Skip to content

Commit 31c9b9e

Browse files
mkannwischerhanno-becker
authored andcommitted
Remove crypto_sign_* aliases, NO_SUPERCOP and CRYPTO_* constants
mldsa_native.h exposed the public API under the crypto_sign_* SUPERCOP naming scheme, gated by MLD_CONFIG_NO_SUPERCOP. Of these, only crypto_sign_keypair (with the already-removed crypto_sign / crypto_sign_open) was an actual SUPERCOP API; the signature/verify variants were mldsa-native additions stapled onto the same prefix. This commit removes those aliases, the MLD_CONFIG_NO_SUPERCOP configuration, and the CRYPTO_{PUBLICKEY,SECRETKEY,}BYTES size constants -- the last remnant of the SUPERCOP naming -- along with the related documentation and #error messages. Consumers and tests now use the native namespaced API directly. Examples call the namespaced functions (e.g. mldsa_keypair); tests reconstruct the names via test/src/test_namespace.h. For the key and signature sizes, examples and tests derive them from MLD_CONFIG_PARAMETER_SET via local MLDSA_{PK,SK,SIG}_BYTES abbreviations, since they are built for all parameter sets (44, 65, 87). Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com> Signed-off-by: Hanno Becker <beckphan@amazon.co.uk>
1 parent 31300ad commit 31c9b9e

61 files changed

Lines changed: 1063 additions & 1348 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

README.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -191,7 +191,7 @@ To enable this mode, define `MLD_CONFIG_REDUCE_RAM` in [mldsa_native_config.h](m
191191

192192
By default, mldsa-native uses the randomized "hedged" signing variant as specified in FIPS 204 Section 3.4. The hedged variant uses both fresh randomness at signing time and precomputed randomness from the private key. This helps mitigate fault injection attacks and side-channel attacks while protecting against potential flaws in the random number generator.
193193

194-
If you need the deterministic variant of ML-DSA, you can call `crypto_sign_signature_internal`
194+
If you need the deterministic variant of ML-DSA, you can call `signature_internal`
195195
directly with an all-zero `rnd` argument.
196196
However, note that FIPS 204 warns that this should not be used on platforms where fault injection attacks and side-channel attacks are a concern, as the lack of fresh randomness makes fault attacks more difficult to mitigate.
197197

@@ -206,8 +206,8 @@ External mu mode enables applications to compute the message digest (mu) externa
206206
Yes. mldsa-native supports HashML-DSA, the pre-hashing variant of ML-DSA defined in FIPS 204 Algorithms 4 and 5.
207207

208208
mldsa-native provides two levels of API:
209-
- `crypto_sign_signature_pre_hash_internal` and `crypto_sign_verify_pre_hash_internal` - Low-level functions that accept a pre-hashed message digest. This function supports all 12 allowed hash functions.
210-
- `crypto_sign_signature_pre_hash_shake256` and `crypto_sign_verify_pre_hash_shake256` - High-level functions that perform SHAKE256 pre-hashing internally for convenience. Currently, only SHAKE256 is supported. If you require another hash function, use the `*_pre_hash_internal` functions or open an issue.
209+
- `signature_pre_hash_internal` and `verify_pre_hash_internal` - Low-level functions that accept a pre-hashed message digest. This function supports all 12 allowed hash functions.
210+
- `signature_pre_hash_shake256` and `verify_pre_hash_shake256` - High-level functions that perform SHAKE256 pre-hashing internally for convenience. Currently, only SHAKE256 is supported. If you require another hash function, use the `*_pre_hash_internal` functions or open an issue.
211211

212212
## Have a Question?
213213

examples/basic/main.c

Lines changed: 26 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,19 @@
1717
#include "expected_test_vectors.h"
1818
#include "test_only_rng/notrandombytes.h"
1919

