/src/openssl/crypto/ml_dsa/ml_dsa_sign.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2024-2026 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <openssl/core_dispatch.h> |
11 | | #include <openssl/core_names.h> |
12 | | #include <openssl/params.h> |
13 | | #include <openssl/rand.h> |
14 | | #include <openssl/err.h> |
15 | | #include <openssl/proverr.h> |
16 | | #include "internal/common.h" |
17 | | #include "internal/constant_time.h" |
18 | | #include "ml_dsa_local.h" |
19 | | #include "ml_dsa_key.h" |
20 | | #include "ml_dsa_matrix.h" |
21 | | #include "ml_dsa_sign.h" |
22 | | #include "ml_dsa_hash.h" |
23 | | |
24 | | #define ML_DSA_MAX_LAMBDA 256 /* bit strength for ML-DSA-87 */ |
25 | | |
26 | | /* |
27 | | * @brief Initialize a Signature object by pointing all of its objects to |
28 | | * preallocated blocks. The values passed for hint, z and |
29 | | * c_tilde values are not owned/freed by the |sig| object. |
30 | | * |
31 | | * @param sig The ML_DSA_SIG to initialize. |
32 | | * @param hint A preallocated array of |k| polynomial blocks |
33 | | * @param k The number of |hint| polynomials |
34 | | * @param z A preallocated array of |l| polynomial blocks |
35 | | * @param l The number of |z| polynomials |
36 | | * @param c_tilde A preallocated buffer |
37 | | * @param c_tilde_len The size of |c_tilde| |
38 | | */ |
39 | | static void signature_init(ML_DSA_SIG *sig, |
40 | | POLY *hint, uint32_t k, POLY *z, uint32_t l, |
41 | | uint8_t *c_tilde, size_t c_tilde_len) |
42 | 0 | { |
43 | 0 | vector_init(&sig->z, z, l); |
44 | 0 | vector_init(&sig->hint, hint, k); |
45 | 0 | sig->c_tilde = c_tilde; |
46 | 0 | sig->c_tilde_len = c_tilde_len; |
47 | 0 | } |
48 | | |
49 | | /* |
50 | | * @brief: Auxiliary functions to compute ML-DSA's MU. |
51 | | * This combines the steps of creating M' and concatenating it |
52 | | * to the Public Key Hash to obtain MU. |
53 | | * See FIPS 204 Algorithm 2 Step 10 (and algorithm 3 Step 5) as |
54 | | * well as Algorithm 7 Step 6 (and algorithm 8 Step 7) |
55 | | * |
56 | | * ML_DSA pure signatures are encoded as M' = 00 || ctx_len || ctx || msg |
57 | | * Where ctx is the empty string by default and ctx_len <= 255. |
58 | | * The message is appended to the encoded context. |
59 | | * Finally a public key hash is prepended, and the whole is hashed |
60 | | * to derive the mu value. |
61 | | * |
62 | | * @param key: A public or private ML-DSA key; |
63 | | * @param encode: if not set, assumes that M' is provided raw and the |
64 | | * following parameters are ignored. |
65 | | * @param ctx An optional context to add to the message encoding. |
66 | | * @param ctx_len The size of |ctx|. It must be in the range 0..255 |
67 | | * @returns an EVP_MD_CTX if the operation is successful, NULL otherwise. |
68 | | */ |
