Added aes variant to kyber

Author: royb

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberEngine.java

@@ -144,7 +144,7 @@ public int getKyberEta1()
         return KyberEta1;
     }
 
-    public KyberEngine(int k)
+    public KyberEngine(int k, boolean usingAes)
     {
         this.KyberK = k;
         switch (k)
@@ -185,7 +185,15 @@ public KyberEngine(int k)
         this.CryptoPublicKeyBytes = KyberPublicKeyBytes;
         this.CryptoCipherTextBytes = KyberCipherTextBytes;
 
-        symmetric = new Symmetric.ShakeSymmetric();
+        if(usingAes)
+        {
+            symmetric = new Symmetric.AesSymmetric();
+        }
+        else
+        {
+            symmetric = new Symmetric.ShakeSymmetric();
+        }
+
         this.indCpa = new KyberIndCpa(this);
 
 

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberIndCpa.java

@@ -29,6 +29,16 @@ public KyberIndCpa(KyberEngine engine)
         this.polyVecCompressedBytes = engine.getKyberPolyVecCompressedBytes();
         this.polyCompressedBytes = engine.getKyberPolyCompressedBytes();
         this.symmetric = engine.getSymmetric();
+
+        KyberGenerateMatrixNBlocks =
+            (
+                (
+                    12 * KyberEngine.KyberN
+                        / 8 * (1 << 12)
+                        / KyberEngine.KyberQ + symmetric.xofBlockBytes
+                )
+                    / symmetric.xofBlockBytes
+            );
     }
 
 
@@ -311,21 +321,13 @@ public void unpackSecretKey(PolyVec secretKeyPolyVec, byte[] secretKey)
         secretKeyPolyVec.fromBytes(secretKey);
     }
 
-    public final static int KyberGenerateMatrixNBlocks =
-        (
-            (
-                12 * KyberEngine.KyberN
-                    / 8 * (1 << 12)
-                    / KyberEngine.KyberQ + Symmetric.SHAKE128_rate
-            )
-                / Symmetric.SHAKE128_rate
-        );
+    public final int KyberGenerateMatrixNBlocks;
 
     public void generateMatrix(PolyVec[] aMatrix, byte[] seed, boolean transposed)
     {
         int i, j, k, ctr, off;
         SHAKEDigest kyberXOF;
-        byte[] buf = new byte[KyberGenerateMatrixNBlocks * Symmetric.SHAKE128_rate + 2];
+        byte[] buf = new byte[KyberGenerateMatrixNBlocks * symmetric.xofBlockBytes + 2];
         for (i = 0; i < kyberK; i++)
         {
             for (j = 0; j < kyberK; j++)
@@ -338,9 +340,9 @@ public void generateMatrix(PolyVec[] aMatrix, byte[] seed, boolean transposed)
                 {
                     symmetric.xofAbsorb(seed, (byte) j, (byte) i);
                 }
-                symmetric.xofSqueezeBlocks(buf, 0, Symmetric.SHAKE128_rate * KyberGenerateMatrixNBlocks);
+                symmetric.xofSqueezeBlocks(buf, 0, symmetric.xofBlockBytes * KyberGenerateMatrixNBlocks);
 
-                int buflen = KyberGenerateMatrixNBlocks * Symmetric.SHAKE128_rate;
+                int buflen = KyberGenerateMatrixNBlocks * symmetric.xofBlockBytes;
                 ctr = rejectionSampling(aMatrix[i].getVectorIndex(j), 0, KyberEngine.KyberN, buf, buflen);
 
                 while (ctr < KyberEngine.KyberN)
@@ -350,8 +352,8 @@ public void generateMatrix(PolyVec[] aMatrix, byte[] seed, boolean transposed)
                     {
                         buf[k] = buf[buflen - off + k];
                     }
-                    symmetric.xofSqueezeBlocks(buf, off, Symmetric.SHAKE128_rate * 2);
-                    buflen = off + Symmetric.SHAKE128_rate;
+                    symmetric.xofSqueezeBlocks(buf, off, symmetric.xofBlockBytes * 2);
+                    buflen = off + symmetric.xofBlockBytes;
                     // Error in code Section Unsure
                     ctr += rejectionSampling(aMatrix[i].getVectorIndex(j), ctr, KyberEngine.KyberN - ctr, buf, buflen);
                 }

