Add ML-DSA / FIPS 204 final (#1919)

* Pull ML-DSA from pq-crystals upstream.
* Removes ML-DSA-ipd
* Adds support for context strings to OQS SIG API.
* Adding _with_ctx_str APIs, templating
* Adds ACVP tests for ML-DSA
* export symbols for acvp tests (dynamic linking)
* remove IPD intermediate values
* adds flag for ctx support
* Update constant-time passes after line nubmer and function name changes
* Update KATs
* API with checks for signatures without ctx support
* Additional test for signatures with ctx
* Change alg_version to FIPS204
* Update ML-DSA security claim to SUF-CMA, according to FIPS204
* Update src/sig/sig.h
* Fix test_alg_info

---------
Signed-off-by: Basil Hess <bhe@zurich.ibm.com>
Co-authored-by: Spencer Wilson <spencer.wilson@uwaterloo.ca>

.CMake/alg_support.cmake

@@ -137,11 +137,8 @@ cmake_dependent_option(OQS_ENABLE_SIG_dilithium_3 "" ON "OQS_ENABLE_SIG_DILITHIU
 cmake_dependent_option(OQS_ENABLE_SIG_dilithium_5 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
 
 option(OQS_ENABLE_SIG_ML_DSA "Enable ml_dsa algorithm family" ON)
-cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
-cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
-cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 
 option(OQS_ENABLE_SIG_FALCON "Enable falcon algorithm family" ON)
@@ -393,21 +390,18 @@ endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_44_ipd" OFF)
     cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_44" OFF)
 endif()
 endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_65_ipd" OFF)
     cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_65" OFF)
 endif()
 endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_87_ipd" OFF)
     cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_87" OFF)
 endif()
 endif()

.github/workflows/linux.yml

@@ -138,7 +138,7 @@ jobs:
           path: build/*.deb
       - name: Check STD algorithm and alias
         if: matrix.name == 'jammy-std-openssl3'
-        run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44-ipd:\n    isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n    isnull: false"'
+        run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n    isnull: false"'
         working-directory: build
 
   linux_arm_emulated:

README.md

@@ -44,7 +44,7 @@ Details on each supported algorithm can be found in the [docs/algorithms](https:
 
 The list below indicates all algorithms currently supported by liboqs, including experimental algorithms and already excluding algorithm variants pruned during the NIST competition, such as Kyber-90s or Dilithium-AES.
 
-The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/ipd) (initial public draft) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes. For users interested in explicitly selecting the current "proposed draft standard" code, the variants with the suffix "-ipd" are made available. At this stage, "ml-dsa-ipd" and "ml-dsa" are functionally equivalent, denoted by the "alias" moniker below.
+The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/final) (final standard) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes.
 
 Falcon and SPHINCS+ have also been [selected for standardization](https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022), but the `liboqs` implementations of these algorithms are currently tracking Round 3 submissions and not NIST standards drafts.
 
@@ -69,7 +69,7 @@ All names other than `ML-KEM` and `ML-DSA` are subject to change. `liboqs` makes
 - **CRYSTALS-Dilithium**: Dilithium2, Dilithium3, Dilithium5
 - **Falcon**: Falcon-512, Falcon-1024, Falcon-padded-512, Falcon-padded-1024
 - **MAYO**: MAYO-1, MAYO-2, MAYO-3, MAYO-5†
-- **ML-DSA**: ML-DSA-44-ipd (alias: ML-DSA-44), ML-DSA-65-ipd (alias: ML-DSA-65), ML-DSA-87-ipd (alias: ML-DSA-87)
+- **ML-DSA**: ML-DSA-44, ML-DSA-65, ML-DSA-87
 - **SPHINCS+-SHA2**: SPHINCS+-SHA2-128f-simple, SPHINCS+-SHA2-128s-simple, SPHINCS+-SHA2-192f-simple, SPHINCS+-SHA2-192s-simple, SPHINCS+-SHA2-256f-simple, SPHINCS+-SHA2-256s-simple
 - **SPHINCS+-SHAKE**: SPHINCS+-SHAKE-128f-simple, SPHINCS+-SHAKE-128s-simple, SPHINCS+-SHAKE-192f-simple, SPHINCS+-SHAKE-192s-simple, SPHINCS+-SHAKE-256f-simple, SPHINCS+-SHAKE-256s-simple
 <!--- OQS_TEMPLATE_FRAGMENT_LIST_SIGS_END -->

