@noble/post-quantum 0.1.0 → 0.2.0

package/src/ml-dsa.ts

@@ -1,6 +1,6 @@
 /*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */
 import { shake256 } from '@noble/hashes/sha3';
-import { genCrystals, XOF, XOF128, XOF256, XOF_AES } from './_crystals.js';
+import { genCrystals, XOF, XOF128, XOF256 } from './_crystals.js';
 import {
   BytesCoderLen,
   Signer,
@@ -18,11 +18,6 @@ Lattice-based digital signature algorithm. See
 [repo](https://github.com/pq-crystals/dilithium).
 Dilithium has similar internals to Kyber, but their keys and params are different.
 
-Three versions are provided:
-
-1. Dilithium v3.0, v3.0 AES
-2. Dilithium v3.1, v3.1 AES
-3. ML-DSA aka [FIPS-204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf)
 */
 
 // Constants
@@ -135,13 +130,11 @@ type DilithiumOpts = {
   TR_BYTES: number;
   XOF128: XOF;
   XOF256: XOF;
-  FIPS204?: boolean;
-  V31?: boolean;
 };
 
 function getDilithium(opts: DilithiumOpts): Signer {
   const { K, L, GAMMA1, GAMMA2, TAU, ETA, OMEGA } = opts;
-  const { FIPS204, V31, CRH_BYTES, TR_BYTES, C_TILDE_BYTES, XOF128, XOF256 } = opts;
+  const { CRH_BYTES, TR_BYTES, C_TILDE_BYTES, XOF128, XOF256 } = opts;
 
   if (![2, 4].includes(ETA)) throw new Error('Wrong ETA');
   if (![1 << 17, 1 << 19].includes(GAMMA1)) throw new Error('Wrong GAMMA1');
@@ -171,6 +164,8 @@ function getDilithium(opts: DilithiumOpts): Signer {
     // But they return different results! However, decompose is same.
     // So, either there is a bug in Dilithium ref implementation or in FIPS204.
     // For now, lets use dilithium one, so test vectors can be passed.
+    // See
+    // https://github.com/GiacomoPope/dilithium-py?tab=readme-ov-file#optimising-decomposition-and-making-hints
     return res0;
   };
 
@@ -262,7 +257,7 @@ function getDilithium(opts: DilithiumOpts): Signer {
   const SampleInBall = (seed: Uint8Array) => {
     // Samples a polynomial c ∈ Rq with coeffcients from {−1, 0, 1} and Hamming weight τ
     const pre = newPoly(N);
-    const s = shake256.create({}).update(seed.slice(0, 32));
+    const s = shake256.create({}).update(seed);
     const buf = new Uint8Array(shake256.blockLen);
     s.xofInto(buf);
     const masks = buf.slice(0, 8);
@@ -309,15 +304,21 @@ function getDilithium(opts: DilithiumOpts): Signer {
     return { v, cnt };
   };
 
