ML-DSA for libgcrypt
Open, WishlistPublic
Actions

Assigned To

Authored By

	• gniibe
	May 7 2025, 7:43 AM

Description

Kyber (ML-KEM) is in libgcrypt 1.11.

I think that we can take same approach of Kyber for Dilithium (ML-DSA); Including upstream code as intact as possible (so that auditing the code can be easier), provides three variants (of 2, 3, and 5) in a way of good performance.

Revisions and Commits

rC libgcrypt
	rC95beae482412 tests: Add a test for Dilithium.
	rC0a1fda8ce4d0 cipher:dilithium: Support "no-prefix" flag for Dilithium testing.
	rC40c84d8a4c76 cipher:dilithium: Add ML-DSA into libgcrypt pubkey interface.
	rC81a8332963e2 cipher:dilithium: Add dilithium functions for libgcrypt internal use.
	rCbef89f9316c8 cipher:dilithium: List the dilithium implementation to Makefile.am.
	rCcce9c02988c2 cipher:dilithium: Have cipher/dilithium.h.
	rCaeb775adfafd cipher:dilithium: Don't include unused freeze function.
	rCf78099b5a022 cipher:dilithium: Add DILITHIUM_INTERNAL_API_ONLY.
	rCa0bd76300f60 cipher:dilithium: Fix comment style.
	rC5cbf3180533d cipher:dilithium: Make the implementation into three files.
	rC92f129fb9ddc cipher:dilithium: For _GCRYPT_IN_LIBGCRYPT, add *_close function.
	rC28fb2e30790b cipher:dilithium: Functions of poly for different DILITHIUM_MODE.
	rCcb15a5563ade cipher: Editorial clean up cipher/dilithium.c for headers.
	rCcc7d750be1c7 cipher:dilithium: Export the external API only.
	rC1b422366e2b3 cipher: Put the original Dilithium implementation.
	rCa7fdda036591 cipher: Add headers to the Dilithium implementation.
	rCb945002e44ce tests:common: Increse buffer size to allow input for PQC testing.

Related Objects
Search...

Status	Assigned	Task
Open	None	T6636 PQC Implementation
Open	• gniibe	T6637 PQC for Libgcrypt
Open	• gniibe	T7640 ML-DSA for libgcrypt

Event Timeline

• gniibe triaged this task as Wishlist priority.May 7 2025, 7:43 AM

• gniibe created this task.

Looking the FIPS 204 document, using the following functions (API) is good:

int crypto_sign_keypair_internal(uint8_t *pk, uint8_t *sk,
                                 uint8_t seed[SEEDBYTES]);
int crypto_sign_signature_internal(uint8_t *sig,
                                   size_t *siglen,
                                   const uint8_t *m,
                                   size_t mlen,
                                   const uint8_t *pre,
                                   size_t prelen,
                                   const uint8_t rnd[RNDBYTES],
                                   const uint8_t *sk);
int crypto_sign_verify_internal(const uint8_t *sig,
                                size_t siglen,
                                const uint8_t *m,
                                size_t mlen,
                                const uint8_t *pre,
                                size_t prelen,
                                const uint8_t *pk);

That is, we won't have the randombytes function, but use these internal API within libgcrypt, so that KAT tests can be cleanly implemented.

To support Dilithium, we need to extend data handling of libgcrypt.
I propose following changes:

internal flag of PUBKEY_FLAG_BYTE_STRING to ask opaque MPI for data to be signed/verified.
The format of data as: (data(raw)[(flags no-prefix)](value ...)[(label ...)][(random-override ...)]): message, context, and random. Optional no-prefix flag to ask specific way of signing, controlling the internal, for Known Answer Tests (siggen).