Switch ML-DSA to use AWS-LC SHA3

[jakemas]

Issues:

Resolves CryptoAlg-2726

Description of changes:

Following the inclusion of SHAKE as an extensible-output-function (XOF) in #1839, we are now able to fully support ML-DSA with SHA3/SHAKE usage within crypto/fipsmodule. As such, all references to the internal implementation of SHA3 (within crypto/dilithium/pqcrystals_dilithium_ref_common/fips202.{h|c}) have been removed.

Call-outs:

• The structure keccak_state provided by the Dilithium reference implementation has been replaced with KECCAK1600_CTX
• The calls to absorb/update/final have been replaced with a straight swap to AWS-LC's implementation
• The dilithium specific function dilithium_shake128_stream_init, dilithium_shake128_squeeze, dilithium_shake256_stream_init, dilithium_shake256_squeeze of fips202.c has been replaced with versions that call SHA3 from fipsmodule.

Testing:

The testing framework is the KATs for ML-DSA, and all other ML-DSA tests completed.

#CryptoAlg-2589 design documentation provides an analysis of all fips202.c usage from ML-DSA, to verify that all functionality that used to be provided by fips202.c has been replaced by this commit, the file has been removed from the library.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[jakemas]

See c4a0fdb for the changes proposed in this PR without the muddiness of #1999

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.66%. Comparing base (d681431) to head (35ae687).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2001      +/-   ##
==========================================
- Coverage   78.68%   78.66%   -0.02%     
==========================================
  Files         598      598              
  Lines      103350   103351       +1     
  Branches    14692    14691       -1     
==========================================
- Hits        81321    81305      -16     
- Misses      21377    21393      +16     
- Partials      652      653       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[geedo0]

Looks pretty straightforward. The only big thing missing here seems to be updates to the README.md file.

[geedo0]

I'll defer to the LC team on this point, but IMO the docstrings here should be in the header file and match LC's style conventions for comments. I can see that these were ported over from the fips202 source, so I can see the merit in retaining that style and content. It's also not part of LC's public interface so I feel less strong about belaboring it.

[jakemas]

Good call out. As I added these functions within the crypto/dilithium/pqcrystals_dilithium_ref_common/ directory, I wanted to be consistant with function conventions. I did the same within ML-KEM (see example).

[geedo0]

Perhaps extract the 2 as a constant value to improve readability?

[jakemas]

Looks pretty straightforward. The only big thing missing here seems to be updates to the README.md file.

README.md updated (was waiting on merge).

[dkostic]

why can't we just use SHA_Final directly?

[dkostic]

actually, why can't we use SHAKE256 instead of the sequence of Init, Update, Final?

[jakemas]

Because we need an additional squeeze down at line 524 below (part of the rejection sampling loop). If we call SHAKE256 directly at this stage, we cannot additionally squeeze output later. This is exactly the difference between calling SHAKE256 as a single shot output, vs as an extensible output function, as required for both ML-KEM and ML-DSA.

[jakemas]

However, I agree that we can use SHA_Final directly, and have modified the PR to do this for both SHAKE256 and SHAKE 128 in f4cc0fe

[jakemas]

Any further required actions here?

[dkostic]

Suggested change

	SHAKE_Final(buf, &state,POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE);
	SHAKE_Final(buf, &state, POLY_UNIFORM_NBLOCKS * SHAKE128_BLOCKSIZE);

[jakemas]

acb7b42