Refactoring in NTRU

Author: peterdettman

crypto/src/pqc/crypto/ntru/NtruKemExtractor.cs

@@ -1,71 +1,56 @@
 using System;
-using System.Diagnostics;
 
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Digests;
 using Org.BouncyCastle.Pqc.Crypto.Ntru.Owcpa;
-using Org.BouncyCastle.Pqc.Crypto.Ntru.ParameterSets;
+using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Pqc.Crypto.Ntru
 {
     /// <summary>
     /// NTRU secret encapsulation extractor.
     /// </summary>
-    public class NtruKemExtractor : IEncapsulatedSecretExtractor
+    public class NtruKemExtractor
+        : IEncapsulatedSecretExtractor
     {
-        private readonly NtruParameters _parameters;
-        private readonly NtruPrivateKeyParameters _ntruPrivateKey;
+        private readonly NtruPrivateKeyParameters m_privateKey;
 
         public NtruKemExtractor(NtruPrivateKeyParameters ntruPrivateKey)
         {
-            _parameters = ntruPrivateKey.Parameters;
-            _ntruPrivateKey = ntruPrivateKey;
+            m_privateKey = ntruPrivateKey ?? throw new ArgumentNullException(nameof(ntruPrivateKey));
         }
 
-
         public byte[] ExtractSecret(byte[] encapsulation)
         {
-            Debug.Assert(_ntruPrivateKey != null);
+            var parameterSet = m_privateKey.Parameters.ParameterSet;
 
-            NtruParameterSet parameterSet = _parameters.ParameterSet;
+            if (encapsulation == null)
+                throw new ArgumentNullException(nameof(encapsulation));
+            if (encapsulation.Length != parameterSet.NtruCiphertextBytes())
+                throw new ArgumentException(nameof(encapsulation));
 
-            byte[] sk = _ntruPrivateKey.PrivateKey;
-            int i, fail;
-            byte[] rm;
-            byte[] buf = new byte[parameterSet.PrfKeyBytes + parameterSet.NtruCiphertextBytes()];
+            // TODO[pqc] Avoid copy?
+            byte[] sk = m_privateKey.GetEncoded();
 
             NtruOwcpa owcpa = new NtruOwcpa(parameterSet);
-            OwcpaDecryptResult owcpaResult = owcpa.Decrypt(encapsulation, _ntruPrivateKey.PrivateKey);
-            rm = owcpaResult.Rm;
-            fail = owcpaResult.Fail;
+            OwcpaDecryptResult owcpaResult = owcpa.Decrypt(encapsulation, sk);
+            byte[] rm = owcpaResult.Rm;
+            int fail = owcpaResult.Fail;
 
             Sha3Digest sha3256 = new Sha3Digest(256);
-
             byte[] k = new byte[sha3256.GetDigestSize()];
 
             sha3256.BlockUpdate(rm, 0, rm.Length);
             sha3256.DoFinal(k, 0);
 
             /* shake(secret PRF key || input ciphertext) */
-            for (i = 0; i < parameterSet.PrfKeyBytes; i++)
-            {
-                buf[i] = sk[i + parameterSet.OwcpaSecretKeyBytes()];
-            }
-
-            for (i = 0; i < parameterSet.NtruCiphertextBytes(); i++)
-            {
-                buf[parameterSet.PrfKeyBytes + i] = encapsulation[i];
-            }
-
-            sha3256.Reset();
-            sha3256.BlockUpdate(buf, 0, buf.Length);
+            sha3256.BlockUpdate(sk, parameterSet.OwcpaSecretKeyBytes(), parameterSet.PrfKeyBytes);
+            sha3256.BlockUpdate(encapsulation, 0, encapsulation.Length);
             sha3256.DoFinal(rm, 0);
 
             Cmov(k, rm, (byte)fail);
 
-            byte[] sharedKey = new byte[parameterSet.SharedKeyBytes];
-            Array.Copy(k, 0, sharedKey, 0, parameterSet.SharedKeyBytes);
-
+            var sharedKey = Arrays.CopyOfRange(k, 0, parameterSet.SharedKeyBytes);
             Array.Clear(k, 0, k.Length);
 
             return sharedKey;
@@ -80,6 +65,6 @@ private static void Cmov(byte[] r, byte[] x, byte b)
             }
         }
 