69 | | EVP_MD_CTX *ossl_ml_dsa_mu_init_int(EVP_MD *shake256_md, |
70 | | const uint8_t *tr, size_t tr_len, int encode, int prehash, |
71 | | const uint8_t *ctx, size_t ctx_len) |
72 | 0 | { |
73 | 0 | EVP_MD_CTX *md_ctx; |
74 | 0 | uint8_t itb[2]; |
75 | |
|
76 | 0 | md_ctx = EVP_MD_CTX_new(); |
77 | 0 | if (md_ctx == NULL) |
78 | 0 | return NULL; |
79 | | |
80 | | /* H(.. */ |
81 | 0 | if (!EVP_DigestInit_ex2(md_ctx, shake256_md, NULL)) |
82 | 0 | goto err; |
83 | | /* ..pk (= key->tr) */ |
84 | 0 | if (!EVP_DigestUpdate(md_ctx, tr, tr_len)) |
85 | 0 | goto err; |
86 | | /* M' = .. */ |
87 | 0 | if (encode) { |
88 | 0 | if (ctx_len > ML_DSA_MAX_CONTEXT_STRING_LEN) |
89 | 0 | goto err; |
90 | | /* IntegerToBytes(0, 1) .. */ |
91 | 0 | itb[0] = prehash ? 1 : 0; |
92 | | /* || IntegerToBytes(|ctx|, 1) || .. */ |
93 | 0 | itb[1] = (uint8_t)ctx_len; |
94 | 0 | if (!EVP_DigestUpdate(md_ctx, itb, 2)) |
95 | 0 | goto err; |
96 | | /* ctx || .. */ |
97 | 0 | if (!EVP_DigestUpdate(md_ctx, ctx, ctx_len)) |
98 | 0 | goto err; |
99 | | /* .. msg) will follow in update and final functions */ |
100 | 0 | } |
101 | | |
102 | 0 | return md_ctx; |
103 | | |
104 | 0 | err: |
105 | 0 | EVP_MD_CTX_free(md_ctx); |
106 | 0 | return NULL; |
107 | 0 | } |
108 | | |
109 | | EVP_MD_CTX *ossl_ml_dsa_mu_init(const ML_DSA_KEY *key, int encode, |
110 | | const uint8_t *ctx, size_t ctx_len) |
111 | 0 | { |
112 | 0 | if (key == NULL) |
113 | 0 | return NULL; |
114 | 0 | return ossl_ml_dsa_mu_init_int(key->shake256_md, key->tr, sizeof(key->tr), |
115 | 0 | encode, 0, ctx, ctx_len); |
116 | 0 | } |
117 | | |
118 | | /* |
119 | | * @brief: updates the internal ML-DSA hash with an additional message chunk. |
120 | | * |
121 | | * @param md_ctx: The hashing context |
122 | | * @param msg: The next message chunk |
123 | | * @param msg_len: The length of the msg buffer to process |
124 | | * @returns 1 on success, 0 on error |
125 | | */ |
126 | | int ossl_ml_dsa_mu_update(EVP_MD_CTX *md_ctx, const uint8_t *msg, size_t msg_len) |
127 | 0 | { |
128 | 0 | return EVP_DigestUpdate(md_ctx, msg, msg_len); |
129 | 0 | } |
130 | | |
131 | | /* |
132 | | * @brief: finalizes the internal ML-DSA hash |
133 | | * |
134 | | * @param md_ctx: The hashing context |
135 | | * @param mu: The output buffer for Mu |
136 | | * @param mu_len: The size of the output buffer |
137 | | * @returns 1 on success, 0 on error |
138 | | */ |
139 | | int ossl_ml_dsa_mu_finalize(EVP_MD_CTX *md_ctx, uint8_t *mu, size_t mu_len) |
140 | 0 | { |
141 | 0 | if (!ossl_assert(mu_len == ML_DSA_MU_BYTES)) { |
142 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); |
143 | 0 | return 0; |
144 | 0 | } |
145 | 0 | return EVP_DigestSqueeze(md_ctx, mu, mu_len); |
146 | 0 | } |
147 | | |
148 | | /* |
