Hi,
While commenting on the Composite ML-DSA draft [1], I looked at what FIPS 204 says about seed, input, output, external functions, and internal functions. I think it would be good if NIST added a row in the FIPS 204 Errata (potential updates) [2] to clarify things.
---
FIPS 204 specifies the external function
(pk, sk) = ML-DSA.KeyGen()
and the internal function
(pk, sk) = ML-DSA.KeyGen_internal(𝜉)
and states:
"The seed 𝜉 generated in step 1 of ML-DSA.KeyGen can be stored for the purpose of later expansion using ML-DSA.KeyGen_internal."
"Other than for testing purposes, the interfaces for key generation and signature generation specified in this section should not be made available to applications."
"Therefore, implementations of ML-DSA shall ensure that any potentially sensitive intermediate data is destroyed as soon as it is no longer needed."
---
At least in the IETF, storing the seed 𝜉 is clearly the preferred way to implement ML-DSA. However, it is unclear how NIST thinks this should be implemented:
- Should ML-DSA.KeyGen_internal(𝜉) be made external, or should there be a new, separate external function (pk, sk) = ML-DSA.KeyGen2(𝜉)? I don’t see any problem with making ML-DSA.KeyGen_internal(𝜉) external.
- The current text (can store the seed, shall destroy, internal should not be made available) could be read as FIPS 204 discouraging the use of the seed, which at least is not aligned with the IETF.
Cheers,
John
[1] https://mailarchive.ietf.org/arch/msg/spasm/8-S68UybQoSfi9T4Xp1SboZWp7Y/
[2] https://csrc.nist.gov/files/pubs/fips/204/final/docs/fips-204-potential-updates.xlsx