-        public int EncapsulationLength => _parameters.ParameterSet.NtruCiphertextBytes();
+        public int EncapsulationLength => m_privateKey.Parameters.ParameterSet.NtruCiphertextBytes();
     }
 }

crypto/src/pqc/crypto/ntru/NtruKemGenerator.cs

@@ -5,6 +5,7 @@
 using Org.BouncyCastle.Pqc.Crypto.Ntru.Owcpa;
 using Org.BouncyCastle.Pqc.Crypto.Ntru.Polynomials;
 using Org.BouncyCastle.Security;
+using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Pqc.Crypto.Ntru
 {
@@ -14,24 +15,30 @@ namespace Org.BouncyCastle.Pqc.Crypto.Ntru
     ///
     /// <seealso cref="NtruKemExtractor"/>
     /// <seealso href="https://ntru.org/">NTRU website</seealso>
-    public class NtruKemGenerator : IEncapsulatedSecretGenerator
+    public class NtruKemGenerator
+        : IEncapsulatedSecretGenerator
     {
-        private readonly SecureRandom _random;
+        private readonly SecureRandom m_random;
 
         public NtruKemGenerator(SecureRandom random)
         {
-            _random = random;
+            m_random = random ?? throw new ArgumentNullException(nameof(random));
         }
 
         public ISecretWithEncapsulation GenerateEncapsulated(AsymmetricKeyParameter recipientKey)
         {
-            var parameterSet = ((NtruPublicKeyParameters)recipientKey).Parameters.ParameterSet;
+            if (recipientKey == null)
+                throw new ArgumentNullException(nameof(recipientKey));
+            if (!(recipientKey is NtruPublicKeyParameters publicKey))
+                throw new ArgumentException(nameof(recipientKey));
+
+            var parameterSet = publicKey.Parameters.ParameterSet;
             var sampling = new NtruSampling(parameterSet);
             var owcpa = new NtruOwcpa(parameterSet);
             var rm = new byte[parameterSet.OwcpaMsgBytes()];
             var rmSeed = new byte[parameterSet.SampleRmBytes()];
 
-            _random.NextBytes(rmSeed);
+            m_random.NextBytes(rmSeed);
 
             var pair = sampling.SampleRm(rmSeed);
             Polynomial r = pair.R();
@@ -41,24 +48,20 @@ public ISecretWithEncapsulation GenerateEncapsulated(AsymmetricKeyParameter reci
             m.S3ToBytes(rm, parameterSet.PackTrinaryBytes());
 
             var sha3256 = new Sha3Digest(256);
-            sha3256.BlockUpdate(rm, 0, rm.Length);
-
-
             var k = new byte[sha3256.GetDigestSize()];
 
+            sha3256.BlockUpdate(rm, 0, rm.Length);
             sha3256.DoFinal(k, 0);
 
-
             r.Z3ToZq();
 
-            var c = owcpa.Encrypt(r, m, ((NtruPublicKeyParameters)recipientKey).PublicKey);
-
-            var sharedKey = new byte[parameterSet.SharedKeyBytes];
-            Array.Copy(k, 0, sharedKey, 0, sharedKey.Length);
+            // TODO[pqc] Avoid copy?
+            var c = owcpa.Encrypt(r, m, publicKey.GetEncoded());
 
+            var sharedKey = Arrays.CopyOfRange(k, 0, parameterSet.SharedKeyBytes);
             Array.Clear(k, 0, k.Length);
 
             return new NtruEncapsulation(sharedKey, c);
         }
     }
-}
+}

crypto/src/pqc/crypto/ntru/NtruKeyPairGenerator.cs

@@ -2,44 +2,46 @@
 
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Pqc.Crypto.Ntru.Owcpa;
-using Org.BouncyCastle.Pqc.Crypto.Ntru.ParameterSets;
 using Org.BouncyCastle.Security;
+using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Pqc.Crypto.Ntru
 {
-    public class NtruKeyPairGenerator : IAsymmetricCipherKeyPairGenerator
+    public class NtruKeyPairGenerator
+        : IAsymmetricCipherKeyPairGenerator
     {
-        private NtruKeyGenerationParameters _keygenParameters;
-        private SecureRandom _random;
+        private NtruKeyGenerationParameters m_keyGenParameters;
+        private SecureRandom m_random;
 
