Pull ML-DSA from upstream.

Add wrapper for default ctx recommended in FIPS 204
Update suppression files.

Signed-off-by: Basil Hess <[email protected]>

.CMake/alg_support.cmake

@@ -137,11 +137,8 @@ cmake_dependent_option(OQS_ENABLE_SIG_dilithium_3 "" ON "OQS_ENABLE_SIG_DILITHIU
 cmake_dependent_option(OQS_ENABLE_SIG_dilithium_5 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
 
 option(OQS_ENABLE_SIG_ML_DSA "Enable ml_dsa algorithm family" ON)
-cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
-cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
-cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 
 option(OQS_ENABLE_SIG_FALCON "Enable falcon algorithm family" ON)
@@ -393,21 +390,18 @@ endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_44_ipd" OFF)
     cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_44" OFF)
 endif()
 endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_65_ipd" OFF)
     cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_65" OFF)
 endif()
 endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
 if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
-    cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_87_ipd" OFF)
     cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_87" OFF)
 endif()
 endif()

.github/workflows/linux.yml

@@ -138,7 +138,7 @@ jobs:
           path: build/*.deb
       - name: Check STD algorithm and alias
         if: matrix.name == 'jammy-std-openssl3'
-        run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44-ipd:\n    isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n    isnull: false"'
+        run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44:\n    isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n    isnull: false"'
         working-directory: build
 
   linux_arm_emulated:

README.md

@@ -40,7 +40,7 @@ Details on each supported algorithm can be found in the [docs/algorithms](https:
 
 The list below indicates all algorithms currently supported by liboqs, including experimental algorithms and already excluding algorithm variants pruned during the NIST competition, such as Kyber-90s or Dilithium-AES.
 
-The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/ipd) (initial public draft) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes. For users interested in explicitly selecting the current "proposed draft standard" code, the variants with the suffix "-ipd" are made available. At this stage, "ml-dsa-ipd" and "ml-dsa" are functionally equivalent, denoted by the "alias" moniker below.
+The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/final) (final standard) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes.
 
 Falcon and SPHINCS+ have also been [selected for standardization](https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022), but the `liboqs` implementations of these algorithms are currently tracking Round 3 submissions and not NIST standards drafts.
 
@@ -65,7 +65,7 @@ All names other than `ML-KEM` and `ML-DSA` are subject to change. `liboqs` makes
 - **CRYSTALS-Dilithium**: Dilithium2, Dilithium3, Dilithium5
 - **Falcon**: Falcon-512, Falcon-1024, Falcon-padded-512, Falcon-padded-1024
 - **MAYO**: MAYO-1, MAYO-2, MAYO-3, MAYO-5†
-- **ML-DSA**: ML-DSA-44-ipd (alias: ML-DSA-44), ML-DSA-65-ipd (alias: ML-DSA-65), ML-DSA-87-ipd (alias: ML-DSA-87)
+- **ML-DSA**: ML-DSA-44, ML-DSA-65, ML-DSA-87
 - **SPHINCS+-SHA2**: SPHINCS+-SHA2-128f-simple, SPHINCS+-SHA2-128s-simple, SPHINCS+-SHA2-192f-simple, SPHINCS+-SHA2-192s-simple, SPHINCS+-SHA2-256f-simple, SPHINCS+-SHA2-256s-simple
 - **SPHINCS+-SHAKE**: SPHINCS+-SHAKE-128f-simple, SPHINCS+-SHAKE-128s-simple, SPHINCS+-SHAKE-192f-simple, SPHINCS+-SHAKE-192s-simple, SPHINCS+-SHAKE-256f-simple, SPHINCS+-SHAKE-256s-simple
 <!--- OQS_TEMPLATE_FRAGMENT_LIST_SIGS_END -->

docs/algorithms/sig/ml_dsa.md

@@ -4,22 +4,22 @@
 - **Main cryptographic assumption**: hardness of lattice problems over module lattices.
 - **Principal submitters**: Vadim Lyubashevsky.
 - **Auxiliary submitters**: Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Peter Schwabe, Gregor Seiler, Damien Stehlé.
-- **Authors' website**: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/ipd
-- **Specification version**: ML-DSA-ipd.
+- **Authors' website**: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/final
+- **Specification version**: ML-DSA.
 - **Primary Source**<a name="primary-source"></a>:
-  - **Source**: https://github.com/pq-crystals/dilithium/commit/e7bed6258b9a3703ce78d4ec38021c86382ce31c with copy_from_upstream patches
+  - **Source**: https://github.com/pq-crystals/dilithium/commit/cbcd8753a43402885c90343cd6335fb54712cda1 with copy_from_upstream patches
   - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
 
