Add support for PreHash ML-DSA

This commit adds two functions crypto_sign_signature_pre_hash_internal
and crypto_sign_verify_pre_hash_internal implementing the pre-hashing mode of
ML-DSA. Instead of receiving a message, they receive a pre-hashed message.
Details can be found in Algorithm 4 and 5 in FIPS204.

The message to signed is formatted as
0x01 || ctxlen (1 byte) || ctx || oid || ph
where ph is the pre-hash and oid is the object identifier of the used hash
algorithm.

The ACVP client is adjusted to support the pre-hashing test cases. Note that
the ACVP testvectors only contain the message, not the pre-hash. I opted for
computing the hash in the ACVP Python client as for that we do not have to
add implementations for the 12 hash functions.

CBMC proofs for the new functions are added.

Resolves #39

Signed-off-by: Matthias J. Kannwischer <[email protected]>

Author: mkannwischer

integration/liboqs/ML-DSA-44_META.yml

@@ -31,9 +31,9 @@ implementations:
   sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c
-    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h
-    mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h
-    mldsa/zetas.inc
+    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h
+    mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h
+    mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
 - name: x86_64
   version: FIPS204
   folder_name: .
@@ -46,8 +46,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/x86_64
   supported_platforms:
   - architecture: x86_64
     operating_systems:
@@ -69,8 +70,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/aarch64
   supported_platforms:
   - architecture: arm_8
     operating_systems:

integration/liboqs/ML-DSA-65_META.yml

@@ -31,9 +31,9 @@ implementations:
   sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c
-    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h
-    mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h
-    mldsa/zetas.inc
+    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h
+    mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h
+    mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
 - name: x86_64
   version: FIPS204
   folder_name: .
@@ -46,8 +46,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/x86_64
   supported_platforms:
   - architecture: x86_64
     operating_systems:
@@ -69,8 +70,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/aarch64
   supported_platforms:
   - architecture: arm_8
     operating_systems:

integration/liboqs/ML-DSA-87_META.yml

@@ -31,9 +31,9 @@ implementations:
   sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c
-    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h
-    mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h
-    mldsa/zetas.inc
+    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h
+    mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h
+    mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
 - name: x86_64
   version: FIPS204
   folder_name: .
@@ -46,8 +46,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/x86_64
   supported_platforms:
   - architecture: x86_64
     operating_systems:
@@ -68,8 +69,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/aarch64
   supported_platforms:
   - architecture: arm_8
     operating_systems:

mldsa/prehash.c

@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#include "prehash.h"
+#include "symmetric.h"
+
+#define MLD_PRE_HASH_OID_LEN 11
+
+/*************************************************
+ * Name:        mld_get_hash_oid
+ *
+ * Description: Returns the OID of a given SHA-2/SHA-3 hash function.
+ *
+ * Arguments:   - uint8_t oid[11]: pointer to output oid
+ *              - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *
+ **************************************************/
+static void mld_get_hash_oid(uint8_t oid[MLD_PRE_HASH_OID_LEN],
+                             mld_hash_alg_t hashAlg)
+{
+  unsigned int i;
+  static const struct
+  {
+    mld_hash_alg_t alg;
+    uint8_t oid[MLD_PRE_HASH_OID_LEN];
+  } oid_map[] = {
+      {MLD_SHA2_224,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}},
+      {MLD_SHA2_256,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}},
+      {MLD_SHA2_384,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}},
+      {MLD_SHA2_512,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}},
+      {MLD_SHA2_512_224,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05}},
+      {MLD_SHA2_512_256,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x06}},
+      {MLD_SHA3_224,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x07}},
+      {MLD_SHA3_256,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x08}},
+      {MLD_SHA3_384,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x09}},
+      {MLD_SHA3_512,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0A}},
+      {MLD_SHAKE_128,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0B}},
+      {MLD_SHAKE_256,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0C}}};
+
+  for (i = 0; i < sizeof(oid_map) / sizeof(oid_map[0]); i++)
+  __loop__(
+    invariant(i <= sizeof(oid_map) / sizeof(oid_map[0]))
+  )
+  {
+    if (oid_map[i].alg == hashAlg)
+    {
+      mld_memcpy(oid, oid_map[i].oid, MLD_PRE_HASH_OID_LEN);
+      return;
+    }
+  }
+}
+
+int mld_validate_hash_length(mld_hash_alg_t hashAlg, size_t len)
+{
+  switch (hashAlg)
+  {
+    case MLD_SHA2_224:
+      return (len == 224 / 8) ? 0 : -1;
+    case MLD_SHA2_256:
+      return (len == 256 / 8) ? 0 : -1;
+    case MLD_SHA2_384:
+      return (len == 384 / 8) ? 0 : -1;
+    case MLD_SHA2_512:
+      return (len == 512 / 8) ? 0 : -1;
+    case MLD_SHA2_512_224:
+      return (len == 224 / 8) ? 0 : -1;
+    case MLD_SHA2_512_256:
+      return (len == 256 / 8) ? 0 : -1;
+    case MLD_SHA3_224:
+      return (len == 224 / 8) ? 0 : -1;
+    case MLD_SHA3_256:
+      return (len == 256 / 8) ? 0 : -1;
+    case MLD_SHA3_384:
+      return (len == 384 / 8) ? 0 : -1;
+    case MLD_SHA3_512:
+      return (len == 512 / 8) ? 0 : -1;
+    case MLD_SHAKE_128:
+      return (len == 256 / 8) ? 0 : -1;
+    case MLD_SHAKE_256:
+      return (len == 512 / 8) ? 0 : -1;
+  }
+  return -1;
+}
+
+size_t mld_format_pre_hash_message(
+    uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES], const uint8_t *ph,
+    size_t phlen, const uint8_t *ctx, size_t ctxlen, mld_hash_alg_t hashAlg)
+{
+  /* Format: 0x01 || ctxlen (1 byte) || ctx || oid (11 bytes) || ph */
+  fmsg[0] = 1;
+  fmsg[1] = (uint8_t)ctxlen;
+
+  /* Copy context if present */
+  if (ctxlen > 0)
+  {
+    mld_memcpy(fmsg + 2, ctx, ctxlen);
+  }
+
+  /* Write OID */
+  mld_get_hash_oid(fmsg + 2 + ctxlen, hashAlg);
+
+  /* Copy pre-hash */
+  mld_memcpy(fmsg + 2 + ctxlen + MLD_PRE_HASH_OID_LEN, ph, phlen);
+
+  /* Return total formatted message length */
+  return 2 + ctxlen + MLD_PRE_HASH_OID_LEN + phlen;
+}