20+
/* Convenience abbreviations for the key and signature sizes.
21+
*
22+
* Ordinarily you know the parameter set you're working with, so you would
23+
* just use the level-specific constants directly, e.g. MLDSA44_PUBLICKEYBYTES,
24+
* MLDSA65_BYTES, or MLDSA87_SECRETKEYBYTES.
25+
*
26+
* These examples, however, are compiled for all three parameter sets (44, 65,
27+
* 87), so we keep things generic by deriving the sizes from the configured
28+
* MLD_CONFIG_PARAMETER_SET. */
29+
#define MLDSA_PK_BYTES MLDSA_PUBLICKEYBYTES(MLD_CONFIG_PARAMETER_SET)
30+
#define MLDSA_SK_BYTES MLDSA_SECRETKEYBYTES(MLD_CONFIG_PARAMETER_SET)
31+
#define MLDSA_SIG_BYTES MLDSA_BYTES(MLD_CONFIG_PARAMETER_SET)
32+
2033
#define CHECK(x) \
2134
do \
2235
{ \
@@ -32,13 +45,13 @@
3245
#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
3346
static int example_keygen(void)
3447
{
35-
uint8_t pk[CRYPTO_PUBLICKEYBYTES];
36-
uint8_t sk[CRYPTO_SECRETKEYBYTES];
48+
uint8_t pk[MLDSA_PK_BYTES];
49+
uint8_t sk[MLDSA_SK_BYTES];
3750

3851
printf("Generating keypair... ");
39-
CHECK(crypto_sign_keypair(pk, sk) == 0);
40-
CHECK(memcmp(pk, test_vector_pk, CRYPTO_PUBLICKEYBYTES) == 0);
41-
CHECK(memcmp(sk, test_vector_sk, CRYPTO_SECRETKEYBYTES) == 0);
52+
CHECK(mldsa_keypair(pk, sk) == 0);
53+
CHECK(memcmp(pk, test_vector_pk, MLDSA_PK_BYTES) == 0);
54+
CHECK(memcmp(sk, test_vector_sk, MLDSA_SK_BYTES) == 0);
4255
printf("DONE\n");
4356
return 0;
4457
}
@@ -53,14 +66,13 @@ static int example_keygen(void)
5366
#if !defined(MLD_CONFIG_NO_SIGN_API)
5467
static int example_sign(void)
5568
{
56-
uint8_t sig[CRYPTO_BYTES];
69+
uint8_t sig[MLDSA_SIG_BYTES];
5770
size_t siglen;
5871

5972
printf("Signing message... ");
60-
CHECK(crypto_sign_signature(sig, &siglen, (const uint8_t *)TEST_VECTOR_MSG,
61-
TEST_VECTOR_MSG_LEN,
62-
(const uint8_t *)TEST_VECTOR_CTX,
63-
TEST_VECTOR_CTX_LEN, test_vector_sk) == 0);
73+
CHECK(mldsa_signature(sig, &siglen, (const uint8_t *)TEST_VECTOR_MSG,
74+
TEST_VECTOR_MSG_LEN, (const uint8_t *)TEST_VECTOR_CTX,
75+
TEST_VECTOR_CTX_LEN, test_vector_sk) == 0);
6476
CHECK(siglen == sizeof(test_vector_sig));
6577
CHECK(memcmp(sig, test_vector_sig, siglen) == 0);
6678
printf("DONE\n");
@@ -78,11 +90,10 @@ static int example_sign(void)
7890
static int example_verify(void)
7991
{
8092
printf("Verifying signature... ");
81-
CHECK(crypto_sign_verify(test_vector_sig, sizeof(test_vector_sig),
82-
(const uint8_t *)TEST_VECTOR_MSG,
83-
TEST_VECTOR_MSG_LEN,
84-
(const uint8_t *)TEST_VECTOR_CTX,
85-
TEST_VECTOR_CTX_LEN, test_vector_pk) == 0);
93+
CHECK(mldsa_verify(test_vector_sig, sizeof(test_vector_sig),
94+
(const uint8_t *)TEST_VECTOR_MSG, TEST_VECTOR_MSG_LEN,
95+
(const uint8_t *)TEST_VECTOR_CTX, TEST_VECTOR_CTX_LEN,
96+
test_vector_pk) == 0);
8697
printf("DONE\n");
8798
return 0;
8899
}

examples/basic_deterministic/README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ without requiring a `randombytes()` implementation.
88

99
Use this approach when:
1010
- Your application manages its own entropy/randomness externally
11-
- You only need `crypto_sign_keypair_internal` and `crypto_sign_signature_internal` (deterministic variants)
11+
- You only need `mldsa_keypair_internal` and `mldsa_signature_internal` (deterministic variants)
1212

1313
## Components
1414

@@ -20,7 +20,7 @@ No `randombytes()` implementation is required.
2020
## Configuration
2121

