Merge pull request #498 from pq-code-package/acvp-prehash

Add support for HashML-DSA

Author: mkannwischer

README.md

@@ -85,15 +85,19 @@ By default, mldsa-native uses the "hedged" signing variant as specified in FIPS
 
 The deterministic variant can be enabled by undefining `MLD_RANDOMIZED_SIGNING`, but FIPS 204 warns that this should not be used on platforms where fault injection attacks and side-channel attacks are a concern, as the lack of fresh randomness makes fault attacks more difficult to mitigate.
 
-### Does mldsa-native support the pre-hash/digest sign/verify mode (external mu)?
+### Does mldsa-native support the external mu mode?
 
 Yes. mldsa-native supports external mu mode, which allows for pre-hashing of messages before signing. This addresses the pre-hashing capability described in the NIST PQC FAQ[^NIST_FAQ] and detailed in NIST's guidance on FIPS 204 Section 6[^NIST_FIPS204_SEC6].
 
 External mu mode enables applications to compute the message digest (mu) externally and provide it to the signing implementation, which is particularly useful for large messages or streaming applications where the entire message cannot be held in memory during signing.
 
 ### Does mldsa-native support HashML-DSA?
 
-No. mldsa-native does not currently implement HashML-DSA, the hash-based variant of ML-DSA defined in FIPS 204. The current implementation focuses on the standard ML-DSA signature scheme.
+Yes. mldsa-native supports HashML-DSA, the pre-hashing variant of ML-DSA defined in FIPS 204 Algorithms 4 and 5.
+
+mldsa-native provides two levels of API:
+- `crypto_sign_signature_pre_hash_internal` and `crypto_sign_verify_pre_hash_internal` - Low-level functions that accept a pre-hashed message digest. This function supports all 12 allowed hash functions.
+- `crypto_sign_signature_pre_hash_shake256` and `crypto_sign_verify_pre_hash_shake256` - High-level functions that perform SHAKE256 pre-hashing internally for convenience. Currently, only SHAKE256 is supported. If you require another hash function, use the `*_pre_hash_internal` functions or open an issue.
 
 ### Will I be able to bring my own backend?
 

integration/liboqs/ML-DSA-44_META.yml

@@ -31,9 +31,9 @@ implementations:
   sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c
-    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h
-    mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h
-    mldsa/zetas.inc
+    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h
+    mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h
+    mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
 - name: x86_64
   version: FIPS204
   folder_name: .
@@ -46,8 +46,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/x86_64
   supported_platforms:
   - architecture: x86_64
     operating_systems:
@@ -69,8 +70,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/aarch64
   supported_platforms:
   - architecture: arm_8
     operating_systems:

integration/liboqs/ML-DSA-65_META.yml

@@ -31,9 +31,9 @@ implementations:
   sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c
-    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h
-    mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h
-    mldsa/zetas.inc
+    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h
+    mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h
+    mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
 - name: x86_64
   version: FIPS204
   folder_name: .
@@ -46,8 +46,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/x86_64
   supported_platforms:
   - architecture: x86_64
     operating_systems:
@@ -69,8 +70,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/aarch64
   supported_platforms:
   - architecture: arm_8
     operating_systems:

integration/liboqs/ML-DSA-87_META.yml

@@ -31,9 +31,9 @@ implementations:
   sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/ntt.c mldsa/ntt.h mldsa/packing.c mldsa/packing.h mldsa/params.h mldsa/poly.c
-    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/randombytes.h
-    mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h
-    mldsa/zetas.inc
+    mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h
+    mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c mldsa/sign.h
+    mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
 - name: x86_64
   version: FIPS204
   folder_name: .
@@ -46,8 +46,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/x86_64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/x86_64
   supported_platforms:
   - architecture: x86_64
     operating_systems:
@@ -68,8 +69,9 @@ implementations:
     mldsa/cbmc.h mldsa/common.h mldsa/ct.c mldsa/ct.h mldsa/debug.c mldsa/debug.h
     mldsa/native/api.h mldsa/native/meta.h mldsa/ntt.c mldsa/ntt.h mldsa/packing.c
     mldsa/packing.h mldsa/params.h mldsa/poly.c mldsa/poly.h mldsa/poly_kl.c mldsa/polyvec.c
-    mldsa/polyvec.h mldsa/randombytes.h mldsa/reduce.h mldsa/rounding.h mldsa/sign.c
-    mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc mldsa/native/aarch64
+    mldsa/polyvec.h mldsa/prehash.c mldsa/prehash.h mldsa/randombytes.h mldsa/reduce.h
+    mldsa/rounding.h mldsa/sign.c mldsa/sign.h mldsa/symmetric.h mldsa/sys.h mldsa/zetas.inc
+    mldsa/native/aarch64
   supported_platforms:
   - architecture: arm_8
     operating_systems:

