Skip to content

Add external mu support to ML-DSA #117966

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 18 commits into from
Jul 30, 2025
Merged

Add external mu support to ML-DSA #117966

merged 18 commits into from
Jul 30, 2025

Conversation

bartonjs
Copy link
Member

@bartonjs bartonjs commented Jul 23, 2025
edited
Loading

Fixes #116995

@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

PranavSenthilnathan
PranavSenthilnathan reviewed Jul 23, 2025
View reviewed changes
Copy link
Member

@PranavSenthilnathan PranavSenthilnathan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comments

vcsjones
vcsjones reviewed Jul 23, 2025
View reviewed changes
@vcsjones
Copy link
Member

vcsjones commented Jul 24, 2025
edited
Loading

It looks like NistImportPublicKeyVerifyExternalMu needs to be marked conditional. It's failing on Windows in M.B.C.

 Failed System.Security.Cryptography.Tests.MLDsaImplementationTests.NistImportPublicKeyVerifyExternalMu(testCase: Nist Test Case 152 (ML-DSA-87, ShouldPass: False)) [< 1 ms]
  Error Message:
   System.PlatformNotSupportedException : Operation is not supported on this platform.
  Stack Trace:
     at System.Security.Cryptography.MLDsaImplementation.VerifyExternalMuCore(ReadOnlySpan`1 mu, ReadOnlySpan`1 signature) in E:\code\runtime\src\libraries\Common\src\System\Security\Cryptography\MLDsaImplementation.Windows.cs:line 98
   at System.Security.Cryptography.MLDsa.VerifyExternalMu(ReadOnlySpan`1 mu, ReadOnlySpan`1 signature) in E:\code\runtime\src\libraries\Common\src\System\Security\Cryptography\MLDsa.cs:line 698
   at System.Security.Cryptography.MLDsa.VerifyExternalMu(Byte[] mu, Byte[] signature) in E:\code\runtime\src\libraries\Common\src\System\Security\Cryptography\MLDsa.cs:line 673
   at System.Security.Cryptography.Tests.MLDsaTestsBase.NistImportPublicKeyVerifyExternalMu(MLDsaNistTestCase testCase) in E:\code\runtime\src\libraries\Common\tests\System\Security\Cryptography\AlgorithmImplementations\MLDsa\MLDsaTestsBase.cs:line 298
   at InvokeStub_MLDsaTestsBase.NistImportPublicKeyVerifyExternalMu(Object, Span`1)
   at System.Reflection.MethodBaseInvoker.InvokeWithOneArg(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) in E:\code\runtime\src\libraries\System.Private.CoreLib\src\System\Reflection\MethodBaseInvoker.cs:line 95

This was referenced Jul 24, 2025
Closed
Open
PranavSenthilnathan
PranavSenthilnathan reviewed Jul 24, 2025
View reviewed changes
Copy link
Member

@PranavSenthilnathan PranavSenthilnathan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some small stuff

This was referenced Jul 24, 2025
Open
Open
Closed
@bartonjs bartonjs marked this pull request as ready for review July 24, 2025 19:15
@Copilot Copilot AI review requested due to automatic review settings July 24, 2025 19:15
Copilot
Copilot AI reviewed Jul 24, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds external mu (μ) support to ML-DSA, allowing developers to compute the signature mu value independently and use it for signing and verification operations. This enables more flexible cryptographic workflows where the mu computation can be separated from the actual signing process.

