Support "pure" ML-DSA #422
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
WillChilds-Klein
force-pushed
the
mldsa-pure
branch
2 times, most recently
from
4def8b6 to
152c285
Compare
jakemas
reviewed
Jan 29, 2025
csrc/mldsa_gen.cpp
Outdated
WillChilds-Klein
force-pushed
the
mldsa-pure
branch
from
e8314cc to
bf10d99
Compare
WillChilds-Klein
force-pushed
the
mldsa-pure
branch
from
bf10d99 to
9f6a4ea
Compare
WillChilds-Klein
force-pushed
the
mldsa-pure
branch
from
715ba18 to
3b871e5
Compare
WillChilds-Klein
force-pushed
the
mldsa-pure
branch
from
4951135 to
dee52a5
Compare
geedo0
reviewed
Jan 30, 2025
benchmarks/lib/src/jmh/java/com/amazon/corretto/crypto/provider/benchmarks/SignatureMlDSA.java
Outdated
Show resolved
Hide resolved
benchmarks/lib/src/jmh/java/com/amazon/corretto/crypto/provider/benchmarks/KeyGenMlDSA.java
Outdated
Show resolved
Hide resolved
tst/com/amazon/corretto/crypto/provider/test/KeyReuseThreadStormTest.java
Show resolved
Hide resolved
alexw91
reviewed
Jan 30, 2025
src/com/amazon/corretto/crypto/provider/AmazonCorrettoCryptoProvider.java
Outdated
Show resolved
Hide resolved
geedo0
previously approved these changes
Jan 30, 2025
WillChilds-Klein
force-pushed
the
mldsa-pure
branch
from
a2c1578 to
0b41aa7
Compare
WillChilds-Klein
force-pushed
the
mldsa-pure
branch
from
0b41aa7 to
7f004fd
Compare
geedo0
previously approved these changes
Jan 30, 2025
geedo0
previously approved these changes
Jan 30, 2025
I would've included some KATs if it were straightforward. However, because ML-DSA introduces distinct randomness into each signature, signatures produced with identical parameters are unique. Since ACCP/JCA doesn't have a clean way of exposing AWS-LC's ML-DSA derandomization APIs, KATs for this PR are currently infeasible. |
alexw91
previously approved these changes
Jan 30, 2025
geedo0
approved these changes
Jan 30, 2025
alexw91
approved these changes
Jan 30, 2025
WillChilds-Klein
added a commit
that referenced
this pull request
Feb 3, 2025
A [recent AWS-LC change][1], coupled with [ACCP's recent ML-DSA support][2], induces [failures][3] in AWS-LC's tip-of-ACCP-main integration test. This is ultimately due to ACCP's current lack of support for deserializing BouncyCastle's ML-DSA private key encoding; ACCP expects the full key while BouncyCastle encodes only the 32 bytes seed. We're actively working on supporting both formats, but until that lands we modify `EvpKeyFactoryTest` to use ACCP for all ML-DSA keypairs. This was caught upstream in AWS-LC instead of ACCP's CI because: 1. ACCP pins AWS-LC version and doesn't currently test against AWS-LC tip-of-main 2. ACCP's EvpKeyFactoryTest cases for ML-DSA previously succeeded only because the de/serialized keys were never used. We were "successfully" deserializing BouncyCastle "keys" represented as a 32-byte seed, but never used them cryptographically in EvpKeyFactoryTest. Doing so results in verification failures as documented [here][4]. With AWS-LC's [recent change][1], the cryptographic properties of raw private key material are exercised and thus deserialization of seeds fails. We also bump AWS-LC tracking version to include above in tests. [1]: aws/aws-lc@695c3a0 [2]: #422 [3]: https://github.com/aws/aws-lc/actions/runs/13084244974/job/36513185053 [4]: https://github.com/corretto/amazon-corretto-crypto-provider/blob/aa9bfd2acc1c3539e2fe21630685b704930b9f74/tst/com/amazon/corretto/crypto/provider/test/MLDSATest.java#L239-L245
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available: i/ACCP-100
Description of changes:
Overview
This PR exposes ML-DSA functionality through the Signature, KeyPairGenerator, and KeyFactory JCA interfaces. The implementation closely follows our Ed25519 implementation, as both algorithms are currently used through AWS-LC's
EVP_DigestSignAPI initialized with aNULLmessage digest (these newer algorithms use a fixed, non-parameterizable digest function per spec).We also provide benchmarks for key generation, signing, and verifying.
Interoperability
This change has been written to be interoperable and forwards-compatible with other JCA provider ML-DSA implementations, such as BouncyCastle's and OpenJDK's JEP 497.
This means that ACCP callers cannot use JDK's NamedParameterSpec classes or BouncyCastle's MLDSAParameterSpec, but allows ACCP to provide ML-DSA on supported LTS JDK versions, independent of other providers. Instead of using ParameterSpec classes, callers can request a specific security level via the algorithm name passed into
KeyPairGenerator.getInstance(if no level is specified,"ML-DSA-44"is the default, conforming to JEP 497):We also update our BouncyCastle test dependency to 1.80, allowing us to pefrorm interoperability tests with BouncyCastle's ML-DSA implementation.
Limitations
As mentioned above, ACCP does not currently support ParameterSpec-based initialization on
KeyPairGeneratorinstances. We also don't supportkeysize-based initialization as it is somewhat ambiguous for ML-DSA. These limitations may change in the future.ACCP's ML-DSA keys cannot be used directly with BouncyCastle KeyFactory or Signature instances, as BouncyCastle only supports its own keys today. To use ACCP keys with BouncyCastle, callers will need to serialize them into
X509EncodedKeySpecorPKCS8EncodedKeySpecinstances and pass those to BouncyCastle'sKeyFactoryfor conversion.Finally, ACCP cannot yet deserialize ML-DSA private keys serialized by BouncyCastle. BouncyCastle currently encodes the private key's 32 byte seed upon serialization, while ACCP expects the fully expanded private key material.
Future Work
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.