openssl/include/crypto/ml_dsa.h

/*
 * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/* Internal ML_DSA functions for other submodules, not for application use */

#ifndef OSSL_CRYPTO_ML_DSA_H
# define OSSL_CRYPTO_ML_DSA_H

# pragma once
# include <openssl/e_os2.h>
# include <openssl/types.h>
# include "crypto/types.h"

# define ML_DSA_MAX_CONTEXT_STRING_LEN 255

# define ML_DSA_ENTROPY_LEN 32

/* See FIPS 204 Section 4 Table 1 & Table 2 */
# define ML_DSA_44_PRIV_LEN 2560
# define ML_DSA_44_PUB_LEN 1312
# define ML_DSA_44_SIG_LEN 2420

/* See FIPS 204 Section 4 Table 1 & Table 2 */
# define ML_DSA_65_PRIV_LEN 4032
# define ML_DSA_65_PUB_LEN 1952
# define ML_DSA_65_SIG_LEN 3309

/* See FIPS 204 Section 4 Table 1 & Table 2 */
# define ML_DSA_87_PRIV_LEN 4896
# define ML_DSA_87_PUB_LEN 2592
# define ML_DSA_87_SIG_LEN 4627

/* Key and signature size maximums taken from values above */
# define MAX_ML_DSA_PRIV_LEN ML_DSA_87_PRIV_LEN
# define MAX_ML_DSA_PUB_LEN ML_DSA_87_PUB_LEN
# define MAX_ML_DSA_SIG_LEN ML_DSA_87_SIG_LEN

__owur ML_DSA_KEY *ossl_ml_dsa_key_new(OSSL_LIB_CTX *libctx, const char *propq,
                                       const char *alg);
__owur int ossl_ml_dsa_key_pub_alloc(ML_DSA_KEY *key);
__owur int ossl_ml_dsa_key_priv_alloc(ML_DSA_KEY *key);
void ossl_ml_dsa_key_free(ML_DSA_KEY *key);
__owur ML_DSA_KEY *ossl_ml_dsa_key_dup(const ML_DSA_KEY *src, int selection);
__owur int ossl_ml_dsa_key_equal(const ML_DSA_KEY *key1, const ML_DSA_KEY *key2,
                                 int selection);
__owur int ossl_ml_dsa_to_text(BIO *out, ML_DSA_KEY *key, int selection);
__owur int ossl_ml_dsa_key_has(const ML_DSA_KEY *key, int selection);
__owur int ossl_ml_dsa_key_pairwise_check(const ML_DSA_KEY *key);
__owur int ossl_ml_dsa_key_fromdata(ML_DSA_KEY *key, const OSSL_PARAM *params,
                                    int include_private);
__owur int ossl_ml_dsa_generate_key(OSSL_LIB_CTX *libctx,
                                    const uint8_t *entropy, size_t entropy_len,
                                    ML_DSA_KEY *out);
__owur const uint8_t *ossl_ml_dsa_key_get_pub(const ML_DSA_KEY *key);
__owur const uint8_t *ossl_ml_dsa_key_get_priv(const ML_DSA_KEY *key);
__owur size_t ossl_ml_dsa_key_get_pub_len(const ML_DSA_KEY *key);
__owur size_t ossl_ml_dsa_key_get_collision_strength_bits(const ML_DSA_KEY *key);
__owur size_t ossl_ml_dsa_key_get_priv_len(const ML_DSA_KEY *key);
__owur size_t ossl_ml_dsa_key_get_sig_len(const ML_DSA_KEY *key);
__owur int ossl_ml_dsa_key_matches(const ML_DSA_KEY *key, const char *alg);
__owur const char *ossl_ml_dsa_key_get_name(const ML_DSA_KEY *key);
__owur int ossl_ml_dsa_key_to_text(BIO *out, const ML_DSA_KEY *key, int selection);
OSSL_LIB_CTX *ossl_ml_dsa_key_get0_libctx(const ML_DSA_KEY *key);

__owur int ossl_ml_dsa_key_public_from_private(ML_DSA_KEY *key);
__owur int ossl_ml_dsa_pk_decode(ML_DSA_KEY *key, const uint8_t *in, size_t in_len);
__owur int ossl_ml_dsa_sk_decode(ML_DSA_KEY *key, const uint8_t *in, size_t in_len);

__owur int ossl_ml_dsa_key_public_from_private(ML_DSA_KEY *key);
__owur int ossl_ml_dsa_pk_decode(ML_DSA_KEY *key, const uint8_t *in, size_t in_len);
__owur int ossl_ml_dsa_sk_decode(ML_DSA_KEY *key, const uint8_t *in, size_t in_len);

__owur int ossl_ml_dsa_sign(const ML_DSA_KEY *priv,
                            const uint8_t *msg, size_t msg_len,
                            const uint8_t *context, size_t context_len,
                            const uint8_t *rand, size_t rand_len, int encode,
                            unsigned char *sig, size_t *siglen, size_t sigsize);
__owur int ossl_ml_dsa_verify(const ML_DSA_KEY *pub,
                              const uint8_t *msg, size_t msg_len,
                              const uint8_t *context, size_t context_len,
                              int encode, const uint8_t *sig, size_t sig_len);

