ML-DSA private keys from seeds #2157
Conversation
crypto/pqdsa/pqdsa.c
Outdated
| @@ -82,14 +82,69 @@ int PQDSA_KEY_set_raw_public_key(PQDSA_KEY *key, CBS *in) { | |||
| } | |||
|
|
|||
| int PQDSA_KEY_set_raw_private_key(PQDSA_KEY *key, CBS *in) { | |||
There was a problem hiding this comment.
This implementation feels very much like two functions conflated into one.
Could there instead be a separate function for the seed, like PQDSA_KEY_set_raw_seed? Then have the callers (pqdsa_priv_decode and EVP_PKEY_pqdsa_new_raw_private_key?) make the decision about which to call based on the length of the data?
There was a problem hiding this comment.
I see! Reworked in e506ba1/
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2157 +/- ##
==========================================
- Coverage 78.95% 78.94% -0.01%
==========================================
Files 611 611
Lines 105551 105603 +52
Branches 14950 14957 +7
==========================================
+ Hits 83341 83372 +31
- Misses 21558 21575 +17
- Partials 652 656 +4 ☔ View full report in Codecov by Sentry. |
crypto/pqdsa/pqdsa.c
Outdated
| key->public_key = public_key; | ||
| } | ||
|
|
||
| if (key->private_key == NULL || key->public_key == NULL ) { |
There was a problem hiding this comment.
I think this additional check would not be needed if key->private_key was checked at line 126 above. (The other code paths all seem to have NULL checks for both values covered.)
Issues:
Resolves #CryptoAlg-2889
Description of changes:
The industry has decided upon a few conventions to assist with the usability of ML-DSA key sizes, one of which is to decrease the amount of bytes transferred when encoding ML-DSA private keys. As ML-DSA keys can be deterministically generated from a provided 32-byte seed, many standards bodies have selected to use private keys in seed format. For example, the IETF draft that standardizes the use of ML-DSA in X.509. https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/
This provides:
The functionality that provides key generation from seeds for ML-DSA was added in my previous PR #1999. This PR exposes the internal key generation functions within the
PQDSAstruct, so that a new function namedPQDSA_KEY_set_raw_keypair_from_seedcan directly call the method.The function
PQDSA_KEY_set_raw_keypair_from_seedsimply performs:seedis of the correct lengthpqdsa_keygen_internalAs such,
pqdsa_priv_decodehas been modified to call:PQDSA_KEY_set_raw_private_keywhen the provided length of the key ispqdsa->private_key_lenPQDSA_KEY_set_raw_keypair_from_seedwhen the provided length of the key ispqdsa->keygen_seed_lenWe implement this at the EVP layer by modifying
EVP_PKEY_pqdsa_new_raw_private_keyto:PQDSA_KEY_set_raw_private_keywhen thelenprovided isprivate_key_lenPQDSA_KEY_set_raw_keypair_from_seedwhen thelenprovided iskeygen_seed_lenCall-outs:
EVP_PKEY_pqdsa_new_raw_private_keywill now populate both public and private keys when provided a seed. but only private key when provided the raw private key. (We can make behaviour consistant by calling thepkfromskderivation functionml_dsa_XX_pack_pk_from_skadded in Support for ML-DSA public key generation from private key #2142)PQDSA_KEY_set_raw_private_keywill only set private keyPQDSA_KEY_set_raw_public_keywill only set public keyTesting:
To provide KAT for keys from seeds I have included the
Appendix C. Examplesfrom https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/. For each provided ML-DSA parameter set, we generate the example private key provided from seed, and check that the corresponding public key matches that in the specification. These tests are inPQDSAParameterTestnamely,ParsePrivateKey.These examples show how much shorter ML-DSA-87 private keys are in seed format:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.