Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for ML-DSA #877

Open
wants to merge 39 commits into
base: master
Choose a base branch
from
Open

Add support for ML-DSA #877

wants to merge 39 commits into from

Conversation

bifurcation
Copy link

@bifurcation bifurcation commented Nov 14, 2024
edited
Loading

This PR is a first step toward ML-DSA support, as discussed in #8. It puts in place enough of the basic algebraic and encoding primitives to get key generation going.

Still TODO:

  • More complete unit test coverage (e.g., on encoding routines)
  • Signing
  • Verification
  • Integration tests against NIST ACVP test vectors
  • Performance benchmarks
  • Pull out things that are common with ML-KEM into a shared module (?)

@tarcieri - This is currently blocked on typenum not having enough integers. Specifically, there is no ArraySize implementation for U4896, which the compiler says is necessary for MlDsa87. Can we get that added?

@cothan, @marija-mijailovic - If you guys are still interested in collaborating, making PRs to this branch would be a good way to help.

On the latter point about overlap with ML-KEM: Thinking about this while I was writing this PR, it seems like the main shared stuff would be:

  • Structs for polynomials, polynomial vectors, NTT vectors, and NTT matrices
  • Fixed-width encoding of unsigned integers

Getting those factored out would be a non-trivial savings, but would require some careful introduction of generics. For example, the algebraic stuff would have to be generic over the field over which the polynomials exist (since there are different q moduli in the two algorithms), as well as the details of multiplication of polynomials and NTT.

@tarcieri
Copy link
Member

@bifurcation sure. Here's an example PR to add more sizes: RustCrypto/hybrid-array#104

Note that the uint! macro uses a little endian bit encoding for the size

@bifurcation
Copy link
Author

Latest push adds signing/verification logic. It can verify its own signatures, but fails the ACVP test vectors.

Note that it will not build against the public version of hybrid-array, since that is missing some ArraySize implementations. I'm planning to submit a PR to that repo once things are in basic working order here, so that we have confidence that we've covered all the necessary integers.

@bifurcation
Copy link
Author

Thanksgiving update 🦃: Now passing ACVP tests, working on cleanup.

@bifurcation bifurcation mentioned this pull request Nov 29, 2024
Merged
@tarcieri tarcieri mentioned this pull request Dec 2, 2024
Open
10 tasks
@bifurcation
Copy link
Author

@tarcieri - I think this is about ready for review and merging, though the CI won't succeed until RustCrypto/hybrid-array#108 is merged and there's a new release. What are the next steps here?

tarcieri pushed a commit to RustCrypto/hybrid-array that referenced this pull request Dec 7, 2024
@bifurcation
Update ML-DSA sizes (#108)
1dbb4af 
This PR was developed in parallel with RustCrypto/signatures#877,
to provide the array sizes necessary for serializing / deserializing
ML-DSA keys and signatures.

In addition to the end key/signature sizes, some intermediate value sizes
are required.
@tarcieri
Copy link
Member

tarcieri commented Dec 7, 2024

@bifurcation new sizes released in hybrid-array v0.2.3

@bifurcation bifurcation marked this pull request as ready for review December 9, 2024 15:30
@bifurcation
Copy link
Author

OK, this is ready for review.

@tarcieri looks like the SLH-DSA build is broken at the moment.

@tarcieri
Copy link
Member

@bifurcation slh-dsa build is fixed if you can rebase

@bifurcation
Copy link
Author

@tarcieri - CI is green. What do you think about review?

@tarcieri
Copy link
Member

@bifurcation sorry, have a huge backlog of PRs and haven't been reviewing as much lately. Will try to look this weekend

ArthurHeymans added a commit to chipsalliance/caliptra-sw that referenced this pull request Dec 19, 2024
@ArthurHeymans
Update to rust 1.83
fb4fca1 
The goal of updating the rust library is to be able to use Mldsa from
rustCrypto repo: RustCrypto/signatures#877

The goal of using this code is to replace openssl to generate TBS and
CSR tempaltes. Openssl does not yet support Mldsa

The minimum required rust version is 1.81.

It looks like this toolchain needs a lot more stack than 1.70.

Rust 1.83 warns about unused stuff a lot more often which is addressed
in this commit.

Signed-off-by: Arthur Heymans <arthur.heymans@9elements.com>
ArthurHeymans added a commit to chipsalliance/caliptra-sw that referenced this pull request Dec 19, 2024
@ArthurHeymans
Update to rust 1.83
f98864f 
The goal of updating the rust library is to be able to use Mldsa from
rustCrypto repo: RustCrypto/signatures#877

The goal of using this code is to replace openssl to generate TBS and
CSR tempaltes. Openssl does not yet support Mldsa

The minimum required rust version is 1.81.

It looks like this toolchain needs a lot more stack than 1.70.

Rust 1.83 warns about unused stuff a lot more often which is addressed
in this commit.

Signed-off-by: Arthur Heymans <arthur.heymans@9elements.com>
@ArthurHeymans ArthurHeymans mentioned this pull request Dec 19, 2024
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bifurcation @tarcieri