gmsm/mldsa/mldsa87.go

// Copyright 2025 Sun Yimin. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
// Code generated by generate.go. DO NOT EDIT.

//go:build go1.24

package mldsa

import (
	"crypto"
	"crypto/sha3"
	"crypto/subtle"
	"encoding/asn1"
	"errors"
	"io"
	"sync"
)

var _ crypto.Signer = (*PrivateKey87)(nil)
var _ crypto.Signer = (*Key87)(nil)

// A PrivateKey87 is the private key for the ML-DSA-87 signature scheme.
type PrivateKey87 struct {
	rho        [32]byte         // public random seed
	k          [32]byte         // private random seed for signing
	tr         [64]byte         // pre-cached public key Hash, H(pk, 64)
	s1         [l87]ringElement // private secret of size L with short coefficients (-4..4) or (-2..2)
	s2         [k87]ringElement // private secret of size K with short coefficients (-4..4) or (-2..2)
	t0         [k87]ringElement // the Polynomial encoding of the 13 LSB of each coefficient of the uncompressed public key polynomial t. This is saved as part of the private key.
	t1         [k87]ringElement // the Polynomial encoding of the 10 MSB of each coefficient of the uncompressed public key polynomial t. This is saved as part of the public key.
	s1NTTCache [l87]nttElement
	s2NTTCache [k87]nttElement
	t0NTTCache [k87]nttElement
	a          [k87 * l87]nttElement // a is generated and stored in NTT representation
	nttOnce    sync.Once
	t1Once     sync.Once
}

// Public returns the public key corresponding to the private key.
// Although we can derive the public key from the private key,
// but we do NOT need to derive it at most of the time.
func (sk *PrivateKey87) Public() crypto.PublicKey {
	sk.ensureT1()
	return &PublicKey87{
		rho: sk.rho,
		t1:  sk.t1,
		tr:  sk.tr,
		a:   sk.a,
	}
}

func (sk *PrivateKey87) ensureNTT() {
	sk.nttOnce.Do(func() {
		for i := range sk.s1NTTCache {
			sk.s1NTTCache[i] = ntt(sk.s1[i])
		}
		for i := range sk.s2NTTCache {
			sk.s2NTTCache[i] = ntt(sk.s2[i])
		}
		for i := range sk.t0NTTCache {
			sk.t0NTTCache[i] = ntt(sk.t0[i])
		}
	})
}

func (sk *PrivateKey87) ensureT1() {
	sk.ensureNTT()
	sk.t1Once.Do(func() {
		// t = NTT_inv(A' * NTT(s1)) + s2
		s1NTT := sk.s1NTTCache
		A := sk.a
		s2 := sk.s2
		var nttT [k87]nttElement

		for i := range nttT {
			for j := range s1NTT {
				nttT[i] = polyAdd(nttT[i], nttMul(s1NTT[j], A[i*l87+j]))
			}
		}
		var t [k87]ringElement
		t1 := &sk.t1
		for i := range nttT {
			t[i] = polyAdd(inverseNTT(nttT[i]), s2[i])
			// compress t
			for j := range n {
				t1[i][j], _ = power2Round(t[i][j])
			}
		}
	})
}

// A Key87 is the key pair for the ML-DSA-87 signature scheme.
type Key87 struct {
	PrivateKey87
	xi [32]byte // input seed
}

// A PublicKey87 is the public key for the ML-DSA-87 signature scheme.
type PublicKey87 struct {
	rho       [32]byte
	t1        [k87]ringElement
	tr        [64]byte // H(pk, 64), need to further check if public key requires it
	tNTTCache [k87]nttElement
	a         [k87 * l87]nttElement // a is generated and stored in NTT representation
	nttOnce   sync.Once
}

// Public generates and returns the corresponding public key for the given
// Key87 instance.
func (sk *Key87) Public() crypto.PublicKey {
	return &PublicKey87{
		rho: sk.rho,
		t1:  sk.t1,
		tr:  sk.tr,
		a:   sk.a,
	}
}

// Seed returns a byte slice of the secret key's seed value.
func (sk *Key87) Seed() []byte {
	var b [SeedSize]byte
	copy(b[:], sk.xi[:])
	return b[:]
}

func (pk *PublicKey87) Equal(x crypto.PublicKey) bool {
	xx, ok := x.(*PublicKey87)
	if !ok {
		return false
	}
	eq := subtle.ConstantTimeCompare(pk.rho[:], xx.rho[:]) &
		constantTimeEqualRingElementArray(pk.t1[:], xx.t1[:])
	return eq == 1
}

