Documentation ¶
Index ¶
- Constants
- Variables
- func GenerateKey(rand io.Reader) (*PublicKey, *PrivateKey, error)
- func NewKeyFromSeed(seed *[common.SeedSize]byte) (*PublicKey, *PrivateKey)
- func PolyDecompose(p, p0PlusQ, p1 *common.Poly)
- func PolyDeriveUniform(p *common.Poly, seed *[32]byte, nonce uint16)
- func PolyDeriveUniformBall(p *common.Poly, seed []byte)
- func PolyDeriveUniformBallX4(ps [4]*common.Poly, seed []byte)
- func PolyDeriveUniformLeGamma1(p *common.Poly, seed *[64]byte, nonce uint16)
- func PolyDeriveUniformLeqEta(p *common.Poly, seed *[64]byte, nonce uint16)
- func PolyDeriveUniformX4(ps [4]*common.Poly, seed *[32]byte, nonces [4]uint16)
- func PolyDotHat(p *common.Poly, a, b *VecL)
- func PolyMakeHint(p, p0, p1 *common.Poly) (pop uint32)
- func PolyPackLeGamma1(p *common.Poly, buf []byte)
- func PolyPackLeqEta(p *common.Poly, buf []byte)
- func PolyPackW1(p *common.Poly, buf []byte)
- func PolyUnpackLeGamma1(p *common.Poly, buf []byte)
- func PolyUnpackLeqEta(p *common.Poly, buf []byte)
- func PolyUseHint(p, q, hint *common.Poly)
- func SignTo(sk *PrivateKey, msg func(io.Writer), rnd [32]byte, signature []byte)
- func VecLDeriveUniformLeGamma1(v *VecL, seed *[64]byte, nonce uint16)
- func Verify(pk *PublicKey, msg func(io.Writer), signature []byte) bool
- type Mat
- type PrivateKey
- type PublicKey
- type VecK
- func (v *VecK) Add(w, u *VecK)
- func (v *VecK) Decompose(v0PlusQ, v1 *VecK)
- func (v *VecK) Exceeds(bound uint32) bool
- func (v *VecK) InvNTT()
- func (v *VecK) MakeHint(v0, v1 *VecK) (pop uint32)
- func (v *VecK) MulBy2toD(w *VecK)
- func (v *VecK) NTT()
- func (v *VecK) Normalize()
- func (v *VecK) NormalizeAssumingLe2Q()
- func (v *VecK) PackHint(buf []byte)
- func (v *VecK) PackLeqEta(buf []byte)
- func (v *VecK) PackT0(buf []byte)
- func (v *VecK) PackT1(buf []byte)
- func (v *VecK) PackW1(buf []byte)
- func (v *VecK) Power2Round(v0PlusQ, v1 *VecK)
- func (v *VecK) ReduceLe2Q()
- func (v *VecK) Sub(a, b *VecK)
- func (v *VecK) UnpackHint(buf []byte) bool
- func (v *VecK) UnpackLeqEta(buf []byte)
- func (v *VecK) UnpackT0(buf []byte)
- func (v *VecK) UnpackT1(buf []byte)
- func (v *VecK) UseHint(q, hint *VecK) *VecK
- type VecL
- func (v *VecL) Add(w, u *VecL)
- func (v *VecL) Decompose(v0PlusQ, v1 *VecL)
- func (v *VecL) Exceeds(bound uint32) bool
- func (v *VecL) NTT()
- func (v *VecL) Normalize()
- func (v *VecL) NormalizeAssumingLe2Q()
- func (v *VecL) PackLeGamma1(buf []byte)
- func (v *VecL) PackLeqEta(buf []byte)
- func (v *VecL) Power2Round(v0PlusQ, v1 *VecL)
- func (v *VecL) UnpackLeGamma1(buf []byte)
- func (v *VecL) UnpackLeqEta(buf []byte)
Constants ¶
const ( // Size of a packed polynomial of norm ≤η. // (Note that the formula is not valid in general.) PolyLeqEtaSize = (common.N * DoubleEtaBits) / 8 // β = τη, the maximum size of c s₂. Beta = Tau * Eta // γ₁ range of y Gamma1 = 1 << Gamma1Bits // Size of packed polynomial of norm <γ₁ such as z PolyLeGamma1Size = (Gamma1Bits + 1) * common.N / 8 // α = 2γ₂ parameter for decompose Alpha = 2 * Gamma2 // Size of a packed private key PrivateKeySize = 32 + 32 + TRSize + PolyLeqEtaSize*(L+K) + common.PolyT0Size*K // Size of a packed public key PublicKeySize = 32 + common.PolyT1Size*K // Size of a packed signature SignatureSize = L*PolyLeGamma1Size + Omega + K + CTildeSize // Size of packed w₁ PolyW1Size = (common.N * (common.QBits - Gamma1Bits)) / 8 )
const ( Name = "ML-DSA-87" K = 8 L = 7 Eta = 2 DoubleEtaBits = 3 Omega = 75 Tau = 60 Gamma1Bits = 19 Gamma2 = 261888 NIST = true TRSize = 64 CTildeSize = 64 )
Variables ¶
var DeriveX4Available = keccakf1600.IsEnabledX4()
DeriveX4Available indicates whether the system supports the quick fourway sampling variants like PolyDeriveUniformX4.
