From: Eric Biggers <ebiggers@kernel.org>
To: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Daniel Gomez <da.gomez@kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Ard Biesheuvel <ardb@kernel.org>,
Stephan Mueller <smueller@chronox.de>,
Lukas Wunner <lukas@wunner.de>,
Ignat Korchagin <ignat@cloudflare.com>,
linux-crypto@vger.kernel.org, keyrings@vger.kernel.org,
linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v9 2/9] crypto: Add ML-DSA/Dilithium verify support
Date: Mon, 17 Nov 2025 09:10:03 -0800 [thread overview]
Message-ID: <20251117171003.GC1584@sol> (raw)
In-Reply-To: <20251117145606.2155773-3-dhowells@redhat.com>
On Mon, Nov 17, 2025 at 02:55:51PM +0000, David Howells wrote:
> lib/crypto/Kconfig | 1 +
> lib/crypto/Makefile | 2 +
> lib/crypto/mldsa/Kconfig | 29 ++
> lib/crypto/mldsa/Makefile | 20 +
> lib/crypto/mldsa/crypto_mldsa_44.c | 166 ++++++++
> lib/crypto/mldsa/crypto_mldsa_65.c | 166 ++++++++
> lib/crypto/mldsa/crypto_mldsa_87.c | 166 ++++++++
> lib/crypto/mldsa/dilithium.h | 304 ++++++++++++++
> lib/crypto/mldsa/dilithium_44.c | 33 ++
> lib/crypto/mldsa/dilithium_44.h | 291 ++++++++++++++
> lib/crypto/mldsa/dilithium_65.c | 33 ++
> lib/crypto/mldsa/dilithium_65.h | 291 ++++++++++++++
> lib/crypto/mldsa/dilithium_87.c | 33 ++
> lib/crypto/mldsa/dilithium_87.h | 291 ++++++++++++++
> lib/crypto/mldsa/dilithium_common.c | 117 ++++++
> lib/crypto/mldsa/dilithium_debug.h | 49 +++
> lib/crypto/mldsa/dilithium_ntt.c | 89 +++++
> lib/crypto/mldsa/dilithium_ntt.h | 35 ++
> lib/crypto/mldsa/dilithium_pack.h | 119 ++++++
> lib/crypto/mldsa/dilithium_poly.c | 377 ++++++++++++++++++
> lib/crypto/mldsa/dilithium_poly.h | 181 +++++++++
> lib/crypto/mldsa/dilithium_poly_c.h | 141 +++++++
> lib/crypto/mldsa/dilithium_poly_common.h | 35 ++
> lib/crypto/mldsa/dilithium_polyvec.h | 343 ++++++++++++++++
> lib/crypto/mldsa/dilithium_polyvec_c.h | 81 ++++
> lib/crypto/mldsa/dilithium_reduce.h | 85 ++++
> lib/crypto/mldsa/dilithium_rounding.c | 128 ++++++
> lib/crypto/mldsa/dilithium_service_helpers.h | 99 +++++
> lib/crypto/mldsa/dilithium_signature_c.c | 279 +++++++++++++
> lib/crypto/mldsa/dilithium_signature_c.h | 37 ++
> lib/crypto/mldsa/dilithium_signature_impl.h | 370 +++++++++++++++++
> lib/crypto/mldsa/dilithium_type.h | 108 +++++
> lib/crypto/mldsa/dilithium_zetas.c | 68 ++++
> .../mldsa/signature_domain_separation.c | 204 ++++++++++
> .../mldsa/signature_domain_separation.h | 30 ++
> 35 files changed, 4801 insertions(+)
Over the past week I've been starting to review this massive addition.
I don't think this is on the right track. This implementation is really
messy, with lots of unused functionality and unnecessary abstractions,
and code that doesn't follow kernel conventions.
In comparison, BoringSSL has an entire implementation of ML-DSA,
*including key generation and signing*, in a bit over 3000 lines in one
file. But about half of that code is specific to key generation or
signing, which the kernel doesn't need, so in principle
verification-only shouldn't be much more than a thousand. I find it to
be much easier to understand than leancrypto as well.
Historically we've had a lot of problems with people integrating code
from external sources into the kernel, like mpi, with properly "owning"
it because they feel like it's not their code and someone else is
responsible. I feel like that's going to be a big problem here.
I think we can do better here and put together a smaller implementation
for the kernel that we'll actually be able to maintain.
- Eric
next prev parent reply other threads:[~2025-11-17 17:11 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-17 14:55 [PATCH v9 0/9] lib/crypto: Add ML-DSA signing David Howells
2025-11-17 14:55 ` [PATCH v9 1/9] crypto: Add support for shake256 through crypto_shash David Howells
2025-11-17 16:50 ` Eric Biggers
2025-11-17 14:55 ` [PATCH v9 2/9] crypto: Add ML-DSA/Dilithium verify support David Howells
2025-11-17 17:10 ` Eric Biggers [this message]
2025-11-17 19:52 ` David Howells
2025-11-17 20:05 ` David Howells
2025-11-17 20:12 ` Eric Biggers
2025-11-19 3:59 ` Eric Biggers
2025-11-19 14:20 ` David Howells
2025-11-17 20:19 ` James Bottomley
2025-11-18 8:39 ` David Howells
2025-11-18 12:59 ` James Bottomley
2025-11-25 10:10 ` Ignat Korchagin
2025-11-25 20:24 ` Eric Biggers
2025-11-25 20:51 ` Ignat Korchagin
2025-11-21 1:37 ` Eric Biggers
2025-11-25 4:10 ` Eric Biggers
2025-11-25 8:32 ` Stephan Müller
2025-11-17 14:55 ` [PATCH v9 3/9] mldsa: Add a simpler API David Howells
2025-11-17 14:55 ` [PATCH v9 4/9] crypto: Add ML-DSA-44 pure rejection test vectors as a kunit test David Howells
2025-11-17 14:55 ` [PATCH v9 5/9] crypto: Add ML-DSA-65 " David Howells
2025-11-17 14:55 ` [PATCH v9 6/9] crypto: Add ML-DSA-87 " David Howells
2025-11-17 14:55 ` [PATCH v9 7/9] pkcs7: Allow the signing algo to calculate the digest itself David Howells
2025-11-17 14:55 ` [PATCH v9 8/9] pkcs7, x509: Add ML-DSA support David Howells
2025-11-17 14:55 ` [PATCH v9 9/9] modsign: Enable ML-DSA module signing David Howells
2025-11-17 15:22 ` Pick up keys-pqc branch for linux-next? David Howells
2025-11-17 17:11 ` Eric Biggers
2025-11-20 9:53 ` Stephen Rothwell
2025-11-21 2:48 ` Eric Biggers
2025-11-17 16:01 ` Where to add FIPS tests David Howells
2025-11-17 16:54 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251117171003.GC1584@sol \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=da.gomez@kernel.org \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=mcgrof@kernel.org \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).