diff options
Diffstat (limited to 'core/src/main/java/org/spongycastle/pqc/crypto')
69 files changed, 14809 insertions, 0 deletions
diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/DigestingMessageSigner.java b/core/src/main/java/org/spongycastle/pqc/crypto/DigestingMessageSigner.java new file mode 100644 index 00000000..b58a5278 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/DigestingMessageSigner.java @@ -0,0 +1,117 @@ +package org.spongycastle.pqc.crypto; + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.Signer; +import org.spongycastle.crypto.params.AsymmetricKeyParameter; +import org.spongycastle.crypto.params.ParametersWithRandom; + + +/** + * Implements the sign and verify functions for a Signature Scheme which can use a hash function. + */ +public class DigestingMessageSigner + implements Signer +{ + private final Digest messDigest; + private final MessageSigner messSigner; + private boolean forSigning; + + public DigestingMessageSigner(MessageSigner messSigner, Digest messDigest) + { + this.messSigner = messSigner; + this.messDigest = messDigest; + } + + public void init(boolean forSigning, + CipherParameters param) + { + + this.forSigning = forSigning; + AsymmetricKeyParameter k; + + if (param instanceof ParametersWithRandom) + { + k = (AsymmetricKeyParameter)((ParametersWithRandom)param).getParameters(); + } + else + { + k = (AsymmetricKeyParameter)param; + } + + if (forSigning && !k.isPrivate()) + { + throw new IllegalArgumentException("Signing Requires Private Key."); + } + + if (!forSigning && k.isPrivate()) + { + throw new IllegalArgumentException("Verification Requires Public Key."); + } + + reset(); + + messSigner.init(forSigning, param); + } + + + /** + * This function signs the message that has been updated, making use of the + * private key. + * + * @return the signature of the message. + */ + public byte[] generateSignature() + { + if (!forSigning) + { + throw new IllegalStateException("RainbowDigestSigner not initialised for signature generation."); + } + + byte[] hash = new byte[messDigest.getDigestSize()]; + messDigest.doFinal(hash, 0); + + return messSigner.generateSignature(hash); + } + + /** + * This function verifies the signature of the message that has been + * updated, with the aid of the public key. + * + * @param signature the signature of the message is given as a byte array. + * @return true if the signature has been verified, false otherwise. + */ + public boolean verify(byte[] signature) + { + if (forSigning) + { + throw new IllegalStateException("RainbowDigestSigner not initialised for verification"); + } + + byte[] hash = new byte[messDigest.getDigestSize()]; + messDigest.doFinal(hash, 0); + + return messSigner.verifySignature(hash, signature); + + } + + public void update(byte b) + { + messDigest.update(b); + } + + public void update(byte[] in, int off, int len) + { + messDigest.update(in, off, len); + } + + public void reset() + { + messDigest.reset(); + } + + public boolean verifySignature(byte[] signature) + { + return this.verify(signature); + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/MessageEncryptor.java b/core/src/main/java/org/spongycastle/pqc/crypto/MessageEncryptor.java new file mode 100644 index 00000000..4d5ea6b2 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/MessageEncryptor.java @@ -0,0 +1,30 @@ +package org.spongycastle.pqc.crypto; + + +import org.spongycastle.crypto.CipherParameters; + +public interface MessageEncryptor +{ + + /** + * + * @param forEncrypting true if we are encrypting a signature, false + * otherwise. + * @param param key parameters for encryption or decryption. + */ + public void init(boolean forEncrypting, CipherParameters param); + + /** + * + * @param message the message to be signed. + * @throws Exception + */ + public byte[] messageEncrypt(byte[] message) throws Exception; + + /** + * + * @param cipher the cipher text of the message + * @throws Exception + */ + public byte[] messageDecrypt(byte[] cipher) throws Exception; +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/MessageSigner.java b/core/src/main/java/org/spongycastle/pqc/crypto/MessageSigner.java new file mode 100644 index 00000000..b09c6195 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/MessageSigner.java @@ -0,0 +1,32 @@ +package org.spongycastle.pqc.crypto; + +import org.spongycastle.crypto.CipherParameters; + +public interface MessageSigner +{ + /** + * initialise the signer for signature generation or signature + * verification. + * + * @param forSigning true if we are generating a signature, false + * otherwise. + * @param param key parameters for signature generation. + */ + public void init(boolean forSigning, CipherParameters param); + + /** + * sign the passed in message (usually the output of a hash function). + * + * @param message the message to be signed. + * @return the signature of the message + */ + public byte[] generateSignature(byte[] message); + + /** + * verify the message message against the signature values r and s. + * + * @param message the message that was supposed to have been signed. + * @param signature the signature of the message + */ + public boolean verifySignature(byte[] message, byte[] signature); +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSDigestProvider.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSDigestProvider.java new file mode 100644 index 00000000..373ca503 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSDigestProvider.java @@ -0,0 +1,8 @@ +package org.spongycastle.pqc.crypto.gmss; + +import org.spongycastle.crypto.Digest; + +public interface GMSSDigestProvider +{ + Digest get(); +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSKeyGenerationParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSKeyGenerationParameters.java new file mode 100644 index 00000000..27d7b697 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSKeyGenerationParameters.java @@ -0,0 +1,26 @@ +package org.spongycastle.pqc.crypto.gmss; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.KeyGenerationParameters; + +public class GMSSKeyGenerationParameters + extends KeyGenerationParameters +{ + + private GMSSParameters params; + + public GMSSKeyGenerationParameters( + SecureRandom random, + GMSSParameters params) + { + // XXX key size? + super(random, 1); + this.params = params; + } + + public GMSSParameters getParameters() + { + return params; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSKeyPairGenerator.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSKeyPairGenerator.java new file mode 100644 index 00000000..bb1ef36d --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSKeyPairGenerator.java @@ -0,0 +1,476 @@ +package org.spongycastle.pqc.crypto.gmss; + +import java.security.SecureRandom; +import java.util.Vector; + +import org.spongycastle.crypto.AsymmetricCipherKeyPair; +import org.spongycastle.crypto.AsymmetricCipherKeyPairGenerator; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.KeyGenerationParameters; +import org.spongycastle.pqc.crypto.gmss.util.GMSSRandom; +import org.spongycastle.pqc.crypto.gmss.util.WinternitzOTSVerify; +import org.spongycastle.pqc.crypto.gmss.util.WinternitzOTSignature; + + +/** + * This class implements key pair generation of the generalized Merkle signature + * scheme (GMSS). + * + * @see GMSSSigner + */ +public class GMSSKeyPairGenerator + implements AsymmetricCipherKeyPairGenerator +{ + /** + * The source of randomness for OTS private key generation + */ + private GMSSRandom gmssRandom; + + /** + * The hash function used for the construction of the authentication trees + */ + private Digest messDigestTree; + + /** + * An array of the seeds for the PRGN (for main tree, and all current + * subtrees) + */ + private byte[][] currentSeeds; + + /** + * An array of seeds for the PRGN (for all subtrees after next) + */ + private byte[][] nextNextSeeds; + + /** + * An array of the RootSignatures + */ + private byte[][] currentRootSigs; + + /** + * Class of hash function to use + */ + private GMSSDigestProvider digestProvider; + + /** + * The length of the seed for the PRNG + */ + private int mdLength; + + /** + * the number of Layers + */ + private int numLayer; + + + /** + * Flag indicating if the class already has been initialized + */ + private boolean initialized = false; + + /** + * Instance of GMSSParameterset + */ + private GMSSParameters gmssPS; + + /** + * An array of the heights of the authentication trees of each layer + */ + private int[] heightOfTrees; + + /** + * An array of the Winternitz parameter 'w' of each layer + */ + private int[] otsIndex; + + /** + * The parameter K needed for the authentication path computation + */ + private int[] K; + + private GMSSKeyGenerationParameters gmssParams; + + /** + * The GMSS OID. + */ + public static final String OID = "1.3.6.1.4.1.8301.3.1.3.3"; + + /** + * The standard constructor tries to generate the GMSS algorithm identifier + * with the corresponding OID. + * + * @param digestProvider provider for digest implementations. + */ + public GMSSKeyPairGenerator(GMSSDigestProvider digestProvider) + { + this.digestProvider = digestProvider; + messDigestTree = digestProvider.get(); + + // set mdLength + this.mdLength = messDigestTree.getDigestSize(); + // construct randomizer + this.gmssRandom = new GMSSRandom(messDigestTree); + + } + + /** + * Generates the GMSS key pair. The public key is an instance of + * JDKGMSSPublicKey, the private key is an instance of JDKGMSSPrivateKey. + * + * @return Key pair containing a JDKGMSSPublicKey and a JDKGMSSPrivateKey + */ + private AsymmetricCipherKeyPair genKeyPair() + { + if (!initialized) + { + initializeDefault(); + } + + // initialize authenticationPaths and treehash instances + byte[][][] currentAuthPaths = new byte[numLayer][][]; + byte[][][] nextAuthPaths = new byte[numLayer - 1][][]; + Treehash[][] currentTreehash = new Treehash[numLayer][]; + Treehash[][] nextTreehash = new Treehash[numLayer - 1][]; + + Vector[] currentStack = new Vector[numLayer]; + Vector[] nextStack = new Vector[numLayer - 1]; + + Vector[][] currentRetain = new Vector[numLayer][]; + Vector[][] nextRetain = new Vector[numLayer - 1][]; + + for (int i = 0; i < numLayer; i++) + { + currentAuthPaths[i] = new byte[heightOfTrees[i]][mdLength]; + currentTreehash[i] = new Treehash[heightOfTrees[i] - K[i]]; + + if (i > 0) + { + nextAuthPaths[i - 1] = new byte[heightOfTrees[i]][mdLength]; + nextTreehash[i - 1] = new Treehash[heightOfTrees[i] - K[i]]; + } + + currentStack[i] = new Vector(); + if (i > 0) + { + nextStack[i - 1] = new Vector(); + } + } + + // initialize roots + byte[][] currentRoots = new byte[numLayer][mdLength]; + byte[][] nextRoots = new byte[numLayer - 1][mdLength]; + // initialize seeds + byte[][] seeds = new byte[numLayer][mdLength]; + // initialize seeds[] by copying starting-seeds of first trees of each + // layer + for (int i = 0; i < numLayer; i++) + { + System.arraycopy(currentSeeds[i], 0, seeds[i], 0, mdLength); + } + + // initialize rootSigs + currentRootSigs = new byte[numLayer - 1][mdLength]; + + // ------------------------- + // ------------------------- + // --- calculation of current authpaths and current rootsigs (AUTHPATHS, + // SIG)------ + // from bottom up to the root + for (int h = numLayer - 1; h >= 0; h--) + { + GMSSRootCalc tree = new GMSSRootCalc(this.heightOfTrees[h], this.K[h], digestProvider); + try + { + // on lowest layer no lower root is available, so just call + // the method with null as first parameter + if (h == numLayer - 1) + { + tree = this.generateCurrentAuthpathAndRoot(null, currentStack[h], seeds[h], h); + } + else + // otherwise call the method with the former computed root + // value + { + tree = this.generateCurrentAuthpathAndRoot(currentRoots[h + 1], currentStack[h], seeds[h], h); + } + + } + catch (Exception e1) + { + e1.printStackTrace(); + } + + // set initial values needed for the private key construction + for (int i = 0; i < heightOfTrees[h]; i++) + { + System.arraycopy(tree.getAuthPath()[i], 0, currentAuthPaths[h][i], 0, mdLength); + } + currentRetain[h] = tree.getRetain(); + currentTreehash[h] = tree.getTreehash(); + System.arraycopy(tree.getRoot(), 0, currentRoots[h], 0, mdLength); + } + + // --- calculation of next authpaths and next roots (AUTHPATHS+, ROOTS+) + // ------ + for (int h = numLayer - 2; h >= 0; h--) + { + GMSSRootCalc tree = this.generateNextAuthpathAndRoot(nextStack[h], seeds[h + 1], h + 1); + + // set initial values needed for the private key construction + for (int i = 0; i < heightOfTrees[h + 1]; i++) + { + System.arraycopy(tree.getAuthPath()[i], 0, nextAuthPaths[h][i], 0, mdLength); + } + nextRetain[h] = tree.getRetain(); + nextTreehash[h] = tree.getTreehash(); + System.arraycopy(tree.getRoot(), 0, nextRoots[h], 0, mdLength); + + // create seed for the Merkle tree after next (nextNextSeeds) + // SEEDs++ + System.arraycopy(seeds[h + 1], 0, this.nextNextSeeds[h], 0, mdLength); + } + // ------------ + + // generate JDKGMSSPublicKey + GMSSPublicKeyParameters publicKey = new GMSSPublicKeyParameters(currentRoots[0], gmssPS); + + // generate the JDKGMSSPrivateKey + GMSSPrivateKeyParameters privateKey = new GMSSPrivateKeyParameters(currentSeeds, nextNextSeeds, currentAuthPaths, + nextAuthPaths, currentTreehash, nextTreehash, currentStack, nextStack, currentRetain, nextRetain, nextRoots, currentRootSigs, gmssPS, digestProvider); + + // return the KeyPair + return (new AsymmetricCipherKeyPair(publicKey, privateKey)); + } + + /** + * calculates the authpath for tree in layer h which starts with seed[h] + * additionally computes the rootSignature of underlaying root + * + * @param currentStack stack used for the treehash instance created by this method + * @param lowerRoot stores the root of the lower tree + * @param seed starting seeds + * @param h actual layer + */ + private GMSSRootCalc generateCurrentAuthpathAndRoot(byte[] lowerRoot, Vector currentStack, byte[] seed, int h) + { + byte[] help = new byte[mdLength]; + + byte[] OTSseed = new byte[mdLength]; + OTSseed = gmssRandom.nextSeed(seed); + + WinternitzOTSignature ots; + + // data structure that constructs the whole tree and stores + // the initial values for treehash, Auth and retain + GMSSRootCalc treeToConstruct = new GMSSRootCalc(this.heightOfTrees[h], this.K[h], digestProvider); + + treeToConstruct.initialize(currentStack); + + // generate the first leaf + if (h == numLayer - 1) + { + ots = new WinternitzOTSignature(OTSseed, digestProvider.get(), otsIndex[h]); + help = ots.getPublicKey(); + } + else + { + // for all layers except the lowest, generate the signature of the + // underlying root + // and reuse this signature to compute the first leaf of acual layer + // more efficiently (by verifiing the signature) + ots = new WinternitzOTSignature(OTSseed, digestProvider.get(), otsIndex[h]); + currentRootSigs[h] = ots.getSignature(lowerRoot); + WinternitzOTSVerify otsver = new WinternitzOTSVerify(digestProvider.get(), otsIndex[h]); + help = otsver.Verify(lowerRoot, currentRootSigs[h]); + } + // update the tree with the first leaf + treeToConstruct.update(help); + + int seedForTreehashIndex = 3; + int count = 0; + + // update the tree 2^(H) - 1 times, from the second to the last leaf + for (int i = 1; i < (1 << this.heightOfTrees[h]); i++) + { + // initialize the seeds for the leaf generation with index 3 * 2^h + if (i == seedForTreehashIndex && count < this.heightOfTrees[h] - this.K[h]) + { + treeToConstruct.initializeTreehashSeed(seed, count); + seedForTreehashIndex *= 2; + count++; + } + + OTSseed = gmssRandom.nextSeed(seed); + ots = new WinternitzOTSignature(OTSseed, digestProvider.get(), otsIndex[h]); + treeToConstruct.update(ots.getPublicKey()); + } + + if (treeToConstruct.wasFinished()) + { + return treeToConstruct; + } + System.err.println("Baum noch nicht fertig konstruiert!!!"); + return null; + } + + /** + * calculates the authpath and root for tree in layer h which starts with + * seed[h] + * + * @param nextStack stack used for the treehash instance created by this method + * @param seed starting seeds + * @param h actual layer + */ + private GMSSRootCalc generateNextAuthpathAndRoot(Vector nextStack, byte[] seed, int h) + { + byte[] OTSseed = new byte[numLayer]; + WinternitzOTSignature ots; + + // data structure that constructs the whole tree and stores + // the initial values for treehash, Auth and retain + GMSSRootCalc treeToConstruct = new GMSSRootCalc(this.heightOfTrees[h], this.K[h], this.digestProvider); + treeToConstruct.initialize(nextStack); + + int seedForTreehashIndex = 3; + int count = 0; + + // update the tree 2^(H) times, from the first to the last leaf + for (int i = 0; i < (1 << this.heightOfTrees[h]); i++) + { + // initialize the seeds for the leaf generation with index 3 * 2^h + if (i == seedForTreehashIndex && count < this.heightOfTrees[h] - this.K[h]) + { + treeToConstruct.initializeTreehashSeed(seed, count); + seedForTreehashIndex *= 2; + count++; + } + + OTSseed = gmssRandom.nextSeed(seed); + ots = new WinternitzOTSignature(OTSseed, digestProvider.get(), otsIndex[h]); + treeToConstruct.update(ots.getPublicKey()); + } + + if (treeToConstruct.wasFinished()) + { + return treeToConstruct; + } + System.err.println("N�chster Baum noch nicht fertig konstruiert!!!"); + return null; + } + + /** + * This method initializes the GMSS KeyPairGenerator using an integer value + * <code>keySize</code> as input. It provides a simple use of the GMSS for + * testing demands. + * <p> + * A given <code>keysize</code> of less than 10 creates an amount 2^10 + * signatures. A keySize between 10 and 20 creates 2^20 signatures. Given an + * integer greater than 20 the key pair generator creates 2^40 signatures. + * + * @param keySize Assigns the parameters used for the GMSS signatures. There are + * 3 choices:<br> + * 1. keysize <= 10: creates 2^10 signatures using the + * parameterset<br> + * P = (2, (5, 5), (3, 3), (3, 3))<br> + * 2. keysize > 10 and <= 20: creates 2^20 signatures using the + * parameterset<br> + * P = (2, (10, 10), (5, 4), (2, 2))<br> + * 3. keysize > 20: creates 2^40 signatures using the + * parameterset<br> + * P = (2, (10, 10, 10, 10), (9, 9, 9, 3), (2, 2, 2, 2)) + * @param secureRandom not used by GMSS, the SHA1PRNG of the SUN Provider is always + * used + */ + public void initialize(int keySize, SecureRandom secureRandom) + { + + KeyGenerationParameters kgp; + if (keySize <= 10) + { // create 2^10 keys + int[] defh = {10}; + int[] defw = {3}; + int[] defk = {2}; + // XXX sec random neede? + kgp = new GMSSKeyGenerationParameters(secureRandom, new GMSSParameters(defh.length, defh, defw, defk)); + } + else if (keySize <= 20) + { // create 2^20 keys + int[] defh = {10, 10}; + int[] defw = {5, 4}; + int[] defk = {2, 2}; + kgp = new GMSSKeyGenerationParameters(secureRandom, new GMSSParameters(defh.length, defh, defw, defk)); + } + else + { // create 2^40 keys, keygen lasts around 80 seconds + int[] defh = {10, 10, 10, 10}; + int[] defw = {9, 9, 9, 3}; + int[] defk = {2, 2, 2, 2}; + kgp = new GMSSKeyGenerationParameters(secureRandom, new GMSSParameters(defh.length, defh, defw, defk)); + } + + // call the initializer with the chosen parameters + this.initialize(kgp); + + } + + + /** + * Initalizes the key pair generator using a parameter set as input + */ + public void initialize(KeyGenerationParameters param) + { + + this.gmssParams = (GMSSKeyGenerationParameters)param; + + // generate GMSSParameterset + this.gmssPS = new GMSSParameters(gmssParams.getParameters().getNumOfLayers(), gmssParams.getParameters().getHeightOfTrees(), + gmssParams.getParameters().getWinternitzParameter(), gmssParams.getParameters().getK()); + + this.numLayer = gmssPS.getNumOfLayers(); + this.heightOfTrees = gmssPS.getHeightOfTrees(); + this.otsIndex = gmssPS.getWinternitzParameter(); + this.K = gmssPS.getK(); + + // seeds + this.currentSeeds = new byte[numLayer][mdLength]; + this.nextNextSeeds = new byte[numLayer - 1][mdLength]; + + // construct SecureRandom for initial seed generation + SecureRandom secRan = new SecureRandom(); + + // generation of initial seeds + for (int i = 0; i < numLayer; i++) + { + secRan.nextBytes(currentSeeds[i]); + gmssRandom.nextSeed(currentSeeds[i]); + } + + this.initialized = true; + } + + /** + * This method is called by generateKeyPair() in case that no other + * initialization method has been called by the user + */ + private void initializeDefault() + { + int[] defh = {10, 10, 10, 10}; + int[] defw = {3, 3, 3, 3}; + int[] defk = {2, 2, 2, 2}; + + KeyGenerationParameters kgp = new GMSSKeyGenerationParameters(new SecureRandom(), new GMSSParameters(defh.length, defh, defw, defk)); + this.initialize(kgp); + + } + + public void init(KeyGenerationParameters param) + { + this.initialize(param); + + } + + public AsymmetricCipherKeyPair generateKeyPair() + { + return genKeyPair(); + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSKeyParameters.java new file mode 100644 index 00000000..d2dcbba7 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSKeyParameters.java @@ -0,0 +1,22 @@ +package org.spongycastle.pqc.crypto.gmss; + +import org.spongycastle.crypto.params.AsymmetricKeyParameter; + +public class GMSSKeyParameters + extends AsymmetricKeyParameter +{ + private GMSSParameters params; + + public GMSSKeyParameters( + boolean isPrivate, + GMSSParameters params) + { + super(isPrivate); + this.params = params; + } + + public GMSSParameters getParameters() + { + return params; + } +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSLeaf.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSLeaf.java new file mode 100644 index 00000000..ade340ad --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSLeaf.java @@ -0,0 +1,376 @@ +package org.spongycastle.pqc.crypto.gmss; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.pqc.crypto.gmss.util.GMSSRandom; +import org.spongycastle.util.Arrays; +import org.spongycastle.util.encoders.Hex; + + +/** + * This class implements the distributed computation of the public key of the + * Winternitz one-time signature scheme (OTSS). The class is used by the GMSS + * classes for calculation of upcoming leafs. + */ +public class GMSSLeaf +{ + + /** + * The hash function used by the OTS and the PRNG + */ + private Digest messDigestOTS; + + /** + * The length of the message digest and private key + */ + private int mdsize, keysize; + + /** + * The source of randomness for OTS private key generation + */ + private GMSSRandom gmssRandom; + + /** + * Byte array for distributed computation of the upcoming leaf + */ + private byte[] leaf; + + /** + * Byte array for storing the concatenated hashes of private key parts + */ + private byte[] concHashs; + + /** + * indices for distributed computation + */ + private int i, j; + + /** + * storing 2^w + */ + private int two_power_w; + + /** + * Winternitz parameter w + */ + private int w; + + /** + * the amount of distributed computation steps when updateLeaf is called + */ + private int steps; + + /** + * the internal seed + */ + private byte[] seed; + + /** + * the OTS privateKey parts + */ + byte[] privateKeyOTS; + + /** + * This constructor regenerates a prior GMSSLeaf object + * + * @param digest an array of strings, containing the name of the used hash + * function and PRNG and the name of the corresponding + * provider + * @param otsIndex status bytes + * @param numLeafs status ints + */ + public GMSSLeaf(Digest digest, byte[][] otsIndex, int[] numLeafs) + { + this.i = numLeafs[0]; + this.j = numLeafs[1]; + this.steps = numLeafs[2]; + this.w = numLeafs[3]; + + messDigestOTS = digest; + + gmssRandom = new GMSSRandom(messDigestOTS); + + // calulate keysize for private key and the help array + mdsize = messDigestOTS.getDigestSize(); + int mdsizeBit = mdsize << 3; + int messagesize = (int)Math.ceil((double)(mdsizeBit) / (double)w); + int checksumsize = getLog((messagesize << w) + 1); + this.keysize = messagesize + + (int)Math.ceil((double)checksumsize / (double)w); + this.two_power_w = 1 << w; + + // calculate steps + // ((2^w)-1)*keysize + keysize + 1 / (2^h -1) + + // initialize arrays + this.privateKeyOTS = otsIndex[0]; + this.seed = otsIndex[1]; + this.concHashs = otsIndex[2]; + this.leaf = otsIndex[3]; + } + + /** + * The constructor precomputes some needed variables for distributed leaf + * calculation + * + * @param digest an array of strings, containing the digest of the used hash + * function and PRNG and the digest of the corresponding + * provider + * @param w the winterniz parameter of that tree the leaf is computed + * for + * @param numLeafs the number of leafs of the tree from where the distributed + * computation is called + */ + GMSSLeaf(Digest digest, int w, int numLeafs) + { + this.w = w; + + messDigestOTS = digest; + + gmssRandom = new GMSSRandom(messDigestOTS); + + // calulate keysize for private key and the help array + mdsize = messDigestOTS.getDigestSize(); + int mdsizeBit = mdsize << 3; + int messagesize = (int)Math.ceil((double)(mdsizeBit) / (double)w); + int checksumsize = getLog((messagesize << w) + 1); + this.keysize = messagesize + + (int)Math.ceil((double)checksumsize / (double)w); + this.two_power_w = 1 << w; + + // calculate steps + // ((2^w)-1)*keysize + keysize + 1 / (2^h -1) + this.steps = (int)Math + .ceil((double)(((1 << w) - 1) * keysize + 1 + keysize) + / (double)(numLeafs)); + + // initialize arrays + this.seed = new byte[mdsize]; + this.leaf = new byte[mdsize]; + this.privateKeyOTS = new byte[mdsize]; + this.concHashs = new byte[mdsize * keysize]; + } + + public GMSSLeaf(Digest digest, int w, int numLeafs, byte[] seed0) + { + this.w = w; + + messDigestOTS = digest; + + gmssRandom = new GMSSRandom(messDigestOTS); + + // calulate keysize for private key and the help array + mdsize = messDigestOTS.getDigestSize(); + int mdsizeBit = mdsize << 3; + int messagesize = (int)Math.ceil((double)(mdsizeBit) / (double)w); + int checksumsize = getLog((messagesize << w) + 1); + this.keysize = messagesize + + (int)Math.ceil((double)checksumsize / (double)w); + this.two_power_w = 1 << w; + + // calculate steps + // ((2^w)-1)*keysize + keysize + 1 / (2^h -1) + this.steps = (int)Math + .ceil((double)(((1 << w) - 1) * keysize + 1 + keysize) + / (double)(numLeafs)); + + // initialize arrays + this.seed = new byte[mdsize]; + this.leaf = new byte[mdsize]; + this.privateKeyOTS = new byte[mdsize]; + this.concHashs = new byte[mdsize * keysize]; + + initLeafCalc(seed0); + } + + private GMSSLeaf(GMSSLeaf original) + { + this.messDigestOTS = original.messDigestOTS; + this.mdsize = original.mdsize; + this.keysize = original.keysize; + this.gmssRandom = original.gmssRandom; + this.leaf = Arrays.clone(original.leaf); + this.concHashs = Arrays.clone(original.concHashs); + this.i = original.i; + this.j = original.j; + this.two_power_w = original.two_power_w; + this.w = original.w; + this.steps = original.steps; + this.seed = Arrays.clone(original.seed); + this.privateKeyOTS = Arrays.clone(original.privateKeyOTS); + } + + /** + * initialize the distributed leaf calculation reset i,j and compute OTSseed + * with seed0 + * + * @param seed0 the starting seed + */ + // TODO: this really looks like it should be either always called from a constructor or nextLeaf. + void initLeafCalc(byte[] seed0) + { + this.i = 0; + this.j = 0; + byte[] dummy = new byte[mdsize]; + System.arraycopy(seed0, 0, dummy, 0, seed.length); + this.seed = gmssRandom.nextSeed(dummy); + } + + GMSSLeaf nextLeaf() + { + GMSSLeaf nextLeaf = new GMSSLeaf(this); + + nextLeaf.updateLeafCalc(); + + return nextLeaf; + } + + /** + * Processes <code>steps</code> steps of distributed leaf calculation + * + * @return true if leaf is completed, else false + */ + private void updateLeafCalc() + { + byte[] buf = new byte[messDigestOTS.getDigestSize()]; + + // steps times do + // TODO: this really needs to be looked at, the 10000 has been added as + // prior to this the leaf value always ended up as zeros. + for (int s = 0; s < steps + 10000; s++) + { + if (i == keysize && j == two_power_w - 1) + { // [3] at last hash the + // concatenation + messDigestOTS.update(concHashs, 0, concHashs.length); + leaf = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(leaf, 0); + return; + } + else if (i == 0 || j == two_power_w - 1) + { // [1] at the + // beginning and + // when [2] is + // finished: get the + // next private key + // part + i++; + j = 0; + // get next privKey part + this.privateKeyOTS = gmssRandom.nextSeed(seed); + } + else + { // [2] hash the privKey part + messDigestOTS.update(privateKeyOTS, 0, privateKeyOTS.length); + privateKeyOTS = buf; + messDigestOTS.doFinal(privateKeyOTS, 0); + j++; + if (j == two_power_w - 1) + { // after w hashes add to the + // concatenated array + System.arraycopy(privateKeyOTS, 0, concHashs, mdsize + * (i - 1), mdsize); + } + } + } + + throw new IllegalStateException("unable to updateLeaf in steps: " + steps + " " + i + " " + j); + } + + /** + * Returns the leaf value. + * + * @return the leaf value + */ + public byte[] getLeaf() + { + return Arrays.clone(leaf); + } + + /** + * This method returns the least integer that is greater or equal to the + * logarithm to the base 2 of an integer <code>intValue</code>. + * + * @param intValue an integer + * @return The least integer greater or equal to the logarithm to the base 2 + * of <code>intValue</code> + */ + private int getLog(int intValue) + { + int log = 1; + int i = 2; + while (i < intValue) + { + i <<= 1; + log++; + } + return log; + } + + /** + * Returns the status byte array used by the GMSSPrivateKeyASN.1 class + * + * @return The status bytes + */ + public byte[][] getStatByte() + { + + byte[][] statByte = new byte[4][]; + statByte[0] = new byte[mdsize]; + statByte[1] = new byte[mdsize]; + statByte[2] = new byte[mdsize * keysize]; + statByte[3] = new byte[mdsize]; + statByte[0] = privateKeyOTS; + statByte[1] = seed; + statByte[2] = concHashs; + statByte[3] = leaf; + + return statByte; + } + + /** + * Returns the status int array used by the GMSSPrivateKeyASN.1 class + * + * @return The status ints + */ + public int[] getStatInt() + { + + int[] statInt = new int[4]; + statInt[0] = i; + statInt[1] = j; + statInt[2] = steps; + statInt[3] = w; + return statInt; + } + + /** + * Returns a String representation of the main part of this element + * + * @return a String representation of the main part of this element + */ + public String toString() + { + String out = ""; + + for (int i = 0; i < 4; i++) + { + out = out + this.getStatInt()[i] + " "; + } + out = out + " " + this.mdsize + " " + this.keysize + " " + + this.two_power_w + " "; + + byte[][] temp = this.getStatByte(); + for (int i = 0; i < 4; i++) + { + if (temp[i] != null) + { + out = out + new String(Hex.encode(temp[i])) + " "; + } + else + { + out = out + "null "; + } + } + return out; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSParameters.java new file mode 100644 index 00000000..c78d50e3 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSParameters.java @@ -0,0 +1,155 @@ +package org.spongycastle.pqc.crypto.gmss; + +import org.spongycastle.util.Arrays; + +/** + * This class provides a specification for the GMSS parameters that are used by + * the GMSSKeyPairGenerator and GMSSSignature classes. + * + * @see org.spongycastle.pqc.crypto.gmss.GMSSKeyPairGenerator + */ +public class GMSSParameters +{ + /** + * The number of authentication tree layers. + */ + private int numOfLayers; + + /** + * The height of the authentication trees of each layer. + */ + private int[] heightOfTrees; + + /** + * The Winternitz Parameter 'w' of each layer. + */ + private int[] winternitzParameter; + + /** + * The parameter K needed for the authentication path computation + */ + private int[] K; + + /** + * The constructor for the parameters of the GMSSKeyPairGenerator. + * + * @param layers the number of authentication tree layers + * @param heightOfTrees the height of the authentication trees + * @param winternitzParameter the Winternitz Parameter 'w' of each layer + * @param K parameter for authpath computation + */ + public GMSSParameters(int layers, int[] heightOfTrees, int[] winternitzParameter, int[] K) + throws IllegalArgumentException + { + init(layers, heightOfTrees, winternitzParameter, K); + } + + private void init(int layers, int[] heightOfTrees, + int[] winternitzParameter, int[] K) + throws IllegalArgumentException + { + boolean valid = true; + String errMsg = ""; + this.numOfLayers = layers; + if ((numOfLayers != winternitzParameter.length) + || (numOfLayers != heightOfTrees.length) + || (numOfLayers != K.length)) + { + valid = false; + errMsg = "Unexpected parameterset format"; + } + for (int i = 0; i < numOfLayers; i++) + { + if ((K[i] < 2) || ((heightOfTrees[i] - K[i]) % 2 != 0)) + { + valid = false; + errMsg = "Wrong parameter K (K >= 2 and H-K even required)!"; + } + + if ((heightOfTrees[i] < 4) || (winternitzParameter[i] < 2)) + { + valid = false; + errMsg = "Wrong parameter H or w (H > 3 and w > 1 required)!"; + } + } + + if (valid) + { + this.heightOfTrees = Arrays.clone(heightOfTrees); + this.winternitzParameter = Arrays.clone(winternitzParameter); + this.K = Arrays.clone(K); + } + else + { + throw new IllegalArgumentException(errMsg); + } + } + + public GMSSParameters(int keySize) + throws IllegalArgumentException + { + if (keySize <= 10) + { // create 2^10 keys + int[] defh = {10}; + int[] defw = {3}; + int[] defk = {2}; + this.init(defh.length, defh, defw, defk); + } + else if (keySize <= 20) + { // create 2^20 keys + int[] defh = {10, 10}; + int[] defw = {5, 4}; + int[] defk = {2, 2}; + this.init(defh.length, defh, defw, defk); + } + else + { // create 2^40 keys, keygen lasts around 80 seconds + int[] defh = {10, 10, 10, 10}; + int[] defw = {9, 9, 9, 3}; + int[] defk = {2, 2, 2, 2}; + this.init(defh.length, defh, defw, defk); + } + } + + /** + * Returns the number of levels of the authentication trees. + * + * @return The number of levels of the authentication trees. + */ + public int getNumOfLayers() + { + return numOfLayers; + } + + /** + * Returns the array of height (for each layer) of the authentication trees + * + * @return The array of height (for each layer) of the authentication trees + */ + public int[] getHeightOfTrees() + { + return Arrays.clone(heightOfTrees); + } + + /** + * Returns the array of WinternitzParameter (for each layer) of the + * authentication trees + * + * @return The array of WinternitzParameter (for each layer) of the + * authentication trees + */ + public int[] getWinternitzParameter() + { + return Arrays.clone(winternitzParameter); + } + + /** + * Returns the parameter K needed for authentication path computation + * + * @return The parameter K needed for authentication path computation + */ + public int[] getK() + { + return Arrays.clone(K); + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSPrivateKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSPrivateKeyParameters.java new file mode 100644 index 00000000..29e84b1f --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSPrivateKeyParameters.java @@ -0,0 +1,1041 @@ +package org.spongycastle.pqc.crypto.gmss; + +import java.util.Vector; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.pqc.crypto.gmss.util.GMSSRandom; +import org.spongycastle.pqc.crypto.gmss.util.WinternitzOTSignature; +import org.spongycastle.util.Arrays; + + +/** + * This class provides a specification for a GMSS private key. + */ +public class GMSSPrivateKeyParameters + extends GMSSKeyParameters +{ + private int[] index; + + private byte[][] currentSeeds; + private byte[][] nextNextSeeds; + + private byte[][][] currentAuthPaths; + private byte[][][] nextAuthPaths; + + private Treehash[][] currentTreehash; + private Treehash[][] nextTreehash; + + private Vector[] currentStack; + private Vector[] nextStack; + + private Vector[][] currentRetain; + private Vector[][] nextRetain; + + private byte[][][] keep; + + private GMSSLeaf[] nextNextLeaf; + private GMSSLeaf[] upperLeaf; + private GMSSLeaf[] upperTreehashLeaf; + + private int[] minTreehash; + + private GMSSParameters gmssPS; + + private byte[][] nextRoot; + private GMSSRootCalc[] nextNextRoot; + + private byte[][] currentRootSig; + private GMSSRootSig[] nextRootSig; + + private GMSSDigestProvider digestProvider; + + private boolean used = false; + + /** + * An array of the heights of the authentication trees of each layer + */ + private int[] heightOfTrees; + + /** + * An array of the Winternitz parameter 'w' of each layer + */ + private int[] otsIndex; + + /** + * The parameter K needed for the authentication path computation + */ + private int[] K; + + /** + * the number of Layers + */ + private int numLayer; + + /** + * The hash function used to construct the authentication trees + */ + private Digest messDigestTrees; + + /** + * The message digest length + */ + private int mdLength; + + /** + * The PRNG used for private key generation + */ + private GMSSRandom gmssRandom; + + + /** + * The number of leafs of one tree of each layer + */ + private int[] numLeafs; + + + /** + * Generates a new GMSS private key + * + * @param currentSeed seed for the generation of private OTS keys for the + * current subtrees + * @param nextNextSeed seed for the generation of private OTS keys for the next + * subtrees + * @param currentAuthPath array of current authentication paths + * @param nextAuthPath array of next authentication paths + * @param currentTreehash array of current treehash instances + * @param nextTreehash array of next treehash instances + * @param currentStack array of current shared stacks + * @param nextStack array of next shared stacks + * @param currentRetain array of current retain stacks + * @param nextRetain array of next retain stacks + * @param nextRoot the roots of the next subtree + * @param currentRootSig array of signatures of the roots of the current subtrees + * @param gmssParameterset the GMSS Parameterset + * @see org.spongycastle.pqc.crypto.gmss.GMSSKeyPairGenerator + */ + + public GMSSPrivateKeyParameters(byte[][] currentSeed, byte[][] nextNextSeed, + byte[][][] currentAuthPath, byte[][][] nextAuthPath, + Treehash[][] currentTreehash, Treehash[][] nextTreehash, + Vector[] currentStack, Vector[] nextStack, + Vector[][] currentRetain, Vector[][] nextRetain, byte[][] nextRoot, + byte[][] currentRootSig, GMSSParameters gmssParameterset, + GMSSDigestProvider digestProvider) + { + this(null, currentSeed, nextNextSeed, currentAuthPath, nextAuthPath, + null, currentTreehash, nextTreehash, currentStack, nextStack, + currentRetain, nextRetain, null, null, null, null, nextRoot, + null, currentRootSig, null, gmssParameterset, digestProvider); + } + + /** + * /** + * + * @param index tree indices + * @param keep keep array for the authPath algorithm + * @param currentTreehash treehash for authPath algorithm of current tree + * @param nextTreehash treehash for authPath algorithm of next tree (TREE+) + * @param currentStack shared stack for authPath algorithm of current tree + * @param nextStack shared stack for authPath algorithm of next tree (TREE+) + * @param currentRetain retain stack for authPath algorithm of current tree + * @param nextRetain retain stack for authPath algorithm of next tree (TREE+) + * @param nextNextLeaf array of upcoming leafs of the tree after next (LEAF++) of + * each layer + * @param upperLeaf needed for precomputation of upper nodes + * @param upperTreehashLeaf needed for precomputation of upper treehash nodes + * @param minTreehash index of next treehash instance to receive an update + * @param nextRoot the roots of the next trees (ROOT+) + * @param nextNextRoot the roots of the tree after next (ROOT++) + * @param currentRootSig array of signatures of the roots of the current subtrees + * (SIG) + * @param nextRootSig array of signatures of the roots of the next subtree + * (SIG+) + * @param gmssParameterset the GMSS Parameterset + */ + public GMSSPrivateKeyParameters(int[] index, byte[][] currentSeeds, + byte[][] nextNextSeeds, byte[][][] currentAuthPaths, + byte[][][] nextAuthPaths, byte[][][] keep, + Treehash[][] currentTreehash, Treehash[][] nextTreehash, + Vector[] currentStack, Vector[] nextStack, + Vector[][] currentRetain, Vector[][] nextRetain, + GMSSLeaf[] nextNextLeaf, GMSSLeaf[] upperLeaf, + GMSSLeaf[] upperTreehashLeaf, int[] minTreehash, byte[][] nextRoot, + GMSSRootCalc[] nextNextRoot, byte[][] currentRootSig, + GMSSRootSig[] nextRootSig, GMSSParameters gmssParameterset, + GMSSDigestProvider digestProvider) + { + + super(true, gmssParameterset); + + // construct message digest + + this.messDigestTrees = digestProvider.get(); + this.mdLength = messDigestTrees.getDigestSize(); + + + // Parameter + this.gmssPS = gmssParameterset; + this.otsIndex = gmssParameterset.getWinternitzParameter(); + this.K = gmssParameterset.getK(); + this.heightOfTrees = gmssParameterset.getHeightOfTrees(); + // initialize numLayer + this.numLayer = gmssPS.getNumOfLayers(); + + // initialize index if null + if (index == null) + { + this.index = new int[numLayer]; + for (int i = 0; i < numLayer; i++) + { + this.index[i] = 0; + } + } + else + { + this.index = index; + } + + this.currentSeeds = currentSeeds; + this.nextNextSeeds = nextNextSeeds; + + this.currentAuthPaths = currentAuthPaths; + this.nextAuthPaths = nextAuthPaths; + + // initialize keep if null + if (keep == null) + { + this.keep = new byte[numLayer][][]; + for (int i = 0; i < numLayer; i++) + { + this.keep[i] = new byte[(int)Math.floor(heightOfTrees[i] / 2)][mdLength]; + } + } + else + { + this.keep = keep; + } + + // initialize stack if null + if (currentStack == null) + { + this.currentStack = new Vector[numLayer]; + for (int i = 0; i < numLayer; i++) + { + this.currentStack[i] = new Vector(); + } + } + else + { + this.currentStack = currentStack; + } + + // initialize nextStack if null + if (nextStack == null) + { + this.nextStack = new Vector[numLayer - 1]; + for (int i = 0; i < numLayer - 1; i++) + { + this.nextStack[i] = new Vector(); + } + } + else + { + this.nextStack = nextStack; + } + + this.currentTreehash = currentTreehash; + this.nextTreehash = nextTreehash; + + this.currentRetain = currentRetain; + this.nextRetain = nextRetain; + + this.nextRoot = nextRoot; + + this.digestProvider = digestProvider; + + if (nextNextRoot == null) + { + this.nextNextRoot = new GMSSRootCalc[numLayer - 1]; + for (int i = 0; i < numLayer - 1; i++) + { + this.nextNextRoot[i] = new GMSSRootCalc( + this.heightOfTrees[i + 1], this.K[i + 1], this.digestProvider); + } + } + else + { + this.nextNextRoot = nextNextRoot; + } + this.currentRootSig = currentRootSig; + + // calculate numLeafs + numLeafs = new int[numLayer]; + for (int i = 0; i < numLayer; i++) + { + numLeafs[i] = 1 << heightOfTrees[i]; + } + // construct PRNG + this.gmssRandom = new GMSSRandom(messDigestTrees); + + if (numLayer > 1) + { + // construct the nextNextLeaf (LEAFs++) array for upcoming leafs in + // tree after next (TREE++) + if (nextNextLeaf == null) + { + this.nextNextLeaf = new GMSSLeaf[numLayer - 2]; + for (int i = 0; i < numLayer - 2; i++) + { + this.nextNextLeaf[i] = new GMSSLeaf(digestProvider.get(), otsIndex[i + 1], numLeafs[i + 2], this.nextNextSeeds[i]); + } + } + else + { + this.nextNextLeaf = nextNextLeaf; + } + } + else + { + this.nextNextLeaf = new GMSSLeaf[0]; + } + + // construct the upperLeaf array for upcoming leafs in tree over the + // actual + if (upperLeaf == null) + { + this.upperLeaf = new GMSSLeaf[numLayer - 1]; + for (int i = 0; i < numLayer - 1; i++) + { + this.upperLeaf[i] = new GMSSLeaf(digestProvider.get(), otsIndex[i], + numLeafs[i + 1], this.currentSeeds[i]); + } + } + else + { + this.upperLeaf = upperLeaf; + } + + // construct the leafs for upcoming leafs in treehashs in tree over the + // actual + if (upperTreehashLeaf == null) + { + this.upperTreehashLeaf = new GMSSLeaf[numLayer - 1]; + for (int i = 0; i < numLayer - 1; i++) + { + this.upperTreehashLeaf[i] = new GMSSLeaf(digestProvider.get(), otsIndex[i], numLeafs[i + 1]); + } + } + else + { + this.upperTreehashLeaf = upperTreehashLeaf; + } + + if (minTreehash == null) + { + this.minTreehash = new int[numLayer - 1]; + for (int i = 0; i < numLayer - 1; i++) + { + this.minTreehash[i] = -1; + } + } + else + { + this.minTreehash = minTreehash; + } + + // construct the nextRootSig (RootSig++) + byte[] dummy = new byte[mdLength]; + byte[] OTSseed = new byte[mdLength]; + if (nextRootSig == null) + { + this.nextRootSig = new GMSSRootSig[numLayer - 1]; + for (int i = 0; i < numLayer - 1; i++) + { + System.arraycopy(currentSeeds[i], 0, dummy, 0, mdLength); + gmssRandom.nextSeed(dummy); + OTSseed = gmssRandom.nextSeed(dummy); + this.nextRootSig[i] = new GMSSRootSig(digestProvider.get(), otsIndex[i], + heightOfTrees[i + 1]); + this.nextRootSig[i].initSign(OTSseed, nextRoot[i]); + } + } + else + { + this.nextRootSig = nextRootSig; + } + } + + // we assume this only gets called from nextKey so used is never copied. + private GMSSPrivateKeyParameters(GMSSPrivateKeyParameters original) + { + super(true, original.getParameters()); + + this.index = Arrays.clone(original.index); + this.currentSeeds = Arrays.clone(original.currentSeeds); + this.nextNextSeeds = Arrays.clone(original.nextNextSeeds); + this.currentAuthPaths = Arrays.clone(original.currentAuthPaths); + this.nextAuthPaths = Arrays.clone(original.nextAuthPaths); + this.currentTreehash = original.currentTreehash; + this.nextTreehash = original.nextTreehash; + this.currentStack = original.currentStack; + this.nextStack = original.nextStack; + this.currentRetain = original.currentRetain; + this.nextRetain = original.nextRetain; + this.keep = Arrays.clone(original.keep); + this.nextNextLeaf = original.nextNextLeaf; + this.upperLeaf = original.upperLeaf; + this.upperTreehashLeaf = original.upperTreehashLeaf; + this.minTreehash = original.minTreehash; + this.gmssPS = original.gmssPS; + this.nextRoot = Arrays.clone(original.nextRoot); + this.nextNextRoot = original.nextNextRoot; + this.currentRootSig = original.currentRootSig; + this.nextRootSig = original.nextRootSig; + this.digestProvider = original.digestProvider; + this.heightOfTrees = original.heightOfTrees; + this.otsIndex = original.otsIndex; + this.K = original.K; + this.numLayer = original.numLayer; + this.messDigestTrees = original.messDigestTrees; + this.mdLength = original.mdLength; + this.gmssRandom = original.gmssRandom; + this.numLeafs = original.numLeafs; + } + + public boolean isUsed() + { + return this.used; + } + + public void markUsed() + { + this.used = true; + } + + public GMSSPrivateKeyParameters nextKey() + { + GMSSPrivateKeyParameters nKey = new GMSSPrivateKeyParameters(this); + + nKey.nextKey(gmssPS.getNumOfLayers() - 1); + + return nKey; + } + + /** + * This method updates the GMSS private key for the next signature + * + * @param layer the layer where the next key is processed + */ + private void nextKey(int layer) + { + // only for lowest layer ( other layers indices are raised in nextTree() + // method ) + if (layer == numLayer - 1) + { + index[layer]++; + } // else System.out.println(" --- nextKey on layer " + layer + " + // index is now : " + index[layer]); + + // if tree of this layer is depleted + if (index[layer] == numLeafs[layer]) + { + if (numLayer != 1) + { + nextTree(layer); + index[layer] = 0; + } + } + else + { + updateKey(layer); + } + } + + /** + * Switch to next subtree if the current one is depleted + * + * @param layer the layer where the next tree is processed + */ + private void nextTree(int layer) + { + // System.out.println("NextTree method called on layer " + layer); + // dont create next tree for the top layer + if (layer > 0) + { + // raise index for upper layer + index[layer - 1]++; + + // test