-  const signRandBytes = FIPS204 ? 32 : CRH_BYTES;
-  const seedCoder = splitCoder(32, V31 ? 64 : 32, 32);
-  const seedXOF = V31 ? XOF256 : XOF128;
+  const signRandBytes = 32;
+  const seedCoder = splitCoder(32, 64, 32);
   // API & argument positions are exactly as in FIPS204.
   return {
     signRandBytes,
     keygen: (seed = randomBytes(32)) => {
-      const [rho, rhoPrime, K_] = seedCoder.decode(shake256(seed, { dkLen: seedCoder.bytesLen }));
-      const xofPrime = seedXOF(rhoPrime);
+      // H(𝜉||IntegerToBytes(𝑘, 1)||IntegerToBytes(ℓ, 1), 128) 2: ▷ expand seed
+      const seedDst = new Uint8Array(32 + 2);
+      seedDst.set(seed);
+      seedDst[32] = K;
+      seedDst[33] = L;
+      const [rho, rhoPrime, K_] = seedCoder.decode(
+        shake256(seedDst, { dkLen: seedCoder.bytesLen })
+      );
+      const xofPrime = XOF256(rhoPrime);
       const s1 = [];
       for (let i = 0; i < L; i++) s1.push(RejBoundedPoly(xofPrime.get(i & 0xff, (i >> 8) & 0xff)));
       const s2 = [];
@@ -348,7 +349,7 @@ function getDilithium(opts: DilithiumOpts): Signer {
       // STATS
       // Kyber512:  { calls: 4, xofs: 12 }, Kyber768: { calls: 9, xofs: 27 }, Kyber1024: { calls: 16, xofs: 48 }
       // DSA44:    { calls: 24, xofs: 24 }, DSA65:    { calls: 41, xofs: 41 }, DSA87:    { calls: 71, xofs: 71 }
-      cleanBytes(rho, rhoPrime, K_, s1, s2, s1Hat, t, t0, t1, tr);
+      cleanBytes(rho, rhoPrime, K_, s1, s2, s1Hat, t, t0, t1, tr, seedDst);
       return { publicKey, secretKey };
     },
     // NOTE: random is optional.
@@ -372,16 +373,17 @@ function getDilithium(opts: DilithiumOpts): Signer {
       }
       // This part is per msg
       const mu = shake256.create({ dkLen: CRH_BYTES }).update(tr).update(msg).digest(); // 6: µ ← H(tr||M, 512) ▷ Compute message representative µ
-      let rhoprime; // Compute private random seed
-      if (FIPS204) {
-        const rnd = random ? random : new Uint8Array(32);
-        ensureBytes(rnd);
-        rhoprime = shake256.create({ dkLen: CRH_BYTES }).update(_K).update(rnd).update(mu).digest(); // ρ′← H(K||rnd||µ, 512)
-      } else {
-        rhoprime = random
-          ? random
-          : shake256.create({ dkLen: CRH_BYTES }).update(_K).update(mu).digest();
-      }
+
+      // Compute private random seed
+      const rnd = random ? random : new Uint8Array(32);
+      ensureBytes(rnd);
+      const rhoprime = shake256
+        .create({ dkLen: CRH_BYTES })
+        .update(_K)
+        .update(rnd)
+        .update(mu)
+        .digest(); // ρ′← H(K||rnd||µ, 512)
+
       ensureBytes(rhoprime, CRH_BYTES);
       const x256 = XOF256(rhoprime, ZCoder.bytesLen);
       //  Rejection sampling loop
@@ -407,7 +409,7 @@ function getDilithium(opts: DilithiumOpts): Signer {
           .update(W1Vec.encode(w1))
           .digest();
         // Verifer’s challenge
-        const cHat = NTT.encode(SampleInBall(cTilde.subarray(0, 32))); // c ← SampleInBall(c˜1); cˆ ← NTT(c)
+        const cHat = NTT.encode(SampleInBall(cTilde)); // c ← SampleInBall(c˜1); cˆ ← NTT(c)
         // ⟨⟨cs1⟩⟩ ← NTT−1(cˆ◦ sˆ1)
         const cs1 = s1.map((i) => MultiplyNTTs(i, cHat));
         for (let i = 0; i < L; i++) {
@@ -450,7 +452,7 @@ function getDilithium(opts: DilithiumOpts): Signer {
       for (let i = 0; i < L; i++) if (polyChknorm(z[i], GAMMA1 - BETA)) return false;
       const mu = shake256.create({ dkLen: CRH_BYTES }).update(tr).update(msg).digest(); // 7: µ ← H(tr||M, 512)
       // Compute verifer’s challenge from c˜
-      const c = NTT.encode(SampleInBall(cTilde.subarray(0, 32))); // c ← SampleInBall(c˜1)
+      const c = NTT.encode(SampleInBall(cTilde)); // c ← SampleInBall(c˜1)
       const zNtt = z.map((i) => i.slice()); // zNtt = NTT(z)
       for (let i = 0; i < L; i++) NTT.encode(zNtt[i]);
       const wTick1 = [];
@@ -474,66 +476,18 @@ function getDilithium(opts: DilithiumOpts): Signer {
         .update(mu)
         .update(W1Vec.encode(wTick1))
         .digest();
-      if (FIPS204) {
-        // Additional checks in FIPS-204:
-        // [[ ||z||∞ < γ1 − β ]] and [[c ˜ = c˜′]] and [[number of 1’s in h is ≤ ω]]
-        for (const t of h) {
-          const sum = t.reduce((acc, i) => acc + i, 0);
-          if (!(sum <= OMEGA)) return false;
-        }
-        for (const t of z) if (polyChknorm(t, GAMMA1 - BETA)) return false;
+      // Additional checks in FIPS-204:
+      // [[ ||z||∞ < γ1 − β ]] and [[c ˜ = c˜′]] and [[number of 1’s in h is ≤ ω]]
+      for (const t of h) {
+        const sum = t.reduce((acc, i) => acc + i, 0);
+        if (!(sum <= OMEGA)) return false;
       }
+      for (const t of z) if (polyChknorm(t, GAMMA1 - BETA)) return false;
       return equalBytes(cTilde, c2);
     },
   };
 }
 
