Hi all,
This post will outline one of the changes NIST is planning for FIPS 203, 204, and 205. This change would add a “derandomized” layer to the API; it was briefly introduced at the recent workshop.
In the current drafts of all three FIPS, there are top-level algorithms that generate randomness as an internal step. (By “top-level”, we mean the three main algorithms of the scheme, e.g., KeyGen, Encaps, and Decaps for KEMs.) In FIPS 203, for example, both ML-KEM.KeyGen() and ML-KEM.Encaps(ek) begin by generating random byte strings. This approach has some disadvantages:
The proposed change would alter the internal algorithms of all three FIPS as follows. Roughly speaking, each top-level algorithm would be split into two stages:
Stage 1: Receive INPUT; call the RNG to generate COINS; throw an exception if a failure occurs.
Stage 2: Call a deterministic subroutine with input (INPUT, COINS) and output what the subroutine outputs.
This would be done in such a way that the functionality of the top-level algorithms is identical. (This means that the functionality of the schemes ML-KEM, ML-DSA, and SLH-DSA would not change in any way.) Of course, this change would necessitate adding at least three new algorithms to each FIPS. These new algorithms would specify the deterministic subroutines mentioned in Stage 2 above.
Continuing with FIPS 203 as the example, the new “API” would now look like the below. (Analogous interfaces for ML-DSA and SLH-DSA will be shared in a reply to this post.)
ML-KEM.KeyGen_internal(d, z)
ML-KEM.Encaps_internal(ek, m)
ML-KEM.Decaps_internal(dk, c) // Decaps already deterministic; only added for consistency
ML-KEM.KeyGen() // generate random 32-byte d, z; call KeyGen_internal(d,z)
ML-KEM.Encaps(ek) // generate random 32-byte m; call Encaps_internal(ek, m)
ML-KEM.Decaps(dk, c) // call Decaps_internal(dk, c)
Some points:
Any feedback on the above is most welcome. (Note that a recent post suggests using a single 32-byte seed instead of the two 32-byte seeds d and z above. Please discuss that specific suggestion in that thread, so we can keep this thread on the general topic of derandomization for all three FIPS.)
Best,
Gorjan
(on behalf of NIST PQC group.)
Details for ML-DSA and SLH-DSA:
New ML-DSA interface:
ML-DSA.KeyGen_internal(\xi)
ML-DSA.Sign_internal(sk, M’, rnd )
ML-DSA.Verify_internal(pk, M’, \sigma)
ML-DSA.KeyGen() \\ generate random 32-byte seed, \xi; call ML-DSA.KeyGen_internal(\xi)
ML-DSA.Sign(sk, M, ctx) \\ Either randomly generate a 32 byte random value rnd (default, hedged case) or use a 32-byte all-zeroes string for rnd (deterministic case); Generate M’ from M and ctx; call ML-DSA.Sign_internal(sk, M’, rnd )
HashML-DSA.Sign(sk, M, ctx, PH) \\ Either randomly generate a 32 byte random value rnd (default, hedged case) or use a 32-byte all-zeroes string for rnd (deterministic case); Generate M’ from M, ctx, and PH; call ML-DSA.Sign_internal(sk, M’, rnd )
ML-DSA.Verify(pk, M, \sigma, ctx) \\ Generate M’ from M and ctx; call ML-DSA.Verify_internal (pk, c)
HashML-DSA.Verify(sk, M, ctx, PH) \\ Generate M’ from M, ctx, and PH; call ML-DSA.Verify_internal (pk, M’)
New SLH-DSA interface:
slh_keygen_internal(SK.seed, SK.prf, PK.seed)
slh_sign_internal(M, SK, addrnd) // opt_rand <- addrnd
slh_sign_internal(M, SK) // opt_rand <- PK.seed
sig_verify_internal(M, SIG, PK)
slh_keygen() // generate random SK.seed, SK.pdf, and PK.seed. call slh_keygen_internal(SK.seed, SK.prf, PK.seed)
slh_sign(M, ctx, SK) // optionally generate random addrnd. Construct domain separated message M'. call slh_sign_internal(M', SK, addrnd) or slh_sign_internal(M', SK)
hash_slh_sign(M, ctx, PH, SK) // optionally generate random andrnd. Construct domain separated message M' from PH(M). call slh_sign_internal(M', SK, addrnd) or slh_sign_internal(M', SK)
slh_verify(M, SIG, cts, PK) // Construct domain separated message M'. call sig_verify_internal(M', SIG, PK)
hash_slh_verify(M, SIG, ctx, PH, PK) // Construct domain separated message M' from PH(M). call slh_verify_internal(M', SIG, PK)
// See slide 11 of https://csrc.nist.gov/csrc/media/Presentations/2024/fips-205/images-media/kelsey-fips-205-pqc2024.pdf for illustration of construction of domain separated message M'
Nice to hear! This API change is definitely a move in the right direction.
Considering that the recently-announced CNSA-2.0 does not include SHAKE or SHA-3, would NIST consider using SHA-2-based XOF?
Thanks!
--
V/R,
Uri
From: 'Moody, Dustin (Fed)' via pqc-forum <pqc-...@list.nist.gov>
Date: Friday, April 19, 2024 at 14:06
To: pqc-forum <pqc-...@list.nist.gov>
Subject: [EXT] [pqc-forum] More details on a "derandomized" layer for the API for FIPS 203, 204, and 205
Hi all, This post will outline one of the changes NIST is planning for FIPS 203, 204, and 205. This change would add a “derandomized” layer to the API; it was briefly introduced at the recent workshop. In the current drafts of all three FIPS,
ZjQcmQRYFpfptBannerStart
|
ZjQcmQRYFpfptBannerEnd
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/SA1PR09MB86698E602A2BD77A095475B9E50D2%40SA1PR09MB8669.namprd09.prod.outlook.com.