ -67,37 +63,28 @@ public void init(boolean forSigning, CipherParameters param)
 
             parameters = privKey.getParameters();
             engine = parameters.getEngine(random);
-
             engine.initSign(privKey.tr, true, ctx);
         }
         else
         {
             pubKey = (MLDSAPublicKeyParameters)param;
             privKey = null;
             random = null;
-
             parameters = pubKey.getParameters();
             engine = parameters.getEngine(null);
-
             engine.initVerify(pubKey.rho, pubKey.t1, true, ctx);
         }
-
-        initDigest(parameters);
-    }
-
-    private void initDigest(MLDSAParameters parameters)
-    {
-        digest = createDigest(parameters);
-
-        ASN1ObjectIdentifier oid = DigestUtils.getDigestOid(digest.getAlgorithmName());
+        digest = engine.shake256Digest;
+        byte[] digestOIDEncoding;
         try
         {
-            digestOIDEncoding = oid.getEncoded(ASN1Encoding.DER);
+            digestOIDEncoding = DigestUtils.getDigestOid(digest.getAlgorithmName()).getEncoded(ASN1Encoding.DER);
         }
         catch (IOException e)
         {
             throw new IllegalStateException("oid encoding failed: " + e.getMessage());
         }
+        digest.update(digestOIDEncoding, 0, digestOIDEncoding.length);
     }
 
     public void update(byte b)
@@ -110,25 +97,22 @@ public void update(byte[] in, int off, int len)
         digest.update(in, off, len);
     }
 
-    public byte[] generateSignature() throws CryptoException, DataLengthException
+    public byte[] generateSignature()
+        throws CryptoException, DataLengthException
     {
-        SHAKEDigest msgDigest = finishPreHash();
-
         byte[] rnd = new byte[MLDSAEngine.RndBytes];
         if (random != null)
         {
             random.nextBytes(rnd);
         }
-        byte[] mu = engine.generateMu(msgDigest);
-
-        return engine.generateSignature(mu, msgDigest, privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
+        byte[] mu = engine.generateMu(engine.shake256Digest);
+        return engine.generateSignature(mu, engine.getShake256Digest(), privKey.rho, privKey.k, privKey.t0, privKey.s1, privKey.s2, rnd);
     }
 
     public boolean verifySignature(byte[] signature)
     {
-        SHAKEDigest msgDigest = finishPreHash();
-
-        return engine.verifyInternal(signature, signature.length, msgDigest, pubKey.rho, pubKey.t1);
+        byte[] mu = engine.generateMu(engine.shake256Digest);
+        return engine.verifyInternalMuSignature(mu, signature, signature.length, engine.getShake256Digest(), pubKey.rho, pubKey.t1);
     }
 
     /**
@@ -139,20 +123,8 @@ public void reset()
         digest.reset();
     }
 
-    private SHAKEDigest finishPreHash()
-    {
-        byte[] hash = new byte[digest.getDigestSize()];
-        digest.doFinal(hash, 0);
-
-        SHAKEDigest msgDigest = engine.getShake256Digest();
-        // TODO It should be possible to include digestOIDEncoding in the memo'ed digest
-        msgDigest.update(digestOIDEncoding, 0, digestOIDEncoding.length);
-        msgDigest.update(hash, 0, hash.length);
-        return msgDigest;
-    }
-
 //    TODO: these are probably no longer correct and also need to be marked as protected
-//    protected byte[] internalGenerateSignature(byte[] message, byte[] random)
+//    protected byte[] internalGenerateSignature(byte[] message, SecureRandom random)
 //    {
 //        MLDSAEngine engine = privKey.getParameters().getEngine(random);
 //
@@ -166,15 +138,19 @@ private SHAKEDigest finishPreHash()
 //        return engine.verifyInternal(signature, signature.length, message, message.length, pubKey.rho, pubKey.t1);
 //    }
 
-    private static Digest createDigest(MLDSAParameters parameters)
-    {
-        switch (parameters.getType())
-        {
-        case MLDSAParameters.TYPE_PURE:
-        case MLDSAParameters.TYPE_SHA2_512:
-            return new SHA512Digest();
-        default:
-            throw new IllegalArgumentException("unknown parameters type");
-        }
-    }
+//    private static Digest createDigest(MLDSAParameters parameters)
+//    {
+    //TODO: MLDSA44 may use SHA2-256, SHA3-256, SHAKE128
+    //      MLDSA65 may use SHA3-384, SHA2-512
+    //      MLDSA44/65/87 may use SHA2-512, SHA3-512, SHAKE256
+
+//        switch (parameters.getType())
+//        {
+//        case MLDSAParameters.TYPE_PURE:
+//        case MLDSAParameters.TYPE_SHA2_512:
+//            return new SHAKEDigest(256);
+//        default:
+//            throw new IllegalArgumentException("unknown parameters type");
+//        }
+//    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSAEngine.java

