Add ML-DSA (FIPS204) #480
Merged
Add ML-DSA (FIPS204) #480
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
9537079 to
5bd6e0d
Compare
e60db3b to
47bb92a
Compare
wussler
reviewed
Feb 28, 2024
1fbec7a to
7970d07
Compare
7970d07 to
16fa7b7
Compare
armfazh
requested changes
Oct 4, 2024
There was a problem hiding this comment.
Just minor changes. Overall is ok.
Q: is this compliant with ACVP test files?
https://github.com/usnistgov/ACVP-Server/tree/master/gen-val/json-files/ML-DSA-sigGen-FIPS204
| SignTo(sk, msg, sig[:]) | ||
| return sig[:], nil | ||
| {{- if .NIST }} | ||
| if err = SignTo(sk, msg, nil, false, ret[:]); err != nil { |
There was a problem hiding this comment.
here we are defaulting Sign to be a deterministic algorithm,
From Sec 3.4:
Only implementing the hedged variant (i.e., without the deterministic variant) is sufficient to guarantee interoperability.
It seems to me that the default should be randomized signatures.
Note that Sign receives a 'rand io.Reader' variable for providing randomness to the function.
There was a problem hiding this comment.
From the Dilithium specification:
Randomised signing is easier to make side channel secure against power/EM leakage in hardware. Thus it makes sense to use it as default in hardware. In software deterministic signing as default seems to make more sense. I don't think it makes a big difference. A non security argument is that the deterministic variant is easier to test.
| @@ -16,13 +16,27 @@ import ( | |||
| "github.com/cloudflare/circl/sign/ed448" | |||
| "github.com/cloudflare/circl/sign/eddilithium2" | |||
| "github.com/cloudflare/circl/sign/eddilithium3" | |||
|
|
|||
| dilithium2 "github.com/cloudflare/circl/sign/dilithium/mode2" | |||
There was a problem hiding this comment.
In the past, we've recommend not to use dilithium alone, but used as a hybrid.
Has something changed?
There was a problem hiding this comment.
For the web, PQ certificates only add value once a CRQC is close. Once that happens, hybrids don't make sense anymore. Also, the standardisation of hybrids for signatures is quite messy.
Forgot to add tests. Done now. Should be good to merge (and squash.) |
The final version of FIPS204 has not been released, thus this implementation is not yet final.
Remove old mode API and hook Dilithium and ML-DSA into generic signature API. Expose support for randomized ML-DSA mode. (It is not exposed in the generic signature API.) Remove old AES variants of Dilithium. Does not add the HashML-DSA variants (yet).
Fix one bug in key derivation.
|
Rebased. |
armfazh
approved these changes
Oct 9, 2024
Closed
project-mirrors-bot-tu bot
pushed a commit
to project-mirrors/forgejo-runner-as-gitea-act-runner-fork
that referenced
this pull request
Jul 3, 2025
…605) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/cloudflare/circl](https://github.com/cloudflare/circl) | indirect | minor | `v1.3.7` -> `v1.6.1` | --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results [GHSA-2x5j-vhc8-9cwm](GHSA-2x5j-vhc8-9cwm) / [GO-2025-3754](https://pkg.go.dev/vuln/GO-2025-3754) <details> <summary>More information</summary> #### Details ##### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ##### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings. #### Severity Low #### References - [https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm](https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm) - [https://github.com/cloudflare/circl](https://github.com/cloudflare/circl) - [https://github.com/cloudflare/circl/tree/v1.6.1](https://github.com/cloudflare/circl/tree/v1.6.1) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-2x5j-vhc8-9cwm) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl [GHSA-2x5j-vhc8-9cwm](GHSA-2x5j-vhc8-9cwm) / [GO-2025-3754](https://pkg.go.dev/vuln/GO-2025-3754) <details> <summary>More information</summary> #### Details CIRCL-Fourq: Missing and wrong validation can lead to incorrect results in github.com/cloudflare/circl #### Severity Unknown #### References - [https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm](https://github.com/cloudflare/circl/security/advisories/GHSA-2x5j-vhc8-9cwm) - [https://github.com/cloudflare/circl/tree/v1.6.1](https://github.com/cloudflare/circl/tree/v1.6.1) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3754) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Release Notes <details> <summary>cloudflare/circl (github.com/cloudflare/circl)</summary> ### [`v1.6.1`](https://github.com/cloudflare/circl/releases/tag/v1.6.1): CIRCL v1.6.1 [Compare Source](cloudflare/circl@v1.6.0...v1.6.1) #### CIRCL v1.6.1 - Fixes some point checks on the FourQ curve. - Hybrid KEM fails on low-order points. ##### What's Changed - kem/hybrid: ensure X25519 hybrids fails with low order points by [@​Lekensteyn](https://github.com/Lekensteyn) in cloudflare/circl#541 - .github: Use native ARM64 builders instead of QEMU by [@​Lekensteyn](https://github.com/Lekensteyn) in cloudflare/circl#542 - Fixes several errors on twisted Edwards curves. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#545 - Release v1.6.1 by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#546 **Full Changelog**: cloudflare/circl@v1.6.0...v1.6.1 ### [`v1.6.0`](https://github.com/cloudflare/circl/releases/tag/v1.6.0): CIRCL v1.6.0 [Compare Source](cloudflare/circl@v1.5.0...v1.6.0) #### CIRCL v1.6.0 ##### New! - [Prio3](https://github.com/cloudflare/circl/blob/main/vdaf/prio3) Verifiable Distributed Aggregation Function ([draft-irtf-cfrg-vdaf](https://datatracker.ietf.org/doc/draft-irtf-cfrg-vdaf/)). - [X-Wing](https://github.com/cloudflare/circl/blob/main/kem/xwing): general-purpose hybrid post-quantum KEM ([draft-connolly-cfrg-xwing-kem](https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/)) ##### What's Changed - Add OIDs to ML-DSA by [@​bwesterb](https://github.com/bwesterb) in cloudflare/circl#519 - Adds Prio3 a set of verifiable distributed aggregation functions. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#522 - Run semgrep cronjob only in upstream repository. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#526 - X-Wing PQ/T hybrid by [@​bwesterb](https://github.com/bwesterb) in cloudflare/circl#471 - ckem: move crypto/elliptic to crypto/ecdh by [@​MingLLuo](https://github.com/MingLLuo) in cloudflare/circl#529 - hpke: Update HPKE code to use ecdh stdlib package. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#530 - prio3: Adds polynomial multiplication using NTT by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#532 - Add Prio3 in readme. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#527 ##### New Contributors - [@​MingLLuo](https://github.com/MingLLuo) made their first contribution in cloudflare/circl#529 **Full Changelog**: cloudflare/circl@v1.5.0...v1.6.0 ### [`v1.5.0`](https://github.com/cloudflare/circl/releases/tag/v1.5.0): CIRCL v1.5.0 [Compare Source](cloudflare/circl@v1.4.0...v1.5.0) ### CIRCL v1.5.0 **New:** ML-DSA, Module-Lattice-based Digital Signature Algorithm. ##### What's Changed - kem: add X25519MLKEM768 TLS hybrid KEM by [@​bwesterb](https://github.com/bwesterb) in cloudflare/circl#510 - Create semgrep.yml by [@​hrushikeshdeshpande](https://github.com/hrushikeshdeshpande) in cloudflare/circl#514 - repo: Some fixes reported by CodeQL by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#515 - Add ML-DSA (FIPS204) by [@​bwesterb](https://github.com/bwesterb) in cloudflare/circl#480 - sign/mldsa: Add test for ML-DSA signature verification. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#517 - Release v1.5.0 by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#518 ##### New Contributors - [@​hrushikeshdeshpande](https://github.com/hrushikeshdeshpande) made their first contribution in cloudflare/circl#514 **Full Changelog**: cloudflare/circl@v1.4.0...v1.5.0 ### [`v1.4.0`](https://github.com/cloudflare/circl/releases/tag/v1.4.0): CIRCL v1.4.0 [Compare Source](cloudflare/circl@v1.3.9...v1.4.0) ### CIRCL v1.4.0 ##### Changes New: ML-KEM compatible with FIPS-203. ##### Commit History - eddilithium3: fix typos by [@​bwesterb](https://github.com/bwesterb) in cloudflare/circl#503 - Add ML-KEM (FIPS 203). by [@​bwesterb](https://github.com/bwesterb) in cloudflare/circl#470 - Add ML-KEM decapsulation key check. by [@​bwesterb](https://github.com/bwesterb) in