Bouncy Castle Cryptography Library 1.85

org.bouncycastle.pqc.crypto.faest
Class FaestKeyPairGenerator

java.lang.Object
  extended byorg.bouncycastle.pqc.crypto.faest.FaestKeyPairGenerator
All Implemented Interfaces:
AsymmetricCipherKeyPairGenerator

public class FaestKeyPairGenerator
extends java.lang.Object
implements AsymmetricCipherKeyPairGenerator

Implementation of the FAEST asymmetric key pair generator following the FAEST signature scheme specifications.

This generator produces FaestPublicKeyParameters and FaestPrivateKeyParameters based on the FAEST algorithm parameters. The secret signing key is an AES key, while the public verification key is a plaintext–ciphertext pair obtained by encrypting a random message under the signing key. The implementation follows the specification defined in the official FAEST documentation and the reference C implementation.

References:

FAEST Official Website FAEST v2.0 Specification Document (NIST Round 2) FAEST Reference Implementation (C)


Constructor Summary
FaestKeyPairGenerator()
           
 
Method Summary
 AsymmetricCipherKeyPair generateKeyPair()
          Generate a fresh FAEST key pair.
 void init(KeyGenerationParameters param)
          intialise the key pair generator.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

FaestKeyPairGenerator

public FaestKeyPairGenerator()
Method Detail

init

public void init(KeyGenerationParameters param)
Description copied from interface: AsymmetricCipherKeyPairGenerator
intialise the key pair generator.

Specified by:
init in interface AsymmetricCipherKeyPairGenerator
Parameters:
param - the parameters the key pair is to be initialised with.

generateKeyPair

public AsymmetricCipherKeyPair generateKeyPair()
Generate a fresh FAEST key pair.

Side-channel note: the OWF-key validity check (low two bits not both set, matching upstream ) is enforced by a rejection-sampling loop. The loop's iteration count therefore depends on bytes drawn from the supplied SecureRandom and is observable via timing. The information leaked is about the discarded DRBG draws, not the accepted OWF key, so the loop does not expose secret key bits. Callers that need to suppress even that signal can pass a deterministic / pre-conditioned random source.

Specified by:
generateKeyPair in interface AsymmetricCipherKeyPairGenerator
Returns:
an AsymmetricCipherKeyPair containing the generated keys.

Bouncy Castle Cryptography Library 1.85