149 | | * @brief FIPS 204, Algorithm 7, ML-DSA.Sign_internal() |
150 | | * |
151 | | * This algorithm is decomposed in 2 steps, a set of functions to compute mu |
152 | | * and then the actual signing function. |
153 | | * |
154 | | * @param priv: The private ML-DSA key |
155 | | * @param mu: The pre-computed mu hash |
156 | | * @param mu_len: The length of the mu buffer |
157 | | * @param rnd: The random buffer |
158 | | * @param rnd_len: The length of the random buffer |
159 | | * @param out_sig: The output signature buffer |
160 | | * @returns 1 on success, 0 on error |
161 | | */ |
162 | | static int ml_dsa_sign_internal(const ML_DSA_KEY *priv, |
163 | | const uint8_t *mu, size_t mu_len, const uint8_t *rnd, size_t rnd_len, |
164 | | uint8_t *out_sig) |
165 | 0 | { |
166 | 0 | int ret = 0; |
167 | 0 | const ML_DSA_PARAMS *params = priv->params; |
168 | 0 | EVP_MD_CTX *md_ctx = NULL; |
169 | 0 | uint32_t k = (uint32_t)params->k, l = (uint32_t)params->l; |
170 | 0 | uint32_t gamma1 = params->gamma1, gamma2 = params->gamma2; |
171 | 0 | uint8_t *alloc = NULL, *w1_encoded; |
172 | 0 | size_t alloc_len, w1_encoded_len; |
173 | 0 | size_t num_polys_sig_k = 2 * k; |
174 | 0 | size_t num_polys_k = 5 * k; |
175 | 0 | size_t num_polys_l = 3 * l; |
176 | 0 | size_t num_polys_k_by_l = k * l; |
177 | 0 | POLY *p, *c_ntt; |
178 | 0 | VECTOR s1_ntt, s2_ntt, t0_ntt, w, w1, cs1, cs2, y; |
179 | 0 | MATRIX a_ntt; |
180 | 0 | ML_DSA_SIG sig; |
181 | 0 | uint8_t rho_prime[ML_DSA_RHO_PRIME_BYTES]; |
182 | 0 | uint8_t c_tilde[ML_DSA_MAX_LAMBDA / 4]; |
183 | 0 | size_t c_tilde_len = params->bit_strength >> 2; |
184 | 0 | size_t kappa; |
185 | |
|
186 | 0 | if (mu_len != ML_DSA_MU_BYTES) { |
187 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); |
188 | 0 | return 0; |
189 | 0 | } |
190 | | |
191 | | /* |
192 | | * Allocate a single blob for most of the variable size temporary variables. |
193 | | * Mostly used for VECTOR POLYNOMIALS (every POLY is 1K). |
194 | | */ |
195 | 0 | w1_encoded_len = k * (gamma2 == ML_DSA_GAMMA2_Q_MINUS1_DIV88 ? 192 : 128); |
196 | 0 | alloc_len = w1_encoded_len |
197 | 0 | + sizeof(*p) * (1 + num_polys_k + num_polys_l + num_polys_k_by_l + num_polys_sig_k); |
198 | 0 | alloc = OPENSSL_malloc(alloc_len); |
199 | 0 | if (alloc == NULL) |
200 | 0 | return 0; |
201 | 0 | md_ctx = EVP_MD_CTX_new(); |
202 | 0 | if (md_ctx == NULL) |
203 | 0 | goto err; |
204 | | |
205 | 0 | w1_encoded = alloc; |
206 | | /* Init the temp vectors to point to the allocated polys blob */ |
207 | 0 | p = (POLY *)(w1_encoded + w1_encoded_len); |
208 | 0 | c_ntt = p++; |
209 | 0 | matrix_init(&a_ntt, p, k, l); |
210 | 0 | p += num_polys_k_by_l; |
211 | 0 | vector_init(&s2_ntt, p, k); |
212 | 0 | vector_init(&t0_ntt, s2_ntt.poly + k, k); |
213 | 0 | vector_init(&w, t0_ntt.poly + k, k); |
