Add internal APIs for ML-DSA #1999
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1999 +/- ##
==========================================
+ Coverage 78.89% 78.93% +0.04%
==========================================
Files 595 594 -1
Lines 102451 102432 -19
Branches 14527 14524 -3
==========================================
+ Hits 80827 80853 +26
+ Misses 20976 20930 -46
- Partials 648 649 +1 ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
| /* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) */ | ||
| mu[0] = 0; | ||
| mu[1] = ctxlen; | ||
| /* Compute mu = CRH(tr, pre, msg) */ |
There was a problem hiding this comment.
can you add references to lines in FIPS 204, Algorithm 7 please (for verify_internal and keygen_internal as well)? For example, I believe this comment refers to line 6 that says: 𝜇 ← H(BytesToBits(𝑡𝑟)||𝑀 ′, 64) ?
There was a problem hiding this comment.
Yes, I'm staging a PR that adds a LOT of documentation and call out to each of the algorithms in FIPS 204 and their implementation here.
However, I want to get the larger code integrations complete before I start touching every single file in the dilithium repo to add comments. This will prevent me from re-base/conflicts pain down the line.
I'll add specific call outs to the lines in sign/verify in that forthcoming PR.
There was a problem hiding this comment.
sure, but the point of documentation is to make the review easier, once we merge the code it's not as useful :)
There was a problem hiding this comment.
Ahh I understand now, added these callouts to lines in the spec in 8c3d53e. I plan on adding a lot more documentation like this.
| goto rej; | ||
| } | ||
|
|
There was a problem hiding this comment.
| /* FIPS 204: line 26 Compute signer's hint */ |
This change adds ML-DSA-44 and ML-DSA-87 to AWS-LC. As we already have support for ML-DSA-65 through the PQDSA signature API (see #1963) and already support internal functions and KATs that use these internal APIs (see #1999), this change consists of: - The addition of the 6 `pqdsa` APIs for ML-DSA-44 and ML-DSA-87: `ml_dsa_{44/87}_keypair`, `ml_dsa_{44/87}_keypair_internal`, `ml_dsa_{44/87}_sign`, `ml_dsa_{44/87}_sign_internal`, `ml_dsa_{44/87}_verify`, and`ml_dsa_{44/87}_verify_internal` - The function methods: `sig_ml_dsa_44_method` and `sig_ml_dsa_87_method` - The algorithm data structs: `sig_ml_dsa_44` and `sig_ml_dsa_87` Integrating ML-DSA-44/87 into X.509 will be in a follow-up commit. Benchmarking results: ``` Did 33000 MLDSA44 keygen operations in 1000554us (32981.7 ops/sec) Did 8541 MLDSA44 signing operations in 1061153us (8048.8 ops/sec) Did 32000 MLDSA44 verify operations in 1016751us (31472.8 ops/sec) Did 17000 MLDSA65 keygen operations in 1021812us (16637.1 ops/sec) Did 6000 MLDSA65 signing operations in 1148331us (5225.0 ops/sec) Did 20000 MLDSA65 verify operations in 1019696us (19613.7 ops/sec) Did 12000 MLDSA87 keygen operations in 1011438us (11864.3 ops/sec) Did 4344 MLDSA87 signing operations in 1043422us (4163.2 ops/sec) Did 12000 MLDSA87 verify operations in 1027267us (11681.5 ops/sec) ``` Testing: `ML-DSA-44/87` are added to the test harness. This requires the inclusion of test harness raw public keys `mldsa{44/87}kPublicKey` and encoded public keys `mldsa{44/87}kPublicKeySPKI`. The lengths of the encodings are well defined by https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
Issues:
Resolves #CryptoAlg-2723
Description of changes:
This PR adds the internal functions from FIPS 204: Module-Lattice-Based Digital Signature Standard. We base this implementation on the upstream reference implementation of ML-DSA pq-crystals/dilithium@444cdcc. However, the upstream commit only includes implementation of
ML-DSA.Sign_internalandML-DSA.Verify_internal, so we also includeML-DSA.KeyGen_internalto complete the implementation.Changes:
ML-DSA.KeyGenas crypto_sign_keypairML-DSA.Signas crypto_sign_signatureML-DSA.Verifyas crypto_sign_verifyML-DSA.KeyGen_internalas crypto_sign_keypair_internalML-DSA.Sign_internalas crypto_sign_signature_internalML-DSA.Verify_internalas crypto_sign_verify_internalpqdsaAPI:pq_custom_randombytes.{c/h}Call-outs:
We can remove the testing mechanism for the KATs
pq_custom_randombytesas we now support KATs that use the internal functions that provide randomness via an input seed.Testing:
The KATs have been migrated to use the internal functions.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.