// Bytes converts the PublicKey87 instance into a byte slice.
// See FIPS 204, Algorithm 22, pkEncode()
func (pk *PublicKey87) Bytes() []byte {
	// The actual logic is in a separate function to outline this allocation.
	b := make([]byte, 0, PublicKeySize87)
	return pk.bytes(b)
}

func (pk *PublicKey87) bytes(b []byte) []byte {
	b = append(b, pk.rho[:]...)
	for _, f := range pk.t1 {
		b = simpleBitPack10Bits(b, f)
	}
	return b
}

func (pk *PublicKey87) ensureNTT() {
	pk.nttOnce.Do(func() {
		t := pk.t1
		for i := range k87 {
			for j := range t[i] {
				t[i][j] <<= d
			}
			pk.tNTTCache[i] = ntt(t[i])
		}
	})
}

// Bytes converts the PrivateKey87 instance into a byte slice.
// See FIPS 204, Algorithm 24, skEncode()
func (sk *PrivateKey87) Bytes() []byte {
	b := make([]byte, 0, PrivateKeySize87)
	return sk.bytes(b)
}

func (sk *PrivateKey87) bytes(b []byte) []byte {
	b = append(b, sk.rho[:]...)
	b = append(b, sk.k[:]...)
	b = append(b, sk.tr[:]...)
	for _, f := range sk.s1 {
		b = bitPackSigned2(b, f)
	}
	for _, f := range sk.s2 {
		b = bitPackSigned2(b, f)
	}
	for _, f := range sk.t0 {
		b = bitPackSigned4096(b, f)
	}
	return b
}

func (sk *PrivateKey87) Equal(x any) bool {
	xx, ok := x.(*PrivateKey87)
	if !ok {
		return false
	}
	eq := subtle.ConstantTimeCompare(sk.rho[:], xx.rho[:]) &
		subtle.ConstantTimeCompare(sk.k[:], xx.k[:]) &
		subtle.ConstantTimeCompare(sk.tr[:], xx.tr[:]) &
		constantTimeEqualRingElementArray(sk.s1[:], xx.s1[:]) &
		constantTimeEqualRingElementArray(sk.s2[:], xx.s2[:]) &
		constantTimeEqualRingElementArray(sk.t0[:], xx.t0[:])
	return eq == 1
}

// GenerateKey87 generates a new Key87 (ML-DSA-87) using the provided random source.
func GenerateKey87(rand io.Reader) (*Key87, error) {
	// The actual logic is in a separate function to outline this allocation.
	sk := &Key87{}
	return generateKey87(sk, rand)
}

func generateKey87(sk *Key87, rand io.Reader) (*Key87, error) {
	// Generate a random seed.
	var seed [SeedSize]byte
	if _, err := io.ReadFull(rand, seed[:]); err != nil {
		return nil, err
	}
	dsaKeyGen87(sk, &seed)
	return sk, nil
}

// NewKey87 creates a new instance of Key87 using the provided seed.
func NewKey87(seed []byte) (*Key87, error) {
	// The actual logic is in a separate function to outline this allocation.
	sk := &Key87{}
	return newPrivateKey87FromSeed(sk, seed)
}

func newPrivateKey87FromSeed(sk *Key87, seed []byte) (*Key87, error) {
	if len(seed) != SeedSize {
		return nil, errors.New("mldsa: invalid seed length")
	}
	xi := (*[32]byte)(seed)
	dsaKeyGen87(sk, xi)
	return sk, nil
}

func dsaKeyGen87(sk *Key87, xi *[32]byte) {
	sk.xi = *xi
	H := sha3.NewSHAKE256()
	H.Write(xi[:])
	H.Write([]byte{k87, l87})
	K := make([]byte, 128)
	H.Read(K)
	rho, rho1 := K[:32], K[32:96]
	K = K[96:]

	sk.rho = [32]byte(rho)
	sk.k = [32]byte(K)

	s1 := &sk.s1
	s2 := &sk.s2
	// Algorithm 33, ExpandS
	for s := range byte(l87) {
		s1[s] = rejBoundedPoly(rho1, eta2, 0, s)
	}
	for r := range byte(k87) {
		s2[r] = rejBoundedPoly(rho1, eta2, 0, r+l87)
	}