Key changes include:

  • Addition of SignExternalMu and VerifyExternalMu methods to the ML-DSA API
  • Introduction of MLDsaMuHash class for stateful mu computation
  • Native layer support for external mu operations via OpenSSL

Reviewed Changes

Copilot reviewed 31 out of 32 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
pal_evp_pkey_ml_dsa.h Added function declarations for external mu signing and verification
pal_evp_pkey_ml_dsa.c Implemented external mu signing and verification using OpenSSL EVP APIs
opensslshim.h Added OSSL_SIGNATURE_PARAM_MU constant definition
entrypoints.c Exported new external mu functions for P/Invoke
MLDsaOpenSsl.OpenSsl.cs Added OpenSSL implementation of external mu methods
MLDsaOpenSsl.NotSupported.cs Added not-supported stubs for external mu methods
MLDsaImplementation.OpenSsl.cs Added external mu method implementations
System.Security.Cryptography.cs Added public API surface for external mu functionality
MLDsaMuHash.cs New class providing stateful hash computation for mu values
MLDsa.cs Added external mu methods and MLDsaMuHash factory methods
Various test files Added comprehensive test coverage for external mu functionality
UntouchableStream.cs Moved common test utility to shared location

@PranavSenthilnathan
Copy link
Member

Win11 with PQC has test failures on net481. They're all NotImplementedException from Shake256:

src\libraries\Microsoft.Bcl.Cryptography\tests> dn test -f net481 
[xUnit.net 00:00:01.06] System.Security.Cryptography.Tests.MLDsaImplementationTests.GenerateSignVerifyEmptyMessageExternalMuWithContext [SKIP]
[xUnit.net 00:00:02.31] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.GenerateSignVerifyExternalMuWithContext [SKIP]
[xUnit.net 00:00:02.52] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.GenerateSignVerifyEmptyMessageExternalMuNoContext [SKIP]
[xUnit.net 00:00:02.52] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.GenerateSignVerifyExternalMuNoContext [SKIP]
[xUnit.net 00:00:03.13] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.NistImportPublicKeyVerifyExternalMu [SKIP]
[xUnit.net 00:00:03.33] System.Security.Cryptography.Tests.MLDsaImplementationTests.ExternalMuHash_AccruesProperly(algorithm: ML-DSA-44) [FAIL]
[xUnit.net 00:00:03.33] System.Security.Cryptography.Tests.MLDsaImplementationTests.ExternalMuHash_AccruesProperly(algorithm: ML-DSA-65) [FAIL]
[xUnit.net 00:00:03.34] System.Security.Cryptography.Tests.MLDsaImplementationTests.ExternalMuHash_AccruesProperly(algorithm: ML-DSA-87) [FAIL]
[xUnit.net 00:00:03.39] System.Security.Cryptography.Tests.MLDsaImplementationTests.ExternalMuHash_ClonesProperly(algorithm: ML-DSA-44) [FAIL]
[xUnit.net 00:00:03.40] System.Security.Cryptography.Tests.MLDsaImplementationTests.ExternalMuHash_ClonesProperly(algorithm: ML-DSA-65) [FAIL]
[xUnit.net 00:00:03.40] System.Security.Cryptography.Tests.MLDsaImplementationTests.ExternalMuHash_ClonesProperly(algorithm: ML-DSA-87) [FAIL]
[xUnit.net 00:00:03.41] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.ExternalMuHash_AccruesProperly(algorithm: ML-DSA-44) [FAIL]
[xUnit.net 00:00:03.43] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.ExternalMuHash_AccruesProperly(algorithm: ML-DSA-65) [FAIL]
[xUnit.net 00:00:03.46] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.ExternalMuHash_AccruesProperly(algorithm: ML-DSA-87) [FAIL]
[xUnit.net 00:00:03.49] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.ExternalMuHash_DoesNotKeepMLDsaAlive(algorithm: ML-DSA-44) [FAIL]
[xUnit.net 00:00:03.50] System.Security.Cryptography.Tests.AesGcmIsSupportedTests.CtorThrowsPNSEIfNotSupported [SKIP]
[xUnit.net 00:00:03.51] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.ExternalMuHash_DoesNotKeepMLDsaAlive(algorithm: ML-DSA-65) [FAIL]
[xUnit.net 00:00:03.52] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.ExternalMuHash_DoesNotKeepMLDsaAlive(algorithm: ML-DSA-87) [FAIL]
[xUnit.net 00:00:03.91] System.Security.Cryptography.Tests.MLDsaImplementationTests.ExternalMuHash_DoesNotKeepMLDsaAlive(algorithm: ML-DSA-44) [FAIL]
[xUnit.net 00:00:03.93] System.Security.Cryptography.Tests.MLDsaImplementationTests.ExternalMuHash_DoesNotKeepMLDsaAlive(algorithm: ML-DSA-65) [FAIL]
[xUnit.net 00:00:03.93] System.Security.Cryptography.Tests.MLDsaImplementationTests.ExternalMuHash_DoesNotKeepMLDsaAlive(algorithm: ML-DSA-87) [FAIL]
[xUnit.net 00:00:04.15] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.GetMLKemPrivateKey_NoPrivateKey [SKIP]
[xUnit.net 00:00:04.16] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.GetMLKemPrivateKey_WithPrivateKey [SKIP]
[xUnit.net 00:00:04.23] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.CheckCopyWithPrivateKey_SlhDsa_OtherSlhDsa [SKIP]
[xUnit.net 00:00:04.23] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.GetMLKemPublicKey_WithPrivateKey [SKIP]
[xUnit.net 00:00:04.23] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.GetSlhDsaPrivateKeyTest [SKIP]
[xUnit.net 00:00:04.24] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.CheckCopyWithPrivateKey_MLKem_OtherMLKem_Seed [SKIP]
[xUnit.net 00:00:04.24] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.CheckCopyWithPrivateKey_MLKem [SKIP]
[xUnit.net 00:00:04.24] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.CheckCopyWithPrivateKey_SlhDsa [SKIP]
[xUnit.net 00:00:04.24] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.CheckCopyWithPrivateKey_MLKem_OtherMLKem_DecapsulationKey [SKIP]
[xUnit.net 00:00:04.25] System.Security.Cryptography.X509Certificates.Tests.CertificateCreation.PrivateKeyAssociationTests.GetSlhDsaPublicKeyTest [SKIP]
[xUnit.net 00:00:04.27] System.Security.Cryptography.X509Certificates.Tests.MLKemCertTests.GetMLKemPublicKey_PlatformNotSupported [SKIP]
[xUnit.net 00:00:04.47] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.GenerateSignVerifyEmptyMessageExternalMuWithContext [SKIP]
[xUnit.net 00:00:04.64] System.Security.Cryptography.Tests.MLDsaImplementationTests.GenerateSignVerifyEmptyMessageExternalMuNoContext [SKIP]
[xUnit.net 00:00:04.75] System.Security.Cryptography.Tests.MLDsaImplementationTests.GenerateSignVerifyExternalMuNoContext [SKIP]
[xUnit.net 00:00:04.94] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.ExternalMuHash_ClonesProperly(algorithm: ML-DSA-44) [FAIL]
[xUnit.net 00:00:04.95] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.ExternalMuHash_ClonesProperly(algorithm: ML-DSA-65) [FAIL]
[xUnit.net 00:00:04.95] System.Security.Cryptography.Tests.MLDsaCngTests_AllowExport.ExternalMuHash_ClonesProperly(algorithm: ML-DSA-87) [FAIL]
[xUnit.net 00:00:05.01] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.ExternalMuHash_ClonesProperly(algorithm: ML-DSA-44) [FAIL]
[xUnit.net 00:00:05.01] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.ExternalMuHash_ClonesProperly(algorithm: ML-DSA-65) [FAIL]
[xUnit.net 00:00:05.02] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.ExternalMuHash_ClonesProperly(algorithm: ML-DSA-87) [FAIL]
[xUnit.net 00:00:05.07] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.GenerateSignVerifyEmptyMessageExternalMuWithContext [SKIP]
[xUnit.net 00:00:05.08] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.ExternalMuHash_AccruesProperly(algorithm: ML-DSA-44) [FAIL]
[xUnit.net 00:00:05.08] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.ExternalMuHash_AccruesProperly(algorithm: ML-DSA-65) [FAIL]
[xUnit.net 00:00:05.09] System.Security.Cryptography.Tests.MLDsaImplementationTests.NistImportPublicKeyVerifyExternalMu [SKIP]
[xUnit.net 00:00:05.09] System.Security.Cryptography.Tests.MLDsaImplementationTests.GenerateSignVerifyExternalMuWithContext [SKIP]
[xUnit.net 00:00:05.09] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.ExternalMuHash_AccruesProperly(algorithm: ML-DSA-87) [FAIL]
[xUnit.net 00:00:05.17] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.ExternalMuHash_DoesNotKeepMLDsaAlive(algorithm: ML-DSA-44) [FAIL]
[xUnit.net 00:00:05.18] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.ExternalMuHash_DoesNotKeepMLDsaAlive(algorithm: ML-DSA-65) [FAIL]
[xUnit.net 00:00:05.18] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.ExternalMuHash_DoesNotKeepMLDsaAlive(algorithm: ML-DSA-87) [FAIL]
[xUnit.net 00:00:05.19] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.GenerateSignVerifyExternalMuWithContext [SKIP]
[xUnit.net 00:00:05.21] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.NistImportPublicKeyVerifyExternalMu [SKIP]
[xUnit.net 00:00:05.21] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.GenerateSignVerifyExternalMuNoContext [SKIP]
[xUnit.net 00:00:05.22] System.Security.Cryptography.Tests.MLDsaCngTests_AllowPlaintextExport.GenerateSignVerifyEmptyMessageExternalMuNoContext [SKIP]