mldsa/prehash.h

@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#ifndef MLD_PREHASH_H
+#define MLD_PREHASH_H
+
+#include <stddef.h>
+#include <stdint.h>
+#include "common.h"
+#include "sign.h"
+
+/* Maximum formatted pre-hash message length: 0x01 || ctxlen || ctx (max 255) ||
+ * oid (11) || ph (max 64) */
+#define MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES (2 + 255 + 11 + 64)
+
+#define mld_validate_hash_length MLD_NAMESPACE(validate_hash_length)
+/*************************************************
+ * Name:        mld_validate_hash_length
+ *
+ * Description: Validates that the given hash length matches the expected
+ *              length for the given hash algorithm.
+ *
+ * Arguments:   - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *              - size_t len: Hash length to be checked
+ *
+ * Returns 0 if hash algorithm is known and the hash length matches
+ * and -1 otherwise.
+ **************************************************/
+MLD_MUST_CHECK_RETURN_VALUE
+MLD_INTERNAL_API
+int mld_validate_hash_length(mld_hash_alg_t hashAlg, size_t len);
+
+#define mld_format_pre_hash_message MLD_NAMESPACE(format_pre_hash_message)
+/*************************************************
+ * Name:        mld_format_pre_hash_message
+ *
+ * Description: Formats a pre-hash message according to FIPS 204:
+ *              0x01 || ctxlen (1 byte) || ctx || oid || ph
+ *
+ * Arguments:   - uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES]:
+ *                output formatted message buffer
+ *              - const uint8_t *ph: pointer to pre-hashed message
+ *              - size_t phlen: length of pre-hashed message
+ *              - const uint8_t *ctx: pointer to context string (may be NULL)
+ *              - size_t ctxlen: length of context string
+ *              - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *
+ * Returns the total length of the formatted message (2 + ctxlen + 11 + phlen).
+ **************************************************/
+MLD_INTERNAL_API
+size_t mld_format_pre_hash_message(
+    uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES], const uint8_t *ph,
+    size_t phlen, const uint8_t *ctx, size_t ctxlen, mld_hash_alg_t hashAlg);
+
+#endif /* !MLD_PREHASH_H */

mldsa/sign.c

@@ -31,6 +31,7 @@
 #include "packing.h"
 #include "poly.h"
 #include "polyvec.h"
+#include "prehash.h"
 #include "randombytes.h"
 #include "sign.h"
 #include "symmetric.h"
@@ -862,3 +863,69 @@ int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen,
 
   return -1;
 }
+
+
+MLD_MUST_CHECK_RETURN_VALUE
+MLD_EXTERNAL_API
+int crypto_sign_signature_pre_hash_internal(uint8_t *sig, size_t *siglen,
+                                            const uint8_t *ph, size_t phlen,
+                                            const uint8_t *ctx, size_t ctxlen,
+                                            const uint8_t rnd[MLDSA_RNDBYTES],
+                                            const uint8_t *sk,
+                                            mld_hash_alg_t hashAlg)
+{
+  MLD_ALIGN uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES];
+  size_t fmsg_len;
+  int result;
+
+  if (ctxlen > 255)
+  {
+    *siglen = 0;
+    return -1;
+  }
+
+  if (mld_validate_hash_length(hashAlg, phlen))
+  {
+    *siglen = 0;
+    return -1;
+  }
+
+  fmsg_len = mld_format_pre_hash_message(fmsg, ph, phlen, ctx, ctxlen, hashAlg);
+
+  result = crypto_sign_signature_internal(sig, siglen, fmsg, fmsg_len, NULL, 0,
+                                          rnd, sk, 0);
+  /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
+  mld_zeroize(fmsg, sizeof(fmsg));
+  return result;
+}
+
+MLD_MUST_CHECK_RETURN_VALUE
+MLD_EXTERNAL_API
+int crypto_sign_verify_pre_hash_internal(const uint8_t *sig, size_t siglen,
+                                         const uint8_t *ph, size_t phlen,
+                                         const uint8_t *ctx, size_t ctxlen,
+                                         const uint8_t *pk,
+                                         mld_hash_alg_t hashAlg)
+{
+  MLD_ALIGN uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES];
+  size_t fmsg_len;
+  int result;
+
+  if (ctxlen > 255)
+  {
+    return -1;
+  }
+
+  if (mld_validate_hash_length(hashAlg, phlen))
+  {
+    return -1;
+  }
+
+  fmsg_len = mld_format_pre_hash_message(fmsg, ph, phlen, ctx, ctxlen, hashAlg);
+
+  result =
+      crypto_sign_verify_internal(sig, siglen, fmsg, fmsg_len, NULL, 0, pk, 0);
+  /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
+  mld_zeroize(fmsg, sizeof(fmsg));
+  return result;
+}