if it is already the last tree + boolean lastTree = true; + int z = layer; + do + { + z--; + if (index[z] < numLeafs[z]) + { + lastTree = false; + } + } + while (lastTree && (z > 0)); + + // only construct next subtree if last one is not already in use + if (!lastTree) + { + gmssRandom.nextSeed(currentSeeds[layer]); + + // last step of distributed signature calculation + nextRootSig[layer - 1].updateSign(); + + // last step of distributed leaf calculation for nextNextLeaf + if (layer > 1) + { + nextNextLeaf[layer - 1 - 1] = nextNextLeaf[layer - 1 - 1].nextLeaf(); + } + + // last step of distributed leaf calculation for upper leaf + upperLeaf[layer - 1] = upperLeaf[layer - 1].nextLeaf(); + + // last step of distributed leaf calculation for all treehashs + + if (minTreehash[layer - 1] >= 0) + { + upperTreehashLeaf[layer - 1] = upperTreehashLeaf[layer - 1].nextLeaf(); + byte[] leaf = this.upperTreehashLeaf[layer - 1].getLeaf(); + // if update is required use the precomputed leaf to update + // treehash + try + { + currentTreehash[layer - 1][minTreehash[layer - 1]] + .update(this.gmssRandom, leaf); + // System.out.println("UUUpdated TH " + + // minTreehash[layer - 1]); + if (currentTreehash[layer - 1][minTreehash[layer - 1]] + .wasFinished()) + { + // System.out.println("FFFinished TH " + + // minTreehash[layer - 1]); + } + } + catch (Exception e) + { + System.out.println(e); + } + } + + // last step of nextNextAuthRoot calculation + this.updateNextNextAuthRoot(layer); + + // ******************************************************** / + + // NOW: advance to next tree on layer 'layer' + + // NextRootSig --> currentRootSigs + this.currentRootSig[layer - 1] = nextRootSig[layer - 1] + .getSig(); + + // ----------------------- + + // nextTreehash --> currentTreehash + // nextNextTreehash --> nextTreehash + for (int i = 0; i < heightOfTrees[layer] - K[layer]; i++) + { + this.currentTreehash[layer][i] = this.nextTreehash[layer - 1][i]; + this.nextTreehash[layer - 1][i] = this.nextNextRoot[layer - 1] + .getTreehash()[i]; + } + + // NextAuthPath --> currentAuthPath + // nextNextAuthPath --> nextAuthPath + for (int i = 0; i < heightOfTrees[layer]; i++) + { + System.arraycopy(nextAuthPaths[layer - 1][i], 0, + currentAuthPaths[layer][i], 0, mdLength); + System.arraycopy(nextNextRoot[layer - 1].getAuthPath()[i], + 0, nextAuthPaths[layer - 1][i], 0, mdLength); + } + + // nextRetain --> currentRetain + // nextNextRetain --> nextRetain + for (int i = 0; i < K[layer] - 1; i++) + { + this.currentRetain[layer][i] = this.nextRetain[layer - 1][i]; + this.nextRetain[layer - 1][i] = this.nextNextRoot[layer - 1] + .getRetain()[i]; + } + + // nextStack --> currentStack + this.currentStack[layer] = this.nextStack[layer - 1]; + // nextNextStack --> nextStack + this.nextStack[layer - 1] = this.nextNextRoot[layer - 1] + .getStack(); + + // nextNextRoot --> nextRoot + this.nextRoot[layer - 1] = this.nextNextRoot[layer - 1] + .getRoot(); + // ----------------------- + + // ----------------- + byte[] OTSseed = new byte[mdLength]; + byte[] dummy = new byte[mdLength]; + // gmssRandom.setSeed(currentSeeds[layer]); + System + .arraycopy(currentSeeds[layer - 1], 0, dummy, 0, + mdLength); + OTSseed = gmssRandom.nextSeed(dummy); // only need OTSSeed + OTSseed = gmssRandom.nextSeed(dummy); + OTSseed = gmssRandom.nextSeed(dummy); + // nextWinSig[layer-1]=new + // GMSSWinSig(OTSseed,algNames,otsIndex[layer-1],heightOfTrees[layer],nextRoot[layer-1]); + nextRootSig[layer - 1].initSign(OTSseed, nextRoot[layer - 1]); + + // nextKey for upper layer + nextKey(layer - 1); + } + } + } + + /** + * This method computes the authpath (AUTH) for the current tree, + * Additionally the root signature for the next tree (SIG+), the authpath + * (AUTH++) and root (ROOT++) for the tree after next in layer + * <code>layer</code>, and the LEAF++^1 for the next next tree in the + * layer above are updated This method is used by nextKey() + * + * @param layer + */ + private void updateKey(int layer) + { + // ----------current tree processing of actual layer--------- + // compute upcoming authpath for current Tree (AUTH) + computeAuthPaths(layer); + + // -----------distributed calculations part------------ + // not for highest tree layer + if (layer > 0) + { + + // compute (partial) next leaf on TREE++ (not on layer 1 and 0) + if (layer > 1) + { + nextNextLeaf[layer - 1 - 1] = nextNextLeaf[layer - 1 - 1].nextLeaf(); + } + + // compute (partial) next leaf on tree above (not on layer 0) + upperLeaf[layer - 1] = upperLeaf[layer - 1].nextLeaf(); + + // compute (partial) next leaf for all treehashs on tree above (not + // on layer 0) + + int t = (int)Math + .floor((double)(this.getNumLeafs(layer) * 2) + / (double)(this.heightOfTrees[layer - 1] - this.K[layer - 1])); + + if (index[layer] % t == 1) + { + // System.out.println(" layer: " + layer + " index: " + + // index[layer] + " t : " + t); + + // take precomputed node for treehash update + // ------------------------------------------------ + if (index[layer] > 1 && minTreehash[layer - 1] >= 0) + { + byte[] leaf = this.upperTreehashLeaf[layer - 1].getLeaf(); + // if update is required use the precomputed leaf to update + // treehash + try + { + currentTreehash[layer - 1][minTreehash[layer - 1]] + .update(this.gmssRandom, leaf); + // System.out.println("Updated TH " + minTreehash[layer + // - 1]); + if (currentTreehash[layer - 1][minTreehash[layer - 1]] + .wasFinished()) + { + // System.out.println("Finished TH " + + // minTreehash[layer - 1]); + } + } + catch (Exception e) + { + System.out.println(e); + } + // ------------------------------------------------ + } + + // initialize next leaf precomputation + // ------------------------------------------------ + + // get lowest index of treehashs + this.minTreehash[layer - 1] = getMinTreehashIndex(layer - 1); + + if (this.minTreehash[layer - 1] >= 0) + { + // initialize leaf + byte[] seed = this.currentTreehash[layer - 1][this.minTreehash[layer - 1]] + .getSeedActive(); + this.upperTreehashLeaf[layer - 1] = new GMSSLeaf( + this.digestProvider.get(), this.otsIndex[layer - 1], t, seed); + this.upperTreehashLeaf[layer - 1] = this.upperTreehashLeaf[layer - 1].nextLeaf(); + // System.out.println("restarted treehashleaf (" + (layer - + // 1) + "," + this.minTreehash[layer - 1] + ")"); + } + // ------------------------------------------------ + + } + else + { + // update the upper leaf for the treehash one step + if (this.minTreehash[layer - 1] >= 0) + { + this.upperTreehashLeaf[layer - 1] = this.upperTreehashLeaf[layer - 1].nextLeaf(); + // if (minTreehash[layer - 1] > 3) + // System.out.print("#"); + } + } + + // compute (partial) the signature of ROOT+ (RootSig+) (not on top + // layer) + nextRootSig[layer - 1].updateSign(); + + // compute (partial) AUTHPATH++ & ROOT++ (not on top layer) + if (index[layer] == 1) + { + // init root and authpath calculation for tree after next + // (AUTH++, ROOT++) + this.nextNextRoot[layer - 1].initialize(new Vector()); + } + + // update root and authpath calculation for tree after next (AUTH++, + // ROOT++) + this.updateNextNextAuthRoot(layer); + } + // ----------- end distributed calculations part----------------- + } + + /** + * This method returns the index of the next Treehash instance that should + * receive an update + * + * @param layer the layer of the GMSS tree + * @return index of the treehash instance that should get the update + */ + private int getMinTreehashIndex(int layer) + { + int minTreehash = -1; + for (int h = 0; h < heightOfTrees[layer] - K[layer]; h++) + { + if (currentTreehash[layer][h].wasInitialized() + && !currentTreehash[layer][h].wasFinished()) + { + if (minTreehash == -1) + { + minTreehash = h; + } + else if (currentTreehash[layer][h].getLowestNodeHeight() < currentTreehash[layer][minTreehash] + .getLowestNodeHeight()) + { + minTreehash = h; + } + } + } + return minTreehash; + } + + /** + * Computes the upcoming currentAuthpath of layer <code>layer</code> using + * the revisited authentication path computation of Dahmen/Schneider 2008 + * + * @param layer the actual layer + */ + private void computeAuthPaths(int layer) + { + + int Phi = index[layer]; + int H = heightOfTrees[layer]; + int K = this.K[layer]; + + // update all nextSeeds for seed scheduling + for (int i = 0; i < H - K; i++) + { + currentTreehash[layer][i].updateNextSeed(gmssRandom); + } + + // STEP 1 of Algorithm + int Tau = heightOfPhi(Phi); + + byte[] OTSseed = new byte[mdLength]; + OTSseed = gmssRandom.nextSeed(currentSeeds[layer]); + + // STEP 2 of Algorithm + // if phi's parent on height tau + 1 if left node, store auth_tau + // in keep_tau. + // TODO check it, formerly was + // int L = Phi / (int) Math.floor(Math.pow(2, Tau + 1)); + // L %= 2; + int L = (Phi >>> (Tau + 1)) & 1; + + byte[] tempKeep = new byte[mdLength]; + // store the keep node not in keep[layer][tau/2] because it might be in + // use + // wait until the space is freed in step 4a + if (Tau < H - 1 && L == 0) + { + System.arraycopy(currentAuthPaths[layer][Tau], 0, tempKeep, 0, + mdLength); + } + + byte[] help = new byte[mdLength]; + // STEP 3 of Algorithm + // if phi is left child, compute and store leaf for next currentAuthPath + // path, + // (obtained by veriying current signature) + if (Tau == 0) + { + // LEAFCALC !!! + if (layer == numLayer - 1) + { // lowest layer computes the + // necessary leaf completely at this + // time + WinternitzOTSignature ots = new WinternitzOTSignature(OTSseed, + digestProvider.get(), otsIndex[layer]); + help = ots.getPublicKey(); + } + else + { // other layers use the precomputed leafs in + // nextNextLeaf + byte[] dummy = new byte[mdLength]; + System.arraycopy(currentSeeds[layer], 0, dummy, 0, mdLength); + gmssRandom.nextSeed(dummy); + help = upperLeaf[layer].getLeaf(); + this.upperLeaf[layer].initLeafCalc(dummy); + + // WinternitzOTSVerify otsver = new + // WinternitzOTSVerify(algNames, otsIndex[layer]); + // byte[] help2 = otsver.Verify(currentRoot[layer], + // currentRootSig[layer]); + // System.out.println(" --- " + layer + " " + + // ByteUtils.toHexString(help) + " " + + // ByteUtils.toHexString(help2)); + } + System.arraycopy(help, 0, currentAuthPaths[layer][0], 0, mdLength); + } + else + { + // STEP 4a of Algorithm + // get new left currentAuthPath node on height tau + byte[] toBeHashed = new byte[mdLength << 1]; + System.arraycopy(currentAuthPaths[layer][Tau - 1], 0, toBeHashed, + 0, mdLength); + // free the shared keep[layer][tau/2] + System.arraycopy(keep[layer][(int)Math.floor((Tau - 1) / 2)], 0, + toBeHashed, mdLength, mdLength); + messDigestTrees.update(toBeHashed, 0, toBeHashed.length); + currentAuthPaths[layer][Tau] = new byte[messDigestTrees.getDigestSize()]; + messDigestTrees.doFinal(currentAuthPaths[layer][Tau], 0); + + // STEP 4b and 4c of Algorithm + // copy right nodes to currentAuthPath on height 0..Tau-1 + for (int i = 0; i < Tau; i++) + { + + // STEP 4b of Algorithm + // 1st: copy from treehashs + if (i < H - K) + { + if (currentTreehash[layer][i].wasFinished()) + { + System.arraycopy(currentTreehash[layer][i] + .getFirstNode(), 0, currentAuthPaths[layer][i], + 0, mdLength); + currentTreehash[layer][i].destroy(); + } + else + { + System.err + .println("Treehash (" + + layer + + "," + + i + + ") not finished when needed in AuthPathComputation"); + } + } + + // 2nd: copy precomputed values from Retain + if (i < H - 1 && i >= H - K) + { + if (currentRetain[layer][i - (H - K)].size() > 0) + { + // pop element from retain + System.arraycopy(currentRetain[layer][i - (H - K)] + .lastElement(), 0, currentAuthPaths[layer][i], + 0, mdLength); + currentRetain[layer][i - (H - K)] + .removeElementAt(currentRetain[layer][i + - (H - K)].size() - 1); + } + } + + // STEP 4c of Algorithm + // initialize new stack at heights 0..Tau-1 + if (i < H - K) + { + // create stacks anew + int startPoint = Phi + 3 * (1 << i); + if (startPoint < numLeafs[layer]) + { + // if (layer < 2) { + // System.out.println("initialized TH " + i + " on layer + // " + layer); + // } + currentTreehash[layer][i].initialize(); + } + } + } + } + + // now keep space is free to use + if (Tau < H - 1 && L == 0) + { + System.arraycopy(tempKeep, 0, + keep[layer][(int)Math.floor(Tau / 2)], 0, mdLength); + } + + // only update empty stack at height h if all other stacks have + // tailnodes with height >h + // finds active stack with lowest node height, choses lower index in + // case of tie + + // on the lowest layer leafs must be computed at once, no precomputation + // is possible. So all treehash updates are done at once here + if (layer == numLayer - 1) + { + for (int tmp = 1; tmp <= (H - K) / 2; tmp++) + { + // index of the treehash instance that receives the next update + int minTreehash = getMinTreehashIndex(layer); + + // if active treehash is found update with a leaf + if (minTreehash >= 0) + { + try + { + byte[] seed = new byte[mdLength]; + System.arraycopy( + this.currentTreehash[layer][minTreehash] + .getSeedActive(), 0, seed, 0, mdLength); + byte[] seed2 = gmssRandom.nextSeed(seed); + WinternitzOTSignature ots = new WinternitzOTSignature( + seed2, this.digestProvider.get(), this.otsIndex[layer]); + byte[] leaf = ots.getPublicKey(); + currentTreehash[layer][minTreehash].update( + this.gmssRandom, leaf); + } + catch (Exception e) + { + System.out.println(e); + } + } + } + } + else + { // on higher layers the updates are done later + this.minTreehash[layer] = getMinTreehashIndex(layer); + } + } + + /** + * Returns the largest h such that 2^h | Phi + * + * @param Phi the leaf index + * @return The largest <code>h</code> with <code>2^h | Phi</code> if + * <code>Phi!=0</code> else return <code>-1</code> + */ + private int heightOfPhi(int Phi) + { + if (Phi == 0) + { + return -1; + } + int Tau = 0; + int modul = 1; + while (Phi % modul == 0) + { + modul *= 2; + Tau += 1; + } + return Tau - 1; + } + + /** + * Updates the authentication path and root calculation for the tree after + * next (AUTH++, ROOT++) in layer <code>layer</code> + * + * @param layer + */ + private void updateNextNextAuthRoot(int layer) + { + + byte[] OTSseed = new byte[mdLength]; + OTSseed = gmssRandom.nextSeed(nextNextSeeds[layer - 1]); + + // get the necessary leaf + if (layer == numLayer - 1) + { // lowest layer computes the necessary + // leaf completely at this time + WinternitzOTSignature ots = new WinternitzOTSignature(OTSseed, + digestProvider.get(), otsIndex[layer]); + this.nextNextRoot[layer - 1].update(nextNextSeeds[layer - 1], ots + .getPublicKey()); + } + else + { // other layers use the precomputed leafs in nextNextLeaf + this.nextNextRoot[layer - 1].update(nextNextSeeds[layer - 1], nextNextLeaf[layer - 1].getLeaf()); + this.nextNextLeaf[layer - 1].initLeafCalc(nextNextSeeds[layer - 1]); + } + } + + public int[] getIndex() + { + return index; + } + + /** + * @return The current index of layer i + */ + public int getIndex(int i) + { + return index[i]; + } + + public byte[][] getCurrentSeeds() + { + return Arrays.clone(currentSeeds); + } + + public byte[][][] getCurrentAuthPaths() + { + return Arrays.clone(currentAuthPaths); + } + + /** + * @return The one-time signature of the root of the current subtree + */ + public byte[] getSubtreeRootSig(int i) + { + return currentRootSig[i]; + } + + + public GMSSDigestProvider getName() + { + return digestProvider; + } + + /** + * @return The number of leafs of each tree of layer i + */ + public int getNumLeafs(int i) + { + return numLeafs[i]; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSPublicKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSPublicKeyParameters.java new file mode 100644 index 00000000..381ed00b --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSPublicKeyParameters.java @@ -0,0 +1,33 @@ +package org.spongycastle.pqc.crypto.gmss; + + +public class GMSSPublicKeyParameters + extends GMSSKeyParameters +{ + /** + * The GMSS public key + */ + private byte[] gmssPublicKey; + + /** + * The constructor. + * + * @param key a raw GMSS public key + * @param gmssParameterSet an instance of GMSSParameterset + */ + public GMSSPublicKeyParameters(byte[] key, GMSSParameters gmssParameterSet) + { + super(false, gmssParameterSet); + this.gmssPublicKey = key; + } + + /** + * Returns the GMSS public key + * + * @return The GMSS public key + */ + public byte[] getPublicKey() + { + return gmssPublicKey; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSRootCalc.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSRootCalc.java new file mode 100644 index 00000000..88e87e9c --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSRootCalc.java @@ -0,0 +1,596 @@ +package org.spongycastle.pqc.crypto.gmss; + +import java.util.Enumeration; +import java.util.Vector; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.util.Arrays; +import org.spongycastle.util.Integers; +import org.spongycastle.util.encoders.Hex; + + +/** + * This class computes a whole Merkle tree and saves the needed values for + * AuthPath computation. It is used for precomputation of the root of a + * following tree. After initialization, 2^H updates are required to complete + * the root. Every update requires one leaf value as parameter. While computing + * the root all initial values for the authentication path algorithm (treehash, + * auth, retain) are stored for later use. + */ +public class GMSSRootCalc +{ + + /** + * max height of the tree + */ + private int heightOfTree; + + /** + * length of the messageDigest + */ + private int mdLength; + + /** + * the treehash instances of the tree + */ + private Treehash[] treehash; + + /** + * stores the retain nodes for authPath computation + */ + private Vector[] retain; + + /** + * finally stores the root of the tree when finished + */ + private byte[] root; + + /** + * stores the authentication path y_1(i), i = 0..H-1 + */ + private byte[][] AuthPath; + + /** + * the value K for the authentication path computation + */ + private int K; + + /** + * Vector element that stores the nodes on the stack + */ + private Vector tailStack; + + /** + * stores the height of all nodes laying on the tailStack + */ + private Vector heightOfNodes; + /** + * The hash function used for the construction of the authentication trees + */ + private Digest messDigestTree; + + /** + * An array of strings containing the name of the hash function used to + * construct the authentication trees and used by the OTS. + */ + private GMSSDigestProvider digestProvider; + + /** + * stores the index of the current node on each height of the tree + */ + private int[] index; + + /** + * true if instance was already initialized, false otherwise + */ + private boolean isInitialized; + + /** + * true it instance was finished + */ + private boolean isFinished; + + /** + * Integer that stores the index of the next seed that has to be omitted to + * the treehashs + */ + private int indexForNextSeed; + + /** + * temporary integer that stores the height of the next treehash instance + * that gets initialized with a seed + */ + private int heightOfNextSeed; + + /** + * This constructor regenerates a prior treehash object + * + * @param digest an array of strings, containing the digest of the used hash + * function and PRNG and the digest of the corresponding + * provider + * @param statByte status bytes + * @param statInt status ints + */ + public GMSSRootCalc(Digest digest, byte[][] statByte, int[] statInt, + Treehash[] treeH, Vector[] ret) + { + this.messDigestTree = digestProvider.get(); + this.digestProvider = digestProvider; + // decode statInt + this.heightOfTree = statInt[0]; + this.mdLength = statInt[1]; + this.K = statInt[2]; + this.indexForNextSeed = statInt[3]; + this.heightOfNextSeed = statInt[4]; + if (statInt[5] == 1) + { + this.isFinished = true; + } + else + { + this.isFinished = false; + } + if (statInt[6] == 1) + { + this.isInitialized = true; + } + else + { + this.isInitialized = false; + } + + int tailLength = statInt[7]; + + this.index = new int[heightOfTree]; + for (int i = 0; i < heightOfTree; i++) + { + this.index[i] = statInt[8 + i]; + } + + this.heightOfNodes = new Vector(); + for (int i = 0; i < tailLength; i++) + { + this.heightOfNodes.addElement(Integers.valueOf(statInt[8 + heightOfTree + + i])); + } + + // decode statByte + this.root = statByte[0]; + + this.AuthPath = new byte[heightOfTree][mdLength]; + for (int i = 0; i < heightOfTree; i++) + { + this.AuthPath[i] = statByte[1 + i]; + } + + this.tailStack = new Vector(); + for (int i = 0; i < tailLength; i++) + { + this.tailStack.addElement(statByte[1 + heightOfTree + i]); + } + + // decode treeH + this.treehash = GMSSUtils.clone(treeH); + + // decode ret + this.retain = GMSSUtils.clone(ret); + } + + /** + * Constructor + * + * @param heightOfTree maximal height of the tree + * @param digestProvider an array of strings, containing the name of the used hash + * function and PRNG and the name of the corresponding + * provider + */ + public GMSSRootCalc(int heightOfTree, int K, GMSSDigestProvider digestProvider) + { + this.heightOfTree = heightOfTree; + this.digestProvider = digestProvider; + this.messDigestTree = digestProvider.get(); + this.mdLength = messDigestTree.getDigestSize(); + this.K = K; + this.index = new int[heightOfTree]; + this.AuthPath = new byte[heightOfTree][mdLength]; + this.root = new byte[mdLength]; + // this.treehash = new Treehash[this.heightOfTree - this.K]; + this.retain = new Vector[this.K - 1]; + for (int i = 0; i < K - 1; i++) + { + this.retain[i] = new Vector(); + } + + } + + /** + * Initializes the calculation of a new root + * + * @param sharedStack the stack shared by all treehash instances of this tree + */ + public void initialize(Vector sharedStack) + { + this.treehash = new Treehash[this.heightOfTree - this.K]; + for (int i = 0; i < this.heightOfTree - this.K; i++) + { + this.treehash[i] = new Treehash(sharedStack, i, this.digestProvider.get()); + } + + this.index = new int[heightOfTree]; + this.AuthPath = new byte[heightOfTree][mdLength]; + this.root = new byte[mdLength]; + + this.tailStack = new Vector(); + this.heightOfNodes = new Vector(); + this.isInitialized = true; + this.isFinished = false; + + for (int i = 0; i < heightOfTree; i++) + { + this.index[i] = -1; + } + + this.retain = new Vector[this.K - 1]; + for (int i = 0; i < K - 1; i++) + { + this.retain[i] = new Vector(); + } + + this.indexForNextSeed = 3; + this.heightOfNextSeed = 0; + } + + /** + * updates the root with one leaf and stores needed values in retain, + * treehash or authpath. Additionally counts the seeds used. This method is + * used when performing the updates for TREE++. + * + * @param seed the initial seed for treehash: seedNext + * @param leaf the height of the treehash + */ + public void update(byte[] seed, byte[] leaf) + { + if (this.heightOfNextSeed < (this.heightOfTree - this.K) + && this.indexForNextSeed - 2 == index[0]) + { + this.initializeTreehashSeed(seed, this.heightOfNextSeed); + this.heightOfNextSeed++; + this.indexForNextSeed *= 2; + } + // now call the simple update + this.update(leaf); + } + + /** + * Updates the root with one leaf and stores the needed values in retain, + * treehash or authpath + */ + public void update(byte[] leaf) + { + + if (isFinished) + { + System.out.print("Too much updates for Tree!!"); + return; + } + if (!isInitialized) + { + System.err.println("GMSSRootCalc not initialized!"); + return; + } + + // a new leaf was omitted, so raise index on lowest layer + index[0]++; + + // store the nodes on the lowest layer in treehash or authpath + if (index[0] == 1) + { + System.arraycopy(leaf, 0, AuthPath[0], 0, mdLength); + } + else if (index[0] == 3) + { + // store in treehash only if K < H + if (heightOfTree > K) + { + treehash[0].setFirstNode(leaf); + } + } + + if ((index[0] - 3) % 2 == 0 && index[0] >= 3) + { + // store in retain if K = H + if (heightOfTree == K) + // TODO: check it + { + retain[0].insertElementAt(leaf, 0); + } + } + + // if first update to this tree is made + if (index[0] == 0) + { + tailStack.addElement(leaf); + heightOfNodes.addElement(Integers.valueOf(0)); + } + else + { + + byte[] help = new byte[mdLength]; + byte[] toBeHashed = new byte[mdLength << 1]; + + // store the new leaf in help + System.arraycopy(leaf, 0, help, 0, mdLength); + int helpHeight = 0; + // while top to nodes have same height + while (tailStack.size() > 0 + && helpHeight == ((Integer)heightOfNodes.lastElement()) + .intValue()) + { + + // help <-- hash(stack top element || help) + System.arraycopy(tailStack.lastElement(), 0, toBeHashed, 0, + mdLength); + tailStack.removeElementAt(tailStack.size() - 1); + heightOfNodes.removeElementAt(heightOfNodes.size() - 1); + System.arraycopy(help, 0, toBeHashed, mdLength, mdLength); + + messDigestTree.update(toBeHashed, 0, toBeHashed.length); + help = new byte[messDigestTree.getDigestSize()]; + messDigestTree.doFinal(help, 0); + + // the new help node is one step higher + helpHeight++; + if (helpHeight < heightOfTree) + { + index[helpHeight]++; + + // add index 1 element to initial authpath + if (index[helpHeight] == 1) + { + System.arraycopy(help, 0, AuthPath[helpHeight], 0, + mdLength); + } + + if (helpHeight >= heightOfTree - K) + { + if (helpHeight == 0) + { + System.out.println("M���P"); + } + // add help element to retain stack if it is a right + // node + // and not stored in treehash + if ((index[helpHeight] - 3) % 2 == 0 + && index[helpHeight] >= 3) + // TODO: check it + { + retain[helpHeight - (heightOfTree - K)] + .insertElementAt(help, 0); + } + } + else + { + // if element is third in his line add it to treehash + if (index[helpHeight] == 3) + { + treehash[helpHeight].setFirstNode(help); + } + } + } + } + // push help element to the stack + tailStack.addElement(help); + heightOfNodes.addElement(Integers.valueOf(helpHeight)); + + // is the root calculation finished? + if (helpHeight == heightOfTree) + { + isFinished = true; + isInitialized = false; + root = (byte[])tailStack.lastElement(); + } + } + + } + + /** + * initializes the seeds for the treehashs of the tree precomputed by this + * class + * + * @param seed the initial seed for treehash: seedNext + * @param index the height of the treehash + */ + public void initializeTreehashSeed(byte[] seed, int index) + { + treehash[index].initializeSeed(seed); + } + + /** + * Method to check whether the instance has been initialized or not + * + * @return true if treehash was already initialized + */ + public boolean wasInitialized() + { + return isInitialized; + } + + /** + * Method to check whether the instance has been finished or not + * + * @return true if tree has reached its maximum height + */ + public boolean wasFinished() + { + return isFinished; + } + + /** + * returns the authentication path of the first leaf of the tree + * + * @return the authentication path of the first leaf of the tree + */ + public byte[][] getAuthPath() + { + return GMSSUtils.clone(AuthPath); + } + + /** + * returns the initial treehash instances, storing value y_3(i) + * + * @return the initial treehash instances, storing value y_3(i) + */ + public Treehash[] getTreehash() + { + return GMSSUtils.clone(treehash); + } + + /** + * returns the retain stacks storing all right nodes near to the root + * + * @return the retain stacks storing all right nodes near to the root + */ + public Vector[] getRetain() + { + return GMSSUtils.clone(retain); + } + + /** + * returns the finished root value + * + * @return the finished root value + */ + public byte[] getRoot() + { + return Arrays.clone(root); + } + + /** + * returns the shared stack + * + * @return the shared stack + */ + public Vector getStack() + { + Vector copy = new Vector(); + for (Enumeration en = tailStack.elements(); en.hasMoreElements();) + { + copy.addElement(en.nextElement()); + } + return copy; + } + + /** + * Returns the status byte array used by the GMSSPrivateKeyASN.1 class + * + * @return The status bytes + */ + public byte[][] getStatByte() + { + + int tailLength; + if (tailStack == null) + { + tailLength = 0; + } + else + { + tailLength = tailStack.size(); + } + byte[][] statByte = new byte[1 + heightOfTree + tailLength][64]; //FIXME: messDigestTree.getByteLength() + statByte[0] = root; + + for (int i = 0; i < heightOfTree; i++) + { + statByte[1 + i] = AuthPath[i]; + } + for (int i = 0; i < tailLength; i++) + { + statByte[1 + heightOfTree + i] = (byte[])tailStack.elementAt(i); + } + + return statByte; + } + + /** + * Returns the status int array used by the GMSSPrivateKeyASN.1 class + * + * @return The status ints + */ + public int[] getStatInt() + { + + int tailLength; + if (tailStack == null) + { + tailLength = 0; + } + else + { + tailLength = tailStack.size(); + } + int[] statInt = new int[8 + heightOfTree + tailLength]; + statInt[0] = heightOfTree; + statInt[1] = mdLength; + statInt[2] = K; + statInt[3] = indexForNextSeed; + statInt[4] = heightOfNextSeed; + if (isFinished) + { + statInt[5] = 1; + } + else + { + statInt[5] = 0; + } + if (isInitialized) + { + statInt[6] = 1; + } + else + { + statInt[6] = 0; + } + statInt[7] = tailLength; + + for (int i = 0; i < heightOfTree; i++) + { + statInt[8 + i] = index[i]; + } + for (int i = 0; i < tailLength; i++) + { + statInt[8 + heightOfTree + i] = ((Integer)heightOfNodes + .elementAt(i)).intValue(); + } + + return statInt; + } + + /** + * @return a human readable version of the structure + */ + public String toString() + { + String out = ""; + int tailLength; + if (tailStack == null) + { + tailLength = 0; + } + else + { + tailLength = tailStack.size(); + } + + for (int i = 0; i < 8 + heightOfTree + tailLength; i++) + { + out = out + getStatInt()[i] + " "; + } + for (int i = 0; i < 1 + heightOfTree + tailLength; i++) + { + out = out + new String(Hex.encode(getStatByte()[i])) + " "; + } + out = out + " " + digestProvider.get().getDigestSize(); + return out; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSRootSig.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSRootSig.java new file mode 100644 index 00000000..f08529cf --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSRootSig.java @@ -0,0 +1,666 @@ +package org.spongycastle.pqc.crypto.gmss; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.pqc.crypto.gmss.util.GMSSRandom; +import org.spongycastle.util.encoders.Hex; + + +/** + * This class implements the distributed signature generation of the Winternitz + * one-time signature scheme (OTSS), described in C.Dods, N.P. Smart, and M. + * Stam, "Hash Based Digital Signature Schemes", LNCS 3796, pages 96–115, + * 2005. The class is used by the GMSS classes. + */ +public class GMSSRootSig +{ + + /** + * The hash function used by the OTS + */ + private Digest messDigestOTS; + + /** + * The length of the message digest and private key + */ + private int mdsize, keysize; + + /** + * The private key + */ + private byte[] privateKeyOTS; + + /** + * The message bytes + */ + private byte[] hash; + + /** + * The signature bytes + */ + private byte[] sign; + + /** + * The Winternitz parameter + */ + private int w; + + /** + * The source of randomness for OTS private key generation + */ + private GMSSRandom gmssRandom; + + /** + * Sizes of the message + */ + private int messagesize; + + /** + * Some precalculated values + */ + private int k; + + /** + * Some variables for storing the actual status of distributed signing + */ + private int r, test, counter, ii; + + /** + * variables for storing big numbers for the actual status of distributed + * signing + */ + private long test8, big8; + + /** + * The necessary steps of each updateSign() call + */ + private int steps; + + /** + * The checksum part + */ + private int checksum; + + /** + * The height of the tree + */ + private int height; + + /** + * The current intern OTSseed + */ + private byte[] seed; + + /** + * This constructor regenerates a prior GMSSRootSig object used by the + * GMSSPrivateKeyASN.1 class + * + * @param digest an array of strings, containing the digest of the used hash + * function, the digest of the PRGN and the names of the + * corresponding providers + * @param statByte status byte array + * @param statInt status int array + */ + public GMSSRootSig(Digest digest, byte[][] statByte, int[] statInt) + { + messDigestOTS = digest; + gmssRandom = new GMSSRandom(messDigestOTS); + + this.counter = statInt[0]; + this.test = statInt[1]; + this.ii = statInt[2]; + this.r = statInt[3]; + this.steps = statInt[4]; + this.keysize = statInt[5]; + this.height = statInt[6]; + this.w = statInt[7]; + this.checksum = statInt[8]; + + this.mdsize = messDigestOTS.getDigestSize(); + + this.k = (1 << w) - 1; + + int mdsizeBit = mdsize << 3; + this.messagesize = (int)Math.ceil((double)(mdsizeBit) / (double)w); + + this.privateKeyOTS = statByte[0]; + this.seed = statByte[1]; + this.hash = statByte[2]; + + this.sign = statByte[3]; + + this.test8 = ((statByte[4][0] & 0xff)) + | ((long)(statByte[4][1] & 0xff) << 8) + | ((long)(statByte[4][2] & 0xff) << 16) + | ((long)(statByte[4][3] & 0xff)) << 24 + | ((long)(statByte[4][4] & 0xff)) << 32 + | ((long)(statByte[4][5] & 0xff)) << 40 + | ((long)(statByte[4][6] & 0xff)) << 48 + | ((long)(statByte[4][7] & 0xff)) << 56; + + this.big8 = ((statByte[4][8] & 0xff)) + | ((long)(statByte[4][9] & 0xff) << 8) + | ((long)(statByte[4][10] & 0xff) << 16) + | ((long)(statByte[4][11] & 0xff)) << 24 + | ((long)(statByte[4][12] & 0xff)) << 32 + | ((long)(statByte[4][13] & 0xff)) << 40 + | ((long)(statByte[4][14] & 0xff)) << 48 + | ((long)(statByte[4][15] & 0xff)) << 56; + } + + /** + * The constructor generates the PRNG and initializes some variables + * + * @param digest an array of strings, containing the digest of the used hash + * function, the digest of the PRGN and the names of the + * corresponding providers + * @param w the winternitz parameter + * @param height the heigth of the tree + */ + public GMSSRootSig(Digest digest, int w, int height) + { + messDigestOTS = digest; + gmssRandom = new GMSSRandom(messDigestOTS); + + this.mdsize = messDigestOTS.getDigestSize(); + this.w = w; + this.height = height; + + this.k = (1 << w) - 1; + + int mdsizeBit = mdsize << 3; + this.messagesize = (int)Math.ceil((double)(mdsizeBit) / (double)w); + } + + /** + * This method initializes the distributed sigature calculation. Variables + * are reseted and necessary steps are calculated + * + * @param seed0 the initial OTSseed + * @param message the massage which will be signed + */ + public void initSign(byte[] seed0, byte[] message) + { + + // create hash of message m + this.hash = new byte[mdsize]; + messDigestOTS.update(message, 0, message.length); + this.hash = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(this.hash, 0); + + // variables for calculation of steps + byte[] messPart = new byte[mdsize]; + System.arraycopy(hash, 0, messPart, 0, mdsize); + int checkPart = 0; + int sumH = 0; + int checksumsize = getLog((messagesize << w) + 1); + + // ------- calculation of necessary steps ------ + if (8 % w == 0) + { + int dt = 8 / w; + // message part + for (int a = 0; a < mdsize; a++) + { + // count necessary hashs in 'sumH' + for (int b = 0; b < dt; b++) + { + sumH += messPart[a] & k; + messPart[a] = (byte)(messPart[a] >>> w); + } + } + // checksum part + this.checksum = (messagesize << w) - sumH; + checkPart = checksum; + // count necessary hashs in 'sumH' + for (int b = 0; b < checksumsize; b += w) + { + sumH += checkPart & k; + checkPart >>>= w; + } + } // end if ( 8 % w == 0 ) + else if (w < 8) + { + long big8; + int ii = 0; + int dt = mdsize / w; + + // first d*w bytes of hash (main message part) + for (int i = 0; i < dt; i++) + { + big8 = 0; + for (int j = 0; j < w; j++) + { + big8 ^= (messPart[ii] & 0xff) << (j << 3); + ii++; + } + // count necessary hashs in 'sumH' + for (int j = 0; j < 8; j++) + { + sumH += (int)(big8 & k); + big8 >>>= w; + } + } + // rest of message part + dt = mdsize % w; + big8 = 0; + for (int j = 0; j < dt; j++) + { + big8 ^= (messPart[ii] & 0xff) << (j << 3); + ii++; + } + dt <<= 3; + // count necessary hashs in 'sumH' + for (int j = 0; j < dt; j += w) + { + sumH += (int)(big8 & k); + big8 >>>= w; + } + // checksum part + this.checksum = (messagesize << w) - sumH; + checkPart = checksum; + // count necessary hashs in 'sumH' + for (int i = 0; i < checksumsize; i += w) + { + sumH += checkPart & k; + checkPart >>>= w; + } + }// end if(w<8) + else if (w < 57) + { + long big8; + int r = 0; + int s, f, rest, ii; + + // first a*w bits of hash where a*w <= 8*mdsize < (a+1)*w (main + // message part) + while (r <= ((mdsize << 3) - w)) + { + s = r >>> 3; + rest = r % 8; + r += w; + f = (r + 7) >>> 3; + big8 = 0; + ii = 0; + for (int j = s; j < f; j++) + { + big8 ^= (messPart[j] & 0xff) << (ii << 3); + ii++; + } + big8 >>>= rest; + // count necessary hashs in 'sumH' + sumH += (big8 & k); + + } + // rest of message part + s = r >>> 3; + if (s < mdsize) + { + rest = r % 8; + big8 = 0; + ii = 0; + for (int j = s; j < mdsize; j++) + { + big8 ^= (messPart[j] & 0xff) << (ii << 3); + ii++; + } + + big8 >>>= rest; + // count necessary hashs in 'sumH' + sumH += (big8 & k); + } + // checksum part + this.checksum = (messagesize << w) - sumH; + checkPart = checksum; + // count necessary hashs in 'sumH' + for (int i = 0; i < checksumsize; i += w) + { + sumH += (checkPart & k); + checkPart >>>= w; + } + }// end if(w<57) + + // calculate keysize + this.keysize = messagesize + + (int)Math.ceil((double)checksumsize / (double)w); + + // calculate steps: 'keysize' times PRNG, 'sumH' times hashing, + // (1<<height)-1 updateSign() calls + this.steps = (int)Math.ceil((double)(keysize + sumH) + / (double)((1 << height))); + // ---------------------------- + + // reset variables + this.sign = new byte[keysize * mdsize]; + this.counter = 0; + this.test = 0; + this.ii = 0; + this.test8 = 0; + this.r = 0; + // define the private key messagesize + this.privateKeyOTS = new byte[mdsize]; + // copy the seed + this.seed = new byte[mdsize]; + System.arraycopy(seed0, 0, this.seed, 0, mdsize); + + } + + /** + * This Method performs <code>steps</code> steps of distributed signature + * calculaion + * + * @return true if signature is generated completly, else false + */ + public boolean updateSign() + { + // steps times do + + for (int s = 0; s < steps; s++) + { // do 'step' times + + if (counter < keysize) + { // generate the private key or perform + // the next hash + oneStep(); + } + if (counter == keysize) + {// finish + return true; + } + } + + return false; // leaf not finished yet + } + + /** + * @return The private OTS key + */ + public byte[] getSig() + { + + return sign; + } + + /** + * @return The one-time signature of the message, generated step by step + */ + private void oneStep() + { + // -------- if (8 % w == 0) ---------- + if (8 % w == 0) + { + if (test == 0) + { + // get current OTSprivateKey + this.privateKeyOTS = gmssRandom.nextSeed(seed); + // System.arraycopy(privateKeyOTS, 0, hlp, 0, mdsize); + + if (ii < mdsize) + { // for main message part + test = hash[ii] & k; + hash[ii] = (byte)(hash[ii] >>> w); + } + else + { // for checksum part + test = checksum & k; + checksum >>>= w; + } + } + else if (test > 0) + { // hash the private Key 'test' times (on + // time each step) + messDigestOTS.update(privateKeyOTS, 0, privateKeyOTS.length); + privateKeyOTS = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(privateKeyOTS, 0); + test--; + } + if (test == 0) + { // if all hashes done copy result to siganture + // array + System.arraycopy(privateKeyOTS, 0, sign, counter * mdsize, + mdsize); + counter++; + + if (counter % (8 / w) == 0) + { // raise array index for main + // massage part + ii++; + } + } + + }// ----- end if (8 % w == 0) ----- + // ---------- if ( w < 8 ) ---------------- + else if (w < 8) + { + + if (test == 0) + { + if (counter % 8 == 0 && ii < mdsize) + { // after every 8th "add + // to signature"-step + big8 = 0; + if (counter < ((mdsize / w) << 3)) + {// main massage + // (generate w*8 Bits + // every time) part + for (int j = 0; j < w; j++) + { + big8 ^= (hash[ii] & 0xff) << (j << 3); + ii++; + } + } + else + { // rest of massage part (once) + for (int j = 0; j < mdsize % w; j++) + { + big8 ^= (hash[ii] & 0xff) << (j << 3); + ii++; + } + } + } + if (counter == messagesize) + { // checksum part (once) + big8 = checksum; + } + + test = (int)(big8 & k); + // generate current OTSprivateKey + this.privateKeyOTS = gmssRandom.nextSeed(seed); + // System.arraycopy(privateKeyOTS, 0, hlp, 0, mdsize); + + } + else if (test > 0) + { // hash the private Key 'test' times (on + // time each step) + messDigestOTS.update(privateKeyOTS, 0, privateKeyOTS.length); + privateKeyOTS = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(privateKeyOTS, 0); + test--; + } + if (test == 0) + { // if all hashes done copy result to siganture + // array + System.arraycopy(privateKeyOTS, 0, sign, counter * mdsize, + mdsize); + big8 >>>= w; + counter++; + } + + }// ------- end if(w<8)-------------------------------- + // --------- if w < 57 ----------------------------- + else if (w < 57) + { + + if (test8 == 0) + { + int s, f, rest; + big8 = 0; + ii = 0; + rest = r % 8; + s = r >>> 3; + // --- message part--- + if (s < mdsize) + { + if (r <= ((mdsize << 3) - w)) + { // first message part + r += w; + f = (r + 7) >>> 3; + } + else + { // rest of message part (once) + f = mdsize; + r += w; + } + // generate long 'big8' with minimum w next bits of the + // message array + for (int i = s; i < f; i++) + { + big8 ^= (hash[i] & 0xff) << (ii << 3); + ii++; + } + // delete bits on the right side, which were used already by + // the last loop + big8 >>>= rest; + test8 = (big8 & k); + } + // --- checksum part + else + { + test8 = (checksum & k); + checksum >>>= w; + } + // generate current OTSprivateKey + this.privateKeyOTS = gmssRandom.nextSeed(seed); + // System.arraycopy(privateKeyOTS, 0, hlp, 0, mdsize); + + } + else if (test8 > 0) + { // hash the private Key 'test' times (on + // time each step) + messDigestOTS.update(privateKeyOTS, 0, privateKeyOTS.length); + privateKeyOTS = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(privateKeyOTS, 0); + test8--; + } + if (test8 == 0) + { // if all hashes done copy result to siganture + // array + System.arraycopy(privateKeyOTS, 0, sign, counter * mdsize, + mdsize); + counter++; + } + + } + } + + /** + * This method returns the least integer that is greater or equal to the + * logarithm to the base 2 of an integer <code>intValue</code>. + * + * @param intValue an integer + * @return The least integer greater or equal to the logarithm to the base 2 + * of <code>intValue</code> + */ + public int getLog(int intValue) + { + int log = 1; + int i = 2; + while (i < intValue) + { + i <<= 1; + log++; + } + return log; + } + + /** + * This method returns the status byte array + * + * @return statBytes + */ + public byte[][] getStatByte() + { + + byte[][] statByte = new byte[5][mdsize]; + statByte[0] = privateKeyOTS; + statByte[1] = seed; + statByte[2] = hash; + statByte[3] = sign; + statByte[4] = this.getStatLong(); + + return statByte; + } + + /** + * This method returns the status int array + * + * @return statInt + */ + public int[] getStatInt() + { + int[] statInt = new int[9]; + statInt[0] = counter; + statInt[1] = test; + statInt[2] = ii; + statInt[3] = r; + statInt[4] = steps; + statInt[5] = keysize; + statInt[6] = height; + statInt[7] = w; + statInt[8] = checksum; + return statInt; + } + + /** + * Converts the long parameters into byte arrays to store it in + * statByte-Array + */ + public byte[] getStatLong() + { + byte[] bytes = new byte[16]; + + bytes[0] = (byte)((test8) & 0xff); + bytes[1] = (byte)((test8 >> 8) & 0xff); + bytes[2] = (byte)((test8 >> 16) & 0xff); + bytes[3] = (byte)((test8 >> 24) & 0xff); + bytes[4] = (byte)((test8) >> 32 & 0xff); + bytes[5] = (byte)((test8 >> 40) & 0xff); + bytes[6] = (byte)((test8 >> 48) & 0xff); + bytes[7] = (byte)((test8 >> 56) & 0xff); + + bytes[8] = (byte)((big8) & 0xff); + bytes[9] = (byte)((big8 >> 8) & 0xff); + bytes[10] = (byte)((big8 >> 16) & 0xff); + bytes[11] = (byte)((big8 >> 24) & 0xff); + bytes[12] = (byte)((big8) >> 32 & 0xff); + bytes[13] = (byte)((big8 >> 40) & 0xff); + bytes[14] = (byte)((big8 >> 48) & 0xff); + bytes[15] = (byte)((big8 >> 56) & 0xff); + + return bytes; + } + + /** + * returns a string representation of the instance + * + * @return a string representation of the instance + */ + public String toString() + { + String out = "" + this.big8 + " "; + int[] statInt = new int[9]; + statInt = this.getStatInt(); + byte[][] statByte = new byte[5][mdsize]; + statByte = this.getStatByte(); + for (int i = 0; i < 9; i++) + { + out = out + statInt[i] + " "; + } + for (int i = 0; i < 5; i++) + { + out = out + new String(Hex.encode(statByte[i])) + " "; + } + + return out; + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSSigner.