updated HQC to match reference implementation 2024-10-30

Author: royb

core/src/main/java/org/bouncycastle/pqc/crypto/hqc/FastFourierTransform.java

@@ -131,8 +131,8 @@ static void computeRadixBig(int[] f0, int[] f1, int[] f, int mf, int fft)
         n <<= (mf - 2);
         int fftSize = 1 << (fft - 2);
 
-        int Q[] = new int[2 * fftSize];
-        int R[] = new int[2 * fftSize];
+        int Q[] = new int[2 * fftSize + 1];
+        int R[] = new int[2 * fftSize + 1];
 
         int Q0[] = new int[fftSize];
         int Q1[] = new int[fftSize];

core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCEngine.java

@@ -2,6 +2,7 @@
 
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Pack;
+import org.bouncycastle.util.encoders.Hex;
 
 class HQCEngine
 {
@@ -20,8 +21,7 @@ class HQCEngine
 
     private int SEED_SIZE = 40;
     private byte G_FCT_DOMAIN = 3;
-    private byte H_FCT_DOMAIN = 4;
-    private byte K_FCT_DOMAIN = 5;
+    private byte K_FCT_DOMAIN = 4;
 
     private int N_BYTE;
     private int n1n2;
@@ -87,10 +87,12 @@ public void genKeyPair(byte[] pk, byte[] sk, byte[] seed)
     {
         // Randomly generate seeds for secret keys and public keys
         byte[] secretKeySeed = new byte[SEED_SIZE];
+        byte[] sigma = new byte[K_BYTE];
 
         KeccakRandomGenerator randomGenerator = new KeccakRandomGenerator(256);
         randomGenerator.randomGeneratorInit(seed, null, seed.length, 0);
         randomGenerator.squeeze(secretKeySeed, 40);
+        randomGenerator.squeeze(sigma, K_BYTE);
 
         // 1. Randomly generate secret keys x, y
         KeccakRandomGenerator secretKeySeedExpander = new KeccakRandomGenerator(256);
@@ -99,8 +101,8 @@ public void genKeyPair(byte[] pk, byte[] sk, byte[] seed)
         long[] xLongBytes = new long[N_BYTE_64];
         long[] yLongBytes = new long[N_BYTE_64];
 
-        generateRandomFixedWeight(xLongBytes, secretKeySeedExpander, w);
         generateRandomFixedWeight(yLongBytes, secretKeySeedExpander, w);
+        generateRandomFixedWeight(xLongBytes, secretKeySeedExpander, w);
 
         // 2. Randomly generate h
         byte[] publicKeySeed = new byte[SEED_SIZE];
@@ -120,7 +122,7 @@ public void genKeyPair(byte[] pk, byte[] sk, byte[] seed)
         Utils.fromLongArrayToByteArray(sBytes, s);
 
         byte[] tmpPk = Arrays.concatenate(publicKeySeed, sBytes);
-        byte[] tmpSk = Arrays.concatenate(secretKeySeed, tmpPk);
+        byte[] tmpSk = Arrays.concatenate(secretKeySeed, sigma, tmpPk);
 
         System.arraycopy(tmpPk, 0, pk, 0, tmpPk.length);
         System.arraycopy(tmpSk, 0, sk, 0, tmpSk.length);
@@ -133,12 +135,11 @@ public void genKeyPair(byte[] pk, byte[] sk, byte[] seed)
      *
      * @param u    u
      * @param v    v
-     * @param d    d
      * @param K    session key
      * @param pk   public key
      * @param seed seed
      **/
-    public void encaps(byte[] u, byte[] v, byte[] K, byte[] d, byte[] pk, byte[] seed, byte[] salt)
+    public void encaps(byte[] u, byte[] v, byte[] K, byte[] pk, byte[] seed, byte[] salt)
     {
         // 1. Randomly generate m
         byte[] m = new byte[K_BYTE];
@@ -148,6 +149,9 @@ public void encaps(byte[] u, byte[] v, byte[] K, byte[] d, byte[] pk, byte[] see
         randomGenerator.randomGeneratorInit(seed, null, seed.length, 0);
         randomGenerator.squeeze(secretKeySeed, 40);
 
+        byte[] sigma = new byte[K_BYTE];
+        randomGenerator.squeeze(sigma, K_BYTE);
+
         byte[] publicKeySeed = new byte[SEED_SIZE];
         randomGenerator.squeeze(publicKeySeed, 40);
 