 
 ## Parameter set summary
 
 |  Parameter set  | Parameter set alias   | Security model   |   Claimed NIST Level |   Public key size (bytes) |   Secret key size (bytes) |   Signature size (bytes) |
 |:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
-|  ML-DSA-44-ipd  | ML-DSA-44             | EUF-CMA          |                    2 |                      1312 |                      2560 |                     2420 |
-|  ML-DSA-65-ipd  | ML-DSA-65             | EUF-CMA          |                    3 |                      1952 |                      4032 |                     3309 |
-|  ML-DSA-87-ipd  | ML-DSA-87             | EUF-CMA          |                    5 |                      2592 |                      4896 |                     4627 |
+|    ML-DSA-44    | NA                    | EUF-CMA          |                    2 |                      1312 |                      2560 |                     2420 |
+|    ML-DSA-65    | NA                    | EUF-CMA          |                    3 |                      1952 |                      4032 |                     3309 |
+|    ML-DSA-87    | NA                    | EUF-CMA          |                    5 |                      2592 |                      4896 |                     4627 |
 
-## ML-DSA-44-ipd implementation characteristics
+## ML-DSA-44 implementation characteristics
 
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?‡   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
@@ -30,7 +30,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
  ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
 
-## ML-DSA-65-ipd implementation characteristics
+## ML-DSA-65 implementation characteristics
 
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
@@ -39,7 +39,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
 Are implementations chosen based on runtime CPU feature detection? **Yes**.
 
-## ML-DSA-87-ipd implementation characteristics
+## ML-DSA-87 implementation characteristics
 
 |       Implementation source       | Identifier in upstream   | Supported architecture(s)   | Supported operating system(s)   | CPU extension(s) used   | No branching-on-secrets claimed?   | No branching-on-secrets checked by valgrind?   | Large stack usage?   |
 |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|

docs/algorithms/sig/ml_dsa.yml

@@ -12,15 +12,14 @@ auxiliary-submitters:
 - Damien Stehlé
 crypto-assumption: hardness of lattice problems over module lattices
 website: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/ipd
-nist-round: ipd
-spec-version: ML-DSA-ipd
+nist-round: FIPS204
+spec-version: ML-DSA
 primary-upstream:
-  source: https://github.com/pq-crystals/dilithium/commit/e7bed6258b9a3703ce78d4ec38021c86382ce31c
+  source: https://github.com/pq-crystals/dilithium/commit/cbcd8753a43402885c90343cd6335fb54712cda1
     with copy_from_upstream patches
   spdx-license-identifier: CC0-1.0 or Apache-2.0
 parameter-sets:
-- name: ML-DSA-44-ipd
-  alias: ML-DSA-44
+- name: ML-DSA-44
   claimed-nist-level: 2
   claimed-security: EUF-CMA
   length-public-key: 1312
@@ -51,8 +50,7 @@ parameter-sets:
     no-secret-dependent-branching-claimed: true
     no-secret-dependent-branching-checked-by-valgrind: true
     large-stack-usage: false
-- name: ML-DSA-65-ipd
-  alias: ML-DSA-65
+- name: ML-DSA-65
   claimed-nist-level: 3
   claimed-security: EUF-CMA
   length-public-key: 1952
@@ -83,8 +81,7 @@ parameter-sets:
     no-secret-dependent-branching-claimed: true
     no-secret-dependent-branching-checked-by-valgrind: true
     large-stack-usage: false
-- name: ML-DSA-87-ipd
-  alias: ML-DSA-87
+- name: ML-DSA-87
   claimed-nist-level: 5
   claimed-security: EUF-CMA
   length-public-key: 2592

