Skip to content

ML-DSA driver: support the expanded private key format#834

Open
gilles-peskine-arm wants to merge 8 commits into
Mbed-TLS:developmentfrom
gilles-peskine-arm:mldsa-driver-expanded-key
Open

ML-DSA driver: support the expanded private key format#834
gilles-peskine-arm wants to merge 8 commits into
Mbed-TLS:developmentfrom
gilles-peskine-arm:mldsa-driver-expanded-key

Conversation

@gilles-peskine-arm

Copy link
Copy Markdown
Contributor

In the ML-DSA driver, support export-public and signing where the key input is the concatenation of the seed and the expanded private key, in addition to supporting the seed only. Resolves #774.

Needs preceding PR: framework prerequisite Mbed-TLS/mbedtls-framework#312

PR checklist

Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.

  • changelog not required because: not exposed in the API yet
  • framework PR provided ML-DSA test generator: support expanded and joined key formats mbedtls-framework#312
  • TF-PSA-Crypto development PR here
  • TF-PSA-Crypto 1.1 PR not required because: new feature
  • mbedtls development PR not required because: new feature
  • mbedtls 4.1 PR not required because: new feature
  • mbedtls 3.6 PR not required because: new feature
  • tests provided

No behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The value is 64 either way, so the behavior was correct, but use the
intended constant name.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The public key hash (tr) is stored in the expanded private key. In multipart
signature, get it from there, rather than recalculate it from the public
key. (In one-shot signature, this is what mldsa-native does internally.)

This is a tiny performance improvement. But more importantly, it paves the
way for being able to sign with just the expanded private key, without
having to have the public key.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
…rmat

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
@gilles-peskine-arm gilles-peskine-arm added size-s Estimated task size: small (~2d) priority-high High priority - will be reviewed soon needs-preceding-pr Requires another PR to be merged first needs-ci Needs to pass CI tests labels Jul 8, 2026
In one-shot and multipart MLDSA signature, support the key either as just
the seed (the standard PSA format), or the seed concatenated with the
standard expanded key format.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the multipart signature interface, the driver dispatch code must pass the
same key to the `sign_setup` and `sign_finish` entry points. Otherwise the
behavior of the driver is undefined.

For robustness, prepare to validate the behavior of the ML-DSA driver when
the keys are different.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
* Only the expanded private key (not supported).
* Almost but not exactly the joined format.
* Mismatch between the seed and the private key.
* Mismatch between the key format passed to setup() and finish().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
@gilles-peskine-arm gilles-peskine-arm force-pushed the mldsa-driver-expanded-key branch from d11e1fe to c73fd1b Compare July 9, 2026 08:21
@gilles-peskine-arm gilles-peskine-arm added needs-review Every commit must be reviewed by at least two team members needs-reviewer This PR needs someone to pick it up for review and removed needs-work needs-ci Needs to pass CI tests labels Jul 9, 2026
@bjwtaylor bjwtaylor self-requested a review July 9, 2026 10:17

@bjwtaylor bjwtaylor left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One question on the scope, though otherwise looks good.

}
}

psa_status_t tf_psa_crypto_mldsa_export_public_key(

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description says this PR adds support for export-public and signing where the key input is the concatenation of the seed and the expanded private key. However it looks like this function still calls to seed_to_public_key and doesn't accept the proposed new key input and the other changes seem related to signing? So is the description out of date, the code needs additional functionality or have I missed something?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, oops. That's what you get for working on a feature one hour at a time... I'll do it when I get back, either here or in a follow-up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-preceding-pr Requires another PR to be merged first needs-review Every commit must be reviewed by at least two team members needs-reviewer This PR needs someone to pick it up for review needs-work priority-high High priority - will be reviewed soon size-s Estimated task size: small (~2d)

Projects

Development

Successfully merging this pull request may close these issues.

Support expanded key format in ML-DSA signature driver

2 participants