@@ -156,12 +160,12 @@ public void encaps(byte[] u, byte[] v, byte[] K, byte[] d, byte[] pk, byte[] see
 
         // 2. Generate theta
         byte[] theta = new byte[SHA512_BYTES];
-        byte[] tmp = new byte[K_BYTE + SEED_SIZE + SALT_SIZE_BYTES];
+        byte[] tmp = new byte[K_BYTE + (SALT_SIZE_BYTES * 2) + SALT_SIZE_BYTES];
         randomGenerator.squeeze(salt, SALT_SIZE_BYTES);
 
         System.arraycopy(m, 0, tmp, 0, m.length);
-        System.arraycopy(pk, 0, tmp, K_BYTE, SEED_SIZE);
-        System.arraycopy(salt, 0, tmp, K_BYTE + SEED_SIZE, SALT_SIZE_BYTES);
+        System.arraycopy(pk, 0, tmp, K_BYTE, SALT_SIZE_BYTES * 2);
+        System.arraycopy(salt, 0, tmp, K_BYTE + (SALT_SIZE_BYTES * 2), SALT_SIZE_BYTES);
         KeccakRandomGenerator shakeDigest = new KeccakRandomGenerator(256);
         shakeDigest.SHAKE256_512_ds(theta, tmp, tmp.length, new byte[]{G_FCT_DOMAIN});
 
@@ -176,13 +180,8 @@ public void encaps(byte[] u, byte[] v, byte[] K, byte[] d, byte[] pk, byte[] see
 
         Utils.fromLongArrayToByteArray(v, vTmp);
 
-        // 4. Compute d
-        shakeDigest.SHAKE256_512_ds(d, m, m.length, new byte[]{H_FCT_DOMAIN});
-
         // 5. Compute session key K
-        byte[] hashInputK = new byte[K_BYTE + N_BYTE + N1N2_BYTE];
-        hashInputK = Arrays.concatenate(m, u);
-        hashInputK = Arrays.concatenate(hashInputK, v);
+        byte[] hashInputK = Arrays.concatenate(m, u, v);
         shakeDigest.SHAKE256_512_ds(K, hashInputK, hashInputK.length, new byte[]{K_FCT_DOMAIN});
     }
 
@@ -194,32 +193,32 @@ public void encaps(byte[] u, byte[] v, byte[] K, byte[] d, byte[] pk, byte[] see
      * @param ss session key
      * @param ct ciphertext
      * @param sk secret key
+     * @return 0 if decapsulation is successful, -1 otherwise
      **/
-    public void decaps(byte[] ss, byte[] ct, byte[] sk)
+    public int decaps(byte[] ss, byte[] ct, byte[] sk)
     {
         //Extract Y and Public Keys from sk
-        long[] x = new long[N_BYTE_64];
         long[] y = new long[N_BYTE_64];
         byte[] pk = new byte[40 + N_BYTE];
-        extractKeysFromSecretKeys(x, y, pk, sk);
+        byte[] sigma = new byte[K_BYTE];
+        extractKeysFromSecretKeys(y, sigma, pk, sk);
 
         // Extract u, v, d from ciphertext
         byte[] u = new byte[N_BYTE];
         byte[] v = new byte[N1N2_BYTE];
-        byte[] d = new byte[SHA512_BYTES];
         byte[] salt = new byte[SALT_SIZE_BYTES];
-        extractCiphertexts(u, v, d, salt, ct);
+        extractCiphertexts(u, v, salt, ct);
 
         // 1. Decrypt -> m'
         byte[] mPrimeBytes = new byte[k];
-        decrypt(mPrimeBytes, mPrimeBytes, u, v, y);
+        int result = decrypt(mPrimeBytes, mPrimeBytes, sigma, u, v, y);
 
