keygen from seed

Author: eschorn1

README.md

@@ -54,14 +54,15 @@ The Rust [Documentation][docs-link] lives under each **Module** corresponding to
 
 ## Notes
 
-* This crate is fully functional and corresponds to FIPS 204 (August 13, 2024).    
+* This crate is fully functional and corresponds to FIPS 204 (August 13, 2024).
+* **BEWARE:** As of September 27, 2024 NIST has not release external/hash test vectors!
 * Constant-time assurances target the source-code level only on MSRV, with confirmation via
   manual review/inspection, the embedded target, and the `dudect` dynamic tests.
 * Note that FIPS 204 places specific requirements on randomness per section 3.5.1, hence the exposed `RNG`.
 * Requires Rust **1.70** or higher. The minimum supported Rust version may be changed in the future, but 
   it will be done with a minor version bump (when the major version is larger than 0)..
 * All on-by-default features of this library are covered by `SemVer`.
-* The FIPS 204 standard and this software is considered experimental -- USE AT YOUR OWN RISK!
+* The FIPS 204 standard and this software should be considered experimental -- USE AT YOUR OWN RISK!
 
 ## License
 

src/hashing.rs

@@ -3,18 +3,10 @@
 use crate::conversion::{bit_unpack, coeff_from_half_byte, coeff_from_three_bytes};
 use crate::helpers::{bit_length, is_in_range};
 use crate::types::{Ph, R, R0, T, T0};
+use sha2::{Digest, Sha256, Sha512};
 use sha3::digest::{ExtendableOutput, Update, XofReader};
 use sha3::{Shake128, Shake256};
 
-// use sha3::Shake256Core;
-// use sha3::digest::core_api::CoreWrapper;
-//
-// pub(crate) fn hhh_xof(v: &[&[u8]]) -> CoreWrapper<Shake256Core> {
-//     let mut hasher = Shake256::default();
-//     v.iter().for_each(|b| hasher.update(b));
-//     hasher
-// }
-
 
 /// # Function H(v,d) of (8.1) on page 29.
 /// Takes a reference to a list of byte-slice references and runs them through Shake256.
@@ -343,48 +335,39 @@ pub(crate) fn expand_mask<const L: usize>(gamma1: i32, rho: &[u8; 64], mu: u16)
 
 pub(crate) fn hash_message(message: &[u8], ph: &Ph, phm: &mut [u8; 64]) -> ([u8; 11], usize) {
     match ph {
-        Ph::SHA256 => {
-            use sha2::{Digest, Sha256};
-            (
-                [
-                    0x06u8, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
-                ],
-                {
-                    let mut hasher = Sha256::new();
-                    Digest::update(&mut hasher, message); //hasher.update(message);
-                    phm[0..32].copy_from_slice(&hasher.finalize());
-                    32
-                },
-            )
-        }
-        Ph::SHA512 => {
-            use sha2::{Digest, Sha512};
-            (
-                [
-                    0x06u8, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
-                ],
-                {
-                    let mut hasher = Sha512::new();
-                    Digest::update(&mut hasher, message); //hasher.update(message);
-                    phm.copy_from_slice(&hasher.finalize());
-                    64
-                },
-            )
-        }
-        Ph::SHAKE128 => {
-            (
-                [
-                    0x06u8, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0B,
-                ],
-                {
-                    //use sha3::digest::{ExtendableOutput, Update, XofReader}; // some collide with sha2
-                    let mut hasher = Shake128::default();
-                    hasher.update(message);
-                    let mut reader = hasher.finalize_xof();
-                    reader.read(phm);
-                    64
-                },
-            )
-        }
+        Ph::SHA256 => (
+            [
+                0x06u8, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
+            ],
+            {
+                let mut hasher = Sha256::new();
+                Digest::update(&mut hasher, message);
+                phm[0..32].copy_from_slice(&hasher.finalize());
+                32
+            },
+        ),
+        Ph::SHA512 => (
+            [
+                0x06u8, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
+            ],
+            {
+                let mut hasher = Sha512::new();
+                Digest::update(&mut hasher, message);
+                phm.copy_from_slice(&hasher.finalize());
+                64
+            },
+        ),
+        Ph::SHAKE128 => (
+            [
+                0x06u8, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0B,
+            ],
+            {
+                let mut hasher = Shake128::default();
+                hasher.update(message);
+                let mut reader = hasher.finalize_xof();
+                reader.read(phm);
+                64
+            },
+        ),
     }
 }

src/lib.rs

@@ -223,6 +223,14 @@ macro_rules! functionality {
                 Ok((PublicKey { 0: pk }, PrivateKey { 0: sk }))
             }
 
