@andrea-caforio
Contributor

First PR of the series, adding package documentation and Bazel build files and increasing the OTBN memories:


This is a series of PRs that in their composition result in a FIPS-204-compliant OTBN implementation of ML-DSA-87 verify.

Resources

Preamble

  1. doc

Number-theoretic transform

  1. NTT
  2. INTT

Polynomial arithmetic

  1. poly_add, poly_sub, poly_mul
  2. poly_mul_add

XOF

  1. xof_init, xof_poll, xof_finish
  2. xof_absorb
  3. xof_squeeze

Rounding

  1. shift_left
  2. decompose

Reduction

  1. reduce

Infinity norm

  1. norm_check

Sampling

  1. rej_ntt_poly, expand_a
  2. sample_in-ball
  3. challenge_hash

Encoding

  1. decode_z
  2. decode_t1
  3. decode_hint
  4. encode_w1

Vector operations

  1. sig_decode
  2. norm_check_z
  3. A*z, c * t1, Az - ct1
  4. use_hint

Epilogue

  1. app

This file documents the high-level implementation choices and should
be the initial contact point when navigating to the `mldsa87`
directory.

Signed-off-by: Andrea Caforio <[email protected]>

Two Bazel build files are required for the ML-DSA-87 apps: One for the
source files and another one for the unit tests.

Signed-off-by: Andrea Caforio <[email protected]>

Increase the size of the OTBN DMEM from 4 KiB to 32 KiB (32768 bytes)
and the size of the IMEM from 8 KiB to 16 KiB (16384 bytes).

Signed-off-by: Andrea Caforio <[email protected]>

Comment on lines +1 to +3
/* Copyright lowRISC contributors (OpenTitan project).
Licensed under the Apache License, Version 2.0, see LICENSE for details.
SPDX-License-Identifier: Apache-2.0 */
Member

Suggested change
/* Copyright lowRISC contributors (OpenTitan project).
Licensed under the Apache License, Version 2.0, see LICENSE for details.
SPDX-License-Identifier: Apache-2.0 */
/* Copyright lowRISC contributors (OpenTitan project). */
/* Licensed under the Apache License, Version 2.0, see LICENSE for details. */
/* SPDX-License-Identifier: Apache-2.0 */

Contributor

@etterli etterli left a comment

Looks good to me except that the memory increase should probably be an atomic commit which also touches the RTL and DV. The reason is that otherwise the DV and potentially IBEX SW break.

I think increasing the memories should touch the same files as in this commit: etterli/opentitan-otbn-pqc-isa@b0ce32d

Comment on lines 800 to 801
Note that DMEM is actually 4kiB in size, but only the first 3kiB of
the memory is visible through this register interface.
Contributor

Suggested change
TODO: Document the .bss and .scratchpad split
Note that DMEM is actually 32kiB in size, but only the first XkiB of
the memory is visible through this register interface.

Labels

SW:cryptolib Crypto library
