fixed slh-dsa: message_to_indexes replaced with base2b in for.sign()

added internal functions
added context to SLHDSAKeyParameters

Author: royb

core/src/main/java/org/bouncycastle/pqc/crypto/slhdsa/Fors.java

@@ -1,5 +1,6 @@
 package org.bouncycastle.pqc.crypto.slhdsa;
 
+import java.math.BigInteger;
 import java.util.LinkedList;
 
 import org.bouncycastle.util.Arrays;
@@ -63,7 +64,8 @@ public SIG_FORS[] sign(byte[] md, byte[] skSeed, byte[] pkSeed, ADRS paramAdrs)
     {
         ADRS adrs = new ADRS(paramAdrs);
 
-        int[] idxs = message_to_idxs(md, engine.K, engine.A);
+//        int[] idxs = message_to_idxs(md, engine.K, engine.A);
+        int[] idxs = base2B(md, engine.A, engine.K);
         SIG_FORS[] sig_fors = new SIG_FORS[engine.K];
 // compute signature elements
         int t = engine.T;
@@ -99,7 +101,8 @@ public byte[] pkFromSig(SIG_FORS[] sig_fors, byte[] message, byte[] pkSeed, ADRS
         byte[][] root = new byte[engine.K][];
         int t = engine.T;
 
-        int[] idxs = message_to_idxs(message, engine.K, engine.A);
+//        int[] idxs = message_to_idxs(message, engine.K, engine.A);
+        int[] idxs = base2B(message, engine.A, engine.K);
         // compute roots
         for (int i = 0; i < engine.K; i++)
         {
@@ -137,24 +140,25 @@ public byte[] pkFromSig(SIG_FORS[] sig_fors, byte[] message, byte[] pkSeed, ADRS
         return engine.T_l(pkSeed, forspkADRS, Arrays.concatenate(root));
     }
 
-    /**
-     * Interprets m as SPX_FORS_HEIGHT-bit unsigned integers.
-     * Assumes m contains at least SPX_FORS_HEIGHT * SPX_FORS_TREES bits.
-     * Assumes indices has space for SPX_FORS_TREES integers.
-     */
-    static int[] message_to_idxs(byte[] msg, int fors_trees, int fors_height)
+    static int[] base2B(byte[] msg, int b, int outLen)
     {
-        int offset = 0;
-        int[] idxs = new int[fors_trees];
-        for (int i = 0; i < fors_trees; i++)
+        int[] baseB = new int[outLen];
+        int i = 0;
+        int bits = 0;
+        BigInteger total = BigInteger.ZERO;
+
+        for (int o = 0; o < outLen; o++)
         {
-            idxs[i] = 0;
-            for (int j = 0; j < fors_height; j++)
+            while (bits < b)
             {
-                idxs[i] ^= ((msg[offset >> 3] >> (offset & 0x7)) & 0x1) << j;
-                offset++;
+                total = total.shiftLeft(8).add(BigInteger.valueOf(msg[i] & 0xff));
+                i+= 1;
+                bits += 8;
             }
+            bits -= b;
+            baseB[o] = (total.shiftRight(bits).mod(BigInteger.valueOf(2).pow(b))).intValue();
         }
-        return idxs;
+
+        return baseB;
     }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/slhdsa/SLHDSAKeyPairGenerator.java

@@ -18,22 +18,32 @@ public void init(KeyGenerationParameters param)
         parameters = ((SLHDSAKeyGenerationParameters)param).getParameters();
     }
 
-    public AsymmetricCipherKeyPair generateKeyPair()
+    public AsymmetricCipherKeyPair internalGenerateKeyPair(byte[] skSeed, byte[] skPrf, byte[] pkSeed)
     {
         SLHDSAEngine engine = parameters.getEngine();
-        byte[] pkSeed;
-        SK sk;
-
-        sk = new SK(sec_rand(engine.N), sec_rand(engine.N));
-        pkSeed = sec_rand(engine.N);
+        SK sk = new SK(skSeed, skPrf);
 
         engine.init(pkSeed);
 
