Implement MultiPartSigner/Verifier for ML-DSA and SLH-DSA

Author: daxpedda

Cargo.lock

@@ -25,3 +25,6 @@ lms-signature = { path = "./lms" }
 ml-dsa = { path = "./ml-dsa" }
 rfc6979 = { path = "./rfc6979" }
 slh-dsa = { path = "./slh-dsa" }
+
+# https://github.com/RustCrypto/traits/pull/1880
+signature = { git = "https://github.com/RustCrypto/traits", rev = "ce4a05bc4266dd1d4c7c713fb7f9c211c76375ec" }

Cargo.toml

@@ -89,7 +89,7 @@ use core::fmt;
 
 pub use crate::param::{EncodedSignature, EncodedSigningKey, EncodedVerifyingKey, MlDsaParams};
 pub use crate::util::B32;
-pub use signature::{self, Error};
+pub use signature::{self, Error, MultiPartSigner, MultiPartVerifier};
 
 /// An ML-DSA signature
 #[derive(Clone, PartialEq, Debug)]
@@ -168,10 +168,10 @@ where
 // This method takes a slice of slices so that we can accommodate the varying calculations (direct
 // for test vectors, 0... for sign/sign_deterministic, 1... for the pre-hashed version) without
 // having to allocate memory for components.
-fn message_representative(tr: &[u8], Mp: &[&[u8]]) -> B64 {
+fn message_representative(tr: &[u8], Mp: &[&[&[u8]]]) -> B64 {
     let mut h = H::default().absorb(tr);
 
-    for m in Mp {
+    for m in Mp.iter().copied().flatten() {
         h = h.absorb(m);
     }
 
@@ -245,7 +245,13 @@ where
 /// only supports signing with an empty context string.
 impl<P: MlDsaParams> signature::Signer<Signature<P>> for KeyPair<P> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature<P>, Error> {
-        self.signing_key.sign_deterministic(msg, &[])
+        self.try_multi_part_sign(&[msg])
+    }
+}
+
+impl<P: MlDsaParams> MultiPartSigner<Signature<P>> for KeyPair<P> {
+    fn try_multi_part_sign(&self, msg: &[&[u8]]) -> Result<Signature<P>, Error> {
+        self.signing_key.raw_sign_deterministic(msg, &[])
     }
 }
 
@@ -350,6 +356,13 @@ impl<P: MlDsaParams> SigningKey<P> {
     // Algorithm 7 ML-DSA.Sign_internal
     // TODO(RLB) Only expose based on a feature.  Tests need access, but normal code shouldn't.
     pub fn sign_internal(&self, Mp: &[&[u8]], rnd: &B32) -> Signature<P>
+    where
+        P: MlDsaParams,
+    {
+        self.raw_sign_internal(&[Mp], rnd)
+    }
+
+    fn raw_sign_internal(&self, Mp: &[&[&[u8]]], rnd: &B32) -> Signature<P>
     where
         P: MlDsaParams,
     {
@@ -440,13 +453,17 @@ impl<P: MlDsaParams> SigningKey<P> {
     /// This method will return an opaque error if the context string is more than 255 bytes long.
     // Algorithm 2 ML-DSA.Sign (optional deterministic variant)
     pub fn sign_deterministic(&self, M: &[u8], ctx: &[u8]) -> Result<Signature<P>, Error> {
+        self.raw_sign_deterministic(&[M], ctx)
+    }
+
+    fn raw_sign_deterministic(&self, M: &[&[u8]], ctx: &[u8]) -> Result<Signature<P>, Error> {
         if ctx.len() > 255 {
             return Err(Error::new());
         }
 
         let rnd = B32::default();
-        let Mp = &[&[0], &[Truncate::truncate(ctx.len())], ctx, M];
-        Ok(self.sign_internal(Mp, &rnd))
+        let Mp = &[&[&[0], &[Truncate::truncate(ctx.len())], ctx], M];
+        Ok(self.raw_sign_internal(Mp, &rnd))
     }
 