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSSigner.java new file mode 100644 index 00000000..2a78d385 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSSigner.java @@ -0,0 +1,403 @@ +package org.spongycastle.pqc.crypto.gmss; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.pqc.crypto.MessageSigner; +import org.spongycastle.pqc.crypto.gmss.util.GMSSRandom; +import org.spongycastle.pqc.crypto.gmss.util.GMSSUtil; +import org.spongycastle.pqc.crypto.gmss.util.WinternitzOTSVerify; +import org.spongycastle.pqc.crypto.gmss.util.WinternitzOTSignature; +import org.spongycastle.util.Arrays; + +/** + * This class implements the GMSS signature scheme. + */ +public class GMSSSigner + implements MessageSigner +{ + + /** + * Instance of GMSSParameterSpec + */ + //private GMSSParameterSpec gmssParameterSpec; + + /** + * Instance of GMSSUtilities + */ + private GMSSUtil gmssUtil = new GMSSUtil(); + + + /** + * The raw GMSS public key + */ + private byte[] pubKeyBytes; + + /** + * Hash function for the construction of the authentication trees + */ + private Digest messDigestTrees; + + /** + * The length of the hash function output + */ + private int mdLength; + + /** + * The number of tree layers + */ + private int numLayer; + + /** + * The hash function used by the OTS + */ + private Digest messDigestOTS; + + /** + * An instance of the Winternitz one-time signature + */ + private WinternitzOTSignature ots; + + /** + * Array of strings containing the name of the hash function used by the OTS + * and the corresponding provider name + */ + private GMSSDigestProvider digestProvider; + + /** + * The current main tree and subtree indices + */ + private int[] index; + + /** + * Array of the authentication paths for the current trees of all layers + */ + private byte[][][] currentAuthPaths; + + /** + * The one-time signature of the roots of the current subtrees + */ + private byte[][] subtreeRootSig; + + + /** + * The GMSSParameterset + */ + private GMSSParameters gmssPS; + + /** + * The PRNG + */ + private GMSSRandom gmssRandom; + + GMSSKeyParameters key; + + // XXX needed? Source of randomness + private SecureRandom random; + + + /** + * The standard constructor tries to generate the MerkleTree Algorithm + * identifier with the corresponding OID. + * + * @param digest the digest to use + */ + // TODO + public GMSSSigner(GMSSDigestProvider digest) + { + digestProvider = digest; + messDigestTrees = digest.get(); + messDigestOTS = messDigestTrees; + mdLength = messDigestTrees.getDigestSize(); + gmssRandom = new GMSSRandom(messDigestTrees); + } + + public void init(boolean forSigning, + CipherParameters param) + { + + if (forSigning) + { + if (param instanceof ParametersWithRandom) + { + ParametersWithRandom rParam = (ParametersWithRandom)param; + + // XXX random needed? + this.random = rParam.getRandom(); + this.key = (GMSSPrivateKeyParameters)rParam.getParameters(); + initSign(); + + } + else + { + + this.random = new SecureRandom(); + this.key = (GMSSPrivateKeyParameters)param; + initSign(); + } + } + else + { + this.key = (GMSSPublicKeyParameters)param; + initVerify(); + + } + + } + + + /** + * Initializes the signature algorithm for signing a message. + */ + private void initSign() + { + messDigestTrees.reset(); + // set private key and take from it ots key, auth, tree and key + // counter, rootSign + GMSSPrivateKeyParameters gmssPrivateKey = (GMSSPrivateKeyParameters)key; + + if (gmssPrivateKey.isUsed()) + { + throw new IllegalStateException("Private key already used"); + } + + // check if last signature has been generated + if (gmssPrivateKey.getIndex(0) >= gmssPrivateKey.getNumLeafs(0)) + { + throw new IllegalStateException("No more signatures can be generated"); + } + + // get Parameterset + this.gmssPS = gmssPrivateKey.getParameters(); + // get numLayer + this.numLayer = gmssPS.getNumOfLayers(); + + // get OTS Instance of lowest layer + byte[] seed = gmssPrivateKey.getCurrentSeeds()[numLayer - 1]; + byte[] OTSSeed = new byte[mdLength]; + byte[] dummy = new byte[mdLength]; + System.arraycopy(seed, 0, dummy, 0, mdLength); + OTSSeed = gmssRandom.nextSeed(dummy); // secureRandom.nextBytes(currentSeeds[currentSeeds.length-1]);secureRandom.nextBytes(OTSseed); + this.ots = new WinternitzOTSignature(OTSSeed, digestProvider.get(), gmssPS.getWinternitzParameter()[numLayer - 1]); + + byte[][][] helpCurrentAuthPaths = gmssPrivateKey.getCurrentAuthPaths(); + currentAuthPaths = new byte[numLayer][][]; + + // copy the main tree authentication path + for (int j = 0; j < numLayer; j++) + { + currentAuthPaths[j] = new byte[helpCurrentAuthPaths[j].length][mdLength]; + for (int i = 0; i < helpCurrentAuthPaths[j].length; i++) + { + System.arraycopy(helpCurrentAuthPaths[j][i], 0, currentAuthPaths[j][i], 0, mdLength); + } + } + + // copy index + index = new int[numLayer]; + System.arraycopy(gmssPrivateKey.getIndex(), 0, index, 0, numLayer); + + // copy subtreeRootSig + byte[] helpSubtreeRootSig; + subtreeRootSig = new byte[numLayer - 1][]; + for (int i = 0; i < numLayer - 1; i++) + { + helpSubtreeRootSig = gmssPrivateKey.getSubtreeRootSig(i); + subtreeRootSig[i] = new byte[helpSubtreeRootSig.length]; + System.arraycopy(helpSubtreeRootSig, 0, subtreeRootSig[i], 0, helpSubtreeRootSig.length); + } + + gmssPrivateKey.markUsed(); + } + + /** + * Signs a message. + * + * @return the signature. + */ + public byte[] generateSignature(byte[] message) + { + + byte[] otsSig = new byte[mdLength]; + byte[] authPathBytes; + byte[] indexBytes; + + otsSig = ots.getSignature(message); + + // get concatenated lowest layer tree authentication path + authPathBytes = gmssUtil.concatenateArray(currentAuthPaths[numLayer - 1]); + + // put lowest layer index into a byte array + indexBytes = gmssUtil.intToBytesLittleEndian(index[numLayer - 1]); + + // create first part of GMSS signature + byte[] gmssSigFirstPart = new byte[indexBytes.length + otsSig.length + authPathBytes.length]; + System.arraycopy(indexBytes, 0, gmssSigFirstPart, 0, indexBytes.length); + System.arraycopy(otsSig, 0, gmssSigFirstPart, indexBytes.length, otsSig.length); + System.arraycopy(authPathBytes, 0, gmssSigFirstPart, (indexBytes.length + otsSig.length), authPathBytes.length); + // --- end first part + + // --- next parts of the signature + // create initial array with length 0 for iteration + byte[] gmssSigNextPart = new byte[0]; + + for (int i = numLayer - 1 - 1; i >= 0; i--) + { + + // get concatenated next tree authentication path + authPathBytes = gmssUtil.concatenateArray(currentAuthPaths[i]); + + // put next tree index into a byte array + indexBytes = gmssUtil.intToBytesLittleEndian(index[i]); + + // create next part of GMSS signature + + // create help array and copy actual gmssSig into it + byte[] helpGmssSig = new byte[gmssSigNextPart.length]; + System.arraycopy(gmssSigNextPart, 0, helpGmssSig, 0, gmssSigNextPart.length); + // adjust length of gmssSigNextPart for adding next part + gmssSigNextPart = new byte[helpGmssSig.length + indexBytes.length + subtreeRootSig[i].length + authPathBytes.length]; + + // copy old data (help array) and new data in gmssSigNextPart + System.arraycopy(helpGmssSig, 0, gmssSigNextPart, 0, helpGmssSig.length); + System.arraycopy(indexBytes, 0, gmssSigNextPart, helpGmssSig.length, indexBytes.length); + System.arraycopy(subtreeRootSig[i], 0, gmssSigNextPart, (helpGmssSig.length + indexBytes.length), subtreeRootSig[i].length); + System.arraycopy(authPathBytes, 0, gmssSigNextPart, (helpGmssSig.length + indexBytes.length + subtreeRootSig[i].length), authPathBytes.length); + + } + // --- end next parts + + // concatenate the two parts of the GMSS signature + byte[] gmssSig = new byte[gmssSigFirstPart.length + gmssSigNextPart.length]; + System.arraycopy(gmssSigFirstPart, 0, gmssSig, 0, gmssSigFirstPart.length); + System.arraycopy(gmssSigNextPart, 0, gmssSig, gmssSigFirstPart.length, gmssSigNextPart.length); + + // return the GMSS signature + return gmssSig; + } + + /** + * Initializes the signature algorithm for verifying a signature. + */ + private void initVerify() + { + messDigestTrees.reset(); + + GMSSPublicKeyParameters gmssPublicKey = (GMSSPublicKeyParameters)key; + pubKeyBytes = gmssPublicKey.getPublicKey(); + gmssPS = gmssPublicKey.getParameters(); + // get numLayer + this.numLayer = gmssPS.getNumOfLayers(); + + + } + + /** + * This function verifies the signature of the message that has been + * updated, with the aid of the public key. + * + * @param message the message + * @param signature the signature associated with the message + * @return true if the signature has been verified, false otherwise. + */ + public boolean verifySignature(byte[] message, byte[] signature) + { + + boolean success = false; + // int halfSigLength = signature.length >>> 1; + messDigestOTS.reset(); + WinternitzOTSVerify otsVerify; + int otsSigLength; + + byte[] help = message; + + byte[] otsSig; + byte[] otsPublicKey; + byte[][] authPath; + byte[] dest; + int nextEntry = 0; + int index; + // Verify signature + + // --- begin with message = 'message that was signed' + // and then in each step message = subtree root + for (int j = numLayer - 1; j >= 0; j--) + { + otsVerify = new WinternitzOTSVerify(digestProvider.get(), gmssPS.getWinternitzParameter()[j]); + otsSigLength = otsVerify.getSignatureLength(); + + message = help; + // get the subtree index + index = gmssUtil.bytesToIntLittleEndian(signature, nextEntry); + + // 4 is the number of bytes in integer + nextEntry += 4; + + // get one-time signature + otsSig = new byte[otsSigLength]; + System.arraycopy(signature, nextEntry, otsSig, 0, otsSigLength); + nextEntry += otsSigLength; + + // compute public OTS key from the one-time signature + otsPublicKey = otsVerify.Verify(message, otsSig); + + // test if OTSsignature is correct + if (otsPublicKey == null) + { + System.err.println("OTS Public Key is null in GMSSSignature.verify"); + return false; + } + + // get authentication path from the signature + authPath = new byte[gmssPS.getHeightOfTrees()[j]][mdLength]; + for (int i = 0; i < authPath.length; i++) + { + System.arraycopy(signature, nextEntry, authPath[i], 0, mdLength); + nextEntry = nextEntry + mdLength; + } + + // compute the root of the subtree from the authentication path + help = new byte[mdLength]; + + help = otsPublicKey; + + int count = 1 << authPath.length; + count = count + index; + + for (int i = 0; i < authPath.length; i++) + { + dest = new byte[mdLength << 1]; + + if ((count % 2) == 0) + { + System.arraycopy(help, 0, dest, 0, mdLength); + System.arraycopy(authPath[i], 0, dest, mdLength, mdLength); + count = count / 2; + } + else + { + System.arraycopy(authPath[i], 0, dest, 0, mdLength); + System.arraycopy(help, 0, dest, mdLength, help.length); + count = (count - 1) / 2; + } + messDigestTrees.update(dest, 0, dest.length); + help = new byte[messDigestTrees.getDigestSize()]; + messDigestTrees.doFinal(help, 0); + } + } + + // now help contains the root of the maintree + + // test if help is equal to the GMSS public key + if (Arrays.areEqual(pubKeyBytes, help)) + { + success = true; + } + + return success; + } + + +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSUtils.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSUtils.java new file mode 100644 index 00000000..1f79bdde --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/GMSSUtils.java @@ -0,0 +1,145 @@ +package org.spongycastle.pqc.crypto.gmss; + +import java.util.Enumeration; +import java.util.Vector; + +import org.spongycastle.util.Arrays; + +class GMSSUtils +{ + static GMSSLeaf[] clone(GMSSLeaf[] data) + { + if (data == null) + { + return null; + } + GMSSLeaf[] copy = new GMSSLeaf[data.length]; + + System.arraycopy(data, 0, copy, 0, data.length); + + return copy; + } + + static GMSSRootCalc[] clone(GMSSRootCalc[] data) + { + if (data == null) + { + return null; + } + GMSSRootCalc[] copy = new GMSSRootCalc[data.length]; + + System.arraycopy(data, 0, copy, 0, data.length); + + return copy; + } + + static GMSSRootSig[] clone(GMSSRootSig[] data) + { + if (data == null) + { + return null; + } + GMSSRootSig[] copy = new GMSSRootSig[data.length]; + + System.arraycopy(data, 0, copy, 0, data.length); + + return copy; + } + + static byte[][] clone(byte[][] data) + { + if (data == null) + { + return null; + } + byte[][] copy = new byte[data.length][]; + + for (int i = 0; i != data.length; i++) + { + copy[i] = Arrays.clone(data[i]); + } + + return copy; + } + + static byte[][][] clone(byte[][][] data) + { + if (data == null) + { + return null; + } + byte[][][] copy = new byte[data.length][][]; + + for (int i = 0; i != data.length; i++) + { + copy[i] = clone(data[i]); + } + + return copy; + } + + static Treehash[] clone(Treehash[] data) + { + if (data == null) + { + return null; + } + Treehash[] copy = new Treehash[data.length]; + + System.arraycopy(data, 0, copy, 0, data.length); + + return copy; + } + + static Treehash[][] clone(Treehash[][] data) + { + if (data == null) + { + return null; + } + Treehash[][] copy = new Treehash[data.length][]; + + for (int i = 0; i != data.length; i++) + { + copy[i] = clone(data[i]); + } + + return copy; + } + + static Vector[] clone(Vector[] data) + { + if (data == null) + { + return null; + } + Vector[] copy = new Vector[data.length]; + + for (int i = 0; i != data.length; i++) + { + copy[i] = new Vector(); + for (Enumeration en = data[i].elements(); en.hasMoreElements();) + { + copy[i].addElement(en.nextElement()); + } + } + + return copy; + } + + static Vector[][] clone(Vector[][] data) + { + if (data == null) + { + return null; + } + Vector[][] copy = new Vector[data.length][]; + + for (int i = 0; i != data.length; i++) + { + copy[i] = clone(data[i]); + } + + return copy; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/Treehash.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/Treehash.java new file mode 100644 index 00000000..82784e34 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/Treehash.java @@ -0,0 +1,525 @@ +package org.spongycastle.pqc.crypto.gmss; + +import java.util.Vector; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.pqc.crypto.gmss.util.GMSSRandom; +import org.spongycastle.util.Integers; +import org.spongycastle.util.encoders.Hex; + + +/** + * This class implements a treehash instance for the Merkle tree traversal + * algorithm. The first node of the stack is stored in this instance itself, + * additional tail nodes are stored on a tailstack. + */ +public class Treehash +{ + + /** + * max height of current treehash instance. + */ + private int maxHeight; + + /** + * Vector element that stores the nodes on the stack + */ + private Vector tailStack; + + /** + * Vector element that stores the height of the nodes on the stack + */ + private Vector heightOfNodes; + + /** + * the first node is stored in the treehash instance itself, not on stack + */ + private byte[] firstNode; + + /** + * seedActive needed for the actual node + */ + private byte[] seedActive; + + /** + * the seed needed for the next re-initialization of the treehash instance + */ + private byte[] seedNext; + + /** + * number of nodes stored on the stack and belonging to this treehash + * instance + */ + private int tailLength; + + /** + * the height in the tree of the first node stored in treehash + */ + private int firstNodeHeight; + + /** + * true if treehash instance was already initialized, false otherwise + */ + private boolean isInitialized; + + /** + * true if the first node's height equals the maxHeight of the treehash + */ + private boolean isFinished; + + /** + * true if the nextSeed has been initialized with index 3*2^h needed for the + * seed scheduling + */ + private boolean seedInitialized; + + /** + * denotes the Message Digest used by the tree to create nodes + */ + private Digest messDigestTree; + + /** + * This constructor regenerates a prior treehash object + * + * @param name an array of strings, containing the name of the used hash + * function and PRNG and the name of the corresponding provider + * @param statByte status bytes + * @param statInt status ints + */ + public Treehash(Digest name, byte[][] statByte, int[] statInt) + { + this.messDigestTree = name; + + // decode statInt + this.maxHeight = statInt[0]; + this.tailLength = statInt[1]; + this.firstNodeHeight = statInt[2]; + + if (statInt[3] == 1) + { + this.isFinished = true; + } + else + { + this.isFinished = false; + } + if (statInt[4] == 1) + { + this.isInitialized = true; + } + else + { + this.isInitialized = false; + } + if (statInt[5] == 1) + { + this.seedInitialized = true; + } + else + { + this.seedInitialized = false; + } + + this.heightOfNodes = new Vector(); + for (int i = 0; i < tailLength; i++) + { + this.heightOfNodes.addElement(Integers.valueOf(statInt[6 + i])); + } + + // decode statByte + this.firstNode = statByte[0]; + this.seedActive = statByte[1]; + this.seedNext = statByte[2]; + + this.tailStack = new Vector(); + for (int i = 0; i < tailLength; i++) + { + this.tailStack.addElement(statByte[3 + i]); + } + } + + /** + * Constructor + * + * @param tailStack a vector element where the stack nodes are stored + * @param maxHeight maximal height of the treehash instance + * @param digest an array of strings, containing the name of the used hash + * function and PRNG and the name of the corresponding provider + */ + public Treehash(Vector tailStack, int maxHeight, Digest digest) + { + this.tailStack = tailStack; + this.maxHeight = maxHeight; + this.firstNode = null; + this.isInitialized = false; + this.isFinished = false; + this.seedInitialized = false; + this.messDigestTree = digest; + + this.seedNext = new byte[messDigestTree.getDigestSize()]; + this.seedActive = new byte[messDigestTree.getDigestSize()]; + } + + /** + * Method to initialize the seeds needed for the precomputation of right + * nodes. Should be initialized with index 3*2^i for treehash_i + * + * @param seedIn + */ + public void initializeSeed(byte[] seedIn) + { + System.arraycopy(seedIn, 0, this.seedNext, 0, this.messDigestTree + .getDigestSize()); + this.seedInitialized = true; + } + + /** + * initializes the treehash instance. The seeds must already have been + * initialized to work correctly. + */ + public void initialize() + { + if (!this.seedInitialized) + { + System.err.println("Seed " + this.maxHeight + " not initialized"); + return; + } + + this.heightOfNodes = new Vector(); + this.tailLength = 0; + this.firstNode = null; + this.firstNodeHeight = -1; + this.isInitialized = true; + System.arraycopy(this.seedNext, 0, this.seedActive, 0, messDigestTree + .getDigestSize()); + } + + /** + * Calculates one update of the treehash instance, i.e. creates a new leaf + * and hashes if possible + * + * @param gmssRandom an instance of the PRNG + * @param leaf The byte value of the leaf needed for the update + */ + public void update(GMSSRandom gmssRandom, byte[] leaf) + { + + if (this.isFinished) + { + System.err + .println("No more update possible for treehash instance!"); + return; + } + if (!this.isInitialized) + { + System.err + .println("Treehash instance not initialized before update"); + return; + } + + byte[] help = new byte[this.messDigestTree.getDigestSize()]; + int helpHeight = -1; + + gmssRandom.nextSeed(this.seedActive); + + // if treehash gets first update + if (this.firstNode == null) + { + this.firstNode = leaf; + this.firstNodeHeight = 0; + } + else + { + // store the new node in help array, do not push it on the stack + help = leaf; + helpHeight = 0; + + // hash the nodes on the stack if possible + while (this.tailLength > 0 + && helpHeight == ((Integer)heightOfNodes.lastElement()) + .intValue()) + { + // put top element of the stack and help node in array + // 'tobehashed' + // and hash them together, put result again in help array + byte[] toBeHashed = new byte[this.messDigestTree + .getDigestSize() << 1]; + + // pop element from stack + System.arraycopy(this.tailStack.lastElement(), 0, toBeHashed, + 0, this.messDigestTree.getDigestSize()); + this.tailStack.removeElementAt(this.tailStack.size() - 1); + this.heightOfNodes + .removeElementAt(this.heightOfNodes.size() - 1); + + System.arraycopy(help, 0, toBeHashed, this.messDigestTree + .getDigestSize(), this.messDigestTree + .getDigestSize()); + messDigestTree.update(toBeHashed, 0, toBeHashed.length); + help = new byte[messDigestTree.getDigestSize()]; + messDigestTree.doFinal(help, 0); + + // increase help height, stack was reduced by one element + helpHeight++; + this.tailLength--; + } + + // push the new node on the stack + this.tailStack.addElement(help); + this.heightOfNodes.addElement(Integers.valueOf(helpHeight)); + this.tailLength++; + + // finally check whether the top node on stack and the first node + // in treehash have same height. If so hash them together + // and store them in treehash + if (((Integer)heightOfNodes.lastElement()).intValue() == this.firstNodeHeight) + { + byte[] toBeHashed = new byte[this.messDigestTree + .getDigestSize() << 1]; + System.arraycopy(this.firstNode, 0, toBeHashed, 0, + this.messDigestTree.getDigestSize()); + + // pop element from tailStack and copy it into help2 array + System.arraycopy(this.tailStack.lastElement(), 0, toBeHashed, + this.messDigestTree.getDigestSize(), + this.messDigestTree.getDigestSize()); + this.tailStack.removeElementAt(this.tailStack.size() - 1); + this.heightOfNodes + .removeElementAt(this.heightOfNodes.size() - 1); + + // store new element in firstNode, stack is then empty + messDigestTree.update(toBeHashed, 0, toBeHashed.length); + this.firstNode = new byte[messDigestTree.getDigestSize()]; + messDigestTree.doFinal(this.firstNode, 0); + this.firstNodeHeight++; + + // empty the stack + this.tailLength = 0; + } + } + + // check if treehash instance is completed + if (this.firstNodeHeight == this.maxHeight) + { + this.isFinished = true; + } + } + + /** + * Destroys a treehash instance after the top node was taken for + * authentication path. + */ + public void destroy() + { + this.isInitialized = false; + this.isFinished = false; + this.firstNode = null; + this.tailLength = 0; + this.firstNodeHeight = -1; + } + + /** + * Returns the height of the lowest node stored either in treehash or on the + * stack. It must not be set to infinity (as mentioned in the paper) because + * this cases are considered in the computeAuthPaths method of + * JDKGMSSPrivateKey + * + * @return Height of the lowest node + */ + public int getLowestNodeHeight() + { + if (this.firstNode == null) + { + return this.maxHeight; + } + else if (this.tailLength == 0) + { + return this.firstNodeHeight; + } + else + { + return Math.min(this.firstNodeHeight, ((Integer)heightOfNodes + .lastElement()).intValue()); + } + } + + /** + * Returns the top node height + * + * @return Height of the first node, the top node + */ + public int getFirstNodeHeight() + { + if (firstNode == null) + { + return maxHeight; + } + return firstNodeHeight; + } + + /** + * Method to check whether the instance has been initialized or not + * + * @return true if treehash was already initialized + */ + public boolean wasInitialized() + { + return this.isInitialized; + } + + /** + * Method to check whether the instance has been finished or not + * + * @return true if treehash has reached its maximum height + */ + public boolean wasFinished() + { + return this.isFinished; + } + + /** + * returns the first node stored in treehash instance itself + * + * @return the first node stored in treehash instance itself + */ + public byte[] getFirstNode() + { + return this.firstNode; + } + + /** + * returns the active seed + * + * @return the active seed + */ + public byte[] getSeedActive() + { + return this.seedActive; + } + + /** + * This method sets the first node stored in the treehash instance itself + * + * @param hash + */ + public void setFirstNode(byte[] hash) + { + if (!this.isInitialized) + { + this.initialize(); + } + this.firstNode = hash; + this.firstNodeHeight = this.maxHeight; + this.isFinished = true; + } + + /** + * updates the nextSeed of this treehash instance one step needed for the + * schedulng of the seeds + * + * @param gmssRandom the prng used for the seeds + */ + public void updateNextSeed(GMSSRandom gmssRandom) + { + gmssRandom.nextSeed(seedNext); + } + + /** + * Returns the tailstack + * + * @return the tailstack + */ + public Vector getTailStack() + { + return this.tailStack; + } + + /** + * Returns the status byte array used by the GMSSPrivateKeyASN.1 class + * + * @return The status bytes + */ + public byte[][] getStatByte() + { + + byte[][] statByte = new byte[3 + tailLength][this.messDigestTree + .getDigestSize()]; + statByte[0] = firstNode; + statByte[1] = seedActive; + statByte[2] = seedNext; + for (int i = 0; i < tailLength; i++) + { + statByte[3 + i] = (byte[])tailStack.elementAt(i); + } + return statByte; + } + + /** + * Returns the status int array used by the GMSSPrivateKeyASN.1 class + * + * @return The status ints + */ + public int[] getStatInt() + { + + int[] statInt = new int[6 + tailLength]; + statInt[0] = maxHeight; + statInt[1] = tailLength; + statInt[2] = firstNodeHeight; + if (this.isFinished) + { + statInt[3] = 1; + } + else + { + statInt[3] = 0; + } + if (this.isInitialized) + { + statInt[4] = 1; + } + else + { + statInt[4] = 0; + } + if (this.seedInitialized) + { + statInt[5] = 1; + } + else + { + statInt[5] = 0; + } + for (int i = 0; i < tailLength; i++) + { + statInt[6 + i] = ((Integer)heightOfNodes.elementAt(i)).intValue(); + } + return statInt; + } + + /** + * returns a String representation of the treehash instance + */ + public String toString() + { + String out = "Treehash : "; + for (int i = 0; i < 6 + tailLength; i++) + { + out = out + this.getStatInt()[i] + " "; + } + for (int i = 0; i < 3 + tailLength; i++) + { + if (this.getStatByte()[i] != null) + { + out = out + new String(Hex.encode((this.getStatByte()[i]))) + " "; + } + else + { + out = out + "null "; + } + } + out = out + " " + this.messDigestTree.getDigestSize(); + return out; + } + +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/GMSSRandom.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/GMSSRandom.java new file mode 100644 index 00000000..367aae0e --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/GMSSRandom.java @@ -0,0 +1,78 @@ +package org.spongycastle.pqc.crypto.gmss.util; + +import org.spongycastle.crypto.Digest; + +/** + * This class provides a PRNG for GMSS + */ +public class GMSSRandom +{ + /** + * Hash function for the construction of the authentication trees + */ + private Digest messDigestTree; + + /** + * Constructor + * + * @param messDigestTree2 + */ + public GMSSRandom(Digest messDigestTree2) + { + + this.messDigestTree = messDigestTree2; + } + + /** + * computes the next seed value, returns a random byte array and sets + * outseed to the next value + * + * @param outseed byte array in which ((1 + SEEDin +RAND) mod 2^n) will be + * stored + * @return byte array of H(SEEDin) + */ + public byte[] nextSeed(byte[] outseed) + { + // RAND <-- H(SEEDin) + byte[] rand = new byte[outseed.length]; + messDigestTree.update(outseed, 0, outseed.length); + rand = new byte[messDigestTree.getDigestSize()]; + messDigestTree.doFinal(rand, 0); + + // SEEDout <-- (1 + SEEDin +RAND) mod 2^n + addByteArrays(outseed, rand); + addOne(outseed); + + // System.arraycopy(outseed, 0, outseed, 0, outseed.length); + + return rand; + } + + private void addByteArrays(byte[] a, byte[] b) + { + + byte overflow = 0; + int temp; + + for (int i = 0; i < a.length; i++) + { + temp = (0xFF & a[i]) + (0xFF & b[i]) + overflow; + a[i] = (byte)temp; + overflow = (byte)(temp >> 8); + } + } + + private void addOne(byte[] a) + { + + byte overflow = 1; + int temp; + + for (int i = 0; i < a.length; i++) + { + temp = (0xFF & a[i]) + overflow; + a[i] = (byte)temp; + overflow = (byte)(temp >> 8); + } + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/GMSSUtil.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/GMSSUtil.java new file mode 100644 index 00000000..57678d85 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/GMSSUtil.java @@ -0,0 +1,151 @@ +package org.spongycastle.pqc.crypto.gmss.util; + +/** + * This class provides several methods that are required by the GMSS classes. + */ +public class GMSSUtil +{ + /** + * Converts a 32 bit integer into a byte array beginning at + * <code>offset</code> (little-endian representation) + * + * @param value the integer to convert + */ + public byte[] intToBytesLittleEndian(int value) + { + byte[] bytes = new byte[4]; + + bytes[0] = (byte)((value) & 0xff); + bytes[1] = (byte)((value >> 8) & 0xff); + bytes[2] = (byte)((value >> 16) & 0xff); + bytes[3] = (byte)((value >> 24) & 0xff); + return bytes; + } + + /** + * Converts a byte array beginning at <code>offset</code> into a 32 bit + * integer (little-endian representation) + * + * @param bytes the byte array + * @return The resulting integer + */ + public int bytesToIntLittleEndian(byte[] bytes) + { + + return ((bytes[0] & 0xff)) | ((bytes[1] & 0xff) << 8) + | ((bytes[2] & 0xff) << 16) | ((bytes[3] & 0xff)) << 24; + } + + /** + * Converts a byte array beginning at <code>offset</code> into a 32 bit + * integer (little-endian representation) + * + * @param bytes the byte array + * @param offset the integer offset into the byte array + * @return The resulting integer + */ + public int bytesToIntLittleEndian(byte[] bytes, int offset) + { + return ((bytes[offset++] & 0xff)) | ((bytes[offset++] & 0xff) << 8) + | ((bytes[offset++] & 0xff) << 16) + | ((bytes[offset] & 0xff)) << 24; + } + + /** + * This method concatenates a 2-dimensional byte array into a 1-dimensional + * byte array + * + * @param arraycp a 2-dimensional byte array. + * @return 1-dimensional byte array with concatenated input array + */ + public byte[] concatenateArray(byte[][] arraycp) + { + byte[] dest = new byte[arraycp.length * arraycp[0].length]; + int indx = 0; + for (int i = 0; i < arraycp.length; i++) + { + System.arraycopy(arraycp[i], 0, dest, indx, arraycp[i].length); + indx = indx + arraycp[i].length; + } + return dest; + } + + /** + * This method prints the values of a 2-dimensional byte array + * + * @param text a String + * @param array a 2-dimensional byte array + */ + public void printArray(String text, byte[][] array) + { + System.out.println(text); + int counter = 0; + for (int i = 0; i < array.length; i++) + { + for (int j = 0; j < array[0].length; j++) + { + System.out.println(counter + "; " + array[i][j]); + counter++; + } + } + } + + /** + * This method prints the values of a 1-dimensional byte array + * + * @param text a String + * @param array a 1-dimensional byte array. + */ + public void printArray(String text, byte[] array) + { + System.out.println(text); + int counter = 0; + for (int i = 0; i < array.length; i++) + { + System.out.println(counter + "; " + array[i]); + counter++; + } + } + + /** + * This method tests if an integer is a power of 2. + * + * @param testValue an integer + * @return <code>TRUE</code> if <code>testValue</code> is a power of 2, + * <code>FALSE</code> otherwise + */ + public boolean testPowerOfTwo(int testValue) + { + int a = 1; + while (a < testValue) + { + a <<= 1; + } + if (testValue == a) + { + return true; + } + + return false; + } + + /** + * This method returns the least integer that is greater or equal to the + * logarithm to the base 2 of an integer <code>intValue</code>. + * + * @param intValue an integer + * @return The least integer greater or equal to the logarithm to the base 2 + * of <code>intValue</code> + */ + public int getLog(int intValue) + { + int log = 1; + int i = 2; + while (i < intValue) + { + i <<= 1; + log++; + } + return log; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/WinternitzOTSVerify.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/WinternitzOTSVerify.java new file mode 100644 index 00000000..0a1e52eb --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/WinternitzOTSVerify.java @@ -0,0 +1,344 @@ +package org.spongycastle.pqc.crypto.gmss.util; + +import org.spongycastle.crypto.Digest; + +/** + * This class implements signature verification of the Winternitz one-time + * signature scheme (OTSS), described in C.Dods, N.P. Smart, and M. Stam, "Hash + * Based Digital Signature Schemes", LNCS 3796, pages 96–115, 2005. The + * class is used by the GMSS classes. + */ +public class WinternitzOTSVerify +{ + + private Digest messDigestOTS; + + /** + * The Winternitz parameter + */ + private int w; + + /** + * The constructor + * + * @param digest the name of the hash function used by the OTS and the provider + * name of the hash function + * @param w the Winternitz parameter + */ + public WinternitzOTSVerify(Digest digest, int w) + { + this.w = w; + + messDigestOTS = digest; + } + + /** + * @return The length of the one-time signature + */ + public int getSignatureLength() + { + int mdsize = messDigestOTS.getDigestSize(); + int size = ((mdsize << 3) + (w - 1)) / w; + int logs = getLog((size << w) + 1); + size += (logs + w - 1) / w; + + return mdsize * size; + } + + /** + * This method computes the public OTS key from the one-time signature of a + * message. This is *NOT* a complete OTS signature verification, but it + * suffices for usage with CMSS. + * + * @param message the message + * @param signature the one-time signature + * @return The public OTS key + */ + public byte[] Verify(byte[] message, byte[] signature) + { + + int mdsize = messDigestOTS.getDigestSize(); + byte[] hash = new byte[mdsize]; // hash of message m + + // create hash of message m + messDigestOTS.update(message, 0, message.length); + hash = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hash, 0); + + int size = ((mdsize << 3) + (w - 1)) / w; + int logs = getLog((size << w) + 1); + int keysize = size + (logs + w - 1) / w; + + int testKeySize = mdsize * keysize; + + if (testKeySize != signature.length) + { + return null; + } + + byte[] testKey = new byte[testKeySize]; + + int c = 0; + int counter = 0; + int test; + + if (8 % w == 0) + { + int d = 8 / w; + int k = (1 << w) - 1; + byte[] hlp = new byte[mdsize]; + + // verify signature + for (int i = 0; i < hash.length; i++) + { + for (int j = 0; j < d; j++) + { + test = hash[i] & k; + c += test; + + System.arraycopy(signature, counter * mdsize, hlp, 0, mdsize); + + while (test < k) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test++; + } + + System.arraycopy(hlp, 0, testKey, counter * mdsize, mdsize); + hash[i] = (byte)(hash[i] >>> w); + counter++; + } + } + + c = (size << w) - c; + for (int i = 0; i < logs; i += w) + { + test = c & k; + + System.arraycopy(signature, counter * mdsize, hlp, 0, mdsize); + + while (test < k) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test++; + } + System.arraycopy(hlp, 0, testKey, counter * mdsize, mdsize); + c >>>= w; + counter++; + } + } + else if (w < 8) + { + int d = mdsize / w; + int k = (1 << w) - 1; + byte[] hlp = new byte[mdsize]; + long big8; + int ii = 0; + // create signature + // first d*w bytes of hash + for (int i = 0; i < d; i++) + { + big8 = 0; + for (int j = 0; j < w; j++) + { + big8 ^= (hash[ii] & 0xff) << (j << 3); + ii++; + } + for (int j = 0; j < 8; j++) + { + test = (int)(big8 & k); + c += test; + + System.arraycopy(signature, counter * mdsize, hlp, 0, mdsize); + + while (test < k) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test++; + } + + System.arraycopy(hlp, 0, testKey, counter * mdsize, mdsize); + big8 >>>= w; + counter++; + } + } + // rest of hash + d = mdsize % w; + big8 = 0; + for (int j = 0; j < d; j++) + { + big8 ^= (hash[ii] & 0xff) << (j << 3); + ii++; + } + d <<= 3; + for (int j = 0; j < d; j += w) + { + test = (int)(big8 & k); + c += test; + + System.arraycopy(signature, counter * mdsize, hlp, 0, mdsize); + + while (test < k) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test++; + } + + System.arraycopy(hlp, 0, testKey, counter * mdsize, mdsize); + big8 >>>= w; + counter++; + } + + // check bytes + c = (size << w) - c; + for (int i = 0; i < logs; i += w) + { + test = c & k; + + System.arraycopy(signature, counter * mdsize, hlp, 0, mdsize); + + while (test < k) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test++; + } + + System.arraycopy(hlp, 0, testKey, counter * mdsize, mdsize); + c >>>= w; + counter++; + } + }// end if(w<8) + else if (w < 57) + { + int d = (mdsize << 3) - w; + int k = (1 << w) - 1; + byte[] hlp = new byte[mdsize]; + long big8, test8; + int r = 0; + int s, f, rest, ii; + // create signature + // first a*w bits of hash where a*w <= 8*mdsize < (a+1)*w + while (r <= d) + { + s = r >>> 3; + rest = r % 8; + r += w; + f = (r + 7) >>> 3; + big8 = 0; + ii = 0; + for (int j = s; j < f; j++) + { + big8 ^= (hash[j] & 0xff) << (ii << 3); + ii++; + } + + big8 >>>= rest; + test8 = (big8 & k); + c += test8; + + System.arraycopy(signature, counter * mdsize, hlp, 0, mdsize); + + while (test8 < k) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test8++; + } + + System.arraycopy(hlp, 0, testKey, counter * mdsize, mdsize); + counter++; + + } + // rest of hash + s = r >>> 3; + if (s < mdsize) + { + rest = r % 8; + big8 = 0; + ii = 0; + for (int j = s; j < mdsize; j++) + { + big8 ^= (hash[j] & 0xff) << (ii << 3); + ii++; + } + + big8 >>>= rest; + test8 = (big8 & k); + c += test8; + + System.arraycopy(signature, counter * mdsize, hlp, 0, mdsize); + + while (test8 < k) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test8++; + } + + System.arraycopy(hlp, 0, testKey, counter * mdsize, mdsize); + counter++; + } + // check bytes + c = (size << w) - c; + for (int i = 0; i < logs; i += w) + { + test8 = (c & k); + + System.arraycopy(signature, counter * mdsize, hlp, 0, mdsize); + + while (test8 < k) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test8++; + } + + System.arraycopy(hlp, 0, testKey, counter * mdsize, mdsize); + c >>>= w; + counter++; + } + }// end if(w<57) + + byte[] TKey = new byte[mdsize]; + messDigestOTS.update(testKey, 0, testKey.length); + TKey = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(TKey, 0); + + return TKey; + + } + + /** + * This method returns the least integer that is greater or equal to the + * logarithm to the base 2 of an integer <code>intValue</code>. + * + * @param intValue an integer + * @return The least integer greater or equal to the logarithm to the base + * 256 of <code>intValue</code> + */ + public int getLog(int intValue) + { + int log = 1; + int i = 2; + while (i < intValue) + { + i <<= 1; + log++; + } + return log; + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/WinternitzOTSignature.java b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/WinternitzOTSignature.java new file mode 100644 index 00000000..2ec2c1ad --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/gmss/util/WinternitzOTSignature.java @@ -0,0 +1,404 @@ +package org.spongycastle.pqc.crypto.gmss.util; + +import org.spongycastle.crypto.Digest; + +/** + * This class implements key pair generation and signature generation of the + * Winternitz one-time signature scheme (OTSS), described in C.Dods, N.P. Smart, + * and M. Stam, "Hash Based Digital Signature Schemes", LNCS 3796, pages + * 96–115, 2005. The class is used by the GMSS classes. + */ + +public class WinternitzOTSignature +{ + + /** + * The hash function used by the OTS + */ + private Digest messDigestOTS; + + /** + * The length of the message digest and private key + */ + private int mdsize, keysize; + + /** + * An array of strings, containing the name of the used hash function, the + * name of the PRGN and the names of the corresponding providers + */ + // private String[] name = new String[2]; + /** + * The private key + */ + private byte[][] privateKeyOTS; + + /** + * The Winternitz parameter + */ + private int w; + + /** + * The source of randomness for OTS private key generation + */ + private GMSSRandom gmssRandom; + + /** + * Sizes of the message and the checksum, both + */ + private int messagesize, checksumsize; + + /** + * The constructor generates an OTS key pair, using <code>seed0</code> and + * the PRNG + * + * @param seed0 the seed for the PRGN + * @param digest an array of strings, containing the name of the used hash + * function, the name of the PRGN and the names of the + * corresponding providers + * @param w the Winternitz parameter + */ + public WinternitzOTSignature(byte[] seed0, Digest digest, int w) + { + // this.name = name; + this.w = w; + + messDigestOTS = digest; + + gmssRandom = new GMSSRandom(messDigestOTS); + + // calulate keysize for private and public key and also the help + // array + + mdsize = messDigestOTS.getDigestSize(); + int mdsizeBit = mdsize << 3; + messagesize = (int)Math.ceil((double)(mdsizeBit) / (double)w); + + checksumsize = getLog((messagesize << w) + 1); + + keysize = messagesize + + (int)Math.ceil((double)checksumsize / (double)w); + + /* + * mdsize = messDigestOTS.getDigestLength(); messagesize = + * ((mdsize<<3)+(w-1))/w; + * + * checksumsize = getlog((messagesize<<w)+1); + * + * keysize = messagesize + (checksumsize+w-1)/w; + */ + // define the private key messagesize + privateKeyOTS = new byte[keysize][mdsize]; + + // gmssRandom.setSeed(seed0); + byte[] dummy = new byte[mdsize]; + System.arraycopy(seed0, 0, dummy, 0, dummy.length); + + // generate random bytes and + // assign them to the private key + for (int i = 0; i < keysize; i++) + { + privateKeyOTS[i] = gmssRandom.nextSeed(dummy); + } + } + + /** + * @return The private OTS key + */ + public byte[][] getPrivateKey() + { + return privateKeyOTS; + } + + /** + * @return The public OTS key + */ + public byte[] getPublicKey() + { + byte[] helppubKey = new byte[keysize * mdsize]; + + byte[] help = new byte[mdsize]; + int two_power_t = 1 << w; + + for (int i = 0; i < keysize; i++) + { + // hash w-1 time the private key and assign it to the public key + messDigestOTS.update(privateKeyOTS[i], 0, privateKeyOTS[i].length); + help = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(help, 0); + for (int j = 2; j < two_power_t; j++) + { + messDigestOTS.update(help, 0, help.length); + help = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(help, 0); + } + System.arraycopy(help, 0, helppubKey, mdsize * i, mdsize); + } + + messDigestOTS.update(helppubKey, 0, helppubKey.length); + byte[] tmp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(tmp, 0); + return tmp; + } + + /** + * @return The one-time signature of the message, generated with the private + * key + */ + public byte[] getSignature(byte[] message) + { + byte[] sign = new byte[keysize * mdsize]; + // byte [] message; // message m as input + byte[] hash = new byte[mdsize]; // hash of message m + int counter = 0; + int c = 0; + int test = 0; + // create hash of message m + messDigestOTS.update(message, 0, message.length); + hash = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hash, 0); + + if (8 % w == 0) + { + int d = 8 / w; + int k = (1 << w) - 1; + byte[] hlp = new byte[mdsize]; + + // create signature + for (int i = 0; i < hash.length; i++) + { + for (int j = 0; j < d; j++) + { + test = hash[i] & k; + c += test; + + System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize); + + while (test > 0) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test--; + } + System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize); + hash[i] = (byte)(hash[i] >>> w); + counter++; + } + } + + c = (messagesize << w) - c; + for (int i = 0; i < checksumsize; i += w) + { + test = c & k; + + System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize); + + while (test > 0) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test--; + } + System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize); + c >>>= w; + counter++; + } + } + else if (w < 8) + { + int d = mdsize / w; + int k = (1 << w) - 1; + byte[] hlp = new byte[mdsize]; + long big8; + int ii = 0; + // create signature + // first d*w bytes of hash + for (int i = 0; i < d; i++) + { + big8 = 0; + for (int j = 0; j < w; j++) + { + big8 ^= (hash[ii] & 0xff) << (j << 3); + ii++; + } + for (int j = 0; j < 8; j++) + { + test = (int)(big8 & k); + c += test; + + System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize); + + while (test > 0) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test--; + } + System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize); + big8 >>>= w; + counter++; + } + } + // rest of hash + d = mdsize % w; + big8 = 0; + for (int j = 0; j < d; j++) + { + big8 ^= (hash[ii] & 0xff) << (j << 3); + ii++; + } + d <<= 3; + for (int j = 0; j < d; j += w) + { + test = (int)(big8 & k); + c += test; + + System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize); + + while (test > 0) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test--; + } + System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize); + big8 >>>= w; + counter++; + } + + // check bytes + c = (messagesize << w) - c; + for (int i = 0; i < checksumsize; i += w) + { + test = c & k; + + System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize); + + while (test > 0) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test--; + } + System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize); + c >>>= w; + counter++; + } + }// end if(w<8) + else if (w < 57) + { + int d = (mdsize << 3) - w; + int k = (1 << w) - 1; + byte[] hlp = new byte[mdsize]; + long big8, test8; + int r = 0; + int s, f, rest, ii; + // create signature + // first a*w bits of hash where a*w <= 8*mdsize < (a+1)*w + while (r <= d) + { + s = r >>> 3; + rest = r % 8; + r += w; + f = (r + 7) >>> 3; + big8 = 0; + ii = 0; + for (int j = s; j < f; j++) + { + big8 ^= (hash[j] & 0xff) << (ii << 3); + ii++; + } + + big8 >>>= rest; + test8 = (big8 & k); + c += test8; + + System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize); + while (test8 > 0) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test8--; + } + System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize); + counter++; + + } + // rest of hash + s = r >>> 3; + if (s < mdsize) + { + rest = r % 8; + big8 = 0; + ii = 0; + for (int j = s; j < mdsize; j++) + { + big8 ^= (hash[j] & 0xff) << (ii << 3); + ii++; + } + + big8 >>>= rest; + test8 = (big8 & k); + c += test8; + + System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize); + while (test8 > 0) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test8--; + } + System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize); + counter++; + } + // check bytes + c = (messagesize << w) - c; + for (int i = 0; i < checksumsize; i += w) + { + test8 = (c & k); + + System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize); + + while (test8 > 0) + { + messDigestOTS.update(hlp, 0, hlp.length); + hlp = new byte[messDigestOTS.getDigestSize()]; + messDigestOTS.doFinal(hlp, 0); + test8--; + } + System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize); + c >>>= w; + counter++; + } + }// end if(w<57) + + return sign; + } + + /** + * This method returns the least integer that is greater or equal to the + * logarithm to the base 2 of an integer <code>intValue</code>. + * + * @param intValue an integer + * @return The least integer greater or equal to the logarithm to the base 2 + * of <code>intValue</code> + */ + public int getLog(int intValue) + { + int log = 1; + int i = 2; + while (i < intValue) + { + i <<= 1; + log++; + } + return log; + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/Conversions.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/Conversions.java new file mode 100644 index 00000000..9772d018 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/Conversions.java @@ -0,0 +1,236 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import java.math.BigInteger; + +import org.spongycastle.pqc.math.linearalgebra.BigIntUtils; +import org.spongycastle.pqc.math.linearalgebra.GF2Vector; +import org.spongycastle.pqc.math.linearalgebra.IntegerFunctions; + + +/** + * Provides methods for CCA2-Secure Conversions of McEliece PKCS + */ +final class Conversions +{ + private static final BigInteger ZERO = BigInteger.valueOf(0); + private static final BigInteger ONE = BigInteger.valueOf(1); + + /** + * Default constructor (private). + */ + private Conversions() + { + } + + /** + * Encode a number between 0 and (n|t) (binomial coefficient) into a binary + * vector of length n with weight t. The number is given as a byte array. + * Only the first s bits are used, where s = floor[log(n|t)]. + * + * @param n integer + * @param t integer + * @param m the message as a byte array + * @return the encoded message as {@link GF2Vector} + */ + public static GF2Vector encode(final int n, final int t, final byte[] m) + { + if (n < t) + { + throw new IllegalArgumentException("n < t"); + } + + // compute the binomial c = (n|t) + BigInteger c = IntegerFunctions.binomial(n, t); + // get the number encoded in m + BigInteger i = new BigInteger(1, m); + // compare + if (i.compareTo(c) >= 0) + { + throw new IllegalArgumentException("Encoded number too large."); + } + + GF2Vector result = new GF2Vector(n); + + int nn = n; + int tt = t; + for (int j = 0; j < n; j++) + { + c = c.multiply(BigInteger.valueOf(nn - tt)).divide( + BigInteger.valueOf(nn)); + nn--; + if (c.compareTo(i) <= 0) + { + result.setBit(j); + i = i.subtract(c); + tt--; + if (nn == tt) + { + c = ONE; + } + else + { + c = (c.multiply(BigInteger.valueOf(tt + 1))) + .divide(BigInteger.valueOf(nn - tt)); + } + } + } + + return result; + } + + /** + * Decode a binary vector of length n and weight t into a number between 0 + * and (n|t) (binomial coefficient). The result is given as a byte array of + * length floor[(s+7)/8], where s = floor[log(n|t)]. + * + * @param n integer + * @param t integer + * @param vec the binary vector + * @return the decoded vector as a byte array + */ + public static byte[] decode(int n, int t, GF2Vector vec) + { + if ((vec.getLength() != n) || (vec.getHammingWeight() != t)) + { + throw new IllegalArgumentException( + "vector has wrong length or hamming weight"); + } + int[] vecArray = vec.getVecArray(); + + BigInteger bc = IntegerFunctions.binomial(n, t); + BigInteger d = ZERO; + int nn = n; + int tt = t; + for (int i = 0; i < n; i++) + { + bc = bc.multiply(BigInteger.valueOf(nn - tt)).divide( + BigInteger.valueOf(nn)); + nn--; + + int q = i >> 5; + int e = vecArray[q] & (1 << (i & 0x1f)); + if (e != 0) + { + d = d.add(bc); + tt--; + if (nn == tt) + { + bc = ONE; + } + else + { + bc = bc.multiply(BigInteger.valueOf(tt + 1)).divide( + BigInteger.valueOf(nn - tt)); + } + + } + } + + return BigIntUtils.toMinimalByteArray(d); + } + + /** + * Compute a message representative of a message given as a vector of length + * <tt>n</tt> bit and of hamming weight <tt>t</tt>. The result is a + * byte array of length <tt>(s+7)/8</tt>, where + * <tt>s = floor[log(n|t)]</tt>. + * + * @param n integer + * @param t integer + * @param m the message vector as a byte array + * @return a message representative for <tt>m</tt> + */ + public static byte[] signConversion(int n, int t, byte[] m) + { + if (n < t) + { + throw new IllegalArgumentException("n < t"); + } + + BigInteger bc = IntegerFunctions.binomial(n, t); + // finds s = floor[log(binomial(n,t))] + int s = bc.bitLength() - 1; + // s = sq*8 + sr; + int sq = s >> 3; + int sr = s & 7; + if (sr == 0) + { + sq--; + sr = 8; + } + + // n = nq*8+nr; + int nq = n >> 3; + int nr = n & 7; + if (nr == 0) + { + nq--; + nr = 8; + } + // take s bit from m + byte[] data = new byte[nq + 1]; + if (m.length < data.length) + { + System.arraycopy(m, 0, data, 0, m.length); + for (int i = m.length; i < data.length; i++) + { + data[i] = 0; + } + } + else + { + System.arraycopy(m, 0, data, 0, nq); + int h = (1 << nr) - 1; + data[nq] = (byte)(h & m[nq]); + } + + BigInteger d = ZERO; + int nn = n; + int tt = t; + for (int i = 0; i < n; i++) + { + bc = (bc.multiply(new BigInteger(Integer.toString(nn - tt)))) + .divide(new BigInteger(Integer.toString(nn))); + nn--; + + int q = i >>> 3; + int r = i & 7; + r = 1 << r; + byte e = (byte)(r & data[q]); + if (e != 0) + { + d = d.add(bc); + tt--; + if (nn == tt) + { + bc = ONE; + } + else + { + bc = (bc + .multiply(new BigInteger(Integer.toString(tt + 1)))) + .divide(new BigInteger(Integer.toString(nn - tt))); + } + } + } + + byte[] result = new byte[sq + 1]; + byte[] help = d.toByteArray(); + if (help.length < result.length) + { + System.arraycopy(help, 0, result, 0, help.length); + for (int i = help.length; i < result.length; i++) + { + result[i] = 0; + } + } + else + { + System.arraycopy(help, 0, result, 0, sq); + result[sq] = (byte)(((1 << sr) - 1) & help[sq]); + } + + return result; + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2KeyGenerationParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2KeyGenerationParameters.java new file mode 100644 index 00000000..8095d291 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2KeyGenerationParameters.java @@ -0,0 +1,25 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.KeyGenerationParameters; + +public class McElieceCCA2KeyGenerationParameters + extends KeyGenerationParameters +{ + private McElieceCCA2Parameters params; + + public McElieceCCA2KeyGenerationParameters( + SecureRandom random, + McElieceCCA2Parameters params) + { + // XXX key size? + super(random, 128); + this.params = params; + } + + public McElieceCCA2Parameters getParameters() + { + return params; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2KeyPairGenerator.