214 | 0 | vector_init(&w1, w.poly + k, k); |
215 | 0 | vector_init(&cs2, w1.poly + k, k); |
216 | 0 | p += num_polys_k; |
217 | 0 | vector_init(&s1_ntt, p, l); |
218 | 0 | vector_init(&y, p + l, l); |
219 | 0 | vector_init(&cs1, p + 2 * l, l); |
220 | 0 | p += num_polys_l; |
221 | 0 | signature_init(&sig, p, k, p + k, l, c_tilde, c_tilde_len); |
222 | | /* End of the allocated blob setup */ |
223 | | |
224 | | /* |
225 | | * Mark the private key material as secret before we start computing with |
226 | | * it. Any control-flow branch or memory-index that transitively depends |
227 | | * on these bytes will be flagged by Valgrind when the library is built |
228 | | * with enable-ct-validation. |
229 | | */ |
230 | 0 | CONSTTIME_SECRET(priv->K, sizeof(priv->K)); |
231 | 0 | CONSTTIME_SECRET_VECTOR(priv->s1); |
232 | 0 | CONSTTIME_SECRET_VECTOR(priv->s2); |
233 | 0 | CONSTTIME_SECRET_VECTOR(priv->t0); |
234 | |
|
235 | 0 | if (!matrix_expand_A(md_ctx, priv->shake128_md, priv->rho, &a_ntt)) |
236 | 0 | goto err; |
237 | | |
238 | | /* |
239 | | * rho_prime is derived from the secret K and must remain tainted |
240 | | * throughout the rejection loop: knowing it would let an attacker |
241 | | * reconstruct every mask y and recover c*s1 = z - y from the final |
242 | | * signature. Do NOT declassify it. |
243 | | */ |
244 | 0 | if (!shake_xof_3(md_ctx, priv->shake256_md, priv->K, sizeof(priv->K), |
245 | 0 | rnd, rnd_len, mu, mu_len, |
246 | 0 | rho_prime, sizeof(rho_prime))) |
247 | 0 | goto err; |
248 | | |
249 | 0 | vector_copy(&s1_ntt, &priv->s1); |
250 | 0 | vector_ntt(&s1_ntt); |
251 | 0 | vector_copy(&s2_ntt, &priv->s2); |
252 | 0 | vector_ntt(&s2_ntt); |
253 | 0 | vector_copy(&t0_ntt, &priv->t0); |
254 | 0 | vector_ntt(&t0_ntt); |
255 | | |
256 | | /* |
257 | | * kappa must not exceed 2^16. But the probability of it |
258 | | * exceeding even 1000 iterations is vanishingly small. |
259 | | */ |
260 | 0 | for (kappa = 0;; kappa += l) { |
261 | 0 | VECTOR *y_ntt = &cs1; |
262 | 0 | VECTOR *r0 = &w1; |
263 | 0 | VECTOR *ct0 = &w1; |
264 | 0 | uint32_t z_max, r0_max, ct0_max, h_ones; |
265 | |
|
266 | 0 | vector_expand_mask(&y, rho_prime, sizeof(rho_prime), (uint32_t)kappa, |
267 | 0 | gamma1, md_ctx, priv->shake256_md); |
268 | 0 | vector_copy(y_ntt, &y); |
269 | 0 | vector_ntt(y_ntt); |
270 | |
|
271 | 0 | matrix_mult_vector(&a_ntt, y_ntt, &w); |
272 | 0 | vector_ntt_inverse(&w); |
273 | |
|
274 | 0 | vector_high_bits(&w, gamma2, &w1); |
275 | 0 | ossl_ml_dsa_w1_encode(&w1, gamma2, w1_encoded, w1_encoded_len); |
276 | |
|
277 | 0 | if (!shake_xof_2(md_ctx, priv->shake256_md, mu, mu_len, |
278 | 0 | w1_encoded, w1_encoded_len, c_tilde, c_tilde_len)) |
279 | 0 | break; |
280 | | |
281 | 0 | if (!poly_sample_in_ball_ntt(c_ntt, c_tilde, (int)c_tilde_len, |