@bartonjs
Copy link
Member Author

Win11 with PQC has test failures on net481. They're all NotImplementedException from Shake256:

Fair, guess I get to power that up. In my head it was unreachable until we get to integrate with the Windows feature, but, nope, it's the base impl.

@build-analysis build-analysis bot mentioned this pull request Jul 24, 2025
Open
vcsjones
vcsjones reviewed Jul 25, 2025
View reviewed changes
Copy link
Member

@vcsjones vcsjones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comments

@bartonjs bartonjs added the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Jul 28, 2025
@bartonjs
Copy link
Member Author

Since the API Review session is, at this point, "tomorrow", I've slapped on NO-MERGE so I remind myself to wait for updates from that, rather than getting trigger-happy.

@bartonjs bartonjs removed the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Jul 29, 2025
@bartonjs
Copy link
Member Author

OK, the latest push

  • Updates the public API to call the methods Mu and the parameters externalMu.
  • Leaves the crypto shim and interop stub with the opposite convention.
  • Removed MLDsaMuHash 🪦.
  • Adds a test helper that calculates mu (.NET 8+), so we have the crossways SignMu/VerifyData and SignData/VerifyMu checks.
    • The helper returns null on netfx, so it skips the crossways checks.
  • Undoes the move of UntouchableStream, since nothing in this PR requires it to move.

@bartonjs
Copy link
Member Author

@artl93 BTW: PQC RC1 API Addition (I was so tempted to say ADD instead of addition...)

PranavSenthilnathan
PranavSenthilnathan approved these changes Jul 29, 2025
View reviewed changes
@build-analysis build-analysis bot mentioned this pull request Jul 30, 2025
Closed
@bartonjs bartonjs merged commit 73d13d9 into dotnet:main Jul 30, 2025
100 checks passed
@bartonjs bartonjs deleted the external_mu branch July 30, 2025 20:38
@github-actions github-actions bot locked and limited conversation to collaborators Aug 30, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@vcsjones vcsjones vcsjones left review comments

Copilot code review Copilot Copilot left review comments

@PranavSenthilnathan PranavSenthilnathan PranavSenthilnathan approved these changes

Assignees

@bartonjs bartonjs

Labels
area-System.Security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add External-Mu support to ML-DSA
3 participants
@bartonjs @vcsjones @PranavSenthilnathan