ML-DSA: integrate final standard

[bhess]

The final standards were published today: FIPS203 and FIPS204.

This is to track the integration of the updated algorithms.

I'd suggest the following steps:

• Pull update from pq-crystals upstream once available
• The current ML-DSA-ipd/ML-KEM-ipd implementations would be dropped
• Integrate test vectors from NIST ACVP repository

update (Aug 22):

• pq-crystals/kyber upstream has been updated
• ML-KEM / ML-DSA OIDs have been published
• ACVP repository has been updated
• Add ML-KEM / FIPS203 final #1899 integrates ML-KEM and ACVP vectors

Update (Aug 27):
ML-KEM landed in main, remaining is ML-DSA integration

Update (Sep 5):
ML-DSA is available upstream: https://github.com/pq-crystals/dilithium

[baentsch]

On item1, any timeline as to when upstream will make them available? Would it make sense to do 0.11.0 (or maybe finally a 1.0.0!) after they landed?

[bhess]

The information I got is that the pq-crystals team looks at updating the implementation later this month.

[tomato42]

The NIST ACVP repository hasn't been updated with new vectors. Do you know when will that happen?

[bhess]

The NIST ACVP repository hasn't been updated with new vectors. Do you know when will that happen?

According to this message on the pqc-forum, a fixed version should be released today.

[dstebila]

Tying into Roadmap discussion

[obronchain]

Hi all,

Also according to this message on the pqc-forum, the CAVP will also integrate all the external API (around october 2024 ?).

I would be very useful if LibOqs could support also all these APIs and are compatible will all the KATs.

[bhenning10]

It looks like pq-crystals merged changes to support the final spec.
pq-crystals/dilithium@cf998be

[abhinav-thales]

It looks like pq-crystals merged changes to support the final spec. pq-crystals/dilithium@cf998be

IMO these changes are not compatible with the ACVP vectors. The vectors are based on 'internal' API's as per FIPS204 and not the high level API's.

Also refer comment from author here : pq-crystals/dilithium#88 (comment)

[dstebila]

I don't think this has been completed?

[bhess]

Planning a draft PR later today.
There will still be some open points for a full integration: access to the 'internal' API to be able to run the ACVP vectors (planned upstream: pq-crystals/dilithium#88 (comment)), and adding ACVP vectors for the 'external' API (planned by NIST as outlined by @obronchain above).

[baentsch]

Why did you close this @planetf1 ? #1919 didn't land afaik.

[planetf1]

@baentsch Sincere apologies. My error when scrolling through the project on a touch screen. Unintentional, should reopen. Thanks for spotting.

[baentsch]

Again incorrectly closed.

[johngray-dev]

I was wondering if you are planning to support the context string for ML-DSA when you release version 12.0 officially? I took a look at your code, and it looks like the context String is supported internally, but not in your external API. In our latest composite signatures draft https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/03/ we actually need to make use of the ML-DSA context String to give the draft stronger security properties. If it will not be in the upcoming version 12.0, is there a timeline for ML-DSA context String support to be added? The composite signatures implementation in the oqs provider by my colleague Felipe Ventura won't be able to be updated to the latest draft until ML-DSA officially supports the context String.

[bhess]

Hi @johngray-dev, yes I'll update PR #1919 soon with a proposed API that supports providing the context string.