     /// Encode the key in a fixed-size byte array.
@@ -492,7 +509,13 @@ impl<P: MlDsaParams> SigningKey<P> {
 /// string, use the [`SigningKey::sign_deterministic`] method.
 impl<P: MlDsaParams> signature::Signer<Signature<P>> for SigningKey<P> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature<P>, Error> {
-        self.sign_deterministic(msg, &[])
+        self.try_multi_part_sign(&[msg])
+    }
+}
+
+impl<P: MlDsaParams> MultiPartSigner<Signature<P>> for SigningKey<P> {
+    fn try_multi_part_sign(&self, msg: &[&[u8]]) -> Result<Signature<P>, Error> {
+        self.raw_sign_deterministic(msg, &[])
     }
 }
 
@@ -576,6 +599,13 @@ impl<P: MlDsaParams> VerifyingKey<P> {
     /// and it does not separate the context string from the rest of the message.
     // Algorithm 8 ML-DSA.Verify_internal
     pub fn verify_internal(&self, Mp: &[&[u8]], sigma: &Signature<P>) -> bool
+    where
+        P: MlDsaParams,
+    {
+        self.raw_verify_internal(&[Mp], sigma)
+    }
+
+    fn raw_verify_internal(&self, Mp: &[&[&[u8]]], sigma: &Signature<P>) -> bool
     where
         P: MlDsaParams,
     {
@@ -605,12 +635,16 @@ impl<P: MlDsaParams> VerifyingKey<P> {
     /// This algorithm reflect the ML-DSA.Verify algorithm from FIPS 204.
     // Algorithm 3 ML-DSA.Verify
     pub fn verify_with_context(&self, M: &[u8], ctx: &[u8], sigma: &Signature<P>) -> bool {
+        self.raw_verify_with_context(&[M], ctx, sigma)
+    }
+
+    fn raw_verify_with_context(&self, M: &[&[u8]], ctx: &[u8], sigma: &Signature<P>) -> bool {
         if ctx.len() > 255 {
             return false;
         }
 
-        let Mp = &[&[0], &[Truncate::truncate(ctx.len())], ctx, M];
-        self.verify_internal(Mp, sigma)
+        let Mp = &[&[&[0], &[Truncate::truncate(ctx.len())], ctx], M];
+        self.raw_verify_internal(Mp, sigma)
     }
 
     fn encode_internal(rho: &B32, t1: &Vector<P::K>) -> EncodedVerifyingKey<P> {
@@ -635,7 +669,13 @@ impl<P: MlDsaParams> VerifyingKey<P> {
 
 impl<P: MlDsaParams> signature::Verifier<Signature<P>> for VerifyingKey<P> {
     fn verify(&self, msg: &[u8], signature: &Signature<P>) -> Result<(), Error> {
-        self.verify_with_context(msg, &[], signature)
+        self.multi_part_verify(&[msg], signature)
+    }
+}
+
+impl<P: MlDsaParams> MultiPartVerifier<Signature<P>> for VerifyingKey<P> {
+    fn multi_part_verify(&self, msg: &[&[u8]], signature: &Signature<P>) -> Result<(), Error> {
+        self.raw_verify_with_context(msg, &[], signature)
             .then_some(())
             .ok_or(Error::new())
     }

ml-dsa/src/lib.rs

@@ -23,15 +23,15 @@ pub(crate) trait HashSuite: Sized + Clone + Debug + PartialEq + Eq {
     fn prf_msg(
         sk_prf: &SkPrf<Self::N>,
         opt_rand: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::N>;
 
     /// Hashes a message using a given randomizer
     fn h_msg(
         rand: &Array<u8, Self::N>,
         pk_seed: &PkSeed<Self::N>,
         pk_root: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::M>;
 
     /// PRF that is used to generate the secret values in WOTS+ and FORS private keys.
@@ -76,7 +76,7 @@ mod tests {
         let opt_rand = Array::<u8, H::N>::from_fn(|_| 1);
         let msg = [2u8; 32];
 
-        let result = H::prf_msg(&sk_prf, &opt_rand, &[msg]);
+        let result = H::prf_msg(&sk_prf, &opt_rand, &[&[msg]]);
 
         assert_eq!(result.as_slice(), expected);
     }
@@ -87,7 +87,7 @@ mod tests {
         let pk_root = Array::<u8, H::N>::from_fn(|_| 2);
         let msg = [3u8; 32];
 