Functions ¶
func GenerateKey ¶
func GenerateKey(rand io.Reader) (*PublicKey, *PrivateKey, error)
GenerateKey generates a public/private key pair using entropy from rand. If rand is nil, crypto/rand.Reader will be used.
func NewKeyFromSeed ¶
func NewKeyFromSeed(seed *[common.SeedSize]byte) (*PublicKey, *PrivateKey)
NewKeyFromSeed derives a public/private key pair using the given seed.
func PolyDecompose ¶
Splits each of the coefficients of p using decompose.
func PolyDeriveUniformBall ¶
Samples p uniformly with τ non-zero coefficients in {q-1,1}.
The polynomial p will be normalized.
func PolyDeriveUniformBallX4 ¶
For each i, sample ps[i] uniformly with τ non-zero coefficients in {q-1,1} using the given seed and w1[i]. ps[i] may be nil and is ignored in that case. ps[i] will be normalized.
Can only be called when DeriveX4Available is true.
This function is currently not used (yet).
func PolyDeriveUniformLeGamma1 ¶
Sample p uniformly with coefficients in (-γ₁,…,γK1s] using the given seed and nonce.
p will be normalized.
func PolyDeriveUniformLeqEta ¶
Sample p uniformly with coefficients of norm less than or equal η, using the given seed and nonce.
p will not be normalized, but will have coefficients in [q-η,q+η].
func PolyDeriveUniformX4 ¶
For each i, sample ps[i] uniformly from the given seed and nonces[i]. ps[i] may be nil and is ignored in that case.
Can only be called when DeriveX4Available is true.
func PolyDotHat ¶
Set p to the inner product of a and b using pointwise multiplication.
Assumes a and b are in Montgomery form and their coefficients are pairwise sufficiently small to multiply, see Poly.MulHat(). Resulting coefficients are bounded by 2Lq.
func PolyMakeHint ¶
Sets p to the hint polynomial for p0 the modified low bits and p1 the unmodified high bits --- see makeHint().
Returns the number of ones in the hint polynomial.
func PolyPackLeGamma1 ¶
Writes p whose coefficients are in (-γ₁,γ₁] into buf which has to be of length PolyLeGamma1Size.
Assumes p is normalized.
func PolyPackLeqEta ¶
Writes p with norm less than or equal η into buf, which must be of size PolyLeqEtaSize.
Assumes coefficients of p are not normalized, but in [q-η,q+η].
func PolyUnpackLeGamma1 ¶
Sets p to the polynomial packed into buf by PolyPackLeGamma1.
p will be normalized.
func PolyUnpackLeqEta ¶
Sets p to the polynomial of norm less than or equal η encoded in the given buffer of size PolyLeqEtaSize.
Output coefficients of p are not normalized, but in [q-η,q+η] provided buf was created using PackLeqEta.
Beware, for arbitrary buf the coefficients of p might end up in the interval [q-2^b,q+2^b] where b is the least b with η≤2^b.
func PolyUseHint ¶
Computes corrections to the high bits of the polynomial q according to the hints in h and sets p to the corrected high bits. Returns p.
func SignTo ¶
func SignTo(sk *PrivateKey, msg func(io.Writer), rnd [32]byte, signature []byte)
SignTo signs the given message and writes the signature into signature.