	// Using rho generate A' = A in NTT form
	A := &sk.a
	// Algorithm 32, ExpandA
	for r := range byte(k87) {
		for s := byte(0); s < l87; s++ {
			A[r*l87+s] = rejNTTPoly(rho, s, r)
		}
	}

	// t = NTT_inv(A' * NTT(s1)) + s2
	var s1NTT [l87]nttElement
	var nttT [k87]nttElement
	for i := range s1 {
		s1NTT[i] = ntt(s1[i])
	}
	for i := range nttT {
		for j := range s1NTT {
			nttT[i] = polyAdd(nttT[i], nttMul(s1NTT[j], A[i*l87+j]))
		}
	}
	var t [k87]ringElement
	t0 := &sk.t0
	t1 := &sk.t1
	for i := range nttT {
		t[i] = polyAdd(inverseNTT(nttT[i]), s2[i])
		// compress t
		for j := range n {
			t1[i][j], t0[i][j] = power2Round(t[i][j])
		}
	}
	H.Reset()
	ek := sk.Public().(*PublicKey87).Bytes()
	H.Write(ek)
	H.Read(sk.tr[:])
}

// NewPublicKey87 decode an public key from its encoded form.
// See FIPS 204, Algorithm 23 pkDecode()
func NewPublicKey87(b []byte) (*PublicKey87, error) {
	// The actual logic is in a separate function to outline this allocation.
	pk := &PublicKey87{}
	return parsePublicKey87(pk, b)
}

// See FIPS 204, Algorithm 23 pkDecode()
func parsePublicKey87(pk *PublicKey87, b []byte) (*PublicKey87, error) {
	if len(b) != PublicKeySize87 {
		return nil, errors.New("mldsa: invalid public key length")
	}

	H := sha3.NewSHAKE256()
	H.Write(b)
	H.Read(pk.tr[:])

	copy(pk.rho[:], b[:32])
	b = b[32:]
	for i := range k87 {
		simpleBitUnpack10Bits(b, &pk.t1[i])
		b = b[encodingSize10:]
	}

	A := &pk.a
	rho := pk.rho[:]
	// Algorithm 32, ExpandA
	for r := range byte(k87) {
		for s := range byte(l87) {
			A[r*l87+s] = rejNTTPoly(rho, s, r)
		}
	}
	return pk, nil
}

// NewPrivateKey87 decode an private key from its encoded form.
// See FIPS 204, Algorithm 25 skDecode()
func NewPrivateKey87(b []byte) (*PrivateKey87, error) {
	// The actual logic is in a separate function to outline this allocation.
	sk := &PrivateKey87{}
	return parsePrivateKey87(sk, b)
}

// See FIPS 204, Algorithm 25 skDecode()
// Decode a private key from its encoded form.
func parsePrivateKey87(sk *PrivateKey87, b []byte) (*PrivateKey87, error) {
	if len(b) != PrivateKeySize87 {
		return nil, errors.New("mldsa: invalid private key length")
	}
	copy(sk.rho[:], b[:32])
	copy(sk.k[:], b[32:64])
	copy(sk.tr[:], b[64:128])
	b = b[128:]
	for i := range l87 {
		f, err := bitUnpackSigned2(b)
		if err != nil {
			return nil, err
		}
		sk.s1[i] = f
		b = b[encodingSize3:]
	}
	for i := range k87 {
		f, err := bitUnpackSigned2(b)
		if err != nil {
			return nil, err
		}
		sk.s2[i] = f
		b = b[encodingSize3:]
	}
	for i := range k87 {
		bitUnpackSigned4096(b, &sk.t0[i])
		b = b[encodingSize13:]
	}
	A := &sk.a
	rho := sk.rho[:]
	// Algorithm 32, ExpandA
	for r := range byte(k87) {
		for s := range byte(l87) {
			A[r*l87+s] = rejNTTPoly(rho, s, r)
		}
	}
	return sk, nil
}

// Sign signs the provided digest using the private key. It is a wrapper around SignMessage.
// It satisfies the crypto.Signer interface.
func (sk *PrivateKey87) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return sk.SignMessage(rand, digest, opts)
}

