Switch ML-DSA to use AWS-LC SHA3 (#2001)
jakemas authored Dec 10, 2024
1 parent 18cc07d commit 0eaa0a8
Showing 10 changed files with 79 additions and 965 deletions.
2 changes: 0 additions & 2 deletions crypto/dilithium/ml_dsa.c
@@ -9,7 +9,6 @@

// These includes are required to compile ML-DSA. These can be moved to bcm.c
// when ML-DSA is added to the fipsmodule directory.
#include "./pqcrystals_dilithium_ref_common/fips202.c"
#include "./pqcrystals_dilithium_ref_common/ntt.c"
#include "./pqcrystals_dilithium_ref_common/packing.c"
#include "./pqcrystals_dilithium_ref_common/params.c"
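Review bot: dropping the `fips202.c` include leaves the comment above it ("These includes are required to compile ML-DSA") as the only statement of where the reference code's dependencies come from, and nothing in this hunk shows the AWS-LC SHA3/SHAKE header that now stands in for it. Confirm that every translation unit which previously relied on `fips202.h` symbols includes the AWS-LC replacement, and extend the comment to say that SHA3/SHAKE are supplied by the AWS-LC fipsmodule rather than the reference `fips202.c`.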
@@ -18,7 +17,6 @@
#include "./pqcrystals_dilithium_ref_common/reduce.c"
#include "./pqcrystals_dilithium_ref_common/rounding.c"
#include "./pqcrystals_dilithium_ref_common/sign.c"
#include "./pqcrystals_dilithium_ref_common/symmetric-shake.c"

// Note: These methods currently default to using the reference code for
// ML-DSA. In a future where AWS-LC has optimized options available,
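Review bot: with `symmetric-shake.c` removed, the note just below ("These methods currently default to using the reference code for ML-DSA") is no longer accurate for the Keccak layer, which now comes from AWS-LC; suggest rewording that comment so it distinguishes the reference lattice arithmetic from the SHA3/SHAKE primitive taken from AWS-LC, so the next reader is not misled about which parts are still reference code.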
3 changes: 2 additions & 1 deletion crypto/dilithium/pqcrystals_dilithium_ref_common/README.md
@@ -10,6 +10,7 @@ The code was refactored in [this PR](https://github.com/aws/aws-lc/pull/1910) by
that initialize a given structure with values corresponding to a parameter set. This structure is then passed to every function that requires it as a function argument. In addition, the following changes were made to the source code in `pqcrystals_dilithium_ref_common` directory:

- `randombytes.{h|c}` are deleted because we are using the randomness generation functions provided by AWS-LC.
- `fips202.{h|c}`, `symmetric.h`, `symmetric-shake.c` are deleted as all SHA3/SHAKE functionality is provided instead by AWS-LC fipsmodule/sha rather than the reference implementation. Calls to `dilithium_shake128_stream_init` and `dilithium_shake256_stream_init` have been inlined.
- `sign.c`: calls to `randombytes` function is replaced with calls to `RAND_bytes` and the appropriate header file is included (`openssl/rand.h`).
- `ntt.c`, `poly.c`, `reduce.c`, `reduce.h`: have been modified with a code refactor. The function `fqmul` has been added to bring mode code consistency with Kyber/ML-KEM. See https://github.com/aws/aws-lc/pull/1748 for more details on this change.
- `reduce.c`: a small fix to documentation has been made on the bounds of `reduce32`.
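Review bot: the added `fips202.{h|c}` bullet reads awkwardly ("provided instead by ... rather than the reference implementation"); drop either "instead" or the trailing "rather than" clause. It also states that all SHA3/SHAKE now comes from "AWS-LC fipsmodule/sha" without naming the header the reference code includes in its place, and says the `dilithium_shake128_stream_init`/`dilithium_shake256_stream_init` calls were inlined without saying where; a file reference for each would make the bullet actionable for whoever next touches the directory.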
@@ -21,4 +22,4 @@ that initialize a given structure with values corresponding to a parameter set.

**Testing**

The KATs were obtained from https://github.com/post-quantum-cryptography/KAT. We select the KATs for the signing mode `hedged`, which derives the signing private random seed (rho) pseudorandomly from the signer's private key, the message to be signed, and a 256-bit string `rnd` which is generated at random. The `pure` variant of these KATs were used, as they provide test vector inputs for "pure" i.e., non-pre-hashed messages. The KAT files have been modified to insert linebreaks between each test vector set.
The KATs were obtained from https://github.com/post-quantum-cryptography/KAT. We select the KATs for the signing mode `hedged`, which derives the signing private random seed (rho) pseudorandomly from the signer's private key, the message to be signed, and a 256-bit string `rnd` which is generated at random. The `pure` variant of these KATs were used, as they provide test vector inputs for "pure" i.e., non-pre-hashed messages. The KAT files have been modified to insert linebreaks between each test vector set.
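Review bot: the old and new versions of this Testing paragraph are identical as shown, so this hunk is most likely a whitespace or trailing-newline change; if so, either revert it to keep the diff minimal or mention the formatting fix in the commit message so the change is not mistaken for a content edit.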
