Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ML-DSA] Add pre-hashed API & domain separation #608

Merged
merged 16 commits into from
Oct 1, 2024
Merged

[ML-DSA] Add pre-hashed API & domain separation #608

merged 16 commits into from
Oct 1, 2024

Conversation

jschneider-bensch
Copy link
Collaborator

This PR introduces a new pre-hashed API for ML-DSA and the additional domain separation via the ctx parameter in signing and verification.

The standard says that any NIST-approved hash function or XOF can be used to perform the pre-hashing in the HashML-DSA variant and explicitly lists cases for SHA-256, SHA-512, and SHAKE-128 in Algorithms 4 and 5. From this it wasn't clear to me if these three are mandatory for implementing the standard or if e.g. one of them is sufficient. For the sake of keeping things simple and additional dependencies in the crate minimal I've chosen to implement HashML-DSA just for SHAKE-128 pre-hashing, but we should be able to extend it to other NIST-approved hash functions or XOFs if desired, hopefully without much effort.

With these changes, we test successfully against the Wycheproof vectors for the final standard version, giving some confidence that we've implemented all changes which affect signing and verification. I've thus re-enabled these tests and extended them somewhat such that we test all variants (excluding pre-hashed) in all optimizations.

Fixes #500
Fixes #501
Fixes #607

@jschneider-bensch jschneider-bensch self-assigned this Sep 30, 2024
@jschneider-bensch
Copy link
Collaborator Author

There are no Wycheproof vectors for the pre-hashed variant, but I've modified the spec-like python version we use to generate our own KATs so we can generate KATs for the pre-hashed version as well.

franziskuskiefer
franziskuskiefer requested changes Oct 1, 2024
View reviewed changes
Copy link
Member

@franziskuskiefer franziskuskiefer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, lgtm with some nits.

libcrux-ml-dsa/src/pre_hash.rs Outdated Show resolved Hide resolved
libcrux-ml-dsa/src/ml_dsa_generic.rs Outdated Show resolved Hide resolved
libcrux-ml-dsa/src/ml_dsa_generic.rs Outdated Show resolved Hide resolved
libcrux-ml-dsa/src/ml_dsa_generic.rs Outdated Show resolved Hide resolved
libcrux-ml-dsa/src/ml_dsa_generic.rs Outdated Show resolved Hide resolved
libcrux-ml-dsa/src/pre_hash.rs Outdated Show resolved Hide resolved
libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs Show resolved Hide resolved
libcrux-ml-dsa/src/constants.rs Show resolved Hide resolved
libcrux-ml-dsa/src/ml_dsa_44.rs Outdated Show resolved Hide resolved
libcrux-ml-dsa/tests/wycheproof_sign.rs Show resolved Hide resolved
franziskuskiefer
franziskuskiefer approved these changes Oct 1, 2024
View reviewed changes
Copy link
Member

@franziskuskiefer franziskuskiefer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leaving an r+ assuming that the domain separation gets resolved as discussed offline.

@jschneider-bensch jschneider-bensch added this pull request to the merge queue Oct 1, 2024
Merged via the queue into main with commit fd43045 Oct 1, 2024
48 checks passed
@jschneider-bensch jschneider-bensch deleted the jonas/pre-hashed branch October 1, 2024 13:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@franziskuskiefer franziskuskiefer franziskuskiefer approved these changes

Assignees

@jschneider-bensch jschneider-bensch

Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@jschneider-bensch @franziskuskiefer