diff --git a/core/src/main/java/org/bouncycastle/crypto/hpke/DHKEM.java b/core/src/main/java/org/bouncycastle/crypto/hpke/DHKEM.java index a17bfcd235..44a46d6a47 100644 --- a/core/src/main/java/org/bouncycastle/crypto/hpke/DHKEM.java +++ b/core/src/main/java/org/bouncycastle/crypto/hpke/DHKEM.java @@ -36,6 +36,7 @@ class DHKEM + extends KEM { private AsymmetricCipherKeyPairGenerator kpGen; @@ -48,6 +49,7 @@ class DHKEM private byte bitmask; private int Nsk; private int Nsecret; + private int Nenc; ECDomainParameters domainParams; @@ -74,7 +76,7 @@ protected DHKEM(short kemid) bitmask = (byte)0xff; Nsk = 32; Nsecret = 32; - + Nenc = 65; this.kpGen = new ECKeyPairGenerator(); this.kpGen.init(new ECKeyGenerationParameters(domainParams, new SecureRandom())); @@ -96,6 +98,7 @@ protected DHKEM(short kemid) bitmask = (byte)0xff; Nsk = 48; Nsecret = 48; + Nenc = 97; this.kpGen = new ECKeyPairGenerator(); this.kpGen.init(new ECKeyGenerationParameters(domainParams, new SecureRandom())); @@ -119,6 +122,7 @@ protected DHKEM(short kemid) bitmask = 0x01; Nsk = 66; Nsecret = 64; + Nenc = 133; this.kpGen = new ECKeyPairGenerator(); this.kpGen.init(new ECKeyGenerationParameters(domainParams, new SecureRandom())); @@ -129,6 +133,7 @@ protected DHKEM(short kemid) this.agreement = new XDHBasicAgreement(); Nsecret = 32; Nsk = 32; + Nenc = 32; this.kpGen = new X25519KeyPairGenerator(); this.kpGen.init(new X25519KeyGenerationParameters(new SecureRandom())); @@ -138,6 +143,7 @@ protected DHKEM(short kemid) this.agreement = new XDHBasicAgreement(); Nsecret = 64; Nsk = 56; + Nenc = 56; this.kpGen = new X448KeyPairGenerator(); this.kpGen.init(new X448KeyGenerationParameters(new SecureRandom())); @@ -242,6 +248,11 @@ public AsymmetricCipherKeyPair DeserializePrivateKey(byte[] skEncoded, byte[] pk } } + int getEncryptionSize() + { + return Nenc; + } + private boolean ValidateSk(BigInteger d) { BigInteger n = domainParams.getN(); diff --git a/core/src/main/java/org/bouncycastle/crypto/hpke/HPKE.java b/core/src/main/java/org/bouncycastle/crypto/hpke/HPKE.java index 076e28f45f..64f63c708a 100644 --- a/core/src/main/java/org/bouncycastle/crypto/hpke/HPKE.java +++ b/core/src/main/java/org/bouncycastle/crypto/hpke/HPKE.java @@ -40,7 +40,7 @@ public class HPKE private final short kemId; private final short kdfId; private final short aeadId; - private final DHKEM dhkem; + private final KEM kem; private final HKDF hkdf; short Nk; @@ -58,7 +58,7 @@ public HPKE(byte mode, short kemId, short kdfId, short aeadId) this.kdfId = kdfId; this.aeadId = aeadId; this.hkdf = new HKDF(kdfId); - this.dhkem = new DHKEM(kemId); + this.kem = new DHKEM(kemId); if (aeadId == aead_AES_GCM128) { Nk = 16; @@ -67,25 +67,12 @@ public HPKE(byte mode, short kemId, short kdfId, short aeadId) { Nk = 32; } + } public int getEncSize() { - switch (kemId) - { - case HPKE.kem_P256_SHA256: - return 65; - case HPKE.kem_P384_SHA348: - return 97; - case HPKE.kem_P521_SHA512: - return 133; - case HPKE.kem_X25519_SHA256: - return 32; - case HPKE.kem_X448_SHA512: - return 56; - default: - throw new IllegalArgumentException("invalid kem id"); - } + return kem.getEncryptionSize(); } public short getAeadId() { @@ -139,32 +126,32 @@ private