164edcceaSEric Biggers /* SPDX-License-Identifier: GPL-2.0-or-later */ 264edcceaSEric Biggers /* 364edcceaSEric Biggers * Support for verifying ML-DSA signatures 464edcceaSEric Biggers * 564edcceaSEric Biggers * Copyright 2025 Google LLC 664edcceaSEric Biggers */ 764edcceaSEric Biggers #ifndef _CRYPTO_MLDSA_H 864edcceaSEric Biggers #define _CRYPTO_MLDSA_H 964edcceaSEric Biggers 1064edcceaSEric Biggers #include <linux/types.h> 1164edcceaSEric Biggers 1264edcceaSEric Biggers /* Identifier for an ML-DSA parameter set */ 1364edcceaSEric Biggers enum mldsa_alg { 1464edcceaSEric Biggers MLDSA44, /* ML-DSA-44 */ 1564edcceaSEric Biggers MLDSA65, /* ML-DSA-65 */ 1664edcceaSEric Biggers MLDSA87, /* ML-DSA-87 */ 1764edcceaSEric Biggers }; 1864edcceaSEric Biggers 1964edcceaSEric Biggers /* Lengths of ML-DSA public keys and signatures in bytes */ 2064edcceaSEric Biggers #define MLDSA44_PUBLIC_KEY_SIZE 1312 2164edcceaSEric Biggers #define MLDSA65_PUBLIC_KEY_SIZE 1952 2264edcceaSEric Biggers #define MLDSA87_PUBLIC_KEY_SIZE 2592 2364edcceaSEric Biggers #define MLDSA44_SIGNATURE_SIZE 2420 2464edcceaSEric Biggers #define MLDSA65_SIGNATURE_SIZE 3309 2564edcceaSEric Biggers #define MLDSA87_SIGNATURE_SIZE 4627 2664edcceaSEric Biggers 2764edcceaSEric Biggers /** 2864edcceaSEric Biggers * mldsa_verify() - Verify an ML-DSA signature 2964edcceaSEric Biggers * @alg: The ML-DSA parameter set to use 3064edcceaSEric Biggers * @sig: The signature 3164edcceaSEric Biggers * @sig_len: Length of the signature in bytes. Should match the 3264edcceaSEric Biggers * MLDSA*_SIGNATURE_SIZE constant associated with @alg, 3364edcceaSEric Biggers * otherwise -EBADMSG will be returned. 3464edcceaSEric Biggers * @msg: The message 3564edcceaSEric Biggers * @msg_len: Length of the message in bytes 3664edcceaSEric Biggers * @pk: The public key 3764edcceaSEric Biggers * @pk_len: Length of the public key in bytes. Should match the 3864edcceaSEric Biggers * MLDSA*_PUBLIC_KEY_SIZE constant associated with @alg, 3964edcceaSEric Biggers * otherwise -EBADMSG will be returned. 4064edcceaSEric Biggers * 4164edcceaSEric Biggers * This verifies a signature using pure ML-DSA with the specified parameter set. 42*ffd42b6dSEric Biggers * The context string is assumed to be empty. This corresponds to FIPS 204 43*ffd42b6dSEric Biggers * Algorithm 3 "ML-DSA.Verify" with the ctx parameter set to the empty string 44*ffd42b6dSEric Biggers * and the lengths of the signature and key given explicitly by the caller. 4564edcceaSEric Biggers * 4664edcceaSEric Biggers * Context: Might sleep 4764edcceaSEric Biggers * 4864edcceaSEric Biggers * Return: 4964edcceaSEric Biggers * * 0 if the signature is valid 5064edcceaSEric Biggers * * -EBADMSG if the signature and/or public key is malformed 5164edcceaSEric Biggers * * -EKEYREJECTED if the signature is invalid but otherwise well-formed 5264edcceaSEric Biggers * * -ENOMEM if out of memory so the validity of the signature is unknown 5364edcceaSEric Biggers */ 5464edcceaSEric Biggers int mldsa_verify(enum mldsa_alg alg, const u8 *sig, size_t sig_len, 5564edcceaSEric Biggers const u8 *msg, size_t msg_len, const u8 *pk, size_t pk_len); 5664edcceaSEric Biggers 5764edcceaSEric Biggers #if IS_ENABLED(CONFIG_CRYPTO_LIB_MLDSA_KUNIT_TEST) 5864edcceaSEric Biggers /* Internal function, exposed only for unit testing */ 5964edcceaSEric Biggers s32 mldsa_use_hint(u8 h, s32 r, s32 gamma2); 6064edcceaSEric Biggers #endif 6164edcceaSEric Biggers 6264edcceaSEric Biggers #endif /* _CRYPTO_MLDSA_H */ 63