For Dilithium this is the top-level signing function. For ML-DSA this is ML-DSA.Sign_internal.
func VecLDeriveUniformLeGamma1 ¶
Sample v[i] uniformly with coefficients in (-γ₁,…,γ₁] using the given seed and nonce+i
p will be normalized.
Types ¶
type PrivateKey ¶
type PrivateKey struct { // Cached values A Mat // ExpandA(ρ) // contains filtered or unexported fields }
PrivateKey is the type of Dilithium private keys.
func (*PrivateKey) Equal ¶
func (sk *PrivateKey) Equal(other *PrivateKey) bool
Equal returns whether the two private keys are equal
func (*PrivateKey) Pack ¶
func (sk *PrivateKey) Pack(buf *[PrivateKeySize]byte)
Packs the private key into buf.
func (*PrivateKey) Public ¶
func (sk *PrivateKey) Public() *PublicKey
Computes the public key corresponding to this private key.
func (*PrivateKey) Unpack ¶
func (sk *PrivateKey) Unpack(buf *[PrivateKeySize]byte)
Sets sk to the private key encoded in buf.
type PublicKey ¶
type PublicKey struct { A *Mat // contains filtered or unexported fields }
PublicKey is the type of Dilithium public keys.
func (*PublicKey) Pack ¶
func (pk *PublicKey) Pack(buf *[PublicKeySize]byte)
Packs the public key into buf.
func (*PublicKey) Unpack ¶
func (pk *PublicKey) Unpack(buf *[PublicKeySize]byte)
Sets pk to the public key encoded in buf.
type VecK ¶
A vector of K polynomials.
func (*VecK) Decompose ¶
Applies Poly.Decompose componentwise.
Requires the vector to be normalized.
func (*VecK) Exceeds ¶
Checks whether any of the coefficients exceeds the given bound in supnorm
Requires the vector to be normalized.
func (*VecK) InvNTT ¶
func (v *VecK) InvNTT()
Applies InvNTT componentwise. See Poly.InvNTT() for details.
func (*VecK) MakeHint ¶
Sets v to the hint vector for v0 the modified low bits and v1 the unmodified high bits --- see makeHint().
Returns the number of ones in the hint vector.
func (*VecK) NormalizeAssumingLe2Q ¶
func (v *VecK) NormalizeAssumingLe2Q()
Normalize the polynomials in this vector assuming their coefficients are already bounded by 2q.
func (*VecK) PackHint ¶
Writes v with coefficients in {0, 1} of which at most ω non-zero to buf, which must have length ω+k.
func (*VecK) PackLeqEta ¶
Sequentially packs each polynomial using Poly.PackLeqEta().
func (*VecK) Power2Round ¶
Applies Poly.Power2Round componentwise.
Requires the vector to be normalized.
func (*VecK) Sub ¶
Sets v to a - b.
Warning: assumes coefficients of the polynomials of b are less than 2q.
func (*VecK) UnpackHint ¶
Sets v to the vector encoded using VecK.PackHint()
Returns whether unpacking was successful.
func (*VecK) UnpackLeqEta ¶
Sets v to the polynomials packed in buf using VecK.PackLeqEta().
type VecL ¶
A vector of L polynomials.
func (*VecL) Decompose ¶
Applies Poly.Decompose componentwise.
Requires the vector to be normalized.
func (*VecL) Exceeds ¶
Checks whether any of the coefficients exceeds the given bound in supnorm
Requires the vector to be normalized.
func (*VecL) NormalizeAssumingLe2Q ¶
func (v *VecL) NormalizeAssumingLe2Q()
Normalize the polynomials in this vector assuming their coefficients are already bounded by 2q.
func (*VecL) PackLeGamma1 ¶
Sequentially packs each polynomial using PolyPackLeGamma1().
func (*VecL) PackLeqEta ¶
Sequentially packs each polynomial using Poly.PackLeqEta().
func (*VecL) Power2Round ¶
Applies Poly.Power2Round componentwise.
Requires the vector to be normalized.
func (*VecL) UnpackLeGamma1 ¶
Sets v to the polynomials packed in buf using VecL.PackLeGamma1().
func (*VecL) UnpackLeqEta ¶
Sets v to the polynomials packed in buf using VecL.PackLeqEta().