cloudflare/circl#507 - Preparing for release v1.4.0 by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#508 **Full Changelog**: cloudflare/circl@v1.3.9...v1.4.0 ### [`v1.3.9`](https://github.com/cloudflare/circl/releases/tag/v1.3.9): CIRCL v1.3.9 [Compare Source](cloudflare/circl@v1.3.8...v1.3.9) #### CIRCL v1.3.9 ##### Changes: - Fix bug on BLS12381 decoding elements. ##### Commit History - dilithium: fix typo by [@​bwesterb](https://github.com/bwesterb) in cloudflare/circl#498 - bls12381: Detects invalid prefix in G1 and G2 serialized elements by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#500 - Preparing CIRCL release v1.3.9 by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#501 **Full Changelog**: cloudflare/circl@v1.3.8...v1.3.9 ### [`v1.3.8`](https://github.com/cloudflare/circl/releases/tag/v1.3.8): CIRCL v1.3.8 [Compare Source](cloudflare/circl@v1.3.7...v1.3.8) ### CIRCL v1.3.8 #### New - BLS Signatures on top of BLS12-381. - Adopt faster squaring in pairings. - BlindRSA compliant with RFC9474. - (Verifiable) Secret Sharing compatible with the Group interface (elliptic curves). #### Notice - Update on cpabe/tkn20 ciphertexts, read more at https://github.com/cloudflare/circl/wiki/tkn20-Ciphertext-Format-(v1.3.8) ##### What's Changed - Implement Granger-Scott faster squaring in the cyclotomic subgroup. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#449 - Updates avo and CIRCL's own dependency. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#474 - Updating documentation for OPRF package. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#475 - group: removes order method from group interface by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#356 - zk/dleq: Adding DLEQ proofs for Qn, the subgroup of squares in (Z/nZ)\* by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#451 - Reduce x/crypto and x/sys versions to match Go 1.21 by [@​Lekensteyn](https://github.com/Lekensteyn) in cloudflare/circl#476 - Bump GitHub Actions versions and use Go 1.22 and 1.21 by [@​Lekensteyn](https://github.com/Lekensteyn) in cloudflare/circl#477 - Adding rule for constant values by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#478 - Add BLS signatures over BLS12-381 by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#446 - group: Implements Shamir and Feldman secret sharing. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#348 - blindrsa: add support for all variants of RFC9474 by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#479 - Explicitly installs Go with version before CodeQL analysis. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#481 - Bumps golangci-lint action by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#485 - ecc/bls12381: Ensures pairing operations don't overwrite their input by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#494 - Align to the `purego` build tag, removing `noasm` build tag by [@​mattyclarkson](https://github.com/mattyclarkson) in cloudflare/circl#492 - cpabe: Serializing ciphertext with 32-bit prefixes. by [@​armfazh](https://github.com/armfazh) in cloudflare/circl#490 ##### New Contributors - [@​mattyclarkson](https://github.com/mattyclarkson) made their first contribution in cloudflare/circl#492 **Full Changelog**: cloudflare/circl@v1.3.7...v1.3.8 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MC40OC40IiwidXBkYXRlZEluVmVyIjoiNDAuNDguNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/605 Reviewed-by: earl-warren <earl-warren@noreply.code.forgejo.org> Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note There are no complete test vectors for FIPS 204 yet. I propose we'll wait for that before we merge this. (The ACVP test vectors only test ML-DSA.Sign_internal.)Adds ML-DSA aka FIPS 204.
Tests against reference implementation and ACVP test vectors.
Keeps old Dilithium around in case it's used, but removes the AES modes.
Hooks Dilithium and ML-DSA into the generic signatures API. Removes the old Dilithium mode API.
Adds support for the ML-DSA randomised variant, but only via the package API — not generic signature API.
Does not add support for the HashML-DSA variants.