// SignMessage signs a message with the private key.
// It satisfies the crypto.MessageSigner interface.
//
// The function supports pre-hashing the message by providing a hash OID in the options.
// Context data can also be provided, but is limited to 255 bytes.
func (sk *PrivateKey87) SignMessage(rand io.Reader, message []byte, opts crypto.SignerOpts) ([]byte, error) {
	var (
		context   []byte
		hashOID   asn1.ObjectIdentifier
		indicator byte = 0
	)
	if opts, ok := opts.(*Options); ok {
		context = opts.Context
		hashOID = opts.PrehashOID
	}
	if len(hashOID) != 0 {
		var err error
		if message, err = preHash(hashOID, message); err != nil {
			return nil, err
		}
		indicator = 1
	}
	if len(message) == 0 {
		return nil, errors.New("mldsa: empty message")
	}
	if len(context) > 255 {
		return nil, errors.New("mldsa: context too long")
	}
	var seed [SeedSize]byte
	if _, err := io.ReadFull(rand, seed[:]); err != nil {
		return nil, err
	}
	H := sha3.NewSHAKE256()
	H.Write(sk.tr[:])
	H.Write([]byte{indicator, byte(len(context))})
	if len(context) > 0 {
		H.Write(context)
	}
	H.Write(message)
	var mu [64]byte
	H.Read(mu[:])

	return sk.signInternal(seed[:], mu[:])
}

// See FIPS 204, Algorithm 7 ML-DSA.Sign_internal()
func (sk *PrivateKey87) signInternal(seed, mu []byte) ([]byte, error) {
	var rho2 [64 + 2]byte
	H := sha3.NewSHAKE256()
	H.Write(sk.k[:])
	H.Write(seed[:])
	H.Write(mu[:])
	H.Read(rho2[:64])
	A := &sk.a

	sk.ensureNTT()
	zNormThreshold := int(gamma1TwoPower19 - beta87)
	r0NormThreshold := int(gamma2QMinus1Div32 - beta87)

	// rejection sampling loop
	for kappa := 0; ; kappa += l87 {
		// expand mask
		var (
			y    [l87]ringElement
			yNTT [l87]nttElement
		)
		for i := range l87 {
			index := kappa + i
			rho2[64] = byte(index)
			rho2[65] = byte(index >> 8)
			y[i] = expandMask(rho2[:], gamma1TwoPower19)
		}
		// compute y in NTT form
		for i := range l87 {
			yNTT[i] = ntt(y[i])
		}
		// compute w and w1
		var (
			w, w1 [k87]ringElement
			wNTT  [k87]nttElement
		)
		for i := range w {
			for j := range yNTT {
				wNTT[i] = polyAdd(wNTT[i], nttMul(yNTT[j], A[i*l87+j]))
			}
			w[i] = inverseNTT(wNTT[i])
			// high bits
			for j := range w[i] {
				w1[i][j] = fieldElement(compressHighBits(w[i][j], gamma2QMinus1Div32))
			}
		}
		// commitment hash
		var (
			cTilde    [lambda256 / 4]byte
			w1Encoded [encodingSize4]byte
		)
		H.Reset()
		H.Write(mu[:])
		for i := range k87 {
			simpleBitPack4Bits(w1Encoded[:0], w1[i])
			H.Write(w1Encoded[:])
		}
		H.Read(cTilde[:])
		// verifier's challenge
		cNTT := ntt(sampleInBall(cTilde[:], tau60))

		var (
			cs1 [l87]ringElement
			cs2 [k87]ringElement
			z   [l87]ringElement
			r0  [k87][n]int32
		)
		// compute <<cs1>> and z = <<cs1>> + y
		for i := range l87 {
			cs1[i] = inverseNTT(nttMul(cNTT, sk.s1NTTCache[i]))
			z[i] = polyAdd(cs1[i], y[i])
		}
		// compute <<cs2>> and r0 = LowBits(w - <<cs2>>)
		for i := range k87 {
			cs2[i] = inverseNTT(nttMul(cNTT, sk.s2NTTCache[i]))
			for j := range cs2[i] {
				_, r0[i][j] = decompose(fieldSub(w[i][j], cs2[i][j]), gamma2QMinus1Div32)
			}
		}
		zNorm := vectorInfinityNorm(z[:], 0)
		r0Norm := vectorInfinityNormSigned(r0[:], 0)