2222
The configuration file [mldsa_native_config.h](mldsa_native/mldsa_native_config.h) sets:
23-
- `MLD_CONFIG_NO_RANDOMIZED_API`: Disables `crypto_sign_keypair`, `crypto_sign_signature`, etc.
23+
- `MLD_CONFIG_NO_RANDOMIZED_API`: Disables `mldsa_keypair`, `mldsa_signature`, etc.
2424
- `MLD_CONFIG_PARAMETER_SET`: Security level (default 65)
2525
- `MLD_CONFIG_NAMESPACE_PREFIX`: Symbol prefix (set to `mldsa`)
2626

examples/basic_deterministic/main.c

Lines changed: 18 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,19 @@
1616
#include <mldsa_native.h>
1717
#include "expected_test_vectors.h"
1818

19+
/* Convenience abbreviations for the key and signature sizes.
20+
*
21+
* Ordinarily you know the parameter set you're working with, so you would
22+
* just use the level-specific constants directly, e.g. MLDSA44_PUBLICKEYBYTES,
23+
* MLDSA65_BYTES, or MLDSA87_SECRETKEYBYTES.
24+
*
25+
* These examples, however, are compiled for all three parameter sets (44, 65,
26+
* 87), so we keep things generic by deriving the sizes from the configured
27+
* MLD_CONFIG_PARAMETER_SET. */
28+
#define MLDSA_PK_BYTES MLDSA_PUBLICKEYBYTES(MLD_CONFIG_PARAMETER_SET)
29+
#define MLDSA_SK_BYTES MLDSA_SECRETKEYBYTES(MLD_CONFIG_PARAMETER_SET)
30+
#define MLDSA_SIG_BYTES MLDSA_BYTES(MLD_CONFIG_PARAMETER_SET)
31+
1932
/* For testing, we use the same randomness that would be generated by our
2033
* deterministic test rng such that we can produce the same keys and
2134
* signatures as in the basic example.
@@ -43,13 +56,13 @@
4356
#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
4457
static int example_keygen(void)
4558
{
46-
uint8_t pk[CRYPTO_PUBLICKEYBYTES];
47-
uint8_t sk[CRYPTO_SECRETKEYBYTES];
59+
uint8_t pk[MLDSA_PK_BYTES];
60+
uint8_t sk[MLDSA_SK_BYTES];
4861

4962
printf("Generating keypair... ");
5063
CHECK(mldsa_keypair_internal(pk, sk, test_vector_rnd) == 0);
51-
CHECK(memcmp(pk, test_vector_pk, CRYPTO_PUBLICKEYBYTES) == 0);
52-
CHECK(memcmp(sk, test_vector_sk, CRYPTO_SECRETKEYBYTES) == 0);
64+
CHECK(memcmp(pk, test_vector_pk, MLDSA_PK_BYTES) == 0);
65+
CHECK(memcmp(sk, test_vector_sk, MLDSA_SK_BYTES) == 0);
5366
printf("DONE\n");
5467
return 0;
5568
}
@@ -64,7 +77,7 @@ static int example_keygen(void)
6477
#if !defined(MLD_CONFIG_NO_SIGN_API)
6578
static int example_sign(void)
6679
{
67-
uint8_t sig[CRYPTO_BYTES];
80+
uint8_t sig[MLDSA_SIG_BYTES];
6881
size_t siglen;
6982
uint8_t pre[TEST_VECTOR_CTX_LEN + 2]; /* prefix string (0, ctxlen, ctx) */
7083