-function getDilithiumVersions(cfg: Partial<DilithiumOpts>) {
-  return {
-    dilithium2: getDilithium({ ...PARAMS[2], ...cfg } as DilithiumOpts),
-    dilithium3: getDilithium({ ...PARAMS[3], ...cfg } as DilithiumOpts),
-    dilithium5: getDilithium({ ...PARAMS[5], ...cfg } as DilithiumOpts),
-  };
-}
-
-// v30 is NIST round 3 submission, for original vectors and benchmarking.
-// v31 is kyber: more secure than v30.
-// ml-dsa is NIST FIPS 204, but it is still a draft and may change.
-
-export const dilithium_v30 = /* @__PURE__ */ getDilithiumVersions({
-  CRH_BYTES: 48,
-  TR_BYTES: 48,
-  C_TILDE_BYTES: 32,
-  XOF128,
-  XOF256,
-});
-
-export const dilithium_v31 = /* @__PURE__ */ getDilithiumVersions({
-  CRH_BYTES: 64,
-  TR_BYTES: 32,
-  C_TILDE_BYTES: 32,
-  XOF128,
-  XOF256,
-  V31: true,
-});
-
-export const dilithium_v30_aes = /* @__PURE__ */ getDilithiumVersions({
-  CRH_BYTES: 48,
-  TR_BYTES: 48,
-  C_TILDE_BYTES: 32,
-  XOF128: XOF_AES,
-  XOF256: XOF_AES,
-});
-
-export const dilithium_v31_aes = /* @__PURE__ */ getDilithiumVersions({
-  CRH_BYTES: 64,
-  TR_BYTES: 32,
-  C_TILDE_BYTES: 32,
-  XOF128: XOF_AES,
-  XOF256: XOF_AES,
-  V31: true,
-});
-
 // ML-DSA
 export const ml_dsa44 = /* @__PURE__ */ getDilithium({
   ...PARAMS[2],
@@ -542,8 +496,6 @@ export const ml_dsa44 = /* @__PURE__ */ getDilithium({
   C_TILDE_BYTES: 32,
   XOF128,
   XOF256,
-  V31: true,
-  FIPS204: true,
 });
 
 export const ml_dsa65 = /* @__PURE__ */ getDilithium({
@@ -553,8 +505,6 @@ export const ml_dsa65 = /* @__PURE__ */ getDilithium({
   C_TILDE_BYTES: 48,
   XOF128,
   XOF256,
-  V31: true,
-  FIPS204: true,
 });
 
