Open Source and information security mailing list archives
Message-ID: <A7135B59-BAB5-451E-AD71-971F828054F0@amazon.co.uk>
Date: Sat, 29 Nov 2025 20:00:17 +0000
From: "Becker, Hanno" <beckphan@...zon.co.uk>
To: Eric Biggers <ebiggers@...nel.org>
CC: "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>, "David
 Howells" <dhowells@...hat.com>, Herbert Xu <herbert@...dor.apana.org.au>,
	"Luis Chamberlain" <mcgrof@...nel.org>, Petr Pavlu <petr.pavlu@...e.com>,
	"Daniel Gomez" <da.gomez@...nel.org>, Sami Tolvanen
	<samitolvanen@...gle.com>, "Jason A . Donenfeld" <Jason@...c4.com>, Ard
 Biesheuvel <ardb@...nel.org>, "Stephan Mueller" <smueller@...onox.de>, Lukas
 Wunner <lukas@...ner.de>, "Ignat Korchagin" <ignat@...udflare.com>,
	"keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
	"linux-modules@...r.kernel.org" <linux-modules@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"matthias@...nwischer.eu" <matthias@...nwischer.eu>
Subject: Re: [PATCH 1/4] lib/crypto: Add ML-DSA verification support

It looks like this may be close, but for the record:

The LF has a dedicated project for ML-DSA: https://github.com/pq-code-package/mldsa-native (part of the Post-Quantum Cryptography Alliance). It's derived from the reference implementation and adds automatically verified memory-safety + type-safety (= bounds-tracking) and a uniform backend interface for assembly optimizations; see the README for more details. It's licensed under Apache-2.0 OR MIT OR ISC.

If you are sure that the kernel will never need sign/keygen support, or support for optimized assembly, the current ad-hoc patch may be fine. Otherwise, the challenges are likely just delayed, e.g. how to safely re-use parts of the current code for the timing-sensitive signing, or in contexts with other bounds assumptions, or how to integrate assembly optimizations. It may not seem so, but this is difficult to get right and where maintainability gets challenging.

Verification here is a vehicle for maintainability: If you change any arithmetic code -- say you decide to do less modular reduction for performance -- you currently need very careful review that the bounds still check out in the worst case. In mldsa-native, this is re-checked automatically.

mldsa-native is production-ready and in the process of being integrated into Amazon's AWS-LC crypto library; the sibling project mlkem-native https://github.com/pq-code-package/mlkem-native already has been. mldsa-native is not yet a drop-in for the kernel, however. At the least, memory usage needs to be brought down and allocation be made flexible. We're working on it, and if the kernel community was interested in it, it'd give impetus to accelerate the work.

This is just so you're aware. If mldsa-native is of interest, let us know -- it would be great to collaborate across the LF instead of duplicating efforts.

Thanks,
Hanno & Matthias (maintainers of mldsa-native)
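As an added illustration (not from this thread, the patch under discussion, or mldsa-native) of the worst-case bounds reasoning the reply describes, here is the ML-DSA reference implementation's signed reduction reduce32 in C, with its output bound derived by hand and checked at every bucket boundary, plus a helper for the "less modular reduction" case. The names reduce32_bound_holds and max_lazy_terms are hypothetical helpers chosen here, and the only ML-DSA constant used is q = 8380417.

```c
#include <stdbool.h>
#include <stdint.h>

#define MLDSA_Q 8380417  /* ML-DSA modulus q = 2^23 - 2^13 + 1 */
/* reduce32 needs a + 2^22 not to overflow: a <= 2^31 - 2^22 - 1 */
#define REDUCE32_IN_MAX ((int32_t)(INT32_MAX - (1 << 22)))
/* Output bound derived in the comment on reduce32_bound_holds() */
#define REDUCE32_OUT_BOUND (((int32_t)1 << 22) + 255 * ((1 << 13) - 1))  /* 6283009 */

/* Signed reduction following the reference implementation's reduce32:
 * t = round(a / 2^23) via an arithmetic right shift, r = a - t*q, so
 * r == a (mod q). Relies on >> of a negative int32 being arithmetic, as
 * the reference code does. */
int32_t reduce32(int32_t a)
{
    int32_t t = (a + (1 << 22)) >> 23;
    return a - t * MLDSA_Q;
}

/* Worst-case bound argument. With q = 2^23 - c, c = 2^13 - 1:
 *   r = (a - t*2^23) + t*c,  a - t*2^23 in [-2^22, 2^22),  t in [-256, 255]
 * so |r| <= 2^22 + 255*c = REDUCE32_OUT_BOUND. For fixed t, r grows with a,
 * so the extremes within each "bucket" of inputs sharing one t are at the
 * bucket ends; checking both ends of all 512 buckets covers every input. */
bool reduce32_bound_holds(void)
{
    for (int32_t t = -256; t <= 255; t++) {
        int64_t lo = (int64_t)t * (1 << 23) - (1 << 22);      /* first a with this t */
        int64_t hi = (int64_t)t * (1 << 23) + (1 << 22) - 1;  /* last a with this t */
        if (lo < INT32_MIN) lo = INT32_MIN;
        if (hi > REDUCE32_IN_MAX) hi = REDUCE32_IN_MAX;
        /* sanity: both ends must really round to t, else the bucket math is off */
        if ((((int32_t)lo + (1 << 22)) >> 23) != t) return false;
        if ((((int32_t)hi + (1 << 22)) >> 23) != t) return false;
        if (reduce32((int32_t)lo) < -REDUCE32_OUT_BOUND) return false;
        if (reduce32((int32_t)hi) > REDUCE32_OUT_BOUND) return false;
    }
    return true;
}

/* "Less reduction" check: how many values with |x| <= per_term can be
 * summed without any intermediate reduction and still be a valid reduce32
 * input? Any change to that lazy-accumulation count must re-run this. */
int max_lazy_terms(int32_t per_term)
{
    return per_term > 0 ? (int)(REDUCE32_IN_MAX / per_term) : 0;
}
```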