HPKEContext keySchedule(byte mode, byte[] sharedSecret, byte[] info, byt public AsymmetricCipherKeyPair generatePrivateKey() { - return dhkem.GeneratePrivateKey(); + return kem.GeneratePrivateKey(); } public byte[] serializePublicKey(AsymmetricKeyParameter pk) { - return dhkem.SerializePublicKey(pk); + return kem.SerializePublicKey(pk); } public byte[] serializePrivateKey(AsymmetricKeyParameter sk) { - return dhkem.SerializePrivateKey(sk); + return kem.SerializePrivateKey(sk); } public AsymmetricKeyParameter deserializePublicKey(byte[] pkEncoded) { - return dhkem.DeserializePublicKey(pkEncoded); + return kem.DeserializePublicKey(pkEncoded); } public AsymmetricCipherKeyPair deserializePrivateKey(byte[] skEncoded, byte[] pkEncoded) { - return dhkem.DeserializePrivateKey(skEncoded, pkEncoded); + return kem.DeserializePrivateKey(skEncoded, pkEncoded); } public AsymmetricCipherKeyPair deriveKeyPair(byte[] ikm) { - return dhkem.DeriveKeyPair(ikm); + return kem.DeriveKeyPair(ikm); } public byte[][] sendExport(AsymmetricKeyParameter pkR, byte[] info, byte[] exporterContext, int L, @@ -273,7 +260,7 @@ public byte[] open(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info, byte[] public HPKEContextWithEncapsulation setupBaseS(AsymmetricKeyParameter pkR, byte[] info) { - byte[][] output = dhkem.Encap(pkR); // sharedSecret, enc + byte[][] output = kem.Encap(pkR); // sharedSecret, enc HPKEContext ctx = keySchedule(mode_base, output[0], info, default_psk, default_psk_id); return new HPKEContextWithEncapsulation(ctx, output[1]); @@ -283,7 +270,7 @@ public HPKEContextWithEncapsulation setupBaseS(AsymmetricKeyParameter pkR, byte[ // This should only be used to validate test vectors. public HPKEContextWithEncapsulation setupBaseS(AsymmetricKeyParameter pkR, byte[] info, AsymmetricCipherKeyPair kpE) { - byte[][] output = dhkem.Encap(pkR, kpE); // sharedSecret, enc + byte[][] output = kem.Encap(pkR, kpE); // sharedSecret, enc HPKEContext ctx = keySchedule(mode_base, output[0], info, default_psk, default_psk_id); return new HPKEContextWithEncapsulation(ctx, output[1]); @@ -291,13 +278,13 @@ public HPKEContextWithEncapsulation setupBaseS(AsymmetricKeyParameter pkR, byte[ public HPKEContext setupBaseR(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info) { - byte[] sharedSecret = dhkem.Decap(enc, skR); + byte[] sharedSecret = kem.Decap(enc, skR); return keySchedule(mode_base, sharedSecret, info, default_psk, default_psk_id); } public HPKEContextWithEncapsulation SetupPSKS(AsymmetricKeyParameter pkR, byte[] info, byte[] psk, byte[] psk_id) { - byte[][] output = dhkem.Encap(pkR); // sharedSecret, enc + byte[][] output = kem.Encap(pkR); // sharedSecret, enc HPKEContext ctx = keySchedule(mode_psk, output[0], info, psk, psk_id); @@ -306,13 +293,13 @@ public HPKEContextWithEncapsulation SetupPSKS(AsymmetricKeyParameter pkR, byte[] public HPKEContext setupPSKR(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info, byte[] psk, byte[] psk_id) { - byte[] sharedSecret = dhkem.Decap(enc, skR); + byte[] sharedSecret = kem.Decap(enc, skR); return keySchedule(mode_psk, sharedSecret, info, psk, psk_id); } public HPKEContextWithEncapsulation setupAuthS(AsymmetricKeyParameter