WIP: Add a concrete Kyber implementation

Author: jchambers

pom.xml

@@ -14,13 +14,26 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
 
+    <repositories>
+        <repository>
+            <id>jitpack.io</id>
+            <url>https://jitpack.io</url>
+        </repository>
+    </repositories>
+
     <dependencies>
         <dependency>
             <groupId>com.google.code.findbugs</groupId>
             <artifactId>jsr305</artifactId>
             <version>3.0.2</version>
         </dependency>
 
+        <dependency>
+            <groupId>com.github.fisherstevenk</groupId>
+            <artifactId>kyberJCE</artifactId>
+            <version>v3.0.0</version>
+        </dependency>
+
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>

src/main/java/com/eatthepath/noise/NoiseHandshake.java

@@ -823,7 +823,7 @@ public int writeMessage(@Nullable final byte[] payload,
           localKeyEncapsulationKeyPair = keyEncapsulationMechanism.generateKeyPair();
 
           final EncapsulatedKey encapsulatedKey =
-              keyEncapsulationMechanism.encapsulate(localKeyEncapsulationKeyPair.getPrivate(), remoteEphemeralPublicKey);
+              keyEncapsulationMechanism.encapsulate(localKeyEncapsulationKeyPair.getPrivate(), remoteKeyEncapsulationPublicKey);
 
           try {
             offset += encryptAndHash(encapsulatedKey.encapsulation(),
@@ -995,7 +995,7 @@ public int writeMessage(@Nullable final ByteBuffer payload,
           localKeyEncapsulationKeyPair = keyEncapsulationMechanism.generateKeyPair();
 
           final EncapsulatedKey encapsulatedKey =
-              keyEncapsulationMechanism.encapsulate(localKeyEncapsulationKeyPair.getPrivate(), remoteEphemeralPublicKey);
+              keyEncapsulationMechanism.encapsulate(localKeyEncapsulationKeyPair.getPrivate(), remoteKeyEncapsulationPublicKey);
 
           try {
             bytesWritten += encryptAndHash(ByteBuffer.wrap(encapsulatedKey.encapsulation()), message);

src/main/java/com/eatthepath/noise/component/AbstractKyberKeyEncapsulationMechanism.java

@@ -0,0 +1,90 @@
+package com.eatthepath.noise.component;
+
+import com.swiftcryptollc.crypto.interfaces.KyberPublicKey;
+import com.swiftcryptollc.crypto.provider.KyberCipherText;
+import com.swiftcryptollc.crypto.provider.KyberDecrypted;
+import com.swiftcryptollc.crypto.provider.KyberEncrypted;
+import com.swiftcryptollc.crypto.provider.KyberKeySize;
+import com.swiftcryptollc.crypto.provider.kyber.KyberParams;
+import com.swiftcryptollc.crypto.spec.KyberPublicKeySpec;
+
+import javax.crypto.KeyAgreement;
+import java.security.*;
+import java.security.spec.InvalidKeySpecException;
+
+abstract class AbstractKyberKeyEncapsulationMechanism implements NoiseKeyEncapsulationMechanism {
+
+  private final KeyAgreement keyAgreement;
+  private final KeyPairGenerator keyPairGenerator;
+  private final KeyFactory keyFactory;
+
+  AbstractKyberKeyEncapsulationMechanism(final KeyAgreement keyAgreement,
+                                         final KeyPairGenerator keyPairGenerator,
+                                         final KeyFactory keyFactory) {
+
+    this.keyAgreement = keyAgreement;
+    this.keyPairGenerator = keyPairGenerator;
+    this.keyFactory = keyFactory;
+  }
+
+  protected abstract KyberKeySize getKyberKeySize();
+
+  @Override
+  public KeyPair generateKeyPair() {
+    return keyPairGenerator.generateKeyPair();
+  }
+
+  @Override
+  public EncapsulatedKey encapsulate(final PrivateKey privateKey, final PublicKey publicKey) {
+    try {
+      keyAgreement.init(privateKey);
+    } catch (final InvalidKeyException e) {
+      throw new IllegalArgumentException("Invalid private key for encapsulation", e);
+    }
+
+    try {
+      final KyberEncrypted kyberEncrypted = (KyberEncrypted) keyAgreement.doPhase(publicKey, true);
+
+      return new EncapsulatedKey(kyberEncrypted.getSecretKey().getS(), kyberEncrypted.getCipherText().getC());
+    } catch (final InvalidKeyException e) {
+      throw new IllegalArgumentException("Invalid public key for encapsulation", e);
+    }
+  }
+
+  @Override
+  public byte[] decapsulate(final PrivateKey privateKey, final byte[] encapsulation) {
+    try {
+      keyAgreement.init(privateKey);
+    } catch (final InvalidKeyException e) {
+      throw new IllegalArgumentException("Invalid private key for decapsulation", e);
+    }
+
+    try {
+      final KyberCipherText kyberCiphertext =
+          new KyberCipherText(encapsulation, KyberParams.default_p, KyberParams.default_g);
+
+      return ((KyberDecrypted) keyAgreement.doPhase(kyberCiphertext, true)).getSecretKey().getS();
+    } catch (final InvalidKeyException e) {
+      throw new IllegalArgumentException("Invalid ciphertext for decapsulation", e);
+    }
+  }
+
+  @Override
+  public byte[] serializePublicKey(final PublicKey publicKey) {
+    if (publicKey instanceof final KyberPublicKey kyberPublicKey) {
+      return kyberPublicKey.getY();
+    }
+
+    throw new IllegalArgumentException("Illegal public key type: " + publicKey.getClass());
+  }
+
+  @Override
+  public PublicKey deserializePublicKey(final byte[] publicKeyBytes) {
+    try {
+      return keyFactory.generatePublic(
+          new KyberPublicKeySpec(publicKeyBytes, KyberParams.default_p, KyberParams.default_g, getKyberKeySize()));
+    } catch (final InvalidKeySpecException e) {
+      throw new IllegalArgumentException("Could not parse public key bytes as a Kyber public key", e);
+    }
+  }
+}

