summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--crypto/src/pqc/crypto/crystals/dilithium/DilithiumEngine.cs26
-rw-r--r--crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs7
2 files changed, 16 insertions, 17 deletions
diff --git a/crypto/src/pqc/crypto/crystals/dilithium/DilithiumEngine.cs b/crypto/src/pqc/crypto/crystals/dilithium/DilithiumEngine.cs
index 4ba769984..27f1a59cd 100644
--- a/crypto/src/pqc/crypto/crystals/dilithium/DilithiumEngine.cs
+++ b/crypto/src/pqc/crypto/crystals/dilithium/DilithiumEngine.cs
@@ -17,6 +17,8 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Dilithium
         public const int RootOfUnity = 1753;
         public const int SeedBytes = 32;
         public const int CrhBytes = 64;
+        public const int RndBytes = 32;
+        public const int TrBytes = 64;
 
         public const int PolyT1PackedBytes = 320;
         public const int PolyT0PackedBytes = 416;
@@ -126,7 +128,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Dilithium
             byte[] buf = new byte[2 * SeedBytes + CrhBytes];
             byte[] rhoPrime = new byte[CrhBytes];
 
-            tr = new byte[SeedBytes];
+            tr = new byte[TrBytes];
             rho = new byte[SeedBytes];
             key = new byte[SeedBytes];
             s1_ = new byte[L * PolyEtaPackedBytes];
@@ -171,7 +173,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Dilithium
 
             Shake256Digest.BlockUpdate(rho, 0, rho.Length);
             Shake256Digest.BlockUpdate(encT1, 0, encT1.Length);
-            Shake256Digest.OutputFinal(tr, 0, SeedBytes);
+            Shake256Digest.OutputFinal(tr, 0, TrBytes);
 
             Packing.PackSecretKey(t0_, s1_, s2_, t0, s1, s2, this);
         }
@@ -190,21 +192,21 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Dilithium
             Packing.UnpackSecretKey(t0, s1, s2, t0Enc, s1Enc, s2Enc, this);
 
             ShakeDigest ShakeDigest256 = new ShakeDigest(256);
-            ShakeDigest256.BlockUpdate(tr, 0, SeedBytes);
+            ShakeDigest256.BlockUpdate(tr, 0, TrBytes);
             ShakeDigest256.BlockUpdate(msg, 0, msglen);
             ShakeDigest256.OutputFinal(mu, 0, CrhBytes);
 
+            byte[] rnd = new byte[RndBytes];
             if (_random != null)
             {
                 _random.NextBytes(rhoPrime);
             }
-            else
-            {
-                byte[] KeyMu = Arrays.CopyOf(key, SeedBytes + CrhBytes);
-                Array.Copy(mu, 0, KeyMu, SeedBytes, CrhBytes);
-                ShakeDigest256.BlockUpdate(KeyMu, 0, SeedBytes + CrhBytes);
-                ShakeDigest256.OutputFinal(rhoPrime, 0, CrhBytes);
-            }
+
+            byte[] KeyMu = Arrays.CopyOf(key, SeedBytes + RndBytes + CrhBytes);
+            Array.Copy(mu, 0, KeyMu, SeedBytes, RndBytes);
+            Array.Copy(mu, 0, KeyMu, SeedBytes + RndBytes, CrhBytes);
+            ShakeDigest256.BlockUpdate(KeyMu, 0, SeedBytes + RndBytes + CrhBytes);
+            ShakeDigest256.OutputFinal(rhoPrime, 0, CrhBytes);
 
             Matrix.ExpandMatrix(rho);
             
@@ -311,9 +313,9 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Dilithium
             ShakeDigest Shake256Digest = new ShakeDigest(256);
             Shake256Digest.BlockUpdate(rho, 0, rho.Length);
             Shake256Digest.BlockUpdate(encT1, 0, encT1.Length);
-            Shake256Digest.OutputFinal(mu, 0, SeedBytes);
+            Shake256Digest.OutputFinal(mu, 0, TrBytes);
 
-            Shake256Digest.BlockUpdate(mu, 0, SeedBytes);
+            Shake256Digest.BlockUpdate(mu, 0, TrBytes);
             Shake256Digest.BlockUpdate(msg, 0, msglen);
             Shake256Digest.DoFinal(mu, 0);
 
diff --git a/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs b/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs
index 132bd73b3..b7e4adf7c 100644
--- a/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs
+++ b/crypto/src/pqc/crypto/crystals/kyber/KyberEngine.cs
@@ -122,7 +122,6 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber
 
             m_random.NextBytes(randBytes, 0, SymBytes);
 
-            Symmetric.Hash_h(randBytes, randBytes, 0);
             Array.Copy(randBytes, 0, buf, 0, SymBytes);
 
             Symmetric.Hash_h(buf, pk, SymBytes);
@@ -131,9 +130,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber
             
             m_indCpa.Encrypt(cipherText, Arrays.CopyOfRange(buf, 0, SymBytes), pk, Arrays.CopyOfRange(kr, SymBytes, 2 * SymBytes));
 
-            Symmetric.Hash_h(kr, cipherText, SymBytes);
-
-            Symmetric.Kdf(sharedSecret, kr);
+            Array.Copy(kr, 0, sharedSecret, 0, sharedSecret.Length);
         }
 
         internal void KemDecrypt(byte[] sharedSecret, byte[] cipherText, byte[] secretKey)
@@ -155,7 +152,7 @@ namespace Org.BouncyCastle.Pqc.Crypto.Crystals.Kyber
 
             CMov(kr, Arrays.CopyOfRange(secretKey, SecretKeyBytes - SymBytes, SecretKeyBytes), SymBytes, fail);
 
-            Symmetric.Kdf(sharedSecret, kr);
+            Array.Copy(kr, 0, sharedSecret, 0, sharedSecret.Length);
         }
 
         private void CMov(byte[] r, byte[] x, int len, bool b)