Bring up to date with FIPS 205#69

Open

bwesterb wants to merge 20 commits into master from bas/fips205

Conversation

@bwesterb
Contributor

Brings up to date with FIPS 205 and checks against ACVP.

Subsumes #51

bwesterb and others added 20 commits April 15, 2024 18:32
Expose crypto_sign_signature_derand() which takes an explicit SPX_N-byte
addrnd in place of the internal randombytes() draw. The existing
crypto_sign_signature() now forwards to it. Behaviour is unchanged for
existing callers.

Builds the regular SOURCES with -fPIC -shared so the resulting shared
library can be loaded via cffi or ctypes for testing harnesses.

acvp.py builds <impl>/libspx.so per (impl, parameter-set), loads it via
cffi, and exercises the keyGen, sigGen, and sigVer ACVP test vectors in
./acvp/. Builds run serially per impl (matching vectors.py); the test
phase runs in parallel via multiprocessing.

Internal-interface ACVP groups map onto crypto_sign_seed_keypair,
crypto_sign_signature_derand, and crypto_sign_verify and pass today.
External and pre-hash groups are recorded as expected-fail until the
FIPS-205 message prefix (context string + domain-separator byte, plus
OID for HashSLH-DSA) is implemented.

FIPS-205 standardises SLH-DSA with SHA2 and SHAKE only. Remove the
Haraka hash family entirely: the haraka-aesni/ implementation tree, ref's
haraka sources and parameter sets, the SPX_HARAKA context block, the
GitHub workflow, and all haraka references in vectors.py, benchmark.py,
SHA256SUMS, and README.

FIPS-205 standardises only the "simple" tweakable hash construction.
Remove the robust thash source files, the THASH Makefile variable, the
thash matrix axis in the GitHub workflows, the robust entries in
SHA256SUMS, and the robust handling in vectors.py / benchmark.py /
acvp.py / README. The -simple suffix in NIST-KAT instance names is
retained for backwards compatibility with existing SHA256SUMS entries.

Public crypto_sign_signature / crypto_sign_verify / crypto_sign /
crypto_sign_open now take an explicit context string (ctx, ctxlen, with
ctxlen <= 255), prepending the FIPS-205 prefix (0x00 || |ctx| || ctx)
to the message. The pre-existing entry points are renamed to
crypto_sign_signature_internal / crypto_sign_verify_internal and accept
a raw (pre, prelen) prefix.

In-tree callers and the ACVP harness are updated; external-pure
sigGen/sigVer ACVP groups now pass. HashSLH-DSA (preHash) is still
unimplemented and marked xfail.

- acvp.py: default -j to multiprocessing.cpu_count()
- Add .github/workflows/test-acvp.yml that runs the ref impl
  through the ACVP harness on every push/PR

Add crypto_sign_signature_prehash{,_derand} and crypto_sign_verify_prehash
that accept a pre-hashed message and the DER-encoded OID of the pre-hash
function, build the FIPS-205 prefix (0x01 || |ctx| || ctx || OID), and
delegate to the corresponding _internal entry points.

The ACVP harness pre-hashes messages in Python for the twelve standard
hashAlgs (SHA-2, SHA-3, SHAKE families) and exercises the new API. All
ACVP groups now pass; no remaining xfails.
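The two commits above describe the FIPS 205 message encoding that the new context-string and pre-hash entry points build: pure mode prepends 0x00 || |ctx| || ctx to M, and HashSLH-DSA prepends 0x01 || |ctx| || ctx || OID to PH(M). The following is an added example, not code from the sphincsplus repository or its ACVP harness: it builds both forms in Python for the twelve pre-hash functions (OID table taken from FIPS 205 Section 10.2.2, with SHAKE128 at 256-bit and SHAKE256 at 512-bit output), enforces ctxlen <= 255, and parses an encoded M' back, rejecting an unknown OID or a digest whose length does not match the named hash. The function names (`pure_message`, `prehash_message`, `parse_message`, `prehash_oid`) and the sample inputs are this example's own.

```python
import hashlib

MAX_CTX_LEN = 255  # |ctx| is encoded in a single byte, so ctxlen <= 255

# DER encoding of the NIST hash-algorithm arc 2.16.840.1.101.3.4.2 without its
# final arc; each approved pre-hash OID is this prefix plus one byte
# (FIPS 205 Section 10.2.2).
_OID_PREFIX = bytes.fromhex("06096086480165030402")

# name -> (final OID byte, callable computing PH(M)).
# SHAKE128 is used with 256-bit output and SHAKE256 with 512-bit output.
PREHASH_FUNCTIONS = {
    "SHA2-224":     (0x04, lambda m: hashlib.sha224(m).digest()),
    "SHA2-256":     (0x01, lambda m: hashlib.sha256(m).digest()),
    "SHA2-384":     (0x02, lambda m: hashlib.sha384(m).digest()),
    "SHA2-512":     (0x03, lambda m: hashlib.sha512(m).digest()),
    "SHA2-512/224": (0x05, lambda m: hashlib.new("sha512_224", m).digest()),
    "SHA2-512/256": (0x06, lambda m: hashlib.new("sha512_256", m).digest()),
    "SHA3-224":     (0x07, lambda m: hashlib.sha3_224(m).digest()),
    "SHA3-256":     (0x08, lambda m: hashlib.sha3_256(m).digest()),
    "SHA3-384":     (0x09, lambda m: hashlib.sha3_384(m).digest()),
    "SHA3-512":     (0x0A, lambda m: hashlib.sha3_512(m).digest()),
    "SHAKE-128":    (0x0B, lambda m: hashlib.shake_128(m).digest(32)),
    "SHAKE-256":    (0x0C, lambda m: hashlib.shake_256(m).digest(64)),
}


def _check_ctx(ctx: bytes) -> None:
    if len(ctx) > MAX_CTX_LEN:
        raise ValueError(f"context string too long: {len(ctx)} > {MAX_CTX_LEN}")


def prehash_oid(hash_name: str) -> bytes:
    """DER-encoded OID of the named pre-hash function."""
    final_byte, _ = PREHASH_FUNCTIONS[hash_name]
    return _OID_PREFIX + bytes([final_byte])


def pure_message(msg: bytes, ctx: bytes = b"") -> bytes:
    """M' for pure SLH-DSA: 0x00 || |ctx| || ctx || M."""
    _check_ctx(ctx)
    return bytes([0x00, len(ctx)]) + ctx + msg


def prehash_message(msg: bytes, hash_name: str, ctx: bytes = b"") -> bytes:
    """M' for HashSLH-DSA: 0x01 || |ctx| || ctx || OID || PH(M)."""
    _check_ctx(ctx)
    _, ph = PREHASH_FUNCTIONS[hash_name]
    return bytes([0x01, len(ctx)]) + ctx + prehash_oid(hash_name) + ph(msg)


def parse_message(mprime: bytes):
    """Split M' back into (mode, ctx, hash_name, payload).

    mode is 0x00 (payload is M, hash_name is None) or 0x01 (payload is PH(M)).
    Raises ValueError on a malformed prefix, an unknown OID, or a digest whose
    length does not match the hash function the OID names.
    """
    if len(mprime) < 2:
        raise ValueError("M' shorter than the two-byte header")
    mode, ctxlen = mprime[0], mprime[1]
    if mode not in (0x00, 0x01):
        raise ValueError(f"unknown domain-separator byte {mode:#04x}")
    if len(mprime) < 2 + ctxlen:
        raise ValueError("ctx length byte exceeds available bytes")
    ctx, rest = mprime[2:2 + ctxlen], mprime[2 + ctxlen:]
    if mode == 0x00:
        return mode, ctx, None, rest
    if len(rest) < 2 or rest[0] != 0x06 or len(rest) < 2 + rest[1]:
        raise ValueError("pre-hash mode requires a DER OID after ctx")
    oid, payload = rest[:2 + rest[1]], rest[2 + rest[1]:]
    for name, (_, ph) in PREHASH_FUNCTIONS.items():
        if prehash_oid(name) == oid:
            if len(payload) != len(ph(b"")):
                raise ValueError(f"digest length {len(payload)} does not match {name}")
            return mode, ctx, name, payload
    raise ValueError(f"OID {oid.hex()} is not an approved pre-hash function")


if __name__ == "__main__":
    # Constructed sample inputs, not ACVP vectors.
    print(pure_message(b"abc").hex())
    print(prehash_message(b"abc", "SHA2-256", ctx=b"app").hex())
    print(parse_message(prehash_message(b"abc", "SHAKE-256")))
```

The leading domain-separator byte is what keeps a pure signature over a message that happens to start with an OID from being accepted as a HashSLH-DSA signature and vice versa; the digest-length check in `parse_message` is the verifier-side caveat, since a DER OID alone says nothing about how many bytes follow it.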
The FIPS-205 message prefix (0x00 || |ctx| || ctx, with empty ctx for
PQCgenKAT_sign) changes the bytes fed to the message hash, so every
PQCsignKAT_*.rsp digest differs from the pre-FIPS-205 baseline.

Note that SPHINCS+ has been standardised as SLH-DSA in FIPS-205. Add a
short section listing the public C entry points, the new context-string
arguments, the HashSLH-DSA variants, and the internal cores. Link to
ACVP conformance via the new test-acvp workflow.

Also fix the existing SHA2/SHAKE workflow badge URLs (the filenames did
not match the actual workflow files).

…names

The LLVM-suffixed mnemonics (bcax.16b, mov.16b, eor3.16b, rax1.2d,
xar.2d, ld1.2d, st1.2d, eor.16b) are accepted by Apple's clang assembler
but not by GNU as on Linux. Rewrite them in the unified ARMv8 form
(mnemonic vd.<size>, vn.<size>, ...) so this source builds with both.

Also export the symbol under both names: macOS Mach-O auto-prefixes C
symbols with an underscore (so 'extern _f1600x2' from C resolves to
asm symbol '__f1600x2'); Linux ELF has no such prefix.

Using .S enables the C preprocessor for the assembly source. The label
prefix differs between macOS (Mach-O auto-prefixes C symbols with '_'
so 'extern _f1600x2' resolves to '__f1600x2') and Linux (ELF, no
prefix). Pick the right label with #ifdef __APPLE__.

bcax, eor3, rax1 and xar are part of the optional FEAT_SHA3 ARMv8.2
extension. Apple clang's assembler enables it by default; GNU as on
Linux needs an explicit .arch directive.

Previously every workflow triggered on both `push` and `pull_request`,
producing two identical runs per push to a PR branch. Restrict push
triggers to master so feature branches only run via pull_request.

All ACVP groups now have a real pass/fail path, so the xfailed/xpassed
counters in PhaseResult never trip. Remove them and the matching
summary/main bits.

crypto_sign_signature_internal now interprets addrnd=NULL as FIPS-205
deterministic mode and uses PK.seed in its place. _derand and
_prehash_derand inherit this via the internal core.

The ACVP deterministic sigGen groups now exercise this code path
directly: the harness passes addrnd=None and the C library substitutes
PK.seed itself, instead of the harness doing the substitution.