		// if zNorm >= gamma1 - beta || r0Norm >= gamma2 - beta, then continue
		if subtle.ConstantTimeLessOrEq(zNormThreshold, zNorm)|subtle.ConstantTimeLessOrEq(r0NormThreshold, r0Norm) == 1 {
			continue
		}
		// compute <<ct0>>
		var ct0 [k87]ringElement
		for i := range k87 {
			ct0[i] = inverseNTT(nttMul(cNTT, sk.t0NTTCache[i]))
		}
		// compute infinity norm of <<ct0>>
		ct0Norm := vectorInfinityNorm(ct0[:], 0)
		// make hint
		var hints [k87]ringElement
		vectorMakeHint(ct0[:], cs2[:], w[:], hints[:], gamma2QMinus1Div32)
		// if the number of 1 in the hint is greater than omega or the infinity norm of <<ct0>> >= gamma2, then continue
		if (subtle.ConstantTimeLessOrEq(int(omega75+1), vectorCountOnes(hints[:])) | subtle.ConstantTimeLessOrEq(gamma2QMinus1Div32, ct0Norm)) == 1 {
			continue
		}
		// signature encoding
		sig := make([]byte, 0, sigEncodedLen87)
		sig = append(sig, cTilde[:]...)
		for i := range l87 {
			sig = bitPackSignedTwoPower19(sig, z[i])
		}
		return hintBitPack(sig, hints[:], omega75), nil
	}
}

// VerifyWithOptions verifies a signature against a message using the public key with additional options.
func (pk *PublicKey87) VerifyWithOptions(sig []byte, message []byte, opts crypto.SignerOpts) bool {
	var (
		context   []byte
		hashOID   asn1.ObjectIdentifier
		indicator byte = 0
	)
	if opts, ok := opts.(*Options); ok {
		context = opts.Context
		hashOID = opts.PrehashOID
	}
	if len(hashOID) != 0 {
		var err error
		if message, err = preHash(hashOID, message); err != nil {
			return false
		}
		indicator = 1
	}

	if len(message) == 0 {
		return false
	}
	if len(context) > 255 {
		return false
	}
	if len(sig) != sigEncodedLen87 {
		return false
	}
	H := sha3.NewSHAKE256()
	H.Write(pk.tr[:])
	H.Write([]byte{indicator, byte(len(context))})
	if len(context) > 0 {
		H.Write(context)
	}
	H.Write(message)
	var mu [64]byte
	H.Read(mu[:])

	return pk.verifyInternal(sig, mu[:])
}

// See FIPS 204, Algorithm 8 ML-DSA.Verify_internal()
func (pk *PublicKey87) verifyInternal(sig, mu []byte) bool {
	// Decode the signature
	cTilde := sig[:lambda256/4]
	sig = sig[lambda256/4:]

	var (
		z    [l87]ringElement
		zNTT [l87]nttElement
	)
	for i := range l87 {
		bitUnpackSignedTwoPower19(sig, &z[i])
		zNTT[i] = ntt(z[i])
		sig = sig[encodingSize20:]
	}
	zNorm := vectorInfinityNorm(z[:], 0)
	var hints [k87]ringElement
	if !hintBitUnpack(sig, hints[:], omega75) {
		return false
	}
	// verifier's challenge
	cNTT := ntt(sampleInBall(cTilde[:], tau60))

	pk.ensureNTT()
	// tNTT = tNTTCache*cNTT
	var tNTT [k87]nttElement
	for i := range k87 {
		tNTT[i] = nttMul(pk.tNTTCache[i], cNTT)
	}

	var (
		w1, wApprox [k87]ringElement
		zNTTMulA    [k87]nttElement
	)
	for i := range k87 {
		for j := range l87 {
			zNTTMulA[i] = polyAdd(zNTTMulA[i], nttMul(zNTT[j], pk.a[i*l87+j]))
		}
		zNTTMulA[i] = polySub(zNTTMulA[i], tNTT[i])
		wApprox[i] = inverseNTT(zNTTMulA[i])
	}

	H := sha3.NewSHAKE256()
	H.Write(mu[:])
	var w1Encoded [encodingSize4]byte
	for i := range k87 {
		for j := range wApprox[i] {
			w1[i][j] = useHint(hints[i][j], wApprox[i][j], gamma2QMinus1Div32)
		}
		simpleBitPack4Bits(w1Encoded[:0], w1[i])
		H.Write(w1Encoded[:])
	}
	var cTilde1 [lambda256 / 4]byte
	H.Read(cTilde1[:])
	return subtle.ConstantTimeLessOrEq(int(gamma1TwoPower19-beta87), zNorm) == 0 &&
		subtle.ConstantTimeCompare(cTilde, cTilde1[:]) == 1
}