         // 2. Compute theta'
         byte[] theta = new byte[SHA512_BYTES];
-        byte[] tmp = new byte[K_BYTE + SALT_SIZE_BYTES + SEED_SIZE];
+        byte[] tmp = new byte[K_BYTE + (SALT_SIZE_BYTES * 2) + SALT_SIZE_BYTES];
         System.arraycopy(mPrimeBytes, 0, tmp, 0, mPrimeBytes.length);
-        System.arraycopy(pk, 0, tmp, K_BYTE, SEED_SIZE);
-        System.arraycopy(salt, 0, tmp, K_BYTE + SEED_SIZE, SALT_SIZE_BYTES);
+        System.arraycopy(pk, 0, tmp, K_BYTE, SALT_SIZE_BYTES * 2);
+        System.arraycopy(salt, 0, tmp, K_BYTE + (SALT_SIZE_BYTES * 2), SALT_SIZE_BYTES);
 
         KeccakRandomGenerator shakeDigest = new KeccakRandomGenerator(256);
         shakeDigest.SHAKE256_512_ds(theta, tmp, tmp.length, new byte[]{G_FCT_DOMAIN});
@@ -236,40 +235,32 @@ public void decaps(byte[] ss, byte[] ct, byte[] sk)
         encrypt(u2Bytes, vTmp, h, s, mPrimeBytes, theta);
         Utils.fromLongArrayToByteArray(v2Bytes, vTmp);
 
-        // 4. Compute d' = H(m')
-        byte[] dPrime = new byte[SHA512_BYTES];
-        shakeDigest.SHAKE256_512_ds(dPrime, mPrimeBytes, mPrimeBytes.length, new byte[]{H_FCT_DOMAIN});
-
         // 5. Compute session key KPrime
         byte[] hashInputK = new byte[K_BYTE + N_BYTE + N1N2_BYTE];
-        hashInputK = Arrays.concatenate(mPrimeBytes, u);
-        hashInputK = Arrays.concatenate(hashInputK, v);
-        shakeDigest.SHAKE256_512_ds(ss, hashInputK, hashInputK.length, new byte[]{K_FCT_DOMAIN});
 
-        int result = 1;
         // Compare u, v, d
         if (!Arrays.constantTimeAreEqual(u, u2Bytes))
         {
-            result = 0;
+            result = 1;
         }
 
         if (!Arrays.constantTimeAreEqual(v, v2Bytes))
         {
-            result = 0;
+            result = 1;
         }
 
-        if (!Arrays.constantTimeAreEqual(d, dPrime))
+        result -= 1;
+
+        for (int i = 0; i < K_BYTE; i++)
         {
-            result = 0;
+            hashInputK[i] = (byte)(((mPrimeBytes[i] & result) ^ (sigma[i] & ~result)) & 0xff);
         }
+        System.arraycopy(u, 0, hashInputK, K_BYTE, N_BYTE);
+        System.arraycopy(v, 0, hashInputK, K_BYTE + N_BYTE, N1N2_BYTE);
 
-        if (result == 0)
-        { //abort
-            for (int i = 0; i < getSessionKeySize(); i++)
-            {
-                ss[i] = 0;
-            }
-        }
+        shakeDigest.SHAKE256_512_ds(ss, hashInputK, hashInputK.length, new byte[]{K_FCT_DOMAIN});
+
+        return -result;
     }
 
     int getSessionKeySize()
@@ -296,9 +287,9 @@ private void encrypt(byte[] u, long[] v, long[] h, byte[] s, byte[] m, byte[] th
         long[] e = new long[N_BYTE_64];
         long[] r1 = new long[N_BYTE_64];
         long[] r2 = new long[N_BYTE_64];
-        generateRandomFixedWeight(r1, randomGenerator, wr);
         generateRandomFixedWeight(r2, randomGenerator, wr);
         generateRandomFixedWeight(e, randomGenerator, we);
+        generateRandomFixedWeight(r1, randomGenerator, wr);
 
         // Calculate u
         long[] uLong = new long[N_BYTE_64];
@@ -327,7 +318,7 @@ private void encrypt(byte[] u, long[] v, long[] h, byte[] s, byte[] m, byte[] th
         Utils.resizeArray(v, n1n2, tmpLong, n, N1N2_BYTE_64, N1N2_BYTE_64);
     }
 
-    private void decrypt(byte[] output, byte[] m, byte[] u, byte[] v, long[] y)
+    private int decrypt(byte[] output, byte[] m, byte[] sigma, byte[] u, byte[] v, long[] y)
     {
         long[] uLongs = new long[N_BYTE_64];
         Utils.fromByteArrayToLongArray(uLongs, u);
@@ -348,6 +339,7 @@ private void decrypt(byte[] output, byte[] m, byte[] u, byte[] v, long[] y)
         ReedSolomon.decode(m, tmp, n1, fft, delta, k, g);
 