#endif /* OSSL_CRYPTO_SLH_DSA_H */
Add ML-DSA Keygen support The key generation algorithm requires a significant portion of the many algorithms present in FIPS 204. This work is derived from the BoringSSL code located at https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l. To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object. The ML_DSA_KEY object stores the encoded public and/or private key whenever a key is loaded or generated. A public key is always present if the private key component exists. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2024-12-03 12:03:09 +08:00			`/*`
			`* Copyright 2024 The OpenSSL Project Authors. All Rights Reserved.`
			`*`
			`* Licensed under the Apache License 2.0 (the "License"). You may not use`
			`* this file except in compliance with the License. You can obtain a copy`
			`* in the file LICENSE in the source distribution or at`
			`* https://www.openssl.org/source/license.html`
			`*/`

			`/* Internal ML_DSA functions for other submodules, not for application use */`

			`#ifndef OSSL_CRYPTO_ML_DSA_H`
			`# define OSSL_CRYPTO_ML_DSA_H`

			`# pragma once`
			`# include <openssl/e_os2.h>`
			`# include <openssl/types.h>`
			`# include "crypto/types.h"`

			`# define ML_DSA_MAX_CONTEXT_STRING_LEN 255`

ml-dsa: add more to internal header The ossl_ml_dsa_key_get0_libctx() and the various size macros are better in the intneral header Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26548) 2025-01-22 10:08:33 +08:00			`# define ML_DSA_ENTROPY_LEN 32`

			`/* See FIPS 204 Section 4 Table 1 & Table 2 */`
			`# define ML_DSA_44_PRIV_LEN 2560`
			`# define ML_DSA_44_PUB_LEN 1312`
			`# define ML_DSA_44_SIG_LEN 2420`

			`/* See FIPS 204 Section 4 Table 1 & Table 2 */`
			`# define ML_DSA_65_PRIV_LEN 4032`
			`# define ML_DSA_65_PUB_LEN 1952`
			`# define ML_DSA_65_SIG_LEN 3309`

			`/* See FIPS 204 Section 4 Table 1 & Table 2 */`
			`# define ML_DSA_87_PRIV_LEN 4896`
			`# define ML_DSA_87_PUB_LEN 2592`
			`# define ML_DSA_87_SIG_LEN 4627`

			`/* Key and signature size maximums taken from values above */`
			`# define MAX_ML_DSA_PRIV_LEN ML_DSA_87_PRIV_LEN`
			`# define MAX_ML_DSA_PUB_LEN ML_DSA_87_PUB_LEN`
			`# define MAX_ML_DSA_SIG_LEN ML_DSA_87_SIG_LEN`

