-
Notifications
You must be signed in to change notification settings - Fork 573
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PQC: ML-DSA #4270
PQC: ML-DSA #4270
Conversation
7f6c0c7
to
cca40dc
Compare
This comment was marked as resolved.
This comment was marked as resolved.
4cf710e
to
e2a643a
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Appendix D.3 lists a few minor changes in the truncation of certain hash values. Those should be simple changes. Also, there's now a domain separation in the hashing of the random seed in the key generation, similar to ML-DSA. Also there's now a "pre-hash" version of ML-DSA, where the user provides a hash value instead of the entire "data to sign". Key generation for HashML-DSA is equivalent, but signing and verification is not. I feel that supporting HashML-DSA should be fairly simple to do, but I would suggest to not do that in this particular PR. Perhaps, we even want to take a step back and make this a first-class API extension. This may (or may not) align quite nicely with other use cases where a user might want to handle the data hashing independently from the actual signing (eg. for TPM or #4269 (comment)). |
TBH my inclination would be to just wait and see if anyone even adopts this. For comparison the Ed25519 RFC introduced the Ed25519ph variant, and I don't know that I've ever seen a system where it was actually used. I looked at RFC 8032 again, and - regarding the prehashed variant that the RFC itself introduced, which did not exist prior - it says
Thanks I guess. 😂 |
e2a643a
to
f80b12a
Compare
Well, I think the problem is a somewhat more subtle. In the RFC, the statement "SHOULD NOT be used" is preceded by the text
So I think the "SHOULD NOT" needs to interpreted as: "The pure variant is better. Use the pre-hash variant only if you cannot use the pure variant". For instance for the integration of PQC into OpenPGP, we need pre-hashing, as changing that would require rewriting substantial parts of the protocol specification. And I think the fact that previously the prehash-variants of RFC 8032 have not been widely used is often by mistake. By that I mean that in certain cases where the pre-hash variant had to be used, the pure variant was used. One such case is the OpenPGP specification given by RFC 9580 itself. It simply specifies hash-and-sign with the pure variant of Ed25519. If digging enough, one probably finds other examples. Uses the pure variant for hash-and-sign, i.e. simply setting the hash as the message, works fine unless the "correct" use of the pure variant is also added (i.e., actually setting the message as the message). When that happens, signature forgeries are introduced into the protocol. So I would ask to add the pre-hash variant, as that is what we need for using it in Thunderbird (via RNP, which uses Botan) according to what will be specified in https://datatracker.ietf.org/doc/draft-ietf-openpgp-pqc/ for the adaption to the final NIST standards of the two signature schemes. Otherwise we have to resort to the same formally invalid construction by using the "pure" variant for hash-and-sign. |
With the new public API being discussed in #4318 we'll remove the biggest obstacle to the implementation of Prehash-Mode; namely that it isn't straightforward to integrate in the existing |
At the risk of derailing this discussion, I'd like to add that this part is still being discussed on the OpenPGP mailing list, and I personally disagree with the proposal to use the pre-hash variant, because FIPS 204 also says (similarly to RFC 8032):
So, basically, if the application can prehash the data itself and ensure proper domain separation, there's no need for HashML-DSA, and the use of pure ML-DSA seems to be recommended instead. |
Yes, correct, I needed to say "might be specified in ...". |
823455d
to
d9c70f6
Compare
Just like ML-KEM, ML-DSA now exclusively uses the private seeds ( |
d9c70f6
to
f7d4281
Compare
bdb5c93
to
22459ba
Compare
e87a8ea
to
4ce4e4f
Compare
4ce4e4f
to
2b270d9
Compare
@randombit This is now ready for final review. It would be amazing to have this merged before the 3.6.0 release. Please let us know if we can help in some way. Left for future work:
Note: The commits that introduce |
2b270d9
to
02b9058
Compare
Rebased after #4367 caused a conflict. |
c7e5ddc
to
c7e7d6c
Compare
c7e7d6c
to
59f8381
Compare
This adds an implementation of the final FIPS 204 standard based on the pre-existing implementation of Dilithium 3.1. The pre-standard support for Dilithium is retained. To accomodate ML-DSA that was derived from Dilithium 3.1 some of the existing implementation had to be refactored and cleaned up. All references to the specification have been updated to refer to the final publication of FIPS 204. Co-Authored-By: Amos Treiber <[email protected]> Co-Authored-By: René Meusel <[email protected]>
This adds KATs based on the 'official' ACVP-Server KAT vectors and a a python script that illustrates the necessary steps to convert these KAT vectors into a format usable by our test framework.
59f8381
to
041fb0a
Compare
Adds an implementation of the final standard of FIPS 204 (ML-DSA) to the existing Dilithium code. Since it is based on the refactored version of Kyber/Dilithium, it replaces #4062. (I did not base the changes on the old PR since the new dilithium code base is too different)
@atreiber94 I added you as a co-author since I copied half of your code from #4062.
Things to do
Effective: 17 September
Here's what is left to do:
Suggestion: rename the internal
ml_dsa_ipd.h
toml_dsa_impl.h
in order to leave room for a future publicml_dsa.h
is_ml_dsa_ipd()
)(18.09. RM: looks good to me. Except the private key encoding as a seed (considering the draft linked above from July '24. But that's supposed to change).
ml_dsa_ipd.h
Wycheproof draft tests?(will come later)Implement PrehashML-DSAdepends on Add PK_Signature_Options #4318 (planned for 3.7.0)
Implement the new "context" parameter in signing/verifyingdepends on Add PK_Signature_Options #4318 (planned for 3.7.0)