 export const ml_dsa87 = /* @__PURE__ */ getDilithium({
@@ -564,6 +514,4 @@ export const ml_dsa87 = /* @__PURE__ */ getDilithium({
   C_TILDE_BYTES: 64,
   XOF128,
   XOF256,
-  V31: true,
-  FIPS204: true,
 });

package/src/ml-kem.ts

@@ -1,9 +1,7 @@
 /*! noble-post-quantum - MIT License (c) 2024 Paul Miller (paulmillr.com) */
-import { ctr } from '@noble/ciphers/aes';
-import { sha256, sha512 } from '@noble/hashes/sha2';
 import { sha3_256, sha3_512, shake256 } from '@noble/hashes/sha3';
 import { u32, wrapConstructor, wrapConstructorWithOpts } from '@noble/hashes/utils';
-import { genCrystals, XOF, XOF_AES, XOF128 } from './_crystals.js';
+import { genCrystals, XOF, XOF128 } from './_crystals.js';
 import {
   Coder,
   cleanBytes,
@@ -34,16 +32,11 @@ There are some concerns with regards to security: see
 [djb blog](https://blog.cr.yp.to/20231003-countcorrectly.html) and
 [mailing list](https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E).
 
-Three versions are provided:
-
-1. Kyber
-2. Kyber-90s, using algorithms from 1990s
-3. ML-KEM aka [FIPS-203](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.ipd.pdf)
 */
 
 const N = 256; // Kyber (not FIPS-203) supports different lengths, but all std modes were using 256
 const Q = 3329; // 13*(2**8)+1, modulo prime
-const F = 3303; // 3303 ≡ 128−1 mod q (FIPS-203)
+const F = 3303; // 3303 ≡ 128**(−1) mod q (FIPS-203)
 const ROOT_OF_UNITY = 17; // ζ = 17 ∈ Zq is a primitive 256-th root of unity modulo Q. ζ**128 ≡−1
 const { mod, nttZetas, NTT, bitsCoder } = genCrystals({
   N,
@@ -136,7 +129,6 @@ type KyberOpts = ParameterSet & {
   KDF: Hash | HashWOpts;
   XOF: XOF; // (seed: Uint8Array, len: number, x: number, y: number) => Uint8Array;
   PRF: PRF;
-  FIPS203?: boolean;
 };
 