src/main/java/com/eatthepath/noise/component/AbstractXECKeyAgreement.java

@@ -14,8 +14,8 @@ abstract class AbstractXECKeyAgreement implements NoiseKeyAgreement {
   private final KeyFactory keyFactory;
 
   protected AbstractXECKeyAgreement(final KeyAgreement keyAgreement,
-                          final KeyPairGenerator keyPairGenerator,
-                          final KeyFactory keyFactory) {
+                                    final KeyPairGenerator keyPairGenerator,
+                                    final KeyFactory keyFactory) {
 
     this.keyAgreement = keyAgreement;
     this.keyPairGenerator = keyPairGenerator;

src/main/java/com/eatthepath/noise/component/EncapsulatedKey.java

@@ -1,4 +1,6 @@
 package com.eatthepath.noise.component;
 
+import java.security.Key;
+
 public record EncapsulatedKey(byte[] sharedSecret, byte[] encapsulation) {
 }

src/main/java/com/eatthepath/noise/component/Kyber1024KeyEncapsulationMechanism.java

@@ -0,0 +1,36 @@
+package com.eatthepath.noise.component;
+
+import com.swiftcryptollc.crypto.provider.KyberKeySize;
+import com.swiftcryptollc.crypto.provider.kyber.KyberParams;
+
+import javax.crypto.KeyAgreement;
+import java.security.KeyFactory;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+
+public class Kyber1024KeyEncapsulationMechanism extends AbstractKyberKeyEncapsulationMechanism {
+
+  public Kyber1024KeyEncapsulationMechanism() throws NoSuchAlgorithmException {
+    super(KeyAgreement.getInstance("Kyber"), KeyPairGenerator.getInstance("Kyber1024"), KeyFactory.getInstance("Kyber"));
+  }
+
+  @Override
+  protected KyberKeySize getKyberKeySize() {
+    return KyberKeySize.KEY_1024;
+  }
+
+  @Override
+  public String getName() {
+    return "Kyber1024";
+  }
+
+  @Override
+  public int getPublicKeyLength() {
+    return KyberParams.Kyber1024PKBytes;
+  }
+
+  @Override
+  public int getEncapsulationLength() {
+    return KyberParams.Kyber1024CTBytes;
+  }
+}

src/main/java/com/eatthepath/noise/component/Kyber512KeyEncapsulationMechanism.java

