A technical note on FIPS 204 ML-DSA


Bo Lin

Feb 8, 2026, 3:29:25 PM
to pqc-forum
I wrote a technical note explaining the FIPS 204 ML-DSA specification. It came out of several presentations I gave going through the standard. One challenge that I've noticed is that although there are many materials explaining lattice-based PQC in the literature, it can be a bit overwhelming to read the standard directly.
I hope this technical note can help those who study the FIPS 204 ML-DSA specification, and I also welcome any comments on this technical note so that I can update it accordingly.

devi prasad

Feb 10, 2026, 11:36:09 AM
to Bo Lin, pqc-forum
I strongly believe that your work in this direction is really useful and meaningful to many like me.
I think I would like to use your insights and the expository text in my own work which I'm trying to summarize below.

I have been trying to do something along these lines for both ML-KEM and ML-DSA. I keep struggling to connect all the dots and pieces. I'm neither a cryptographer nor a mathematician.

I have made a few diagrams myself with ML-DSA - all work in progress, and so unpolished and likely inaccurate in a few places. These are hand-drawn waiting to be translated into neater lines-boxes-arrows diagrams.
(1) This diagram attempts to capture the Fiat-Shamir-with-Aborts idea: https://github.com/DeviPrasad/learn-ml-dsa/blob/main/course/images/ml-dsa-sign-scheme-details.jpg
(3) Since I had trouble imagining how NTTs work, I ended up with a smaller-degree polynomial ring: https://github.com/DeviPrasad/learn-ml-dsa/blob/main/course/images/factors-of-reduct-poly.png

I have written "very simple, down to earth, easy to explain and easy to understand" Rust code for the KeyGen and Sign functions. Please note these two functions pass all KATs supplied by NIST and other sources.
The source code for ML-DSA signing mentions line numbers of the ML-DSA (FIPS 204) algorithm: https://github.com/DeviPrasad/learn-ml-dsa/blob/main/src/sign.rs#L52
My intent is to make it easy for teaching and learning this important signature scheme.

In addition, I have started a simple "Annotated ML-DSA" work in which I re-narrate the algorithms of ML-DSA (and ML-KEM) by re-writing the entire algorithms. I use LaTeX to reproduce a "NIST-style" document :)
Scroll to page 6 (the last page of the document in the making) to see annotations and type hints on the signature algorithms.

Thank you!
Devi Prasad

Kris Kwiatkowski

Feb 17, 2026, 5:46:30 PM
to pqc-forum, devi prasad, pqc-forum, Bo Lin
FWIW: I've this one if it helps
https://github.com/kriskwiatkowski/mldsa-edu
It's also in Rust, it's supposed to be very simple, passes all KAT tests, but has no security (not constant-time etc).

Roderick Chapman

Feb 19, 2026, 4:05:36 AM
to pqc-...@list.nist.gov

...and similarly for ML-KEM:

 https://github.com/awslabs/LibMLKEM/tree/main/spark_ada

That's mainly intended as an experiment in formal verification and as an educational vehicle. If you want to see the real, verified, optimized code that we're running in production, then look at:

 https://github.com/pq-code-package/mlkem-native

All the best,

 Rod

Kris Kwiatkowski

Feb 20, 2026, 10:33:12 AM
to pqc-forum, Roderick Chapman
One more ML-KEM implementation (simplistic, Rust-based)
https://github.com/kriskwiatkowski/mlkem-edu

Bo Lin

Feb 21, 2026, 7:15:57 AM
to devi prasad, 'Moody, Dustin (Fed)' via pqc-forum
Thanks, Devi. Glad it's helpful.

Other community members also replied to you. That's very nice. Their implementations will be very helpful.

If you want to implement the standard in your own way, this document will provide you with all the intermediate values to help you debug your code. Self-implemented code is always useful, not only to help you gain a deep understanding of the specification, but also to enable you to implement various cryptanalysis tools, for which intermediate values in a designated form are often required.

Best regards,

Bo LIN