282 | 0 | md_ctx, priv->shake256_md, params->tau)) |
283 | 0 | break; |
284 | | |
285 | 0 | vector_mult_scalar(&s1_ntt, c_ntt, &cs1); |
286 | 0 | vector_ntt_inverse(&cs1); |
287 | 0 | vector_mult_scalar(&s2_ntt, c_ntt, &cs2); |
288 | 0 | vector_ntt_inverse(&cs2); |
289 | |
|
290 | 0 | vector_add(&y, &cs1, &sig.z); |
291 | | |
292 | | /* r0 = lowbits(w - cs2) */ |
293 | 0 | vector_sub(&w, &cs2, r0); |
294 | 0 | vector_low_bits(r0, gamma2, r0); |
295 | | |
296 | | /* |
297 | | * Leaking that the signature is rejected is fine: the next attempt |
298 | | * is (indistinguishable from) independent of this one, so an |
299 | | * observer learns nothing about the secret key beyond the number of |
300 | | * iterations, which is itself safe to reveal. |
301 | | * Declassify the bound-check output so that Valgrind does not flag |
302 | | * these intentional leaks. |
303 | | */ |
304 | 0 | z_max = vector_max(&sig.z); |
305 | 0 | r0_max = vector_max_signed(r0); |
306 | 0 | if (constant_time_declassify_u32( |
307 | 0 | constant_time_ge(z_max, gamma1 - params->beta) |
308 | 0 | | constant_time_ge(r0_max, gamma2 - params->beta))) |
309 | 0 | continue; |
310 | | |
311 | 0 | vector_mult_scalar(&t0_ntt, c_ntt, ct0); |
312 | 0 | vector_ntt_inverse(ct0); |
313 | 0 | vector_make_hint(ct0, &cs2, &w, gamma2, &sig.hint); |
314 | |
|
315 | 0 | ct0_max = vector_max(ct0); |
316 | 0 | h_ones = (uint32_t)vector_count_ones(&sig.hint); |
317 | | /* Same reasoning applies to the leak as above */ |
318 | 0 | if (constant_time_declassify_u32( |
319 | 0 | constant_time_ge(ct0_max, gamma2) |
320 | 0 | | constant_time_lt(params->omega, h_ones))) |
321 | 0 | continue; |
322 | | |
323 | | /* |
324 | | * The iteration has passed both rejection tests: the signature is |
325 | | * accepted. Declassify all three public outputs before encoding. |
326 | | * |
327 | | * sig.z and sig.hint were computed from secret key material (s1, |
328 | | * s2, t0) and carry taint, but the rejection checks above have |
329 | | * verified they lie within the ranges required by the security |
330 | | * proof, so they reveal nothing about the key. |
331 | | * |
332 | | * c_tilde = H(mu || w1) carries taint that propagated from the |
333 | | * secret rho_prime through y → w → w1. It is the Fiat-Shamir |
334 | | * challenge commitment and is published as part of the signature. |
335 | | * We defer its declassification to here (rather than immediately |
336 | | * after the SHAKE call) so that Valgrind can check that |
337 | | * poly_sample_in_ball_ntt and the NTT challenge arithmetic are |
338 | | * data-oblivious with respect to their tainted inputs. |
339 | | */ |
340 | 0 | CONSTTIME_DECLASSIFY(c_tilde, c_tilde_len); |
341 | 0 | CONSTTIME_DECLASSIFY_VECTOR(sig.z); |
342 | 0 | CONSTTIME_DECLASSIFY_VECTOR(sig.hint); |
343 | |