docs/algorithms/sig/ml_dsa.md

@@ -4,22 +4,22 @@
 - **Main cryptographic assumption**: hardness of lattice problems over module lattices.
 - **Principal submitters**: Vadim Lyubashevsky.
 - **Auxiliary submitters**: Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Peter Schwabe, Gregor Seiler, Damien Stehlé.
-- **Authors' website**: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/ipd
-- **Specification version**: ML-DSA-ipd.
+- **Authors' website**: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/final
+- **Specification version**: ML-DSA.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/pq-crystals/dilithium/commit/e7bed6258b9a3703ce78d4ec38021c86382ce31c with copy_from_upstream patches
+  - **Source**: https://github.com/pq-crystals/dilithium/commit/444cdcc84eb36b66fe27b3a2529ee48f6d8150c2 with copy_from_upstream patches
   - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
 
 
 ## Parameter set summary
 
 |  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
 |:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
-|  ML-DSA-44-ipd  | ML-DSA-44             | EUF-CMA          |                    2 |                      1312 |                      2560 |                     2420 |
-|  ML-DSA-65-ipd  | ML-DSA-65             | EUF-CMA          |                    3 |                      1952 |                      4032 |                     3309 |
-|  ML-DSA-87-ipd  | ML-DSA-87             | EUF-CMA          |                    5 |                      2592 |                      4896 |                     4627 |
+|    ML-DSA-44    | NA                    | SUF-CMA          |                    2 |                      1312 |                      2560 |                     2420 |
+|    ML-DSA-65    | NA                    | SUF-CMA          |                    3 |                      1952 |                      4032 |                     3309 |
+|    ML-DSA-87    | NA                    | SUF-CMA          |                    5 |                      2592 |                      4896 |                     4627 |
 
-## ML-DSA-44-ipd implementation characteristics
+## ML-DSA-44 implementation characteristics
 
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
@@ -30,7 +30,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
  ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
 
-## ML-DSA-65-ipd implementation characteristics
+## ML-DSA-65 implementation characteristics
 
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
@@ -39,7 +39,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
-## ML-DSA-87-ipd implementation characteristics
+## ML-DSA-87 implementation characteristics
 
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|

docs/algorithms/sig/ml_dsa.yml

@@ -11,18 +11,17 @@ auxiliary-submitters:
 - Gregor Seiler
 - Damien Stehlé
 crypto-assumption: hardness of lattice problems over module lattices
-website: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/ipd
-nist-round: ipd
-spec-version: ML-DSA-ipd
+website: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/final
+nist-round: FIPS204
+spec-version: ML-DSA
 primary-upstream:
-  source: https://github.com/pq-crystals/dilithium/commit/e7bed6258b9a3703ce78d4ec38021c86382ce31c
+  source: https://github.com/pq-crystals/dilithium/commit/444cdcc84eb36b66fe27b3a2529ee48f6d8150c2
     with copy_from_upstream patches
   spdx-license-identifier: CC0-1.0 or Apache-2.0
 parameter-sets:
-- name: ML-DSA-44-ipd
-  alias: ML-DSA-44
+- name: ML-DSA-44
   claimed-nist-level: 2
-  claimed-security: EUF-CMA
+  claimed-security: SUF-CMA
   length-public-key: 1312
   length-secret-key: 2560
   length-signature: 2420
@@ -51,10 +50,9 @@ parameter-sets:
     no-secret-dependent-branching-claimed: true
     no-secret-dependent-branching-checked-by-valgrind: true
     large-stack-usage: false
-- name: ML-DSA-65-ipd
-  alias: ML-DSA-65
+- name: ML-DSA-65
   claimed-nist-level: 3
-  claimed-security: EUF-CMA
+  claimed-security: SUF-CMA
   length-public-key: 1952
   length-secret-key: 4032
   length-signature: 3309
@@ -83,10 +81,9 @@ parameter-sets:
     no-secret-dependent-branching-claimed: true
     no-secret-dependent-branching-checked-by-valgrind: true
     large-stack-usage: false
-- name: ML-DSA-87-ipd
-  alias: ML-DSA-87
+- name: ML-DSA-87
   claimed-nist-level: 5
-  claimed-security: EUF-CMA
+  claimed-security: SUF-CMA
   length-public-key: 2592
   length-secret-key: 4896
   length-signature: 4627

