diff --git a/BIBLIOGRAPHY.md b/BIBLIOGRAPHY.md
index 4cc0a0472..d58edc876 100644
--- a/BIBLIOGRAPHY.md
+++ b/BIBLIOGRAPHY.md
@@ -48,6 +48,7 @@ source code and documentation.
 - [mldsa/config.h](mldsa/config.h)
 - [mldsa/fips202/fips202.c](mldsa/fips202/fips202.c)
 - [mldsa/fips202/fips202x4.c](mldsa/fips202/fips202x4.c)
+ - [mldsa/mldsa_native.h](mldsa/mldsa_native.h)
 - [mldsa/ntt.h](mldsa/ntt.h)
 - [mldsa/poly.c](mldsa/poly.c)
 - [mldsa/polyvec.c](mldsa/polyvec.c)
diff --git a/examples/basic/Makefile b/examples/basic/Makefile
index f674b31e4..02ff114ca 100644
--- a/examples/basic/Makefile
+++ b/examples/basic/Makefile
@@ -69,8 +69,7 @@ CFLAGS := \
 -O3 \
 $(CFLAGS)
 
-# Use the default namespace prefix from config.h
-# CFLAGS += -DMLD_CONFIG_NAMESPACE_PREFIX=mldsa
+CFLAGS += -DMLD_CONFIG_NAMESPACE_PREFIX=mldsa
 
 BINARY_NAME_FULL_44=$(BUILD_DIR)/$(BIN)44
 BINARY_NAME_FULL_65=$(BUILD_DIR)/$(BIN)65
diff --git a/examples/basic/main.c b/examples/basic/main.c
index 5a1373449..9307834f9 100644
--- a/examples/basic/main.c
+++ b/examples/basic/main.c
@@ -13,8 +13,9 @@
 * This requires specifying the parameter set and namespace prefix
 * used for the build.
 */
-
-#include "../../mldsa/sign.h"
+#define MLD_CONFIG_API_PARAMETER_SET MLD_CONFIG_PARAMETER_SET
+#define MLD_CONFIG_API_NAMESPACE_PREFIX mldsa
+#include "../../mldsa/mldsa_native.h"
 
 #include "expected_signatures.h"
 #include "test_only_rng/notrandombytes.h"
diff --git a/integration/liboqs/ML-DSA-44_META.yml b/integration/liboqs/ML-DSA-44_META.yml
index 24ae1156b..93ed6c5ef 100644
--- a/integration/liboqs/ML-DSA-44_META.yml
+++ b/integration/liboqs/ML-DSA-44_META.yml
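Review bot: The namespace prefix now has to be spelled identically in two places, `-DMLD_CONFIG_NAMESPACE_PREFIX=mldsa` in examples/basic/Makefile and `#define MLD_CONFIG_API_NAMESPACE_PREFIX mldsa` in main.c, and nothing on either side records the coupling; a mismatch would presumably surface only as unresolved `mldsa_*` symbols at link time. A one-line comment above the define, `/* Must match MLD_CONFIG_NAMESPACE_PREFIX passed by the Makefile */`, would make that visible. The comment block above the hunk already says the parameter set and prefix must be specified for the build, so extending that sentence to name the Makefile variable would serve the same purpose.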
@@ -30,9 +30,10 @@ implementations: api-with-context-string: true sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h - mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c - mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h - mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc + mldsa/mldsa_native.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h + mldsa/poly.c mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h + mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h + mldsa/zetas.inc - name: x86_64 version: FIPS204 folder_name: . @@ -43,10 +44,10 @@ implementations: api-with-context-string: true sources: integration/liboqs/config_x86_64.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h - mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c - mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h - mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h - mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64 + mldsa/mldsa_native.h mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h + mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c + mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c + mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64 supported_platforms: - architecture: x86_64 operating_systems: 
@@ -66,10 +67,10 @@ implementations: api-with-context-string: true sources: integration/liboqs/config_aarch64.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h - mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c - mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h - mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h - mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64 + mldsa/mldsa_native.h mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h + mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c + mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c + mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64 supported_platforms: - architecture: arm_8 operating_systems: diff --git a/integration/liboqs/ML-DSA-65_META.yml b/integration/liboqs/ML-DSA-65_META.yml index c09815c67..8bbdb770c 100644 --- a/integration/liboqs/ML-DSA-65_META.yml +++ b/integration/liboqs/ML-DSA-65_META.yml 
@@ -30,9 +30,10 @@ implementations: api-with-context-string: true sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h - mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c - mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h - mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc + mldsa/mldsa_native.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h + mldsa/poly.c mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h + mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h + mldsa/zetas.inc - name: x86_64 version: FIPS204 folder_name: . @@ -43,10 +44,10 @@ implementations: api-with-context-string: true sources: integration/liboqs/config_x86_64.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h - mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c - mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h - mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h - mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64 + mldsa/mldsa_native.h mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h + mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c + mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c + mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64 supported_platforms: - architecture: x86_64 operating_systems: 
@@ -66,10 +67,10 @@ implementations: api-with-context-string: true sources: integration/liboqs/config_aarch64.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h - mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c - mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h - mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h - mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64 + mldsa/mldsa_native.h mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h + mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c + mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c + mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64 supported_platforms: - architecture: arm_8 operating_systems: diff --git a/integration/liboqs/ML-DSA-87_META.yml b/integration/liboqs/ML-DSA-87_META.yml index a990119d0..7906deb17 100644 --- a/integration/liboqs/ML-DSA-87_META.yml +++ b/integration/liboqs/ML-DSA-87_META.yml 
@@ -30,9 +30,10 @@ implementations: api-with-context-string: true sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h - mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c - mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h - mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc + mldsa/mldsa_native.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h + mldsa/poly.c mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h + mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h + mldsa/zetas.inc - name: x86_64 version: FIPS204 folder_name: . @@ -43,10 +44,10 @@ implementations: api-with-context-string: true sources: integration/liboqs/config_x86_64.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h - mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c - mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h - mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h - mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64 + mldsa/mldsa_native.h mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h + mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c + mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c + mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64 supported_platforms: - architecture: x86_64 operating_systems: 
@@ -65,10 +66,10 @@ implementations: api-with-context-string: true sources: integration/liboqs/config_aarch64.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h - mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c - mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c mldsa/polyvec.h - mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h - mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64 + mldsa/mldsa_native.h mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h + mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/polyvec.c + mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c + mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64 supported_platforms: - architecture: arm_8 operating_systems: diff --git a/mldsa/mldsa_native.h b/mldsa/mldsa_native.h new file mode 100644 index 000000000..d49d086d2 --- /dev/null +++ b/mldsa/mldsa_native.h 
@@ -0,0 +1,449 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/* References
+ * ==========
+ *
+ * - [FIPS204]
+ * FIPS 204 Module-Lattice-Based Digital Signature Standard
+ * National Institute of Standards and Technology
+ * https://csrc.nist.gov/pubs/fips/204/final
+ */
+
+#ifndef MLD_MLDSA_NATIVE_H
+#define MLD_MLDSA_NATIVE_H
+
+/******************************************************************************
+ *
+ * Public API for mldsa-native
+ *
+ * This header defines the public API of a single build of mldsa-native.
+ *
+ * # Examples
+ *
+ * See [examples/basic] for examples of how to use this header.
+ *
+ * # Usage
+ *
+ * To use this header, configure the following options:
+ *
+ * - MLD_CONFIG_API_PARAMETER_SET [required]
+ *
+ * The parameter set used for the build; 44, 65, or 87.
+ *
+ * - MLD_CONFIG_API_NAMESPACE_PREFIX [required]
+ *
+ * The namespace prefix used for the build.
+ *
+ * NOTE:
+ * For a multi-level build, you must include the 44/65/87 suffixes
+ * in MLD_CONFIG_API_NAMESPACE_PREFIX.
+ *
+ * - MLD_CONFIG_API_NO_SUPERCOP [optional]
+ *
+ * By default, this header will also expose the mldsa-native API in the
+ * SUPERCOP naming convention crypto_sign_xxx. If you don't want/need this,
+ * set MLD_CONFIG_API_NO_SUPERCOP. You must set this for a multi-level build.
+ *
+ * - MLD_CONFIG_API_CONSTANTS_ONLY [optional]
+ *
+ * If you don't want this header to expose any function declarations,
+ * but only constants for the sizes of key material, set
+ * MLD_CONFIG_API_CONSTANTS_ONLY. In this case, you don't need to set
+ * MLD_CONFIG_API_PARAMETER_SET or MLD_CONFIG_API_NAMESPACE_PREFIX,
+ * nor include a configuration.
+ *
+ * # Multi-level builds
+ *
+ * This header specifies a build of mldsa-native for a fixed security level.
+ * If you need multiple builds, e.g. to build a library offering multiple
+ * security levels, you need multiple instances of this header.
+ *
+ * NOTE: In this case, you must rename or #undef the MLD_H header guard
+ * prior to subsequent inclusions of this file.
+ *
+ ******************************************************************************/
+
+/******************************* Key sizes ************************************/
+
+/* Sizes of cryptographic material, per parameter set */
+/* See mldsa/params.h for the arithmetic expressions giving rise to these */
+/* check-magic: off */
+#define MLDSA44_SECRETKEYBYTES 2560
+#define MLDSA44_PUBLICKEYBYTES 1312
+#define MLDSA44_BYTES 2420
+
+#define MLDSA65_SECRETKEYBYTES 4032
+#define MLDSA65_PUBLICKEYBYTES 1952
+#define MLDSA65_BYTES 3309
+
+#define MLDSA87_SECRETKEYBYTES 4896
+#define MLDSA87_PUBLICKEYBYTES 2592
+#define MLDSA87_BYTES 4627
+/* check-magic: on */
+
+/* Size of seed and randomness in bytes (level-independent) */
+#define MLDSA_SEEDBYTES 32
+#define MLDSA44_SEEDBYTES MLDSA_SEEDBYTES
+#define MLDSA65_SEEDBYTES MLDSA_SEEDBYTES
+#define MLDSA87_SEEDBYTES MLDSA_SEEDBYTES
+
+/* Size of CRH output in bytes (level-independent) */
+#define MLDSA_CRHBYTES 64
+#define MLDSA44_CRHBYTES MLDSA_CRHBYTES
+#define MLDSA65_CRHBYTES MLDSA_CRHBYTES
+#define MLDSA87_CRHBYTES MLDSA_CRHBYTES
+
+/* Size of TR output in bytes (level-independent) */
+#define MLDSA_TRBYTES 64
+#define MLDSA44_TRBYTES MLDSA_TRBYTES
+#define MLDSA65_TRBYTES MLDSA_TRBYTES
+#define MLDSA87_TRBYTES MLDSA_TRBYTES
+
+/* Size of randomness for signing in bytes (level-independent) */
+#define MLDSA_RNDBYTES 32
+#define MLDSA44_RNDBYTES MLDSA_RNDBYTES
+#define MLDSA65_RNDBYTES MLDSA_RNDBYTES
+#define MLDSA87_RNDBYTES MLDSA_RNDBYTES
+
+/* Sizes of cryptographic material, as a function of LVL=44,65,87 */
+#define MLDSA_SECRETKEYBYTES_(LVL) MLDSA##LVL##_SECRETKEYBYTES
+#define MLDSA_PUBLICKEYBYTES_(LVL) MLDSA##LVL##_PUBLICKEYBYTES
+#define MLDSA_BYTES_(LVL) MLDSA##LVL##_BYTES
+#define MLDSA_SECRETKEYBYTES(LVL) MLDSA_SECRETKEYBYTES_(LVL)
+#define MLDSA_PUBLICKEYBYTES(LVL) MLDSA_PUBLICKEYBYTES_(LVL)
+#define MLDSA_BYTES(LVL) MLDSA_BYTES_(LVL)
+
+/****************************** Function API **********************************/
+
+#if !defined(MLD_CONFIG_API_CONSTANTS_ONLY)
+
+#if !defined(MLD_CONFIG_API_PARAMETER_SET)
+#error MLD_CONFIG_API_PARAMETER_SET not defined
+#endif
+#if !defined(MLD_CONFIG_API_NAMESPACE_PREFIX)
+#error MLD_CONFIG_API_NAMESPACE_PREFIX not defined
+#endif
+
+/* Validate parameter set */
+#if MLD_CONFIG_API_PARAMETER_SET != 44 && \
+ MLD_CONFIG_API_PARAMETER_SET != 65 && MLD_CONFIG_API_PARAMETER_SET != 87
+#error MLD_CONFIG_API_PARAMETER_SET must be 44, 65, or 87
+#endif
+
+/* Convenience macros for current parameter set */
+#if MLD_CONFIG_API_PARAMETER_SET == 44
+#define MLDSA_API_SECRETKEYBYTES MLDSA44_SECRETKEYBYTES
+#define MLDSA_API_PUBLICKEYBYTES MLDSA44_PUBLICKEYBYTES
+#define MLDSA_API_BYTES MLDSA44_BYTES
+#elif MLD_CONFIG_API_PARAMETER_SET == 65
+#define MLDSA_API_SECRETKEYBYTES MLDSA65_SECRETKEYBYTES
+#define MLDSA_API_PUBLICKEYBYTES MLDSA65_PUBLICKEYBYTES
+#define MLDSA_API_BYTES MLDSA65_BYTES
+#elif MLD_CONFIG_API_PARAMETER_SET == 87
+#define MLDSA_API_SECRETKEYBYTES MLDSA87_SECRETKEYBYTES
+#define MLDSA_API_PUBLICKEYBYTES MLDSA87_PUBLICKEYBYTES
+#define MLDSA_API_BYTES MLDSA87_BYTES
+#endif
+
+/* Derive namespacing macro */
+#define MLD_API_CONCAT_(x, y) x##y
+#define MLD_API_CONCAT(x, y) MLD_API_CONCAT_(x, y)
+#define MLD_API_CONCAT_UNDERSCORE(x, y) MLD_API_CONCAT(MLD_API_CONCAT(x, _), y)
+#define MLD_API_NAMESPACE(sym) \
+ MLD_API_CONCAT_UNDERSCORE(MLD_CONFIG_API_NAMESPACE_PREFIX, sym)
+
+#if defined(__GNUC__) || defined(clang)
+#define MLD_API_MUST_CHECK_RETURN_VALUE __attribute__((warn_unused_result))
+#else
+#define MLD_API_MUST_CHECK_RETURN_VALUE
+#endif
+
+#include
+#include
+
+/*************************************************
+ * Name: crypto_sign_keypair_internal
+ *
+ * Description: Generates public and private key. Internal API.
+ * When MLD_CONFIG_KEYGEN_PCT is set, performs a Pairwise
+ * Consistency Test (PCT) as required by FIPS 140-3 IG.
+ *
+ * Arguments: - uint8_t *pk: pointer to output public key (allocated
+ * array of MLDSA_PUBLICKEYBYTES bytes)
+ * - uint8_t *sk: pointer to output private key (allocated
+ * array of MLDSA_SECRETKEYBYTES bytes)
+ * - uint8_t *seed: pointer to input random seed (MLDSA_SEEDBYTES
+ * bytes)
+ *
+ * Returns 0 (success) or -1 (PCT failure)
+ *
+ * Specification: Implements @[FIPS204 Algorithm 6 (ML-DSA.KeyGen_internal)]
+ *
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(keypair_internal)(
+ uint8_t pk[MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)],
+ uint8_t sk[MLDSA_SECRETKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)],
+ const uint8_t seed[MLDSA_SEEDBYTES]);
+
+/*************************************************
+ * Name: crypto_sign_keypair
+ *
+ * Description: Generates public and private key.
+ * When MLD_CONFIG_KEYGEN_PCT is set, performs a Pairwise
+ * Consistency Test (PCT) as required by FIPS 140-3 IG.
+ *
+ * Arguments: - uint8_t *pk: pointer to output public key (allocated
+ * array of MLDSA_PUBLICKEYBYTES bytes)
+ * - uint8_t *sk: pointer to output private key (allocated
+ * array of MLDSA_SECRETKEYBYTES bytes)
+ *
+ * Returns 0 (success) or -1 (PCT failure)
+ *
+ * Specification: Implements @[FIPS204 Algorithm 1 (ML-DSA.KeyGen)]
+ *
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(keypair)(
+ uint8_t pk[MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)],
+ uint8_t sk[MLDSA_SECRETKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]);
+
+/*************************************************
+ * Name: crypto_sign_signature_internal
+ *
+ * Description: Computes signature. Internal API.
+ *
+ * Arguments: - uint8_t *sig: pointer to output signature (of length
+ * MLDSA{44,65,87}_BYTES)
+ * - size_t *siglen: pointer to output length of signature
+ * - uint8_t *m: pointer to message to be signed
+ * - size_t mlen: length of message
+ * - uint8_t *pre: pointer to prefix string
+ * - size_t prelen: length of prefix string
+ * - uint8_t *rnd: pointer to random seed
+ * - uint8_t *sk: pointer to bit-packed secret key
+ * - int externalmu: indicates input message m is processed as mu
+ *
+ * Returns 0 (success) or -1 (indicating nonce exhaustion)
+ *
+ * If the returned value is -1, then the values of *sig and
+ * *siglen should not be referenced.
+ *
+ * Reference: This code differs from the reference implementation
+ * in that it adds an explicit check for nonce exhaustion
+ * and can return -1 in that case.
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(signature_internal)(
+ uint8_t sig[MLDSA_BYTES(MLD_CONFIG_API_PARAMETER_SET)], size_t *siglen,
+ const uint8_t *m, size_t mlen, const uint8_t *pre, size_t prelen,
+ const uint8_t rnd[MLDSA_RNDBYTES],
+ const uint8_t sk[MLDSA_SECRETKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)],
+ int externalmu);
+
+/*************************************************
+ * Name: crypto_sign_signature
+ *
+ * Description: Computes signature.
+ *
+ * Arguments: - uint8_t *sig: pointer to output signature (of length
+ * MLDSA{44,65,87}_BYTES)
+ * - size_t *siglen: pointer to output length of signature
+ * - uint8_t *m: pointer to message to be signed
+ * - size_t mlen: length of message
+ * - uint8_t *ctx: pointer to context string. May be NULL
+ * iff ctxlen == 0
+ * - size_t ctxlen: length of context string. Should be <= 255.
+ * - uint8_t *sk: pointer to bit-packed secret key
+ *
+ * Returns 0 (success) or -1 (context string too long OR nonce exhaustion)
+ *
+ * Specification: Implements @[FIPS204 Algorithm 2 (ML-DSA.Sign)]
+ *
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(signature)(
+ uint8_t sig[MLDSA_BYTES(MLD_CONFIG_API_PARAMETER_SET)], size_t *siglen,
+ const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen,
+ const uint8_t sk[MLDSA_SECRETKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]);
+
+/*************************************************
+ * Name: crypto_sign_signature_extmu
+ *
+ * Description: Computes signature.
+ *
+ * Arguments: - uint8_t *sig: pointer to output signature (of length
+ * MLDSA{44,65,87}_BYTES)
+ * - size_t *siglen: pointer to output length of signature
+ * - uint8_t mu: input mu to be signed of size MLDSA_CRHBYTES
+ * - uint8_t *sk: pointer to bit-packed secret key
+ *
+ * Returns 0 (success) or -1 (context string too long OR nonce exhaustion)
+ *
+ * Specification: Implements @[FIPS204 Algorithm 2 (ML-DSA.Sign external mu
+ * variant)]
+ *
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(signature_extmu)(
+ uint8_t sig[MLDSA_BYTES(MLD_CONFIG_API_PARAMETER_SET)], size_t *siglen,
+ const uint8_t mu[MLDSA_CRHBYTES],
+ const uint8_t sk[MLDSA_SECRETKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]);
+
+/*************************************************
+ * Name: crypto_sign
+ *
+ * Description: Compute signed message.
+ *
+ * Arguments: - uint8_t *sm: pointer to output signed message (allocated
+ * array with MLDSA{44,65,87}_BYTES + mlen bytes),
+ * can be equal to m
+ * - size_t *smlen: pointer to output length of signed
+ * message
+ * - const uint8_t *m: pointer to message to be signed
+ * - size_t mlen: length of message
+ * - const uint8_t *ctx: pointer to context string
+ * - size_t ctxlen: length of context string
+ * - const uint8_t *sk: pointer to bit-packed secret key
+ *
+ * Returns 0 (success) or -1 (context string too long OR nonce exhausted)
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(sign)(
+ uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t sk[MLDSA_SECRETKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]);
+
+/*************************************************
+ * Name: crypto_sign_verify_internal
+ *
+ * Description: Verifies signature. Internal API.
+ * Arguments: - uint8_t *sig: pointer to input signature
+ * - size_t siglen: length of signature
+ * - const uint8_t *m: pointer to message
+ * - size_t mlen: length of message
+ * - const uint8_t *pre: pointer to prefix string
+ * - size_t prelen: length of prefix string
+ * - const uint8_t *pk: pointer to bit-packed public key
+ * - int externalmu: indicates input message m is processed as mu
+ *
+ * Returns 0 if signature could be verified correctly and -1 otherwise
+ *
+ * Specification: Implements @[FIPS204 Algorithm 8 (ML-DSA.Verify_internal)]
+ *
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(verify_internal)(
+ const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen,
+ const uint8_t *pre, size_t prelen,
+ const uint8_t pk[MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)],
+ int externalmu);
+
+/*************************************************
+ * Name: crypto_sign_verify
+ *
+ * Description: Verifies signature.
+ *
+ * Arguments: - uint8_t *sig: pointer to input signature
+ * - size_t siglen: length of signature
+ * - const uint8_t *m: pointer to message
+ * - size_t mlen: length of message
+ * - const uint8_t *ctx: pointer to context string
+ * May be NULL iff ctxlen == 0
+ * - size_t ctxlen: length of context string
+ * - const uint8_t *pk: pointer to bit-packed public key
+ *
+ * Returns 0 if signature could be verified correctly and -1 otherwise
+ *
+ * Specification: Implements @[FIPS204 Algorithm 3 (ML-DSA.Verify)]
+ *
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(verify)(
+ const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t pk[MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]);
+
+/*************************************************
+ * Name: crypto_sign_verify_extmu
+ *
+ * Description: Verifies signature.
+ *
+ * Arguments: - uint8_t *sig: pointer to input signature
+ * - size_t siglen: length of signature
+ * - const uint8_t mu: input mu of size MLDSA_CRHBYTES
+ * - const uint8_t *pk: pointer to bit-packed public key
+ *
+ * Returns 0 if signature could be verified correctly and -1 otherwise
+ *
+ * Specification: Implements @[FIPS204 Algorithm 3 (ML-DSA.Verify external mu
+ * variant)]
+ *
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(verify_extmu)(
+ const uint8_t *sig, size_t siglen, const uint8_t mu[MLDSA_CRHBYTES],
+ const uint8_t pk[MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]);
+
+/*************************************************
+ * Name: crypto_sign_open
+ *
+ * Description: Verify signed message.
+ *
+ * Arguments: - uint8_t *m: pointer to output message (allocated
+ * array with smlen bytes), can be equal to sm
+ * - size_t *mlen: pointer to output length of message
+ * - const uint8_t *sm: pointer to signed message
+ * - size_t smlen: length of signed message
+ * - const uint8_t *ctx: pointer to context string
+ * - size_t ctxlen: length of context string
+ * - const uint8_t *pk: pointer to bit-packed public key
+ *
+ * Returns 0 if signed message could be verified correctly and -1 otherwise
+ **************************************************/
+MLD_API_MUST_CHECK_RETURN_VALUE
+int MLD_API_NAMESPACE(open)(
+ uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t pk[MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)]);
+
+/****************************** SUPERCOP API *********************************/
+
+#if !defined(MLD_CONFIG_API_NO_SUPERCOP)
+/* Export API in SUPERCOP naming scheme CRYPTO_xxx / crypto_sign_xxx */
+#define CRYPTO_SECRETKEYBYTES MLDSA_SECRETKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)
+#define CRYPTO_PUBLICKEYBYTES MLDSA_PUBLICKEYBYTES(MLD_CONFIG_API_PARAMETER_SET)
+#define CRYPTO_BYTES MLDSA_BYTES(MLD_CONFIG_API_PARAMETER_SET)
+#define CRYPTO_SEEDBYTES MLDSA_SEEDBYTES
+#define CRYPTO_CRHBYTES MLDSA_CRHBYTES
+#define CRYPTO_TRBYTES MLDSA_TRBYTES
+#define CRYPTO_RNDBYTES MLDSA_RNDBYTES
+
+#define crypto_sign_keypair_internal MLD_API_NAMESPACE(keypair_internal)
+#define crypto_sign_keypair MLD_API_NAMESPACE(keypair)
+#define crypto_sign_signature_internal MLD_API_NAMESPACE(signature_internal)
+#define crypto_sign_signature MLD_API_NAMESPACE(signature)
+#define crypto_sign_signature_extmu MLD_API_NAMESPACE(signature_extmu)
+#define crypto_sign MLD_API_NAMESPACE(sign)
+#define crypto_sign_verify_internal MLD_API_NAMESPACE(verify_internal)
+#define crypto_sign_verify MLD_API_NAMESPACE(verify)
+#define crypto_sign_verify_extmu MLD_API_NAMESPACE(verify_extmu)
+#define crypto_sign_open MLD_API_NAMESPACE(open)
+
+#else /* !MLD_CONFIG_API_NO_SUPERCOP */
+
+/* If the SUPERCOP API is not needed, we can undefine the various helper macros
+ * above. Otherwise, they are needed for lazy evaluation of crypto_sign_xxx. */
+#undef MLD_API_CONCAT
+#undef MLD_API_CONCAT_
+#undef MLD_API_CONCAT_UNDERSCORE
+#undef MLD_API_NAMESPACE
+#undef MLD_API_MUST_CHECK_RETURN_VALUE
+
+#endif /* MLD_CONFIG_API_NO_SUPERCOP */
+#endif /* !MLD_CONFIG_API_CONSTANTS_ONLY */
+
+#endif /* !MLD_MLDSA_NATIVE_H */
diff --git a/mldsa/sign.h b/mldsa/sign.h
index 0024afca7..d9caa1dd0 100644
--- a/mldsa/sign.h
+++ b/mldsa/sign.h
@@ -208,7 +208,7 @@ __contract__(
 (return_value == -1 && *siglen == 0))
 );
 
-#define crypto_sign MLD_NAMESPACETOP
+#define crypto_sign MLD_NAMESPACE(sign)
 /*************************************************
 * Name: crypto_sign
 *
diff --git a/mldsa_native.c b/mldsa_native.c
new file mode 100644
index 000000000..c455214a6
--- /dev/null
+++ b/mldsa_native.c
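Review bot: The multi-level note in the header comment tells users to rename or #undef `MLD_H`, but the guard this file actually defines a few lines below is `MLD_MLDSA_NATIVE_H`, so a reader following the comment leaves the real guard set and the second inclusion of the header is skipped by the guard; the same stale name appears as `#undef MLD_H` in the mldsa_native.c undef list under its `/* mldsa/mldsa_native.h */` group. Change the comment to `NOTE: In this case, you must rename or #undef the MLD_MLDSA_NATIVE_H header guard` and the SCU line to `#undef MLD_MLDSA_NATIVE_H`. Separately, `#if defined(__GNUC__) || defined(clang)` tests an identifier clang does not predefine; the intended macro is `__clang__`, though clang also defines `__GNUC__` so the attribute is still applied in practice. The `signature_extmu` comment also copies `-1 (context string too long OR nonce exhaustion)` from `signature` although this entry point takes no context string.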
@@ -0,0 +1,209 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/******************************************************************************
+ *
+ * Single compilation unit (SCU) for fixed-level build of mldsa-native
+ *
+ * This compilation unit bundles together all source files for a build
+ * of mldsa-native for a fixed security level (ML-DSA-44/65/87).
+ *
+ * # API
+ *
+ * The API exposed by this file is described in mldsa_native.h.
+ *
+ * # Configuration
+ *
+ * The following options from the mldsa-native configuration are relevant:
+ *
+ * - MLD_CONFIG_FIPS202_CUSTOM_HEADER
+ * Set this option if you use a custom FIPS202 implementation.
+ *
+ * - MLD_CONFIG_USE_NATIVE_BACKEND_ARITH
+ * Set this option if you want to include the native arithmetic backends
+ * in your build.
+ *
+ * - MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202
+ * Set this option if you want to include the native FIPS202 backends
+ * in your build.
+ */
+
+#include "mldsa/common.h"
+
+#include "mldsa/ct.c"
+#include "mldsa/debug.c"
+#include "mldsa/ntt.c"
+#include "mldsa/packing.c"
+#include "mldsa/poly.c"
+#include "mldsa/polyvec.c"
+#include "mldsa/sign.c"
+
+#if !defined(MLD_CONFIG_FIPS202_CUSTOM_HEADER)
+#include "mldsa/fips202/fips202.c"
+#include "mldsa/fips202/fips202x4.c"
+#include "mldsa/fips202/keccakf1600.c"
+#endif
+
+#if defined(MLD_CONFIG_USE_NATIVE_BACKEND_ARITH)
+#if defined(MLD_SYS_AARCH64)
+#include "mldsa/native/aarch64/src/aarch64_zetas.c"
+#include "mldsa/native/aarch64/src/rej_uniform_eta_table.c"
+#include "mldsa/native/aarch64/src/rej_uniform_table.c"
+#endif
+#if defined(MLD_SYS_X86_64)
+#include "mldsa/native/x86_64/src/consts.c"
+#include "mldsa/native/x86_64/src/poly_caddq_avx2.c"
+#include "mldsa/native/x86_64/src/poly_chknorm_avx2.c"
+#include "mldsa/native/x86_64/src/poly_decompose_32_avx2.c"
+#include "mldsa/native/x86_64/src/poly_decompose_88_avx2.c"
+#include "mldsa/native/x86_64/src/poly_use_hint_32_avx2.c"
+#include "mldsa/native/x86_64/src/poly_use_hint_88_avx2.c"
+#include "mldsa/native/x86_64/src/rej_uniform_avx2.c"
+#include "mldsa/native/x86_64/src/rej_uniform_eta2_avx2.c"
+#include "mldsa/native/x86_64/src/rej_uniform_eta4_avx2.c"
+#include "mldsa/native/x86_64/src/rej_uniform_table.c"
+#endif
+#endif /* MLD_CONFIG_USE_NATIVE_BACKEND_ARITH */
+
+#if defined(MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202)
+#if defined(MLD_SYS_AARCH64)
+#include "mldsa/fips202/native/aarch64/src/keccakf1600_round_constants.c"
+#endif
+#if defined(MLD_SYS_X86_64)
+#include "mldsa/fips202/native/x86_64/src/KeccakP_1600_times4_SIMD256.c"
+#endif
+#endif /* MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202 */
+
+/* Macro #undef's
+ *
+ * The following undefines macros from headers
+ * included by the source files imported above.
+ *
+ * This is to allow building and linking multiple builds
+ * of mldsa-native for varying parameter sets through concatenation
+ * of this file, as if the files had been compiled separately.
+ * If this is not relevant to you, you may remove the following.
+ */
+
+/*
+ * Undefine macros from MLD_CONFIG_PARAMETER_SET-specific files
+ */
+/* mldsa/mldsa_native.h */
+#undef CRYPTO_BYTES
+#undef CRYPTO_CRHBYTES
+#undef CRYPTO_PUBLICKEYBYTES
+#undef CRYPTO_RNDBYTES
+#undef CRYPTO_SECRETKEYBYTES
+#undef CRYPTO_SEEDBYTES
+#undef CRYPTO_TRBYTES
+#undef MLDSA44_BYTES
+#undef MLDSA44_CRHBYTES
+#undef MLDSA44_PUBLICKEYBYTES
+#undef MLDSA44_RNDBYTES
+#undef MLDSA44_SECRETKEYBYTES
+#undef MLDSA44_SEEDBYTES
+#undef MLDSA44_TRBYTES
+#undef MLDSA65_BYTES
+#undef MLDSA65_CRHBYTES
+#undef MLDSA65_PUBLICKEYBYTES
+#undef MLDSA65_RNDBYTES
+#undef MLDSA65_SECRETKEYBYTES
+#undef MLDSA65_SEEDBYTES
+#undef MLDSA65_TRBYTES
+#undef MLDSA87_BYTES
+#undef MLDSA87_CRHBYTES
+#undef MLDSA87_PUBLICKEYBYTES
+#undef MLDSA87_RNDBYTES
+#undef MLDSA87_SECRETKEYBYTES
+#undef MLDSA87_SEEDBYTES
+#undef MLDSA87_TRBYTES
+#undef MLDSA_API_BYTES
+#undef MLDSA_API_PUBLICKEYBYTES
+#undef MLDSA_API_SECRETKEYBYTES
+#undef MLDSA_BYTES
+#undef MLDSA_BYTES_
+#undef MLDSA_CRHBYTES
+#undef MLDSA_PUBLICKEYBYTES
+#undef MLDSA_PUBLICKEYBYTES_
+#undef MLDSA_RNDBYTES
+#undef MLDSA_SECRETKEYBYTES
+#undef MLDSA_SECRETKEYBYTES_
+#undef MLDSA_SEEDBYTES
+#undef MLDSA_TRBYTES
+#undef MLD_API_CONCAT
+#undef MLD_API_CONCAT_
+#undef MLD_API_CONCAT_UNDERSCORE
+#undef MLD_API_MUST_CHECK_RETURN_VALUE
+#undef MLD_API_NAMESPACE
+#undef MLD_H
+#undef crypto_sign
+#undef crypto_sign_keypair
+#undef crypto_sign_keypair_internal
+#undef crypto_sign_open
+#undef crypto_sign_signature
+#undef crypto_sign_signature_extmu
+#undef crypto_sign_signature_internal
+#undef crypto_sign_verify
+#undef crypto_sign_verify_extmu
+#undef crypto_sign_verify_internal
+/* mldsa/common.h */
+#undef MLD_ADD_PARAM_SET
+#undef MLD_ASM_FN_SYMBOL
+#undef MLD_ASM_NAMESPACE
+#undef MLD_COMMON_H
+#undef MLD_CONCAT
+#undef MLD_CONCAT_
+#undef MLD_CONFIG_API_NAMESPACE_PREFIX
+#undef MLD_CONFIG_API_PARAMETER_SET
+#undef MLD_EMPTY_CU
+#undef MLD_EXTERNAL_API
+#undef MLD_FIPS202X4_HEADER_FILE
+#undef MLD_FIPS202_HEADER_FILE
+#undef MLD_INTERNAL_API
+#undef MLD_NAMESPACE
+#undef MLD_NAMESPACE_PREFIX
+#undef mld_memcpy
+#undef mld_memset
+/* mldsa/sign.h */
+#undef MLD_CONFIG_API_NO_SUPERCOP
+#undef MLD_SIGN_H
+#undef crypto_sign
+#undef crypto_sign_keypair
+#undef crypto_sign_keypair_internal
+#undef crypto_sign_open
+#undef crypto_sign_signature
+#undef crypto_sign_signature_extmu
+#undef crypto_sign_signature_internal
+#undef crypto_sign_verify
+#undef crypto_sign_verify_extmu
+#undef crypto_sign_verify_internal
+/* mldsa/params.h */
+#undef CRYPTO_BYTES
+#undef CRYPTO_PUBLICKEYBYTES
+#undef CRYPTO_SECRETKEYBYTES
+#undef MLD_PARAMS_H
+#undef MLDSA_BETA
+#undef MLDSA_CTILDEBYTES
+#undef MLDSA_CRHBYTES
+#undef MLDSA_D
+#undef MLDSA_ETA
+#undef MLDSA_GAMMA1
+#undef MLDSA_GAMMA2
+#undef MLDSA_K
+#undef MLDSA_L
+#undef MLDSA_N
+#undef MLDSA_OMEGA
+#undef MLDSA_POLYETA_PACKEDBYTES
+#undef MLDSA_POLYT0_PACKEDBYTES
+#undef MLDSA_POLYT1_PACKEDBYTES
+#undef MLDSA_POLYVECH_PACKEDBYTES
+#undef MLDSA_POLYW1_PACKEDBYTES
+#undef MLDSA_POLYZ_PACKEDBYTES
+#undef MLDSA_Q
+#undef MLDSA_Q_HALF
+#undef MLDSA_RNDBYTES
+#undef MLDSA_SEEDBYTES
+#undef MLDSA_TAU
+#undef MLDSA_TRBYTES
diff --git a/proofs/cbmc/crypto_sign/Makefile b/proofs/cbmc/crypto_sign/Makefile
index dd9e2c32d..f4fa7deec 100644
--- a/proofs/cbmc/crypto_sign/Makefile
+++ b/proofs/cbmc/crypto_sign/Makefile
@@ -19,7 +19,7 @@ UNWINDSET += PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c PROJECT_SOURCES += $(SRCDIR)/mldsa/sign.c -CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACETOP) +CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)sign USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)signature APPLY_LOOP_CONTRACTS=on
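Review bot: The undef list is maintained by hand and already shows drift: every `crypto_sign*` name is undefined twice (once under `/* mldsa/mldsa_native.h */` and again under `/* mldsa/sign.h */`), and `CRYPTO_*BYTES` together with `MLDSA_CRHBYTES`, `MLDSA_RNDBYTES`, `MLDSA_SEEDBYTES` and `MLDSA_TRBYTES` appear under both the mldsa_native.h and params.h groups, which is harmless but suggests the groups were not regenerated against the final headers. Because the only purpose of the list is that a concatenated multi-level build behaves as if the units had been compiled separately, a missing or stale entry fails only in that configuration and not in the default per-level build that CI presumably exercises. A comment above the list such as `/* Keep in sync with the macros defined in mldsa/mldsa_native.h, common.h, sign.h and params.h; regenerate rather than edit by hand */` would at least tell the next editor what has to be updated when one of those headers changes.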