Support for ML-DSA public key generation from private key #2142
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2142 +/- ##
==========================================
+ Coverage 78.96% 78.97% +0.01%
==========================================
Files 610 610
Lines 105293 105323 +30
Branches 14919 14921 +2
==========================================
+ Hits 83141 83178 +37
+ Misses 21500 21493 -7
Partials 652 652 ☔ View full report in Codecov by Sentry. |
justsmth
previously approved these changes
Jan 28, 2025
nebeid
reviewed
Jan 28, 2025
There was a problem hiding this comment.
May I suggest renaming to pack_pk_from_sk? I understand they're internal functions but they're exported and so renaming them later may be more difficult.
Nit: comments in
aws-lc/crypto/ml_dsa/ml_dsa_ref/packing.c
Lines 182 to 187 in 4fbcd10
const.
Thank you, changed to
Got them, also fixed in |
justsmth
previously approved these changes
Jan 28, 2025
nebeid
approved these changes
Jan 28, 2025
justsmth
approved these changes
Jan 28, 2025
manastasova
pushed a commit
to manastasova/aws-lc
that referenced
this pull request
Jan 30, 2025
### Issues: Resolves #CryptoAlg-2868 ### Description of changes: It is often useful when serializing asymmetric key pairs to populate both the public and private elements, given only the private element. For this to be possible, an algorithm utility function is often provided to derive key material. ML-DSA does not support this in the reference implementation. #### Background ML-DSA keypairs An ML-DSA private key is constructed of the following elements: (ref https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf) ``` sk = ( rho, // public random seed (32-bytes) tr, // public key hash (64-bytes) key, // private random seed (32-bytes) (utilized during sign) t0, // polynomial vector: encodes the least significant bits of public-key polynomial t, facilitating certain computational efficiencies. s1, // secret polynomial vectors. These vectors contain polynomials with coefficients in a specified range, s2. // serving as the secret components in the lattice-based structure of ML-DSA. ) ``` An ML-DSA public key is constructed of the following elements: ``` pk = ( rho, // public random seed (32-bytes) t1. // compressed representation of the public key polynomial ) ``` - The vector t is decomposed into two parts: - `t1`: Represents the higher-order bits of `t`. - `t0`: Represents the lower-order bits of `t`. One can see that to reconstruct the public key from the private key, one must: 1. Extract all elements from `sk`, using the existing function in `/ml_dsa_ref/packing.c`: `ml_dsa_unpack_sk` 1. This will provide `sk = (rho, tr, key, t0, s1, s2)`. 2. Reconstruct `A` using `rho` with the existing function in `/ml_dsa_ref/polyvec.c`: `ml_dsa_polyvec_matrix_expand` 3. Reconstruct `t` from `t = A*s1 + s2` 4. Drop `d` lower bits from `t` to get `t1` 5. Pack `rho`, `t1` into public key. 6. Verify `pk` matches expected value, by comparing SHAKE256(pk) + `tr` (unpacked from secret key). This has been implemented in `ml_dsa_pack_pk_from_sk` -- not tied to the name, just using what I've seen so far in common nomenclature. As the values of `d` differ for each parameter set of ML-DSA, we must create packing functions for each parameter size. As such, `ml_dsa_44_pack_pk_from_sk``, `ml_dsa_65_pack_pk_from_sk``, and `ml_dsa_87_pack_pk_from_sk`` have been added to `ml_dsa.h` to serve as utility functions in higher level EVP APIs. ### Call-outs: The scope of this PR is only the algorithm level, using these functions for useful tasks such as populating the public key automatically on private key import -- will be added in subsequent PRs. ### Testing: A new test has been added to `PQDSAParameterTest`, namely, `KeyConsistencyTest` that will assert that packing the key is successful, and that the key produced matches the original public key. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
Resolves #CryptoAlg-2868
Description of changes:
It is often useful when serializing asymmetric key pairs to populate both the public and private elements, given only the private element. For this to be possible, an algorithm utility function is often provided to derive key material. ML-DSA does not support this in the reference implementation.
Background ML-DSA keypairs
An ML-DSA private key is constructed of the following elements: (ref https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf)
An ML-DSA public key is constructed of the following elements:
t1: Represents the higher-order bits oft.t0: Represents the lower-order bits oft.One can see that to reconstruct the public key from the private key, one must:
sk, using the existing function in/ml_dsa_ref/packing.c:ml_dsa_unpack_sksk = (rho, tr, key, t0, s1, s2).Ausingrhowith the existing function in/ml_dsa_ref/polyvec.c:ml_dsa_polyvec_matrix_expandtfromt = A*s1 + s2dlower bits fromtto gett1rho,t1into public key.pkmatches expected value, by comparing SHAKE256(pk) +tr(unpacked from secret key).This has been implemented in
ml_dsa_pack_pk_from_sk-- not tied to the name, just using what I've seen so far in common nomenclature.As the values of
ddiffer for each parameter set of ML-DSA, we must create packing functions for each parameter size. As such,ml_dsa_44_pack_pk_from_sk,ml_dsa_65_pack_pk_from_sk, andml_dsa_87_pack_pk_from_skhave been added toml_dsa.hto serve as utility functions in higher level EVP APIs.Call-outs:
The scope of this PR is only the algorithm level, using these functions for useful tasks such as populating the public key automatically on private key import -- will be added in subsequent PRs.
Testing:
A new test has been added to
PQDSAParameterTest, namely,KeyConsistencyTestthat will assert that packing the key is successful, and that the key produced matches the original public key.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.