-        let result = H::h_msg(&rand, &pk_seed, &pk_root, &[msg]);
+        let result = H::h_msg(&rand, &pk_seed, &pk_root, &[&[msg]]);
 
         assert_eq!(result.as_slice(), expected);
     }

slh-dsa/src/hashes.rs

@@ -61,11 +61,13 @@ where
     fn prf_msg(
         sk_prf: &SkPrf<Self::N>,
         opt_rand: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::N> {
         let mut mac = Hmac::<Sha256>::new_from_slice(sk_prf.as_ref()).unwrap();
         mac.update(opt_rand.as_slice());
         msg.iter()
+            .copied()
+            .flatten()
             .for_each(|msg_part| mac.update(msg_part.as_ref()));
         let result = mac.finalize().into_bytes();
         Array::clone_from_slice(&result[..Self::N::USIZE])
@@ -75,13 +77,16 @@ where
         rand: &Array<u8, Self::N>,
         pk_seed: &PkSeed<Self::N>,
         pk_root: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::M> {
         let mut h = Sha256::new();
         h.update(rand);
         h.update(pk_seed);
         h.update(pk_root);
-        msg.iter().for_each(|msg_part| h.update(msg_part.as_ref()));
+        msg.iter()
+            .copied()
+            .flatten()
+            .for_each(|msg_part| h.update(msg_part.as_ref()));
         let result = Array(h.finalize().into());
         let seed = rand.clone().concat(pk_seed.0.clone()).concat(result);
         mgf1::<Sha256, Self::M>(&seed)
@@ -224,11 +229,13 @@ where
     fn prf_msg(
         sk_prf: &SkPrf<Self::N>,
         opt_rand: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::N> {
         let mut mac = Hmac::<Sha512>::new_from_slice(sk_prf.as_ref()).unwrap();
         mac.update(opt_rand.as_slice());
         msg.iter()
+            .copied()
+            .flatten()
             .for_each(|msg_part| mac.update(msg_part.as_ref()));
         let result = mac.finalize().into_bytes();
         Array::clone_from_slice(&result[..Self::N::USIZE])
@@ -238,13 +245,16 @@ where
         rand: &Array<u8, Self::N>,
         pk_seed: &PkSeed<Self::N>,
         pk_root: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::M> {
         let mut h = Sha512::new();
         h.update(rand);
         h.update(pk_seed);
         h.update(pk_root);
-        msg.iter().for_each(|msg_part| h.update(msg_part.as_ref()));
+        msg.iter()
+            .copied()
+            .flatten()
+            .for_each(|msg_part| h.update(msg_part.as_ref()));
         let result = Array(h.finalize().into());
         let seed = rand.clone().concat(pk_seed.0.clone()).concat(result);
         mgf1::<Sha512, Self::M>(&seed)

slh-dsa/src/hashes/sha2.rs

@@ -35,12 +35,14 @@ where
     fn prf_msg(
         sk_prf: &SkPrf<Self::N>,
         opt_rand: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::N> {
         let mut hasher = Shake256::default();
         hasher.update(sk_prf.as_ref());
         hasher.update(opt_rand.as_slice());
         msg.iter()
+            .copied()
+            .flatten()
             .for_each(|msg_part| hasher.update(msg_part.as_ref()));
         let mut output = Array::<u8, Self::N>::default();
         hasher.finalize_xof_into(&mut output);
@@ -51,13 +53,15 @@ where
         rand: &Array<u8, Self::N>,
         pk_seed: &PkSeed<Self::N>,
         pk_root: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::M> {
         let mut hasher = Shake256::default();
         hasher.update(rand.as_slice());
         hasher.update(pk_seed.as_ref());
         hasher.update(pk_root.as_ref());
         msg.iter()
+            .copied()
+            .flatten()
             .for_each(|msg_part| hasher.update(msg_part.as_ref()));
         let mut output = Array::<u8, Self::M>::default();
         hasher.finalize_xof_into(&mut output);
@@ -276,7 +280,7 @@ mod tests {
 
         let expected = hex!("bc5c062307df0a41aeeae19ad655f7b2");
 
