New release to confirm conformance to the released specification

[jonmon6691]

FIPS 205 was officially released about 4 weeks ago. A new release of this project to update the readme and address any changes (if any) from the draft to the official release would add confidence to users of the crate that it was up to date with the standard.

[jonmon6691]

I looked a little deeper into the difference in the draft spec and the released version and it seems like this will not be a trivial change to the crate.

• Draft (Current base document of this repo's implementation): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.ipd.pdf
• Released: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.205.pdf

FIPS 205 Relevant changes mentioned in the federal register announcement (https://www.federalregister.gov/documents/2024/08/14/2024-17956/announcing-issuance-of-federal-information-processing-standards-fips-fips-203-module-lattice-based#:~:text=Based%20on%20comments%20that%20were,of%20the%20message%20is%20signed.)

• FIPS 205 contains a revised specification of pre-hashing. It also now specifies domain separation to ensure that pre-hashed messages can be distinguished from non-pre-hashed messages. FIPS 205 specifies that the signature identifier should indicate whether or not the message was pre-hashed.
• FIPS 205 was revised to include tables showing the member functions for manipulating addresses, supplementing the text and the figures illustrating each of the address types. Information about compressed addresses was also revised.
• In FIPS 203, FIPS 204, and FIPS 205, the main functions now each call an internal derandomized function in order to facilitate validation of implementations of these algorithms. [...] In FIPS 204 and FIPS 205, this applies to KeyGen, Sign, and Verify. In addition, to offer misuse resistance against the possibility that keys for different parameter sets might be expanded from the same seed, domain separation was added to the key generation routine.
• Based on comments that were submitted on draft FIPS 205, the SLH-DSA signature generation and verification functions were modified to include domain separation cases in which the message is signed directly and cases in which a digest of the message is signed. The changes were made by modifying the inputs to the signing and verification functions.

My perceived checklist of changes needed to bring the codebase up to the current standard:

• [ ] Add support for pre-hash variants of the signing and verification functions
• [ ] Modify signing and verification function signatures to accept the context string (ctx) and modify them to use domain separated M'
• [ ] Factor out internal signature and verification functions (Not strictly necessary in this implementation since test fixtures could provide their own deterministic RNG to do testing, which is the reason NIST specified this change)
• [ ] Change function doc strings to align the changed Algorithm numbers with those used in the released spec
• [ ] Change comments to align the text of the algorithm steps with the released version
• [ ] Update readme and other package docs to reflect new status
• [ ] Bump major version as this will be a breaking change to the API

Non-impact to the implementation

• NIST changed how _optrand is specified in _slhsign(). But is equivalent to the old specification and current implementation

I've forked the repo to work on this but I think I might be out of my depth when it comes to adding the pre-hashed variants. I welcome feedback, or encouragement :)

[integritychain]

Hi @jonmon6691 - thanks for looking into this! Updating this crate to the latest spec is on my short list and shouldn't be too far off. I finished the update to FIPS 203 a few days back and have started on 204. This one is next (and likely has some similar items). Also, there is some supporting code that needs to be reworked/rechecked too.

As for feedback/encouragement, I am interested in understanding your usage better - it might help if I get faced with a decision...

[jonmon6691]

No problem, I'm mostly interested in getting my hands dirty with the standard, and I have to say, I really appreciate how nicely your code base mirrors the spec. I have some plans to use this crate to prototype an embedded CAN device that authenticates peers with PQC signed certificates, but for now I'm just trying to wrap my head around FIPS 205.

I just made a commit on #2 after fully reviewing the defined algorithms and it looks like there aren't any more changes hiding in the woodwork other than what I already foresaw.

Currently I'm a little stuck on how to prepend data to the message before hashing which is newly required in the released standard. The obvious way is to allocate a buffer and write in the prefix followed by the message but that's not real slick and doesn't align with the current crate promise that it doesn't allocate. Also it could be a whole lot of memory if m is large. I don't know if you already tackled this issue in the other changes you've made to update 203 and 204 but I'm open to ideas.

[eschorn1]

Hi @jonmon6691 thanks for your kind words. I haven't yet looked into the FIPS 205 changes in detail, but I suspect there may be some similarities to FIPS 204 changes which I have started upon. If you are referring to something like step 8 in algorithm 22 (of FIPS 205) then have a look at https://github.com/integritychain/fips204/blob/main/src/ml_dsa.rs#L131 - I avoid prepending/assembling stuff by running the fragments through the hash function. Hope that helps. I'll have some time to jump in and help here shortly...

[integritychain]

Fyi, getting close now...

[integritychain]

The code has been updated to align with the final/released FIPS 205 specification and is now published as v0.4.0. I did not update the major version as it currently sits at 0 (a special case for SemVer), despite some enhancements to the public API (which now nearly aligns to the FIPS 204 crate). I expect to continue polishing (e.g., fuzzing, an embedded target example, update WASM, etc) in preparation for a review that would then see it updated to v1.0.0. @jonmon6691 - thank you for your help and diligence on this!