 // Return poly in NTT representation
@@ -185,7 +177,7 @@ function sampleCBD(PRF: PRF, seed: Uint8Array, nonce: number, eta: number): Poly
 // K-PKE
 // As per FIPS-203, it doesn't perform any input validation and can't be used in standalone fashion.
 const genKPKE = (opts: KyberOpts) => {
-  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv, FIPS203 } = opts;
+  const { K, PRF, XOF, HASH512, ETA1, ETA2, du, dv } = opts;
   const poly1 = polyCoder(1);
   const polyV = polyCoder(dv);
   const polyU = polyCoder(du);
@@ -199,7 +191,12 @@ const genKPKE = (opts: KyberOpts) => {
     publicKeyLen: publicCoder.bytesLen,
     cipherTextLen: cipherCoder.bytesLen,
     keygen: (seed: Uint8Array) => {
-      const [rho, sigma] = seedCoder.decode(HASH512(seed));
+      const seedDst = new Uint8Array(33);
+      seedDst.set(seed);
+      seedDst[32] = K;
+      const seedHash = HASH512(seedDst);
+
+      const [rho, sigma] = seedCoder.decode(seedHash);
       const sHat: Poly[] = [];
       const tHat: Poly[] = [];
       for (let i = 0; i < K; i++) sHat.push(NTT.encode(sampleCBD(PRF, sigma, i, ETA1)));
@@ -207,7 +204,7 @@ const genKPKE = (opts: KyberOpts) => {
       for (let i = 0; i < K; i++) {
         const e = NTT.encode(sampleCBD(PRF, sigma, K + i, ETA1));
         for (let j = 0; j < K; j++) {
-          const aji = SampleNTT(FIPS203 ? x.get(i, j) : x.get(j, i)); // A[j][i], inplace
+          const aji = SampleNTT(x.get(j, i)); // A[j][i], inplace
           polyAdd(e, MultiplyNTTs(aji, sHat[j]));
         }
         tHat.push(e); // t ← A ◦ s + e
@@ -217,7 +214,7 @@ const genKPKE = (opts: KyberOpts) => {
         publicKey: publicCoder.encode([tHat, rho]),
         secretKey: secretCoder.encode(sHat),
       };
-      cleanBytes(rho, sigma, sHat, tHat);
+      cleanBytes(rho, sigma, sHat, tHat, seedDst, seedHash);
       return res;
     },
     encrypt: (publicKey: Uint8Array, msg: Uint8Array, seed: Uint8Array) => {
@@ -231,7 +228,7 @@ const genKPKE = (opts: KyberOpts) => {
         const e1 = sampleCBD(PRF, seed, K + i, ETA2);
         const tmp = new Uint16Array(N);
         for (let j = 0; j < K; j++) {
-          const aij = SampleNTT(FIPS203 ? x.get(j, i) : x.get(i, j)); // A[i][j], inplace
+          const aij = SampleNTT(x.get(i, j)); // A[i][j], inplace
           polyAdd(tmp, MultiplyNTTs(aij, rHat[j])); // t += aij * rHat[j]
         }
         polyAdd(e1, NTT.decode(tmp)); // e1 += tmp
@@ -261,7 +258,7 @@ const genKPKE = (opts: KyberOpts) => {
 
 function createKyber(opts: KyberOpts) {
   const KPKE = genKPKE(opts);
-  const { HASH256, HASH512, KDF, FIPS203 } = opts;
+  const { HASH256, HASH512, KDF } = opts;
   const { secretCoder: KPKESecretCoder, cipherTextLen } = KPKE;
   const publicKeyLen = KPKE.publicKeyLen; // 384*K+32
   const secretCoder = splitCoder(KPKE.secretKeyLen, KPKE.publicKeyLen, 32, 32);
@@ -282,29 +279,21 @@ function createKyber(opts: KyberOpts) {
     encapsulate: (publicKey: Uint8Array, msg = randomBytes(32)) => {
       ensureBytes(publicKey, publicKeyLen);
       ensureBytes(msg, msgLen);
-      if (!FIPS203) msg = HASH256(msg); // NOTE: ML-KEM doesn't have this step!
-      else {
-        // FIPS-203 includes additional verification check for modulus
-        const eke = publicKey.subarray(0, 384 * opts.K);
-        const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(eke.slice())); // Copy because of inplace encoding
-        // (Modulus check.) Perform the computation ek ← ByteEncode12(ByteDecode12(eke)).
-        // If ek = ̸ eke, the input is invalid. (See Section 4.2.1.)
-        if (!equalBytes(ek, eke)) {
-          cleanBytes(ek);
-          throw new Error('ML-KEM.encapsulate: wrong publicKey modulus');
-        }
+
+      // FIPS-203 includes additional verification check for modulus
+      const eke = publicKey.subarray(0, 384 * opts.K);
+      const ek = KPKESecretCoder.encode(KPKESecretCoder.decode(eke.slice())); // Copy because of inplace encoding
+      // (Modulus check.) Perform the computation ek ← ByteEncode12(ByteDecode12(eke)).
+      // If ek = ̸ eke, the input is invalid. (See Section 4.2.1.)
+      if (!equalBytes(ek, eke)) {
         cleanBytes(ek);
+        throw new Error('ML-KEM.encapsulate: wrong publicKey modulus');
       }
+      cleanBytes(ek);
       const kr = HASH512.create().update(msg).update(HASH256(publicKey)).digest(); // derive randomness
       const cipherText = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64));
-      if (FIPS203) return { cipherText, sharedSecret: kr.subarray(0, 32) };
-      const cipherTextHash = HASH256(cipherText);
-      const sharedSecret = KDF.create({})
-        .update(kr.subarray(0, 32))
-        .update(cipherTextHash)
-        .digest();
-      cleanBytes(kr, cipherTextHash);
-      return { cipherText, sharedSecret };
+      kr.subarray(32).fill(0);
+      return { cipherText, sharedSecret: kr.subarray(0, 32) };
     },
     decapsulate: (cipherText: Uint8Array, secretKey: Uint8Array) => {
       ensureBytes(secretKey, secretKeyLen); // 768*k + 96
@@ -315,43 +304,13 @@ function createKyber(opts: KyberOpts) {
       const Khat = kr.subarray(0, 32);
       const cipherText2 = KPKE.encrypt(publicKey, msg, kr.subarray(32, 64)); // re-encrypt using the derived randomness
       const isValid = equalBytes(cipherText, cipherText2); // if ciphertexts do not match, “implicitly reject”
-      if (FIPS203) {
-        const Kbar = KDF.create({ dkLen: 32 }).update(z).update(cipherText).digest();
-        cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
-        return isValid ? Khat : Kbar;
-      }
-      const cipherTextHash = HASH256(cipherText);
-      const sharedSecret = KDF.create({ dkLen: 32 })
-        .update(isValid ? Khat : z)
-        .update(cipherTextHash)
-        .digest();
-      cleanBytes(msg, cipherTextHash, cipherText2, Khat, z);
-      return sharedSecret;
+      const Kbar = KDF.create({ dkLen: 32 }).update(z).update(cipherText).digest();
+      cleanBytes(msg, cipherText2, !isValid ? Khat : Kbar);
+      return isValid ? Khat : Kbar;
     },
   };
 }
 
