[crypto] ML-DSA-87: Hashing of the keygen seed Xi

andrea-caforio · andrea-caforio · commit ebd151921b8a · 2026-05-21T18:12:35.000+02:00
ML-DSA keygen is parametrized by a seed Xi that needs to be hash in
order to derived the public and secret keys.

Signed-off-by: Andrea Caforio &lt;andrea.caforio@lowrisc.org&gt;
diff --git a/sw/otbn/crypto/mldsa87/keygen/mldsa87_keygen_ops.s b/sw/otbn/crypto/mldsa87/keygen/mldsa87_keygen_ops.s
@@ -7,6 +7,7 @@
 .globl sample_s
 .globl compute_t
 .globl encode_t
+.globl hash_seed
 
 .text
 
@@ -317,3 +318,68 @@ encode_t:
     /* End of loop */
 
   ret
+
+/**
+ * Hash the seed Xi.
+ *
+ * ML-DSA keygen is parametrized by a 32-byte seed Xi (passed as a 34-byte
+ * value) that is hashed to create RHO, RHO_PRIME and K, i.e.,
+ *
+ *   RHO, RHO_PRIME, K = Shake256(Xi),
+ *
+ * where RHO is a 32-byte unshared value, RHO_PRIME is a 64-byte Boolean-shared
+ * value and K is a 32-byte Boolean-shared value.
+ *
+ * Xi is assumed to be passed as a 34-byte value in a 64-byte region with bytes
+ * 32 and 33 of both shares set to 0.
+ *
+ * @param[in] x2: DMEM address of the first Boolean share of Xi.
+ * @param[in] x3: DMEM address of the second Boolean share of Xi.
+ * @param[in] x4: DMEM address of RHO.
+ * @param[in] x5: DMEM address of the first Boolean share of RHO_PRIME.
+ * @param[in] x6: DMEM address of the second Boolean share of RHO_PRIME.
+ * @param[in] x7: DMEM address of the first Boolean share of K.
+ * @param[in] x8: DMEM address of the second Boolean share of K.
+ */
+hash_seed:
+  /* Xi[32] = K = 8, Xi[33] = L = 7. */
+  li x9, 0x00000708
+  sw x9, 32(x2)
+
+  /* Squeeze buffer WDR pointers. */
+  addi x9, x0, 29
+  addi x10, x0, 30
+
+  jal x1, xof_shake256_init
+
+  /* Absorb the 34-byte Boolean shared seed value Xi. */
+  addi x20, x0, 34
+  addi x21, x2, 0
+  addi x22, x3, 0
+  jal x1, xof_absorb
+  jal x1, xof_process
+
+  /* Squeeze the 32-byte unshared value RHO. */
+  jal x1, xof_squeeze32
+  bn.xor w29, w29, w30 /* unmask */
+  bn.sid x9, 0(x4)
+
+  /* Squeeze the 64-byte Boolean-shared value RHO_PRIME. */
+  jal x1, xof_squeeze32
+  bn.sid x9, 0(x5)
+  bn.xor w31, w31, w31 /* dummy */
+  bn.sid x10, 0(x6)
+  jal x1, xof_squeeze32
+  bn.sid x9, 32(x5)
+  bn.xor w31, w31, w31 /* dummy */
+  bn.sid x10, 32(x6)
+
+  /* Squeeze the 32-byte Boolean-shared value K. */
+  jal x1, xof_squeeze32
+  bn.sid x9, 0(x7)
+  bn.xor w31, w31, w31 /* dummy */
+  bn.sid x10, 0(x8)
+
+  jal x1, xof_finish
+
+  ret
diff --git a/sw/otbn/crypto/mldsa87/keygen/tests/BUILD b/sw/otbn/crypto/mldsa87/keygen/tests/BUILD
@@ -34,6 +34,7 @@ unit_tests = [
     "mldsa87_keygen_sample_s_test",
     "mldsa87_keygen_compute_t_test",
     "mldsa87_keygen_encode_t_test",
+    "mldsa87_keygen_hash_seed_test",
 ]
 