examples/basic_deterministic/mldsa_native/mldsa_native_config.h

Lines changed: 19 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -127,8 +127,8 @@
127127
*
128128
* By default, mldsa-native includes support for generating key
129129
* pairs. If you don't need this, set MLD_CONFIG_NO_KEYPAIR_API
130-
* to exclude crypto_sign_keypair, crypto_sign_keypair_internal,
131-
* crypto_sign_pk_from_sk, and all internal APIs only needed by
130+
* to exclude keypair, keypair_internal,
131+
* pk_from_sk, and all internal APIs only needed by
132132
* those functions.
133133
*/
134134
/* #define MLD_CONFIG_NO_KEYPAIR_API */
@@ -138,10 +138,10 @@
138138
*
139139
* By default, mldsa-native includes support for creating
140140
* signatures. If you don't need this, set MLD_CONFIG_NO_SIGN_API
141-
* to exclude crypto_sign_signature,
142-
* crypto_sign_signature_extmu, crypto_sign_signature_internal,
143-
* crypto_sign_signature_pre_hash_internal,
144-
* crypto_sign_signature_pre_hash_shake256, and all internal APIs
141+
* to exclude signature,
142+
* signature_extmu, signature_internal,
143+
* signature_pre_hash_internal,
144+
* signature_pre_hash_shake256, and all internal APIs
145145
* only needed by those functions.
146146
*/
147147
/* #define MLD_CONFIG_NO_SIGN_API */
@@ -151,10 +151,10 @@
151151
*
152152
* By default, mldsa-native includes support for verifying
153153
* signatures. If you don't need this, set
154-
* MLD_CONFIG_NO_VERIFY_API to exclude crypto_sign_verify,
155-
* crypto_sign_verify_extmu, crypto_sign_verify_internal,
156-
* crypto_sign_verify_pre_hash_internal,
157-
* crypto_sign_verify_pre_hash_shake256, and all internal APIs
154+
* MLD_CONFIG_NO_VERIFY_API to exclude verify,
155+
* verify_extmu, verify_internal,
156+
* verify_pre_hash_internal,
157+
* verify_pre_hash_shake256, and all internal APIs
158158
* only needed by those functions.
159159
*/
160160
/* #define MLD_CONFIG_NO_VERIFY_API */
@@ -163,40 +163,28 @@
163163
* MLD_CONFIG_CORE_API_ONLY
164164
*
165165
* Set this to remove all public APIs except
166-
* crypto_sign_keypair_internal, crypto_sign_signature_internal,
167-
* and crypto_sign_verify_internal.
166+
* keypair_internal, signature_internal,
167+
* and verify_internal.
168168
*/
169169
/* #define MLD_CONFIG_CORE_API_ONLY */
170170

171171
/**
172172
* MLD_CONFIG_NO_RANDOMIZED_API
173173
*
174174
* If this option is set, mldsa-native will be built without the
175-
* randomized API functions (crypto_sign_keypair,
176-
* crypto_sign_signature, and crypto_sign_signature_extmu).
175+
* randomized API functions (keypair,
176+
* signature, and signature_extmu).
177177
* This allows users to build mldsa-native without providing a
178178
* randombytes() implementation if they only need the
179179
* internal deterministic API
180-
* (crypto_sign_keypair_internal, crypto_sign_signature_internal).
180+
* (keypair_internal, signature_internal).
181181
*
182182
* @note This option is incompatible with MLD_CONFIG_KEYGEN_PCT
183183
* as the current PCT implementation requires
184-
* crypto_sign_signature().
184+
* signature().
185185
*/
186186
#define MLD_CONFIG_NO_RANDOMIZED_API
187187

188-
/**
189-
* MLD_CONFIG_NO_SUPERCOP
190-
*
191-
* By default, mldsa_native.h exposes the mldsa-native API in the
192-
* SUPERCOP naming convention (crypto_sign_xxx). If you don't need
193-
* this, set MLD_CONFIG_NO_SUPERCOP.
194-
*
195-
* @note You must set this for a multi-level build as the SUPERCOP
196-
* naming does not disambiguate between the parameter sets.
197-
*/
198-
/* #define MLD_CONFIG_NO_SUPERCOP */
199-
200188
/**
201189
* MLD_CONFIG_CONSTANTS_ONLY
202190
*
@@ -632,16 +620,16 @@
632620
* generated keypair before it can be exported.
633621
*
634622
* Set this option if such a check should be implemented.
635-
* In this case, crypto_sign_keypair_internal and
636-
* crypto_sign_keypair will return a non-zero error code if the
623+
* In this case, keypair_internal and
624+
* keypair will return a non-zero error code if the
637625
* PCT failed.
638626
*
639627
* @note This feature will drastically lower the performance of
640628
* key generation.
641629
*
642630
* @note This option is incompatible with MLD_CONFIG_NO_SIGN_API
643631
* and MLD_CONFIG_NO_VERIFY_API as the current PCT implementation
644-
* requires crypto_sign_signature() and crypto_sign_verify().
632+
* requires signature() and verify().
645633
*/
646634
/* #define MLD_CONFIG_KEYGEN_PCT */
647635

examples/basic_lowram/main.c

Lines changed: 26 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,19 @@
1717
#include "expected_test_vectors.h"
1818
#include "test_only_rng/notrandombytes.h"
1919