         // TODO
         PK pk = new PK(pkSeed, new HT(engine, sk.seed, pkSeed).htPubKey);
 
         return new AsymmetricCipherKeyPair(new SLHDSAPublicKeyParameters(parameters, pk),
-            new SLHDSAPrivateKeyParameters(parameters, sk, pk));
+                new SLHDSAPrivateKeyParameters(parameters, sk, pk));
+    }
+
+    public AsymmetricCipherKeyPair generateKeyPair()
+    {
+        SLHDSAEngine engine = parameters.getEngine();
+        byte[] pkSeed;
+        byte[] skSeed;
+        byte[] skPrf;
+
+
+        skSeed = sec_rand(engine.N);
+        skPrf = sec_rand(engine.N);
+        pkSeed = sec_rand(engine.N);
+        return internalGenerateKeyPair(skSeed, skPrf, pkSeed);
     }
 
     private byte[] sec_rand(int n)

core/src/main/java/org/bouncycastle/pqc/crypto/slhdsa/SLHDSAKeyParameters.java

@@ -6,15 +6,27 @@ public class SLHDSAKeyParameters
     extends AsymmetricKeyParameter
 {
     final SLHDSAParameters parameters;
+    final byte[] context;
 
+    protected SLHDSAKeyParameters(boolean isPrivate, SLHDSAParameters parameters, byte[] context)
+    {
+        super(isPrivate);
+        this.parameters = parameters;
+        this.context = context;
+    }
     protected SLHDSAKeyParameters(boolean isPrivate, SLHDSAParameters parameters)
     {
         super(isPrivate);
         this.parameters = parameters;
+        this.context = new byte[0];
     }
 
     public SLHDSAParameters getParameters()
     {
         return parameters;
     }
+    public byte[] getContext()
+    {
+        return context.clone();
+    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/slhdsa/SLHDSASigner.java

@@ -52,68 +52,52 @@ public void init(boolean forSigning, CipherParameters param)
         }
     }
 
+    //TODO: make Hash_slh_sign
+
     public byte[] generateSignature(byte[] message)
     {
-//        # Input: Message M, private key SK = (SK.seed, SK.prf, PK.seed, PK.root)
-//        # Output: SLH-DSA signature SIG
-        // init
-
         SLHDSAEngine engine = privKey.getParameters().getEngine();
 
         engine.init(privKey.pk.seed);
+        byte[] ctx = privKey.getContext();
 
-        // generate randomizer
-        byte[] optRand = new byte[engine.N];
-        if (random != null)
+        if (ctx.length > 255)
         {
-            random.nextBytes(optRand);
+            throw new RuntimeException("Context too long");
         }
-        else
-        {
-            System.arraycopy(privKey.pk.seed, 0, optRand, 0, optRand.length);
-        }
-
-        Fors fors = new Fors(engine);
-        byte[] R = engine.PRF_msg(privKey.sk.prf, optRand, message);
 
-        // compute message digest and index
-        IndexedDigest idxDigest = engine.H_msg(R, privKey.pk.seed, privKey.pk.root, message);
-        byte[] mHash = idxDigest.digest;
-        long idx_tree = idxDigest.idx_tree;
-        int idx_leaf = idxDigest.idx_leaf;
-        // FORS sign
-        ADRS adrs = new ADRS();
-        adrs.setType(ADRS.FORS_TREE);
-        adrs.setTreeAddress(idx_tree);
-        adrs.setKeyPairAddress(idx_leaf);
-        SIG_FORS[] sig_fors = fors.sign(mHash, privKey.sk.seed, privKey.pk.seed, adrs);
-        // get FORS public key - spec shows M?
-        adrs = new ADRS();
-        adrs.setType(ADRS.FORS_TREE);
-        adrs.setTreeAddress(idx_tree);
-        adrs.setKeyPairAddress(idx_leaf);
-        byte[] PK_FORS = fors.pkFromSig(sig_fors, mHash, privKey.pk.seed, adrs);
+        byte[] ds_message = new byte[1 + 1 + ctx.length + message.length];
+        ds_message[0] = 0;
+        ds_message[1] = (byte)ctx.length;
+        System.arraycopy(ctx, 0, ds_message, 2, ctx.length);
+        System.arraycopy(message, 0, ds_message, 2 + ctx.length, message.length);
 
-        // sign FORS public key with HT
-        ADRS treeAdrs = new ADRS();
-        treeAdrs.setType(ADRS.TREE);
+        // generate randomizer
+        byte[] optRand = new byte[engine.N];
+        return internalGenerateSignature(ds_message, optRand);
+    }
 
-        HT ht = new HT(engine, privKey.getSeed(), privKey.getPublicSeed());
-        byte[] SIG_HT = ht.sign(PK_FORS, idx_tree, idx_leaf);
+    //TODO: make Hash_slh_verify
 
