Add internal APIs for ML-DSA #1999
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1999 +/- ##
==========================================
+ Coverage 78.89% 78.93% +0.04%
==========================================
Files 595 594 -1
Lines 102451 102432 -19
Branches 14527 14524 -3
==========================================
+ Hits 80827 80853 +26
+ Misses 20976 20930 -46
- Partials 648 649 +1 ☔ View full report in Codecov by Sentry. 🚨 Try these New Features:
|
andrewhop
reviewed
Nov 19, 2024
dkostic
reviewed
Nov 20, 2024
andrewhop
reviewed
Nov 20, 2024
andrewhop
previously approved these changes
Nov 20, 2024
dkostic
reviewed
Nov 20, 2024
| /* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) */ | ||
| mu[0] = 0; | ||
| mu[1] = ctxlen; | ||
| /* Compute mu = CRH(tr, pre, msg) */ |
There was a problem hiding this comment.
can you add references to lines in FIPS 204, Algorithm 7 please (for verify_internal and keygen_internal as well)? For example, I believe this comment refers to line 6 that says: 𝜇 ← H(BytesToBits(𝑡𝑟)||𝑀 ′, 64) ?
There was a problem hiding this comment.
Yes, I'm staging a PR that adds a LOT of documentation and call out to each of the algorithms in FIPS 204 and their implementation here.
However, I want to get the larger code integrations complete before I start touching every single file in the dilithium repo to add comments. This will prevent me from re-base/conflicts pain down the line.
I'll add specific call outs to the lines in sign/verify in that forthcoming PR.
There was a problem hiding this comment.
sure, but the point of documentation is to make the review easier, once we merge the code it's not as useful :)
There was a problem hiding this comment.
Ahh I understand now, added these callouts to lines in the spec in 8c3d53e. I plan on adding a lot more documentation like this.
dkostic
reviewed
Nov 21, 2024
| goto rej; | ||
| } | ||
|
|
There was a problem hiding this comment.
Suggested change
| /* FIPS 204: line 26 Compute signer's hint */ |
dkostic
previously approved these changes
Nov 21, 2024
dkostic
approved these changes
Nov 21, 2024
andrewhop
approved these changes
Nov 22, 2024
nebeid
pushed a commit
that referenced
this pull request
Dec 3, 2024
This change adds ML-DSA-44 and ML-DSA-87 to AWS-LC. As we already have support for ML-DSA-65 through the PQDSA signature API (see #1963) and already support internal functions and KATs that use these internal APIs (see #1999), this change consists of: - The addition of the 6 `pqdsa` APIs for ML-DSA-44 and ML-DSA-87: `ml_dsa_{44/87}_keypair`, `ml_dsa_{44/87}_keypair_internal`, `ml_dsa_{44/87}_sign`, `ml_dsa_{44/87}_sign_internal`, `ml_dsa_{44/87}_verify`, and`ml_dsa_{44/87}_verify_internal` - The function methods: `sig_ml_dsa_44_method` and `sig_ml_dsa_87_method` - The algorithm data structs: `sig_ml_dsa_44` and `sig_ml_dsa_87` Integrating ML-DSA-44/87 into X.509 will be in a follow-up commit. Benchmarking results: ``` Did 33000 MLDSA44 keygen operations in 1000554us (32981.7 ops/sec) Did 8541 MLDSA44 signing operations in 1061153us (8048.8 ops/sec) Did 32000 MLDSA44 verify operations in 1016751us (31472.8 ops/sec) Did 17000 MLDSA65 keygen operations in 1021812us (16637.1 ops/sec) Did 6000 MLDSA65 signing operations in 1148331us (5225.0 ops/sec) Did 20000 MLDSA65 verify operations in 1019696us (19613.7 ops/sec) Did 12000 MLDSA87 keygen operations in 1011438us (11864.3 ops/sec) Did 4344 MLDSA87 signing operations in 1043422us (4163.2 ops/sec) Did 12000 MLDSA87 verify operations in 1027267us (11681.5 ops/sec) ``` Testing: `ML-DSA-44/87` are added to the test harness. This requires the inclusion of test harness raw public keys `mldsa{44/87}kPublicKey` and encoded public keys `mldsa{44/87}kPublicKeySPKI`. The lengths of the encodings are well defined by https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
justsmth
pushed a commit
that referenced
this pull request
Feb 5, 2025