 [
diff --git a/sw/otbn/crypto/mldsa87/keygen/tests/mldsa87_keygen_hash_seed_test.hjson b/sw/otbn/crypto/mldsa87/keygen/tests/mldsa87_keygen_hash_seed_test.hjson
@@ -0,0 +1,27 @@
+// Copyright lowRISC contributors (OpenTitan project).
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+// NIST ACVP ML-DSA-87 keygen vector #51 (first ML-DSA-87 vector):
+// https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/ML-DSA-keyGen-FIPS204
+
+{
+  "entrypoint": "main",
+  "input": {
+    "dmem": {
+      // Xi
+      "_hash_seed_xi_share0": "0x7bcbfc40c22b8e76a5dd9f8927691d12305635a63b771687cd591792bb2f05f7",
+      "_hash_seed_xi_share1": "0x0000000000000000000000000000000000000000000000000000000000000000"
+    }
+  },
+  "output": {
+    "dmem": {
+      // RHO
+      "_hash_seed_rho": "0xd937df8c3fe571dcc9de94cd892d91cfcdb5e640a21935a26e75f5de92f3df18",
+      // RHO_PRIME
+      "_hash_seed_rho_prime_share0": "0x3af649807ca2405382e16fc376486871f8478741dcb502773f43b3ff7910a4892f75a52f1205580933491c0c9434133ea4660011c521c5df9cf9b54bb701a885",
+      // K
+      "_hash_seed_k_share0": "0xd24ab993ed9fb49815e9ea7a168ae2a07c538064017431e12b26d55584d307d7",
+    }
+  }
+}
diff --git a/sw/otbn/crypto/mldsa87/keygen/tests/mldsa87_keygen_hash_seed_test.s b/sw/otbn/crypto/mldsa87/keygen/tests/mldsa87_keygen_hash_seed_test.s
@@ -0,0 +1,70 @@
+/* Copyright lowRISC contributors (OpenTitan project). */
+/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
+/* SPDX-License-Identifier: Apache-2.0 */
+
+/* Verify that keygen seed Xi hash is correctly hashed. */
+
+.section .text.start
+
+main:
+  la x31, _stack
+  bn.xor w31, w31, w31
+
+  la x2, _params
+  bn.lid x0, 0(x2)
+  bn.wsrw MOD, w0
+
+  la x2, _hash_seed_xi_share0
+  la x3, _hash_seed_xi_share1
+  la x4, _hash_seed_rho
+  la x5, _hash_seed_rho_prime_share0
+  la x6, _hash_seed_rho_prime_share1
+  la x7, _hash_seed_k_share0
+  la x8, _hash_seed_k_share1
+  jal x1, hash_seed
+
+  la x20, _hash_seed_rho_prime_share0
+  la x21, _hash_seed_rho_prime_share1
+  addi x22, x0, 2
+  jal x1, unmask_boolean
+
+  la x20, _hash_seed_k_share0
+  la x21, _hash_seed_k_share1
+  addi x22, x0, 1
+  jal x1, unmask_boolean
+
+  ecall
+
+.data
+.balign 32
+
+_hash_seed_xi_share0:
+.zero 34
+.zero 30 /* Padding */
+_hash_seed_xi_share1:
+.zero 34
+.zero 30 /* Padding */
+
+_hash_seed_rho:
+.zero 32
+_hash_seed_rho_prime_share0:
+.zero 64
+_hash_seed_rho_prime_share1:
+.zero 64
+_hash_seed_k_share0:
+.zero 32
+_hash_seed_k_share1:
+.zero 32
+
+_params:
+.word 0x007fe001 /* q */
+.word 0xfc7fdfff /* mu */
+.word 0x0000a3fa /* n^-1 * R^3 mod q */
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+.word 0x00000000
+
+_stack:
+.zero 256

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ unit_tests = [`
`34`	`34`	`"mldsa87_keygen_sample_s_test",`
`35`	`35`	`"mldsa87_keygen_compute_t_test",`
`36`	`36`	`"mldsa87_keygen_encode_t_test",`
	`37`	`+ "mldsa87_keygen_hash_seed_test",`
`37`	`38`	`]`
`38`	`39`
`39`	`40`	`[`