-        byte[][] sigComponents = new byte[sig_fors.length + 2][];
-        sigComponents[0] = R;
+    // Equivalent to slh_verify_internal from specs
+    public boolean verifySignature(byte[] message, byte[] signature)
+    {
+        byte[] ctx = pubKey.getContext();
 
-        for (int i = 0; i != sig_fors.length; i++)
+        if (ctx.length > 255)
         {
-            sigComponents[1 + i] = Arrays.concatenate(sig_fors[i].sk, Arrays.concatenate(sig_fors[i].authPath));
+            throw new RuntimeException("Context too long");
         }
-        sigComponents[sigComponents.length - 1] = SIG_HT;
 
-        return Arrays.concatenate(sigComponents);
-    }
+        byte[] ds_message = new byte[1 + 1 + ctx.length + message.length];
+        ds_message[0] = 0;
+        ds_message[1] = (byte)ctx.length;
+        System.arraycopy(ctx, 0, ds_message, 2, ctx.length);
+        System.arraycopy(message, 0, ds_message, 2 + ctx.length, message.length);
 
-    public boolean verifySignature(byte[] message, byte[] signature)
+        return internalVerifySignature(ds_message, signature);
+    }
+    public boolean internalVerifySignature(byte[] message, byte[] signature)
     {
         //# Input: Message M, signature SIG, public key PK
         //# Output: Boolean
@@ -124,6 +108,12 @@ public boolean verifySignature(byte[] message, byte[] signature)
         engine.init(pubKey.getSeed());
 
         ADRS adrs = new ADRS();
+
+        if (((1 + engine.K * (1 + engine.A) + engine.H + engine.D *engine.WOTS_LEN)* engine.N) != signature.length)
+        {
+            return false;
+        }
+
         SIG sig = new SIG(engine.N, engine.K, engine.A, engine.D, engine.H_PRIME, engine.WOTS_LEN, signature);
 
         byte[] R = sig.getR();
@@ -150,5 +140,55 @@ public boolean verifySignature(byte[] message, byte[] signature)
         HT ht = new HT(engine, null, pubKey.getSeed());
         return ht.verify(PK_FORS, SIG_HT, pubKey.getSeed(), idx_tree, idx_leaf, pubKey.getRoot());
     }
+
+    public byte[] internalGenerateSignature(byte[] message, byte[] optRand)
+    {
+        SLHDSAEngine engine = privKey.getParameters().getEngine();
+        engine.init(privKey.pk.seed);
+
+        if (optRand == null)
+        {
+            optRand = new byte[engine.N];
+            System.arraycopy(privKey.pk.seed, 0, optRand, 0, optRand.length);
+        }
+
+        Fors fors = new Fors(engine);
+        byte[] R = engine.PRF_msg(privKey.sk.prf, optRand, message);
+
+        IndexedDigest idxDigest = engine.H_msg(R, privKey.pk.seed, privKey.pk.root, message);
+        byte[] mHash = idxDigest.digest;
+        long idx_tree = idxDigest.idx_tree;
+        int idx_leaf = idxDigest.idx_leaf;
+        // FORS sign
+        ADRS adrs = new ADRS();
+        adrs.setType(ADRS.FORS_TREE);
+        adrs.setTreeAddress(idx_tree);
+        adrs.setKeyPairAddress(idx_leaf);
+        SIG_FORS[] sig_fors = fors.sign(mHash, privKey.sk.seed, privKey.pk.seed, adrs);
+        // get FORS public key - spec shows M?
+        adrs = new ADRS();
+        adrs.setType(ADRS.FORS_TREE);
+        adrs.setTreeAddress(idx_tree);
+        adrs.setKeyPairAddress(idx_leaf);
+        byte[] PK_FORS = fors.pkFromSig(sig_fors, mHash, privKey.pk.seed, adrs);
+
+        // sign FORS public key with HT
+        ADRS treeAdrs = new ADRS();
+        treeAdrs.setType(ADRS.TREE);
+
+        HT ht = new HT(engine, privKey.getSeed(), privKey.getPublicSeed());
+        byte[] SIG_HT = ht.sign(PK_FORS, idx_tree, idx_leaf);
+
+        byte[][] sigComponents = new byte[sig_fors.length + 2][];
+        sigComponents[0] = R;
+
+        for (int i = 0; i != sig_fors.length; i++)
+        {
+            sigComponents[1 + i] = Arrays.concatenate(sig_fors[i].sk, Arrays.concatenate(sig_fors[i].authPath));
+        }
+        sigComponents[sigComponents.length - 1] = SIG_HT;
+
+        return Arrays.concatenate(sigComponents);
+    }
 }