docs/cbom.json

@@ -2,23 +2,23 @@
   "$schema": "https://raw.githubusercontent.com/CycloneDX/specification/1.6/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:679a1c2f-1dd4-4692-b098-1d4dacdfc75d",
+  "serialNumber": "urn:uuid:de1355bb-9681-4a7e-8aa9-0ccc414ebe3b",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-10-01T14:21:06.857613+00:00",
+    "timestamp": "2024-11-05T12:25:53.012740+00:00",
     "component": {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@bf7cbdca1bf2866da22b4b75e04b68baf6707a7b",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@69a80f8a66988521d51e94d716cff8c936c07b8d",
       "name": "liboqs",
-      "version": "bf7cbdca1bf2866da22b4b75e04b68baf6707a7b"
+      "version": "69a80f8a66988521d51e94d716cff8c936c07b8d"
     }
   },
   "components": [
     {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@bf7cbdca1bf2866da22b4b75e04b68baf6707a7b",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@69a80f8a66988521d51e94d716cff8c936c07b8d",
       "name": "liboqs",
-      "version": "bf7cbdca1bf2866da22b4b75e04b68baf6707a7b"
+      "version": "69a80f8a66988521d51e94d716cff8c936c07b8d"
     },
     {
       "type": "cryptographic-asset",
@@ -2502,12 +2502,12 @@
     },
     {
       "type": "cryptographic-asset",
-      "bom-ref": "alg:ML-DSA-44-ipd:generic",
+      "bom-ref": "alg:ML-DSA-44:generic",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "parameterSetIdentifier": "ML-DSA-44-ipd",
+          "parameterSetIdentifier": "ML-DSA-44",
           "primitive": "signature",
           "executionEnvironment": "software-plain-ram",
           "cryptoFunctions": [
@@ -2522,12 +2522,12 @@
     },
     {
       "type": "cryptographic-asset",
-      "bom-ref": "alg:ML-DSA-44-ipd:x86_64",
+      "bom-ref": "alg:ML-DSA-44:x86_64",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "parameterSetIdentifier": "ML-DSA-44-ipd",
+          "parameterSetIdentifier": "ML-DSA-44",
           "primitive": "signature",
           "executionEnvironment": "software-plain-ram",
           "cryptoFunctions": [
@@ -2542,12 +2542,12 @@
     },
     {
       "type": "cryptographic-asset",
-      "bom-ref": "alg:ML-DSA-65-ipd:generic",
+      "bom-ref": "alg:ML-DSA-65:generic",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "parameterSetIdentifier": "ML-DSA-65-ipd",
+          "parameterSetIdentifier": "ML-DSA-65",
           "primitive": "signature",
           "executionEnvironment": "software-plain-ram",
           "cryptoFunctions": [
@@ -2562,12 +2562,12 @@
     },
     {
       "type": "cryptographic-asset",
-      "bom-ref": "alg:ML-DSA-65-ipd:x86_64",
+      "bom-ref": "alg:ML-DSA-65:x86_64",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "parameterSetIdentifier": "ML-DSA-65-ipd",
+          "parameterSetIdentifier": "ML-DSA-65",
           "primitive": "signature",