|
344 | 0 | ret = ossl_ml_dsa_sig_encode(&sig, params, out_sig); |
345 | 0 | break; |
346 | 0 | } |
347 | 0 | err: |
348 | 0 | EVP_MD_CTX_free(md_ctx); |
349 | 0 | OPENSSL_clear_free(alloc, alloc_len); |
350 | 0 | OPENSSL_cleanse(rho_prime, sizeof(rho_prime)); |
351 | | /* |
352 | | * Declassify the private key material before returning. The key struct |
353 | | * is not owned here, so we do not free it, but we must remove the |
354 | | * "secret" taint so that the caller does not inherit spurious Valgrind |
355 | | * "uninitialised" state. The polynomial data in |alloc| was already |
356 | | * zeroed and freed above; rho_prime is stack-allocated and cleansed. |
357 | | */ |
358 | 0 | CONSTTIME_DECLASSIFY(priv->K, sizeof(priv->K)); |
359 | 0 | CONSTTIME_DECLASSIFY_VECTOR(priv->s1); |
360 | 0 | CONSTTIME_DECLASSIFY_VECTOR(priv->s2); |
361 | 0 | CONSTTIME_DECLASSIFY_VECTOR(priv->t0); |
362 | 0 | return ret; |
363 | 0 | } |
364 | | |
365 | | /* |
366 | | * @brief FIPS 204, Algorithm 8, ML-DSA.Verify_internal(). |
367 | | * |
368 | | * This algorithm is decomposed in 2 steps, a set of functions to compute mu |
369 | | * and then the actual verification function. |
370 | | * |
371 | | * @param pub: The public ML-DSA key |
372 | | * @param mu: The pre-computed mu hash |
373 | | * @param mu_len: The length of the mu buffer |
374 | | * @param sig_enc: The encoded signature to be verified |
375 | | * @param sig_enc_len: the encoded csignature length |
376 | | * @returns 1 on success, 0 on error |
377 | | */ |
378 | | static int ml_dsa_verify_internal(const ML_DSA_KEY *pub, |
379 | | const uint8_t *mu, size_t mu_len, |
380 | | const uint8_t *sig_enc, size_t sig_enc_len) |
381 | 0 | { |
382 | 0 | int ret = 0; |
383 | 0 | uint8_t *alloc = NULL, *w1_encoded; |
384 | 0 | POLY *p, *c_ntt; |
385 | 0 | MATRIX a_ntt; |
386 | 0 | VECTOR az_ntt, ct1_ntt, *z_ntt, *w1, *w_approx; |
387 | 0 | ML_DSA_SIG sig; |
388 | 0 | const ML_DSA_PARAMS *params = pub->params; |
389 | 0 | uint32_t k = (uint32_t)pub->params->k; |
390 | 0 | uint32_t l = (uint32_t)pub->params->l; |
391 | 0 | uint32_t gamma2 = params->gamma2; |
392 | 0 | size_t w1_encoded_len; |
393 | 0 | size_t num_polys_sig = k + l; |
394 | 0 | size_t num_polys_k = 2 * k; |
395 | 0 | size_t num_polys_l = 1 * l; |
396 | 0 | size_t num_polys_k_by_l = k * l; |
397 | 0 | uint8_t c_tilde[ML_DSA_MAX_LAMBDA / 4]; |
398 | 0 | uint8_t c_tilde_sig[ML_DSA_MAX_LAMBDA / 4]; |
399 | 0 | EVP_MD_CTX *md_ctx = NULL; |
400 | 0 | size_t c_tilde_len = params->bit_strength >> 2; |
401 | 0 | uint32_t z_max; |
402 | | |
403 | | /* FIPS 204 compliance: Also validate signature length before decoding */ |
404 | 0 | if (mu_len != ML_DSA_MU_BYTES || sig_enc_len != params->sig_len) { |
405 | 0 | ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); |