@@ -2,20 +2,20 @@
 
 import java.security.SecureRandom;
 
+import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.digests.SHAKEDigest;
 import org.bouncycastle.util.Arrays;
 
 class MLDSAEngine
 {
     private final SecureRandom random;
-
-    private final SHAKEDigest shake256Digest = new SHAKEDigest(256);
+    final SHAKEDigest shake256Digest = new SHAKEDigest(256);
 
     public final static int DilithiumN = 256;
     public final static int DilithiumQ = 8380417;
     public final static int DilithiumQinv = 58728449; // q^(-1) mod 2^32
     public final static int DilithiumD = 13;
-    public final static int DilithiumRootOfUnity = 1753;
+    //public final static int DilithiumRootOfUnity = 1753;
     public final static int SeedBytes = 32;
     public final static int CrhBytes = 64;
     public final static int RndBytes = 32;
@@ -55,10 +55,10 @@ protected Symmetric GetSymmetric()
         return symmetric;
     }
 
-    int getDilithiumPolyVecHPackedBytes()
-    {
-        return DilithiumPolyVecHPackedBytes;
-    }
+//    int getDilithiumPolyVecHPackedBytes()
+//    {
+//        return DilithiumPolyVecHPackedBytes;
+//    }
 
     int getDilithiumPolyZPackedBytes()
     {
@@ -75,10 +75,10 @@ int getDilithiumPolyEtaPackedBytes()
         return DilithiumPolyEtaPackedBytes;
     }
 
-    int getDilithiumMode()
-    {
-        return DilithiumMode;
-    }
+//    int getDilithiumMode()
+//    {
+//        return DilithiumMode;
+//    }
 
     int getDilithiumK()
     {
@@ -130,15 +130,15 @@ int getCryptoPublicKeyBytes()
         return CryptoPublicKeyBytes;
     }
 
-    int getCryptoSecretKeyBytes()
-    {
-        return CryptoSecretKeyBytes;
-    }
-
-    int getCryptoBytes()
-    {
-        return CryptoBytes;
-    }
+//    int getCryptoSecretKeyBytes()
+//    {
+//        return CryptoSecretKeyBytes;
+//    }
+//
+//    int getCryptoBytes()
+//    {
+//        return CryptoBytes;
+//    }
 
     int getPolyUniformGamma1NBlocks()
     {
@@ -357,12 +357,7 @@ SHAKEDigest getShake256Digest()
     void initSign(byte[] tr, boolean isPreHash, byte[] ctx)
     {
         shake256Digest.update(tr, 0, TrBytes);
-        if (ctx != null)
-        {
-            shake256Digest.update(isPreHash ? (byte)1 : (byte)0);
-            shake256Digest.update((byte)ctx.length);
-            shake256Digest.update(ctx, 0, ctx.length);
-        }
+        absorbCtx(isPreHash, ctx);
     }
 
     void initVerify(byte[] rho, byte[] encT1, boolean isPreHash, byte[] ctx)
@@ -374,6 +369,11 @@ void initVerify(byte[] rho, byte[] encT1, boolean isPreHash, byte[] ctx)
         shake256Digest.doFinal(mu, 0, TrBytes);
 
         shake256Digest.update(mu, 0, TrBytes);
+        absorbCtx(isPreHash, ctx);
+    }
+
+    void absorbCtx(boolean isPreHash, byte[] ctx)
+    {
         if (ctx != null)
         {
             shake256Digest.update(isPreHash ? (byte)1 : (byte)0);
@@ -396,7 +396,6 @@ byte[] generateMu(SHAKEDigest shake256Digest)
         byte[] mu = new byte[CrhBytes];
 
         shake256Digest.doFinal(mu, 0, CrhBytes);
-
         return mu;
     }
 

core/src/main/java/org/bouncycastle/pqc/crypto/mldsa/MLDSASigner.java

@@ -14,11 +14,9 @@ public class MLDSASigner
     implements Signer
 {
     private static final byte[] EMPTY_CONTEXT = new byte[0];
-
     private MLDSAPublicKeyParameters pubKey;
     private MLDSAPrivateKeyParameters privKey;
     private SecureRandom random;
-
     private MLDSAEngine engine;
     private SHAKEDigest msgDigest;
 
@@ -148,7 +146,7 @@ public boolean verifyMu(byte[] mu)
         {
             throw new DataLengthException("mu value must be " + MLDSAEngine.CrhBytes + " bytes");
         }
-        
+
         boolean isTrue = engine.verifyInternalMu(mu);
 
         reset();
@@ -171,9 +169,9 @@ public boolean verifyMuSignature(byte[] mu, byte[] signature)
         {
             throw new DataLengthException("mu value must be " + MLDSAEngine.CrhBytes + " bytes");
         }
-        
+
         msgDigest.reset();
-        
+
         boolean isTrue = engine.verifyInternalMuSignature(mu, signature, signature.length, msgDigest, pubKey.rho, pubKey.t1);
 
         reset();