@@ -0,0 +1,36 @@
+package com.eatthepath.noise.component;
+
+import com.swiftcryptollc.crypto.provider.KyberKeySize;
+import com.swiftcryptollc.crypto.provider.kyber.KyberParams;
+
+import javax.crypto.KeyAgreement;
+import java.security.KeyFactory;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+
+class Kyber512KeyEncapsulationMechanism extends AbstractKyberKeyEncapsulationMechanism {
+
+  public Kyber512KeyEncapsulationMechanism() throws NoSuchAlgorithmException {
+    super(KeyAgreement.getInstance("Kyber"), KeyPairGenerator.getInstance("Kyber512"), KeyFactory.getInstance("Kyber"));
+  }
+
+  @Override
+  protected KyberKeySize getKyberKeySize() {
+    return KyberKeySize.KEY_512;
+  }
+
+  @Override
+  public String getName() {
+    return "Kyber512";
+  }
+
+  @Override
+  public int getPublicKeyLength() {
+    return KyberParams.Kyber512PKBytes;
+  }
+
+  @Override
+  public int getEncapsulationLength() {
+    return KyberParams.Kyber512CTBytes;
+  }
+}

src/main/java/com/eatthepath/noise/component/Kyber768KeyEncapsulationMechanism.java

@@ -0,0 +1,35 @@
+package com.eatthepath.noise.component;
+
+import com.swiftcryptollc.crypto.provider.KyberKeySize;
+import com.swiftcryptollc.crypto.provider.kyber.KyberParams;
+
+import javax.crypto.KeyAgreement;
+import java.security.KeyFactory;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+
+class Kyber768KeyEncapsulationMechanism extends AbstractKyberKeyEncapsulationMechanism {
+  public Kyber768KeyEncapsulationMechanism() throws NoSuchAlgorithmException {
+    super(KeyAgreement.getInstance("Kyber"), KeyPairGenerator.getInstance("Kyber768"), KeyFactory.getInstance("Kyber"));
+  }
+
+  @Override
+  protected KyberKeySize getKyberKeySize() {
+    return KyberKeySize.KEY_768;
+  }
+
+  @Override
+  public String getName() {
+    return "Kyber768";
+  }
+
+  @Override
+  public int getPublicKeyLength() {
+    return KyberParams.Kyber768PKBytes;
+  }
+
+  @Override
+  public int getEncapsulationLength() {
+    return KyberParams.Kyber768CTBytes;
+  }
+}

src/main/java/com/eatthepath/noise/component/NoiseKeyEncapsulationMechanism.java

@@ -1,13 +1,16 @@
 package com.eatthepath.noise.component;
 
-import java.security.KeyPair;
-import java.security.PrivateKey;
-import java.security.PublicKey;
+import java.security.*;
 
 public interface NoiseKeyEncapsulationMechanism {
 
-  static NoiseKeyEncapsulationMechanism getInstance(final String name) {
-    throw new IllegalArgumentException("Unrecognized key encapsulation method name: " + name);
+  static NoiseKeyEncapsulationMechanism getInstance(final String name) throws NoSuchAlgorithmException {
+    return switch (name) {
+      case "Kyber512" -> new Kyber512KeyEncapsulationMechanism();
+      case "Kyber768" -> new Kyber768KeyEncapsulationMechanism();
+      case "Kyber1024" -> new Kyber1024KeyEncapsulationMechanism();
+      default -> throw new IllegalArgumentException("Unrecognized key encapsulation method name: " + name);
+    };
   }
 
   String getName();

src/test/java/com/eatthepath/noise/NoiseProtocolIntegrationTest.java

@@ -6,18 +6,21 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectReader;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.swiftcryptollc.crypto.provider.KyberJCE;
 import org.junit.jupiter.api.Assumptions;
 import org.junit.jupiter.api.Named;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.opentest4j.TestAbortedException;
 
