Dear all,
We have a performant, masked ML-DSA implementation for ACC that we would like to contribute to Pavona. It was developed in parallel with the masked ML-KEM work we posted two weeks ago and follows the same overall design. We've opened a draft pull request for initial review and would appreciate feedback from the community:
https://github.com/pavona/pavona/pull/261

The implementation adds first-order DPA protection to ML-DSA-44, -65, and -87 signing and key generation and closely follows our ML-KEM implementation, i.e., it uses ACC's pre-existing first-order masked Keccak hardware and everything else is implemented in software. The overhead compared to the unprotected ML-DSA implementation ranges from 2.4 to 2.8× for key generation and 3.6 to 4.1× for signing. Everything fits within the 32 KB of DMEM available in the default ACC post-quantum configuration. A more detailed technical description is available here:
https://www.zerorisc.com/blog/hardened-pqc-on-pavona-part-ii-masking-ml-dsa

We invite feedback from the community on the prototype implementation while we continue to work on improving the implementation. We plan to upstream this implementation together with the hardened ML-KEM in the coming weeks after restructuring the implementation to align with the other ACC code, consolidating the documentation with the ML-KEM implementation, extending the testing, and addressing any feedback we receive in the meantime.
Kind regards,
Matthias