         public void Init(KeyGenerationParameters parameters)
         {
-            _keygenParameters = (NtruKeyGenerationParameters)parameters;
-            _random = parameters.Random;
+            if (parameters == null)
+                throw new ArgumentNullException(nameof(parameters));
+
+            m_keyGenParameters = (NtruKeyGenerationParameters)parameters;
+            m_random = parameters.Random;
         }
 
         public AsymmetricCipherKeyPair GenerateKeyPair()
         {
-            // Debug.Assert(this._random != null);
-            NtruParameterSet parameterSet = _keygenParameters.NtruParameters.ParameterSet;
+            var parameters = m_keyGenParameters.NtruParameters;
+            var parameterSet = parameters.ParameterSet;
 
-            var seed = new byte[parameterSet.SampleFgBytes()];
-            _random.NextBytes(seed);
+            var seed = SecureRandom.GetNextBytes(m_random, parameterSet.SampleFgBytes());
 
             NtruOwcpa owcpa = new NtruOwcpa(parameterSet);
             OwcpaKeyPair owcpaKeys = owcpa.KeyPair(seed);
 
             byte[] publicKey = owcpaKeys.PublicKey;
-            byte[] privateKey = new byte[parameterSet.NtruSecretKeyBytes()];
-            byte[] owcpaPrivateKey = owcpaKeys.PrivateKey;
-            Array.Copy(owcpaPrivateKey, 0, privateKey, 0, owcpaPrivateKey.Length);
-            //
-            byte[] prfBytes = new byte[parameterSet.PrfKeyBytes];
-            _random.NextBytes(prfBytes);
-            Array.Copy(prfBytes, 0, privateKey, parameterSet.OwcpaSecretKeyBytes(), prfBytes.Length);
-
-            return new AsymmetricCipherKeyPair(new NtruPublicKeyParameters(_keygenParameters.NtruParameters, publicKey),
-                new NtruPrivateKeyParameters(_keygenParameters.NtruParameters, privateKey));
+
+            byte[] privateKey = Arrays.CopyOf(owcpaKeys.PrivateKey, parameterSet.NtruSecretKeyBytes());
+            m_random.NextBytes(privateKey, parameterSet.OwcpaSecretKeyBytes(), parameterSet.PrfKeyBytes);
+
+#pragma warning disable CS0618 // Type or member is obsolete
+            return new AsymmetricCipherKeyPair(
+                new NtruPublicKeyParameters(parameters, publicKey),
+                new NtruPrivateKeyParameters(parameters, privateKey));
+#pragma warning restore CS0618 // Type or member is obsolete
         }
     }
-}
+}

crypto/src/pqc/crypto/ntru/NtruParameters.cs

@@ -42,21 +42,24 @@ public static readonly NtruParameters NtruHps40961229
         /// </summary>
         public static readonly NtruParameters NtruHrss1373 = new NtruParameters("ntruhrss1373", new NtruHrss1373());
 
-        /// <summary>
-        /// Currently selected parameter set
-        /// </summary>
-        internal readonly NtruParameterSet ParameterSet;
-
-        private readonly string _name;
+        private readonly string m_name;
+        private readonly NtruParameterSet m_parameterSet;
 
         private NtruParameters(string name, NtruParameterSet parameterSet)
         {
-            _name = name;
-            ParameterSet = parameterSet;
+            m_name = name;
+            m_parameterSet = parameterSet;
         }
 
-        public string Name => _name;
+        public string Name => m_name;
+
+        internal NtruParameterSet ParameterSet => m_parameterSet;
+
+        internal int PrivateKeyLength => ParameterSet.NtruSecretKeyBytes();
+
+        internal int PublicKeyLength => ParameterSet.NtruPublicKeyBytes();
 