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/KyberParameters.java

@@ -2,19 +2,24 @@
 
 public class KyberParameters
 {
-    public static final KyberParameters kyber512 = new KyberParameters("kyber512", 2, 128);
-    public static final KyberParameters kyber768 = new KyberParameters("kyber768", 3, 192);
-    public static final KyberParameters kyber1024 = new KyberParameters("kyber1024", 4, 256);
+    public static final KyberParameters kyber512 = new KyberParameters("kyber512", 2, 128, false);
+    public static final KyberParameters kyber768 = new KyberParameters("kyber768", 3, 192, false);
+    public static final KyberParameters kyber1024 = new KyberParameters("kyber1024", 4, 256, false);
+    public static final KyberParameters kyber512_aes = new KyberParameters("kyber512-aes", 2, 128, true);
+    public static final KyberParameters kyber768_aes = new KyberParameters("kyber768-aes", 3, 192, true);
+    public static final KyberParameters kyber1024_aes = new KyberParameters("kyber1024-aes", 4, 256, true);
 
     private final String name;
     private final int k;
     private final int sessionKeySize;
+    private final boolean usingAes;
 
-    private KyberParameters(String name, int k, int sessionKeySize)
+    private KyberParameters(String name, int k, int sessionKeySize, boolean usingAes)
     {
         this.name = name;
         this.k = k;
         this.sessionKeySize = sessionKeySize;
+        this.usingAes = usingAes;
     }
 
     public String getName()
@@ -24,7 +29,7 @@ public String getName()
 
     KyberEngine getEngine()
     {
-        return new KyberEngine(k);
+        return new KyberEngine(k, usingAes);
     }
 
     public int getSessionKeySize()

core/src/main/java/org/bouncycastle/pqc/crypto/crystals/kyber/Symmetric.java

@@ -1,7 +1,15 @@
 package org.bouncycastle.pqc.crypto.crystals.kyber;
 
+import org.bouncycastle.crypto.ExtendedDigest;
+import org.bouncycastle.crypto.digests.SHA256Digest;
 import org.bouncycastle.crypto.digests.SHA3Digest;
+import org.bouncycastle.crypto.digests.SHA512Digest;
 import org.bouncycastle.crypto.digests.SHAKEDigest;
+import org.bouncycastle.crypto.engines.AESEngine;
+import org.bouncycastle.crypto.modes.SICBlockCipher;
+import org.bouncycastle.crypto.params.KeyParameter;
+import org.bouncycastle.crypto.params.ParametersWithIV;
+import org.bouncycastle.util.Arrays;
 
 abstract class Symmetric
 {
@@ -93,71 +101,82 @@ void kdf(byte[] out, byte[] in)
     static class AesSymmetric
         extends Symmetric
     {
-        AesSymmetric()
-        {
+        private final SHA256Digest sha256Digest;
+        private final SHA512Digest sha512Digest;
+        private final SICBlockCipher cipher;
+
+        AesSymmetric() {
             super(64);
+            this.sha256Digest = new SHA256Digest();
+            this.sha512Digest = new SHA512Digest();
+            this.cipher = new SICBlockCipher(new AESEngine());
+        }
+
+        private void doDigest(ExtendedDigest digest, byte[] out, byte[] in, int outOffset)
+        {
+            digest.update(in, 0, in.length);
+            digest.doFinal(out, outOffset);
+        }
+
+        private void aes128(byte[] out, int offset, int size)
+        {
+            byte[] buf = new byte[size];   // TODO: there might be a more efficient way of doing this...
+            cipher.processBytes(buf, 0, size, out, offset);
         }
 