-        let result = H::prf_msg(&sk_prf, &opt_rand, &[msg]);
+        let result = H::prf_msg(&sk_prf, &opt_rand, &[&[msg]]);
 
         assert_eq!(result.as_slice(), expected);
     }

slh-dsa/src/hashes/shake.rs

@@ -4,7 +4,7 @@ use crate::util::split_digest;
 use crate::verifying_key::VerifyingKey;
 use crate::{ParameterSet, PkSeed, Sha2L1, Sha2L35, Shake, VerifyingKeyLen};
 use ::signature::{
-    Error, KeypairRef, RandomizedSigner, Signer,
+    Error, KeypairRef, MultiPartSigner, RandomizedMultiPartSigner, RandomizedSigner, Signer,
     rand_core::{CryptoRng, TryCryptoRng},
 };
 use hybrid_array::{Array, ArraySize};
@@ -133,6 +133,10 @@ impl<P: ParameterSet> SigningKey<P> {
     /// Published for KAT validation purposes but not intended for general use.
     /// opt_rand must be a P::N length slice, panics otherwise.
     pub fn slh_sign_internal(&self, msg: &[&[u8]], opt_rand: Option<&[u8]>) -> Signature<P> {
+        self.raw_slh_sign_internal(&[msg], opt_rand)
+    }
+
+    fn raw_slh_sign_internal(&self, msg: &[&[&[u8]]], opt_rand: Option<&[u8]>) -> Signature<P> {
         let rand = opt_rand
             .unwrap_or(&self.verifying_key.pk_seed.0)
             .try_into()
@@ -167,12 +171,21 @@ impl<P: ParameterSet> SigningKey<P> {
         msg: &[u8],
         ctx: &[u8],
         opt_rand: Option<&[u8]>,
+    ) -> Result<Signature<P>, Error> {
+        self.raw_try_sign_with_context(&[msg], ctx, opt_rand)
+    }
+
+    fn raw_try_sign_with_context(
+        &self,
+        msg: &[&[u8]],
+        ctx: &[u8],
+        opt_rand: Option<&[u8]>,
     ) -> Result<Signature<P>, Error> {
         let ctx_len = u8::try_from(ctx.len()).map_err(|_| Error::new())?;
         let ctx_len_bytes = ctx_len.to_be_bytes();
 
-        let ctx_msg = [&[0], &ctx_len_bytes, ctx, msg];
-        Ok(self.slh_sign_internal(&ctx_msg, opt_rand))
+        let ctx_msg = [&[&[0], &ctx_len_bytes, ctx], msg];
+        Ok(self.raw_slh_sign_internal(&ctx_msg, opt_rand))
     }
 
     /// Serialize the signing key to a new stack-allocated array
@@ -218,7 +231,13 @@ impl<P: ParameterSet> TryFrom<&[u8]> for SigningKey<P> {
 
 impl<P: ParameterSet> Signer<Signature<P>> for SigningKey<P> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature<P>, Error> {
-        self.try_sign_with_context(msg, &[], None)
+        self.try_multi_part_sign(&[msg])
+    }
+}
+
+impl<P: ParameterSet> MultiPartSigner<Signature<P>> for SigningKey<P> {
+    fn try_multi_part_sign(&self, msg: &[&[u8]]) -> Result<Signature<P>, Error> {
+        self.raw_try_sign_with_context(msg, &[], None)
     }
 }
 
@@ -228,10 +247,20 @@ impl<P: ParameterSet> RandomizedSigner<Signature<P>> for SigningKey<P> {
         rng: &mut R,
         msg: &[u8],
     ) -> Result<Signature<P>, signature::Error> {
+        self.try_multi_part_sign_with_rng(rng, &[msg])
+    }
+}
+
+impl<P: ParameterSet> RandomizedMultiPartSigner<Signature<P>> for SigningKey<P> {
+    fn try_multi_part_sign_with_rng<R: TryCryptoRng + ?Sized>(
+        &self,
+        rng: &mut R,
+        msg: &[&[u8]],
+    ) -> Result<Signature<P>, Error> {
         let mut randomizer = Array::<u8, P::N>::default();
         rng.try_fill_bytes(randomizer.as_mut_slice())
             .map_err(|_| signature::Error::new())?;
-        self.try_sign_with_context(msg, &[], Some(&randomizer))
+        self.raw_try_sign_with_context(msg, &[], Some(&randomizer))
     }
 }