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2KeyPairGenerator.java new file mode 100644 index 00000000..c950bda7 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2KeyPairGenerator.java @@ -0,0 +1,119 @@ +package org.spongycastle.pqc.crypto.mceliece; + + +import java.security.SecureRandom; + +import org.spongycastle.crypto.AsymmetricCipherKeyPair; +import org.spongycastle.crypto.AsymmetricCipherKeyPairGenerator; +import org.spongycastle.crypto.KeyGenerationParameters; +import org.spongycastle.pqc.math.linearalgebra.GF2Matrix; +import org.spongycastle.pqc.math.linearalgebra.GF2mField; +import org.spongycastle.pqc.math.linearalgebra.GoppaCode; +import org.spongycastle.pqc.math.linearalgebra.GoppaCode.MaMaPe; +import org.spongycastle.pqc.math.linearalgebra.Permutation; +import org.spongycastle.pqc.math.linearalgebra.PolynomialGF2mSmallM; +import org.spongycastle.pqc.math.linearalgebra.PolynomialRingGF2m; + + +/** + * This class implements key pair generation of the McEliece Public Key + * Cryptosystem (McEliecePKC). + */ +public class McElieceCCA2KeyPairGenerator + implements AsymmetricCipherKeyPairGenerator +{ + + + /** + * The OID of the algorithm. + */ + public static final String OID = "1.3.6.1.4.1.8301.3.1.3.4.2"; + + private McElieceCCA2KeyGenerationParameters mcElieceCCA2Params; + + // the extension degree of the finite field GF(2^m) + private int m; + + // the length of the code + private int n; + + // the error correction capability + private int t; + + // the field polynomial + private int fieldPoly; + + // the source of randomness + private SecureRandom random; + + // flag indicating whether the key pair generator has been initialized + private boolean initialized = false; + + /** + * Default initialization of the key pair generator. + */ + private void initializeDefault() + { + McElieceCCA2KeyGenerationParameters mcCCA2Params = new McElieceCCA2KeyGenerationParameters(new SecureRandom(), new McElieceCCA2Parameters()); + init(mcCCA2Params); + } + + // TODO + public void init( + KeyGenerationParameters param) + { + this.mcElieceCCA2Params = (McElieceCCA2KeyGenerationParameters)param; + + // set source of randomness + this.random = new SecureRandom(); + + this.m = this.mcElieceCCA2Params.getParameters().getM(); + this.n = this.mcElieceCCA2Params.getParameters().getN(); + this.t = this.mcElieceCCA2Params.getParameters().getT(); + this.fieldPoly = this.mcElieceCCA2Params.getParameters().getFieldPoly(); + this.initialized = true; + } + + + public AsymmetricCipherKeyPair generateKeyPair() + { + + if (!initialized) + { + initializeDefault(); + } + + // finite field GF(2^m) + GF2mField field = new GF2mField(m, fieldPoly); + + // irreducible Goppa polynomial + PolynomialGF2mSmallM gp = new PolynomialGF2mSmallM(field, t, + PolynomialGF2mSmallM.RANDOM_IRREDUCIBLE_POLYNOMIAL, random); + PolynomialRingGF2m ring = new PolynomialRingGF2m(field, gp); + + // matrix for computing square roots in (GF(2^m))^t + PolynomialGF2mSmallM[] qInv = ring.getSquareRootMatrix(); + + // generate canonical check matrix + GF2Matrix h = GoppaCode.createCanonicalCheckMatrix(field, gp); + + // compute short systematic form of check matrix + MaMaPe mmp = GoppaCode.computeSystematicForm(h, random); + GF2Matrix shortH = mmp.getSecondMatrix(); + Permutation p = mmp.getPermutation(); + + // compute short systematic form of generator matrix + GF2Matrix shortG = (GF2Matrix)shortH.computeTranspose(); + + // obtain number of rows of G (= dimension of the code) + int k = shortG.getNumRows(); + + // generate keys + McElieceCCA2PublicKeyParameters pubKey = new McElieceCCA2PublicKeyParameters(OID, n, t, shortG, mcElieceCCA2Params.getParameters()); + McElieceCCA2PrivateKeyParameters privKey = new McElieceCCA2PrivateKeyParameters(OID, n, k, + field, gp, p, h, qInv, mcElieceCCA2Params.getParameters()); + + // return key pair + return new AsymmetricCipherKeyPair(pubKey, privKey); + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2KeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2KeyParameters.java new file mode 100644 index 00000000..4dc3b8d2 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2KeyParameters.java @@ -0,0 +1,25 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import org.spongycastle.crypto.params.AsymmetricKeyParameter; + + +public class McElieceCCA2KeyParameters + extends AsymmetricKeyParameter +{ + private McElieceCCA2Parameters params; + + public McElieceCCA2KeyParameters( + boolean isPrivate, + McElieceCCA2Parameters params) + { + super(isPrivate); + this.params = params; + } + + + public McElieceCCA2Parameters getParameters() + { + return params; + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2Parameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2Parameters.java new file mode 100644 index 00000000..11eae2e0 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2Parameters.java @@ -0,0 +1,51 @@ +package org.spongycastle.pqc.crypto.mceliece; + + +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.digests.SHA256Digest; + +/** + * This class provides a specification for the parameters of the CCA2-secure + * variants of the McEliece PKCS that are used with + * {@link McElieceFujisakiCipher}, {@link McElieceKobaraImaiCipher}, and + * {@link McEliecePointchevalCipher}. + * + * @see McElieceFujisakiCipher + * @see McElieceKobaraImaiCipher + * @see McEliecePointchevalCipher + */ +public class McElieceCCA2Parameters + extends McElieceParameters +{ + + + public Digest digest; + + + /** + * Construct the default parameters. + * The default message digest is SHA256. + */ + public McElieceCCA2Parameters() + { + this.digest = new SHA256Digest(); + } + + public McElieceCCA2Parameters(int m, int t) + { + super(m, t); + this.digest = new SHA256Digest(); + } + + public McElieceCCA2Parameters(Digest digest) + { + this.digest = digest; + } + + public Digest getDigest() + { + return this.digest; + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2Primitives.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2Primitives.java new file mode 100644 index 00000000..66c163a2 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2Primitives.java @@ -0,0 +1,86 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import org.spongycastle.pqc.math.linearalgebra.GF2Matrix; +import org.spongycastle.pqc.math.linearalgebra.GF2Vector; +import org.spongycastle.pqc.math.linearalgebra.GF2mField; +import org.spongycastle.pqc.math.linearalgebra.GoppaCode; +import org.spongycastle.pqc.math.linearalgebra.Permutation; +import org.spongycastle.pqc.math.linearalgebra.PolynomialGF2mSmallM; +import org.spongycastle.pqc.math.linearalgebra.Vector; + +/** + * Core operations for the CCA-secure variants of McEliece. + */ +public final class McElieceCCA2Primitives +{ + + /** + * Default constructor (private). + */ + private McElieceCCA2Primitives() + { + } + + /** + * The McEliece encryption primitive. + * + * @param pubKey the public key + * @param m the message vector + * @param z the error vector + * @return <tt>m*G + z</tt> + */ + + + public static GF2Vector encryptionPrimitive(McElieceCCA2PublicKeyParameters pubKey, + GF2Vector m, GF2Vector z) + { + + GF2Matrix matrixG = pubKey.getMatrixG(); + Vector mG = matrixG.leftMultiplyLeftCompactForm(m); + return (GF2Vector)mG.add(z); + } + + /** + * The McEliece decryption primitive. + * + * @param privKey the private key + * @param c the ciphertext vector <tt>c = m*G + z</tt> + * @return the message vector <tt>m</tt> and the error vector <tt>z</tt> + */ + public static GF2Vector[] decryptionPrimitive( + McElieceCCA2PrivateKeyParameters privKey, GF2Vector c) + { + + // obtain values from private key + int k = privKey.getK(); + Permutation p = privKey.getP(); + GF2mField field = privKey.getField(); + PolynomialGF2mSmallM gp = privKey.getGoppaPoly(); + GF2Matrix h = privKey.getH(); + PolynomialGF2mSmallM[] q = privKey.getQInv(); + + // compute inverse permutation P^-1 + Permutation pInv = p.computeInverse(); + + // multiply c with permutation P^-1 + GF2Vector cPInv = (GF2Vector)c.multiply(pInv); + + // compute syndrome of cP^-1 + GF2Vector syndVec = (GF2Vector)h.rightMultiply(cPInv); + + // decode syndrome + GF2Vector errors = GoppaCode.syndromeDecode(syndVec, field, gp, q); + GF2Vector mG = (GF2Vector)cPInv.add(errors); + + // multiply codeword and error vector with P + mG = (GF2Vector)mG.multiply(p); + errors = (GF2Vector)errors.multiply(p); + + // extract plaintext vector (last k columns of mG) + GF2Vector m = mG.extractRightVector(k); + + // return vectors + return new GF2Vector[]{m, errors}; + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2PrivateKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2PrivateKeyParameters.java new file mode 100644 index 00000000..a19a267b --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2PrivateKeyParameters.java @@ -0,0 +1,172 @@ +package org.spongycastle.pqc.crypto.mceliece; + + +import org.spongycastle.pqc.math.linearalgebra.GF2Matrix; +import org.spongycastle.pqc.math.linearalgebra.GF2mField; +import org.spongycastle.pqc.math.linearalgebra.Permutation; +import org.spongycastle.pqc.math.linearalgebra.PolynomialGF2mSmallM; + +/** + * + * + * + */ +public class McElieceCCA2PrivateKeyParameters + extends McElieceCCA2KeyParameters +{ + + // the OID of the algorithm + private String oid; + + // the length of the code + private int n; + + // the dimension of the code + private int k; + + // the finte field GF(2^m) + private GF2mField field; + + // the irreducible Goppa polynomial + private PolynomialGF2mSmallM goppaPoly; + + // the permutation + private Permutation p; + + // the canonical check matrix + private GF2Matrix h; + + // the matrix used to compute square roots in (GF(2^m))^t + private PolynomialGF2mSmallM[] qInv; + + /** + * Constructor. + * + * @param n the length of the code + * @param k the dimension of the code + * @param field the finite field <tt>GF(2<sup>m</sup>)</tt> + * @param gp the irreducible Goppa polynomial + * @param p the permutation + * @param h the canonical check matrix + * @param qInv the matrix used to compute square roots in + * <tt>(GF(2^m))^t</tt> + * @param params McElieceCCA2Parameters + */ + public McElieceCCA2PrivateKeyParameters(String oid, int n, int k, GF2mField field, + PolynomialGF2mSmallM gp, Permutation p, GF2Matrix h, + PolynomialGF2mSmallM[] qInv, McElieceCCA2Parameters params) + { + super(true, params); + this.oid = oid; + this.n = n; + this.k = k; + this.field = field; + this.goppaPoly = gp; + this.p = p; + this.h = h; + this.qInv = qInv; + } + + /** + * Constructor used by the {@link McElieceKeyFactory}. + * + * @param n the length of the code + * @param k the dimension of the code + * @param encFieldPoly the encoded field polynomial defining the finite field + * <tt>GF(2<sup>m</sup>)</tt> + * @param encGoppaPoly the encoded irreducible Goppa polynomial + * @param encP the encoded permutation + * @param encH the encoded canonical check matrix + * @param encQInv the encoded matrix used to compute square roots in + * <tt>(GF(2^m))^t</tt> + * @param params McElieceCCA2Parameters + */ + public McElieceCCA2PrivateKeyParameters(String oid, int n, int k, byte[] encFieldPoly, + byte[] encGoppaPoly, byte[] encP, byte[] encH, byte[][] encQInv, McElieceCCA2Parameters params) + { + super(true, params); + this.oid = oid; + this.n = n; + this.k = k; + field = new GF2mField(encFieldPoly); + goppaPoly = new PolynomialGF2mSmallM(field, encGoppaPoly); + p = new Permutation(encP); + h = new GF2Matrix(encH); + qInv = new PolynomialGF2mSmallM[encQInv.length]; + for (int i = 0; i < encQInv.length; i++) + { + qInv[i] = new PolynomialGF2mSmallM(field, encQInv[i]); + } + } + + /** + * @return the length of the code + */ + public int getN() + { + return n; + } + + /** + * @return the dimension of the code + */ + public int getK() + { + return k; + } + + /** + * @return the degree of the Goppa polynomial (error correcting capability) + */ + public int getT() + { + return goppaPoly.getDegree(); + } + + /** + * @return the finite field + */ + public GF2mField getField() + { + return field; + } + + /** + * @return the irreducible Goppa polynomial + */ + public PolynomialGF2mSmallM getGoppaPoly() + { + return goppaPoly; + } + + /** + * @return the permutation P + */ + public Permutation getP() + { + return p; + } + + /** + * @return the canonical check matrix H + */ + public GF2Matrix getH() + { + return h; + } + + /** + * @return the matrix used to compute square roots in <tt>(GF(2^m))^t</tt> + */ + public PolynomialGF2mSmallM[] getQInv() + { + return qInv; + } + + public String getOIDString() + { + return oid; + + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2PublicKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2PublicKeyParameters.java new file mode 100644 index 00000000..9b5ba0a6 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceCCA2PublicKeyParameters.java @@ -0,0 +1,97 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import org.spongycastle.pqc.math.linearalgebra.GF2Matrix; + +/** + * + * + * + */ +public class McElieceCCA2PublicKeyParameters + extends McElieceCCA2KeyParameters +{ + + // the OID of the algorithm + private String oid; + + // the length of the code + private int n; + + // the error correction capability of the code + private int t; + + // the generator matrix + private GF2Matrix matrixG; + + /** + * Constructor. + * + * @param n length of the code + * @param t error correction capability + * @param matrix generator matrix + * @param params McElieceCCA2Parameters + */ + public McElieceCCA2PublicKeyParameters(String oid, int n, int t, GF2Matrix matrix, McElieceCCA2Parameters params) + { + super(false, params); + this.oid = oid; + this.n = n; + this.t = t; + this.matrixG = new GF2Matrix(matrix); + } + + /** + * Constructor (used by {@link McElieceKeyFactory}). + * + * @param n length of the code + * @param t error correction capability of the code + * @param encMatrix encoded generator matrix + * @param params McElieceCCA2Parameters + */ + public McElieceCCA2PublicKeyParameters(String oid, int n, int t, byte[] encMatrix, McElieceCCA2Parameters params) + { + super(false, params); + this.oid = oid; + this.n = n; + this.t = t; + this.matrixG = new GF2Matrix(encMatrix); + } + + /** + * @return the length of the code + */ + public int getN() + { + return n; + } + + /** + * @return the error correction capability of the code + */ + public int getT() + { + return t; + } + + /** + * @return the generator matrix + */ + public GF2Matrix getMatrixG() + { + return matrixG; + } + + /** + * @return the dimension of the code + */ + public int getK() + { + return matrixG.getNumRows(); + } + + public String getOIDString() + { + return oid; + + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceFujisakiCipher.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceFujisakiCipher.java new file mode 100644 index 00000000..810a69c8 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceFujisakiCipher.java @@ -0,0 +1,218 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.digests.SHA1Digest; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.crypto.prng.DigestRandomGenerator; +import org.spongycastle.pqc.crypto.MessageEncryptor; +import org.spongycastle.pqc.math.linearalgebra.ByteUtils; +import org.spongycastle.pqc.math.linearalgebra.GF2Vector; + +/** + * This class implements the Fujisaki/Okamoto conversion of the McEliecePKCS. + * Fujisaki and Okamoto propose hybrid encryption that merges a symmetric + * encryption scheme which is secure in the find-guess model with an asymmetric + * one-way encryption scheme which is sufficiently probabilistic to obtain a + * public key cryptosystem which is CCA2-secure. For details, see D. Engelbert, + * R. Overbeck, A. Schmidt, "A summary of the development of the McEliece + * Cryptosystem", technical report. + */ +public class McElieceFujisakiCipher + implements MessageEncryptor +{ + + + /** + * The OID of the algorithm. + */ + public static final String OID = "1.3.6.1.4.1.8301.3.1.3.4.2.1"; + + private static final String DEFAULT_PRNG_NAME = "SHA1PRNG"; + + private Digest messDigest; + + private SecureRandom sr; + + /** + * The McEliece main parameters + */ + private int n, k, t; + + McElieceCCA2KeyParameters key; + + + public void init(boolean forSigning, + CipherParameters param) + { + + if (forSigning) + { + if (param instanceof ParametersWithRandom) + { + ParametersWithRandom rParam = (ParametersWithRandom)param; + + this.sr = rParam.getRandom(); + this.key = (McElieceCCA2PublicKeyParameters)rParam.getParameters(); + this.initCipherEncrypt((McElieceCCA2PublicKeyParameters)key); + + } + else + { + this.sr = new SecureRandom(); + this.key = (McElieceCCA2PublicKeyParameters)param; + this.initCipherEncrypt((McElieceCCA2PublicKeyParameters)key); + } + } + else + { + this.key = (McElieceCCA2PrivateKeyParameters)param; + this.initCipherDecrypt((McElieceCCA2PrivateKeyParameters)key); + } + + } + + + public int getKeySize(McElieceCCA2KeyParameters key) + throws IllegalArgumentException + { + + if (key instanceof McElieceCCA2PublicKeyParameters) + { + return ((McElieceCCA2PublicKeyParameters)key).getN(); + + } + if (key instanceof McElieceCCA2PrivateKeyParameters) + { + return ((McElieceCCA2PrivateKeyParameters)key).getN(); + } + throw new IllegalArgumentException("unsupported type"); + + } + + + private void initCipherEncrypt(McElieceCCA2PublicKeyParameters pubKey) + { + this.sr = sr != null ? sr : new SecureRandom(); + this.messDigest = pubKey.getParameters().getDigest(); + n = pubKey.getN(); + k = pubKey.getK(); + t = pubKey.getT(); + } + + + public void initCipherDecrypt(McElieceCCA2PrivateKeyParameters privKey) + { + this.messDigest = privKey.getParameters().getDigest(); + n = privKey.getN(); + t = privKey.getT(); + } + + + public byte[] messageEncrypt(byte[] input) + throws Exception + { + + // generate random vector r of length k bits + GF2Vector r = new GF2Vector(k, sr); + + // convert r to byte array + byte[] rBytes = r.getEncoded(); + + // compute (r||input) + byte[] rm = ByteUtils.concatenate(rBytes, input); + + // compute H(r||input) + messDigest.update(rm, 0, rm.length); + byte[] hrm = new byte[messDigest.getDigestSize()]; + messDigest.doFinal(hrm, 0); + + // convert H(r||input) to error vector z + GF2Vector z = Conversions.encode(n, t, hrm); + + // compute c1 = E(r, z) + byte[] c1 = McElieceCCA2Primitives.encryptionPrimitive((McElieceCCA2PublicKeyParameters)key, r, z) + .getEncoded(); + + // get PRNG object + DigestRandomGenerator sr0 = new DigestRandomGenerator(new SHA1Digest()); + + // seed PRNG with r' + sr0.addSeedMaterial(rBytes); + + // generate random c2 + byte[] c2 = new byte[input.length]; + sr0.nextBytes(c2); + + // XOR with input + for (int i = 0; i < input.length; i++) + { + c2[i] ^= input[i]; + } + + // return (c1||c2) + return ByteUtils.concatenate(c1, c2); + } + + public byte[] messageDecrypt(byte[] input) + throws Exception + { + + int c1Len = (n + 7) >> 3; + int c2Len = input.length - c1Len; + + // split ciphertext (c1||c2) + byte[][] c1c2 = ByteUtils.split(input, c1Len); + byte[] c1 = c1c2[0]; + byte[] c2 = c1c2[1]; + + // decrypt c1 ... + GF2Vector hrmVec = GF2Vector.OS2VP(n, c1); + GF2Vector[] decC1 = McElieceCCA2Primitives.decryptionPrimitive((McElieceCCA2PrivateKeyParameters)key, + hrmVec); + byte[] rBytes = decC1[0].getEncoded(); + // ... and obtain error vector z + GF2Vector z = decC1[1]; + + // get PRNG object + DigestRandomGenerator sr0 = new DigestRandomGenerator(new SHA1Digest()); + + // seed PRNG with r' + sr0.addSeedMaterial(rBytes); + + // generate random sequence + byte[] mBytes = new byte[c2Len]; + sr0.nextBytes(mBytes); + + // XOR with c2 to obtain m + for (int i = 0; i < c2Len; i++) + { + mBytes[i] ^= c2[i]; + } + + // compute H(r||m) + byte[] rmBytes = ByteUtils.concatenate(rBytes, mBytes); + byte[] hrm = new byte[messDigest.getDigestSize()]; + messDigest.update(rmBytes, 0, rmBytes.length); + messDigest.doFinal(hrm, 0); + + + // compute Conv(H(r||m)) + hrmVec = Conversions.encode(n, t, hrm); + + // check that Conv(H(m||r)) = z + if (!hrmVec.equals(z)) + { + + throw new Exception("Bad Padding: invalid ciphertext"); + + } + + // return plaintext m + return mBytes; + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceFujisakiDigestCipher.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceFujisakiDigestCipher.java new file mode 100644 index 00000000..9a5577ce --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceFujisakiDigestCipher.java @@ -0,0 +1,128 @@ +package org.spongycastle.pqc.crypto.mceliece; + + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.params.AsymmetricKeyParameter; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.pqc.crypto.MessageEncryptor; + +// TODO should implement some interface? +public class McElieceFujisakiDigestCipher +{ + + private final Digest messDigest; + + private final MessageEncryptor mcElieceCCA2Cipher; + + private boolean forEncrypting; + + + public McElieceFujisakiDigestCipher(MessageEncryptor mcElieceCCA2Cipher, Digest messDigest) + { + this.mcElieceCCA2Cipher = mcElieceCCA2Cipher; + this.messDigest = messDigest; + } + + + public void init(boolean forEncrypting, + CipherParameters param) + { + + this.forEncrypting = forEncrypting; + AsymmetricKeyParameter k; + + if (param instanceof ParametersWithRandom) + { + k = (AsymmetricKeyParameter)((ParametersWithRandom)param).getParameters(); + } + else + { + k = (AsymmetricKeyParameter)param; + } + + if (forEncrypting && k.isPrivate()) + { + throw new IllegalArgumentException("Encrypting Requires Public Key."); + } + + if (!forEncrypting && !k.isPrivate()) + { + throw new IllegalArgumentException("Decrypting Requires Private Key."); + } + + reset(); + + mcElieceCCA2Cipher.init(forEncrypting, param); + } + + + public byte[] messageEncrypt() + { + if (!forEncrypting) + { + throw new IllegalStateException("McElieceFujisakiDigestCipher not initialised for encrypting."); + } + + byte[] hash = new byte[messDigest.getDigestSize()]; + messDigest.doFinal(hash, 0); + byte[] enc = null; + + try + { + enc = mcElieceCCA2Cipher.messageEncrypt(hash); + } + catch (Exception e) + { + e.printStackTrace(); + } + + + return enc; + } + + + public byte[] messageDecrypt(byte[] ciphertext) + { + byte[] output = null; + if (forEncrypting) + { + throw new IllegalStateException("McElieceFujisakiDigestCipher not initialised for decrypting."); + } + + + try + { + output = mcElieceCCA2Cipher.messageDecrypt(ciphertext); + } + catch (Exception e) + { + e.printStackTrace(); + } + + + return output; + } + + + public void update(byte b) + { + messDigest.update(b); + + } + + public void update(byte[] in, int off, int len) + { + messDigest.update(in, off, len); + + } + + + public void reset() + { + messDigest.reset(); + + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKeyGenerationParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKeyGenerationParameters.java new file mode 100644 index 00000000..129a704c --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKeyGenerationParameters.java @@ -0,0 +1,25 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.KeyGenerationParameters; + +public class McElieceKeyGenerationParameters + extends KeyGenerationParameters +{ + private McElieceParameters params; + + public McElieceKeyGenerationParameters( + SecureRandom random, + McElieceParameters params) + { + // XXX key size? + super(random, 256); + this.params = params; + } + + public McElieceParameters getParameters() + { + return params; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKeyPairGenerator.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKeyPairGenerator.java new file mode 100644 index 00000000..07db4cd6 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKeyPairGenerator.java @@ -0,0 +1,151 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.AsymmetricCipherKeyPair; +import org.spongycastle.crypto.AsymmetricCipherKeyPairGenerator; +import org.spongycastle.crypto.KeyGenerationParameters; +import org.spongycastle.pqc.math.linearalgebra.GF2Matrix; +import org.spongycastle.pqc.math.linearalgebra.GF2mField; +import org.spongycastle.pqc.math.linearalgebra.GoppaCode; +import org.spongycastle.pqc.math.linearalgebra.GoppaCode.MaMaPe; +import org.spongycastle.pqc.math.linearalgebra.Permutation; +import org.spongycastle.pqc.math.linearalgebra.PolynomialGF2mSmallM; +import org.spongycastle.pqc.math.linearalgebra.PolynomialRingGF2m; + + +/** + * This class implements key pair generation of the McEliece Public Key + * Cryptosystem (McEliecePKC). + */ +public class McElieceKeyPairGenerator + implements AsymmetricCipherKeyPairGenerator +{ + + + public McElieceKeyPairGenerator() + { + + } + + + /** + * The OID of the algorithm. + */ + private static final String OID = "1.3.6.1.4.1.8301.3.1.3.4.1"; + + private McElieceKeyGenerationParameters mcElieceParams; + + // the extension degree of the finite field GF(2^m) + private int m; + + // the length of the code + private int n; + + // the error correction capability + private int t; + + // the field polynomial + private int fieldPoly; + + // the source of randomness + private SecureRandom random; + + // flag indicating whether the key pair generator has been initialized + private boolean initialized = false; + + + /** + * Default initialization of the key pair generator. + */ + private void initializeDefault() + { + McElieceKeyGenerationParameters mcParams = new McElieceKeyGenerationParameters(new SecureRandom(), new McElieceParameters()); + initialize(mcParams); + } + + private void initialize( + KeyGenerationParameters param) + { + this.mcElieceParams = (McElieceKeyGenerationParameters)param; + + // set source of randomness + this.random = new SecureRandom(); + + this.m = this.mcElieceParams.getParameters().getM(); + this.n = this.mcElieceParams.getParameters().getN(); + this.t = this.mcElieceParams.getParameters().getT(); + this.fieldPoly = this.mcElieceParams.getParameters().getFieldPoly(); + this.initialized = true; + } + + + private AsymmetricCipherKeyPair genKeyPair() + { + + if (!initialized) + { + initializeDefault(); + } + + // finite field GF(2^m) + GF2mField field = new GF2mField(m, fieldPoly); + + // irreducible Goppa polynomial + PolynomialGF2mSmallM gp = new PolynomialGF2mSmallM(field, t, + PolynomialGF2mSmallM.RANDOM_IRREDUCIBLE_POLYNOMIAL, random); + PolynomialRingGF2m ring = new PolynomialRingGF2m(field, gp); + + // matrix used to compute square roots in (GF(2^m))^t + PolynomialGF2mSmallM[] sqRootMatrix = ring.getSquareRootMatrix(); + + // generate canonical check matrix + GF2Matrix h = GoppaCode.createCanonicalCheckMatrix(field, gp); + + // compute short systematic form of check matrix + MaMaPe mmp = GoppaCode.computeSystematicForm(h, random); + GF2Matrix shortH = mmp.getSecondMatrix(); + Permutation p1 = mmp.getPermutation(); + + // compute short systematic form of generator matrix + GF2Matrix shortG = (GF2Matrix)shortH.computeTranspose(); + + // extend to full systematic form + GF2Matrix gPrime = shortG.extendLeftCompactForm(); + + // obtain number of rows of G (= dimension of the code) + int k = shortG.getNumRows(); + + // generate random invertible (k x k)-matrix S and its inverse S^-1 + GF2Matrix[] matrixSandInverse = GF2Matrix + .createRandomRegularMatrixAndItsInverse(k, random); + + // generate random permutation P2 + Permutation p2 = new Permutation(n, random); + + // compute public matrix G=S*G'*P2 + GF2Matrix g = (GF2Matrix)matrixSandInverse[0].rightMultiply(gPrime); + g = (GF2Matrix)g.rightMultiply(p2); + + + // generate keys + McEliecePublicKeyParameters pubKey = new McEliecePublicKeyParameters(OID, n, t, g, mcElieceParams.getParameters()); + McEliecePrivateKeyParameters privKey = new McEliecePrivateKeyParameters(OID, n, k, + field, gp, matrixSandInverse[1], p1, p2, h, sqRootMatrix, mcElieceParams.getParameters()); + + // return key pair + return new AsymmetricCipherKeyPair(pubKey, privKey); + } + + public void init(KeyGenerationParameters param) + { + this.initialize(param); + + } + + public AsymmetricCipherKeyPair generateKeyPair() + { + return genKeyPair(); + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKeyParameters.java new file mode 100644 index 00000000..a8b2ce84 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKeyParameters.java @@ -0,0 +1,25 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import org.spongycastle.crypto.params.AsymmetricKeyParameter; + + +public class McElieceKeyParameters + extends AsymmetricKeyParameter +{ + private McElieceParameters params; + + public McElieceKeyParameters( + boolean isPrivate, + McElieceParameters params) + { + super(isPrivate); + this.params = params; + } + + + public McElieceParameters getParameters() + { + return params; + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKobaraImaiCipher.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKobaraImaiCipher.java new file mode 100644 index 00000000..0be981be --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKobaraImaiCipher.java @@ -0,0 +1,319 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.digests.SHA1Digest; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.crypto.prng.DigestRandomGenerator; +import org.spongycastle.pqc.crypto.MessageEncryptor; +import org.spongycastle.pqc.math.linearalgebra.ByteUtils; +import org.spongycastle.pqc.math.linearalgebra.GF2Vector; +import org.spongycastle.pqc.math.linearalgebra.IntegerFunctions; + +/** + * This class implements the Kobara/Imai conversion of the McEliecePKCS. This is + * a conversion of the McEliecePKCS which is CCA2-secure. For details, see D. + * Engelbert, R. Overbeck, A. Schmidt, "A summary of the development of the + * McEliece Cryptosystem", technical report. + */ +public class McElieceKobaraImaiCipher + implements MessageEncryptor +{ + + /** + * The OID of the algorithm. + */ + public static final String OID = "1.3.6.1.4.1.8301.3.1.3.4.2.3"; + + private static final String DEFAULT_PRNG_NAME = "SHA1PRNG"; + + /** + * A predetermined public constant. + */ + public static final byte[] PUBLIC_CONSTANT = "a predetermined public constant" + .getBytes(); + + + private Digest messDigest; + + private SecureRandom sr; + + McElieceCCA2KeyParameters key; + + /** + * The McEliece main parameters + */ + private int n, k, t; + + + public void init(boolean forSigning, + CipherParameters param) + { + + if (forSigning) + { + if (param instanceof ParametersWithRandom) + { + ParametersWithRandom rParam = (ParametersWithRandom)param; + + this.sr = rParam.getRandom(); + this.key = (McElieceCCA2PublicKeyParameters)rParam.getParameters(); + this.initCipherEncrypt((McElieceCCA2PublicKeyParameters)key); + + } + else + { + this.sr = new SecureRandom(); + this.key = (McElieceCCA2PublicKeyParameters)param; + this.initCipherEncrypt((McElieceCCA2PublicKeyParameters)key); + } + } + else + { + this.key = (McElieceCCA2PrivateKeyParameters)param; + this.initCipherDecrypt((McElieceCCA2PrivateKeyParameters)key); + } + + } + + /** + * Return the key size of the given key object. + * + * @param key the McElieceCCA2KeyParameters object + * @return the key size of the given key object + */ + public int getKeySize(McElieceCCA2KeyParameters key) + { + if (key instanceof McElieceCCA2PublicKeyParameters) + { + return ((McElieceCCA2PublicKeyParameters)key).getN(); + + } + if (key instanceof McElieceCCA2PrivateKeyParameters) + { + return ((McElieceCCA2PrivateKeyParameters)key).getN(); + } + throw new IllegalArgumentException("unsupported type"); + } + + private void initCipherEncrypt(McElieceCCA2PublicKeyParameters pubKey) + { + this.messDigest = pubKey.getParameters().getDigest(); + n = pubKey.getN(); + k = pubKey.getK(); + t = pubKey.getT(); + + } + + public void initCipherDecrypt(McElieceCCA2PrivateKeyParameters privKey) + { + this.messDigest = privKey.getParameters().getDigest(); + n = privKey.getN(); + k = privKey.getK(); + t = privKey.getT(); + } + + public byte[] messageEncrypt(byte[] input) + throws Exception + { + + int c2Len = messDigest.getDigestSize(); + int c4Len = k >> 3; + int c5Len = (IntegerFunctions.binomial(n, t).bitLength() - 1) >> 3; + + + int mLen = c4Len + c5Len - c2Len - PUBLIC_CONSTANT.length; + if (input.length > mLen) + { + mLen = input.length; + } + + int c1Len = mLen + PUBLIC_CONSTANT.length; + int c6Len = c1Len + c2Len - c4Len - c5Len; + + // compute (m||const) + byte[] mConst = new byte[c1Len]; + System.arraycopy(input, 0, mConst, 0, input.length); + System.arraycopy(PUBLIC_CONSTANT, 0, mConst, mLen, + PUBLIC_CONSTANT.length); + + // generate random r of length c2Len bytes + byte[] r = new byte[c2Len]; + sr.nextBytes(r); + + // get PRNG object + // get PRNG object + DigestRandomGenerator sr0 = new DigestRandomGenerator(new SHA1Digest()); + + // seed PRNG with r' + sr0.addSeedMaterial(r); + + // generate random sequence ... + byte[] c1 = new byte[c1Len]; + sr0.nextBytes(c1); + + // ... and XOR with (m||const) to obtain c1 + for (int i = c1Len - 1; i >= 0; i--) + { + c1[i] ^= mConst[i]; + } + + // compute H(c1) ... + byte[] c2 = new byte[messDigest.getDigestSize()]; + messDigest.update(c1, 0, c1.length); + messDigest.doFinal(c2, 0); + + // ... and XOR with r + for (int i = c2Len - 1; i >= 0; i--) + { + c2[i] ^= r[i]; + } + + // compute (c2||c1) + byte[] c2c1 = ByteUtils.concatenate(c2, c1); + + // split (c2||c1) into (c6||c5||c4), where c4Len is k/8 bytes, c5Len is + // floor[log(n|t)]/8 bytes, and c6Len is c1Len+c2Len-c4Len-c5Len (may be + // 0). + byte[] c6 = new byte[0]; + if (c6Len > 0) + { + c6 = new byte[c6Len]; + System.arraycopy(c2c1, 0, c6, 0, c6Len); + } + + byte[] c5 = new byte[c5Len]; + System.arraycopy(c2c1, c6Len, c5, 0, c5Len); + + byte[] c4 = new byte[c4Len]; + System.arraycopy(c2c1, c6Len + c5Len, c4, 0, c4Len); + + // convert c4 to vector over GF(2) + GF2Vector c4Vec = GF2Vector.OS2VP(k, c4); + + // convert c5 to error vector z + GF2Vector z = Conversions.encode(n, t, c5); + + // compute encC4 = E(c4, z) + byte[] encC4 = McElieceCCA2Primitives.encryptionPrimitive((McElieceCCA2PublicKeyParameters)key, + c4Vec, z).getEncoded(); + + // if c6Len > 0 + if (c6Len > 0) + { + // return (c6||encC4) + return ByteUtils.concatenate(c6, encC4); + } + // else, return encC4 + return encC4; + } + + + public byte[] messageDecrypt(byte[] input) + throws Exception + { + + int nDiv8 = n >> 3; + + if (input.length < nDiv8) + { + throw new Exception("Bad Padding: Ciphertext too short."); + } + + int c2Len = messDigest.getDigestSize(); + int c4Len = k >> 3; + int c6Len = input.length - nDiv8; + + // split cipher text (c6||encC4), where c6 may be empty + byte[] c6, encC4; + if (c6Len > 0) + { + byte[][] c6EncC4 = ByteUtils.split(input, c6Len); + c6 = c6EncC4[0]; + encC4 = c6EncC4[1]; + } + else + { + c6 = new byte[0]; + encC4 = input; + } + + // convert encC4 into vector over GF(2) + GF2Vector encC4Vec = GF2Vector.OS2VP(n, encC4); + + // decrypt encC4Vec to obtain c4 and error vector z + GF2Vector[] c4z = McElieceCCA2Primitives.decryptionPrimitive((McElieceCCA2PrivateKeyParameters)key, + encC4Vec); + byte[] c4 = c4z[0].getEncoded(); + GF2Vector z = c4z[1]; + + // if length of c4 is greater than c4Len (because of padding) ... + if (c4.length > c4Len) + { + // ... truncate the padding bytes + c4 = ByteUtils.subArray(c4, 0, c4Len); + } + + // compute c5 = Conv^-1(z) + byte[] c5 = Conversions.decode(n, t, z); + + // compute (c6||c5||c4) + byte[] c6c5c4 = ByteUtils.concatenate(c6, c5); + c6c5c4 = ByteUtils.concatenate(c6c5c4, c4); + + // split (c6||c5||c4) into (c2||c1), where c2Len = mdLen and c1Len = + // input.length-c2Len bytes. + int c1Len = c6c5c4.length - c2Len; + byte[][] c2c1 = ByteUtils.split(c6c5c4, c2Len); + byte[] c2 = c2c1[0]; + byte[] c1 = c2c1[1]; + + // compute H(c1) ... + byte[] rPrime = new byte[messDigest.getDigestSize()]; + messDigest.update(c1, 0, c1.length); + messDigest.doFinal(rPrime, 0); + + // ... and XOR with c2 to obtain r' + for (int i = c2Len - 1; i >= 0; i--) + { + rPrime[i] ^= c2[i]; + } + + // get PRNG object + DigestRandomGenerator sr0 = new DigestRandomGenerator(new SHA1Digest()); + + // seed PRNG with r' + sr0.addSeedMaterial(rPrime); + + // generate random sequence R(r') ... + byte[] mConstPrime = new byte[c1Len]; + sr0.nextBytes(mConstPrime); + + // ... and XOR with c1 to obtain (m||const') + for (int i = c1Len - 1; i >= 0; i--) + { + mConstPrime[i] ^= c1[i]; + } + + if (mConstPrime.length < c1Len) + { + throw new Exception("Bad Padding: invalid ciphertext"); + } + + byte[][] temp = ByteUtils.split(mConstPrime, c1Len + - PUBLIC_CONSTANT.length); + byte[] mr = temp[0]; + byte[] constPrime = temp[1]; + + if (!ByteUtils.equals(constPrime, PUBLIC_CONSTANT)) + { + throw new Exception("Bad Padding: invalid ciphertext"); + } + + return mr; + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKobaraImaiDigestCipher.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKobaraImaiDigestCipher.java new file mode 100644 index 00000000..7df9cc0d --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceKobaraImaiDigestCipher.java @@ -0,0 +1,128 @@ +package org.spongycastle.pqc.crypto.mceliece; + + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.params.AsymmetricKeyParameter; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.pqc.crypto.MessageEncryptor; + +// TODO should implement some interface? +public class McElieceKobaraImaiDigestCipher +{ + + private final Digest messDigest; + + private final MessageEncryptor mcElieceCCA2Cipher; + + private boolean forEncrypting; + + + public McElieceKobaraImaiDigestCipher(MessageEncryptor mcElieceCCA2Cipher, Digest messDigest) + { + this.mcElieceCCA2Cipher = mcElieceCCA2Cipher; + this.messDigest = messDigest; + } + + + public void init(boolean forEncrypting, + CipherParameters param) + { + + this.forEncrypting = forEncrypting; + AsymmetricKeyParameter k; + + if (param instanceof ParametersWithRandom) + { + k = (AsymmetricKeyParameter)((ParametersWithRandom)param).getParameters(); + } + else + { + k = (AsymmetricKeyParameter)param; + } + + if (forEncrypting && k.isPrivate()) + { + throw new IllegalArgumentException("Encrypting Requires Public Key."); + } + + if (!forEncrypting && !k.isPrivate()) + { + throw new IllegalArgumentException("Decrypting Requires Private Key."); + } + + reset(); + + mcElieceCCA2Cipher.init(forEncrypting, param); + } + + + public byte[] messageEncrypt() + { + if (!forEncrypting) + { + throw new IllegalStateException("McElieceKobaraImaiDigestCipher not initialised for encrypting."); + } + + byte[] hash = new byte[messDigest.getDigestSize()]; + messDigest.doFinal(hash, 0); + byte[] enc = null; + + try + { + enc = mcElieceCCA2Cipher.messageEncrypt(hash); + } + catch (Exception e) + { + e.printStackTrace(); + } + + + return enc; + } + + + public byte[] messageDecrypt(byte[] ciphertext) + { + byte[] output = null; + if (forEncrypting) + { + throw new IllegalStateException("McElieceKobaraImaiDigestCipher not initialised for decrypting."); + } + + + try + { + output = mcElieceCCA2Cipher.messageDecrypt(ciphertext); + } + catch (Exception e) + { + e.printStackTrace(); + } + + + return output; + } + + + public void update(byte b) + { + messDigest.update(b); + + } + + public void update(byte[] in, int off, int len) + { + messDigest.update(in, off, len); + + } + + + public void reset() + { + messDigest.reset(); + + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePKCSCipher.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePKCSCipher.java new file mode 100644 index 00000000..2e843aa0 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePKCSCipher.java @@ -0,0 +1,224 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.pqc.crypto.MessageEncryptor; +import org.spongycastle.pqc.math.linearalgebra.GF2Matrix; +import org.spongycastle.pqc.math.linearalgebra.GF2Vector; +import org.spongycastle.pqc.math.linearalgebra.GF2mField; +import org.spongycastle.pqc.math.linearalgebra.GoppaCode; +import org.spongycastle.pqc.math.linearalgebra.Permutation; +import org.spongycastle.pqc.math.linearalgebra.PolynomialGF2mSmallM; +import org.spongycastle.pqc.math.linearalgebra.Vector; + +/** + * This class implements the McEliece Public Key cryptosystem (McEliecePKCS). It + * was first described in R.J. McEliece, "A public key cryptosystem based on + * algebraic coding theory", DSN progress report, 42-44:114-116, 1978. The + * McEliecePKCS is the first cryptosystem which is based on error correcting + * codes. The trapdoor for the McEliece cryptosystem using Goppa codes is the + * knowledge of the Goppa polynomial used to generate the code. + */ +public class McEliecePKCSCipher + implements MessageEncryptor +{ + + /** + * The OID of the algorithm. + */ + public static final String OID = "1.3.6.1.4.1.8301.3.1.3.4.1"; + + + // the source of randomness + private SecureRandom sr; + + // the McEliece main parameters + private int n, k, t; + + // The maximum number of bytes the cipher can decrypt + public int maxPlainTextSize; + + // The maximum number of bytes the cipher can encrypt + public int cipherTextSize; + + McElieceKeyParameters key; + + + public void init(boolean forSigning, + CipherParameters param) + { + + if (forSigning) + { + if (param instanceof ParametersWithRandom) + { + ParametersWithRandom rParam = (ParametersWithRandom)param; + + this.sr = rParam.getRandom(); + this.key = (McEliecePublicKeyParameters)rParam.getParameters(); + this.initCipherEncrypt((McEliecePublicKeyParameters)key); + + } + else + { + this.sr = new SecureRandom(); + this.key = (McEliecePublicKeyParameters)param; + this.initCipherEncrypt((McEliecePublicKeyParameters)key); + } + } + else + { + this.key = (McEliecePrivateKeyParameters)param; + this.initCipherDecrypt((McEliecePrivateKeyParameters)key); + } + + } + + + /** + * Return the key size of the given key object. + * + * @param key the McElieceKeyParameters object + * @return the keysize of the given key object + */ + + public int getKeySize(McElieceKeyParameters key) + { + + if (key instanceof McEliecePublicKeyParameters) + { + return ((McEliecePublicKeyParameters)key).getN(); + + } + if (key instanceof McEliecePrivateKeyParameters) + { + return ((McEliecePrivateKeyParameters)key).getN(); + } + throw new IllegalArgumentException("unsupported type"); + + } + + + public void initCipherEncrypt(McEliecePublicKeyParameters pubKey) + { + this.sr = sr != null ? sr : new SecureRandom(); + n = pubKey.getN(); + k = pubKey.getK(); + t = pubKey.getT(); + cipherTextSize = n >> 3; + maxPlainTextSize = (k >> 3); + } + + + public void initCipherDecrypt(McEliecePrivateKeyParameters privKey) + { + n = privKey.getN(); + k = privKey.getK(); + + maxPlainTextSize = (k >> 3); + cipherTextSize = n >> 3; + } + + /** + * Encrypt a plain text. + * + * @param input the plain text + * @return the cipher text + */ + public byte[] messageEncrypt(byte[] input) + { + GF2Vector m = computeMessageRepresentative(input); + GF2Vector z = new GF2Vector(n, t, sr); + + GF2Matrix g = ((McEliecePublicKeyParameters)key).getG(); + Vector mG = g.leftMultiply(m); + GF2Vector mGZ = (GF2Vector)mG.add(z); + + return mGZ.getEncoded(); + } + + private GF2Vector computeMessageRepresentative(byte[] input) + { + byte[] data = new byte[maxPlainTextSize + ((k & 0x07) != 0 ? 1 : 0)]; + System.arraycopy(input, 0, data, 0, input.length); + data[input.length] = 0x01; + return GF2Vector.OS2VP(k, data); + } + + /** + * Decrypt a cipher text. + * + * @param input the cipher text + * @return the plain text + * @throws Exception if the cipher text is invalid. + */ + public byte[] messageDecrypt(byte[] input) + throws Exception + { + GF2Vector vec = GF2Vector.OS2VP(n, input); + McEliecePrivateKeyParameters privKey = (McEliecePrivateKeyParameters)key; + GF2mField field = privKey.getField(); + PolynomialGF2mSmallM gp = privKey.getGoppaPoly(); + GF2Matrix sInv = privKey.getSInv(); + Permutation p1 = privKey.getP1(); + Permutation p2 = privKey.getP2(); + GF2Matrix h = privKey.getH(); + PolynomialGF2mSmallM[] qInv = privKey.getQInv(); + + // compute permutation P = P1 * P2 + Permutation p = p1.rightMultiply(p2); + + // compute P^-1 + Permutation pInv = p.computeInverse(); + + // compute c P^-1 + GF2Vector cPInv = (GF2Vector)vec.multiply(pInv); + + // compute syndrome of c P^-1 + GF2Vector syndrome = (GF2Vector)h.rightMultiply(cPInv); + + // decode syndrome + GF2Vector z = GoppaCode.syndromeDecode(syndrome, field, gp, qInv); + GF2Vector mSG = (GF2Vector)cPInv.add(z); + + // multiply codeword with P1 and error vector with P + mSG = (GF2Vector)mSG.multiply(p1); + z = (GF2Vector)z.multiply(p); + + // extract mS (last k columns of mSG) + GF2Vector mS = mSG.extractRightVector(k); + + // compute plaintext vector + GF2Vector mVec = (GF2Vector)sInv.leftMultiply(mS); + + // compute and return plaintext + return computeMessage(mVec); + } + + private byte[] computeMessage(GF2Vector mr) + throws Exception + { + byte[] mrBytes = mr.getEncoded(); + // find first non-zero byte + int index; + for (index = mrBytes.length - 1; index >= 0 && mrBytes[index] == 0; index--) + { + ; + } + + // check if padding byte is valid + if (mrBytes[index] != 0x01) + { + throw new Exception("Bad Padding: invalid ciphertext"); + } + + // extract and return message + byte[] mBytes = new byte[index]; + System.arraycopy(mrBytes, 0, mBytes, 0, index); + return mBytes; + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePKCSDigestCipher.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePKCSDigestCipher.java new file mode 100644 index 00000000..901fe688 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePKCSDigestCipher.java @@ -0,0 +1,128 @@ +package org.spongycastle.pqc.crypto.mceliece; + + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.params.AsymmetricKeyParameter; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.pqc.crypto.MessageEncryptor; + +// TODO should implement some interface? +public class McEliecePKCSDigestCipher +{ + + private final Digest messDigest; + + private final MessageEncryptor mcElieceCipher; + + private boolean forEncrypting; + + + public McEliecePKCSDigestCipher(MessageEncryptor mcElieceCipher, Digest messDigest) + { + this.mcElieceCipher = mcElieceCipher; + this.messDigest = messDigest; + } + + + public void init(boolean forEncrypting, + CipherParameters param) + { + + this.forEncrypting = forEncrypting; + AsymmetricKeyParameter k; + + if (param instanceof ParametersWithRandom) + { + k = (AsymmetricKeyParameter)((ParametersWithRandom)param).getParameters(); + } + else + { + k = (AsymmetricKeyParameter)param; + } + + if (forEncrypting && k.isPrivate()) + { + throw new IllegalArgumentException("Encrypting Requires Public Key."); + } + + if (!forEncrypting && !k.isPrivate()) + { + throw new IllegalArgumentException("Decrypting Requires Private Key."); + } + + reset(); + + mcElieceCipher.init(forEncrypting, param); + } + + + public byte[] messageEncrypt() + { + if (!forEncrypting) + { + throw new IllegalStateException("McEliecePKCSDigestCipher not initialised for encrypting."); + } + + byte[] hash = new byte[messDigest.getDigestSize()]; + messDigest.doFinal(hash, 0); + byte[] enc = null; + + try + { + enc = mcElieceCipher.messageEncrypt(hash); + } + catch (Exception e) + { + e.printStackTrace(); + } + + + return enc; + } + + + public byte[] messageDecrypt(byte[] ciphertext) + { + byte[] output = null; + if (forEncrypting) + { + throw new IllegalStateException("McEliecePKCSDigestCipher not initialised for decrypting."); + } + + + try + { + output = mcElieceCipher.messageDecrypt(ciphertext); + } + catch (Exception e) + { + e.printStackTrace(); + } + + + return output; + } + + + public void update(byte b) + { + messDigest.update(b); + + } + + public void update(byte[] in, int off, int len) + { + messDigest.update(in, off, len); + + } + + + public void reset() + { + messDigest.reset(); + + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceParameters.java new file mode 100644 index 00000000..d49f9279 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McElieceParameters.java @@ -0,0 +1,181 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.pqc.math.linearalgebra.PolynomialRingGF2; + +public class McElieceParameters + implements CipherParameters +{ + + /** + * The default extension degree + */ + public static final int DEFAULT_M = 11; + + /** + * The default error correcting capability. + */ + public static final int DEFAULT_T = 50; + + /** + * extension degree of the finite field GF(2^m) + */ + private int m; + + /** + * error correction capability of the code + */ + private int t; + + /** + * length of the code + */ + private int n; + + /** + * the field polynomial + */ + private int fieldPoly; + + /** + * Constructor. Set the default parameters: extension degree. + */ + public McElieceParameters() + { + this(DEFAULT_M, DEFAULT_T); + } + + /** + * Constructor. + * + * @param keysize the length of a Goppa code + * @throws IllegalArgumentException if <tt>keysize < 1</tt>. + */ + public McElieceParameters(int keysize) + throws IllegalArgumentException + { + if (keysize < 1) + { + throw new IllegalArgumentException("key size must be positive"); + } + m = 0; + n = 1; + while (n < keysize) + { + n <<= 1; + m++; + } + t = n >>> 1; + t /= m; + fieldPoly = PolynomialRingGF2.getIrreduciblePolynomial(m); + } + + /** + * Constructor. + * + * @param m degree of the finite field GF(2^m) + * @param t error correction capability of the code + * @throws IllegalArgumentException if <tt>m < 1</tt> or <tt>m > 32</tt> or + * <tt>t < 0</tt> or <tt>t > n</tt>. + */ + public McElieceParameters(int m, int t) + throws IllegalArgumentException + { + if (m < 1) + { + throw new IllegalArgumentException("m must be positive"); + } + if (m > 32) + { + throw new IllegalArgumentException("m is too large"); + } + this.m = m; + n = 1 << m; + if (t < 0) + { + throw new IllegalArgumentException("t must be positive"); + } + if (t > n) + { + throw new IllegalArgumentException("t must be less than n = 2^m"); + } + this.t = t; + fieldPoly = PolynomialRingGF2.getIrreduciblePolynomial(m); + } + + /** + * Constructor. + * + * @param m degree of the finite field GF(2^m) + * @param t error correction capability of the code + * @param poly the field polynomial + * @throws IllegalArgumentException if <tt>m < 1</tt> or <tt>m > 32</tt> or + * <tt>t < 0</tt> or <tt>t > n</tt> or + * <tt>poly</tt> is not an irreducible field polynomial. + */ + public McElieceParameters(int m, int t, int poly) + throws IllegalArgumentException + { + this.m = m; + if (m < 1) + { + throw new IllegalArgumentException("m must be positive"); + } + if (m > 32) + { + throw new IllegalArgumentException(" m is too large"); + } + this.n = 1 << m; + this.t = t; + if (t < 0) + { + throw new IllegalArgumentException("t must be positive"); + } + if (t > n) + { + throw new IllegalArgumentException("t must be less than n = 2^m"); + } + if ((PolynomialRingGF2.degree(poly) == m) + && (PolynomialRingGF2.isIrreducible(poly))) + { + this.fieldPoly = poly; + } + else + { + throw new IllegalArgumentException( + "polynomial is not a field polynomial for GF(2^m)"); + } + } + + /** + * @return the extension degree of the finite field GF(2^m) + */ + public int getM() + { + return m; + } + + /** + * @return the length of the code + */ + public int getN() + { + return n; + } + + /** + * @return the error correction capability of the code + */ + public int getT() + { + return t; + } + + /** + * @return the field polynomial + */ + public int getFieldPoly() + { + return fieldPoly; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePointchevalCipher.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePointchevalCipher.java new file mode 100644 index 00000000..ba58258b --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePointchevalCipher.java @@ -0,0 +1,241 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.digests.SHA1Digest; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.crypto.prng.DigestRandomGenerator; +import org.spongycastle.pqc.crypto.MessageEncryptor; +import org.spongycastle.pqc.math.linearalgebra.ByteUtils; +import org.spongycastle.pqc.math.linearalgebra.GF2Vector; + +/** + * This class implements the Pointcheval conversion of the McEliecePKCS. + * Pointcheval presents a generic technique to make a CCA2-secure cryptosystem + * from any partially trapdoor one-way function in the random oracle model. For + * details, see D. Engelbert, R. Overbeck, A. Schmidt, "A summary of the + * development of the McEliece Cryptosystem", technical report. + */ +public class McEliecePointchevalCipher + implements MessageEncryptor +{ + + + /** + * The OID of the algorithm. + */ + public static final String OID = "1.3.6.1.4.1.8301.3.1.3.4.2.2"; + + private Digest messDigest; + + private SecureRandom sr; + + /** + * The McEliece main parameters + */ + private int n, k, t; + + McElieceCCA2KeyParameters key; + + public void init(boolean forSigning, + CipherParameters param) + { + + if (forSigning) + { + if (param instanceof ParametersWithRandom) + { + ParametersWithRandom rParam = (ParametersWithRandom)param; + + this.sr = rParam.getRandom(); + this.key = (McElieceCCA2PublicKeyParameters)rParam.getParameters(); + this.initCipherEncrypt((McElieceCCA2PublicKeyParameters)key); + + } + else + { + this.sr = new SecureRandom(); + this.key = (McElieceCCA2PublicKeyParameters)param; + this.initCipherEncrypt((McElieceCCA2PublicKeyParameters)key); + } + } + else + { + this.key = (McElieceCCA2PrivateKeyParameters)param; + this.initCipherDecrypt((McElieceCCA2PrivateKeyParameters)key); + } + + } + + /** + * Return the key size of the given key object. + * + * @param key the McElieceCCA2KeyParameters object + * @return the key size of the given key object + * @throws IllegalArgumentException if the key is invalid + */ + public int getKeySize(McElieceCCA2KeyParameters key) + throws IllegalArgumentException + { + + if (key instanceof McElieceCCA2PublicKeyParameters) + { + return ((McElieceCCA2PublicKeyParameters)key).getN(); + + } + if (key instanceof McElieceCCA2PrivateKeyParameters) + { + return ((McElieceCCA2PrivateKeyParameters)key).getN(); + } + throw new IllegalArgumentException("unsupported type"); + + } + + + protected int decryptOutputSize(int inLen) + { + return 0; + } + + protected int encryptOutputSize(int inLen) + { + return 0; + } + + + public void initCipherEncrypt(McElieceCCA2PublicKeyParameters pubKey) + { + this.sr = sr != null ? sr : new SecureRandom(); + this.messDigest = pubKey.getParameters().getDigest(); + n = pubKey.getN(); + k = pubKey.getK(); + t = pubKey.getT(); + } + + public void initCipherDecrypt(McElieceCCA2PrivateKeyParameters privKey) + { + this.messDigest = privKey.getParameters().getDigest(); + n = privKey.getN(); + k = privKey.getK(); + t = privKey.getT(); + } + + public byte[] messageEncrypt(byte[] input) + throws Exception + { + + int kDiv8 = k >> 3; + + // generate random r of length k div 8 bytes + byte[] r = new byte[kDiv8]; + sr.nextBytes(r); + + // generate random vector r' of length k bits + GF2Vector rPrime = new GF2Vector(k, sr); + + // convert r' to byte array + byte[] rPrimeBytes = rPrime.getEncoded(); + + // compute (input||r) + byte[] mr = ByteUtils.concatenate(input, r); + + // compute H(input||r) + messDigest.update(mr, 0, mr.length); + byte[] hmr = new byte[messDigest.getDigestSize()]; + messDigest.doFinal(hmr, 0); + + + // convert H(input||r) to error vector z + GF2Vector z = Conversions.encode(n, t, hmr); + + // compute c1 = E(rPrime, z) + byte[] c1 = McElieceCCA2Primitives.encryptionPrimitive((McElieceCCA2PublicKeyParameters)key, rPrime, + z).getEncoded(); + + // get PRNG object + DigestRandomGenerator sr0 = new DigestRandomGenerator(new SHA1Digest()); + + // seed PRNG with r' + sr0.addSeedMaterial(rPrimeBytes); + + // generate random c2 + byte[] c2 = new byte[input.length + kDiv8]; + sr0.nextBytes(c2); + + // XOR with input + for (int i = 0; i < input.length; i++) + { + c2[i] ^= input[i]; + } + // XOR with r + for (int i = 0; i < kDiv8; i++) + { + c2[input.length + i] ^= r[i]; + } + + // return (c1||c2) + return ByteUtils.concatenate(c1, c2); + } + + public byte[] messageDecrypt(byte[] input) + throws Exception + { + + int c1Len = (n + 7) >> 3; + int c2Len = input.length - c1Len; + + // split cipher text (c1||c2) + byte[][] c1c2 = ByteUtils.split(input, c1Len); + byte[] c1 = c1c2[0]; + byte[] c2 = c1c2[1]; + + // decrypt c1 ... + GF2Vector c1Vec = GF2Vector.OS2VP(n, c1); + GF2Vector[] c1Dec = McElieceCCA2Primitives.decryptionPrimitive((McElieceCCA2PrivateKeyParameters)key, + c1Vec); + byte[] rPrimeBytes = c1Dec[0].getEncoded(); + // ... and obtain error vector z + GF2Vector z = c1Dec[1]; + + // get PRNG object + DigestRandomGenerator sr0 = new DigestRandomGenerator(new SHA1Digest()); + + // seed PRNG with r' + sr0.addSeedMaterial(rPrimeBytes); + + // generate random sequence + byte[] mrBytes = new byte[c2Len]; + sr0.nextBytes(mrBytes); + + // XOR with c2 to obtain (m||r) + for (int i = 0; i < c2Len; i++) + { + mrBytes[i] ^= c2[i]; + } + + // compute H(m||r) + messDigest.update(mrBytes, 0, mrBytes.length); + byte[] hmr = new byte[messDigest.getDigestSize()]; + messDigest.doFinal(hmr, 0); + + // compute Conv(H(m||r)) + c1Vec = Conversions.encode(n, t, hmr); + + // check that Conv(H(m||r)) = z + if (!c1Vec.equals(z)) + { + throw new Exception("Bad Padding: Invalid ciphertext."); + } + + // split (m||r) to obtain m + int kDiv8 = k >> 3; + byte[][] mr = ByteUtils.split(mrBytes, c2Len - kDiv8); + + // return plain text m + return mr[0]; + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePointchevalDigestCipher.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePointchevalDigestCipher.java new file mode 100644 index 00000000..bcfd1d87 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePointchevalDigestCipher.java @@ -0,0 +1,128 @@ +package org.spongycastle.pqc.crypto.mceliece; + + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.params.AsymmetricKeyParameter; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.pqc.crypto.MessageEncryptor; + +// TODO should implement some interface? +public class McEliecePointchevalDigestCipher +{ + + private final Digest messDigest; + + private final MessageEncryptor mcElieceCCA2Cipher; + + private boolean forEncrypting; + + + public McEliecePointchevalDigestCipher(MessageEncryptor mcElieceCCA2Cipher, Digest messDigest) + { + this.mcElieceCCA2Cipher = mcElieceCCA2Cipher; + this.messDigest = messDigest; + } + + + public void init(boolean forEncrypting, + CipherParameters param) + { + + this.forEncrypting = forEncrypting; + AsymmetricKeyParameter k; + + if (param instanceof ParametersWithRandom) + { + k = (AsymmetricKeyParameter)((ParametersWithRandom)param).getParameters(); + } + else + { + k = (AsymmetricKeyParameter)param; + } + + if (forEncrypting && k.isPrivate()) + { + throw new IllegalArgumentException("Encrypting Requires Public Key."); + } + + if (!forEncrypting && !k.isPrivate()) + { + throw new IllegalArgumentException("Decrypting Requires Private Key."); + } + + reset(); + + mcElieceCCA2Cipher.init(forEncrypting, param); + } + + + public byte[] messageEncrypt() + { + if (!forEncrypting) + { + throw new IllegalStateException("McEliecePointchevalDigestCipher not initialised for encrypting."); + } + + byte[] hash = new byte[messDigest.getDigestSize()]; + messDigest.doFinal(hash, 0); + byte[] enc = null; + + try + { + enc = mcElieceCCA2Cipher.messageEncrypt(hash); + } + catch (Exception e) + { + e.printStackTrace(); + } + + + return enc; + } + + + public byte[] messageDecrypt(byte[] ciphertext) + { + byte[] output = null; + if (forEncrypting) + { + throw new IllegalStateException("McEliecePointchevalDigestCipher not initialised for decrypting."); + } + + + try + { + output = mcElieceCCA2Cipher.messageDecrypt(ciphertext); + } + catch (Exception e) + { + e.printStackTrace(); + } + + + return output; + } + + + public void update(byte b) + { + messDigest.update(b); + + } + + public void update(byte[] in, int off, int len) + { + messDigest.update(in, off, len); + + } + + + public void reset() + { + messDigest.reset(); + + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePrivateKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePrivateKeyParameters.java new file mode 100644 index 00000000..3c4ef324 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePrivateKeyParameters.java @@ -0,0 +1,197 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import org.spongycastle.pqc.math.linearalgebra.GF2Matrix; +import org.spongycastle.pqc.math.linearalgebra.GF2mField; +import org.spongycastle.pqc.math.linearalgebra.Permutation; +import org.spongycastle.pqc.math.linearalgebra.PolynomialGF2mSmallM; + + +public class McEliecePrivateKeyParameters + extends McElieceKeyParameters +{ + + // the OID of the algorithm + private String oid; + + // the length of the code + private int n; + + // the dimension of the code, where <tt>k >= n - mt</tt> + private int k; + + // the underlying finite field + private GF2mField field; + + // the irreducible Goppa polynomial + private PolynomialGF2mSmallM goppaPoly; + + // a k x k random binary non-singular matrix + private GF2Matrix sInv; + + // the permutation used to generate the systematic check matrix + private Permutation p1; + + // the permutation used to compute the public generator matrix + private Permutation p2; + + // the canonical check matrix of the code + private GF2Matrix h; + + // the matrix used to compute square roots in <tt>(GF(2^m))^t</tt> + private PolynomialGF2mSmallM[] qInv; + + /** + * Constructor. + * + * @param oid + * @param n the length of the code + * @param k the dimension of the code + * @param field the field polynomial defining the finite field + * <tt>GF(2<sup>m</sup>)</tt> + * @param goppaPoly the irreducible Goppa polynomial + * @param sInv the matrix <tt>S<sup>-1</sup></tt> + * @param p1 the permutation used to generate the systematic check + * matrix + * @param p2 the permutation used to compute the public generator + * matrix + * @param h the canonical check matrix + * @param qInv the matrix used to compute square roots in + * <tt>(GF(2<sup>m</sup>))<sup>t</sup></tt> + * @param params McElieceParameters + */ + public McEliecePrivateKeyParameters(String oid, int n, int k, GF2mField field, + PolynomialGF2mSmallM goppaPoly, GF2Matrix sInv, Permutation p1, + Permutation p2, GF2Matrix h, PolynomialGF2mSmallM[] qInv, McElieceParameters params) + { + super(true, params); + this.oid = oid; + this.k = k; + this.n = n; + this.field = field; + this.goppaPoly = goppaPoly; + this.sInv = sInv; + this.p1 = p1; + this.p2 = p2; + this.h = h; + this.qInv = qInv; + } + + /** + * Constructor (used by the {@link McElieceKeyFactory}). + * + * @param oid + * @param n the length of the code + * @param k the dimension of the code + * @param encField the encoded field polynomial defining the finite field + * <tt>GF(2<sup>m</sup>)</tt> + * @param encGoppaPoly the encoded irreducible Goppa polynomial + * @param encSInv the encoded matrix <tt>S<sup>-1</sup></tt> + * @param encP1 the encoded permutation used to generate the systematic + * check matrix + * @param encP2 the encoded permutation used to compute the public + * generator matrix + * @param encH the encoded canonical check matrix + * @param encQInv the encoded matrix used to compute square roots in + * <tt>(GF(2<sup>m</sup>))<sup>t</sup></tt> + * @param params McElieceParameters + */ + public McEliecePrivateKeyParameters(String oid, int n, int k, byte[] encField, + byte[] encGoppaPoly, byte[] encSInv, byte[] encP1, byte[] encP2, + byte[] encH, byte[][] encQInv, McElieceParameters params) + { + super(true, params); + this.oid = oid; + this.n = n; + this.k = k; + field = new GF2mField(encField); + goppaPoly = new PolynomialGF2mSmallM(field, encGoppaPoly); + sInv = new GF2Matrix(encSInv); + p1 = new Permutation(encP1); + p2 = new Permutation(encP2); + h = new GF2Matrix(encH); + qInv = new PolynomialGF2mSmallM[encQInv.length]; + for (int i = 0; i < encQInv.length; i++) + { + qInv[i] = new PolynomialGF2mSmallM(field, encQInv[i]); + } + } + + /** + * @return the length of the code + */ + public int getN() + { + return n; + } + + /** + * @return the dimension of the code + */ + public int getK() + { + return k; + } + + /** + * @return the finite field <tt>GF(2<sup>m</sup>)</tt> + */ + public GF2mField getField() + { + return field; + } + + /** + * @return the irreducible Goppa polynomial + */ + public PolynomialGF2mSmallM getGoppaPoly() + { + return goppaPoly; + } + + /** + * @return the k x k random binary non-singular matrix S^-1 + */ + public GF2Matrix getSInv() + { + return sInv; + } + + /** + * @return the permutation used to generate the systematic check matrix + */ + public Permutation getP1() + { + return p1; + } + + /** + * @return the permutation used to compute the public generator matrix + */ + public Permutation getP2() + { + return p2; + } + + /** + * @return the canonical check matrix H + */ + public GF2Matrix getH() + { + return h; + } + + /** + * @return the matrix used to compute square roots in + * <tt>(GF(2<sup>m</sup>))<sup>t</sup></tt> + */ + public PolynomialGF2mSmallM[] getQInv() + { + return qInv; + } + + public String getOIDString() + { + return oid; + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePublicKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePublicKeyParameters.java new file mode 100644 index 00000000..9f011243 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/mceliece/McEliecePublicKeyParameters.java @@ -0,0 +1,96 @@ +package org.spongycastle.pqc.crypto.mceliece; + +import org.spongycastle.pqc.math.linearalgebra.GF2Matrix; + + +public class McEliecePublicKeyParameters + extends McElieceKeyParameters +{ + + // the OID of the algorithm + private String oid; + + // the length of the code + private int n; + + // the error correction capability of the code + private int t; + + // the generator matrix + private GF2Matrix g; + + /** + * Constructor (used by {@link McElieceKeyFactory}). + * + * @param oid + * @param n the length of the code + * @param t the error correction capability of the code + * @param g the generator matrix + * @param params McElieceParameters + */ + public McEliecePublicKeyParameters(String oid, int n, int t, GF2Matrix g, McElieceParameters params) + { + super(false, params); + this.oid = oid; + this.n = n; + this.t = t; + this.g = new GF2Matrix(g); + } + + /** + * Constructor (used by {@link McElieceKeyFactory}). + * + * @param oid + * @param n the length of the code + * @param t the error correction capability of the code + * @param encG the encoded generator matrix + * @param params McElieceParameters + */ + public McEliecePublicKeyParameters(String oid, int t, int n, byte[] encG, McElieceParameters params) + { + super(false, params); + this.oid = oid; + this.n = n; + this.t = t; + this.g = new GF2Matrix(encG); + } + + /** + * @return the length of the code + */ + public int getN() + { + return n; + } + + /** + * @return the error correction capability of the code + */ + public int getT() + { + return t; + } + + /** + * @return the generator matrix + */ + public GF2Matrix getG() + { + return g; + } + + public String getOIDString() + { + return oid; + + } + + /** + * @return the dimension of the code + */ + public int getK() + { + return g.getNumRows(); + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/IndexGenerator.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/IndexGenerator.java new file mode 100644 index 00000000..01caf970 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/IndexGenerator.java @@ -0,0 +1,239 @@ +package org.spongycastle.pqc.crypto.ntru; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.util.Arrays; + +/** + * An implementation of the Index Generation Function in IEEE P1363.1. + */ +public class IndexGenerator +{ + private byte[] seed; + private int N; + private int c; + private int minCallsR; + private int totLen; + private int remLen; + private BitString buf; + private int counter; + private boolean initialized; + private Digest hashAlg; + private int hLen; + + /** + * Constructs a new index generator. + * + * @param seed a seed of arbitrary length to initialize the index generator with + * @param params NtruEncrypt parameters + */ + IndexGenerator(byte[] seed, NTRUEncryptionParameters params) + { + this.seed = seed; + N = params.N; + c = params.c; + minCallsR = params.minCallsR; + + totLen = 0; + remLen = 0; + counter = 0; + hashAlg = params.hashAlg; + + hLen = hashAlg.getDigestSize(); // hash length + initialized = false; + } + + /** + * Returns a number <code>i</code> such that <code>0 <= i < N</code>. + * + * @return + */ + int nextIndex() + { + if (!initialized) + { + buf = new BitString(); + byte[] hash = new byte[hashAlg.getDigestSize()]; + while (counter < minCallsR) + { + appendHash(buf, hash); + counter++; + } + totLen = minCallsR * 8 * hLen; + remLen = totLen; + initialized = true; + } + + while (true) + { + totLen += c; + BitString M = buf.getTrailing(remLen); + if (remLen < c) + { + int tmpLen = c - remLen; + int cThreshold = counter + (tmpLen + hLen - 1) / hLen; + byte[] hash = new byte[hashAlg.getDigestSize()]; + while (counter < cThreshold) + { + appendHash(M, hash); + counter++; + if (tmpLen > 8 * hLen) + { + tmpLen -= 8 * hLen; + } + } + remLen = 8 * hLen - tmpLen; + buf = new BitString(); + buf.appendBits(hash); + } + else + { + remLen -= c; + } + + int i = M.getLeadingAsInt(c); // assume c<32 + if (i < (1 << c) - ((1 << c) % N)) + { + return i % N; + } + } + } + + private void appendHash(BitString m, byte[] hash) + { + hashAlg.update(seed, 0, seed.length); + + putInt(hashAlg, counter); + + hashAlg.doFinal(hash, 0); + + m.appendBits(hash); + } + + private void putInt(Digest hashAlg, int counter) + { + hashAlg.update((byte)(counter >> 24)); + hashAlg.update((byte)(counter >> 16)); + hashAlg.update((byte)(counter >> 8)); + hashAlg.update((byte)counter); + } + + /** + * Represents a string of bits and supports appending, reading the head, and reading the tail. + */ + public static class BitString + { + byte[] bytes = new byte[4]; + int numBytes; // includes the last byte even if only some of its bits are used + int lastByteBits; // lastByteBits <= 8 + + /** + * Appends all bits in a byte array to the end of the bit string. + * + * @param bytes a byte array + */ + void appendBits(byte[] bytes) + { + for (int i = 0; i != bytes.length; i++) + { + appendBits(bytes[i]); + } + } + + /** + * Appends all bits in a byte to the end of the bit string. + * + * @param b a byte + */ + public void appendBits(byte b) + { + if (numBytes == bytes.length) + { + bytes = copyOf(bytes, 2 * bytes.length); + } + + if (numBytes == 0) + { + numBytes = 1; + bytes[0] = b; + lastByteBits = 8; + } + else if (lastByteBits == 8) + { + bytes[numBytes++] = b; + } + else + { + int s = 8 - lastByteBits; + bytes[numBytes - 1] |= (b & 0xFF) << lastByteBits; + bytes[numBytes++] = (byte)((b & 0xFF) >> s); + } + } + + /** + * Returns the last <code>numBits</code> bits from the end of the bit string. + * + * @param numBits number of bits + * @return a new <code>BitString</code> of length <code>numBits</code> + */ + public BitString getTrailing(int numBits) + { + BitString newStr = new BitString(); + newStr.numBytes = (numBits + 7) / 8; + newStr.bytes = new byte[newStr.numBytes]; + for (int i = 0; i < newStr.numBytes; i++) + { + newStr.bytes[i] = bytes[i]; + } + + newStr.lastByteBits = numBits % 8; + if (newStr.lastByteBits == 0) + { + newStr.lastByteBits = 8; + } + else + { + int s = 32 - newStr.lastByteBits; + newStr.bytes[newStr.numBytes - 1] = (byte)(newStr.bytes[newStr.numBytes - 1] << s >>> s); + } + + return newStr; + } + + /** + * Returns up to 32 bits from the beginning of the bit string. + * + * @param numBits number of bits + * @return an <code>int</code> whose lower <code>numBits</code> bits are the beginning of the bit string + */ + public int getLeadingAsInt(int numBits) + { + int startBit = (numBytes - 1) * 8 + lastByteBits - numBits; + int startByte = startBit / 8; + + int startBitInStartByte = startBit % 8; + int sum = (bytes[startByte] & 0xFF) >>> startBitInStartByte; + int shift = 8 - startBitInStartByte; + for (int i = startByte + 1; i < numBytes; i++) + { + sum |= (bytes[i] & 0xFF) << shift; + shift += 8; + } + + return sum; + } + + public byte[] getBytes() + { + return Arrays.clone(bytes); + } + } + + private static byte[] copyOf(byte[] src, int len) + { + byte[] tmp = new byte[len]; + + System.arraycopy(src, 0, tmp, 0, len < src.length ? len : src.length); + + return tmp; + } +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionKeyGenerationParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionKeyGenerationParameters.java new file mode 100644 index 00000000..76cb839d --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionKeyGenerationParameters.java @@ -0,0 +1,463 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.io.DataInputStream; +import java.io.DataOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.security.SecureRandom; +import java.util.Arrays; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.KeyGenerationParameters; +import org.spongycastle.crypto.digests.SHA256Digest; +import org.spongycastle.crypto.digests.SHA512Digest; + +/** + * A set of parameters for NtruEncrypt. Several predefined parameter sets are available and new ones can be created as well. + */ +public class NTRUEncryptionKeyGenerationParameters + extends KeyGenerationParameters + implements Cloneable +{ + /** + * A conservative (in terms of security) parameter set that gives 256 bits of security and is optimized for key size. + */ + public static final NTRUEncryptionKeyGenerationParameters EES1087EP2 = new NTRUEncryptionKeyGenerationParameters(1087, 2048, 120, 120, 256, 13, 25, 14, true, new byte[]{0, 6, 3}, true, false, new SHA512Digest()); + + /** + * A conservative (in terms of security) parameter set that gives 256 bits of security and is a tradeoff between key size and encryption/decryption speed. + */ + public static final NTRUEncryptionKeyGenerationParameters EES1171EP1 = new NTRUEncryptionKeyGenerationParameters(1171, 2048, 106, 106, 256, 13, 20, 15, true, new byte[]{0, 6, 4}, true, false, new SHA512Digest()); + + /** + * A conservative (in terms of security) parameter set that gives 256 bits of security and is optimized for encryption/decryption speed. + */ + public static final NTRUEncryptionKeyGenerationParameters EES1499EP1 = new NTRUEncryptionKeyGenerationParameters(1499, 2048, 79, 79, 256, 13, 17, 19, true, new byte[]{0, 6, 5}, true, false, new SHA512Digest()); + + /** + * A parameter set that gives 128 bits of security and uses simple ternary polynomials. + */ + public static final NTRUEncryptionKeyGenerationParameters APR2011_439 = new NTRUEncryptionKeyGenerationParameters(439, 2048, 146, 130, 128, 9, 32, 9, true, new byte[]{0, 7, 101}, true, false, new SHA256Digest()); + + /** + * Like <code>APR2011_439</code>, this parameter set gives 128 bits of security but uses product-form polynomials and <code>f=1+pF</code>. + */ + public static final NTRUEncryptionKeyGenerationParameters APR2011_439_FAST = new NTRUEncryptionKeyGenerationParameters(439, 2048, 9, 8, 5, 130, 128, 9, 32, 9, true, new byte[]{0, 7, 101}, true, true, new SHA256Digest()); + + /** + * A parameter set that gives 256 bits of security and uses simple ternary polynomials. + */ + public static final NTRUEncryptionKeyGenerationParameters APR2011_743 = new NTRUEncryptionKeyGenerationParameters(743, 2048, 248, 220, 256, 10, 27, 14, true, new byte[]{0, 7, 105}, false, false, new SHA512Digest()); + + /** + * Like <code>APR2011_743</code>, this parameter set gives 256 bits of security but uses product-form polynomials and <code>f=1+pF</code>. + */ + public static final NTRUEncryptionKeyGenerationParameters APR2011_743_FAST = new NTRUEncryptionKeyGenerationParameters(743, 2048, 11, 11, 15, 220, 256, 10, 27, 14, true, new byte[]{0, 7, 105}, false, true, new SHA512Digest()); + + public int N, q, df, df1, df2, df3; + public int dr; + public int dr1; + public int dr2; + public int dr3; + public int dg; + int llen; + public int maxMsgLenBytes; + public int db; + public int bufferLenBits; + int bufferLenTrits; + public int dm0; + public int pkLen; + public int c; + public int minCallsR; + public int minCallsMask; + public boolean hashSeed; + public byte[] oid; + public boolean sparse; + public boolean fastFp; + public int polyType; + public Digest hashAlg; + + /** + * Constructs a parameter set that uses ternary private keys (i.e. <code>polyType=SIMPLE</code>). + * + * @param N number of polynomial coefficients + * @param q modulus + * @param df number of ones in the private polynomial <code>f</code> + * @param dm0 minimum acceptable number of -1's, 0's, and 1's in the polynomial <code>m'</code> in the last encryption step + * @param db number of random bits to prepend to the message + * @param c a parameter for the Index Generation Function ({@link org.spongycastle.pqc.crypto.ntru.IndexGenerator}) + * @param minCallsR minimum number of hash calls for the IGF to make + * @param minCallsMask minimum number of calls to generate the masking polynomial + * @param hashSeed whether to hash the seed in the MGF first (true) or use the seed directly (false) + * @param oid three bytes that uniquely identify the parameter set + * @param sparse whether to treat ternary polynomials as sparsely populated ({@link org.spongycastle.pqc.math.ntru.polynomial.SparseTernaryPolynomial} vs {@link org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial}) + * @param fastFp whether <code>f=1+p*F</code> for a ternary <code>F</code> (true) or <code>f</code> is ternary (false) + * @param hashAlg a valid identifier for a <code>java.security.MessageDigest</code> instance such as <code>SHA-256</code>. The <code>MessageDigest</code> must support the <code>getDigestLength()</code> method. + */ + public NTRUEncryptionKeyGenerationParameters(int N, int q, int df, int dm0, int db, int c, int minCallsR, int minCallsMask, boolean hashSeed, byte[] oid, boolean sparse, boolean fastFp, Digest hashAlg) + { + super(new SecureRandom(), db); + this.N = N; + this.q = q; + this.df = df; + this.db = db; + this.dm0 = dm0; + this.c = c; + this.minCallsR = minCallsR; + this.minCallsMask = minCallsMask; + this.hashSeed = hashSeed; + this.oid = oid; + this.sparse = sparse; + this.fastFp = fastFp; + this.polyType = NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE; + this.hashAlg = hashAlg; + init(); + } + + /** + * Constructs a parameter set that uses product-form private keys (i.e. <code>polyType=PRODUCT</code>). + * + * @param N number of polynomial coefficients + * @param q modulus + * @param df1 number of ones in the private polynomial <code>f1</code> + * @param df2 number of ones in the private polynomial <code>f2</code> + * @param df3 number of ones in the private polynomial <code>f3</code> + * @param dm0 minimum acceptable number of -1's, 0's, and 1's in the polynomial <code>m'</code> in the last encryption step + * @param db number of random bits to prepend to the message + * @param c a parameter for the Index Generation Function ({@link org.spongycastle.pqc.crypto.ntru.IndexGenerator}) + * @param minCallsR minimum number of hash calls for the IGF to make + * @param minCallsMask minimum number of calls to generate the masking polynomial + * @param hashSeed whether to hash the seed in the MGF first (true) or use the seed directly (false) + * @param oid three bytes that uniquely identify the parameter set + * @param sparse whether to treat ternary polynomials as sparsely populated ({@link org.spongycastle.pqc.math.ntru.polynomial.SparseTernaryPolynomial} vs {@link org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial}) + * @param fastFp whether <code>f=1+p*F</code> for a ternary <code>F</code> (true) or <code>f</code> is ternary (false) + * @param hashAlg a valid identifier for a <code>java.security.MessageDigest</code> instance such as <code>SHA-256</code> + */ + public NTRUEncryptionKeyGenerationParameters(int N, int q, int df1, int df2, int df3, int dm0, int db, int c, int minCallsR, int minCallsMask, boolean hashSeed, byte[] oid, boolean sparse, boolean fastFp, Digest hashAlg) + { + super(new SecureRandom(), db); + + this.N = N; + this.q = q; + this.df1 = df1; + this.df2 = df2; + this.df3 = df3; + this.db = db; + this.dm0 = dm0; + this.c = c; + this.minCallsR = minCallsR; + this.minCallsMask = minCallsMask; + this.hashSeed = hashSeed; + this.oid = oid; + this.sparse = sparse; + this.fastFp = fastFp; + this.polyType = NTRUParameters.TERNARY_POLYNOMIAL_TYPE_PRODUCT; + this.hashAlg = hashAlg; + init(); + } + + private void init() + { + dr = df; + dr1 = df1; + dr2 = df2; + dr3 = df3; + dg = N / 3; + llen = 1; // ceil(log2(maxMsgLenBytes)) + maxMsgLenBytes = N * 3 / 2 / 8 - llen - db / 8 - 1; + bufferLenBits = (N * 3 / 2 + 7) / 8 * 8 + 1; + bufferLenTrits = N - 1; + pkLen = db; + } + + /** + * Reads a parameter set from an input stream. + * + * @param is an input stream + * @throws java.io.IOException + */ + public NTRUEncryptionKeyGenerationParameters(InputStream is) + throws IOException + { + super(new SecureRandom(), -1); + DataInputStream dis = new DataInputStream(is); + N = dis.readInt(); + q = dis.readInt(); + df = dis.readInt(); + df1 = dis.readInt(); + df2 = dis.readInt(); + df3 = dis.readInt(); + db = dis.readInt(); + dm0 = dis.readInt(); + c = dis.readInt(); + minCallsR = dis.readInt(); + minCallsMask = dis.readInt(); + hashSeed = dis.readBoolean(); + oid = new byte[3]; + dis.read(oid); + sparse = dis.readBoolean(); + fastFp = dis.readBoolean(); + polyType = dis.read(); + + String alg = dis.readUTF(); + + if ("SHA-512".equals(alg)) + { + hashAlg = new SHA512Digest(); + } + else if ("SHA-256".equals(alg)) + { + hashAlg = new SHA256Digest(); + } + + init(); + } + + public NTRUEncryptionParameters getEncryptionParameters() + { + if (polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE) + { + return new NTRUEncryptionParameters(N, q, df, dm0, db, c, minCallsR, minCallsMask, hashSeed, oid, sparse, fastFp, hashAlg); + } + else + { + return new NTRUEncryptionParameters(N, q, df1, df2, df3, dm0, db, c, minCallsR, minCallsMask, hashSeed, oid, sparse, fastFp, hashAlg); + } + } + + public NTRUEncryptionKeyGenerationParameters clone() + { + if (polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE) + { + return new NTRUEncryptionKeyGenerationParameters(N, q, df, dm0, db, c, minCallsR, minCallsMask, hashSeed, oid, sparse, fastFp, hashAlg); + } + else + { + return new NTRUEncryptionKeyGenerationParameters(N, q, df1, df2, df3, dm0, db, c, minCallsR, minCallsMask, hashSeed, oid, sparse, fastFp, hashAlg); + } + } + + /** + * Returns the maximum length a plaintext message can be with this parameter set. + * + * @return the maximum length in bytes + */ + public int getMaxMessageLength() + { + return maxMsgLenBytes; + } + + /** + * Writes the parameter set to an output stream + * + * @param os an output stream + * @throws java.io.IOException + */ + public void writeTo(OutputStream os) + throws IOException + { + DataOutputStream dos = new DataOutputStream(os); + dos.writeInt(N); + dos.writeInt(q); + dos.writeInt(df); + dos.writeInt(df1); + dos.writeInt(df2); + dos.writeInt(df3); + dos.writeInt(db); + dos.writeInt(dm0); + dos.writeInt(c); + dos.writeInt(minCallsR); + dos.writeInt(minCallsMask); + dos.writeBoolean(hashSeed); + dos.write(oid); + dos.writeBoolean(sparse); + dos.writeBoolean(fastFp); + dos.write(polyType); + dos.writeUTF(hashAlg.getAlgorithmName()); + } + + + public int hashCode() + { + final int prime = 31; + int result = 1; + result = prime * result + N; + result = prime * result + bufferLenBits; + result = prime * result + bufferLenTrits; + result = prime * result + c; + result = prime * result + db; + result = prime * result + df; + result = prime * result + df1; + result = prime * result + df2; + result = prime * result + df3; + result = prime * result + dg; + result = prime * result + dm0; + result = prime * result + dr; + result = prime * result + dr1; + result = prime * result + dr2; + result = prime * result + dr3; + result = prime * result + (fastFp ? 1231 : 1237); + result = prime * result + ((hashAlg == null) ? 0 : hashAlg.getAlgorithmName().hashCode()); + result = prime * result + (hashSeed ? 1231 : 1237); + result = prime * result + llen; + result = prime * result + maxMsgLenBytes; + result = prime * result + minCallsMask; + result = prime * result + minCallsR; + result = prime * result + Arrays.hashCode(oid); + result = prime * result + pkLen; + result = prime * result + polyType; + result = prime * result + q; + result = prime * result + (sparse ? 1231 : 1237); + return result; + } + + public boolean equals(Object obj) + { + if (this == obj) + { + return true; + } + if (obj == null) + { + return false; + } + if (getClass() != obj.getClass()) + { + return false; + } + NTRUEncryptionKeyGenerationParameters other = (NTRUEncryptionKeyGenerationParameters)obj; + if (N != other.N) + { + return false; + } + if (bufferLenBits != other.bufferLenBits) + { + return false; + } + if (bufferLenTrits != other.bufferLenTrits) + { + return false; + } + if (c != other.c) + { + return false; + } + if (db != other.db) + { + return false; + } + if (df != other.df) + { + return false; + } + if (df1 != other.df1) + { + return false; + } + if (df2 != other.df2) + { + return false; + } + if (df3 != other.df3) + { + return false; + } + if (dg != other.dg) + { + return false; + } + if (dm0 != other.dm0) + { + return false; + } + if (dr != other.dr) + { + return false; + } + if (dr1 != other.dr1) + { + return false; + } + if (dr2 != other.dr2) + { + return false; + } + if (dr3 != other.dr3) + { + return false; + } + if (fastFp != other.fastFp) + { + return false; + } + if (hashAlg == null) + { + if (other.hashAlg != null) + { + return false; + } + } + else if (!hashAlg.getAlgorithmName().equals(other.hashAlg.getAlgorithmName())) + { + return false; + } + if (hashSeed != other.hashSeed) + { + return false; + } + if (llen != other.llen) + { + return false; + } + if (maxMsgLenBytes != other.maxMsgLenBytes) + { + return false; + } + if (minCallsMask != other.minCallsMask) + { + return false; + } + if (minCallsR != other.minCallsR) + { + return false; + } + if (!Arrays.equals(oid, other.oid)) + { + return false; + } + if (pkLen != other.pkLen) + { + return false; + } + if (polyType != other.polyType) + { + return false; + } + if (q != other.q) + { + return false; + } + if (sparse != other.sparse) + { + return false; + } + return true; + } + + public String toString() + { + StringBuilder output = new StringBuilder("EncryptionParameters(N=" + N + " q=" + q); + if (polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE) + { + output.append(" polyType=SIMPLE df=" + df); + } + else + { + output.append(" polyType=PRODUCT df1=" + df1 + " df2=" + df2 + " df3=" + df3); + } + output.append(" dm0=" + dm0 + " db=" + db + " c=" + c + " minCallsR=" + minCallsR + " minCallsMask=" + minCallsMask + + " hashSeed=" + hashSeed + " hashAlg=" + hashAlg + " oid=" + Arrays.toString(oid) + " sparse=" + sparse + ")"); + return output.toString(); + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionKeyPairGenerator.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionKeyPairGenerator.java new file mode 100644 index 00000000..fd483f09 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionKeyPairGenerator.java @@ -0,0 +1,113 @@ +package org.spongycastle.pqc.crypto.ntru; + +import org.spongycastle.crypto.AsymmetricCipherKeyPair; +import org.spongycastle.crypto.AsymmetricCipherKeyPairGenerator; +import org.spongycastle.crypto.KeyGenerationParameters; +import org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.IntegerPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.Polynomial; +import org.spongycastle.pqc.math.ntru.polynomial.ProductFormPolynomial; +import org.spongycastle.pqc.math.ntru.util.Util; + +/** + * Generates key pairs.