Commit 64edccea authored by Eric Biggers's avatar Eric Biggers
Browse files

lib/crypto: Add ML-DSA verification support 

Add support for verifying ML-DSA signatures.

ML-DSA (Module-Lattice-Based Digital Signature Algorithm) is specified
in FIPS 204 and is the standard version of Dilithium.  Unlike RSA and
elliptic-curve cryptography, ML-DSA is believed to be secure even
against adversaries in possession of a large-scale quantum computer.

Compared to the earlier patch
(https://lore.kernel.org/r/20251117145606.2155773-3-dhowells@redhat.com/

)
that was based on "leancrypto", this implementation:

  - Is about 700 lines of source code instead of 4800.

  - Generates about 4 KB of object code instead of 28 KB.

  - Uses 9-13 KB of memory to verify a signature instead of 31-84 KB.

  - Is at least about the same speed, with a microbenchmark showing 3-5%
    improvements on one x86_64 CPU and -1% to 1% changes on another.
    When memory is a bottleneck, it's likely much faster.

  - Correctly implements the RejNTTPoly step of the algorithm.

The API just consists of a single function mldsa_verify(), supporting
pure ML-DSA with any standard parameter set (ML-DSA-44, ML-DSA-65, or
ML-DSA-87) as selected by an enum.  That's all that's actually needed.

The following four potential features are unneeded and aren't included.
However, any that ever become needed could fairly easily be added later,
as they only affect how the message representative mu is calculated:

  - Nonempty context strings
  - Incremental message hashing
  - HashML-DSA
  - External mu

Signing support would, of course, be a larger and more complex addition.
However, the kernel doesn't, and shouldn't, need ML-DSA signing support.

Note that mldsa_verify() allocates memory, so it can sleep and can fail
with ENOMEM.  Unfortunately we don't have much choice about that, since
ML-DSA needs a lot of memory.  At least callers have to check for errors
anyway, since the signature could be invalid.

Note that verification doesn't require constant-time code, and in fact
some steps are inherently variable-time.  I've used constant-time
patterns in some places anyway, but technically they're not needed.

Reviewed-by: default avatarDavid Howells <dhowells@redhat.com>
Tested-by: default avatarDavid Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/r/20251214181712.29132-2-ebiggers@kernel.org


Signed-off-by: default avatarEric Biggers <ebiggers@kernel.org>
parent 0f61b186

include/crypto/mldsa.h

0 → 100644
+60 −0
Original line number Diff line number Diff line 
/* SPDX-License-Identifier: GPL-2.0-or-later */

/*

 * Support for verifying ML-DSA signatures

 *

 * Copyright 2025 Google LLC

 */

#ifndef _CRYPTO_MLDSA_H

#define _CRYPTO_MLDSA_H



#include <linux/types.h>



/* Identifier for an ML-DSA parameter set */

enum mldsa_alg {

	MLDSA44, /* ML-DSA-44 */

	MLDSA65, /* ML-DSA-65 */

	MLDSA87, /* ML-DSA-87 */

};



/* Lengths of ML-DSA public keys and signatures in bytes */

#define MLDSA44_PUBLIC_KEY_SIZE 1312

#define MLDSA65_PUBLIC_KEY_SIZE 1952

#define MLDSA87_PUBLIC_KEY_SIZE 2592

#define MLDSA44_SIGNATURE_SIZE 2420

#define MLDSA65_SIGNATURE_SIZE 3309

#define MLDSA87_SIGNATURE_SIZE 4627



/**

 * mldsa_verify() - Verify an ML-DSA signature

 * @alg: The ML-DSA parameter set to use

 * @sig: The signature

 * @sig_len: Length of the signature in bytes.  Should match the

 *	     MLDSA*_SIGNATURE_SIZE constant associated with @alg,

 *	     otherwise -EBADMSG will be returned.

 * @msg: The message

 * @msg_len: Length of the message in bytes

 * @pk: The public key

 * @pk_len: Length of the public key in bytes.  Should match the

 *	    MLDSA*_PUBLIC_KEY_SIZE constant associated with @alg,

 *	    otherwise -EBADMSG will be returned.

 *

 * This verifies a signature using pure ML-DSA with the specified parameter set.

 * The context string is assumed to be empty.

 *

 * Context: Might sleep

 *

 * Return:

 * * 0 if the signature is valid

 * * -EBADMSG if the signature and/or public key is malformed

 * * -EKEYREJECTED if the signature is invalid but otherwise well-formed

 * * -ENOMEM if out of memory so the validity of the signature is unknown

 */

int mldsa_verify(enum mldsa_alg alg, const u8 *sig, size_t sig_len,

		 const u8 *msg, size_t msg_len, const u8 *pk, size_t pk_len);



#if IS_ENABLED(CONFIG_CRYPTO_LIB_MLDSA_KUNIT_TEST)

/* Internal function, exposed only for unit testing */

s32 mldsa_use_hint(u8 h, s32 r, s32 gamma2);

#endif



#endif /* _CRYPTO_MLDSA_H */

lib/crypto/Kconfig

+7 −0
Original line number Diff line number Diff line
@@ -101,6 +101,13 @@ config CRYPTO_LIB_MD5_ARCH 
	default y if PPC

	default y if SPARC64



config CRYPTO_LIB_MLDSA

	tristate

	select CRYPTO_LIB_SHA3

	help

	  The ML-DSA library functions.  Select this if your module uses any of

	  the functions from <crypto/mldsa.h>.



config CRYPTO_LIB_POLY1305

	tristate

	help

lib/crypto/Makefile

+5 −0
Original line number Diff line number Diff line
@@ -126,6 +126,11 @@ endif # CONFIG_CRYPTO_LIB_MD5_ARCH 


################################################################################



obj-$(CONFIG_CRYPTO_LIB_MLDSA) += libmldsa.o

libmldsa-y := mldsa.o



################################################################################



obj-$(CONFIG_CRYPTO_LIB_POLY1305) += libpoly1305.o

libpoly1305-y := poly1305.o

ifeq ($(CONFIG_ARCH_SUPPORTS_INT128),y)

lib/crypto/mldsa.c

0 → 100644
+652 −0

File added.

Preview size limit exceeded, changes collapsed.