Expand Up @@ -473,23 +473,67 @@ private static CompositeMLDsaAlgorithm CreateECDsa(
// publicKey [1] BIT STRING OPTIONAL
// }

// version

int versionSizeInBytes =
1 + // Tag for INTEGER
1 + // Length field
1; // Value (always 1)

// privateKey

int privateKeySizeInBytes =
1 + // Tag for OCTET STRING
GetDerLengthLength(keySizeInBytes) + // Length field
keySizeInBytes; // Value

// parameters and publicKey must be omitted for Composite ML-DSA
// parameters

int namedCurveSizeInBytes =
oid switch
{
Oids.MLDsa44WithECDsaP256PreHashSha256 or
Oids.MLDsa65WithECDsaP256PreHashSha512 =>
// 1.2.840.10045.3.1.7
// 06 08 2A 86 48 CE 3D 03 01 07
10,
Oids.MLDsa65WithECDsaP384PreHashSha512 or
Oids.MLDsa87WithECDsaP384PreHashSha512 =>
// 1.3.132.0.34
// 06 05 2B 81 04 00 22
7,
Oids.MLDsa87WithECDsaP521PreHashSha512 =>
// 1.3.132.0.35
// 06 05 2B 81 04 00 23
7,
Oids.MLDsa65WithECDsaBrainpoolP256r1PreHashSha512 =>
// 1.3.36.3.3.2.8.1.1.7
// 06 09 2B 24 03 03 02 08 01 01 07
11,
Oids.MLDsa87WithECDsaBrainpoolP384r1PreHashSha512 =>
// 1.3.36.3.3.2.8.1.1.11
// 06 09 2B 24 03 03 02 08 01 01 0B
11,
_ => AssertAndThrow(oid),
};

static int AssertAndThrow(string oid)
{
Debug.Fail($"Unsupported OID: {oid}.");
throw new CryptographicException();
}

int parametersSizeInBytes =
1 + // Context-specific tag for [0]
GetDerLengthLength(namedCurveSizeInBytes) + // Length field
namedCurveSizeInBytes; // Value

// publicKey must be omitted for Composite ML-DSA

int ecPrivateKeySizeInBytes =
1 + // Tag for SEQUENCE
GetDerLengthLength(versionSizeInBytes + privateKeySizeInBytes) + // Length field
versionSizeInBytes + // Version
privateKeySizeInBytes;
1 + // Tag for SEQUENCE
GetDerLengthLength(versionSizeInBytes + privateKeySizeInBytes + parametersSizeInBytes) + // Length field
versionSizeInBytes + privateKeySizeInBytes + parametersSizeInBytes; // Value

return new CompositeMLDsaAlgorithm(
name,
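Review bot: The `namedCurveSizeInBytes` switch hard-codes the DER length of each curve OID (10, 7, 11) keyed on the composite algorithm OID, while the curve that is written on export comes from `_algorithm.CurveOidValue` in the ECDsa component, so the size estimate and the encoded value live in two separate tables. Nothing visible here ties a literal to the OID that is actually encoded, so a later curve or mapping change could leave `ecPrivateKeySizeInBytes` out of step with the real encoding. Consider a test (or a `Debug.Assert`) that encodes each curve OID and compares its length with this switch, and a comment such as `// Must stay in sync with the curve OID written into the ECPrivateKey parameters field.` CreateECDsa starts and ends outside the lines shown.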
Expand Up @@ -72,12 +72,17 @@ public static unsafe ECDsaComponent ImportPrivateKey(ECDsaAlgorithm algorithm, R
ECPrivateKey ecPrivateKey = ECPrivateKey.Decode(manager.Memory, AsnEncodingRules.BER);

if (ecPrivateKey.Version != 1 ||
ecPrivateKey.Parameters is not null ||
ecPrivateKey.PublicKey is not null)
{
throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
}

if (ecPrivateKey.Parameters?.Named != algorithm.CurveOidValue)
{
// The curve specified must be named and match the required curve for the Composite ML-DSA algorithm.
throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
}

byte[] d = new byte[ecPrivateKey.PrivateKey.Length];

using (PinAndClear.Track(d))
Expand Down Expand Up @@ -206,7 +211,7 @@ internal override bool TryExportPrivateKey(Span<byte> destination, out int bytes

try
{
WriteKey(ecParameters.D, writer);
WriteKey(ecParameters.D, _algorithm.CurveOidValue, writer);
return writer.TryEncode(destination, out bytesWritten);
}
finally
Expand Down Expand Up @@ -239,7 +244,7 @@ internal override bool TryExportPrivateKey(Span<byte> destination, out int bytes
throw new CryptographicException();
}

WriteKey(d, writer);
WriteKey(d, _algorithm.CurveOidValue, writer);
return true;
});
});
Expand All @@ -252,7 +257,7 @@ internal override bool TryExportPrivateKey(Span<byte> destination, out int bytes
}
#endif

static void WriteKey(byte[] d, AsnWriter writer)
static void WriteKey(byte[] d, string curveOid, AsnWriter writer)
{
// ECPrivateKey
using (writer.PushSequence())
Expand All @@ -262,6 +267,12 @@ static void WriteKey(byte[] d, AsnWriter writer)

// privateKey
writer.WriteOctetString(d);

// parameters
using (writer.PushSequence(new Asn1Tag(TagClass.ContextSpecific, 0, isConstructed: true)))
{
writer.WriteObjectIdentifier(curveOid);
}
}
}
}
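Review bot: In ImportPrivateKey the new check `ecPrivateKey.Parameters?.Named != algorithm.CurveOidValue` rejects absent parameters, and presumably explicitly specified (non-named) curves, only implicitly, through the null-conditional producing null. Accepting nothing but the expected named curve is the right behaviour at a key-import boundary, but it depends on `algorithm.CurveOidValue` never being null; if it could be, a key with no parameters would compare equal and pass. Consider saying so in the comment, e.g. `// Absent or non-named parameters yield null here and are rejected; CurveOidValue is expected to be non-null.`, or adding `Debug.Assert(algorithm.CurveOidValue is not null);` before the comparison. ImportPrivateKey and TryExportPrivateKey both extend beyond the lines shown.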
Expand Up @@ -62,7 +62,7 @@ internal static CompositeMLDsa GenerateKeyImpl(CompositeMLDsaAlgorithm algorithm

AlgorithmMetadata metadata = s_algorithmMetadata[algorithm];

// draft-ietf-lamps-pq-composite-sigs-08, 4.1
// draft-ietf-lamps-pq-composite-sigs-12, 4.1
// 1. Generate component keys
//
// mldsaSeed = Random(32)
Expand Down Expand Up @@ -115,7 +115,7 @@ internal static CompositeMLDsa ImportCompositeMLDsaPublicKeyImpl(CompositeMLDsaA

AlgorithmMetadata metadata = s_algorithmMetadata[algorithm];

// draft-ietf-lamps-pq-composite-sigs-08, 5.1
// draft-ietf-lamps-pq-composite-sigs-12, 5.1
// 1. Parse each constituent encoded public key.
// The length of the mldsaKey is known based on the
// size of the ML-DSA component key length specified
Expand Down Expand Up @@ -167,7 +167,7 @@ internal static CompositeMLDsa ImportCompositeMLDsaPrivateKeyImpl(CompositeMLDsa

AlgorithmMetadata metadata = s_algorithmMetadata[algorithm];

// draft-ietf-lamps-pq-composite-sigs-08, 5.2
// draft-ietf-lamps-pq-composite-sigs-12, 5.2
// 1. Parse each constituent encoded key.
//
// mldsaSeed = bytes[:32]
Expand Down Expand Up @@ -203,7 +203,7 @@ static CryptographicException FailAndGetException()

protected override int SignDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> context, Span<byte> destination)
{
// draft-ietf-lamps-pq-composite-sigs-08, 4.2
// draft-ietf-lamps-pq-composite-sigs-12, 4.2
// 1. If len(ctx) > 255:
// return error

Expand Down Expand Up @@ -287,7 +287,7 @@ protected override int SignDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte>

protected override bool VerifyDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> context, ReadOnlySpan<byte> signature)
{
// draft-ietf-lamps-pq-composite-sigs-08, 4.3
// draft-ietf-lamps-pq-composite-sigs-12, 4.3
// 1. If len(ctx) > 255
// return error

Expand Down Expand Up @@ -375,7 +375,7 @@ protected override bool TryExportPkcs8PrivateKeyCore(Span<byte> destination, out

protected override int ExportCompositeMLDsaPublicKeyCore(Span<byte> destination)
{
// draft-ietf-lamps-pq-composite-sigs-08, 5.1
// draft-ietf-lamps-pq-composite-sigs-12, 5.1
// 1. Combine and output the encoded public key
//
// output mldsaPK || tradPK
Expand All @@ -397,7 +397,7 @@ protected override int ExportCompositeMLDsaPublicKeyCore(Span<byte> destination)

protected override int ExportCompositeMLDsaPrivateKeyCore(Span<byte> destination)
{
// draft-ietf-lamps-pq-composite-sigs-08, 5.2
// draft-ietf-lamps-pq-composite-sigs-12, 5.2
// 1. Combine and output the encoded private key.
//
// output mldsaSeed || tradSK
Expand Down Expand Up @@ -626,23 +626,23 @@ private static Dictionary<CompositeMLDsaAlgorithm, AlgorithmMetadata> CreateAlgo
new AlgorithmMetadata(
MLDsaAlgorithm.MLDsa65,
ECDsaAlgorithm.CreateP256(HashAlgorithmName.SHA256),
[.."COMPSIG-MLDSA65-P256-SHA512"u8],
[.."COMPSIG-MLDSA65-ECDSA-P256-SHA512"u8],
HashAlgorithmName.SHA512)
},
{
CompositeMLDsaAlgorithm.MLDsa65WithECDsaP384,
new AlgorithmMetadata(
MLDsaAlgorithm.MLDsa65,
ECDsaAlgorithm.CreateP384(HashAlgorithmName.SHA384),
[.."COMPSIG-MLDSA65-P384-SHA512"u8],
[.."COMPSIG-MLDSA65-ECDSA-P384-SHA512"u8],
HashAlgorithmName.SHA512)
},
{
CompositeMLDsaAlgorithm.MLDsa65WithECDsaBrainpoolP256r1,
new AlgorithmMetadata(
MLDsaAlgorithm.MLDsa65,
ECDsaAlgorithm.CreateBrainpoolP256r1(HashAlgorithmName.SHA256),
[.."COMPSIG-MLDSA65-BP256-SHA512"u8],
[.."COMPSIG-MLDSA65-ECDSA-BP256-SHA512"u8],
HashAlgorithmName.SHA512)
},
{
Expand All @@ -658,15 +658,15 @@ private static Dictionary<CompositeMLDsaAlgorithm, AlgorithmMetadata> CreateAlgo
new AlgorithmMetadata(
MLDsaAlgorithm.MLDsa87,
ECDsaAlgorithm.CreateP384(HashAlgorithmName.SHA384),
[.."COMPSIG-MLDSA87-P384-SHA512"u8],
[.."COMPSIG-MLDSA87-ECDSA-P384-SHA512"u8],
HashAlgorithmName.SHA512)
},
{
CompositeMLDsaAlgorithm.MLDsa87WithECDsaBrainpoolP384r1,
new AlgorithmMetadata(
MLDsaAlgorithm.MLDsa87,
ECDsaAlgorithm.CreateBrainpoolP384r1(HashAlgorithmName.SHA384),
[.."COMPSIG-MLDSA87-BP384-SHA512"u8],
[.."COMPSIG-MLDSA87-ECDSA-BP384-SHA512"u8],
HashAlgorithmName.SHA512)
},
{
Expand Down Expand Up @@ -698,7 +698,7 @@ private static Dictionary<CompositeMLDsaAlgorithm, AlgorithmMetadata> CreateAlgo
new AlgorithmMetadata(
MLDsaAlgorithm.MLDsa87,
ECDsaAlgorithm.CreateP521(HashAlgorithmName.SHA512),
[.."COMPSIG-MLDSA87-P521-SHA512"u8],
[.."COMPSIG-MLDSA87-ECDSA-P521-SHA512"u8],
HashAlgorithmName.SHA512)
}
};
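Review bot: In CreateAlgorithmMetadata the entries pair an ECDSA component hash (`HashAlgorithmName.SHA256` for P-256, `SHA384` for P-384) with a label and final argument that both say SHA512, which reads like a mismatch on first pass. If the last argument is the composite pre-hash and the first is the hash used inside the ECDSA component, a short comment would prevent a well-meant "fix", e.g. `// Label and last argument name the pre-hash; the ECDSA component keeps its own hash.` Because the renamed label bytes appear to serve as a per-algorithm separator, a test that pins each label against known-answer vectors for the referenced draft would catch a typo that would otherwise surface only as an interoperability failure. The dictionary initializer starts and ends outside the hunks shown.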
36 changes: 18 additions & 18 deletions src/libraries/Common/src/System/Security/Cryptography/Oids.cs
Expand Up @@ -135,24 +135,24 @@ internal static partial class Oids
internal const string Mgf1 = "1.2.840.113549.1.1.8";
internal const string PSpecified = "1.2.840.113549.1.1.9";

internal const string MLDsa44WithRSA2048PssPreHashSha256 = "2.16.840.1.114027.80.9.1.20";
internal const string MLDsa44WithRSA2048Pkcs15PreHashSha256 = "2.16.840.1.114027.80.9.1.21";
internal const string MLDsa44WithEd25519PreHashSha512 = "2.16.840.1.114027.80.9.1.22";
internal const string MLDsa44WithECDsaP256PreHashSha256 = "2.16.840.1.114027.80.9.1.23";
internal const string MLDsa65WithRSA3072PssPreHashSha512 = "2.16.840.1.114027.80.9.1.24";
internal const string MLDsa65WithRSA3072Pkcs15PreHashSha512 = "2.16.840.1.114027.80.9.1.25";
internal const string MLDsa65WithRSA4096PssPreHashSha512 = "2.16.840.1.114027.80.9.1.26";
internal const string MLDsa65WithRSA4096Pkcs15PreHashSha512 = "2.16.840.1.114027.80.9.1.27";
internal const string MLDsa65WithECDsaP256PreHashSha512 = "2.16.840.1.114027.80.9.1.28";
internal const string MLDsa65WithECDsaP384PreHashSha512 = "2.16.840.1.114027.80.9.1.29";
internal const string MLDsa65WithECDsaBrainpoolP256r1PreHashSha512 = "2.16.840.1.114027.80.9.1.30";
internal const string MLDsa65WithEd25519PreHashSha512 = "2.16.840.1.114027.80.9.1.31";
internal const string MLDsa87WithECDsaP384PreHashSha512 = "2.16.840.1.114027.80.9.1.32";
internal const string MLDsa87WithECDsaBrainpoolP384r1PreHashSha512 = "2.16.840.1.114027.80.9.1.33";
internal const string MLDsa87WithEd448PreHashShake256_512 = "2.16.840.1.114027.80.9.1.34";
internal const string MLDsa87WithRSA3072PssPreHashSha512 = "2.16.840.1.114027.80.9.1.35";
internal const string MLDsa87WithRSA4096PssPreHashSha512 = "2.16.840.1.114027.80.9.1.36";
internal const string MLDsa87WithECDsaP521PreHashSha512 = "2.16.840.1.114027.80.9.1.37";
internal const string MLDsa44WithRSA2048PssPreHashSha256 = "1.3.6.1.5.5.7.6.37";
internal const string MLDsa44WithRSA2048Pkcs15PreHashSha256 = "1.3.6.1.5.5.7.6.38";
internal const string MLDsa44WithEd25519PreHashSha512 = "1.3.6.1.5.5.7.6.39";
internal const string MLDsa44WithECDsaP256PreHashSha256 = "1.3.6.1.5.5.7.6.40";
internal const string MLDsa65WithRSA3072PssPreHashSha512 = "1.3.6.1.5.5.7.6.41";
internal const string MLDsa65WithRSA3072Pkcs15PreHashSha512 = "1.3.6.1.5.5.7.6.42";
internal const string MLDsa65WithRSA4096PssPreHashSha512 = "1.3.6.1.5.5.7.6.43";
internal const string MLDsa65WithRSA4096Pkcs15PreHashSha512 = "1.3.6.1.5.5.7.6.44";
internal const string MLDsa65WithECDsaP256PreHashSha512 = "1.3.6.1.5.5.7.6.45";
internal const string MLDsa65WithECDsaP384PreHashSha512 = "1.3.6.1.5.5.7.6.46";
internal const string MLDsa65WithECDsaBrainpoolP256r1PreHashSha512 = "1.3.6.1.5.5.7.6.47";
internal const string MLDsa65WithEd25519PreHashSha512 = "1.3.6.1.5.5.7.6.48";
internal const string MLDsa87WithECDsaP384PreHashSha512 = "1.3.6.1.5.5.7.6.49";
internal const string MLDsa87WithECDsaBrainpoolP384r1PreHashSha512 = "1.3.6.1.5.5.7.6.50";
internal const string MLDsa87WithEd448PreHashShake256_512 = "1.3.6.1.5.5.7.6.51";
internal const string MLDsa87WithRSA3072PssPreHashSha512 = "1.3.6.1.5.5.7.6.52";
internal const string MLDsa87WithRSA4096PssPreHashSha512 = "1.3.6.1.5.5.7.6.53";
internal const string MLDsa87WithECDsaP521PreHashSha512 = "1.3.6.1.5.5.7.6.54";

// PKCS#7
internal const string NoSignature = "1.3.6.1.5.5.7.6.2";
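Review bot: The eighteen composite ML-DSA constants in Oids.cs appear to move from the `2.16.840.1.114027.80.9.1.*` arc to `1.3.6.1.5.5.7.6.37` through `.54`, with no comment recording where the new values come from. A one-line comment above the block, e.g. `// Composite ML-DSA OIDs per draft-ietf-lamps-pq-composite-sigs (confirm draft revision)`, would make the next revision easier to audit. Data tagged with the previous identifiers will presumably no longer be recognized; if that is intended, it is worth stating in the change description.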