 import javax.annotation.Nullable;
 import javax.crypto.AEADBadTagException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
 import java.security.*;
 import java.security.spec.NamedParameterSpec;
 import java.util.List;
@@ -665,4 +668,84 @@ public void nextBytes(final byte[] bytes) {
       throw new RuntimeException(e);
     }
   }
+
+  @ParameterizedTest
+  @ValueSource(strings = {"Kyber512", "Kyber768", "Kyber1024"})
+  void hackyHfsTest(final String keyEncapsulationMechanism) throws NoSuchAlgorithmException, AEADBadTagException {
+    Security.addProvider(new KyberJCE());
+
+    final NoiseHandshake initiatorHandshake = NoiseHandshakeBuilder.forNNHfsInitiator()
+        .setKeyAgreement("25519")
+        .setKeyEncapsulationMechanism(keyEncapsulationMechanism)
+        .setCipher("AESGCM")
+        .setHash("SHA256")
+        .build();
+
+    final NoiseHandshake responderHandshake = NoiseHandshakeBuilder.forNNHfsResponder()
+        .setKeyAgreement("25519")
+        .setKeyEncapsulationMechanism(keyEncapsulationMechanism)
+        .setCipher("AESGCM")
+        .setHash("SHA256")
+        .build();
+
+    // -> e (with an empty payload)
+    final byte[] initiatorEMessage = initiatorHandshake.writeMessage((byte[]) null);
+    responderHandshake.readMessage(initiatorEMessage);
+
+    // <- e, ee (with an empty payload)
+    final byte[] responderEEeMessage = responderHandshake.writeMessage((byte[]) null);
+    initiatorHandshake.readMessage(responderEEeMessage);
+
+    assertTrue(initiatorHandshake.isDone());
+    assertTrue(responderHandshake.isDone());
+
+    final NoiseTransport initiatorTransport = initiatorHandshake.toTransport();
+    final NoiseTransport responderTransport = responderHandshake.toTransport();
+
+    final byte[] originalPlaintext = "Original payload!".getBytes(StandardCharsets.UTF_8);
+    final byte[] originalCiphertext = initiatorTransport.writeMessage(originalPlaintext);
+    final byte[] decryptedPlaintext = responderTransport.readMessage(originalCiphertext);
+
+    assertArrayEquals(originalPlaintext, decryptedPlaintext);
+  }
+
+  @ParameterizedTest
+  @ValueSource(strings = {"Kyber512", "Kyber768", "Kyber1024"})
+  void hackyHfsByteBufferTest(final String keyEncapsulationMechanism) throws NoSuchAlgorithmException, AEADBadTagException {
+    Security.addProvider(new KyberJCE());
+
+    final NoiseHandshake initiatorHandshake = NoiseHandshakeBuilder.forNNHfsInitiator()
+        .setKeyAgreement("25519")
+        .setKeyEncapsulationMechanism(keyEncapsulationMechanism)
+        .setCipher("AESGCM")
+        .setHash("SHA256")
+        .build();
+
+    final NoiseHandshake responderHandshake = NoiseHandshakeBuilder.forNNHfsResponder()
+        .setKeyAgreement("25519")
+        .setKeyEncapsulationMechanism(keyEncapsulationMechanism)
+        .setCipher("AESGCM")
+        .setHash("SHA256")
+        .build();
+
+    // -> e (with an empty payload)
+    final ByteBuffer initiatorEMessage = initiatorHandshake.writeMessage((ByteBuffer) null);
+    responderHandshake.readMessage(initiatorEMessage);
+
+    // <- e, ee (with an empty payload)
+    final ByteBuffer responderEEeMessage = responderHandshake.writeMessage((ByteBuffer) null);
+    initiatorHandshake.readMessage(responderEEeMessage);
+
+    assertTrue(initiatorHandshake.isDone());
+    assertTrue(responderHandshake.isDone());
+
+    final NoiseTransport initiatorTransport = initiatorHandshake.toTransport();
+    final NoiseTransport responderTransport = responderHandshake.toTransport();
+
+    final ByteBuffer originalPlaintext = ByteBuffer.wrap("Original payload!".getBytes(StandardCharsets.UTF_8));
+    final ByteBuffer originalCiphertext = initiatorTransport.writeMessage(originalPlaintext);
+    final ByteBuffer decryptedPlaintext = responderTransport.readMessage(originalCiphertext);
+
+    assertEquals(originalPlaintext.rewind(), decryptedPlaintext);
+  }
 }