
Add NIST KAT tests #24

Closed jschanck closed 1 year ago

jschanck commented 1 year ago

This adds KAT tests to kyber_test.py. The tests initially failed because kyber.py used SHAKE128 as the KDF, whereas the spec uses SHAKE256; so this PR also aligns kyber.py with the spec's use of SHAKE256.

The contents of nistkat.py were produced by applying the following patch to PQCgenKAT_kem.c.

diff --git a/ref/PQCgenKAT_kem.c b/ref/PQCgenKAT_kem.c
index d24fa50..edc87fc 100644
--- a/ref/PQCgenKAT_kem.c
+++ b/ref/PQCgenKAT_kem.c
@@ -21,6 +21,7 @@
 int        FindMarker(FILE *infile, const char *marker);
 int        ReadHex(FILE *infile, unsigned char *A, int Length, char *str);
 void   fprintBstr(FILE *fp, char *S, unsigned char *A, unsigned long long L);
+void   fprintBstr2(FILE *fp, char *S, unsigned char *A, unsigned long long L);

 int
 main()
@@ -29,6 +30,7 @@ main()
     FILE                *fp_req, *fp_rsp;
     unsigned char       seed[48];
     unsigned char       entropy_input[48];
+    unsigned char       drbg_output[64];
     unsigned char       ct[CRYPTO_CIPHERTEXTBYTES], ss[CRYPTO_BYTES], ss1[CRYPTO_BYTES];
     int                 count;
     int                 done;
@@ -68,7 +70,7 @@ main()
         return KAT_FILE_OPEN_ERROR;
     }

-    fprintf(fp_rsp, "# %s\n\n", CRYPTO_ALGNAME);
+    fprintf(fp_rsp, "%s_nistkats = [\n", CRYPTO_ALGNAME);
     done = 0;
     do {
         if ( FindMarker(fp_req, "count = ") )
@@ -77,13 +79,21 @@ main()
             done = 1;
             break;
         }
-        fprintf(fp_rsp, "count = %d\n", count);
+        fprintf(fp_rsp, "nistkat(\n");
+        fprintf(fp_rsp, "count = %d,\n", count);

         if ( !ReadHex(fp_req, seed, 48, "seed = ") ) {
             printf("ERROR: unable to read 'seed' from <%s>\n", fn_req);
             return KAT_DATA_ERROR;
         }
-        fprintBstr(fp_rsp, "seed = ", seed, 48);
+        fprintBstr2(fp_rsp, "seed = ", seed, 48);
+
+        randombytes_init(seed, NULL, 256);
+        randombytes(drbg_output, 32);
+        randombytes(drbg_output+32, 32);
+        fprintBstr2(fp_rsp, "rand1 = ", drbg_output, 64);
+        randombytes(drbg_output, 32);
+        fprintBstr2(fp_rsp, "rand2 = ", drbg_output, 32);

         randombytes_init(seed, NULL, 256);

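Review bot: The split of the 64-byte `rand1` draw into two separate `randombytes(drbg_output, 32)` calls at the top of the added block is load-bearing and deserves a comment, because the NIST AES-256 CTR-DRBG in rng.c (if I recall it correctly) runs its key/V update at the end of every randombytes() call, so the bytes produced depend on the call boundaries and not only on the total length requested. Presumably this mirrors two KYBER_SYMBYTES draws inside crypto_kem_keypair and one inside crypto_kem_enc — confirm against the reference implementation, since a mismatch would silently yield rand1/rand2 values that do not reproduce the pk/sk/ct printed later. A comment such as `/* call pattern must match keypair (2x32) and enc (1x32): CTR-DRBG output depends on call boundaries */` above the first randombytes() call would pin that down. The second randombytes_init() on the following context line is what rewinds the DRBG so keypair sees the same stream that was just recorded; that is worth stating too, as the duplicated call otherwise looks accidental. The enclosing main() starts and ends outside this hunk.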
@@ -92,17 +102,17 @@ main()
             printf("crypto_kem_keypair returned <%d>\n", ret_val);
             return KAT_CRYPTO_FAILURE;
         }
-        fprintBstr(fp_rsp, "pk = ", pk, CRYPTO_PUBLICKEYBYTES);
-        fprintBstr(fp_rsp, "sk = ", sk, CRYPTO_SECRETKEYBYTES);
+        fprintBstr2(fp_rsp, "pk = ", pk, CRYPTO_PUBLICKEYBYTES);
+        fprintBstr2(fp_rsp, "sk = ", sk, CRYPTO_SECRETKEYBYTES);

         if ( (ret_val = crypto_kem_enc(ct, ss, pk)) != 0) {
             printf("crypto_kem_enc returned <%d>\n", ret_val);
             return KAT_CRYPTO_FAILURE;
         }
-        fprintBstr(fp_rsp, "ct = ", ct, CRYPTO_CIPHERTEXTBYTES);
-        fprintBstr(fp_rsp, "ss = ", ss, CRYPTO_BYTES);
+        fprintBstr2(fp_rsp, "ct = ", ct, CRYPTO_CIPHERTEXTBYTES);
+        fprintBstr2(fp_rsp, "ss = ", ss, CRYPTO_BYTES);

-        fprintf(fp_rsp, "\n");
+        fprintf(fp_rsp, "),\n");

         if ( (ret_val = crypto_kem_dec(ss1, ct, sk)) != 0) {
             printf("crypto_kem_dec returned <%d>\n", ret_val);
@@ -115,6 +125,7 @@ main()
         }

     } while ( !done );
+    fprintf(fp_rsp, "]\n");

     fclose(fp_req);
     fclose(fp_rsp);
@@ -230,3 +241,20 @@ fprintBstr(FILE *fp, char *S, unsigned char *A, unsigned long long L)
    fprintf(fp, "\n");
 }

+void
+fprintBstr2(FILE *fp, char *S, unsigned char *A, unsigned long long L)
+{
+   unsigned long long  i;
+
+   fprintf(fp, "%s", S);
+   fprintf(fp, "b\"", S);
+
+   for ( i=0; i<L; i++ )
+       fprintf(fp, "\\x%02X", A[i]);
+
+   if ( L == 0 )
+       fprintf(fp, "\\x00");
+
+   fprintf(fp, "\",\n");
+}
+
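Review bot: `fprintf(fp, "b\"", S);` passes S as an argument the format string never consumes; it is harmless at runtime but trips -Wformat-extra-args and reads like a leftover, so use `fputs("b\"", fp);`. The `if ( L == 0 ) fprintf(fp, "\\x00");` branch, carried over from fprintBstr's `00` placeholder, turns an empty buffer into the one-byte Python literal `b"\x00"`, which would be a wrong KAT value if a zero-length field were ever emitted — drop it (an empty `b""` is already valid Python) or add a comment noting it is unreachable with the fixed CRYPTO_* sizes used here. S and A are only read, so the signature could take `const char *S` and `const unsigned char *A`, matching the prototype added at the top of the file.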
bwesterb commented 1 year ago

Thanks for spotting this. I wrote the NIST DRBG in Python so that we don't have to include the big KAT files.

https://github.com/bwesterb/draft-schwabe-cfrg-kyber/commit/a302ee805a17dd0f24770add109ee6b41fdb3c8a