           "executionEnvironment": "software-plain-ram",
           "cryptoFunctions": [
@@ -2582,12 +2582,12 @@
     },
     {
       "type": "cryptographic-asset",
-      "bom-ref": "alg:ML-DSA-87-ipd:generic",
+      "bom-ref": "alg:ML-DSA-87:generic",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "parameterSetIdentifier": "ML-DSA-87-ipd",
+          "parameterSetIdentifier": "ML-DSA-87",
           "primitive": "signature",
           "executionEnvironment": "software-plain-ram",
           "cryptoFunctions": [
@@ -2602,12 +2602,12 @@
     },
     {
       "type": "cryptographic-asset",
-      "bom-ref": "alg:ML-DSA-87-ipd:x86_64",
+      "bom-ref": "alg:ML-DSA-87:x86_64",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "parameterSetIdentifier": "ML-DSA-87-ipd",
+          "parameterSetIdentifier": "ML-DSA-87",
           "primitive": "signature",
           "executionEnvironment": "software-plain-ram",
           "cryptoFunctions": [
@@ -3127,7 +3127,7 @@
   ],
   "dependencies": [
     {
-      "ref": "pkg:github/open-quantum-safe/liboqs@bf7cbdca1bf2866da22b4b75e04b68baf6707a7b",
+      "ref": "pkg:github/open-quantum-safe/liboqs@69a80f8a66988521d51e94d716cff8c936c07b8d",
       "provides": [
         "alg:BIKE-L1:x86_64",
         "alg:BIKE-L3:x86_64",
@@ -3253,12 +3253,12 @@
         "alg:MAYO-3:x86_64",
         "alg:MAYO-5:generic",
         "alg:MAYO-5:x86_64",
-        "alg:ML-DSA-44-ipd:generic",
-        "alg:ML-DSA-44-ipd:x86_64",
-        "alg:ML-DSA-65-ipd:generic",
-        "alg:ML-DSA-65-ipd:x86_64",
-        "alg:ML-DSA-87-ipd:generic",
-        "alg:ML-DSA-87-ipd:x86_64",
+        "alg:ML-DSA-44:generic",
+        "alg:ML-DSA-44:x86_64",
+        "alg:ML-DSA-65:generic",
+        "alg:ML-DSA-65:x86_64",
+        "alg:ML-DSA-87:generic",
+        "alg:ML-DSA-87:x86_64",
         "alg:SPHINCS+-SHA2-128f-simple:generic",
         "alg:SPHINCS+-SHA2-128f-simple:x86_64",
         "alg:SPHINCS+-SHA2-128s-simple:generic",
@@ -4044,37 +4044,37 @@
       ]
     },
     {
-      "ref": "alg:ML-DSA-44-ipd:generic",
+      "ref": "alg:ML-DSA-44:generic",
       "dependsOn": [
         "alg:sha3"
       ]
     },
     {
-      "ref": "alg:ML-DSA-44-ipd:x86_64",
+      "ref": "alg:ML-DSA-44:x86_64",
       "dependsOn": [
         "alg:sha3"
       ]
     },
     {
-      "ref": "alg:ML-DSA-65-ipd:generic",
+      "ref": "alg:ML-DSA-65:generic",
       "dependsOn": [
         "alg:sha3"
       ]
     },
     {
-      "ref": "alg:ML-DSA-65-ipd:x86_64",
+      "ref": "alg:ML-DSA-65:x86_64",
       "dependsOn": [
         "alg:sha3"
       ]
     },
     {
-      "ref": "alg:ML-DSA-87-ipd:generic",
+      "ref": "alg:ML-DSA-87:generic",
       "dependsOn": [
         "alg:sha3"
       ]
     },
     {
-      "ref": "alg:ML-DSA-87-ipd:x86_64",
+      "ref": "alg:ML-DSA-87:x86_64",
       "dependsOn": [
         "alg:sha3"
       ]