mldsa/prehash.c

@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#include "prehash.h"
+#include "symmetric.h"
+
+#define MLD_PRE_HASH_OID_LEN 11
+
+/*************************************************
+ * Name:        mld_get_hash_oid
+ *
+ * Description: Returns the OID of a given SHA-2/SHA-3 hash function.
+ *
+ * Arguments:   - uint8_t oid[11]: pointer to output oid
+ *              - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *
+ **************************************************/
+static void mld_get_hash_oid(uint8_t oid[MLD_PRE_HASH_OID_LEN],
+                             mld_hash_alg_t hashAlg)
+{
+  unsigned int i;
+  static const struct
+  {
+    mld_hash_alg_t alg;
+    uint8_t oid[MLD_PRE_HASH_OID_LEN];
+  } oid_map[] = {
+      {MLD_SHA2_224,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}},
+      {MLD_SHA2_256,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}},
+      {MLD_SHA2_384,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}},
+      {MLD_SHA2_512,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}},
+      {MLD_SHA2_512_224,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x05}},
+      {MLD_SHA2_512_256,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x06}},
+      {MLD_SHA3_224,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x07}},
+      {MLD_SHA3_256,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x08}},
+      {MLD_SHA3_384,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x09}},
+      {MLD_SHA3_512,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0A}},
+      {MLD_SHAKE_128,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0B}},
+      {MLD_SHAKE_256,
+       {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x0C}}};
+
+  for (i = 0; i < sizeof(oid_map) / sizeof(oid_map[0]); i++)
+  __loop__(
+    invariant(i <= sizeof(oid_map) / sizeof(oid_map[0]))
+  )
+  {
+    if (oid_map[i].alg == hashAlg)
+    {
+      mld_memcpy(oid, oid_map[i].oid, MLD_PRE_HASH_OID_LEN);
+      return;
+    }
+  }
+}
+
+int mld_validate_hash_length(mld_hash_alg_t hashAlg, size_t len)
+{
+  switch (hashAlg)
+  {
+    case MLD_SHA2_224:
+      return (len == 224 / 8) ? 0 : -1;
+    case MLD_SHA2_256:
+      return (len == 256 / 8) ? 0 : -1;
+    case MLD_SHA2_384:
+      return (len == 384 / 8) ? 0 : -1;
+    case MLD_SHA2_512:
+      return (len == 512 / 8) ? 0 : -1;
+    case MLD_SHA2_512_224:
+      return (len == 224 / 8) ? 0 : -1;
+    case MLD_SHA2_512_256:
+      return (len == 256 / 8) ? 0 : -1;
+    case MLD_SHA3_224:
+      return (len == 224 / 8) ? 0 : -1;
+    case MLD_SHA3_256:
+      return (len == 256 / 8) ? 0 : -1;
+    case MLD_SHA3_384:
+      return (len == 384 / 8) ? 0 : -1;
+    case MLD_SHA3_512:
+      return (len == 512 / 8) ? 0 : -1;
+    case MLD_SHAKE_128:
+      return (len == 256 / 8) ? 0 : -1;
+    case MLD_SHAKE_256:
+      return (len == 512 / 8) ? 0 : -1;
+  }
+  return -1;
+}
+
+size_t mld_format_pre_hash_message(
+    uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES], const uint8_t *ph,
+    size_t phlen, const uint8_t *ctx, size_t ctxlen, mld_hash_alg_t hashAlg)
+{
+  /* Format: 0x01 || ctxlen (1 byte) || ctx || oid (11 bytes) || ph */
+  fmsg[0] = 1;
+  fmsg[1] = (uint8_t)ctxlen;
+
+  /* Copy context if present */
+  if (ctxlen > 0)
+  {
+    mld_memcpy(fmsg + 2, ctx, ctxlen);
+  }
+
+  /* Write OID */
+  mld_get_hash_oid(fmsg + 2 + ctxlen, hashAlg);
+
+  /* Copy pre-hash */
+  mld_memcpy(fmsg + 2 + ctxlen + MLD_PRE_HASH_OID_LEN, ph, phlen);
+
+  /* Return total formatted message length */
+  return 2 + ctxlen + MLD_PRE_HASH_OID_LEN + phlen;
+}

mldsa/prehash.h

@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#ifndef MLD_PREHASH_H
+#define MLD_PREHASH_H
+
+#include <stddef.h>
+#include <stdint.h>
+#include "common.h"
+#include "sign.h"
+
+/* Maximum formatted pre-hash message length: 0x01 || ctxlen || ctx (max 255) ||
+ * oid (11) || ph (max 64) */
+#define MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES (2 + 255 + 11 + 64)
+
+#define mld_validate_hash_length MLD_NAMESPACE(validate_hash_length)
+/*************************************************
+ * Name:        mld_validate_hash_length
+ *
+ * Description: Validates that the given hash length matches the expected
+ *              length for the given hash algorithm.
+ *
+ * Arguments:   - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *              - size_t len: Hash length to be checked
+ *
+ * Returns 0 if hash algorithm is known and the hash length matches
+ * and -1 otherwise.
+ **************************************************/
+MLD_MUST_CHECK_RETURN_VALUE
+MLD_INTERNAL_API
+int mld_validate_hash_length(mld_hash_alg_t hashAlg, size_t len);
+
+#define mld_format_pre_hash_message MLD_NAMESPACE(format_pre_hash_message)
+/*************************************************
+ * Name:        mld_format_pre_hash_message
+ *
+ * Description: Formats a pre-hash message according to FIPS 204:
+ *              0x01 || ctxlen (1 byte) || ctx || oid || ph
+ *
+ * Arguments:   - uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES]:
+ *                output formatted message buffer
+ *              - const uint8_t *ph: pointer to pre-hashed message
+ *              - size_t phlen: length of pre-hashed message
+ *              - const uint8_t *ctx: pointer to context string (may be NULL)
+ *              - size_t ctxlen: length of context string
+ *              - mld_hash_alg_t hashAlg: hash algorithm enumeration
+ *
+ * Returns the total length of the formatted message (2 + ctxlen + 11 + phlen).
+ **************************************************/
+MLD_INTERNAL_API
+size_t mld_format_pre_hash_message(
+    uint8_t fmsg[MLD_PRE_HASH_MAX_FORMATTED_MESSAGE_BYTES], const uint8_t *ph,
+    size_t phlen, const uint8_t *ctx, size_t ctxlen, mld_hash_alg_t hashAlg);
+
+#endif /* !MLD_PREHASH_H */