         @Override
         void hash_h(byte[] out, byte[] in, int outOffset)
         {
-
+            sha256Digest.update(in, 0, in.length);
+            sha256Digest.doFinal(out, outOffset);
+//            doDigest(sha256Digest, out, in, outOffset);
         }
 
         @Override
         void hash_g(byte[] out, byte[] in)
         {
-
+            sha512Digest.update(in, 0, in.length);
+            sha512Digest.doFinal(out, 0);
+//            doDigest(sha512Digest, out, in, 0);
         }
 
         @Override
-        void xofAbsorb(byte[] seed, byte x, byte y)
+        void xofAbsorb(byte[] key, byte x, byte y)
         {
+            byte[] expnonce = new byte[12];
+            expnonce[0] = x;
+            expnonce[1] = y;
 
+            ParametersWithIV kp = new ParametersWithIV(new KeyParameter(Arrays.copyOfRange(key, 0, 32)), expnonce);
+            cipher.init(true, kp);
         }
 
         @Override
         void xofSqueezeBlocks(byte[] out, int outOffset, int outLen)
         {
-
+            aes128(out, outOffset, outLen);
         }
 
         @Override
         void prf(byte[] out, byte[] key, byte nonce)
         {
-
+            SICBlockCipher prf = new SICBlockCipher(new AESEngine());
+            byte[] expnonce = new byte[12];
+            expnonce[0] = nonce;
+
+            ParametersWithIV kp = new ParametersWithIV(new KeyParameter(Arrays.copyOfRange(key, 0, 32)), expnonce);
+            prf.init(true, kp);
+            aes128(out, 0, out.length);
+            byte[] buf = new byte[out.length];   // TODO: there might be a more efficient way of doing this...
+            prf.processBytes(buf, 0, out.length, out, 0);
         }
 
         @Override
         void kdf(byte[] out, byte[] in)
         {
-
+            sha256Digest.update(in, 0, in.length);
+            sha256Digest.doFinal(out, 0);
+//            doDigest(sha256Digest, out, in, 0);
         }
     }
-    public static SHAKEDigest KyberXOF(byte[] seed, int a, int b)
-    {
-        SHAKEDigest xof = new SHAKEDigest(128);
-        byte[] buf = new byte[seed.length + 2];
-        System.arraycopy(seed, 0, buf, 0, seed.length);
-        buf[seed.length] = (byte)a;
-        buf[seed.length + 1] = (byte)b;
-
-        xof.update(buf, 0, seed.length + 2);
-
-
-        return xof;
-    }
-
-    public final static int SHAKE128_rate = 168;
-
-    public static SHAKEDigest KyberPRF(byte[] seed, byte nonce)
-    {
-        SHAKEDigest prf = new SHAKEDigest(256);
-
-        byte[] extSeed = new byte[seed.length + 1];
-        System.arraycopy(seed, 0, extSeed, 0, seed.length);
-        extSeed[seed.length] = nonce;
-        prf.update(extSeed, 0, extSeed.length);
-        return prf;
-    }
 }

core/src/test/java/org/bouncycastle/pqc/crypto/test/CrystalsKyberTest.java

@@ -103,12 +103,18 @@ public void testVectors()
             KyberParameters.kyber512,
             KyberParameters.kyber768,
             KyberParameters.kyber1024,
+//            KyberParameters.kyber512,
+//            KyberParameters.kyber768,
+//            KyberParameters.kyber1024,
         };
 
         String[] files = new String[]{
             "kyber512.rsp",
             "kyber768.rsp",
             "kyber1024.rsp",
+//            "kyber512aes.rsp",
+//            "kyber768aes.rsp",
+//            "kyber1024aes.rsp",
         };
 
         TestSampler sampler = new TestSampler();