docs/cbom.json

@@ -1,23 +1,23 @@
 {
   "bomFormat": "CBOM",
   "specVersion": "1.4-cbom-1.0",
-  "serialNumber": "urn:uuid:b953d460-1246-4cbb-aff9-642a0308d18b",
+  "serialNumber": "urn:uuid:8ab32dcc-f97b-480a-840f-7aa14563ad9c",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-08-26T18:04:44.668645",
+    "timestamp": "2024-09-10T11:25:43.713773",
     "component": {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01",
       "name": "liboqs",
-      "version": "062e793edf54cbc1073b54d0689795063fd41910"
+      "version": "b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01"
     }
   },
   "components": [
     {
       "type": "library",
-      "bom-ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910",
+      "bom-ref": "pkg:github/open-quantum-safe/liboqs@b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01",
       "name": "liboqs",
-      "version": "062e793edf54cbc1073b54d0689795063fd41910"
+      "version": "b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01"
     },
     {
       "type": "crypto-asset",
@@ -2501,12 +2501,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-DSA-44-ipd:generic",
+      "bom-ref": "alg:ML-DSA-44:generic",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-DSA-44-ipd",
+          "variant": "ML-DSA-44",
           "primitive": "signature",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -2521,12 +2521,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-DSA-44-ipd:x86_64",
+      "bom-ref": "alg:ML-DSA-44:x86_64",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-DSA-44-ipd",
+          "variant": "ML-DSA-44",
           "primitive": "signature",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -2541,12 +2541,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-DSA-65-ipd:generic",
+      "bom-ref": "alg:ML-DSA-65:generic",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-DSA-65-ipd",
+          "variant": "ML-DSA-65",
           "primitive": "signature",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -2561,12 +2561,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-DSA-65-ipd:x86_64",
+      "bom-ref": "alg:ML-DSA-65:x86_64",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-DSA-65-ipd",
+          "variant": "ML-DSA-65",
           "primitive": "signature",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -2581,12 +2581,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-DSA-87-ipd:generic",
+      "bom-ref": "alg:ML-DSA-87:generic",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-DSA-87-ipd",
+          "variant": "ML-DSA-87",
           "primitive": "signature",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -2601,12 +2601,12 @@
     },
     {
       "type": "crypto-asset",
-      "bom-ref": "alg:ML-DSA-87-ipd:x86_64",
+      "bom-ref": "alg:ML-DSA-87:x86_64",
       "name": "ML-DSA",
       "cryptoProperties": {
         "assetType": "algorithm",
         "algorithmProperties": {
-          "variant": "ML-DSA-87-ipd",
+          "variant": "ML-DSA-87",
           "primitive": "signature",
           "implementationLevel": "softwarePlainRam",
           "cryptoFunctions": [
@@ -3128,7 +3128,7 @@
   ],
   "dependencies": [
     {
-      "ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910",
+      "ref": "pkg:github/open-quantum-safe/liboqs@b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01",
       "dependsOn": [
         "alg:BIKE-L1:x86_64",
         "alg:BIKE-L3:x86_64",
@@ -3254,12 +3254,12 @@
         "alg:MAYO-3:x86_64",
         "alg:MAYO-5:generic",
         "alg:MAYO-5:x86_64",
-        "alg:ML-DSA-44-ipd:generic",
-        "alg:ML-DSA-44-ipd:x86_64",
-        "alg:ML-DSA-65-ipd:generic",
-        "alg:ML-DSA-65-ipd:x86_64",
-        "alg:ML-DSA-87-ipd:generic",
-        "alg:ML-DSA-87-ipd:x86_64",
+        "alg:ML-DSA-44:generic",
+        "alg:ML-DSA-44:x86_64",
+        "alg:ML-DSA-65:generic",
+        "alg:ML-DSA-65:x86_64",
+        "alg:ML-DSA-87:generic",
+        "alg:ML-DSA-87:x86_64",
         "alg:SPHINCS+-SHA2-128f-simple:generic",
         "alg:SPHINCS+-SHA2-128f-simple:x86_64",
         "alg:SPHINCS+-SHA2-128s-simple:generic",
@@ -4166,42 +4166,42 @@
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-DSA-44-ipd:generic",
+      "ref": "alg:ML-DSA-44:generic",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-DSA-44-ipd:x86_64",
+      "ref": "alg:ML-DSA-44:x86_64",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-DSA-65-ipd:generic",
+      "ref": "alg:ML-DSA-65:generic",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-DSA-65-ipd:x86_64",
+      "ref": "alg:ML-DSA-65:x86_64",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-DSA-87-ipd:generic",
+      "ref": "alg:ML-DSA-87:generic",
       "dependsOn": [
         "alg:sha3"
       ],
       "dependencyType": "uses"
     },
     {
-      "ref": "alg:ML-DSA-87-ipd:x86_64",
+      "ref": "alg:ML-DSA-87:x86_64",
       "dependsOn": [
         "alg:sha3"
       ],