20+
/* Convenience abbreviations for the key and signature sizes.
21+
*
22+
* Ordinarily you know the parameter set you're working with, so you would
23+
* just use the level-specific constants directly, e.g. MLDSA44_PUBLICKEYBYTES,
24+
* MLDSA65_BYTES, or MLDSA87_SECRETKEYBYTES.
25+
*
26+
* These examples, however, are compiled for all three parameter sets (44, 65,
27+
* 87), so we keep things generic by deriving the sizes from the configured
28+
* MLD_CONFIG_PARAMETER_SET. */
29+
#define MLDSA_PK_BYTES MLDSA_PUBLICKEYBYTES(MLD_CONFIG_PARAMETER_SET)
30+
#define MLDSA_SK_BYTES MLDSA_SECRETKEYBYTES(MLD_CONFIG_PARAMETER_SET)
31+
#define MLDSA_SIG_BYTES MLDSA_BYTES(MLD_CONFIG_PARAMETER_SET)
32+
2033
#define CHECK(x) \
2134
do \
2235
{ \
@@ -32,13 +45,13 @@
3245
#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
3346
static int example_keygen(void)
3447
{
35-
uint8_t pk[CRYPTO_PUBLICKEYBYTES];
36-
uint8_t sk[CRYPTO_SECRETKEYBYTES];
48+
uint8_t pk[MLDSA_PK_BYTES];
49+
uint8_t sk[MLDSA_SK_BYTES];
3750

3851
printf("Generating keypair... ");
39-
CHECK(crypto_sign_keypair(pk, sk) == 0);
40-
CHECK(memcmp(pk, test_vector_pk, CRYPTO_PUBLICKEYBYTES) == 0);
41-
CHECK(memcmp(sk, test_vector_sk, CRYPTO_SECRETKEYBYTES) == 0);
52+
CHECK(mldsa_keypair(pk, sk) == 0);
53+
CHECK(memcmp(pk, test_vector_pk, MLDSA_PK_BYTES) == 0);
54+
CHECK(memcmp(sk, test_vector_sk, MLDSA_SK_BYTES) == 0);
4255
printf("DONE\n");
4356
return 0;
4457
}
@@ -53,14 +66,13 @@ static int example_keygen(void)
5366
#if !defined(MLD_CONFIG_NO_SIGN_API)
5467
static int example_sign(void)
5568
{
56-
uint8_t sig[CRYPTO_BYTES];
69+
uint8_t sig[MLDSA_SIG_BYTES];
5770
size_t siglen;
5871

5972
printf("Signing message... ");
60-
CHECK(crypto_sign_signature(sig, &siglen, (const uint8_t *)TEST_VECTOR_MSG,
61-
TEST_VECTOR_MSG_LEN,
62-
(const uint8_t *)TEST_VECTOR_CTX,
63-
TEST_VECTOR_CTX_LEN, test_vector_sk) == 0);
73+
CHECK(mldsa_signature(sig, &siglen, (const uint8_t *)TEST_VECTOR_MSG,
74+
TEST_VECTOR_MSG_LEN, (const uint8_t *)TEST_VECTOR_CTX,
75+
TEST_VECTOR_CTX_LEN, test_vector_sk) == 0);
6476
CHECK(siglen == sizeof(test_vector_sig));
6577
CHECK(memcmp(sig, test_vector_sig, siglen) == 0);
6678
printf("DONE\n");
@@ -78,11 +90,10 @@ static int example_sign(void)
7890
static int example_verify(void)
7991
{
8092
printf("Verifying signature... ");
81-
CHECK(crypto_sign_verify(test_vector_sig, sizeof(test_vector_sig),
82-
(const uint8_t *)TEST_VECTOR_MSG,
83-
TEST_VECTOR_MSG_LEN,
84-
(const uint8_t *)TEST_VECTOR_CTX,
85-
TEST_VECTOR_CTX_LEN, test_vector_pk) == 0);
93+
CHECK(mldsa_verify(test_vector_sig, sizeof(test_vector_sig),
94+
(const uint8_t *)TEST_VECTOR_MSG, TEST_VECTOR_MSG_LEN,
95+
(const uint8_t *)TEST_VECTOR_CTX, TEST_VECTOR_CTX_LEN,
96+
test_vector_pk) == 0);
8697
printf("DONE\n");
8798
return 0;
8899
}

0 commit comments

Comments
 (0)