xref: /linux/include/crypto/mldsa.h (revision 23b0f90ba871f096474e1c27c3d14f455189d2d9) 
1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /*
3  * Support for verifying ML-DSA signatures
4  *
5  * Copyright 2025 Google LLC
6  */
7 #ifndef _CRYPTO_MLDSA_H
8 #define _CRYPTO_MLDSA_H
9 
10 #include <linux/types.h>
11 
12 /* Identifier for an ML-DSA parameter set */
13 enum mldsa_alg {
14 	MLDSA44, /* ML-DSA-44 */
15 	MLDSA65, /* ML-DSA-65 */
16 	MLDSA87, /* ML-DSA-87 */
17 };
18 
19 /* Lengths of ML-DSA public keys and signatures in bytes */
20 #define MLDSA44_PUBLIC_KEY_SIZE 1312
21 #define MLDSA65_PUBLIC_KEY_SIZE 1952
22 #define MLDSA87_PUBLIC_KEY_SIZE 2592
23 #define MLDSA44_SIGNATURE_SIZE 2420
24 #define MLDSA65_SIGNATURE_SIZE 3309
25 #define MLDSA87_SIGNATURE_SIZE 4627
26 
27 /**
28  * mldsa_verify() - Verify an ML-DSA signature
29  * @alg: The ML-DSA parameter set to use
30  * @sig: The signature
31  * @sig_len: Length of the signature in bytes.  Should match the
32  *	     MLDSA*_SIGNATURE_SIZE constant associated with @alg,
33  *	     otherwise -EBADMSG will be returned.
34  * @msg: The message
35  * @msg_len: Length of the message in bytes
36  * @pk: The public key
37  * @pk_len: Length of the public key in bytes.  Should match the
38  *	    MLDSA*_PUBLIC_KEY_SIZE constant associated with @alg,
39  *	    otherwise -EBADMSG will be returned.
40  *
41  * This verifies a signature using pure ML-DSA with the specified parameter set.
42  * The context string is assumed to be empty.  This corresponds to FIPS 204
43  * Algorithm 3 "ML-DSA.Verify" with the ctx parameter set to the empty string
44  * and the lengths of the signature and key given explicitly by the caller.
45  *
46  * Context: Might sleep
47  *
48  * Return:
49  * * 0 if the signature is valid
50  * * -EBADMSG if the signature and/or public key is malformed
51  * * -EKEYREJECTED if the signature is invalid but otherwise well-formed
52  * * -ENOMEM if out of memory so the validity of the signature is unknown
53  */
54 int mldsa_verify(enum mldsa_alg alg, const u8 *sig, size_t sig_len,
55 		 const u8 *msg, size_t msg_len, const u8 *pk, size_t pk_len);
56 
57 #if IS_ENABLED(CONFIG_CRYPTO_LIB_MLDSA_KUNIT_TEST)
58 /* Internal function, exposed only for unit testing */
59 s32 mldsa_use_hint(u8 h, s32 r, s32 gamma2);
60 #endif
61 
62 #endif /* _CRYPTO_MLDSA_H */
63