+
+            fn keygen_from_seed(xi: &[u8; 32]) -> (Self::PublicKey, Self::PrivateKey) {
+                // let (pk, sk) = ml_dsa::key_gen::<CTEST, K, L, PK_LEN, SK_LEN>(rng, ETA)?;
+                // Ok((PublicKey { 0: pk }, PrivateKey { 0: sk }))
+                let (pk, sk) = ml_dsa::key_gen_internal::<CTEST, K, L, PK_LEN, SK_LEN>(ETA, xi);
+                (PublicKey { 0: pk }, PrivateKey { 0: sk })
+            }
+
             // A portion of algorithm 1 in KeyGen trait -- expanded private key for faster signing
             fn gen_expanded_private(sk: &PrivateKey) -> Result<Self::ExpandedPrivateKey, &'static str> {
                 let esk = ml_dsa::sign_start::<CTEST, K, L, SK_LEN>(ETA, &sk.0)?;
@@ -247,18 +255,7 @@ macro_rules! functionality {
                 ensure!(ctx.len() < 256, "ML-DSA.Sign: ctx too long");
                 let esk = ml_dsa::sign_start::<CTEST, K, L, SK_LEN>(ETA, &self.0)?;
                 let sig = ml_dsa::sign_finish::<CTEST, K, L, LAMBDA_DIV4, SIG_LEN, SK_LEN, W1_LEN>(
-                    rng,
-                    BETA,
-                    GAMMA1,
-                    GAMMA2,
-                    OMEGA,
-                    TAU,
-                    &esk,
-                    message,
-                    ctx,
-                    &[],
-                    &[],
-                    false,
+                    rng, BETA, GAMMA1, GAMMA2, OMEGA, TAU, &esk, message, ctx, &[], &[], false
                 )?;
                 Ok(sig)
             }
@@ -272,7 +269,7 @@ macro_rules! functionality {
                 let mut phm = [0u8; 64];  // hashers don't all play well with each other
                 let (oid, phm_len) = hash_message(message, ph, &mut phm);
                 let sig = ml_dsa::sign_finish::<CTEST, K, L, LAMBDA_DIV4, SIG_LEN, SK_LEN, W1_LEN>(
-                    rng, BETA, GAMMA1, GAMMA2, OMEGA, TAU, &esk, message, ctx, &oid, &phm[0..phm_len], false,
+                    rng, BETA, GAMMA1, GAMMA2, OMEGA, TAU, &esk, message, ctx, &oid, &phm[0..phm_len], false
                 )?;
                 Ok(sig)
             }
@@ -290,18 +287,7 @@ macro_rules! functionality {
             ) -> Result<Self::Signature, &'static str> {
                 ensure!(ctx.len() < 256, "ML-DSA.Sign: ctx too long");
                 let sig = ml_dsa::sign_finish::<CTEST, K, L, LAMBDA_DIV4, SIG_LEN, SK_LEN, W1_LEN>(
-                    rng,
-                    BETA,
-                    GAMMA1,
-                    GAMMA2,
-                    OMEGA,
-                    TAU,
-                    &self,
-                    message,
-                    ctx,
-                    &[],
-                    &[],
-                    false,
+                    rng, BETA, GAMMA1, GAMMA2, OMEGA, TAU, &self, message, ctx, &[], &[], false
                 )?;
                 Ok(sig)
             }
@@ -316,7 +302,7 @@ macro_rules! functionality {
                 let mut phm = [0u8; 64];  // hashers don't all play well with each other
                 let (oid, phm_len) = hash_message(message, ph, &mut phm);
                 let sig = ml_dsa::sign_finish::<CTEST, K, L, LAMBDA_DIV4, SIG_LEN, SK_LEN, W1_LEN>(
-                    rng, BETA, GAMMA1, GAMMA2, OMEGA, TAU, &self, message, ctx, &oid, &phm[0..phm_len], false,
+                    rng, BETA, GAMMA1, GAMMA2, OMEGA, TAU, &self, message, ctx, &oid, &phm[0..phm_len], false
                 )?;
                 Ok(sig)
             }
@@ -331,59 +317,33 @@ macro_rules! functionality {
                 if ctx.len() > 255 {
                     return false;
                 };
-                let epk = ml_dsa::verify_start(&self.0);
-                if epk.is_err() {
+                let Ok(epk) = ml_dsa::verify_start(&self.0) else {
                     return false;
                 };
-                let res = ml_dsa::verify_finish::<K, L, LAMBDA_DIV4, PK_LEN, SIG_LEN, W1_LEN>(
-                    BETA,
-                    GAMMA1,
-                    GAMMA2,
-                    OMEGA,
-                    TAU,
-                    &epk.unwrap(),
-                    &message,
-                    &sig,
-                    ctx,
-                    &[],
-                    &[],
-                    false,
-                );
-                if res.is_err() {
+                let Ok(res) = ml_dsa::verify_finish::<K, L, LAMBDA_DIV4, PK_LEN, SIG_LEN, W1_LEN>(
+                    BETA, GAMMA1, GAMMA2, OMEGA, TAU, &epk, &message, &sig, ctx, &[], &[], false
+                ) else {
                     return false;
                 };
-                res.unwrap()
+                res
             }
 