pkR, byte[] info, AsymmetricCipherKeyPair skS) { - byte[][] output = dhkem.AuthEncap(pkR, skS); + byte[][] output = kem.AuthEncap(pkR, skS); HPKEContext ctx = keySchedule(mode_auth, output[0], info, default_psk, default_psk_id); return new HPKEContextWithEncapsulation(ctx, output[1]); @@ -320,13 +307,13 @@ public HPKEContextWithEncapsulation setupAuthS(AsymmetricKeyParameter pkR, byte[ public HPKEContext setupAuthR(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info, AsymmetricKeyParameter pkS) { - byte[] sharedSecret = dhkem.AuthDecap(enc, skR, pkS); + byte[] sharedSecret = kem.AuthDecap(enc, skR, pkS); return keySchedule(mode_auth, sharedSecret, info, default_psk, default_psk_id); } public HPKEContextWithEncapsulation setupAuthPSKS(AsymmetricKeyParameter pkR, byte[] info, byte[] psk, byte[] psk_id, AsymmetricCipherKeyPair skS) { - byte[][] output = dhkem.AuthEncap(pkR, skS); + byte[][] output = kem.AuthEncap(pkR, skS); HPKEContext ctx = keySchedule(mode_auth_psk, output[0], info, psk, psk_id); return new HPKEContextWithEncapsulation(ctx, output[1]); @@ -334,7 +321,7 @@ public HPKEContextWithEncapsulation setupAuthPSKS(AsymmetricKeyParameter pkR, by public HPKEContext setupAuthPSKR(byte[] enc, AsymmetricCipherKeyPair skR, byte[] info, byte[] psk, byte[] psk_id, AsymmetricKeyParameter pkS) { - byte[] sharedSecret = dhkem.AuthDecap(enc, skR, pkS); + byte[] sharedSecret = kem.AuthDecap(enc, skR, pkS); return keySchedule(mode_auth_psk, sharedSecret, info, psk, psk_id); } } diff --git a/core/src/main/java/org/bouncycastle/crypto/hpke/KEM.java b/core/src/main/java/org/bouncycastle/crypto/hpke/KEM.java new file mode 100644 index 0000000000..6b3ddc67f0 --- /dev/null +++ b/core/src/main/java/org/bouncycastle/crypto/hpke/KEM.java @@ -0,0 +1,35 @@ +package org.bouncycastle.crypto.hpke; + +import org.bouncycastle.crypto.AsymmetricCipherKeyPair; +import org.bouncycastle.crypto.params.AsymmetricKeyParameter; + + +/** + * base class for HPKE KEM + */ +public abstract class KEM { + + // Key Generation + abstract AsymmetricCipherKeyPair GeneratePrivateKey(); + abstract AsymmetricCipherKeyPair DeriveKeyPair(byte[] ikm); + + // Encapsulates a shared secret for a given public key and returns the encapsulated key and shared secret. + abstract byte[][] Encap(AsymmetricKeyParameter recipientPublicKey); + abstract byte[][] Encap(AsymmetricKeyParameter pkR, AsymmetricCipherKeyPair kpE); + abstract byte[][] AuthEncap(AsymmetricKeyParameter pkR, AsymmetricCipherKeyPair kpS); + + // Decapsulates the given encapsulated key using the recipient's key pair and returns the shared secret. + abstract byte[] Decap(byte[] encapsulatedKey, AsymmetricCipherKeyPair recipientKeyPair); + abstract byte[] AuthDecap(byte[] enc, AsymmetricCipherKeyPair kpR, AsymmetricKeyParameter pkS); + + // Serialization + abstract byte[] SerializePublicKey(AsymmetricKeyParameter publicKey); + abstract byte[] SerializePrivateKey(AsymmetricKeyParameter key); + + // Deserialization + abstract AsymmetricKeyParameter DeserializePublicKey(byte[] encodedPublicKey); + abstract AsymmetricCipherKeyPair DeserializePrivateKey(byte[] skEncoded, byte[] pkEncoded); + + abstract int getEncryptionSize(); + +} \ No newline at end of file