406 | 0 | return 0; |
407 | 0 | } |
408 | | |
409 | | /* Allocate space for all the POLYNOMIALS used by temporary VECTORS */ |
410 | 0 | w1_encoded_len = k * (gamma2 == ML_DSA_GAMMA2_Q_MINUS1_DIV88 ? 192 : 128); |
411 | 0 | alloc = OPENSSL_malloc(w1_encoded_len |
412 | 0 | + sizeof(*p) * (1 + num_polys_k + num_polys_l + num_polys_k_by_l + num_polys_sig)); |
413 | 0 | if (alloc == NULL) |
414 | 0 | return 0; |
415 | 0 | md_ctx = EVP_MD_CTX_new(); |
416 | 0 | if (md_ctx == NULL) |
417 | 0 | goto err; |
418 | | |
419 | 0 | w1_encoded = alloc; |
420 | | /* Init the temp vectors to point to the allocated polys blob */ |
421 | 0 | p = (POLY *)(w1_encoded + w1_encoded_len); |
422 | 0 | c_ntt = p++; |
423 | 0 | matrix_init(&a_ntt, p, k, l); |
424 | 0 | p += num_polys_k_by_l; |
425 | 0 | signature_init(&sig, p, k, p + k, l, c_tilde_sig, c_tilde_len); |
426 | 0 | p += num_polys_sig; |
427 | 0 | vector_init(&az_ntt, p, k); |
428 | 0 | vector_init(&ct1_ntt, p + k, k); |
429 | |
|
430 | 0 | if (!ossl_ml_dsa_sig_decode(&sig, sig_enc, sig_enc_len, pub->params) |
431 | 0 | || !matrix_expand_A(md_ctx, pub->shake128_md, pub->rho, &a_ntt)) |
432 | 0 | goto err; |
433 | | |
434 | | /* Compute verifiers challenge c_ntt = NTT(SampleInBall(c_tilde)) */ |
435 | 0 | if (!poly_sample_in_ball_ntt(c_ntt, c_tilde_sig, (int)c_tilde_len, |
436 | 0 | md_ctx, pub->shake256_md, params->tau)) |
437 | 0 | goto err; |
438 | | |
439 | | /* ct1_ntt = NTT(c) * NTT(t1 * 2^d) */ |
440 | 0 | vector_scale_power2_round_ntt(&pub->t1, &ct1_ntt); |
441 | 0 | vector_mult_scalar(&ct1_ntt, c_ntt, &ct1_ntt); |
442 | | |
443 | | /* compute z_max early in order to reuse sig.z */ |
444 | 0 | z_max = vector_max(&sig.z); |
445 | | |
446 | | /* w_approx = NTT_inverse(A * NTT(z) - ct1_ntt) */ |
447 | 0 | z_ntt = &sig.z; |
448 | 0 | vector_ntt(z_ntt); |
449 | 0 | matrix_mult_vector(&a_ntt, z_ntt, &az_ntt); |
450 | 0 | w_approx = &az_ntt; |
451 | 0 | vector_sub(&az_ntt, &ct1_ntt, w_approx); |
452 | 0 | vector_ntt_inverse(w_approx); |
453 | | |
454 | | /* compute w1_encoded */ |
455 | 0 | w1 = w_approx; |
456 | 0 | vector_use_hint(&sig.hint, w_approx, gamma2, w1); |
457 | 0 | ossl_ml_dsa_w1_encode(w1, gamma2, w1_encoded, w1_encoded_len); |
458 | |
|
459 | 0 | if (!shake_xof_3(md_ctx, pub->shake256_md, mu, mu_len, |
460 | 0 | w1_encoded, w1_encoded_len, NULL, 0, c_tilde, c_tilde_len)) |
461 | 0 | goto err; |
462 | | |
463 | 0 | ret = (z_max < (uint32_t)(params->gamma1 - params->beta)) |
464 | 0 | && memcmp(c_tilde, sig.c_tilde, c_tilde_len) == 0; |
465 | 0 | err: |
466 | 0 | OPENSSL_free(alloc); |
467 | 0 | EVP_MD_CTX_free(md_ctx); |
468 | 0 | return ret; |
469 | 0 | } |
470 | | |
471 | | /** |
472 | | * See FIPS 204 Section 5.2 Algorithm 2 ML-DSA.Sign() |
473 | | * |
474 | | * @returns 1 on success, or 0 on error. |