-function PRF(l: number, key: Uint8Array, nonce: number) {
-  const _nonce = new Uint8Array(16);
-  _nonce[0] = nonce;
-  return ctr(key, _nonce).encrypt(new Uint8Array(l));
-}
-
-const opts90s = { HASH256: sha256, HASH512: sha512, KDF: sha256, XOF: XOF_AES, PRF };
-
-export const kyber512_90s = /* @__PURE__ */ createKyber({
-  ...opts90s,
-  ...PARAMS[512],
-});
-export const kyber768_90s = /* @__PURE__ */ createKyber({
-  ...opts90s,
-  ...PARAMS[768],
-});
-export const kyber1024_90s = /* @__PURE__ */ createKyber({
-  ...opts90s,
-  ...PARAMS[1024],
-});
-
 function shakePRF(dkLen: number, key: Uint8Array, nonce: number) {
   return shake256
     .create({ dkLen })
@@ -368,36 +327,18 @@ const opts = {
   PRF: shakePRF,
 };
 
-export const kyber512 = /* @__PURE__ */ createKyber({
-  ...opts,
-  ...PARAMS[512],
-});
-export const kyber768 = /* @__PURE__ */ createKyber({
-  ...opts,
-  ...PARAMS[768],
-});
-export const kyber1024 = /* @__PURE__ */ createKyber({
-  ...opts,
-  ...PARAMS[1024],
-});
-
 /**
- * FIPS-203 (draft) ML-KEM.
- * Unsafe: we can't cross-verify, because there are no test vectors or other implementations.
+ * FIPS-203 ML-KEM.
  */
-
 export const ml_kem512 = /* @__PURE__ */ createKyber({
   ...opts,
   ...PARAMS[512],
-  FIPS203: true,
 });
 export const ml_kem768 = /* @__PURE__ */ createKyber({
   ...opts,
   ...PARAMS[768],
-  FIPS203: true,
 });
 export const ml_kem1024 = /* @__PURE__ */ createKyber({
   ...opts,
   ...PARAMS[1024],
-  FIPS203: true,
 });