         System.arraycopy(m, 0, output, 0, output.length);
+        return 0;
     }
 
     private void generateRandomFixedWeight(long[] output, KeccakRandomGenerator random, int weight)
@@ -427,26 +419,25 @@ private void extractPublicKeys(long[] h, byte[] s, byte[] pk)
         System.arraycopy(pk, 40, s, 0, s.length);
     }
 
-    private void extractKeysFromSecretKeys(long[] x, long[] y, byte[] pk, byte[] sk)
+    private void extractKeysFromSecretKeys(long[] y, byte[] sigma, byte[] pk, byte[] sk)
     {
         byte[] secretKeySeed = new byte[SEED_SIZE];
         System.arraycopy(sk, 0, secretKeySeed, 0, secretKeySeed.length);
+        System.arraycopy(sk, SEED_SIZE, sigma, 0, K_BYTE);
 
         // Randomly generate secret keys x, y
         KeccakRandomGenerator secretKeySeedExpander = new KeccakRandomGenerator(256);
         secretKeySeedExpander.seedExpanderInit(secretKeySeed, secretKeySeed.length);
 
-        generateRandomFixedWeight(x, secretKeySeedExpander, w);
         generateRandomFixedWeight(y, secretKeySeedExpander, w);
 
-        System.arraycopy(sk, SEED_SIZE, pk, 0, pk.length);
+        System.arraycopy(sk, SEED_SIZE + K_BYTE, pk, 0, pk.length);
     }
 
-    private void extractCiphertexts(byte[] u, byte[] v, byte[] d, byte[] salt, byte[] ct)
+    private void extractCiphertexts(byte[] u, byte[] v, byte[] salt, byte[] ct)
     {
         System.arraycopy(ct, 0, u, 0, u.length);
         System.arraycopy(ct, u.length, v, 0, v.length);
-        System.arraycopy(ct, u.length + v.length, d, 0, d.length);
-        System.arraycopy(ct, u.length + v.length + d.length, salt, 0, salt.length);
+        System.arraycopy(ct, u.length + v.length, salt, 0, salt.length);
     }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCKEMGenerator.java

@@ -26,16 +26,15 @@ public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recip
         byte[] K = new byte[key.getParameters().getSHA512_BYTES()];
         byte[] u = new byte[key.getParameters().getN_BYTES()];
         byte[] v = new byte[key.getParameters().getN1N2_BYTES()];
-        byte[] d = new byte[key.getParameters().getSHA512_BYTES()];
         byte[] salt = new byte[key.getParameters().getSALT_SIZE_BYTES()];
         byte[] pk = key.getPublicKey();
         byte[] seed = new byte[48];
 
         sr.nextBytes(seed);
 
-        engine.encaps(u, v, K, d, pk, seed, salt);
+        engine.encaps(u, v, K, pk, seed, salt);
 
-        byte[] cipherText = Arrays.concatenate(u, v, d, salt);
+        byte[] cipherText = Arrays.concatenate(u, v, salt);
 
         return new SecretWithEncapsulationImpl(Arrays.copyOfRange(K, 0, key.getParameters().getK()), cipherText);
     }

core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCKeyPairGenerator.java

@@ -45,7 +45,7 @@ private AsymmetricCipherKeyPair genKeyPair(byte[] seed)
     {
         HQCEngine engine = hqcKeyGenerationParameters.getParameters().getEngine();
         byte[] pk = new byte[40 + N_BYTE];
-        byte[] sk = new byte[40 + 40 + N_BYTE];
+        byte[] sk = new byte[40 + 40 + k + N_BYTE];
 
         engine.genKeyPair(pk, sk, seed);
 

core/src/test/java/org/bouncycastle/pqc/crypto/test/HQCTest.java

@@ -42,9 +42,9 @@ public void testVectors()
         String[] files;
         // test cases
         files = new String[]{
-                "hqc-128_kat.rsp",
-                "hqc-192_kat.rsp",
-                "hqc-256_kat.rsp",
+                "HQC-128.rsp",
+                "HQC-192.rsp",
+                "HQC-256.rsp",
         };
 
         HQCParameters[] listParams = new HQCParameters[]{