<br> + * The parameter p is hardcoded to 3. + */ +public class NTRUEncryptionKeyPairGenerator + implements AsymmetricCipherKeyPairGenerator +{ + private NTRUEncryptionKeyGenerationParameters params; + + /** + * Constructs a new instance with a set of encryption parameters. + * + * @param param encryption parameters + */ + public void init(KeyGenerationParameters param) + { + this.params = (NTRUEncryptionKeyGenerationParameters)param; + } + + /** + * Generates a new encryption key pair. + * + * @return a key pair + */ + public AsymmetricCipherKeyPair generateKeyPair() + { + int N = params.N; + int q = params.q; + int df = params.df; + int df1 = params.df1; + int df2 = params.df2; + int df3 = params.df3; + int dg = params.dg; + boolean fastFp = params.fastFp; + boolean sparse = params.sparse; + + Polynomial t; + IntegerPolynomial fq; + IntegerPolynomial fp = null; + + // choose a random f that is invertible mod 3 and q + while (true) + { + IntegerPolynomial f; + + // choose random t, calculate f and fp + if (fastFp) + { + // if fastFp=true, f is always invertible mod 3 + t = params.polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE ? Util.generateRandomTernary(N, df, df, sparse, params.getRandom()) : ProductFormPolynomial.generateRandom(N, df1, df2, df3, df3, params.getRandom()); + f = t.toIntegerPolynomial(); + f.mult(3); + f.coeffs[0] += 1; + } + else + { + t = params.polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE ? Util.generateRandomTernary(N, df, df - 1, sparse, params.getRandom()) : ProductFormPolynomial.generateRandom(N, df1, df2, df3, df3 - 1, params.getRandom()); + f = t.toIntegerPolynomial(); + fp = f.invertF3(); + if (fp == null) + { + continue; + } + } + + fq = f.invertFq(q); + if (fq == null) + { + continue; + } + break; + } + + // if fastFp=true, fp=1 + if (fastFp) + { + fp = new IntegerPolynomial(N); + fp.coeffs[0] = 1; + } + + // choose a random g that is invertible mod q + DenseTernaryPolynomial g; + while (true) + { + g = DenseTernaryPolynomial.generateRandom(N, dg, dg - 1, params.getRandom()); + if (g.invertFq(q) != null) + { + break; + } + } + + IntegerPolynomial h = g.mult(fq, q); + h.mult3(q); + h.ensurePositive(q); + g.clear(); + fq.clear(); + + NTRUEncryptionPrivateKeyParameters priv = new NTRUEncryptionPrivateKeyParameters(h, t, fp, params.getEncryptionParameters()); + NTRUEncryptionPublicKeyParameters pub = new NTRUEncryptionPublicKeyParameters(h, params.getEncryptionParameters()); + return new AsymmetricCipherKeyPair(pub, priv); + } +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionKeyParameters.java new file mode 100644 index 00000000..a22eb286 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionKeyParameters.java @@ -0,0 +1,20 @@ +package org.spongycastle.pqc.crypto.ntru; + +import org.spongycastle.crypto.params.AsymmetricKeyParameter; + +public class NTRUEncryptionKeyParameters + extends AsymmetricKeyParameter +{ + final protected NTRUEncryptionParameters params; + + public NTRUEncryptionKeyParameters(boolean privateKey, NTRUEncryptionParameters params) + { + super(privateKey); + this.params = params; + } + + public NTRUEncryptionParameters getParameters() + { + return params; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionParameters.java new file mode 100644 index 00000000..86dabae8 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionParameters.java @@ -0,0 +1,410 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.io.DataInputStream; +import java.io.DataOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.util.Arrays; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.digests.SHA256Digest; +import org.spongycastle.crypto.digests.SHA512Digest; + +/** + * A set of parameters for NtruEncrypt. Several predefined parameter sets are available and new ones can be created as well. + */ +public class NTRUEncryptionParameters + implements Cloneable +{ + + public int N, q, df, df1, df2, df3; + public int dr; + public int dr1; + public int dr2; + public int dr3; + public int dg; + int llen; + public int maxMsgLenBytes; + public int db; + public int bufferLenBits; + int bufferLenTrits; + public int dm0; + public int pkLen; + public int c; + public int minCallsR; + public int minCallsMask; + public boolean hashSeed; + public byte[] oid; + public boolean sparse; + public boolean fastFp; + public int polyType; + public Digest hashAlg; + + /** + * Constructs a parameter set that uses ternary private keys (i.e. <code>polyType=SIMPLE</code>). + * + * @param N number of polynomial coefficients + * @param q modulus + * @param df number of ones in the private polynomial <code>f</code> + * @param dm0 minimum acceptable number of -1's, 0's, and 1's in the polynomial <code>m'</code> in the last encryption step + * @param db number of random bits to prepend to the message + * @param c a parameter for the Index Generation Function ({@link org.spongycastle.pqc.crypto.ntru.IndexGenerator}) + * @param minCallsR minimum number of hash calls for the IGF to make + * @param minCallsMask minimum number of calls to generate the masking polynomial + * @param hashSeed whether to hash the seed in the MGF first (true) or use the seed directly (false) + * @param oid three bytes that uniquely identify the parameter set + * @param sparse whether to treat ternary polynomials as sparsely populated ({@link org.spongycastle.pqc.math.ntru.polynomial.SparseTernaryPolynomial} vs {@link org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial}) + * @param fastFp whether <code>f=1+p*F</code> for a ternary <code>F</code> (true) or <code>f</code> is ternary (false) + * @param hashAlg a valid identifier for a <code>java.security.MessageDigest</code> instance such as <code>SHA-256</code>. The <code>MessageDigest</code> must support the <code>getDigestLength()</code> method. + */ + public NTRUEncryptionParameters(int N, int q, int df, int dm0, int db, int c, int minCallsR, int minCallsMask, boolean hashSeed, byte[] oid, boolean sparse, boolean fastFp, Digest hashAlg) + { + this.N = N; + this.q = q; + this.df = df; + this.db = db; + this.dm0 = dm0; + this.c = c; + this.minCallsR = minCallsR; + this.minCallsMask = minCallsMask; + this.hashSeed = hashSeed; + this.oid = oid; + this.sparse = sparse; + this.fastFp = fastFp; + this.polyType = NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE; + this.hashAlg = hashAlg; + init(); + } + + /** + * Constructs a parameter set that uses product-form private keys (i.e. <code>polyType=PRODUCT</code>). + * + * @param N number of polynomial coefficients + * @param q modulus + * @param df1 number of ones in the private polynomial <code>f1</code> + * @param df2 number of ones in the private polynomial <code>f2</code> + * @param df3 number of ones in the private polynomial <code>f3</code> + * @param dm0 minimum acceptable number of -1's, 0's, and 1's in the polynomial <code>m'</code> in the last encryption step + * @param db number of random bits to prepend to the message + * @param c a parameter for the Index Generation Function ({@link org.spongycastle.pqc.crypto.ntru.IndexGenerator}) + * @param minCallsR minimum number of hash calls for the IGF to make + * @param minCallsMask minimum number of calls to generate the masking polynomial + * @param hashSeed whether to hash the seed in the MGF first (true) or use the seed directly (false) + * @param oid three bytes that uniquely identify the parameter set + * @param sparse whether to treat ternary polynomials as sparsely populated ({@link org.spongycastle.pqc.math.ntru.polynomial.SparseTernaryPolynomial} vs {@link org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial}) + * @param fastFp whether <code>f=1+p*F</code> for a ternary <code>F</code> (true) or <code>f</code> is ternary (false) + * @param hashAlg a valid identifier for a <code>java.security.MessageDigest</code> instance such as <code>SHA-256</code> + */ + public NTRUEncryptionParameters(int N, int q, int df1, int df2, int df3, int dm0, int db, int c, int minCallsR, int minCallsMask, boolean hashSeed, byte[] oid, boolean sparse, boolean fastFp, Digest hashAlg) + { + this.N = N; + this.q = q; + this.df1 = df1; + this.df2 = df2; + this.df3 = df3; + this.db = db; + this.dm0 = dm0; + this.c = c; + this.minCallsR = minCallsR; + this.minCallsMask = minCallsMask; + this.hashSeed = hashSeed; + this.oid = oid; + this.sparse = sparse; + this.fastFp = fastFp; + this.polyType = NTRUParameters.TERNARY_POLYNOMIAL_TYPE_PRODUCT; + this.hashAlg = hashAlg; + init(); + } + + private void init() + { + dr = df; + dr1 = df1; + dr2 = df2; + dr3 = df3; + dg = N / 3; + llen = 1; // ceil(log2(maxMsgLenBytes)) + maxMsgLenBytes = N * 3 / 2 / 8 - llen - db / 8 - 1; + bufferLenBits = (N * 3 / 2 + 7) / 8 * 8 + 1; + bufferLenTrits = N - 1; + pkLen = db; + } + + /** + * Reads a parameter set from an input stream. + * + * @param is an input stream + * @throws IOException + */ + public NTRUEncryptionParameters(InputStream is) + throws IOException + { + DataInputStream dis = new DataInputStream(is); + N = dis.readInt(); + q = dis.readInt(); + df = dis.readInt(); + df1 = dis.readInt(); + df2 = dis.readInt(); + df3 = dis.readInt(); + db = dis.readInt(); + dm0 = dis.readInt(); + c = dis.readInt(); + minCallsR = dis.readInt(); + minCallsMask = dis.readInt(); + hashSeed = dis.readBoolean(); + oid = new byte[3]; + dis.read(oid); + sparse = dis.readBoolean(); + fastFp = dis.readBoolean(); + polyType = dis.read(); + + String alg = dis.readUTF(); + + if ("SHA-512".equals(alg)) + { + hashAlg = new SHA512Digest(); + } + else if ("SHA-256".equals(alg)) + { + hashAlg = new SHA256Digest(); + } + + init(); + } + + public NTRUEncryptionParameters clone() + { + if (polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE) + { + return new NTRUEncryptionParameters(N, q, df, dm0, db, c, minCallsR, minCallsMask, hashSeed, oid, sparse, fastFp, hashAlg); + } + else + { + return new NTRUEncryptionParameters(N, q, df1, df2, df3, dm0, db, c, minCallsR, minCallsMask, hashSeed, oid, sparse, fastFp, hashAlg); + } + } + + /** + * Returns the maximum length a plaintext message can be with this parameter set. + * + * @return the maximum length in bytes + */ + public int getMaxMessageLength() + { + return maxMsgLenBytes; + } + + /** + * Writes the parameter set to an output stream + * + * @param os an output stream + * @throws IOException + */ + public void writeTo(OutputStream os) + throws IOException + { + DataOutputStream dos = new DataOutputStream(os); + dos.writeInt(N); + dos.writeInt(q); + dos.writeInt(df); + dos.writeInt(df1); + dos.writeInt(df2); + dos.writeInt(df3); + dos.writeInt(db); + dos.writeInt(dm0); + dos.writeInt(c); + dos.writeInt(minCallsR); + dos.writeInt(minCallsMask); + dos.writeBoolean(hashSeed); + dos.write(oid); + dos.writeBoolean(sparse); + dos.writeBoolean(fastFp); + dos.write(polyType); + dos.writeUTF(hashAlg.getAlgorithmName()); + } + + + public int hashCode() + { + final int prime = 31; + int result = 1; + result = prime * result + N; + result = prime * result + bufferLenBits; + result = prime * result + bufferLenTrits; + result = prime * result + c; + result = prime * result + db; + result = prime * result + df; + result = prime * result + df1; + result = prime * result + df2; + result = prime * result + df3; + result = prime * result + dg; + result = prime * result + dm0; + result = prime * result + dr; + result = prime * result + dr1; + result = prime * result + dr2; + result = prime * result + dr3; + result = prime * result + (fastFp ? 1231 : 1237); + result = prime * result + ((hashAlg == null) ? 0 : hashAlg.getAlgorithmName().hashCode()); + result = prime * result + (hashSeed ? 1231 : 1237); + result = prime * result + llen; + result = prime * result + maxMsgLenBytes; + result = prime * result + minCallsMask; + result = prime * result + minCallsR; + result = prime * result + Arrays.hashCode(oid); + result = prime * result + pkLen; + result = prime * result + polyType; + result = prime * result + q; + result = prime * result + (sparse ? 1231 : 1237); + return result; + } + + public boolean equals(Object obj) + { + if (this == obj) + { + return true; + } + if (obj == null) + { + return false; + } + if (getClass() != obj.getClass()) + { + return false; + } + NTRUEncryptionParameters other = (NTRUEncryptionParameters)obj; + if (N != other.N) + { + return false; + } + if (bufferLenBits != other.bufferLenBits) + { + return false; + } + if (bufferLenTrits != other.bufferLenTrits) + { + return false; + } + if (c != other.c) + { + return false; + } + if (db != other.db) + { + return false; + } + if (df != other.df) + { + return false; + } + if (df1 != other.df1) + { + return false; + } + if (df2 != other.df2) + { + return false; + } + if (df3 != other.df3) + { + return false; + } + if (dg != other.dg) + { + return false; + } + if (dm0 != other.dm0) + { + return false; + } + if (dr != other.dr) + { + return false; + } + if (dr1 != other.dr1) + { + return false; + } + if (dr2 != other.dr2) + { + return false; + } + if (dr3 != other.dr3) + { + return false; + } + if (fastFp != other.fastFp) + { + return false; + } + if (hashAlg == null) + { + if (other.hashAlg != null) + { + return false; + } + } + else if (!hashAlg.getAlgorithmName().equals(other.hashAlg.getAlgorithmName())) + { + return false; + } + if (hashSeed != other.hashSeed) + { + return false; + } + if (llen != other.llen) + { + return false; + } + if (maxMsgLenBytes != other.maxMsgLenBytes) + { + return false; + } + if (minCallsMask != other.minCallsMask) + { + return false; + } + if (minCallsR != other.minCallsR) + { + return false; + } + if (!Arrays.equals(oid, other.oid)) + { + return false; + } + if (pkLen != other.pkLen) + { + return false; + } + if (polyType != other.polyType) + { + return false; + } + if (q != other.q) + { + return false; + } + if (sparse != other.sparse) + { + return false; + } + return true; + } + + public String toString() + { + StringBuilder output = new StringBuilder("EncryptionParameters(N=" + N + " q=" + q); + if (polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE) + { + output.append(" polyType=SIMPLE df=" + df); + } + else + { + output.append(" polyType=PRODUCT df1=" + df1 + " df2=" + df2 + " df3=" + df3); + } + output.append(" dm0=" + dm0 + " db=" + db + " c=" + c + " minCallsR=" + minCallsR + " minCallsMask=" + minCallsMask + + " hashSeed=" + hashSeed + " hashAlg=" + hashAlg + " oid=" + Arrays.toString(oid) + " sparse=" + sparse + ")"); + return output.toString(); + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionPrivateKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionPrivateKeyParameters.java new file mode 100644 index 00000000..5b0adbea --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionPrivateKeyParameters.java @@ -0,0 +1,199 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; + +import org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.IntegerPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.Polynomial; +import org.spongycastle.pqc.math.ntru.polynomial.ProductFormPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.SparseTernaryPolynomial; + +/** + * A NtruEncrypt private key is essentially a polynomial named <code>f</code> + * which takes different forms depending on whether product-form polynomials are used, + * and on <code>fastP</code><br> + * The inverse of <code>f</code> modulo <code>p</code> is precomputed on initialization. + */ +public class NTRUEncryptionPrivateKeyParameters + extends NTRUEncryptionKeyParameters +{ + public Polynomial t; + public IntegerPolynomial fp; + public IntegerPolynomial h; + + /** + * Constructs a new private key from a polynomial + * + * @param h the public polynomial for the key. + * @param t the polynomial which determines the key: if <code>fastFp=true</code>, <code>f=1+3t</code>; otherwise, <code>f=t</code> + * @param fp the inverse of <code>f</code> + * @param params the NtruEncrypt parameters to use + */ + public NTRUEncryptionPrivateKeyParameters(IntegerPolynomial h, Polynomial t, IntegerPolynomial fp, NTRUEncryptionParameters params) + { + super(true, params); + + this.h = h; + this.t = t; + this.fp = fp; + } + + /** + * Converts a byte array to a polynomial <code>f</code> and constructs a new private key + * + * @param b an encoded polynomial + * @param params the NtruEncrypt parameters to use + * @see #getEncoded() + */ + public NTRUEncryptionPrivateKeyParameters(byte[] b, NTRUEncryptionParameters params) + throws IOException + { + this(new ByteArrayInputStream(b), params); + } + + /** + * Reads a polynomial <code>f</code> from an input stream and constructs a new private key + * + * @param is an input stream + * @param params the NtruEncrypt parameters to use + * @see #writeTo(OutputStream) + */ + public NTRUEncryptionPrivateKeyParameters(InputStream is, NTRUEncryptionParameters params) + throws IOException + { + super(true, params); + + if (params.polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_PRODUCT) + { + int N = params.N; + int df1 = params.df1; + int df2 = params.df2; + int df3Ones = params.df3; + int df3NegOnes = params.fastFp ? params.df3 : params.df3 - 1; + h = IntegerPolynomial.fromBinary(is, params.N, params.q); + t = ProductFormPolynomial.fromBinary(is, N, df1, df2, df3Ones, df3NegOnes); + } + else + { + h = IntegerPolynomial.fromBinary(is, params.N, params.q); + IntegerPolynomial fInt = IntegerPolynomial.fromBinary3Tight(is, params.N); + t = params.sparse ? new SparseTernaryPolynomial(fInt) : new DenseTernaryPolynomial(fInt); + } + + init(); + } + + /** + * Initializes <code>fp</code> from t. + */ + private void init() + { + if (params.fastFp) + { + fp = new IntegerPolynomial(params.N); + fp.coeffs[0] = 1; + } + else + { + fp = t.toIntegerPolynomial().invertF3(); + } + } + + /** + * Converts the key to a byte array + * + * @return the encoded key + * @see #NTRUEncryptionPrivateKeyParameters(byte[], NTRUEncryptionParameters) + */ + public byte[] getEncoded() + { + byte[] hBytes = h.toBinary(params.q); + byte[] tBytes; + + if (t instanceof ProductFormPolynomial) + { + tBytes = ((ProductFormPolynomial)t).toBinary(); + } + else + { + tBytes = t.toIntegerPolynomial().toBinary3Tight(); + } + + byte[] res = new byte[hBytes.length + tBytes.length]; + + System.arraycopy(hBytes, 0, res, 0, hBytes.length); + System.arraycopy(tBytes, 0, res, hBytes.length, tBytes.length); + + return res; + } + + /** + * Writes the key to an output stream + * + * @param os an output stream + * @throws IOException + * @see #NTRUEncryptionPrivateKeyParameters(InputStream, NTRUEncryptionParameters) + */ + public void writeTo(OutputStream os) + throws IOException + { + os.write(getEncoded()); + } + + public int hashCode() + { + final int prime = 31; + int result = 1; + result = prime * result + ((params == null) ? 0 : params.hashCode()); + result = prime * result + ((t == null) ? 0 : t.hashCode()); + result = prime * result + ((h == null) ? 0 : h.hashCode()); + return result; + } + + public boolean equals(Object obj) + { + if (this == obj) + { + return true; + } + if (obj == null) + { + return false; + } + if (!(obj instanceof NTRUEncryptionPrivateKeyParameters)) + { + return false; + } + NTRUEncryptionPrivateKeyParameters other = (NTRUEncryptionPrivateKeyParameters)obj; + if (params == null) + { + if (other.params != null) + { + return false; + } + } + else if (!params.equals(other.params)) + { + return false; + } + if (t == null) + { + if (other.t != null) + { + return false; + } + } + else if (!t.equals(other.t)) + { + return false; + } + if (!h.equals(other.h)) + { + return false; + } + return true; + } +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionPublicKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionPublicKeyParameters.java new file mode 100644 index 00000000..0f3abd9c --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEncryptionPublicKeyParameters.java @@ -0,0 +1,131 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; + +import org.spongycastle.pqc.math.ntru.polynomial.IntegerPolynomial; + +/** + * A NtruEncrypt public key is essentially a polynomial named <code>h</code>. + */ +public class NTRUEncryptionPublicKeyParameters + extends NTRUEncryptionKeyParameters +{ + public IntegerPolynomial h; + + /** + * Constructs a new public key from a polynomial + * + * @param h the polynomial <code>h</code> which determines the key + * @param params the NtruEncrypt parameters to use + */ + public NTRUEncryptionPublicKeyParameters(IntegerPolynomial h, NTRUEncryptionParameters params) + { + super(false, params); + + this.h = h; + } + + /** + * Converts a byte array to a polynomial <code>h</code> and constructs a new public key + * + * @param b an encoded polynomial + * @param params the NtruEncrypt parameters to use + * @see #getEncoded() + */ + public NTRUEncryptionPublicKeyParameters(byte[] b, NTRUEncryptionParameters params) + { + super(false, params); + + h = IntegerPolynomial.fromBinary(b, params.N, params.q); + } + + /** + * Reads a polynomial <code>h</code> from an input stream and constructs a new public key + * + * @param is an input stream + * @param params the NtruEncrypt parameters to use + * @see #writeTo(OutputStream) + */ + public NTRUEncryptionPublicKeyParameters(InputStream is, NTRUEncryptionParameters params) + throws IOException + { + super(false, params); + + h = IntegerPolynomial.fromBinary(is, params.N, params.q); + } + + /** + * Converts the key to a byte array + * + * @return the encoded key + * @see #NTRUEncryptionPublicKeyParameters(byte[], NTRUEncryptionParameters) + */ + public byte[] getEncoded() + { + return h.toBinary(params.q); + } + + /** + * Writes the key to an output stream + * + * @param os an output stream + * @throws IOException + * @see #NTRUEncryptionPublicKeyParameters(InputStream, NTRUEncryptionParameters) + */ + public void writeTo(OutputStream os) + throws IOException + { + os.write(getEncoded()); + } + + public int hashCode() + { + final int prime = 31; + int result = 1; + result = prime * result + ((h == null) ? 0 : h.hashCode()); + result = prime * result + ((params == null) ? 0 : params.hashCode()); + return result; + } + + public boolean equals(Object obj) + { + if (this == obj) + { + return true; + } + if (obj == null) + { + return false; + } + if (!(obj instanceof NTRUEncryptionPublicKeyParameters)) + { + return false; + } + NTRUEncryptionPublicKeyParameters other = (NTRUEncryptionPublicKeyParameters)obj; + if (h == null) + { + if (other.h != null) + { + return false; + } + } + else if (!h.equals(other.h)) + { + return false; + } + if (params == null) + { + if (other.params != null) + { + return false; + } + } + else if (!params.equals(other.params)) + { + return false; + } + return true; + } +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEngine.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEngine.java new file mode 100644 index 00000000..571057e2 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUEngine.java @@ -0,0 +1,495 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.AsymmetricBlockCipher; +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.DataLengthException; +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.InvalidCipherTextException; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.IntegerPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.Polynomial; +import org.spongycastle.pqc.math.ntru.polynomial.ProductFormPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.SparseTernaryPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.TernaryPolynomial; +import org.spongycastle.util.Arrays; + +/** + * Encrypts, decrypts data and generates key pairs.<br> + * The parameter p is hardcoded to 3. + */ +public class NTRUEngine + implements AsymmetricBlockCipher +{ + private boolean forEncryption; + private NTRUEncryptionParameters params; + private NTRUEncryptionPublicKeyParameters pubKey; + private NTRUEncryptionPrivateKeyParameters privKey; + private SecureRandom random; + + /** + * Constructs a new instance with a set of encryption parameters. + * + */ + public NTRUEngine() + { + } + + public void init(boolean forEncryption, CipherParameters parameters) + { + this.forEncryption = forEncryption; + if (forEncryption) + { + if (parameters instanceof ParametersWithRandom) + { + ParametersWithRandom p = (ParametersWithRandom)parameters; + + this.random = p.getRandom(); + this.pubKey = (NTRUEncryptionPublicKeyParameters)p.getParameters(); + } + else + { + this.random = new SecureRandom(); + this.pubKey = (NTRUEncryptionPublicKeyParameters)parameters; + } + + this.params = pubKey.getParameters(); + } + else + { + this.privKey = (NTRUEncryptionPrivateKeyParameters)parameters; + this.params = privKey.getParameters(); + } + } + + public int getInputBlockSize() + { + return params.maxMsgLenBytes; + } + + public int getOutputBlockSize() + { + return ((params.N * log2(params.q)) + 7) / 8; + } + + public byte[] processBlock(byte[] in, int inOff, int len) + throws InvalidCipherTextException + { + byte[] tmp = new byte[len]; + + System.arraycopy(in, inOff, tmp, 0, len); + + if (forEncryption) + { + return encrypt(tmp, pubKey); + } + else + { + return decrypt(tmp, privKey); + } + } + + /** + * Encrypts a message.<br/> + * See P1363.1 section 9.2.2. + * + * @param m The message to encrypt + * @param pubKey the public key to encrypt the message with + * @return the encrypted message + */ + private byte[] encrypt(byte[] m, NTRUEncryptionPublicKeyParameters pubKey) + { + IntegerPolynomial pub = pubKey.h; + int N = params.N; + int q = params.q; + + int maxLenBytes = params.maxMsgLenBytes; + int db = params.db; + int bufferLenBits = params.bufferLenBits; + int dm0 = params.dm0; + int pkLen = params.pkLen; + int minCallsMask = params.minCallsMask; + boolean hashSeed = params.hashSeed; + byte[] oid = params.oid; + + int l = m.length; + if (maxLenBytes > 255) + { + throw new IllegalArgumentException("llen values bigger than 1 are not supported"); + } + if (l > maxLenBytes) + { + throw new DataLengthException("Message too long: " + l + ">" + maxLenBytes); + } + + while (true) + { + // M = b|octL|m|p0 + byte[] b = new byte[db / 8]; + random.nextBytes(b); + byte[] p0 = new byte[maxLenBytes + 1 - l]; + byte[] M = new byte[bufferLenBits / 8]; + + System.arraycopy(b, 0, M, 0, b.length); + M[b.length] = (byte)l; + System.arraycopy(m, 0, M, b.length + 1, m.length); + System.arraycopy(p0, 0, M, b.length + 1 + m.length, p0.length); + + IntegerPolynomial mTrin = IntegerPolynomial.fromBinary3Sves(M, N); + + // sData = OID|m|b|hTrunc + byte[] bh = pub.toBinary(q); + byte[] hTrunc = copyOf(bh, pkLen / 8); + byte[] sData = buildSData(oid, m, l, b, hTrunc); + + Polynomial r = generateBlindingPoly(sData, M); + IntegerPolynomial R = r.mult(pub, q); + IntegerPolynomial R4 = (IntegerPolynomial)R.clone(); + R4.modPositive(4); + byte[] oR4 = R4.toBinary(4); + IntegerPolynomial mask = MGF(oR4, N, minCallsMask, hashSeed); + mTrin.add(mask); + mTrin.mod3(); + + if (mTrin.count(-1) < dm0) + { + continue; + } + if (mTrin.count(0) < dm0) + { + continue; + } + if (mTrin.count(1) < dm0) + { + continue; + } + + R.add(mTrin, q); + R.ensurePositive(q); + return R.toBinary(q); + } + } + + private byte[] buildSData(byte[] oid, byte[] m, int l, byte[] b, byte[] hTrunc) + { + byte[] sData = new byte[oid.length + l + b.length + hTrunc.length]; + + System.arraycopy(oid, 0, sData, 0, oid.length); + System.arraycopy(m, 0, sData, oid.length, m.length); + System.arraycopy(b, 0, sData, oid.length + m.length, b.length); + System.arraycopy(hTrunc, 0, sData, oid.length + m.length + b.length, hTrunc.length); + return sData; + } + + protected IntegerPolynomial encrypt(IntegerPolynomial m, TernaryPolynomial r, IntegerPolynomial pubKey) + { + IntegerPolynomial e = r.mult(pubKey, params.q); + e.add(m, params.q); + e.ensurePositive(params.q); + return e; + } + + /** + * Deterministically generates a blinding polynomial from a seed and a message representative. + * + * @param seed + * @param M message representative + * @return a blinding polynomial + */ + private Polynomial generateBlindingPoly(byte[] seed, byte[] M) + { + IndexGenerator ig = new IndexGenerator(seed, params); + + if (params.polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_PRODUCT) + { + SparseTernaryPolynomial r1 = new SparseTernaryPolynomial(generateBlindingCoeffs(ig, params.dr1)); + SparseTernaryPolynomial r2 = new SparseTernaryPolynomial(generateBlindingCoeffs(ig, params.dr2)); + SparseTernaryPolynomial r3 = new SparseTernaryPolynomial(generateBlindingCoeffs(ig, params.dr3)); + return new ProductFormPolynomial(r1, r2, r3); + } + else + { + int dr = params.dr; + boolean sparse = params.sparse; + int[] r = generateBlindingCoeffs(ig, dr); + if (sparse) + { + return new SparseTernaryPolynomial(r); + } + else + { + return new DenseTernaryPolynomial(r); + } + } + } + + /** + * Generates an <code>int</code> array containing <code>dr</code> elements equal to <code>1</code> + * and <code>dr</code> elements equal to <code>-1</code> using an index generator. + * + * @param ig an index generator + * @param dr number of ones / negative ones + * @return an array containing numbers between <code>-1</code> and <code>1</code> + */ + private int[] generateBlindingCoeffs(IndexGenerator ig, int dr) + { + int N = params.N; + + int[] r = new int[N]; + for (int coeff = -1; coeff <= 1; coeff += 2) + { + int t = 0; + while (t < dr) + { + int i = ig.nextIndex(); + if (r[i] == 0) + { + r[i] = coeff; + t++; + } + } + } + + return r; + } + + /** + * An implementation of MGF-TP-1 from P1363.1 section 8.4.1.1. + * + * @param seed + * @param N + * @param minCallsR + * @param hashSeed whether to hash the seed + * @return + */ + private IntegerPolynomial MGF(byte[] seed, int N, int minCallsR, boolean hashSeed) + { + Digest hashAlg = params.hashAlg; + int hashLen = hashAlg.getDigestSize(); + byte[] buf = new byte[minCallsR * hashLen]; + byte[] Z = hashSeed ? calcHash(hashAlg, seed) : seed; + int counter = 0; + while (counter < minCallsR) + { + hashAlg.update(Z, 0, Z.length); + putInt(hashAlg, counter); + + byte[] hash = calcHash(hashAlg); + System.arraycopy(hash, 0, buf, counter * hashLen, hashLen); + counter++; + } + + IntegerPolynomial i = new IntegerPolynomial(N); + while (true) + { + int cur = 0; + for (int index = 0; index != buf.length; index++) + { + int O = (int)buf[index] & 0xFF; + if (O >= 243) // 243 = 3^5 + { + continue; + } + + for (int terIdx = 0; terIdx < 4; terIdx++) + { + int rem3 = O % 3; + i.coeffs[cur] = rem3 - 1; + cur++; + if (cur == N) + { + return i; + } + O = (O - rem3) / 3; + } + + i.coeffs[cur] = O - 1; + cur++; + if (cur == N) + { + return i; + } + } + + if (cur >= N) + { + return i; + } + + hashAlg.update(Z, 0, Z.length); + putInt(hashAlg, counter); + + byte[] hash = calcHash(hashAlg); + + buf = hash; + + counter++; + } + } + + private void putInt(Digest hashAlg, int counter) + { + hashAlg.update((byte)(counter >> 24)); + hashAlg.update((byte)(counter >> 16)); + hashAlg.update((byte)(counter >> 8)); + hashAlg.update((byte)counter); + } + + private byte[] calcHash(Digest hashAlg) + { + byte[] tmp = new byte[hashAlg.getDigestSize()]; + + hashAlg.doFinal(tmp, 0); + + return tmp; + } + + private byte[] calcHash(Digest hashAlg, byte[] input) + { + byte[] tmp = new byte[hashAlg.getDigestSize()]; + + hashAlg.update(input, 0, input.length); + hashAlg.doFinal(tmp, 0); + + return tmp; + } + /** + * Decrypts a message.<br/> + * See P1363.1 section 9.2.3. + * + * @param data The message to decrypt + * @param privKey the corresponding private key + * @return the decrypted message + * @throws InvalidCipherTextException if the encrypted data is invalid, or <code>maxLenBytes</code> is greater than 255 + */ + private byte[] decrypt(byte[] data, NTRUEncryptionPrivateKeyParameters privKey) + throws InvalidCipherTextException + { + Polynomial priv_t = privKey.t; + IntegerPolynomial priv_fp = privKey.fp; + IntegerPolynomial pub = privKey.h; + int N = params.N; + int q = params.q; + int db = params.db; + int maxMsgLenBytes = params.maxMsgLenBytes; + int dm0 = params.dm0; + int pkLen = params.pkLen; + int minCallsMask = params.minCallsMask; + boolean hashSeed = params.hashSeed; + byte[] oid = params.oid; + + if (maxMsgLenBytes > 255) + { + throw new DataLengthException("maxMsgLenBytes values bigger than 255 are not supported"); + } + + int bLen = db / 8; + + IntegerPolynomial e = IntegerPolynomial.fromBinary(data, N, q); + IntegerPolynomial ci = decrypt(e, priv_t, priv_fp); + + if (ci.count(-1) < dm0) + { + throw new InvalidCipherTextException("Less than dm0 coefficients equal -1"); + } + if (ci.count(0) < dm0) + { + throw new InvalidCipherTextException("Less than dm0 coefficients equal 0"); + } + if (ci.count(1) < dm0) + { + throw new InvalidCipherTextException("Less than dm0 coefficients equal 1"); + } + + IntegerPolynomial cR = (IntegerPolynomial)e.clone(); + cR.sub(ci); + cR.modPositive(q); + IntegerPolynomial cR4 = (IntegerPolynomial)cR.clone(); + cR4.modPositive(4); + byte[] coR4 = cR4.toBinary(4); + IntegerPolynomial mask = MGF(coR4, N, minCallsMask, hashSeed); + IntegerPolynomial cMTrin = ci; + cMTrin.sub(mask); + cMTrin.mod3(); + byte[] cM = cMTrin.toBinary3Sves(); + + byte[] cb = new byte[bLen]; + System.arraycopy(cM, 0, cb, 0, bLen); + int cl = cM[bLen] & 0xFF; // llen=1, so read one byte + if (cl > maxMsgLenBytes) + { + throw new InvalidCipherTextException("Message too long: " + cl + ">" + maxMsgLenBytes); + } + byte[] cm = new byte[cl]; + System.arraycopy(cM, bLen + 1, cm, 0, cl); + byte[] p0 = new byte[cM.length - (bLen + 1 + cl)]; + System.arraycopy(cM, bLen + 1 + cl, p0, 0, p0.length); + if (!Arrays.areEqual(p0, new byte[p0.length])) + { + throw new InvalidCipherTextException("The message is not followed by zeroes"); + } + + // sData = OID|m|b|hTrunc + byte[] bh = pub.toBinary(q); + byte[] hTrunc = copyOf(bh, pkLen / 8); + byte[] sData = buildSData(oid, cm, cl, cb, hTrunc); + + Polynomial cr = generateBlindingPoly(sData, cm); + IntegerPolynomial cRPrime = cr.mult(pub); + cRPrime.modPositive(q); + if (!cRPrime.equals(cR)) + { + throw new InvalidCipherTextException("Invalid message encoding"); + } + + return cm; + } + + /** + * @param e + * @param priv_t a polynomial such that if <code>fastFp=true</code>, <code>f=1+3*priv_t</code>; otherwise, <code>f=priv_t</code> + * @param priv_fp + * @return + */ + protected IntegerPolynomial decrypt(IntegerPolynomial e, Polynomial priv_t, IntegerPolynomial priv_fp) + { + IntegerPolynomial a; + if (params.fastFp) + { + a = priv_t.mult(e, params.q); + a.mult(3); + a.add(e); + } + else + { + a = priv_t.mult(e, params.q); + } + a.center0(params.q); + a.mod3(); + + IntegerPolynomial c = params.fastFp ? a : new DenseTernaryPolynomial(a).mult(priv_fp, 3); + c.center0(3); + return c; + } + + private byte[] copyOf(byte[] src, int len) + { + byte[] tmp = new byte[len]; + + System.arraycopy(src, 0, tmp, 0, len < src.length ? len : src.length); + + return tmp; + } + + private int log2(int value) + { + if (value == 2048) + { + return 11; + } + + throw new IllegalStateException("log2 not fully implemented"); + } +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUParameters.java new file mode 100644 index 00000000..3ce2154d --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUParameters.java @@ -0,0 +1,7 @@ +package org.spongycastle.pqc.crypto.ntru; + +public class NTRUParameters +{ + public static final int TERNARY_POLYNOMIAL_TYPE_SIMPLE = 0; + public static final int TERNARY_POLYNOMIAL_TYPE_PRODUCT = 1; +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigner.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigner.java new file mode 100644 index 00000000..0886cff1 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigner.java @@ -0,0 +1,263 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.nio.ByteBuffer; + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.Digest; +import org.spongycastle.pqc.math.ntru.polynomial.IntegerPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.Polynomial; + +/** +* Signs, verifies data and generates key pairs. +* @deprecated the NTRUSigner algorithm was broken in 2012 by Ducas and Nguyen. See +* <a href="http://www.di.ens.fr/~ducas/NTRUSign_Cryptanalysis/DucasNguyen_Learning.pdf"> +* http://www.di.ens.fr/~ducas/NTRUSign_Cryptanalysis/DucasNguyen_Learning.pdf</a> +* for details. +*/ +public class NTRUSigner +{ + private NTRUSigningParameters params; + private Digest hashAlg; + private NTRUSigningPrivateKeyParameters signingKeyPair; + private NTRUSigningPublicKeyParameters verificationKey; + + /** + * Constructs a new instance with a set of signature parameters. + * + * @param params signature parameters + */ + public NTRUSigner(NTRUSigningParameters params) + { + this.params = params; + } + + /** + * Resets the engine for signing a message. + * + * @param forSigning + * @param params + */ + public void init(boolean forSigning, CipherParameters params) + { + if (forSigning) + { + this.signingKeyPair = (NTRUSigningPrivateKeyParameters)params; + } + else + { + this.verificationKey = (NTRUSigningPublicKeyParameters)params; + } + hashAlg = this.params.hashAlg; + hashAlg.reset(); + } + + /** + * Adds data to sign or verify. + * + * @param b data + */ + public void update(byte b) + { + if (hashAlg == null) + { + throw new IllegalStateException("Call initSign or initVerify first!"); + } + + hashAlg.update(b); + } + + /** + * Adds data to sign or verify. + * + * @param m data + * @param off offset + * @param length number of bytes + */ + public void update(byte[] m, int off, int length) + { + if (hashAlg == null) + { + throw new IllegalStateException("Call initSign or initVerify first!"); + } + + hashAlg.update(m, off, length); + } + + /** + * Adds data to sign and computes a signature over this data and any data previously added via {@link #update(byte[], int, int)}. + * + * @return a signature + * @throws IllegalStateException if <code>initSign</code> was not called + */ + public byte[] generateSignature() + { + if (hashAlg == null || signingKeyPair == null) + { + throw new IllegalStateException("Call initSign first!"); + } + + byte[] msgHash = new byte[hashAlg.getDigestSize()]; + + hashAlg.doFinal(msgHash, 0); + return signHash(msgHash, signingKeyPair); + } + + private byte[] signHash(byte[] msgHash, NTRUSigningPrivateKeyParameters kp) + { + int r = 0; + IntegerPolynomial s; + IntegerPolynomial i; + + NTRUSigningPublicKeyParameters kPub = kp.getPublicKey(); + do + { + r++; + if (r > params.signFailTolerance) + { + throw new IllegalStateException("Signing failed: too many retries (max=" + params.signFailTolerance + ")"); + } + i = createMsgRep(msgHash, r); + s = sign(i, kp); + } + while (!verify(i, s, kPub.h)); + + byte[] rawSig = s.toBinary(params.q); + ByteBuffer sbuf = ByteBuffer.allocate(rawSig.length + 4); + sbuf.put(rawSig); + sbuf.putInt(r); + return sbuf.array(); + } + + private IntegerPolynomial sign(IntegerPolynomial i, NTRUSigningPrivateKeyParameters kp) + { + int N = params.N; + int q = params.q; + int perturbationBases = params.B; + + NTRUSigningPrivateKeyParameters kPriv = kp; + NTRUSigningPublicKeyParameters kPub = kp.getPublicKey(); + + IntegerPolynomial s = new IntegerPolynomial(N); + int iLoop = perturbationBases; + while (iLoop >= 1) + { + Polynomial f = kPriv.getBasis(iLoop).f; + Polynomial fPrime = kPriv.getBasis(iLoop).fPrime; + + IntegerPolynomial y = f.mult(i); + y.div(q); + y = fPrime.mult(y); + + IntegerPolynomial x = fPrime.mult(i); + x.div(q); + x = f.mult(x); + + IntegerPolynomial si = y; + si.sub(x); + s.add(si); + + IntegerPolynomial hi = (IntegerPolynomial)kPriv.getBasis(iLoop).h.clone(); + if (iLoop > 1) + { + hi.sub(kPriv.getBasis(iLoop - 1).h); + } + else + { + hi.sub(kPub.h); + } + i = si.mult(hi, q); + + iLoop--; + } + + Polynomial f = kPriv.getBasis(0).f; + Polynomial fPrime = kPriv.getBasis(0).fPrime; + + IntegerPolynomial y = f.mult(i); + y.div(q); + y = fPrime.mult(y); + + IntegerPolynomial x = fPrime.mult(i); + x.div(q); + x = f.mult(x); + + y.sub(x); + s.add(y); + s.modPositive(q); + return s; + } + + /** + * Verifies a signature for any data previously added via {@link #update(byte[], int, int)}. + * + * @param sig a signature + * @return whether the signature is valid + * @throws IllegalStateException if <code>initVerify</code> was not called + */ + public boolean verifySignature(byte[] sig) + { + if (hashAlg == null || verificationKey == null) + { + throw new IllegalStateException("Call initVerify first!"); + } + + byte[] msgHash = new byte[hashAlg.getDigestSize()]; + + hashAlg.doFinal(msgHash, 0); + + return verifyHash(msgHash, sig, verificationKey); + } + + private boolean verifyHash(byte[] msgHash, byte[] sig, NTRUSigningPublicKeyParameters pub) + { + ByteBuffer sbuf = ByteBuffer.wrap(sig); + byte[] rawSig = new byte[sig.length - 4]; + sbuf.get(rawSig); + IntegerPolynomial s = IntegerPolynomial.fromBinary(rawSig, params.N, params.q); + int r = sbuf.getInt(); + return verify(createMsgRep(msgHash, r), s, pub.h); + } + + private boolean verify(IntegerPolynomial i, IntegerPolynomial s, IntegerPolynomial h) + { + int q = params.q; + double normBoundSq = params.normBoundSq; + double betaSq = params.betaSq; + + IntegerPolynomial t = h.mult(s, q); + t.sub(i); + long centeredNormSq = (long)(s.centeredNormSq(q) + betaSq * t.centeredNormSq(q)); + return centeredNormSq <= normBoundSq; + } + + protected IntegerPolynomial createMsgRep(byte[] msgHash, int r) + { + int N = params.N; + int q = params.q; + + int c = 31 - Integer.numberOfLeadingZeros(q); + int B = (c + 7) / 8; + IntegerPolynomial i = new IntegerPolynomial(N); + + ByteBuffer cbuf = ByteBuffer.allocate(msgHash.length + 4); + cbuf.put(msgHash); + cbuf.putInt(r); + NTRUSignerPrng prng = new NTRUSignerPrng(cbuf.array(), params.hashAlg); + + for (int t = 0; t < N; t++) + { + byte[] o = prng.nextBytes(B); + int hi = o[o.length - 1]; + hi >>= 8 * B - c; + hi <<= 8 * B - c; + o[o.length - 1] = (byte)hi; + + ByteBuffer obuf = ByteBuffer.allocate(4); + obuf.put(o); + obuf.rewind(); + // reverse byte order so it matches the endianness of java ints + i.coeffs[t] = Integer.reverseBytes(obuf.getInt()); + } + return i; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSignerPrng.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSignerPrng.java new file mode 100644 index 00000000..c9278dd5 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSignerPrng.java @@ -0,0 +1,64 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.nio.ByteBuffer; + +import org.spongycastle.crypto.Digest; + +/** + * An implementation of the deterministic pseudo-random generator in EESS section 3.7.3.1 + */ +public class NTRUSignerPrng +{ + private int counter; + private byte[] seed; + private Digest hashAlg; + + /** + * Constructs a new PRNG and seeds it with a byte array. + * + * @param seed a seed + * @param hashAlg the hash algorithm to use + */ + NTRUSignerPrng(byte[] seed, Digest hashAlg) + { + counter = 0; + this.seed = seed; + this.hashAlg = hashAlg; + } + + /** + * Returns <code>n</code> random bytes + * + * @param n number of bytes to return + * @return the next <code>n</code> random bytes + */ + byte[] nextBytes(int n) + { + ByteBuffer buf = ByteBuffer.allocate(n); + + while (buf.hasRemaining()) + { + ByteBuffer cbuf = ByteBuffer.allocate(seed.length + 4); + cbuf.put(seed); + cbuf.putInt(counter); + byte[] array = cbuf.array(); + byte[] hash = new byte[hashAlg.getDigestSize()]; + + hashAlg.update(array, 0, array.length); + + hashAlg.doFinal(hash, 0); + + if (buf.remaining() < hash.length) + { + buf.put(hash, 0, buf.remaining()); + } + else + { + buf.put(hash); + } + counter++; + } + + return buf.array(); + } +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningKeyGenerationParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningKeyGenerationParameters.java new file mode 100644 index 00000000..f9c17f1c --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningKeyGenerationParameters.java @@ -0,0 +1,407 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.io.DataInputStream; +import java.io.DataOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.security.SecureRandom; +import java.text.DecimalFormat; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.KeyGenerationParameters; +import org.spongycastle.crypto.digests.SHA256Digest; +import org.spongycastle.crypto.digests.SHA512Digest; + +/** + * A set of parameters for NtruSign. Several predefined parameter sets are available and new ones can be created as well. + */ +public class NTRUSigningKeyGenerationParameters + extends KeyGenerationParameters + implements Cloneable +{ + public static final int BASIS_TYPE_STANDARD = 0; + public static final int BASIS_TYPE_TRANSPOSE = 1; + + public static final int KEY_GEN_ALG_RESULTANT = 0; + public static final int KEY_GEN_ALG_FLOAT = 1; + + /** + * Gives 128 bits of security + */ + public static final NTRUSigningKeyGenerationParameters APR2011_439 = new NTRUSigningKeyGenerationParameters(439, 2048, 146, 1, BASIS_TYPE_TRANSPOSE, 0.165, 490, 280, false, true, KEY_GEN_ALG_RESULTANT, new SHA256Digest()); + + /** + * Like <code>APR2011_439</code>, this parameter set gives 128 bits of security but uses product-form polynomials + */ + public static final NTRUSigningKeyGenerationParameters APR2011_439_PROD = new NTRUSigningKeyGenerationParameters(439, 2048, 9, 8, 5, 1, BASIS_TYPE_TRANSPOSE, 0.165, 490, 280, false, true, KEY_GEN_ALG_RESULTANT, new SHA256Digest()); + + /** + * Gives 256 bits of security + */ + public static final NTRUSigningKeyGenerationParameters APR2011_743 = new NTRUSigningKeyGenerationParameters(743, 2048, 248, 1, BASIS_TYPE_TRANSPOSE, 0.127, 560, 360, true, false, KEY_GEN_ALG_RESULTANT, new SHA512Digest()); + + /** + * Like <code>APR2011_439</code>, this parameter set gives 256 bits of security but uses product-form polynomials + */ + public static final NTRUSigningKeyGenerationParameters APR2011_743_PROD = new NTRUSigningKeyGenerationParameters(743, 2048, 11, 11, 15, 1, BASIS_TYPE_TRANSPOSE, 0.127, 560, 360, true, false, KEY_GEN_ALG_RESULTANT, new SHA512Digest()); + + /** + * Generates key pairs quickly. Use for testing only. + */ + public static final NTRUSigningKeyGenerationParameters TEST157 = new NTRUSigningKeyGenerationParameters(157, 256, 29, 1, BASIS_TYPE_TRANSPOSE, 0.38, 200, 80, false, false, KEY_GEN_ALG_RESULTANT, new SHA256Digest()); + /** + * Generates key pairs quickly. Use for testing only. + */ + public static final NTRUSigningKeyGenerationParameters TEST157_PROD = new NTRUSigningKeyGenerationParameters(157, 256, 5, 5, 8, 1, BASIS_TYPE_TRANSPOSE, 0.38, 200, 80, false, false, KEY_GEN_ALG_RESULTANT, new SHA256Digest()); + + + public int N; + public int q; + public int d, d1, d2, d3, B; + double beta; + public double betaSq; + double normBound; + public double normBoundSq; + public int signFailTolerance = 100; + double keyNormBound; + public double keyNormBoundSq; + public boolean primeCheck; // true if N and 2N+1 are prime + public int basisType; + int bitsF = 6; // max #bits needed to encode one coefficient of the polynomial F + public boolean sparse; // whether to treat ternary polynomials as sparsely populated + public int keyGenAlg; + public Digest hashAlg; + public int polyType; + + /** + * Constructs a parameter set that uses ternary private keys (i.e. <code>polyType=SIMPLE</code>). + * + * @param N number of polynomial coefficients + * @param q modulus + * @param d number of -1's in the private polynomials <code>f</code> and <code>g</code> + * @param B number of perturbations + * @param basisType whether to use the standard or transpose lattice + * @param beta balancing factor for the transpose lattice + * @param normBound maximum norm for valid signatures + * @param keyNormBound maximum norm for the ploynomials <code>F</code> and <code>G</code> + * @param primeCheck whether <code>2N+1</code> is prime + * @param sparse whether to treat ternary polynomials as sparsely populated ({@link org.spongycastle.pqc.math.ntru.polynomial.SparseTernaryPolynomial} vs {@link org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial}) + * @param keyGenAlg <code>RESULTANT</code> produces better bases, <code>FLOAT</code> is slightly faster. <code>RESULTANT</code> follows the EESS standard while <code>FLOAT</code> is described in Hoffstein et al: An Introduction to Mathematical Cryptography. + * @param hashAlg a valid identifier for a <code>java.security.MessageDigest</code> instance such as <code>SHA-256</code>. The <code>MessageDigest</code> must support the <code>getDigestLength()</code> method. + */ + public NTRUSigningKeyGenerationParameters(int N, int q, int d, int B, int basisType, double beta, double normBound, double keyNormBound, boolean primeCheck, boolean sparse, int keyGenAlg, Digest hashAlg) + { + super(new SecureRandom(), N); + this.N = N; + this.q = q; + this.d = d; + this.B = B; + this.basisType = basisType; + this.beta = beta; + this.normBound = normBound; + this.keyNormBound = keyNormBound; + this.primeCheck = primeCheck; + this.sparse = sparse; + this.keyGenAlg = keyGenAlg; + this.hashAlg = hashAlg; + polyType = NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE; + init(); + } + + /** + * Constructs a parameter set that uses product-form private keys (i.e. <code>polyType=PRODUCT</code>). + * + * @param N number of polynomial coefficients + * @param q modulus + * @param d1 number of -1's in the private polynomials <code>f</code> and <code>g</code> + * @param d2 number of -1's in the private polynomials <code>f</code> and <code>g</code> + * @param d3 number of -1's in the private polynomials <code>f</code> and <code>g</code> + * @param B number of perturbations + * @param basisType whether to use the standard or transpose lattice + * @param beta balancing factor for the transpose lattice + * @param normBound maximum norm for valid signatures + * @param keyNormBound maximum norm for the ploynomials <code>F</code> and <code>G</code> + * @param primeCheck whether <code>2N+1</code> is prime + * @param sparse whether to treat ternary polynomials as sparsely populated ({@link org.spongycastle.pqc.math.ntru.polynomial.SparseTernaryPolynomial} vs {@link org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial}) + * @param keyGenAlg <code>RESULTANT</code> produces better bases, <code>FLOAT</code> is slightly faster. <code>RESULTANT</code> follows the EESS standard while <code>FLOAT</code> is described in Hoffstein et al: An Introduction to Mathematical Cryptography. + * @param hashAlg a valid identifier for a <code>java.security.MessageDigest</code> instance such as <code>SHA-256</code>. The <code>MessageDigest</code> must support the <code>getDigestLength()</code> method. + */ + public NTRUSigningKeyGenerationParameters(int N, int q, int d1, int d2, int d3, int B, int basisType, double beta, double normBound, double keyNormBound, boolean primeCheck, boolean sparse, int keyGenAlg, Digest hashAlg) + { + super(new SecureRandom(), N); + this.N = N; + this.q = q; + this.d1 = d1; + this.d2 = d2; + this.d3 = d3; + this.B = B; + this.basisType = basisType; + this.beta = beta; + this.normBound = normBound; + this.keyNormBound = keyNormBound; + this.primeCheck = primeCheck; + this.sparse = sparse; + this.keyGenAlg = keyGenAlg; + this.hashAlg = hashAlg; + polyType = NTRUParameters.TERNARY_POLYNOMIAL_TYPE_PRODUCT; + init(); + } + + private void init() + { + betaSq = beta * beta; + normBoundSq = normBound * normBound; + keyNormBoundSq = keyNormBound * keyNormBound; + } + + /** + * Reads a parameter set from an input stream. + * + * @param is an input stream + * @throws java.io.IOException + */ + public NTRUSigningKeyGenerationParameters(InputStream is) + throws IOException + { + super(new SecureRandom(), 0); // TODO: + DataInputStream dis = new DataInputStream(is); + N = dis.readInt(); + q = dis.readInt(); + d = dis.readInt(); + d1 = dis.readInt(); + d2 = dis.readInt(); + d3 = dis.readInt(); + B = dis.readInt(); + basisType = dis.readInt(); + beta = dis.readDouble(); + normBound = dis.readDouble(); + keyNormBound = dis.readDouble(); + signFailTolerance = dis.readInt(); + primeCheck = dis.readBoolean(); + sparse = dis.readBoolean(); + bitsF = dis.readInt(); + keyGenAlg = dis.read(); + String alg = dis.readUTF(); + if ("SHA-512".equals(alg)) + { + hashAlg = new SHA512Digest(); + } + else if ("SHA-256".equals(alg)) + { + hashAlg = new SHA256Digest(); + } + polyType = dis.read(); + init(); + } + + /** + * Writes the parameter set to an output stream + * + * @param os an output stream + * @throws java.io.IOException + */ + public void writeTo(OutputStream os) + throws IOException + { + DataOutputStream dos = new DataOutputStream(os); + dos.writeInt(N); + dos.writeInt(q); + dos.writeInt(d); + dos.writeInt(d1); + dos.writeInt(d2); + dos.writeInt(d3); + dos.writeInt(B); + dos.writeInt(basisType); + dos.writeDouble(beta); + dos.writeDouble(normBound); + dos.writeDouble(keyNormBound); + dos.writeInt(signFailTolerance); + dos.writeBoolean(primeCheck); + dos.writeBoolean(sparse); + dos.writeInt(bitsF); + dos.write(keyGenAlg); + dos.writeUTF(hashAlg.getAlgorithmName()); + dos.write(polyType); + } + + public NTRUSigningParameters getSigningParameters() + { + return new NTRUSigningParameters(N, q, d, B, beta, normBound, hashAlg); + } + + public NTRUSigningKeyGenerationParameters clone() + { + if (polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE) + { + return new NTRUSigningKeyGenerationParameters(N, q, d, B, basisType, beta, normBound, keyNormBound, primeCheck, sparse, keyGenAlg, hashAlg); + } + else + { + return new NTRUSigningKeyGenerationParameters(N, q, d1, d2, d3, B, basisType, beta, normBound, keyNormBound, primeCheck, sparse, keyGenAlg, hashAlg); + } + } + + public int hashCode() + { + final int prime = 31; + int result = 1; + result = prime * result + B; + result = prime * result + N; + result = prime * result + basisType; + long temp; + temp = Double.doubleToLongBits(beta); + result = prime * result + (int)(temp ^ (temp >>> 32)); + temp = Double.doubleToLongBits(betaSq); + result = prime * result + (int)(temp ^ (temp >>> 32)); + result = prime * result + bitsF; + result = prime * result + d; + result = prime * result + d1; + result = prime * result + d2; + result = prime * result + d3; + result = prime * result + ((hashAlg == null) ? 