+        // TODO[pqc] bc-java uses 'SessionKeySize' for this
         public int DefaultKeySize => ParameterSet.SharedKeyBytes * 8;
     }
-}
+}

crypto/src/pqc/crypto/ntru/NtruPrivateKeyParamaters.cs

@@ -1,24 +1,40 @@
-namespace Org.BouncyCastle.Pqc.Crypto.Ntru
+using System;
+
+namespace Org.BouncyCastle.Pqc.Crypto.Ntru
 {
     public sealed class NtruPrivateKeyParameters
         : NtruKeyParameters
     {
-        private byte[] _privateKey;
-
-        public byte[] PrivateKey
+        public static NtruPrivateKeyParameters FromEncoding(NtruParameters parameters, byte[] encoding)
         {
-            get => (byte[])_privateKey.Clone();
-            private set => _privateKey = (byte[])value.Clone();
+#pragma warning disable CS0618 // Type or member is obsolete
+            return new NtruPrivateKeyParameters(parameters, encoding);
+#pragma warning restore CS0618 // Type or member is obsolete
         }
 
-        public NtruPrivateKeyParameters(NtruParameters parameters, byte[] key) : base(true, parameters)
+        private readonly byte[] m_privateKey;
+
+        [Obsolete("Use 'FromEncoding' instead")]
+        public NtruPrivateKeyParameters(NtruParameters parameters, byte[] key)
+            : base(privateKey: true, parameters)
         {
-            PrivateKey = key;
+            if (parameters == null)
+                throw new ArgumentNullException(nameof(parameters));
+            if (key == null)
+                throw new ArgumentNullException(nameof(key));
+            if (key.Length != parameters.PrivateKeyLength)
+                throw new ArgumentException("invalid encoding", nameof(key));
+
+            m_privateKey = (byte[])key.Clone();
         }
 
-        public override byte[] GetEncoded()
+        public override byte[] GetEncoded() => (byte[])m_privateKey.Clone();
+
+        [Obsolete("Use 'GetEncoded' instead")]
+        public byte[] PrivateKey
         {
-            return PrivateKey;
+            get => GetEncoded();
+            private set => throw new NotSupportedException();
         }
     }
-}
+}

crypto/src/pqc/crypto/ntru/NtruPublicKeyParameters.cs

@@ -1,24 +1,40 @@
-namespace Org.BouncyCastle.Pqc.Crypto.Ntru
+using System;
+
+namespace Org.BouncyCastle.Pqc.Crypto.Ntru
 {
     public sealed class NtruPublicKeyParameters
         : NtruKeyParameters
     {
-        private byte[] _publicKey;
-
-        public byte[] PublicKey
+        public static NtruPublicKeyParameters FromEncoding(NtruParameters parameters, byte[] encoding)
         {
-            get => (byte[])_publicKey.Clone();
-            set => _publicKey = (byte[])value.Clone();
+#pragma warning disable CS0618 // Type or member is obsolete
+            return new NtruPublicKeyParameters(parameters, encoding);
+#pragma warning restore CS0618 // Type or member is obsolete
         }
 
-        public NtruPublicKeyParameters(NtruParameters parameters, byte[] key) : base(false, parameters)
+        private readonly byte[] m_publicKey;
+
+        [Obsolete("Use 'FromEncoding' instead")]
+        public NtruPublicKeyParameters(NtruParameters parameters, byte[] key)
+            : base(privateKey: false, parameters)
         {
-            PublicKey = key;
+            if (parameters == null)
+                throw new ArgumentNullException(nameof(parameters));
+            if (key == null)
+                throw new ArgumentNullException(nameof(key));
+            if (key.Length != parameters.PublicKeyLength)
+                throw new ArgumentException("invalid encoding", nameof(key));
+
+            m_publicKey = (byte[])key.Clone();
         }
 
-        public override byte[] GetEncoded()
+        public override byte[] GetEncoded() => (byte[])m_publicKey.Clone();
+
+        [Obsolete("Use 'GetEncoded' instead")]
+        public byte[] PublicKey
         {
-            return PublicKey;
+            get => GetEncoded();
+            set => throw new NotSupportedException();
         }
     }
-}
+}