             // Algorithm 5 in Verifier trait.
             fn hash_verify(&self, message: &[u8], sig: &Self::Signature, ctx: &[u8], ph: &Ph) -> bool {
                 if ctx.len() > 255 {
                     return false;
                 };
-                let epk = ml_dsa::verify_start(&self.0);
-                if epk.is_err() {
+                let Ok(epk) = ml_dsa::verify_start(&self.0) else {
                     return false;
                 };
                 let mut phm = [0u8; 64];  // hashers don't all play well with each other
                 let (oid, phm_len) = hash_message(message, ph, &mut phm);
-                let res = ml_dsa::verify_finish::<K, L, LAMBDA_DIV4, PK_LEN, SIG_LEN, W1_LEN>(
-                    BETA,
-                    GAMMA1,
-                    GAMMA2,
-                    OMEGA,
-                    TAU,
-                    &epk.unwrap(),
-                    &message,
-                    &sig,
-                    ctx,
-                    &oid,
-                    &phm[0..phm_len],
-                    false,
-                );
-                if res.is_err() {
+                let Ok(res) = ml_dsa::verify_finish::<K, L, LAMBDA_DIV4, PK_LEN, SIG_LEN, W1_LEN>(
+                    BETA, GAMMA1, GAMMA2, OMEGA, TAU, &epk, &message,  &sig, ctx, &oid, &phm[0..phm_len], false
+                ) else {
                     return false;
                 };
-                res.unwrap()
+                res
             }
         }
 

src/ml_dsa.rs

@@ -39,7 +39,7 @@ pub(crate) fn key_gen<
     let mut xi = [0u8; 32];
     rng.try_fill_bytes(&mut xi).map_err(|_| "Random number generator failed")?;
 
-    Ok(key_gen_internal::<CTEST, K, L, PK_LEN, SK_LEN>(eta, xi))
+    Ok(key_gen_internal::<CTEST, K, L, PK_LEN, SK_LEN>(eta, &xi))
 }
 
 
@@ -444,7 +444,7 @@ pub(crate) fn key_gen_internal<
     const PK_LEN: usize,
     const SK_LEN: usize,
 >(
-    eta: i32, xi: [u8; 32],
+    eta: i32, xi: &[u8; 32],
 ) -> ([u8; PK_LEN], [u8; SK_LEN]) {
     //
     // 1: ξ ← {0,1}^{256}    ▷ Choose random seed
@@ -453,7 +453,7 @@ pub(crate) fn key_gen_internal<
 
     // WRONG: 2: (ρ, ρ′, K) ∈ {0,1}^{256} × {0,1}^{512} × {0,1}^{256} ← H(ξ, 1024)    ▷ Expand seed
     // 1: (𝜌, 𝜌′, 𝐾) ∈ 𝔹32 × 𝔹64 × 𝔹32 ← H(𝜉||IntegerToBytes(𝑘, 1)||IntegerToBytes(ℓ, 1), 128)
-    let mut h2 = h_xof(&[&xi, &[K.to_le_bytes()[0]], &[L.to_le_bytes()[0]]]);
+    let mut h2 = h_xof(&[xi, &[K.to_le_bytes()[0]], &[L.to_le_bytes()[0]]]);
     let mut rho = [0u8; 32];
     h2.read(&mut rho);
     let mut rho_prime = [0u8; 64];

src/traits.rs

@@ -76,6 +76,40 @@ pub trait KeyGen {
         rng: &mut impl CryptoRngCore,
     ) -> Result<(Self::PublicKey, Self::PrivateKey), &'static str>;
 
+    /// Generates an public and private key key pair specific to this security parameter set
+    /// based on a provided seed. <br>
+    /// This function operates in constant-time relative to secret data (which specifically excludes
+    /// the the `rho` value stored in the public key and the hash-derived `rho_prime` values that are
+    /// rejection-sampled/expanded into the internal `s_1` and `s_2` values).
+    /// # Examples
+    /// ```rust
+    /// # use std::error::Error;
+    /// # fn main() -> Result<(), Box<dyn Error>> {
+    /// # #[cfg(feature = "ml-dsa-44")] {
+    /// use crate::fips204::RngCore;
+    /// use fips204::ml_dsa_44; // Could also be ml_dsa_65 or ml_dsa_87.
+    /// use fips204::traits::{KeyGen, Signer, Verifier};
+    /// use rand_core::OsRng;
+    ///
+    /// // The signor gets the xi seed from the OS random number generator
+    /// let mut xi = [0u8; 32];
+    /// OsRng.fill_bytes(&mut xi);
+    /// ///
+    /// let message = [0u8, 1, 2, 3, 4, 5, 6, 7];
+    ///
+    /// // Generate key pair and signature
+    /// let (pk, sk) = ml_dsa_44::KG::keygen_from_seed(&xi); // Generate both public and secret keys
+    /// let sig = sk.try_sign(&message, &[0])?; // Use the secret key to generate a message signature
+    ///
+    /// let res = pk.verify(&message, &sig, &[0]);
+    /// assert!(res); // Signature accepted
+    /// # }
+    /// # Ok(())}
+    /// ```
+    #[must_use]
+    fn keygen_from_seed(_xi: &[u8; 32]) -> (Self::PublicKey, Self::PrivateKey);
+
+
     /// Generates an expanded private key from the normal/compressed private key.
     /// This supports improved signing performance. This function operates in constant-time
     /// relative to secret data (which specifically excludes the provided random `rho`