475 | | */ |
476 | | int ossl_ml_dsa_sign(const ML_DSA_KEY *priv, |
477 | | int msg_is_mu, const uint8_t *msg, size_t msg_len, |
478 | | const uint8_t *context, size_t context_len, |
479 | | const uint8_t *rand, size_t rand_len, int encode, |
480 | | unsigned char *sig, size_t *sig_len, size_t sig_size) |
481 | 0 | { |
482 | 0 | EVP_MD_CTX *md_ctx = NULL; |
483 | 0 | uint8_t mu[ML_DSA_MU_BYTES]; |
484 | 0 | const uint8_t *mu_ptr = mu; |
485 | 0 | size_t mu_len = sizeof(mu); |
486 | 0 | int ret = 0; |
487 | |
|
488 | 0 | if (ossl_ml_dsa_key_get_priv(priv) == NULL) |
489 | 0 | return 0; |
490 | | |
491 | 0 | if (sig_len != NULL) |
492 | 0 | *sig_len = priv->params->sig_len; |
493 | |
|
494 | 0 | if (sig == NULL) |
495 | 0 | return (sig_len != NULL) ? 1 : 0; |
496 | | |
497 | 0 | if (sig_size < priv->params->sig_len) |
498 | 0 | return 0; |
499 | | |
500 | 0 | if (msg_is_mu) { |
501 | 0 | mu_ptr = msg; |
502 | 0 | mu_len = msg_len; |
503 | 0 | } else { |
504 | 0 | md_ctx = ossl_ml_dsa_mu_init(priv, encode, context, context_len); |
505 | 0 | if (md_ctx == NULL) |
506 | 0 | return 0; |
507 | | |
508 | 0 | if (!ossl_ml_dsa_mu_update(md_ctx, msg, msg_len)) |
509 | 0 | goto err; |
510 | | |
511 | 0 | if (!ossl_ml_dsa_mu_finalize(md_ctx, mu, mu_len)) |
512 | 0 | goto err; |
513 | 0 | } |
514 | | |
515 | 0 | ret = ml_dsa_sign_internal(priv, mu_ptr, mu_len, rand, rand_len, sig); |
516 | |
|
517 | 0 | err: |
518 | 0 | EVP_MD_CTX_free(md_ctx); |
519 | 0 | return ret; |
520 | 0 | } |
521 | | |
522 | | /** |
523 | | * See FIPS 203 Section 5.3 Algorithm 3 ML-DSA.Verify() |
524 | | * @returns 1 on success, or 0 on error. |
525 | | */ |
526 | | int ossl_ml_dsa_verify(const ML_DSA_KEY *pub, |
527 | | int msg_is_mu, const uint8_t *msg, size_t msg_len, |
528 | | const uint8_t *context, size_t context_len, int encode, |
529 | | const uint8_t *sig, size_t sig_len) |
530 | 0 | { |
531 | 0 | EVP_MD_CTX *md_ctx = NULL; |
532 | 0 | uint8_t mu[ML_DSA_MU_BYTES]; |
533 | 0 | const uint8_t *mu_ptr = mu; |
534 | 0 | size_t mu_len = sizeof(mu); |
535 | 0 | int ret = 0; |
536 | |
|
537 | 0 | if (ossl_ml_dsa_key_get_pub(pub) == NULL) |
538 | 0 | return 0; |
539 | | |
540 | 0 | if (msg_is_mu) { |
541 | 0 | mu_ptr = msg; |
542 | 0 | mu_len = msg_len; |
543 | 0 | } else { |
544 | 0 | md_ctx = ossl_ml_dsa_mu_init(pub, encode, context, context_len); |
545 | 0 | if (md_ctx == NULL) |
546 | 0 | return 0; |
547 | | |
548 | 0 | if (!ossl_ml_dsa_mu_update(md_ctx, msg, msg_len)) |
549 | 0 | goto err; |
550 | | |
551 | 0 | if (!ossl_ml_dsa_mu_finalize(md_ctx, mu, mu_len)) |
552 | 0 | goto err; |
553 | 0 | } |
554 | | |
555 | 0 | ret = ml_dsa_verify_internal(pub, mu_ptr, mu_len, sig, sig_len); |
556 | 0 | err: |
557 | 0 | EVP_MD_CTX_free(md_ctx); |
558 | 0 | return ret; |
559 | 0 | } |