- Same UX as ML-KEM. The main ASN.1 private key syntax is the one from
Russ Housley's post on the LAMPS list, subsequently amended to tag the
seed instead of the key (each of the three parameter sets will have a
fixed size for the `expandedKey`):
ML-DSA-PrivateKey ::= CHOICE {
seed [0] IMPLICIT OCTET STRING SIZE (32),
expandedKey OCTET STRING SIZE (2560 | 4032 | 4896)
both SEQUENCE {
seed OCTET STRING SIZE (32),
expandedKey OCTET STRING SIZE (2560 | 4032 | 4896) } }
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26638)
The ossl_ml_dsa_key_get0_libctx() and the various size macros are better in the intneral header
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26548)
- Make data encoding work on big-endian systems.
- Fix some ML-DSA-44 specific bugs related to w1-vector bits
per-coefficient, overall size and high-bits rounding.
- Use "do { ... } while (pointer < end)" style consistently.
- Drop redundant reference counting of provided keys.
- Add parameter blocks for ML-DSA-44 and ML-DSA-87 and turn on
associated provider glue. These now pass both keygen and
siggen tests (to be added separately).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)
The key generation algorithm requires a significant portion of the many
algorithms present in FIPS 204.
This work is derived from the BoringSSL code located at
https://boringssl.googlesource.com/boringssl/+/refs/heads/master/crypto/mldsa/mldsa.cc
Instead of c++ templates it uses an ML_DSA_PARAMS object to store constants such as k & l.
To perform hash operations a temporary EVP_MD_CTX object is used, which is supplied with a
prefetched EVP_MD shake128 or shake256 object that reside in the ML_DSA_KEY object.
The ML_DSA_KEY object stores the encoded public and/or private key
whenever a key is loaded or generated. A public key is always present
if the private key component exists.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26127)
openssl-machine
Viktor Dukhovni
Pauli
slontis