ML-DSA fixups Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2025-01-06 14:42:12 +08:00			`__owur ML_DSA_KEY ossl_ml_dsa_key_new(OSSL_LIB_CTX libctx, const char *propq,`
			`const char *alg);`
			`__owur int ossl_ml_dsa_key_pub_alloc(ML_DSA_KEY *key);`
			`__owur int ossl_ml_dsa_key_priv_alloc(ML_DSA_KEY *key);`
Add ML-DSA Keygen support The key generation algorithm requires a significant portion of the many algorithms present in FIPS 204. This work is derived from the BoringSSL code located at https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l. To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object. The ML_DSA_KEY object stores the encoded public and/or private key whenever a key is loaded or generated. A public key is always present if the private key component exists. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2024-12-03 12:03:09 +08:00			`void ossl_ml_dsa_key_free(ML_DSA_KEY *key);`
ML-DSA: Add support for dup. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/26451) 2025-01-17 12:05:21 +08:00			`__owur ML_DSA_KEY ossl_ml_dsa_key_dup(const ML_DSA_KEY src, int selection);`
Add ML-DSA Keygen support The key generation algorithm requires a significant portion of the many algorithms present in FIPS 204. This work is derived from the BoringSSL code located at https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l. To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object. The ML_DSA_KEY object stores the encoded public and/or private key whenever a key is loaded or generated. A public key is always present if the private key component exists. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2024-12-03 12:03:09 +08:00			`__owur int ossl_ml_dsa_key_equal(const ML_DSA_KEY key1, const ML_DSA_KEY key2,`
			`int selection);`
Add ML_DSA encoders Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26575) 2025-01-10 09:41:12 +08:00			`__owur int ossl_ml_dsa_to_text(BIO out, ML_DSA_KEY key, int selection);`
Add ML-DSA Keygen support The key generation algorithm requires a significant portion of the many algorithms present in FIPS 204. This work is derived from the BoringSSL code located at https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l. To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object. The ML_DSA_KEY object stores the encoded public and/or private key whenever a key is loaded or generated. A public key is always present if the private key component exists. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2024-12-03 12:03:09 +08:00			`__owur int ossl_ml_dsa_key_has(const ML_DSA_KEY *key, int selection);`
			`__owur int ossl_ml_dsa_key_pairwise_check(const ML_DSA_KEY *key);`
			`__owur int ossl_ml_dsa_key_fromdata(ML_DSA_KEY key, const OSSL_PARAM params,`
			`int include_private);`
ML-DSA fixups Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2025-01-06 14:42:12 +08:00			`__owur int ossl_ml_dsa_generate_key(OSSL_LIB_CTX *libctx,`
Add ML-DSA Keygen support The key generation algorithm requires a significant portion of the many algorithms present in FIPS 204. This work is derived from the BoringSSL code located at https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l. To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object. The ML_DSA_KEY object stores the encoded public and/or private key whenever a key is loaded or generated. A public key is always present if the private key component exists. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2024-12-03 12:03:09 +08:00			`const uint8_t *entropy, size_t entropy_len,`
			`ML_DSA_KEY *out);`
			`__owur const uint8_t ossl_ml_dsa_key_get_pub(const ML_DSA_KEY key);`
			`__owur const uint8_t ossl_ml_dsa_key_get_priv(const ML_DSA_KEY key);`
			`__owur size_t ossl_ml_dsa_key_get_pub_len(const ML_DSA_KEY *key);`
			`__owur size_t ossl_ml_dsa_key_get_collision_strength_bits(const ML_DSA_KEY *key);`
			`__owur size_t ossl_ml_dsa_key_get_priv_len(const ML_DSA_KEY *key);`
			`__owur size_t ossl_ml_dsa_key_get_sig_len(const ML_DSA_KEY *key);`
ML-DSA fixups Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2025-01-06 14:42:12 +08:00			`__owur int ossl_ml_dsa_key_matches(const ML_DSA_KEY key, const char alg);`
ML-DSA: coverage testing fixups Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26505) 2025-01-22 05:46:18 +08:00			`__owur const char ossl_ml_dsa_key_get_name(const ML_DSA_KEY key);`
ml-dsa: add more to internal header The ossl_ml_dsa_key_get0_libctx() and the various size macros are better in the intneral header Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26548) 2025-01-22 10:08:33 +08:00			`__owur int ossl_ml_dsa_key_to_text(BIO out, const ML_DSA_KEY key, int selection);`
			`OSSL_LIB_CTX ossl_ml_dsa_key_get0_libctx(const ML_DSA_KEY key);`
Add ML-DSA Keygen support The key generation algorithm requires a significant portion of the many algorithms present in FIPS 204. This work is derived from the BoringSSL code located at https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l. To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object. The ML_DSA_KEY object stores the encoded public and/or private key whenever a key is loaded or generated. A public key is always present if the private key component exists. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2024-12-03 12:03:09 +08:00
Add ML_DSA encoders Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/26451) 2025-01-10 09:41:12 +08:00			`__owur int ossl_ml_dsa_key_public_from_private(ML_DSA_KEY *key);`
			`__owur int ossl_ml_dsa_pk_decode(ML_DSA_KEY key, const uint8_t in, size_t in_len);`
			`__owur int ossl_ml_dsa_sk_decode(ML_DSA_KEY key, const uint8_t in, size_t in_len);`

Add ML_DSA encoders Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26575) 2025-01-10 09:41:12 +08:00			`__owur int ossl_ml_dsa_key_public_from_private(ML_DSA_KEY *key);`
			`__owur int ossl_ml_dsa_pk_decode(ML_DSA_KEY key, const uint8_t in, size_t in_len);`
			`__owur int ossl_ml_dsa_sk_decode(ML_DSA_KEY key, const uint8_t in, size_t in_len);`

ML-DSA fixups Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2025-01-06 14:42:12 +08:00			`__owur int ossl_ml_dsa_sign(const ML_DSA_KEY *priv,`
Add ML-DSA sign/verify Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2024-12-20 11:18:27 +08:00			`const uint8_t *msg, size_t msg_len,`
			`const uint8_t *context, size_t context_len,`
			`const uint8_t *rand, size_t rand_len, int encode,`
			`unsigned char sig, size_t siglen, size_t sigsize);`
ML-DSA fixups Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2025-01-06 14:42:12 +08:00			`__owur int ossl_ml_dsa_verify(const ML_DSA_KEY *pub,`
Add ML-DSA sign/verify Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2024-12-20 11:18:27 +08:00			`const uint8_t *msg, size_t msg_len,`
			`const uint8_t *context, size_t context_len,`
			`int encode, const uint8_t *sig, size_t sig_len);`

Add ML-DSA Keygen support The key generation algorithm requires a significant portion of the many algorithms present in FIPS 204. This work is derived from the BoringSSL code located at https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l. To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object. The ML_DSA_KEY object stores the encoded public and/or private key whenever a key is loaded or generated. A public key is always present if the private key component exists. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26127) 2024-12-03 12:03:09 +08:00			`#endif /* OSSL_CRYPTO_SLH_DSA_H */`