0 : hashAlg.getAlgorithmName().hashCode()); + result = prime * result + keyGenAlg; + temp = Double.doubleToLongBits(keyNormBound); + result = prime * result + (int)(temp ^ (temp >>> 32)); + temp = Double.doubleToLongBits(keyNormBoundSq); + result = prime * result + (int)(temp ^ (temp >>> 32)); + temp = Double.doubleToLongBits(normBound); + result = prime * result + (int)(temp ^ (temp >>> 32)); + temp = Double.doubleToLongBits(normBoundSq); + result = prime * result + (int)(temp ^ (temp >>> 32)); + result = prime * result + polyType; + result = prime * result + (primeCheck ? 1231 : 1237); + result = prime * result + q; + result = prime * result + signFailTolerance; + result = prime * result + (sparse ? 1231 : 1237); + return result; + } + + public boolean equals(Object obj) + { + if (this == obj) + { + return true; + } + if (obj == null) + { + return false; + } + if (!(obj instanceof NTRUSigningKeyGenerationParameters)) + { + return false; + } + NTRUSigningKeyGenerationParameters other = (NTRUSigningKeyGenerationParameters)obj; + if (B != other.B) + { + return false; + } + if (N != other.N) + { + return false; + } + if (basisType != other.basisType) + { + return false; + } + if (Double.doubleToLongBits(beta) != Double.doubleToLongBits(other.beta)) + { + return false; + } + if (Double.doubleToLongBits(betaSq) != Double.doubleToLongBits(other.betaSq)) + { + return false; + } + if (bitsF != other.bitsF) + { + return false; + } + if (d != other.d) + { + return false; + } + if (d1 != other.d1) + { + return false; + } + if (d2 != other.d2) + { + return false; + } + if (d3 != other.d3) + { + return false; + } + if (hashAlg == null) + { + if (other.hashAlg != null) + { + return false; + } + } + else if (!hashAlg.getAlgorithmName().equals(other.hashAlg.getAlgorithmName())) + { + return false; + } + if (keyGenAlg != other.keyGenAlg) + { + return false; + } + if (Double.doubleToLongBits(keyNormBound) != Double.doubleToLongBits(other.keyNormBound)) + { + return false; + } + if (Double.doubleToLongBits(keyNormBoundSq) != Double.doubleToLongBits(other.keyNormBoundSq)) + { + return false; + } + if (Double.doubleToLongBits(normBound) != Double.doubleToLongBits(other.normBound)) + { + return false; + } + if (Double.doubleToLongBits(normBoundSq) != Double.doubleToLongBits(other.normBoundSq)) + { + return false; + } + if (polyType != other.polyType) + { + return false; + } + if (primeCheck != other.primeCheck) + { + return false; + } + if (q != other.q) + { + return false; + } + if (signFailTolerance != other.signFailTolerance) + { + return false; + } + if (sparse != other.sparse) + { + return false; + } + return true; + } + + public String toString() + { + DecimalFormat format = new DecimalFormat("0.00"); + + StringBuilder output = new StringBuilder("SignatureParameters(N=" + N + " q=" + q); + if (polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE) + { + output.append(" polyType=SIMPLE d=" + d); + } + else + { + output.append(" polyType=PRODUCT d1=" + d1 + " d2=" + d2 + " d3=" + d3); + } + output.append(" B=" + B + " basisType=" + basisType + " beta=" + format.format(beta) + + " normBound=" + format.format(normBound) + " keyNormBound=" + format.format(keyNormBound) + + " prime=" + primeCheck + " sparse=" + sparse + " keyGenAlg=" + keyGenAlg + " hashAlg=" + hashAlg + ")"); + return output.toString(); + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningKeyPairGenerator.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningKeyPairGenerator.java new file mode 100644 index 00000000..eac283aa --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningKeyPairGenerator.java @@ -0,0 +1,357 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.math.BigDecimal; +import java.math.BigInteger; +import java.security.SecureRandom; +import java.util.ArrayList; +import java.util.List; +import java.util.concurrent.Callable; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.util.concurrent.Future; + +import org.spongycastle.crypto.AsymmetricCipherKeyPair; +import org.spongycastle.crypto.AsymmetricCipherKeyPairGenerator; +import org.spongycastle.crypto.KeyGenerationParameters; +import org.spongycastle.pqc.math.ntru.euclid.BigIntEuclidean; +import org.spongycastle.pqc.math.ntru.polynomial.BigDecimalPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.BigIntPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.IntegerPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.Polynomial; +import org.spongycastle.pqc.math.ntru.polynomial.ProductFormPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.Resultant; + +import static java.math.BigInteger.ONE; +import static java.math.BigInteger.ZERO; + +public class NTRUSigningKeyPairGenerator + implements AsymmetricCipherKeyPairGenerator +{ + private NTRUSigningKeyGenerationParameters params; + + public void init(KeyGenerationParameters param) + { + this.params = (NTRUSigningKeyGenerationParameters)param; + } + + /** + * Generates a new signature key pair. Starts <code>B+1</code> threads. + * + * @return a key pair + */ + public AsymmetricCipherKeyPair generateKeyPair() + { + NTRUSigningPublicKeyParameters pub = null; + ExecutorService executor = Executors.newCachedThreadPool(); + List<Future<NTRUSigningPrivateKeyParameters.Basis>> bases = new ArrayList<Future<NTRUSigningPrivateKeyParameters.Basis>>(); + for (int k = params.B; k >= 0; k--) + { + bases.add(executor.submit(new BasisGenerationTask())); + } + executor.shutdown(); + + List<NTRUSigningPrivateKeyParameters.Basis> basises = new ArrayList<NTRUSigningPrivateKeyParameters.Basis>(); + + for (int k = params.B; k >= 0; k--) + { + Future<NTRUSigningPrivateKeyParameters.Basis> basis = bases.get(k); + try + { + basises.add(basis.get()); + if (k == params.B) + { + pub = new NTRUSigningPublicKeyParameters(basis.get().h, params.getSigningParameters()); + } + } + catch (Exception e) + { + throw new IllegalStateException(e); + } + } + NTRUSigningPrivateKeyParameters priv = new NTRUSigningPrivateKeyParameters(basises, pub); + AsymmetricCipherKeyPair kp = new AsymmetricCipherKeyPair(pub, priv); + return kp; + } + + /** + * Generates a new signature key pair. Runs in a single thread. + * + * @return a key pair + */ + public AsymmetricCipherKeyPair generateKeyPairSingleThread() + { + List<NTRUSigningPrivateKeyParameters.Basis> basises = new ArrayList<NTRUSigningPrivateKeyParameters.Basis>(); + NTRUSigningPublicKeyParameters pub = null; + for (int k = params.B; k >= 0; k--) + { + NTRUSigningPrivateKeyParameters.Basis basis = generateBoundedBasis(); + basises.add(basis); + if (k == 0) + { + pub = new NTRUSigningPublicKeyParameters(basis.h, params.getSigningParameters()); + } + } + NTRUSigningPrivateKeyParameters priv = new NTRUSigningPrivateKeyParameters(basises, pub); + return new AsymmetricCipherKeyPair(pub, priv); + } + + + /** + * Implementation of the optional steps 20 through 26 in EESS1v2.pdf, section 3.5.1.1. + * This doesn't seem to have much of an effect and sometimes actually increases the + * norm of F, but on average it slightly reduces the norm.<br/> + * This method changes <code>F</code> and <code>g</code> but leaves <code>f</code> and + * <code>g</code> unchanged. + * + * @param f + * @param g + * @param F + * @param G + * @param N + */ + private void minimizeFG(IntegerPolynomial f, IntegerPolynomial g, IntegerPolynomial F, IntegerPolynomial G, int N) + { + int E = 0; + for (int j = 0; j < N; j++) + { + E += 2 * N * (f.coeffs[j] * f.coeffs[j] + g.coeffs[j] * g.coeffs[j]); + } + + // [f(1)+g(1)]^2 = 4 + E -= 4; + + IntegerPolynomial u = (IntegerPolynomial)f.clone(); + IntegerPolynomial v = (IntegerPolynomial)g.clone(); + int j = 0; + int k = 0; + int maxAdjustment = N; + while (k < maxAdjustment && j < N) + { + int D = 0; + int i = 0; + while (i < N) + { + int D1 = F.coeffs[i] * f.coeffs[i]; + int D2 = G.coeffs[i] * g.coeffs[i]; + int D3 = 4 * N * (D1 + D2); + D += D3; + i++; + } + // f(1)+g(1) = 2 + int D1 = 4 * (F.sumCoeffs() + G.sumCoeffs()); + D -= D1; + + if (D > E) + { + F.sub(u); + G.sub(v); + k++; + j = 0; + } + else if (D < -E) + { + F.add(u); + G.add(v); + k++; + j = 0; + } + j++; + u.rotate1(); + v.rotate1(); + } + } + + /** + * Creates a NTRUSigner basis consisting of polynomials <code>f, g, F, G, h</code>.<br/> + * If <code>KeyGenAlg=FLOAT</code>, the basis may not be valid and this method must be rerun if that is the case.<br/> + * + * @see #generateBoundedBasis() + */ + private FGBasis generateBasis() + { + int N = params.N; + int q = params.q; + int d = params.d; + int d1 = params.d1; + int d2 = params.d2; + int d3 = params.d3; + int basisType = params.basisType; + + Polynomial f; + IntegerPolynomial fInt; + Polynomial g; + IntegerPolynomial gInt; + IntegerPolynomial fq; + Resultant rf; + Resultant rg; + BigIntEuclidean r; + + int _2n1 = 2 * N + 1; + boolean primeCheck = params.primeCheck; + + do + { + do + { + f = params.polyType== NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE ? DenseTernaryPolynomial.generateRandom(N, d + 1, d, new SecureRandom()) : ProductFormPolynomial.generateRandom(N, d1, d2, d3 + 1, d3, new SecureRandom()); + fInt = f.toIntegerPolynomial(); + } + while (primeCheck && fInt.resultant(_2n1).res.equals(ZERO)); + fq = fInt.invertFq(q); + } + while (fq == null); + rf = fInt.resultant(); + + do + { + do + { + do + { + g = params.polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_SIMPLE ? DenseTernaryPolynomial.generateRandom(N, d + 1, d, new SecureRandom()) : ProductFormPolynomial.generateRandom(N, d1, d2, d3 + 1, d3, new SecureRandom()); + gInt = g.toIntegerPolynomial(); + } + while (primeCheck && gInt.resultant(_2n1).res.equals(ZERO)); + } + while (gInt.invertFq(q) == null); + rg = gInt.resultant(); + r = BigIntEuclidean.calculate(rf.res, rg.res); + } + while (!r.gcd.equals(ONE)); + + BigIntPolynomial A = (BigIntPolynomial)rf.rho.clone(); + A.mult(r.x.multiply(BigInteger.valueOf(q))); + BigIntPolynomial B = (BigIntPolynomial)rg.rho.clone(); + B.mult(r.y.multiply(BigInteger.valueOf(-q))); + + BigIntPolynomial C; + if (params.keyGenAlg == NTRUSigningKeyGenerationParameters.KEY_GEN_ALG_RESULTANT) + { + int[] fRevCoeffs = new int[N]; + int[] gRevCoeffs = new int[N]; + fRevCoeffs[0] = fInt.coeffs[0]; + gRevCoeffs[0] = gInt.coeffs[0]; + for (int i = 1; i < N; i++) + { + fRevCoeffs[i] = fInt.coeffs[N - i]; + gRevCoeffs[i] = gInt.coeffs[N - i]; + } + IntegerPolynomial fRev = new IntegerPolynomial(fRevCoeffs); + IntegerPolynomial gRev = new IntegerPolynomial(gRevCoeffs); + + IntegerPolynomial t = f.mult(fRev); + t.add(g.mult(gRev)); + Resultant rt = t.resultant(); + C = fRev.mult(B); // fRev.mult(B) is actually faster than new SparseTernaryPolynomial(fRev).mult(B), possibly due to cache locality? + C.add(gRev.mult(A)); + C = C.mult(rt.rho); + C.div(rt.res); + } + else + { // KeyGenAlg.FLOAT + // calculate ceil(log10(N)) + int log10N = 0; + for (int i = 1; i < N; i *= 10) + { + log10N++; + } + + // * Cdec needs to be accurate to 1 decimal place so it can be correctly rounded; + // * fInv loses up to (#digits of longest coeff of B) places in fInv.mult(B); + // * multiplying fInv by B also multiplies the rounding error by a factor of N; + // so make #decimal places of fInv the sum of the above. + BigDecimalPolynomial fInv = rf.rho.div(new BigDecimal(rf.res), B.getMaxCoeffLength() + 1 + log10N); + BigDecimalPolynomial gInv = rg.rho.div(new BigDecimal(rg.res), A.getMaxCoeffLength() + 1 + log10N); + + BigDecimalPolynomial Cdec = fInv.mult(B); + Cdec.add(gInv.mult(A)); + Cdec.halve(); + C = Cdec.round(); + } + + BigIntPolynomial F = (BigIntPolynomial)B.clone(); + F.sub(f.mult(C)); + BigIntPolynomial G = (BigIntPolynomial)A.clone(); + G.sub(g.mult(C)); + + IntegerPolynomial FInt = new IntegerPolynomial(F); + IntegerPolynomial GInt = new IntegerPolynomial(G); + minimizeFG(fInt, gInt, FInt, GInt, N); + + Polynomial fPrime; + IntegerPolynomial h; + if (basisType == NTRUSigningKeyGenerationParameters.BASIS_TYPE_STANDARD) + { + fPrime = FInt; + h = g.mult(fq, q); + } + else + { + fPrime = g; + h = FInt.mult(fq, q); + } + h.modPositive(q); + + return new FGBasis(f, fPrime, h, FInt, GInt, params); + } + + /** + * Creates a basis such that <code>|F| < keyNormBound</code> and <code>|G| < keyNormBound</code> + * + * @return a NTRUSigner basis + */ + public NTRUSigningPrivateKeyParameters.Basis generateBoundedBasis() + { + while (true) + { + FGBasis basis = generateBasis(); + if (basis.isNormOk()) + { + return basis; + } + } + } + + private class BasisGenerationTask + implements Callable<NTRUSigningPrivateKeyParameters.Basis> + { + + + public NTRUSigningPrivateKeyParameters.Basis call() + throws Exception + { + return generateBoundedBasis(); + } + } + + /** + * A subclass of Basis that additionally contains the polynomials <code>F</code> and <code>G</code>. + */ + public class FGBasis + extends NTRUSigningPrivateKeyParameters.Basis + { + public IntegerPolynomial F; + public IntegerPolynomial G; + + FGBasis(Polynomial f, Polynomial fPrime, IntegerPolynomial h, IntegerPolynomial F, IntegerPolynomial G, NTRUSigningKeyGenerationParameters params) + { + super(f, fPrime, h, params); + this.F = F; + this.G = G; + } + + /** + * Returns <code>true</code> if the norms of the polynomials <code>F</code> and <code>G</code> + * are within {@link NTRUSigningKeyGenerationParameters#keyNormBound}. + * + * @return + */ + boolean isNormOk() + { + double keyNormBoundSq = params.keyNormBoundSq; + int q = params.q; + return (F.centeredNormSq(q) < keyNormBoundSq && G.centeredNormSq(q) < keyNormBoundSq); + } + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningParameters.java new file mode 100644 index 00000000..bf9ba2cb --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningParameters.java @@ -0,0 +1,269 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.io.DataInputStream; +import java.io.DataOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.text.DecimalFormat; + +import org.spongycastle.crypto.Digest; +import org.spongycastle.crypto.digests.SHA256Digest; +import org.spongycastle.crypto.digests.SHA512Digest; + +/** + * A set of parameters for NtruSign. Several predefined parameter sets are available and new ones can be created as well. + */ +public class NTRUSigningParameters + implements Cloneable +{ + public int N; + public int q; + public int d, d1, d2, d3, B; + double beta; + public double betaSq; + double normBound; + public double normBoundSq; + public int signFailTolerance = 100; + int bitsF = 6; // max #bits needed to encode one coefficient of the polynomial F + public Digest hashAlg; + + /** + * Constructs a parameter set that uses ternary private keys (i.e. <code>polyType=SIMPLE</code>). + * + * @param N number of polynomial coefficients + * @param q modulus + * @param d number of -1's in the private polynomials <code>f</code> and <code>g</code> + * @param B number of perturbations + * @param beta balancing factor for the transpose lattice + * @param normBound maximum norm for valid signatures + * @param hashAlg a valid identifier for a <code>java.security.MessageDigest</code> instance such as <code>SHA-256</code>. The <code>MessageDigest</code> must support the <code>getDigestLength()</code> method. + */ + public NTRUSigningParameters(int N, int q, int d, int B, double beta, double normBound, Digest hashAlg) + { + this.N = N; + this.q = q; + this.d = d; + this.B = B; + this.beta = beta; + this.normBound = normBound; + this.hashAlg = hashAlg; + init(); + } + + /** + * Constructs a parameter set that uses product-form private keys (i.e. <code>polyType=PRODUCT</code>). + * + * @param N number of polynomial coefficients + * @param q modulus + * @param d1 number of -1's in the private polynomials <code>f</code> and <code>g</code> + * @param d2 number of -1's in the private polynomials <code>f</code> and <code>g</code> + * @param d3 number of -1's in the private polynomials <code>f</code> and <code>g</code> + * @param B number of perturbations + * @param beta balancing factor for the transpose lattice + * @param normBound maximum norm for valid signatures + * @param keyNormBound maximum norm for the ploynomials <code>F</code> and <code>G</code> + * @param hashAlg a valid identifier for a <code>java.security.MessageDigest</code> instance such as <code>SHA-256</code>. The <code>MessageDigest</code> must support the <code>getDigestLength()</code> method. + */ + public NTRUSigningParameters(int N, int q, int d1, int d2, int d3, int B, double beta, double normBound, double keyNormBound, Digest hashAlg) + { + this.N = N; + this.q = q; + this.d1 = d1; + this.d2 = d2; + this.d3 = d3; + this.B = B; + this.beta = beta; + this.normBound = normBound; + this.hashAlg = hashAlg; + init(); + } + + private void init() + { + betaSq = beta * beta; + normBoundSq = normBound * normBound; + } + + /** + * Reads a parameter set from an input stream. + * + * @param is an input stream + * @throws IOException + */ + public NTRUSigningParameters(InputStream is) + throws IOException + { + DataInputStream dis = new DataInputStream(is); + N = dis.readInt(); + q = dis.readInt(); + d = dis.readInt(); + d1 = dis.readInt(); + d2 = dis.readInt(); + d3 = dis.readInt(); + B = dis.readInt(); + beta = dis.readDouble(); + normBound = dis.readDouble(); + signFailTolerance = dis.readInt(); + bitsF = dis.readInt(); + String alg = dis.readUTF(); + if ("SHA-512".equals(alg)) + { + hashAlg = new SHA512Digest(); + } + else if ("SHA-256".equals(alg)) + { + hashAlg = new SHA256Digest(); + } + init(); + } + + /** + * Writes the parameter set to an output stream + * + * @param os an output stream + * @throws IOException + */ + public void writeTo(OutputStream os) + throws IOException + { + DataOutputStream dos = new DataOutputStream(os); + dos.writeInt(N); + dos.writeInt(q); + dos.writeInt(d); + dos.writeInt(d1); + dos.writeInt(d2); + dos.writeInt(d3); + dos.writeInt(B); + dos.writeDouble(beta); + dos.writeDouble(normBound); + dos.writeInt(signFailTolerance); + dos.writeInt(bitsF); + dos.writeUTF(hashAlg.getAlgorithmName()); + } + + public NTRUSigningParameters clone() + { + return new NTRUSigningParameters(N, q, d, B, beta, normBound, hashAlg); + } + + public int hashCode() + { + final int prime = 31; + int result = 1; + result = prime * result + B; + result = prime * result + N; + long temp; + temp = Double.doubleToLongBits(beta); + result = prime * result + (int)(temp ^ (temp >>> 32)); + temp = Double.doubleToLongBits(betaSq); + result = prime * result + (int)(temp ^ (temp >>> 32)); + result = prime * result + bitsF; + result = prime * result + d; + result = prime * result + d1; + result = prime * result + d2; + result = prime * result + d3; + result = prime * result + ((hashAlg == null) ? 0 : hashAlg.getAlgorithmName().hashCode()); + temp = Double.doubleToLongBits(normBound); + result = prime * result + (int)(temp ^ (temp >>> 32)); + temp = Double.doubleToLongBits(normBoundSq); + result = prime * result + (int)(temp ^ (temp >>> 32)); + result = prime * result + q; + result = prime * result + signFailTolerance; + return result; + } + + public boolean equals(Object obj) + { + if (this == obj) + { + return true; + } + if (obj == null) + { + return false; + } + if (!(obj instanceof NTRUSigningParameters)) + { + return false; + } + NTRUSigningParameters other = (NTRUSigningParameters)obj; + if (B != other.B) + { + return false; + } + if (N != other.N) + { + return false; + } + if (Double.doubleToLongBits(beta) != Double.doubleToLongBits(other.beta)) + { + return false; + } + if (Double.doubleToLongBits(betaSq) != Double.doubleToLongBits(other.betaSq)) + { + return false; + } + if (bitsF != other.bitsF) + { + return false; + } + if (d != other.d) + { + return false; + } + if (d1 != other.d1) + { + return false; + } + if (d2 != other.d2) + { + return false; + } + if (d3 != other.d3) + { + return false; + } + if (hashAlg == null) + { + if (other.hashAlg != null) + { + return false; + } + } + else if (!hashAlg.getAlgorithmName().equals(other.hashAlg.getAlgorithmName())) + { + return false; + } + if (Double.doubleToLongBits(normBound) != Double.doubleToLongBits(other.normBound)) + { + return false; + } + if (Double.doubleToLongBits(normBoundSq) != Double.doubleToLongBits(other.normBoundSq)) + { + return false; + } + if (q != other.q) + { + return false; + } + if (signFailTolerance != other.signFailTolerance) + { + return false; + } + + return true; + } + + public String toString() + { + DecimalFormat format = new DecimalFormat("0.00"); + + StringBuilder output = new StringBuilder("SignatureParameters(N=" + N + " q=" + q); + + output.append(" B=" + B + " beta=" + format.format(beta) + + " normBound=" + format.format(normBound) + + " hashAlg=" + hashAlg + ")"); + return output.toString(); + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningPrivateKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningPrivateKeyParameters.java new file mode 100644 index 00000000..bbbaaeef --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningPrivateKeyParameters.java @@ -0,0 +1,385 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.util.ArrayList; +import java.util.List; + +import org.spongycastle.crypto.params.AsymmetricKeyParameter; +import org.spongycastle.pqc.math.ntru.polynomial.DenseTernaryPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.IntegerPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.Polynomial; +import org.spongycastle.pqc.math.ntru.polynomial.ProductFormPolynomial; +import org.spongycastle.pqc.math.ntru.polynomial.SparseTernaryPolynomial; + +/** + * A NtruSign private key comprises one or more {@link NTRUSigningPrivateKeyParameters.Basis} of three polynomials each, + * except the zeroth basis for which <code>h</code> is undefined. + */ +public class NTRUSigningPrivateKeyParameters + extends AsymmetricKeyParameter +{ + private List<Basis> bases; + private NTRUSigningPublicKeyParameters publicKey; + + /** + * Constructs a new private key from a byte array + * + * @param b an encoded private key + * @param params the NtruSign parameters to use + */ + public NTRUSigningPrivateKeyParameters(byte[] b, NTRUSigningKeyGenerationParameters params) + throws IOException + { + this(new ByteArrayInputStream(b), params); + } + + /** + * Constructs a new private key from an input stream + * + * @param is an input stream + * @param params the NtruSign parameters to use + */ + public NTRUSigningPrivateKeyParameters(InputStream is, NTRUSigningKeyGenerationParameters params) + throws IOException + { + super(true); + bases = new ArrayList<Basis>(); + for (int i = 0; i <= params.B; i++) + // include a public key h[i] in all bases except for the first one + { + add(new Basis(is, params, i != 0)); + } + publicKey = new NTRUSigningPublicKeyParameters(is, params.getSigningParameters()); + } + + public NTRUSigningPrivateKeyParameters(List<Basis> bases, NTRUSigningPublicKeyParameters publicKey) + { + super(true); + this.bases = new ArrayList<Basis>(bases); + this.publicKey = publicKey; + } + + /** + * Adds a basis to the key. + * + * @param b a NtruSign basis + */ + private void add(Basis b) + { + bases.add(b); + } + + /** + * Returns the <code>i</code>-th basis + * + * @param i the index + * @return the basis at index <code>i</code> + */ + public Basis getBasis(int i) + { + return bases.get(i); + } + + public NTRUSigningPublicKeyParameters getPublicKey() + { + return publicKey; + } + + /** + * Converts the key to a byte array + * + * @return the encoded key + */ + public byte[] getEncoded() + throws IOException + { + ByteArrayOutputStream os = new ByteArrayOutputStream(); + for (int i = 0; i < bases.size(); i++) + { + // all bases except for the first one contain a public key + bases.get(i).encode(os, i != 0); + } + + os.write(publicKey.getEncoded()); + + return os.toByteArray(); + } + + /** + * Writes the key to an output stream + * + * @param os an output stream + * @throws IOException + */ + public void writeTo(OutputStream os) + throws IOException + { + os.write(getEncoded()); + } + + @Override + public int hashCode() + { + final int prime = 31; + int result = 1; + result = prime * result + ((bases == null) ? 0 : bases.hashCode()); + for (Basis basis : bases) + { + result += basis.hashCode(); + } + return result; + } + + @Override + public boolean equals(Object obj) + { + if (this == obj) + { + return true; + } + if (obj == null) + { + return false; + } + if (getClass() != obj.getClass()) + { + return false; + } + NTRUSigningPrivateKeyParameters other = (NTRUSigningPrivateKeyParameters)obj; + if (bases == null) + { + if (other.bases != null) + { + return false; + } + } + if (bases.size() != other.bases.size()) + { + return false; + } + for (int i = 0; i < bases.size(); i++) + { + Basis basis1 = bases.get(i); + Basis basis2 = other.bases.get(i); + if (!basis1.f.equals(basis2.f)) + { + return false; + } + if (!basis1.fPrime.equals(basis2.fPrime)) + { + return false; + } + if (i != 0 && !basis1.h.equals(basis2.h)) // don't compare h for the 0th basis + { + return false; + } + if (!basis1.params.equals(basis2.params)) + { + return false; + } + } + return true; + } + + /** + * A NtruSign basis. Contains three polynomials <code>f, f', h</code>. + */ + public static class Basis + { + public Polynomial f; + public Polynomial fPrime; + public IntegerPolynomial h; + NTRUSigningKeyGenerationParameters params; + + /** + * Constructs a new basis from polynomials <code>f, f', h</code>. + * + * @param f + * @param fPrime + * @param h + * @param params NtruSign parameters + */ + protected Basis(Polynomial f, Polynomial fPrime, IntegerPolynomial h, NTRUSigningKeyGenerationParameters params) + { + this.f = f; + this.fPrime = fPrime; + this.h = h; + this.params = params; + } + + /** + * Reads a basis from an input stream and constructs a new basis. + * + * @param is an input stream + * @param params NtruSign parameters + * @param include_h whether to read the polynomial <code>h</code> (<code>true</code>) or only <code>f</code> and <code>f'</code> (<code>false</code>) + */ + Basis(InputStream is, NTRUSigningKeyGenerationParameters params, boolean include_h) + throws IOException + { + int N = params.N; + int q = params.q; + int d1 = params.d1; + int d2 = params.d2; + int d3 = params.d3; + boolean sparse = params.sparse; + this.params = params; + + if (params.polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_PRODUCT) + { + f = ProductFormPolynomial.fromBinary(is, N, d1, d2, d3 + 1, d3); + } + else + { + IntegerPolynomial fInt = IntegerPolynomial.fromBinary3Tight(is, N); + f = sparse ? new SparseTernaryPolynomial(fInt) : new DenseTernaryPolynomial(fInt); + } + + if (params.basisType == NTRUSigningKeyGenerationParameters.BASIS_TYPE_STANDARD) + { + IntegerPolynomial fPrimeInt = IntegerPolynomial.fromBinary(is, N, q); + for (int i = 0; i < fPrimeInt.coeffs.length; i++) + { + fPrimeInt.coeffs[i] -= q / 2; + } + fPrime = fPrimeInt; + } + else if (params.polyType == NTRUParameters.TERNARY_POLYNOMIAL_TYPE_PRODUCT) + { + fPrime = ProductFormPolynomial.fromBinary(is, N, d1, d2, d3 + 1, d3); + } + else + { + fPrime = IntegerPolynomial.fromBinary3Tight(is, N); + } + + if (include_h) + { + h = IntegerPolynomial.fromBinary(is, N, q); + } + } + + /** + * Writes the basis to an output stream + * + * @param os an output stream + * @param include_h whether to write the polynomial <code>h</code> (<code>true</code>) or only <code>f</code> and <code>f'</code> (<code>false</code>) + * @throws IOException + */ + void encode(OutputStream os, boolean include_h) + throws IOException + { + int q = params.q; + + os.write(getEncoded(f)); + if (params.basisType == NTRUSigningKeyGenerationParameters.BASIS_TYPE_STANDARD) + { + IntegerPolynomial fPrimeInt = fPrime.toIntegerPolynomial(); + for (int i = 0; i < fPrimeInt.coeffs.length; i++) + { + fPrimeInt.coeffs[i] += q / 2; + } + os.write(fPrimeInt.toBinary(q)); + } + else + { + os.write(getEncoded(fPrime)); + } + if (include_h) + { + os.write(h.toBinary(q)); + } + } + + private byte[] getEncoded(Polynomial p) + { + if (p instanceof ProductFormPolynomial) + { + return ((ProductFormPolynomial)p).toBinary(); + } + else + { + return p.toIntegerPolynomial().toBinary3Tight(); + } + } + + @Override + public int hashCode() + { + final int prime = 31; + int result = 1; + result = prime * result + ((f == null) ? 0 : f.hashCode()); + result = prime * result + ((fPrime == null) ? 0 : fPrime.hashCode()); + result = prime * result + ((h == null) ? 0 : h.hashCode()); + result = prime * result + ((params == null) ? 0 : params.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) + { + if (this == obj) + { + return true; + } + if (obj == null) + { + return false; + } + if (!(obj instanceof Basis)) + { + return false; + } + Basis other = (Basis)obj; + if (f == null) + { + if (other.f != null) + { + return false; + } + } + else if (!f.equals(other.f)) + { + return false; + } + if (fPrime == null) + { + if (other.fPrime != null) + { + return false; + } + } + else if (!fPrime.equals(other.fPrime)) + { + return false; + } + if (h == null) + { + if (other.h != null) + { + return false; + } + } + else if (!h.equals(other.h)) + { + return false; + } + if (params == null) + { + if (other.params != null) + { + return false; + } + } + else if (!params.equals(other.params)) + { + return false; + } + return true; + } + } +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningPublicKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningPublicKeyParameters.java new file mode 100644 index 00000000..d7431b8b --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/ntru/NTRUSigningPublicKeyParameters.java @@ -0,0 +1,132 @@ +package org.spongycastle.pqc.crypto.ntru; + +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; + +import org.spongycastle.crypto.params.AsymmetricKeyParameter; +import org.spongycastle.pqc.math.ntru.polynomial.IntegerPolynomial; + +/** + * A NtruSign public key is essentially a polynomial named <code>h</code>. + */ +public class NTRUSigningPublicKeyParameters + extends AsymmetricKeyParameter +{ + private NTRUSigningParameters params; + public IntegerPolynomial h; + + /** + * Constructs a new public key from a polynomial + * + * @param h the polynomial <code>h</code> which determines the key + * @param params the NtruSign parameters to use + */ + public NTRUSigningPublicKeyParameters(IntegerPolynomial h, NTRUSigningParameters params) + { + super(false); + this.h = h; + this.params = params; + } + + /** + * Converts a byte array to a polynomial <code>h</code> and constructs a new public key + * + * @param b an encoded polynomial + * @param params the NtruSign parameters to use + */ + public NTRUSigningPublicKeyParameters(byte[] b, NTRUSigningParameters params) + { + super(false); + h = IntegerPolynomial.fromBinary(b, params.N, params.q); + this.params = params; + } + + /** + * Reads a polynomial <code>h</code> from an input stream and constructs a new public key + * + * @param is an input stream + * @param params the NtruSign parameters to use + */ + public NTRUSigningPublicKeyParameters(InputStream is, NTRUSigningParameters params) + throws IOException + { + super(false); + h = IntegerPolynomial.fromBinary(is, params.N, params.q); + this.params = params; + } + + + /** + * Converts the key to a byte array + * + * @return the encoded key + */ + public byte[] getEncoded() + { + return h.toBinary(params.q); + } + + /** + * Writes the key to an output stream + * + * @param os an output stream + * @throws IOException + */ + public void writeTo(OutputStream os) + throws IOException + { + os.write(getEncoded()); + } + + @Override + public int hashCode() + { + final int prime = 31; + int result = 1; + result = prime * result + ((h == null) ? 0 : h.hashCode()); + result = prime * result + ((params == null) ? 0 : params.hashCode()); + return result; + } + + @Override + public boolean equals(Object obj) + { + if (this == obj) + { + return true; + } + if (obj == null) + { + return false; + } + if (getClass() != obj.getClass()) + { + return false; + } + NTRUSigningPublicKeyParameters other = (NTRUSigningPublicKeyParameters)obj; + if (h == null) + { + if (other.h != null) + { + return false; + } + } + else if (!h.equals(other.h)) + { + return false; + } + if (params == null) + { + if (other.params != null) + { + return false; + } + } + else if (!params.equals(other.params)) + { + return false; + } + return true; + } +}
\ No newline at end of file diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/Layer.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/Layer.java new file mode 100644 index 00000000..0556531e --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/Layer.java @@ -0,0 +1,322 @@ +package org.spongycastle.pqc.crypto.rainbow; + +import java.security.SecureRandom; + +import org.spongycastle.pqc.crypto.rainbow.util.GF2Field; +import org.spongycastle.pqc.crypto.rainbow.util.RainbowUtil; +import org.spongycastle.util.Arrays; + + +/** + * This class represents a layer of the Rainbow Oil- and Vinegar Map. Each Layer + * consists of oi polynomials with their coefficients, generated at random. + * <p> + * To sign a document, we solve a LES (linear equation system) for each layer in + * order to find the oil variables of that layer and to be able to use the + * variables to compute the signature. This functionality is implemented in the + * RainbowSignature-class, by the aid of the private key. + * <p> + * Each layer is a part of the private key. + * <p> + * More information about the layer can be found in the paper of Jintai Ding, + * Dieter Schmidt: Rainbow, a New Multivariable Polynomial Signature Scheme. + * ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12) + */ +public class Layer +{ + private int vi; // number of vinegars in this layer + private int viNext; // number of vinegars in next layer + private int oi; // number of oils in this layer + + /* + * k : index of polynomial + * + * i,j : indices of oil and vinegar variables + */ + private short[/* k */][/* i */][/* j */] coeff_alpha; + private short[/* k */][/* i */][/* j */] coeff_beta; + private short[/* k */][/* i */] coeff_gamma; + private short[/* k */] coeff_eta; + + /** + * Constructor + * + * @param vi number of vinegar variables of this layer + * @param viNext number of vinegar variables of next layer. It's the same as + * (num of oils) + (num of vinegars) of this layer. + * @param coeffAlpha alpha-coefficients in the polynomials of this layer + * @param coeffBeta beta-coefficients in the polynomials of this layer + * @param coeffGamma gamma-coefficients in the polynomials of this layer + * @param coeffEta eta-coefficients in the polynomials of this layer + */ + public Layer(byte vi, byte viNext, short[][][] coeffAlpha, + short[][][] coeffBeta, short[][] coeffGamma, short[] coeffEta) + { + this.vi = vi & 0xff; + this.viNext = viNext & 0xff; + this.oi = this.viNext - this.vi; + + // the secret coefficients of all polynomials in this layer + this.coeff_alpha = coeffAlpha; + this.coeff_beta = coeffBeta; + this.coeff_gamma = coeffGamma; + this.coeff_eta = coeffEta; + } + + /** + * This function generates the coefficients of all polynomials in this layer + * at random using random generator. + * + * @param sr the random generator which is to be used + */ + public Layer(int vi, int viNext, SecureRandom sr) + { + this.vi = vi; + this.viNext = viNext; + this.oi = viNext - vi; + + // the coefficients of all polynomials in this layer + this.coeff_alpha = new short[this.oi][this.oi][this.vi]; + this.coeff_beta = new short[this.oi][this.vi][this.vi]; + this.coeff_gamma = new short[this.oi][this.viNext]; + this.coeff_eta = new short[this.oi]; + + int numOfPoly = this.oi; // number of polynomials per layer + + // Alpha coeffs + for (int k = 0; k < numOfPoly; k++) + { + for (int i = 0; i < this.oi; i++) + { + for (int j = 0; j < this.vi; j++) + { + coeff_alpha[k][i][j] = (short)(sr.nextInt() & GF2Field.MASK); + } + } + } + // Beta coeffs + for (int k = 0; k < numOfPoly; k++) + { + for (int i = 0; i < this.vi; i++) + { + for (int j = 0; j < this.vi; j++) + { + coeff_beta[k][i][j] = (short)(sr.nextInt() & GF2Field.MASK); + } + } + } + // Gamma coeffs + for (int k = 0; k < numOfPoly; k++) + { + for (int i = 0; i < this.viNext; i++) + { + coeff_gamma[k][i] = (short)(sr.nextInt() & GF2Field.MASK); + } + } + // Eta + for (int k = 0; k < numOfPoly; k++) + { + coeff_eta[k] = (short)(sr.nextInt() & GF2Field.MASK); + } + } + + /** + * This method plugs in the vinegar variables into the polynomials of this + * layer and computes the coefficients of the Oil-variables as well as the + * free coefficient in each polynomial. + * <p> + * It is needed for computing the Oil variables while signing. + * + * @param x vinegar variables of this layer that should be plugged into + * the polynomials. + * @return coeff the coefficients of Oil variables and the free coeff in the + * polynomials of this layer. + */ + public short[][] plugInVinegars(short[] x) + { + // temporary variable needed for the multiplication + short tmpMult = 0; + // coeff: 1st index = which polynomial, 2nd index=which variable + short[][] coeff = new short[oi][oi + 1]; // gets returned + // free coefficient per polynomial + short[] sum = new short[oi]; + + /* + * evaluate the beta-part of the polynomials (it contains no oil + * variables) + */ + for (int k = 0; k < oi; k++) + { + for (int i = 0; i < vi; i++) + { + for (int j = 0; j < vi; j++) + { + // tmp = beta * xi (plug in) + tmpMult = GF2Field.multElem(coeff_beta[k][i][j], x[i]); + // tmp = tmp * xj + tmpMult = GF2Field.multElem(tmpMult, x[j]); + // accumulate into the array for the free coefficients. + sum[k] = GF2Field.addElem(sum[k], tmpMult); + } + } + } + + /* evaluate the alpha-part (it contains oils) */ + for (int k = 0; k < oi; k++) + { + for (int i = 0; i < oi; i++) + { + for (int j = 0; j < vi; j++) + { + // alpha * xj (plug in) + tmpMult = GF2Field.multElem(coeff_alpha[k][i][j], x[j]); + // accumulate + coeff[k][i] = GF2Field.addElem(coeff[k][i], tmpMult); + } + } + } + /* evaluate the gama-part of the polynomial (containing no oils) */ + for (int k = 0; k < oi; k++) + { + for (int i = 0; i < vi; i++) + { + // gamma * xi (plug in) + tmpMult = GF2Field.multElem(coeff_gamma[k][i], x[i]); + // accumulate in the array for the free coefficients (per + // polynomial). + sum[k] = GF2Field.addElem(sum[k], tmpMult); + } + } + /* evaluate the gama-part of the polynomial (but containing oils) */ + for (int k = 0; k < oi; k++) + { + for (int i = vi; i < viNext; i++) + { // oils + // accumulate the coefficients of the oil variables (per + // polynomial). + coeff[k][i - vi] = GF2Field.addElem(coeff_gamma[k][i], + coeff[k][i - vi]); + } + } + /* evaluate the eta-part of the polynomial */ + for (int k = 0; k < oi; k++) + { + // accumulate in the array for the free coefficients per polynomial. + sum[k] = GF2Field.addElem(sum[k], coeff_eta[k]); + } + + /* put the free coefficients (sum) into the coeff-array as last column */ + for (int k = 0; k < oi; k++) + { + coeff[k][oi] = sum[k]; + } + return coeff; + } + + /** + * Getter for the number of vinegar variables of this layer. + * + * @return the number of vinegar variables of this layer. + */ + public int getVi() + { + return vi; + } + + /** + * Getter for the number of vinegar variables of the next layer. + * + * @return the number of vinegar variables of the next layer. + */ + public int getViNext() + { + return viNext; + } + + /** + * Getter for the number of Oil variables of this layer. + * + * @return the number of oil variables of this layer. + */ + public int getOi() + { + return oi; + } + + /** + * Getter for the alpha-coefficients of the polynomials in this layer. + * + * @return the coefficients of alpha-terms of this layer. + */ + public short[][][] getCoeffAlpha() + { + return coeff_alpha; + } + + /** + * Getter for the beta-coefficients of the polynomials in this layer. + * + * @return the coefficients of beta-terms of this layer. + */ + + public short[][][] getCoeffBeta() + { + return coeff_beta; + } + + /** + * Getter for the gamma-coefficients of the polynomials in this layer. + * + * @return the coefficients of gamma-terms of this layer + */ + public short[][] getCoeffGamma() + { + return coeff_gamma; + } + + /** + * Getter for the eta-coefficients of the polynomials in this layer. + * + * @return the coefficients eta of this layer + */ + public short[] getCoeffEta() + { + return coeff_eta; + } + + /** + * This function compares this Layer with another object. + * + * @param other the other object + * @return the result of the comparison + */ + public boolean equals(Object other) + { + if (other == null || !(other instanceof Layer)) + { + return false; + } + Layer otherLayer = (Layer)other; + + return vi == otherLayer.getVi() + && viNext == otherLayer.getViNext() + && oi == otherLayer.getOi() + && RainbowUtil.equals(coeff_alpha, otherLayer.getCoeffAlpha()) + && RainbowUtil.equals(coeff_beta, otherLayer.getCoeffBeta()) + && RainbowUtil.equals(coeff_gamma, otherLayer.getCoeffGamma()) + && RainbowUtil.equals(coeff_eta, otherLayer.getCoeffEta()); + } + + public int hashCode() + { + int hash = vi; + hash = hash * 37 + viNext; + hash = hash * 37 + oi; + hash = hash * 37 + Arrays.hashCode(coeff_alpha); + hash = hash * 37 + Arrays.hashCode(coeff_beta); + hash = hash * 37 + Arrays.hashCode(coeff_gamma); + hash = hash * 37 + Arrays.hashCode(coeff_eta); + + return hash; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowKeyGenerationParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowKeyGenerationParameters.java new file mode 100644 index 00000000..2cbc5b62 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowKeyGenerationParameters.java @@ -0,0 +1,26 @@ +package org.spongycastle.pqc.crypto.rainbow; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.KeyGenerationParameters; + +public class RainbowKeyGenerationParameters + extends KeyGenerationParameters +{ + private RainbowParameters params; + + public RainbowKeyGenerationParameters( + SecureRandom random, + RainbowParameters params) + { + // TODO: key size? + super(random, params.getVi()[params.getVi().length - 1] - params.getVi()[0]); + this.params = params; + } + + public RainbowParameters getParameters() + { + return params; + } +} + diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java new file mode 100644 index 00000000..1115d649 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java @@ -0,0 +1,413 @@ +package org.spongycastle.pqc.crypto.rainbow; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.AsymmetricCipherKeyPair; +import org.spongycastle.crypto.AsymmetricCipherKeyPairGenerator; +import org.spongycastle.crypto.KeyGenerationParameters; +import org.spongycastle.pqc.crypto.rainbow.util.ComputeInField; +import org.spongycastle.pqc.crypto.rainbow.util.GF2Field; + +/** + * This class implements AsymmetricCipherKeyPairGenerator. It is used + * as a generator for the private and public key of the Rainbow Signature + * Scheme. + * <p> + * Detailed information about the key generation is to be found in the paper of + * Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable Polynomial + * Signature Scheme. ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12) + */ +public class RainbowKeyPairGenerator + implements AsymmetricCipherKeyPairGenerator +{ + private boolean initialized = false; + private SecureRandom sr; + private RainbowKeyGenerationParameters rainbowParams; + + /* linear affine map L1: */ + private short[][] A1; // matrix of the lin. affine map L1(n-v1 x n-v1 matrix) + private short[][] A1inv; // inverted A1 + private short[] b1; // translation element of the lin.affine map L1 + + /* linear affine map L2: */ + private short[][] A2; // matrix of the lin. affine map (n x n matrix) + private short[][] A2inv; // inverted A2 + private short[] b2; // translation elemt of the lin.affine map L2 + + /* components of F: */ + private int numOfLayers; // u (number of sets S) + private Layer layers[]; // layers of polynomials of F + private int[] vi; // set of vinegar vars per layer. + + /* components of Public Key */ + private short[][] pub_quadratic; // quadratic(mixed) coefficients + private short[][] pub_singular; // singular coefficients + private short[] pub_scalar; // scalars + + // TODO + + /** + * The standard constructor tries to generate the Rainbow algorithm identifier + * with the corresponding OID. + */ + public RainbowKeyPairGenerator() + { + } + + + /** + * This function generates a Rainbow key pair. + * + * @return the generated key pair + */ + public AsymmetricCipherKeyPair genKeyPair() + { + RainbowPrivateKeyParameters privKey; + RainbowPublicKeyParameters pubKey; + + if (!initialized) + { + initializeDefault(); + } + + /* choose all coefficients at random */ + keygen(); + + /* now marshall them to PrivateKey */ + privKey = new RainbowPrivateKeyParameters(A1inv, b1, A2inv, b2, vi, layers); + + + /* marshall to PublicKey */ + pubKey = new RainbowPublicKeyParameters(vi[vi.length - 1] - vi[0], pub_quadratic, pub_singular, pub_scalar); + + return new AsymmetricCipherKeyPair(pubKey, privKey); + } + + // TODO + public void initialize( + KeyGenerationParameters param) + { + this.rainbowParams = (RainbowKeyGenerationParameters)param; + + // set source of randomness + this.sr = new SecureRandom(); + + // unmarshalling: + this.vi = this.rainbowParams.getParameters().getVi(); + this.numOfLayers = this.rainbowParams.getParameters().getNumOfLayers(); + + this.initialized = true; + } + + private void initializeDefault() + { + RainbowKeyGenerationParameters rbKGParams = new RainbowKeyGenerationParameters(new SecureRandom(), new RainbowParameters()); + initialize(rbKGParams); + } + + /** + * This function calls the functions for the random generation of the coefficients + * and the matrices needed for the private key and the method for computing the public key. + */ + private void keygen() + { + generateL1(); + generateL2(); + generateF(); + computePublicKey(); + } + + /** + * This function generates the invertible affine linear map L1 = A1*x + b1 + * <p/> + * The translation part b1, is stored in a separate array. The inverse of + * the matrix-part of L1 A1inv is also computed here. + * <p/> + * This linear map hides the output of the map F. It is on k^(n-v1). + */ + private void generateL1() + { + + // dimension = n-v1 = vi[last] - vi[first] + int dim = vi[vi.length - 1] - vi[0]; + this.A1 = new short[dim][dim]; + this.A1inv = null; + ComputeInField c = new ComputeInField(); + + /* generation of A1 at random */ + while (A1inv == null) + { + for (int i = 0; i < dim; i++) + { + for (int j = 0; j < dim; j++) + { + A1[i][j] = (short)(sr.nextInt() & GF2Field.MASK); + } + } + A1inv = c.inverse(A1); + } + + /* generation of the translation vector at random */ + b1 = new short[dim]; + for (int i = 0; i < dim; i++) + { + b1[i] = (short)(sr.nextInt() & GF2Field.MASK); + } + } + + /** + * This function generates the invertible affine linear map L2 = A2*x + b2 + * <p/> + * The translation part b2, is stored in a separate array. The inverse of + * the matrix-part of L2 A2inv is also computed here. + * <p/> + * This linear map hides the output of the map F. It is on k^(n). + */ + private void generateL2() + { + + // dimension = n = vi[last] + int dim = vi[vi.length - 1]; + this.A2 = new short[dim][dim]; + this.A2inv = null; + ComputeInField c = new ComputeInField(); + + /* generation of A2 at random */ + while (this.A2inv == null) + { + for (int i = 0; i < dim; i++) + { + for (int j = 0; j < dim; j++) + { // one col extra for b + A2[i][j] = (short)(sr.nextInt() & GF2Field.MASK); + } + } + this.A2inv = c.inverse(A2); + } + /* generation of the translation vector at random */ + b2 = new short[dim]; + for (int i = 0; i < dim; i++) + { + b2[i] = (short)(sr.nextInt() & GF2Field.MASK); + } + + } + + /** + * This function generates the private map F, which consists of u-1 layers. + * Each layer consists of oi polynomials where oi = vi[i+1]-vi[i]. + * <p/> + * The methods for the generation of the coefficients of these polynomials + * are called here. + */ + private void generateF() + { + + this.layers = new Layer[this.numOfLayers]; + for (int i = 0; i < this.numOfLayers; i++) + { + layers[i] = new Layer(this.vi[i], this.vi[i + 1], sr); + } + } + + /** + * This function computes the public key from the private key. + * <p/> + * The composition of F with L2 is computed, followed by applying L1 to the + * composition's result. The singular and scalar values constitute to the + * public key as is, the quadratic terms are compacted in + * <tt>compactPublicKey()</tt> + */ + private void computePublicKey() + { + + ComputeInField c = new ComputeInField(); + int rows = this.vi[this.vi.length - 1] - this.vi[0]; + int vars = this.vi[this.vi.length - 1]; + // Fpub + short[][][] coeff_quadratic_3dim = new short[rows][vars][vars]; + this.pub_singular = new short[rows][vars]; + this.pub_scalar = new short[rows]; + + // Coefficients of layers of Private Key F + short[][][] coeff_alpha; + short[][][] coeff_beta; + short[][] coeff_gamma; + short[] coeff_eta; + + // Needed for counters; + int oils = 0; + int vins = 0; + int crnt_row = 0; // current row (polynomial) + + short vect_tmp[] = new short[vars]; // vector tmp; + short sclr_tmp = 0; + + // Composition of F and L2: Insert L2 = A2*x+b2 in F + for (int l = 0; l < this.layers.length; l++) + { + // get coefficients of current layer + coeff_alpha = this.layers[l].getCoeffAlpha(); + coeff_beta = this.layers[l].getCoeffBeta(); + coeff_gamma = this.layers[l].getCoeffGamma(); + coeff_eta = this.layers[l].getCoeffEta(); + oils = coeff_alpha[0].length;// this.layers[l].getOi(); + vins = coeff_beta[0].length;// this.layers[l].getVi(); + // compute polynomials of layer + for (int p = 0; p < oils; p++) + { + // multiply alphas + for (int x1 = 0; x1 < oils; x1++) + { + for (int x2 = 0; x2 < vins; x2++) + { + // multiply polynomial1 with polynomial2 + vect_tmp = c.multVect(coeff_alpha[p][x1][x2], + this.A2[x1 + vins]); + coeff_quadratic_3dim[crnt_row + p] = c.addSquareMatrix( + coeff_quadratic_3dim[crnt_row + p], c + .multVects(vect_tmp, this.A2[x2])); + // mul poly1 with scalar2 + vect_tmp = c.multVect(this.b2[x2], vect_tmp); + this.pub_singular[crnt_row + p] = c.addVect(vect_tmp, + this.pub_singular[crnt_row + p]); + // mul scalar1 with poly2 + vect_tmp = c.multVect(coeff_alpha[p][x1][x2], + this.A2[x2]); + vect_tmp = c.multVect(b2[x1 + vins], vect_tmp); + this.pub_singular[crnt_row + p] = c.addVect(vect_tmp, + this.pub_singular[crnt_row + p]); + // mul scalar1 with scalar2 + sclr_tmp = GF2Field.multElem(coeff_alpha[p][x1][x2], + this.b2[x1 + vins]); + this.pub_scalar[crnt_row + p] = GF2Field.addElem( + this.pub_scalar[crnt_row + p], GF2Field + .multElem(sclr_tmp, this.b2[x2])); + } + } + // multiply betas + for (int x1 = 0; x1 < vins; x1++) + { + for (int x2 = 0; x2 < vins; x2++) + { + // multiply polynomial1 with polynomial2 + vect_tmp = c.multVect(coeff_beta[p][x1][x2], + this.A2[x1]); + coeff_quadratic_3dim[crnt_row + p] = c.addSquareMatrix( + coeff_quadratic_3dim[crnt_row + p], c + .multVects(vect_tmp, this.A2[x2])); + // mul poly1 with scalar2 + vect_tmp = c.multVect(this.b2[x2], vect_tmp); + this.pub_singular[crnt_row + p] = c.addVect(vect_tmp, + this.pub_singular[crnt_row + p]); + // mul scalar1 with poly2 + vect_tmp = c.multVect(coeff_beta[p][x1][x2], + this.A2[x2]); + vect_tmp = c.multVect(this.b2[x1], vect_tmp); + this.pub_singular[crnt_row + p] = c.addVect(vect_tmp, + this.pub_singular[crnt_row + p]); + // mul scalar1 with scalar2 + sclr_tmp = GF2Field.multElem(coeff_beta[p][x1][x2], + this.b2[x1]); + this.pub_scalar[crnt_row + p] = GF2Field.addElem( + this.pub_scalar[crnt_row + p], GF2Field + .multElem(sclr_tmp, this.b2[x2])); + } + } + // multiply gammas + for (int n = 0; n < vins + oils; n++) + { + // mul poly with scalar + vect_tmp = c.multVect(coeff_gamma[p][n], this.A2[n]); + this.pub_singular[crnt_row + p] = c.addVect(vect_tmp, + this.pub_singular[crnt_row + p]); + // mul scalar with scalar + this.pub_scalar[crnt_row + p] = GF2Field.addElem( + this.pub_scalar[crnt_row + p], GF2Field.multElem( + coeff_gamma[p][n], this.b2[n])); + } + // add eta + this.pub_scalar[crnt_row + p] = GF2Field.addElem( + this.pub_scalar[crnt_row + p], coeff_eta[p]); + } + crnt_row = crnt_row + oils; + } + + // Apply L1 = A1*x+b1 to composition of F and L2 + { + // temporary coefficient arrays + short[][][] tmp_c_quad = new short[rows][vars][vars]; + short[][] tmp_c_sing = new short[rows][vars]; + short[] tmp_c_scal = new short[rows]; + for (int r = 0; r < rows; r++) + { + for (int q = 0; q < A1.length; q++) + { + tmp_c_quad[r] = c.addSquareMatrix(tmp_c_quad[r], c + .multMatrix(A1[r][q], coeff_quadratic_3dim[q])); + tmp_c_sing[r] = c.addVect(tmp_c_sing[r], c.multVect( + A1[r][q], this.pub_singular[q])); + tmp_c_scal[r] = GF2Field.addElem(tmp_c_scal[r], GF2Field + .multElem(A1[r][q], this.pub_scalar[q])); + } + tmp_c_scal[r] = GF2Field.addElem(tmp_c_scal[r], b1[r]); + } + // set public key + coeff_quadratic_3dim = tmp_c_quad; + this.pub_singular = tmp_c_sing; + this.pub_scalar = tmp_c_scal; + } + compactPublicKey(coeff_quadratic_3dim); + } + + /** + * The quadratic (or mixed) terms of the public key are compacted from a n x + * n matrix per polynomial to an upper diagonal matrix stored in one integer + * array of n (n + 1) / 2 elements per polynomial. The ordering of elements + * is lexicographic and the result is updating <tt>this.pub_quadratic</tt>, + * which stores the quadratic elements of the public key. + * + * @param coeff_quadratic_to_compact 3-dimensional array containing a n x n Matrix for each of the + * n - v1 polynomials + */ + private void compactPublicKey(short[][][] coeff_quadratic_to_compact) + { + int polynomials = coeff_quadratic_to_compact.length; + int n = coeff_quadratic_to_compact[0].length; + int entries = n * (n + 1) / 2;// the small gauss + this.pub_quadratic = new short[polynomials][entries]; + int offset = 0; + + for (int p = 0; p < polynomials; p++) + { + offset = 0; + for (int x = 0; x < n; x++) + { + for (int y = x; y < n; y++) + { + if (y == x) + { + this.pub_quadratic[p][offset] = coeff_quadratic_to_compact[p][x][y]; + } + else + { + this.pub_quadratic[p][offset] = GF2Field.addElem( + coeff_quadratic_to_compact[p][x][y], + coeff_quadratic_to_compact[p][y][x]); + } + offset++; + } + } + } + } + + public void init(KeyGenerationParameters param) + { + this.initialize(param); + } + + public AsymmetricCipherKeyPair generateKeyPair() + { + return genKeyPair(); + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowKeyParameters.java new file mode 100644 index 00000000..075afda4 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowKeyParameters.java @@ -0,0 +1,25 @@ +package org.spongycastle.pqc.crypto.rainbow; + +import org.spongycastle.crypto.params.AsymmetricKeyParameter; + +public class RainbowKeyParameters + extends AsymmetricKeyParameter +{ + private int docLength; + + public RainbowKeyParameters( + boolean isPrivate, + int docLength) + { + super(isPrivate); + this.docLength = docLength; + } + + /** + * @return the docLength + */ + public int getDocLength() + { + return this.docLength; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowParameters.java new file mode 100644 index 00000000..edc0d023 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowParameters.java @@ -0,0 +1,111 @@ +package org.spongycastle.pqc.crypto.rainbow; + +import org.spongycastle.crypto.CipherParameters; + +public class RainbowParameters + implements CipherParameters +{ + + /** + * DEFAULT PARAMS + */ + /* + * Vi = vinegars per layer whereas n is vu (vu = 33 = n) such that + * + * v1 = 6; o1 = 12-6 = 6 + * + * v2 = 12; o2 = 17-12 = 5 + * + * v3 = 17; o3 = 22-17 = 5 + * + * v4 = 22; o4 = 33-22 = 11 + * + * v5 = 33; (o5 = 0) + */ + private final int[] DEFAULT_VI = {6, 12, 17, 22, 33}; + + private int[] vi;// set of vinegar vars per layer. + + /** + * Default Constructor The elements of the array containing the number of + * Vinegar variables in each layer are set to the default values here. + */ + public RainbowParameters() + { + this.vi = this.DEFAULT_VI; + } + + /** + * Constructor with parameters + * + * @param vi The elements of the array containing the number of Vinegar + * variables per layer are set to the values of the input array. + */ + public RainbowParameters(int[] vi) + { + this.vi = vi; + try + { + checkParams(); + } + catch (Exception e) + { + e.printStackTrace(); + } + } + + private void checkParams() + throws Exception + { + if (vi == null) + { + throw new Exception("no layers defined."); + } + if (vi.length > 1) + { + for (int i = 0; i < vi.length - 1; i++) + { + if (vi[i] >= vi[i + 1]) + { + throw new Exception( + "v[i] has to be smaller than v[i+1]"); + } + } + } + else + { + throw new Exception( + "Rainbow needs at least 1 layer, such that v1 < v2."); + } + } + + /** + * Getter for the number of layers + * + * @return the number of layers + */ + public int getNumOfLayers() + { + return this.vi.length - 1; + } + + /** + * Getter for the number of all the polynomials in Rainbow + * + * @return the number of the polynomials + */ + public int getDocLength() + { + return vi[vi.length - 1] - vi[0]; + } + + /** + * Getter for the array containing the number of Vinegar-variables per layer + * + * @return the numbers of vinegars per layer + */ + public int[] getVi() + { + return this.vi; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowPrivateKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowPrivateKeyParameters.java new file mode 100644 index 00000000..5d501a53 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowPrivateKeyParameters.java @@ -0,0 +1,117 @@ +package org.spongycastle.pqc.crypto.rainbow; + +public class RainbowPrivateKeyParameters + extends RainbowKeyParameters +{ + /** + * Constructor + * + * @param A1inv the inverse of A1(the matrix part of the affine linear map L1) + * (n-v1 x n-v1 matrix) + * @param b1 translation vector, part of the linear affine map L1 + * @param A2inv the inverse of A2(the matrix part of the affine linear map L2) + * (n x n matrix) + * @param b2 translation vector, part of the linear affine map L2 + * @param vi the number of Vinegar-variables per layer + * @param layers the polynomials with their coefficients of private map F + */ + public RainbowPrivateKeyParameters(short[][] A1inv, short[] b1, + short[][] A2inv, short[] b2, int[] vi, Layer[] layers) + { + super(true, vi[vi.length - 1] - vi[0]); + + this.A1inv = A1inv; + this.b1 = b1; + this.A2inv = A2inv; + this.b2 = b2; + this.vi = vi; + this.layers = layers; + } + + /* + * invertible affine linear map L1 + */ + // the inverse of A1, (n-v1 x n-v1 matrix) + private short[][] A1inv; + + // translation vector of L1 + private short[] b1; + + /* + * invertible affine linear map L2 + */ + // the inverse of A2, (n x n matrix) + private short[][] A2inv; + + // translation vector of L2 + private short[] b2; + + /* + * components of F + */ + // the number of Vinegar-variables per layer. + private int[] vi; + + // contains the polynomials with their coefficients of private map F + private Layer[] layers; + + /** + * Getter for the translation part of the private quadratic map L1. + * + * @return b1 the translation part of L1 + */ + public short[] getB1() + { + return this.b1; + } + + /** + * Getter for the inverse matrix of A1. + * + * @return the A1inv inverse + */ + public short[][] getInvA1() + { + return this.A1inv; + } + + /** + * Getter for the translation part of the private quadratic map L2. + * + * @return b2 the translation part of L2 + */ + public short[] getB2() + { + return this.b2; + } + + /** + * Getter for the inverse matrix of A2 + * + * @return the A2inv + */ + public short[][] getInvA2() + { + return this.A2inv; + } + + /** + * Returns the layers contained in the private key + * + * @return layers + */ + public Layer[] getLayers() + { + return this.layers; + } + + /** + * /** Returns the array of vi-s + * + * @return the vi + */ + public int[] getVi() + { + return vi; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowPublicKeyParameters.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowPublicKeyParameters.java new file mode 100644 index 00000000..3a5314e1 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowPublicKeyParameters.java @@ -0,0 +1,53 @@ +package org.spongycastle.pqc.crypto.rainbow; + +public class RainbowPublicKeyParameters + extends RainbowKeyParameters +{ + private short[][] coeffquadratic; + private short[][] coeffsingular; + private short[] coeffscalar; + + /** + * Constructor + * + * @param docLength + * @param coeffQuadratic + * @param coeffSingular + * @param coeffScalar + */ + public RainbowPublicKeyParameters(int docLength, + short[][] coeffQuadratic, short[][] coeffSingular, + short[] coeffScalar) + { + super(false, docLength); + + this.coeffquadratic = coeffQuadratic; + this.coeffsingular = coeffSingular; + this.coeffscalar = coeffScalar; + + } + + /** + * @return the coeffquadratic + */ + public short[][] getCoeffQuadratic() + { + return coeffquadratic; + } + + /** + * @return the coeffsingular + */ + public short[][] getCoeffSingular() + { + return coeffsingular; + } + + /** + * @return the coeffscalar + */ + public short[] getCoeffScalar() + { + return coeffscalar; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowSigner.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowSigner.java new file mode 100644 index 00000000..9033b37e --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/RainbowSigner.java @@ -0,0 +1,301 @@ +package org.spongycastle.pqc.crypto.rainbow; + +import java.security.SecureRandom; + +import org.spongycastle.crypto.CipherParameters; +import org.spongycastle.crypto.params.ParametersWithRandom; +import org.spongycastle.pqc.crypto.MessageSigner; +import org.spongycastle.pqc.crypto.rainbow.util.ComputeInField; +import org.spongycastle.pqc.crypto.rainbow.util.GF2Field; + +/** + * It implements the sign and verify functions for the Rainbow Signature Scheme. + * Here the message, which has to be signed, is updated. The use of + * different hash functions is possible. + * <p> + * Detailed information about the signature and the verify-method is to be found + * in the paper of Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable + * Polynomial Signature Scheme. ACNS 2005: 164-175 + * (http://dx.doi.org/10.1007/11496137_12) + */ +public class RainbowSigner + implements MessageSigner +{ + // Source of randomness + private SecureRandom random; + + // The length of a document that can be signed with the privKey + int signableDocumentLength; + + // Container for the oil and vinegar variables of all the layers + private short[] x; + + private ComputeInField cf = new ComputeInField(); + + RainbowKeyParameters key; + + public void init(boolean forSigning, + CipherParameters param) + { + if (forSigning) + { + if (param instanceof ParametersWithRandom) + { + ParametersWithRandom rParam = (ParametersWithRandom)param; + + this.random = rParam.getRandom(); + this.key = (RainbowPrivateKeyParameters)rParam.getParameters(); + + } + else + { + + this.random = new SecureRandom(); + this.key = (RainbowPrivateKeyParameters)param; + } + } + else + { + this.key = (RainbowPublicKeyParameters)param; + } + + this.signableDocumentLength = this.key.getDocLength(); + } + + + /** + * initial operations before solving the Linear equation system. + * + * @param layer the current layer for which a LES is to be solved. + * @param msg the message that should be signed. + * @return Y_ the modified document needed for solving LES, (Y_ = + * A1^{-1}*(Y-b1)) linear map L1 = A1 x + b1. + */ + private short[] initSign(Layer[] layer, short[] msg) + { + + /* preparation: Modifies the document with the inverse of L1 */ + // tmp = Y - b1: + short[] tmpVec = new short[msg.length]; + + tmpVec = cf.addVect(((RainbowPrivateKeyParameters)this.key).getB1(), msg); + + // Y_ = A1^{-1} * (Y - b1) : + short[] Y_ = cf.multiplyMatrix(((RainbowPrivateKeyParameters)this.key).getInvA1(), tmpVec); + + /* generates the vinegar vars of the first layer at random */ + for (int i = 0; i < layer[0].getVi(); i++) + { + x[i] = (short)random.nextInt(); + x[i] = (short)(x[i] & GF2Field.MASK); + } + + return Y_; + } + + /** + * This function signs the message that has been updated, making use of the + * private key. + * <p> + * For computing the signature, L1 and L2 are needed, as well as LES should + * be solved for each layer in order to find the Oil-variables in the layer. + * <p> + * The Vinegar-variables of the first layer are random generated. + * + * @param message the message + * @return the signature of the message. + */ + public byte[] generateSignature(byte[] message) + { + Layer[] layer = ((RainbowPrivateKeyParameters)this.key).getLayers(); + int numberOfLayers = layer.length; + + x = new short[((RainbowPrivateKeyParameters)this.key).getInvA2().length]; // all variables + + short[] Y_; // modified document + short[] y_i; // part of Y_ each polynomial + int counter; // index of the current part of the doc + + short[] solVec; // the solution of LES pro layer + short[] tmpVec; + + // the signature as an array of shorts: + short[] signature; + // the signature as a byte-array: + byte[] S = new byte[layer[numberOfLayers - 1].getViNext()]; + + short[] msgHashVals = makeMessageRepresentative(message); + + // shows if an exception is caught + boolean ok; + do + { + ok = true; + counter = 0; + try + { + Y_ = initSign(layer, msgHashVals); + + for (int i = 0; i < numberOfLayers; i++) + { + + y_i = new short[layer[i].getOi()]; + solVec = new short[layer[i].getOi()]; // solution of LES + + /* copy oi elements of Y_ into y_i */ + for (int k = 0; k < layer[i].getOi(); k++) + { + y_i[k] = Y_[counter]; + counter++; // current index of Y_ + } + + /* + * plug in the vars of the previous layer in order to get + * the vars of the current layer + */ + solVec = cf.solveEquation(layer[i].plugInVinegars(x), y_i); + + if (solVec == null) + { // LES is not solveable + throw new Exception("LES is not solveable!"); + } + + /* copy the new vars into the x-array */ + for (int j = 0; j < solVec.length; j++) + { + x[layer[i].getVi() + j] = solVec[j]; + } + } + + /* apply the inverse of L2: (signature = A2^{-1}*(b2+x)) */ + tmpVec = cf.addVect(((RainbowPrivateKeyParameters)this.key).getB2(), x); + signature = cf.multiplyMatrix(((RainbowPrivateKeyParameters)this.key).getInvA2(), tmpVec); + + /* cast signature from short[] to byte[] */ + for (int i = 0; i < S.length; i++) + { + S[i] = ((byte)signature[i]); + } + } + catch (Exception se) + { + // if one of the LESs was not solveable - sign again + ok = false; + } + } + while (!ok); + /* return the signature in bytes */ + return S; + } + + /** + * This function verifies the signature of the message that has been + * updated, with the aid of the public key. + * + * @param message the message + * @param signature the signature of the message + * @return true if the signature has been verified, false otherwise. + */ + public boolean verifySignature(byte[] message, byte[] signature) + { + short[] sigInt = new short[signature.length]; + short tmp; + + for (int i = 0; i < signature.length; i++) + { + tmp = (short)signature[i]; + tmp &= (short)0xff; + sigInt[i] = tmp; + } + + short[] msgHashVal = makeMessageRepresentative(message); + + // verify + short[] verificationResult = verifySignatureIntern(sigInt); + + // compare + boolean verified = true; + if (msgHashVal.length != verificationResult.length) + { + return false; + } + for (int i = 0; i < msgHashVal.length; i++) + { + verified = verified && msgHashVal[i] == verificationResult[i]; + } + + return verified; + } + + /** + * Signature verification using public key + * + * @param signature vector of dimension n + * @return document hash of length n - v1 + */ + private short[] verifySignatureIntern(short[] signature) + { + + short[][] coeff_quadratic = ((RainbowPublicKeyParameters)this.key).getCoeffQuadratic(); + short[][] coeff_singular = ((RainbowPublicKeyParameters)this.key).getCoeffSingular(); + short[] coeff_scalar = ((RainbowPublicKeyParameters)this.key).getCoeffScalar(); + + short[] rslt = new short[coeff_quadratic.length];// n - v1 + int n = coeff_singular[0].length; + int offset = 0; // array position + short tmp = 0; // for scalar + + for (int p = 0; p < coeff_quadratic.length; p++) + { // no of polynomials + offset = 0; + for (int x = 0; x < n; x++) + { + // calculate quadratic terms + for (int y = x; y < n; y++) + { + tmp = GF2Field.multElem(coeff_quadratic[p][offset], + GF2Field.multElem(signature[x], signature[y])); + rslt[p] = GF2Field.addElem(rslt[p], tmp); + offset++; + } + // calculate singular terms + tmp = GF2Field.multElem(coeff_singular[p][x], signature[x]); + rslt[p] = GF2Field.addElem(rslt[p], tmp); + } + // add scalar + rslt[p] = GF2Field.addElem(rslt[p], coeff_scalar[p]); + } + + return rslt; + } + + /** + * This function creates the representative of the message which gets signed + * or verified. + * + * @param message the message + * @return message representative + */ + private short[] makeMessageRepresentative(byte[] message) + { + // the message representative + short[] output = new short[this.signableDocumentLength]; + + int h = 0; + int i = 0; + do + { + if (i >= message.length) + { + break; + } + output[i] = (short)message[h]; + output[i] &= (short)0xff; + h++; + i++; + } + while (i < output.length); + + return output; + } +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/util/ComputeInField.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/util/ComputeInField.java new file mode 100644 index 00000000..1e4b6c0f --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/util/ComputeInField.java @@ -0,0 +1,490 @@ +package org.spongycastle.pqc.crypto.rainbow.util; + +/** + * This class offers different operations on matrices in field GF2^8. + * <p> + * Implemented are functions: + * - finding inverse of a matrix + * - solving linear equation systems using the Gauss-Elimination method + * - basic operations like matrix multiplication, addition and so on. + */ + +public class ComputeInField +{ + + private short[][] A; // used by solveEquation and inverse + short[] x; + + /** + * Constructor with no parameters + */ + public ComputeInField() + { + } + + + /** + * This function finds a solution of the equation Bx = b. + * Exception is thrown if the linear equation system has no solution + * + * @param B this matrix is the left part of the + * equation (B in the equation above) + * @param b the right part of the equation + * (b in the equation above) + * @return x the solution of the equation if it is solvable + * null otherwise + * @throws RuntimeException if LES is not solvable + */ + public short[] solveEquation(short[][] B, short[] b) + { + try + { + + if (B.length != b.length) + { + throw new RuntimeException( + "The equation system is not solvable"); + } + + /** initialize **/ + // this matrix stores B and b from the equation B*x = b + // b is stored as the last column. + // B contains one column more than rows. + // In this column we store a free coefficient that should be later subtracted from b + A = new short[B.length][B.length + 1]; + // stores the solution of the LES + x = new short[B.length]; + + /** copy B into the global matrix A **/ + for (int i = 0; i < B.length; i++) + { // rows + for (int j = 0; j < B[0].length; j++) + { // cols + A[i][j] = B[i][j]; + } + } + + /** copy the vector b into the global A **/ + //the free coefficient, stored in the last column of A( A[i][b.length] + // is to be subtracted from b + for (int i = 0; i < b.length; i++) + { + A[i][b.length] = GF2Field.addElem(b[i], A[i][b.length]); + } + + /** call the methods for gauss elimination and backward substitution **/ + computeZerosUnder(false); // obtain zeros under the diagonal + substitute(); + + return x; + + } + catch (RuntimeException rte) + { + return null; // the LES is not solvable! + } + } + + /** + * This function computes the inverse of a given matrix using the Gauss- + * Elimination method. + * <p> + * An exception is thrown if the matrix has no inverse + * + * @param coef the matrix which inverse matrix is needed + * @return inverse matrix of the input matrix. + * If the matrix is singular, null is returned. + * @throws RuntimeException if the given matrix is not invertible + */ + public short[][] inverse(short[][] coef) + { + try + { + /** Initialization: **/ + short factor; + short[][] inverse; + A = new short[coef.length][2 * coef.length]; + if (coef.length != coef[0].length) + { + throw new RuntimeException( + "The matrix is not invertible. Please choose another one!"); + } + + /** prepare: Copy coef and the identity matrix into the global A. **/ + for (int i = 0; i < coef.length; i++) + { + for (int j = 0; j < coef.length; j++) + { + //copy the input matrix coef into A + A[i][j] = coef[i][j]; + } + // copy the identity matrix into A. + for (int j = coef.length; j < 2 * coef.length; j++) + { + A[i][j] = 0; + } + A[i][i + A.length] = 1; + } + + /** Elimination operations to get the identity matrix from the left side of A. **/ + // modify A to get 0s under the diagonal. + computeZerosUnder(true); + + // modify A to get only 1s on the diagonal: A[i][j] =A[i][j]/A[i][i]. + for (int i = 0; i < A.length; i++) + { + factor = GF2Field.invElem(A[i][i]); + for (int j = i; j < 2 * A.length; j++) + { + A[i][j] = GF2Field.multElem(A[i][j], factor); + } + } + + //modify A to get only 0s above the diagonal. + computeZerosAbove(); + + // copy the result (the second half of A) in the matrix inverse. + inverse = new short[A.length][A.length]; + for (int i = 0; i < A.length; i++) + { + for (int j = A.length; j < 2 * A.length; j++) + { + inverse[i][j - A.length] = A[i][j]; + } + } + return inverse; + + } + catch (RuntimeException rte) + { + // The matrix is not invertible! A new one should be generated! + return null; + } + } + + /** + * Elimination under the diagonal. + * This function changes a matrix so that it contains only zeros under the + * diagonal(Ai,i) using only Gauss-Elimination operations. + * <p/> + * It is used in solveEquaton as well as in the function for + * finding an inverse of a matrix: {@link}inverse. Both of them use the + * Gauss-Elimination Method. + * <p/> + * The result is stored in the global matrix A + * + * @param usedForInverse This parameter shows if the function is used by the + * solveEquation-function or by the inverse-function and according + * to this creates matrices of different sizes. + * @throws RuntimeException in case a multiplicative inverse of 0 is needed + */ + private void computeZerosUnder(boolean usedForInverse) + throws RuntimeException + { + + //the number of columns in the global A where the tmp results are stored + int length; + short tmp = 0; + + //the function is used in inverse() - A should have 2 times more columns than rows + if (usedForInverse) + { + length = 2 * A.length; + } + //the function is used in solveEquation - A has 1 column more than rows + else + { + length = A.length + 1; + } + + //elimination operations to modify A so that that it contains only 0s under the diagonal + for (int k = 0; k < A.length - 1; k++) + { // the fixed row + for (int i = k + 1; i < A.length; i++) + { // rows + short factor1 = A[i][k]; + short factor2 = GF2Field.invElem(A[k][k]); + + //The element which multiplicative inverse is needed, is 0 + //in this case is the input matrix not invertible + if (factor2 == 0) + { + throw new RuntimeException("Matrix not invertible! We have to choose another one!"); + } + + for (int j = k; j < length; j++) + {// columns + // tmp=A[k,j] / A[k,k] + tmp = GF2Field.multElem(A[k][j], factor2); + // tmp = A[i,k] * A[k,j] / A[k,k] + tmp = GF2Field.multElem(factor1, tmp); + // A[i,j]=A[i,j]-A[i,k]/A[k,k]*A[k,j]; + A[i][j] = GF2Field.addElem(A[i][j], tmp); + } + } + } + } + + /** + * Elimination above the diagonal. + * This function changes a matrix so that it contains only zeros above the + * diagonal(Ai,i) using only Gauss-Elimination operations. + * <p/> + * It is used in the inverse-function + * The result is stored in the global matrix A + * + * @throws RuntimeException in case a multiplicative inverse of 0 is needed + */ + private void computeZerosAbove() + throws RuntimeException + { + short tmp = 0; + for (int k = A.length - 1; k > 0; k--) + { // the fixed row + for (int i = k - 1; i >= 0; i--) + { // rows + short factor1 = A[i][k]; + short factor2 = GF2Field.invElem(A[k][k]); + if (factor2 == 0) + { + throw new RuntimeException("The matrix is not invertible"); + } + for (int j = k; j < 2 * A.length; j++) + { // columns + // tmp = A[k,j] / A[k,k] + tmp = GF2Field.multElem(A[k][j], factor2); + // tmp = A[i,k] * A[k,j] / A[k,k] + tmp = GF2Field.multElem(factor1, tmp); + // A[i,j] = A[i,j] - A[i,k] / A[k,k] * A[k,j]; + A[i][j] = GF2Field.addElem(A[i][j], tmp); + } + } + } + } + + + /** + * This function uses backward substitution to find x + * of the linear equation system (LES) B*x = b, + * where A a triangle-matrix is (contains only zeros under the diagonal) + * and b is a vector + * <p/> + * If the multiplicative inverse of 0 is needed, an exception is thrown. + * In this case is the LES not solvable + * + * @throws RuntimeException in case a multiplicative inverse of 0 is needed + */ + private void substitute() + throws RuntimeException + { + + // for the temporary results of the operations in field + short tmp, temp; + + temp = GF2Field.invElem(A[A.length - 1][A.length - 1]); + if (temp == 0) + { + throw new RuntimeException("The equation system is not solvable"); + } + + /** backward substitution **/ + x[A.length - 1] = GF2Field.multElem(A[A.length - 1][A.length], temp); + for (int i = A.length - 2; i >= 0; i--) + { + tmp = A[i][A.length]; + for (int j = A.length - 1; j > i; j--) + { + temp = GF2Field.multElem(A[i][j], x[j]); + tmp = GF2Field.addElem(tmp, temp); + } + + temp = GF2Field.invElem(A[i][i]); + if (temp == 0) + { + throw new RuntimeException("Not solvable equation system"); + } + x[i] = GF2Field.multElem(tmp, temp); + } + } + + + /** + * This function multiplies two given matrices. + * If the given matrices cannot be multiplied due + * to different sizes, an exception is thrown. + * + * @param M1 -the 1st matrix + * @param M2 -the 2nd matrix + * @return A = M1*M2 + * @throws RuntimeException in case the given matrices cannot be multiplied + * due to different dimensions. + */ + public short[][] multiplyMatrix(short[][] M1, short[][] M2) + throws RuntimeException + { + + if (M1[0].length != M2.length) + { + throw new RuntimeException("Multiplication is not possible!"); + } + short tmp = 0; + A = new short[M1.length][M2[0].length]; + for (int i = 0; i < M1.length; i++) + { + for (int j = 0; j < M2.length; j++) + { + for (int k = 0; k < M2[0].length; k++) + { + tmp = GF2Field.multElem(M1[i][j], M2[j][k]); + A[i][k] = GF2Field.addElem(A[i][k], tmp); + } + } + } + return A; + } + + /** + * This function multiplies a given matrix with a one-dimensional array. + * <p> + * An exception is thrown, if the number of columns in the matrix and + * the number of rows in the one-dim. array differ. + * + * @param M1 the matrix to be multiplied + * @param m the one-dimensional array to be multiplied + * @return M1*m + * @throws RuntimeException in case of dimension inconsistency + */ + public short[] multiplyMatrix(short[][] M1, short[] m) + throws RuntimeException + { + if (M1[0].length != m.length) + { + throw new RuntimeException("Multiplication is not possible!"); + } + short tmp = 0; + short[] B = new short[M1.length]; + for (int i = 0; i < M1.length; i++) + { + for (int j = 0; j < m.length; j++) + { + tmp = GF2Field.multElem(M1[i][j], m[j]); + B[i] = GF2Field.addElem(B[i], tmp); + } + } + return B; + } + + /** + * Addition of two vectors + * + * @param vector1 first summand, always of dim n + * @param vector2 second summand, always of dim n + * @return addition of vector1 and vector2 + * @throws RuntimeException in case the addition is impossible + * due to inconsistency in the dimensions + */ + public short[] addVect(short[] vector1, short[] vector2) + { + if (vector1.length != vector2.length) + { + throw new RuntimeException("Multiplication is not possible!"); + } + short rslt[] = new short[vector1.length]; + for (int n = 0; n < rslt.length; n++) + { + rslt[n] = GF2Field.addElem(vector1[n], vector2[n]); + } + return rslt; + } + + /** + * Multiplication of column vector with row vector + * + * @param vector1 column vector, always n x 1 + * @param vector2 row vector, always 1 x n + * @return resulting n x n matrix of multiplication + * @throws RuntimeException in case the multiplication is impossible due to + * inconsistency in the dimensions + */ + public short[][] multVects(short[] vector1, short[] vector2) + { + if (vector1.length != vector2.length) + { + throw new RuntimeException("Multiplication is not possible!"); + } + short rslt[][] = new short[vector1.length][vector2.length]; + for (int i = 0; i < vector1.length; i++) + { + for (int j = 0; j < vector2.length; j++) + { + rslt[i][j] = GF2Field.multElem(vector1[i], vector2[j]); + } + } + return rslt; + } + + /** + * Multiplies vector with scalar + * + * @param scalar galois element to multiply vector with + * @param vector vector to be multiplied + * @return vector multiplied with scalar + */ + public short[] multVect(short scalar, short[] vector) + { + short rslt[] = new short[vector.length]; + for (int n = 0; n < rslt.length; n++) + { + rslt[n] = GF2Field.multElem(scalar, vector[n]); + } + return rslt; + } + + /** + * Multiplies matrix with scalar + * + * @param scalar galois element to multiply matrix with + * @param matrix 2-dim n x n matrix to be multiplied + * @return matrix multiplied with scalar + */ + public short[][] multMatrix(short scalar, short[][] matrix) + { + short[][] rslt = new short[matrix.length][matrix[0].length]; + for (int i = 0; i < matrix.length; i++) + { + for (int j = 0; j < matrix[0].length; j++) + { + rslt[i][j] = GF2Field.multElem(scalar, matrix[i][j]); + } + } + return rslt; + } + + /** + * Adds the n x n matrices matrix1 and matrix2 + * + * @param matrix1 first summand + * @param matrix2 second summand + * @return addition of matrix1 and matrix2; both having the dimensions n x n + * @throws RuntimeException in case the addition is not possible because of + * different dimensions of the matrices + */ + public short[][] addSquareMatrix(short[][] matrix1, short[][] matrix2) + { + if (matrix1.length != matrix2.length || matrix1[0].length != matrix2[0].length) + { + throw new RuntimeException("Addition is not possible!"); + } + + short[][] rslt = new short[matrix1.length][matrix1.length];// + for (int i = 0; i < matrix1.length; i++) + { + for (int j = 0; j < matrix2.length; j++) + { + rslt[i][j] = GF2Field.addElem(matrix1[i][j], matrix2[i][j]); + } + } + return rslt; + } + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/util/GF2Field.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/util/GF2Field.java new file mode 100644 index 00000000..675f0ec5 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/util/GF2Field.java @@ -0,0 +1,139 @@ +package org.spongycastle.pqc.crypto.rainbow.util; + +/** + * This class provides the basic operations like addition, multiplication and + * finding the multiplicative inverse of an element in GF2^8. + * <p> + * The operations are implemented using the irreducible polynomial + * 1+x^2+x^3+x^6+x^8 ( 1 0100 1101 = 0x14d ) + * <p> + * This class makes use of lookup tables(exps and logs) for implementing the + * operations in order to increase the efficiency of Rainbow. + */ +public class GF2Field +{ + + public static final int MASK = 0xff; + + /* + * this lookup table is needed for multiplication and computing the + * multiplicative inverse + */ + static final short exps[] = {1, 2, 4, 8, 16, 32, 64, 128, 77, 154, 121, 242, + 169, 31, 62, 124, 248, 189, 55, 110, 220, 245, 167, 3, 6, 12, 24, + 48, 96, 192, 205, 215, 227, 139, 91, 182, 33, 66, 132, 69, 138, 89, + 178, 41, 82, 164, 5, 10, 20, 40, 80, 160, 13, 26, 52, 104, 208, + 237, 151, 99, 198, 193, 207, 211, 235, 155, 123, 246, 161, 15, 30, + 60, 120, 240, 173, 23, 46, 92, 184, 61, 122, 244, 165, 7, 14, 28, + 56, 112, 224, 141, 87, 174, 17, 34, 68, 136, 93, 186, 57, 114, 228, + 133, 71, 142, 81, 162, 9, 18, 36, 72, 144, 109, 218, 249, 191, 51, + 102, 204, 213, 231, 131, 75, 150, 97, 194, 201, 223, 243, 171, 27, + 54, 108, 216, 253, 183, 35, 70, 140, 85, 170, 25, 50, 100, 200, + 221, 247, 163, 11, 22, 44, 88, 176, 45, 90, 180, 37, 74, 148, 101, + 202, 217, 255, 179, 43, 86, 172, 21, 42, 84, 168, 29, 58, 116, 232, + 157, 119, 238, 145, 111, 222, 241, 175, 19, 38, 76, 152, 125, 250, + 185, 63, 126, 252, 181, 39, 78, 156, 117, 234, 153, 127, 254, 177, + 47, 94, 188, 53, 106, 212, 229, 135, 67, 134, 65, 130, 73, 146, + 105, 210, 233, 159, 115, 230, 129, 79, 158, 113, 226, 137, 95, 190, + 49, 98, 196, 197, 199, 195, 203, 219, 251, 187, 59, 118, 236, 149, + 103, 206, 209, 239, 147, 107, 214, 225, 143, 83, 166, 1}; + + /* + * this lookup table is needed for multiplication and computing the + * multiplicative inverse + */ + static final short logs[] = {0, 0, 1, 23, 2, 46, 24, 83, 3, 106, 47, 147, + 25, 52, 84, 69, 4, 92, 107, 182, 48, 166, 148, 75, 26, 140, 53, + 129, 85, 170, 70, 13, 5, 36, 93, 135, 108, 155, 183, 193, 49, 43, + 167, 163, 149, 152, 76, 202, 27, 230, 141, 115, 54, 205, 130, 18, + 86, 98, 171, 240, 71, 79, 14, 189, 6, 212, 37, 210, 94, 39, 136, + 102, 109, 214, 156, 121, 184, 8, 194, 223, 50, 104, 44, 253, 168, + 138, 164, 90, 150, 41, 153, 34, 77, 96, 203, 228, 28, 123, 231, 59, + 142, 158, 116, 244, 55, 216, 206, 249, 131, 111, 19, 178, 87, 225, + 99, 220, 172, 196, 241, 175, 72, 10, 80, 66, 15, 186, 190, 199, 7, + 222, 213, 120, 38, 101, 211, 209, 95, 227, 40, 33, 137, 89, 103, + 252, 110, 177, 215, 248, 157, 243, 122, 58, 185, 198, 9, 65, 195, + 174, 224, 219, 51, 68, 105, 146, 45, 82, 254, 22, 169, 12, 139, + 128, 165, 74, 91, 181, 151, 201, 42, 162, 154, 192, 35, 134, 78, + 188, 97, 239, 204, 17, 229, 114, 29, 61, 124, 235, 232, 233, 60, + 234, 143, 125, 159, 236, 117, 30, 245, 62, 56, 246, 217, 63, 207, + 118, 250, 31, 132, 160, 112, 237, 20, 144, 179, 126, 88, 251, 226, + 32, 100, 208, 221, 119, 173, 218, 197, 64, 242, 57, 176, 247, 73, + 180, 11, 127, 81, 21, 67, 145, 16, 113, 187, 238, 191, 133, 200, + 161}; + + /** + * This function calculates the sum of two elements as an operation in GF2^8 + * + * @param x the first element that is to be added + * @param y the second element that should be add + * @return the sum of the two elements x and y in GF2^8 + */ + public static short addElem(short x, short y) + { + return (short)(x ^ y); + } + + /** + * This function computes the multiplicative inverse of a given element in + * GF2^8 The 0 has no multiplicative inverse and in this case 0 is returned. + * + * @param x the element which multiplicative inverse is to be computed + * @return the multiplicative inverse of the given element, in case it + * exists or 0, otherwise + */ + public static short invElem(short x) + { + if (x == 0) + { + return 0; + } + return (exps[255 - logs[x]]); + } + + /** + * This function multiplies two elements in GF2^8. If one of the two + * elements is 0, 0 is returned. + * + * @param x the first element to be multiplied. + * @param y the second element to be multiplied. + * @return the product of the two input elements in GF2^8. + */ + public static short multElem(short x, short y) + { + if (x == 0 || y == 0) + { + return 0; + } + else + { + return (exps[(logs[x] + logs[y]) % 255]); + } + } + + /** + * This function returns the values of exps-lookup table which correspond to + * the input + * + * @param x the index in the lookup table exps + * @return exps-value, corresponding to the input + */ + public static short getExp(short x) + { + return exps[x]; + } + + /** + * This function returns the values of logs-lookup table which correspond to + * the input + * + * @param x the index in the lookup table logs + * @return logs-value, corresponding to the input + */ + public static short getLog(short x) + { + return logs[x]; + } + + +} diff --git a/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/util/RainbowUtil.java b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/util/RainbowUtil.java new file mode 100644 index 00000000..1e4f40f4 --- /dev/null +++ b/core/src/main/java/org/spongycastle/pqc/crypto/rainbow/util/RainbowUtil.java @@ -0,0 +1,230 @@ +package org.spongycastle.pqc.crypto.rainbow.util; + +/** + * This class is needed for the conversions while encoding and decoding, as well as for + * comparison between arrays of some dimensions + */ +public class RainbowUtil +{ + + /** + * This function converts an one-dimensional array of bytes into a + * one-dimensional array of int + * + * @param in the array to be converted + * @return out + * the one-dimensional int-array that corresponds the input + */ + public static int[] convertArraytoInt(byte[] in) + { + int[] out = new int[in.length]; + for (int i = 0; i < in.length; i++) + { + out[i] = in[i] & GF2Field.MASK; + } + return out; + } + + /** + * This function converts an one-dimensional array of bytes into a + * one-dimensional array of type short + * + * @param in the array to be converted + * @return out + * one-dimensional short-array that corresponds the input + */ + public static short[] convertArray(byte[] in) + { + short[] out = new short[in.length]; + for (int i = 0; i < in.length; i++) + { + out[i] = (short)(in[i] & GF2Field.MASK); + } + return out; + } + + /** + * This function converts a matrix of bytes into a matrix of type short + * + * @param in the matrix to be converted + * @return out + * short-matrix that corresponds the input + */ + public static short[][] convertArray(byte[][] in) + { + short[][] out = new short[in.length][in[0].length]; + for (int i = 0; i < in.length; i++) + { + for (int j = 0; j < in[0].length; j++) + { + out[i][j] = (short)(in[i][j] & GF2Field.MASK); + } + } + return out; + } + + /** + * This function converts a 3-dimensional array of bytes into a 3-dimensional array of type short + * + * @param in the array to be converted + * @return out + * short-array that corresponds the input + */ + public static short[][][] convertArray(byte[][][] in) + { + short[][][] out = new short[in.length][in[0].length][in[0][0].length]; + for (int i = 0; i < in.length; i++) + { + for (int j = 0; j < in[0].length; j++) + { + for (int k = 0; k < in[0][0].length; k++) + { + out[i][j][k] = (short)(in[i][j][k] & GF2Field.MASK); + } + } + } + return out; + } + + /** + * This function converts an array of type int into an array of type byte + * + * @param in the array to be converted + * @return out + * the byte-array that corresponds the input + */ + public static byte[] convertIntArray(int[] in) + { + byte[] out = new byte[in.length]; + for (int i = 0; i < in.length; i++) + { + out[i] = (byte)in[i]; + } + return out; + } + + + /** + * This function converts an array of type short into an array of type byte + * + * @param in the array to be converted + * @return out + * the byte-array that corresponds the input + */ + public static byte[] convertArray(short[] in) + { + byte[] out = new byte[in.length]; + for (int i = 0; i < in.length; i++) + { + out[i] = (byte)in[i]; + } + return out; + } + + /** + * This function converts a matrix of type short into a matrix of type byte + * + * @param in the matrix to be converted + * @return out + * the byte-matrix that corresponds the input + */ + public static byte[][] convertArray(short[][] in) + { + byte[][] out = new byte[in.length][in[0].length]; + for (int i = 0; i < in.length; i++) + { + for (int j = 0; j < in[0].length; j++) + { + out[i][j] = (byte)in[i][j]; + } + } + return out; + } + + /** + * This function converts a 3-dimensional array of type short into a 3-dimensional array of type byte + * + * @param in the array to be converted + * @return out + * the byte-array that corresponds the input + */ + public static byte[][][] convertArray(short[][][] in) + { + byte[][][] out = new byte[in.length][in[0].length][in[0][0].length]; + for (int i = 0; i < in.length; i++) + { + for (int j = 0; j < in[0].length; j++) + { + for (int k = 0; k < in[0][0].length; k++) + { + out[i][j][k] = (byte)in[i][j][k]; + } + } + } + return out; + } + + /** + * Compare two short arrays. No null checks are performed. + * + * @param left the first short array + * @param right the second short array + * @return the result of the comparison + */ + public static boolean equals(short[] left, short[] right) + { + if (left.length != right.length) + { + return false; + } + boolean result = true; + for (int i = left.length - 1; i >= 0; i--) + { + result &= left[i] == right[i]; + } + return result; + } + + /** + * Compare two two-dimensional short arrays. No null checks are performed. + * + * @param left the first short array + * @param right the second short array + * @return the result of the comparison + */ + public static boolean equals(short[][] left, short[][] right) + { + if (left.length != right.length) + { + return false; + } + boolean result = true; + for (int i = left.length - 1; i >= 0; i--) + { + result &= equals(left[i], right[i]); + } + return result; + } + + /** + * Compare two three-dimensional short arrays. No null checks are performed. + * + * @param left the first short array + * @param right the second short array + * @return the result of the comparison + */ + public static boolean equals(short[][][] left, short[][][] right) + { + if (left.length != right.length) + { + return false; + } + boolean result = true; + for (int i = left.length - 1; i >= 0; i--) + { + result &= equals(left[i], right[i]); + } + return result; + } + +} |