Implement changes from FIP 205 Initial Public Draft -> FIPS 205 Final (#844)

- Implement changes from FIP 205 Initial Public Draft -> FIPS 205 Final
- Add SLH-DSA CVP known answer tests
- Add E2E tests for sign-with-context and require alloc for KATs

Author: tjade273

Cargo.lock

@@ -2,7 +2,7 @@
 name = "slh-dsa"
 description = """
 Pure Rust implementation of SLH-DSA (aka SPHINCS+) as described in the
-FIPS-205 Inital Public Draft
+FIPS-205 standard
 """
 version = "0.0.2"
 edition = "2021"
@@ -27,7 +27,7 @@ digest = "0.10.7"
 
 [dev-dependencies]
 hex-literal = "0.4.1"
-hex = "0.4.1"
+hex = { version = "0.4.1", features = ["serde"] }
 num-bigint = "0.4.4"
 quickcheck = "1"
 quickcheck_macros = "1"
@@ -39,6 +39,8 @@ ctr = "0.9.2"
 rand_core = "0.6.4"
 paste = "1.0.15"
 rand = "0.8.5"
+serde_json = "1.0.124"
+serde = { version = "1.0.207", features = ["derive"] }
 
 [lib]
 bench = false

slh-dsa/Cargo.toml

@@ -9,7 +9,7 @@
 
 Pure Rust implementation of the SLH-DSA (aka SPHINCS+) signature scheme.
 
-Implemented based on the [FIPS-205 Inital Public Draft].
+Implemented based on the [FIPS-205 Standard].
 
 ## ⚠️ Security Warning
 
@@ -53,4 +53,4 @@ dual licensed as above, without any additional terms or conditions.
 [//]: # (links)
 
 [RustCrypto]: https://github.com/RustCrypto
-[FIPS-205 Inital Public Draft]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.ipd.pdf
+[FIPS-205 Standard]: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf

slh-dsa/README.md

@@ -349,7 +349,7 @@ impl ForsParams for Sha2_192f {
     type MD = U<{ (33 * 8 + 7) / 8 }>;
 }
 impl ParameterSet for Sha2_192f {
-    const NAME: &'static str = "SLH-DSA-SHA2-128f";
+    const NAME: &'static str = "SLH-DSA-SHA2-192f";
 }
 
 /// SHA2 at L5 security with small signatures

slh-dsa/src/hashes/sha2.rs

@@ -8,7 +8,7 @@
 #![deny(missing_docs)] // Require all public interfaces to be documented
 
 //! # Usage
-//! This crate implements the Stateless Hash-based Digital Signature Algorithm (SLH-DSA) based on the draft
+//! This crate implements the Stateless Hash-based Digital Signature Algorithm (SLH-DSA) based on the finalized
 //! standard by NIST in FIPS-205. SLH-DSA (based on the SPHINCS+ submission) is a signature algorithm designed
 //! to be resistant to quantum computers.
 //!
@@ -80,6 +80,7 @@ mod tests {
     use super::*;
     use rand::Rng;
     use signature::*;
+    use util::macros::test_parameter_sets;
 
     fn test_sign_verify<P: ParameterSet>() {
         let mut rng = rand::thread_rng();
@@ -89,66 +90,7 @@ mod tests {
         let sig = sk.try_sign(msg).unwrap();
         vk.verify(msg, &sig).unwrap();
     }
-
-    #[test]
-    fn test_sign_verify_shake_128f() {
-        test_sign_verify::<Shake128f>();
-    }
-
-    #[test]
-    fn test_sign_verify_shake_128s() {
-        test_sign_verify::<Shake128s>();
-    }
-
-    #[test]
-    fn test_sign_verify_shake_192f() {
-        test_sign_verify::<Shake192f>();
-    }
-
-    #[test]
-    fn test_sign_verify_shake_192s() {
-        test_sign_verify::<Shake192s>();
-    }
-
-    #[test]
-    fn test_sign_verify_shake_256f() {
-        test_sign_verify::<Shake256f>();
-    }
-
-    #[test]
-    fn test_sign_verify_shake_256s() {
-        test_sign_verify::<Shake256s>();
-    }
-
-    #[test]
-    fn test_sign_verify_sha2_128f() {
-        test_sign_verify::<Sha2_128f>();
-    }
-
-    #[test]
-    fn test_sign_verify_sha2_128s() {
-        test_sign_verify::<Sha2_128s>();
-    }
-
-    #[test]
-    fn test_sign_verify_sha2_192f() {
-        test_sign_verify::<Sha2_192f>();
-    }
-
-    #[test]
-    fn test_sign_verify_sha2_192s() {
-        test_sign_verify::<Sha2_192s>();
-    }
-
-    #[test]
-    fn test_sign_verify_sha2_256f() {
-        test_sign_verify::<Sha2_256f>();
-    }
-
-    #[test]
-    fn test_sign_verify_sha2_256s() {
-        test_sign_verify::<Sha2_256s>();
-    }
+    test_parameter_sets!(test_sign_verify);
 
     // Check signature fails on modified message
     #[test]
@@ -212,4 +154,27 @@ mod tests {
             "Two successive randomized signatures over the same message should not be equal"
         );
     }
+
+    #[test]
+    fn test_sign_verify_nonempty_context() {
+        let mut rng = rand::thread_rng();
+        let sk = SigningKey::<Shake128f>::new(&mut rng);
+        let vk = sk.verifying_key();
+        let msg = b"Hello, world!";
+        let ctx = b"Test context";
+        let sig = sk.try_sign_with_context(msg, ctx, None).unwrap();
+        vk.try_verify_with_context(msg, ctx, &sig).unwrap();
+    }
+
+    #[test]
+    fn test_sign_verify_wrong_context() {
+        let mut rng = rand::thread_rng();
+        let sk = SigningKey::<Shake128f>::new(&mut rng);
+        let vk = sk.verifying_key();
+        let msg = b"Hello, world!";
+        let ctx = b"Test context!";
+        let wrong_ctx = b"Wrong context";
+        let sig = sk.try_sign_with_context(msg, ctx, None).unwrap();
+        assert!(vk.try_verify_with_context(msg, wrong_ctx, &sig).is_err());
+    }
 }