### Issues: Resolves #CryptoAlg-2889 ### Description of changes: The industry has decided upon a few conventions to assist with the usability of ML-DSA key sizes, one of which is to decrease the amount of bytes transferred when encoding ML-DSA private keys. As ML-DSA keys can be deterministically generated from a provided 32-byte seed, many standards bodies have selected to use private keys in seed format. For example, the IETF draft that standardizes the use of ML-DSA in X.509. https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/ This provides: - Compliance with IETF spec https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/ - Will allow interoperability with BC to allow customers to import ML-DSA keys The functionality that provides key generation from seeds for ML-DSA was added in my previous PR #1999. This PR exposes the internal key generation functions within the `PQDSA` struct, so that a new function named `PQDSA_KEY_set_raw_keypair_from_seed` can directly call the method. The function `PQDSA_KEY_set_raw_keypair_from_seed` simply performs: - a check that the provided `seed` is of the correct length - allocation of public/private key buffers - key generation from seed using `pqdsa_keygen_internal` As such, `pqdsa_priv_decode` has been modified to call: - `PQDSA_KEY_set_raw_private_key` when the provided length of the key is `pqdsa->private_key_len` - `PQDSA_KEY_set_raw_keypair_from_seed` when the provided length of the key is `pqdsa->keygen_seed_len` We implement this at the EVP layer by modifying `EVP_PKEY_pqdsa_new_raw_private_key` to: - call `PQDSA_KEY_set_raw_private_key` when the `len` provided is `private_key_len` - call `PQDSA_KEY_set_raw_keypair_from_seed` when the `len` provided is `keygen_seed_len` ### Call-outs: - The API `EVP_PKEY_pqdsa_new_raw_private_key` will now populate both public and private keys when provided a seed. - The API `EVP_PKEY_pqdsa_new_raw_public_key` only sets the public key - The API `PQDSA_KEY_set_raw_private_key` will only set private key - The API `PQDSA_KEY_set_raw_public_key` will only set public key - The API `EVP_parse_public_key` sets the public key from DER encoded of public key - The API `EVP_parse_private_key` can accept DER encodings of either the full private key representation, or the 32-byte seed. - The API `EVP_marshal_public_key` sets the DER encoded public key from a EVP PKEY - The API `EVP_marshal_private_key` sets the DER encoded full private key representation (it cannot marshal the seed, as this cannot be derived from the full private key representation. ### Testing: To provide KAT for keys from seeds I have included the `Appendix C. Examples` from https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/. For each provided ML-DSA parameter set, we generate the example private key provided from seed, and check that the corresponding public key matches that in the specification. These tests are in `PQDSAParameterTest` namely, `ParsePrivateKey`. These examples show how much shorter ML-DSA-87 private keys are in seed format: ``` -----BEGIN PRIVATE KEY----- MDICAQAwCwYJYIZIAWUDBAMTBCAAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRob HB0eHw== -----END PRIVATE KEY----- ``` By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
Resolves #CryptoAlg-2723
Description of changes:
This PR adds the internal functions from FIPS 204: Module-Lattice-Based Digital Signature Standard. We base this implementation on the upstream reference implementation of ML-DSA pq-crystals/dilithium@444cdcc. However, the upstream commit only includes implementation of
ML-DSA.Sign_internalandML-DSA.Verify_internal, so we also includeML-DSA.KeyGen_internalto complete the implementation.Changes:
ML-DSA.KeyGenas crypto_sign_keypairML-DSA.Signas crypto_sign_signatureML-DSA.Verifyas crypto_sign_verifyML-DSA.KeyGen_internalas crypto_sign_keypair_internalML-DSA.Sign_internalas crypto_sign_signature_internalML-DSA.Verify_internalas crypto_sign_verify_internalpqdsaAPI:pq_custom_randombytes.{c/h}Call-outs:
We can remove the testing mechanism for the KATs
pq_custom_randombytesas we now support KATs that use the internal functions that provide randomness via an input seed.Testing:
The KATs have been migrated to use the internal functions.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.