sign: Adding SLH-DSA signature#512
Merged
armfazh merged 14 commits intocloudflare:mainfrom Jun 6, 2025
Merged
Conversation
Contributor
Author
|
there is a timeout happening on the ARM build because tests are running in parallel, but it doesn't seems to be related to a failure in the code. |
rozbb
reviewed
Sep 23, 2024
rozbb
left a comment
There was a problem hiding this comment.
This looks great! Almost all my comments are nitpicky bc I didn't have anything else to talk about :)
| } | ||
|
|
||
| // See FIPS 205 -- Section 6.1 -- Algorithm 9 -- Iterative version. | ||
| func (s *statePriv) xmssNodeIter( |
There was a problem hiding this comment.
Similar thing. I had trouble following along with this algorithm, since it differs so much from the paper. Also why is i a parameter at all if it's not a recursive algorithm?
Contributor
Author
There was a problem hiding this comment.
Internally, the index of each node is used as part of the hash parameters. So, i denotes the first index of a sub-tree.
sign/slhdsa/internal.go
Outdated
| defer s.Clear() | ||
|
|
||
| s.forsSign(sig.forsSig, md, addr) | ||
| pkFors := s.forsPkFromSig(md, sig.forsSig, addr) |
There was a problem hiding this comment.
Would it be possible to compute pkFors as a side effect of forsSign? Can save a few hashes if so. Similarly might be able to do this in the htSign function
Contributor
Author
There was a problem hiding this comment.
I've tried to coalesce these functions, but didn't found any savings on the number of hashes.
12020e3 to
32046e4
Compare
32046e4 to
c74a2d3
Compare
Contributor
Author
|
ACVP test vectors updated to v1.1.0.37 |
bwesterb
reviewed
Dec 9, 2024
bwesterb
reviewed
Dec 9, 2024
bwesterb
reviewed
Dec 9, 2024
| addressSizeNonCompressed = 32 | ||
| ) | ||
|
|
||
| type address struct { |
Member
There was a problem hiding this comment.
Might be more efficient with respect to allocations to use [32]byte as address type.
Contributor
Author
There was a problem hiding this comment.
I tried that but didn't see any postive effect on allocs.
bwesterb
reviewed
Dec 9, 2024
bwesterb
reviewed
Dec 9, 2024
bwesterb
approved these changes
Dec 9, 2024
Passes Test vectors from ACVP for internal functions.
a91ad61 to
5e2385c
Compare
bwesterb
approved these changes
Feb 21, 2025
|
Hi, thanks for adding support for SLH-DSA. Is there anything else that needs to happen before this can be merged? Today, we are using liboqs bindings today in our GO code, but prefer GO direct implementation over native code (in C) to de-risk any unexpected memory issues. From GO dev group, the support for ML-DSA and SLH-DSA is not planned anytime soon (none this year), hence we are looking for alternate options to improve memory safety. |
|
Thanks for merging! |
arthurzam
pushed a commit
to gentoo-golang-dist/forgejo-runner
that referenced
this pull request
Mar 12, 2026
…1418) This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/cloudflare/circl](https://github.com/cloudflare/circl) | `v1.6.1` -> `v1.6.3` |  |  | --- ### CIRCL has an incorrect calculation in secp384r1 CombinedMult [CVE-2026-1229](https://nvd.nist.gov/vuln/detail/CVE-2026-1229) / [GHSA-q9hv-hpm4-hj6x](GHSA-q9hv-hpm4-hj6x) <details> <summary>More information</summary> #### Details The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in **[v1.6.3](https://github.com/cloudflare/circl/releases/tag/v1.6.3)**. #### Severity - CVSS Score: 2.9 / 10 (Low) - Vector String: `CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber` #### References - [https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x](https://github.com/cloudflare/circl/security/advisories/GHSA-q9hv-hpm4-hj6x) - [https://nvd.nist.gov/vuln/detail/CVE-2026-1229](https://nvd.nist.gov/vuln/detail/CVE-2026-1229) - [https://github.com/cloudflare/circl/pull/583](https://github.com/cloudflare/circl/pull/583) - [https://github.com/cloudflare/circl](https://github.com/cloudflare/circl) - [https://github.com/cloudflare/circl/releases/tag/v1.6.3](https://github.com/cloudflare/circl/releases/tag/v1.6.3) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-q9hv-hpm4-hj6x) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>cloudflare/circl (github.com/cloudflare/circl)</summary> ### [`v1.6.3`](https://github.com/cloudflare/circl/releases/tag/v1.6.3): CIRCL v1.6.3 [Compare Source](cloudflare/circl@v1.6.2...v1.6.3) #### CIRCL v1.6.3 Fix a bug on ecc/p384 scalar multiplication. ##### What's Changed - sign/mldsa: Check opts for nil value by [@​armfazh](https://github.com/armfazh) in [#​582](cloudflare/circl#582) - ecc/p384: Point addition must handle point doubling case. by [@​armfazh](https://github.com/armfazh) in [#​583](cloudflare/circl#583) - Release CIRCL v1.6.3 by [@​armfazh](https://github.com/armfazh) in [#​584](cloudflare/circl#584) **Full Changelog**: <cloudflare/circl@v1.6.2...v1.6.3> ### [`v1.6.2`](https://github.com/cloudflare/circl/releases/tag/v1.6.2): CIRCL v1.6.2 [Compare Source](cloudflare/circl@v1.6.1...v1.6.2) #### CIRCL v1.6.2 - New SLH-DSA, improvements in ML-DSA for arm64. - Tested compilation on WASM. #### What's Changed - Optimize pairing product computation by moving exponentiations to G1. by [@​dfaranha](https://github.com/dfaranha) in [#​547](cloudflare/circl#547) - sign: Adding SLH-DSA signature by [@​armfazh](https://github.com/armfazh) in [#​512](cloudflare/circl#512) - Update code generators to CIRCL v1.6.1. by [@​armfazh](https://github.com/armfazh) in [#​548](cloudflare/circl#548) - ML-DSA: Add preliminary Wycheproof test vectors by [@​bwesterb](https://github.com/bwesterb) in [#​552](cloudflare/circl#552) - go fmt by [@​bwesterb](https://github.com/bwesterb) in [#​554](cloudflare/circl#554) - gz-compressing test vectors, use of HexBytes and ReadGzip functions. by [@​armfazh](https://github.com/armfazh) in [#​555](cloudflare/circl#555) - group: Removes use of elliptic Marshal and Unmarshal functions. by [@​armfazh](https://github.com/armfazh) in [#​556](cloudflare/circl#556) - Support encoding/decoding ML-DSA private keys (as long as they contain seeds) by [@​bwesterb](https://github.com/bwesterb) in [#​559](cloudflare/circl#559) - Update to golangci-lint v2 by [@​bwesterb](https://github.com/bwesterb) in [#​560](cloudflare/circl#560) - Preparation for ARM64 Implementation of poly operations for dilithium package. by [@​elementrics](https://github.com/elementrics) in [#​562](cloudflare/circl#562) - prepare power2Round for custom implementations in assembly by [@​elementrics](https://github.com/elementrics) in [#​564](cloudflare/circl#564) - ARM64 implementation for poly.PackLe16 by [@​elementrics](https://github.com/elementrics) in [#​563](cloudflare/circl#563) - add arm64 version of polyMulBy2toD by [@​elementrics](https://github.com/elementrics) in [#​565](cloudflare/circl#565) - add arm64 version of polySub by [@​elementrics](https://github.com/elementrics) in [#​566](cloudflare/circl#566) - group: add byteLen method for short groups and RandomScalar uses rand.Int by [@​armfazh](https://github.com/armfazh) in [#​568](cloudflare/circl#568) - add arm64 version of poly.Add/Sub by [@​elementrics](https://github.com/elementrics) in [#​572](cloudflare/circl#572) - group: Adding cryptobyte marshaling to scalars by [@​armfazh](https://github.com/armfazh) in [#​569](cloudflare/circl#569) - Bumping up to Go1.25 by [@​armfazh](https://github.com/armfazh) in [#​574](cloudflare/circl#574) - ci: Including WASM compilation. by [@​armfazh](https://github.com/armfazh) in [#​577](cloudflare/circl#577) - Revert to using package-declared HPKE errors for shortkem instead of standard library errors by [@​harshiniwho](https://github.com/harshiniwho) in [#​578](cloudflare/circl#578) - Release v1.6.2 by [@​armfazh](https://github.com/armfazh) in [#​579](cloudflare/circl#579) #### New Contributors - [@​dfaranha](https://github.com/dfaranha) made their first contribution in [#​547](cloudflare/circl#547) - [@​elementrics](https://github.com/elementrics) made their first contribution in [#​562](cloudflare/circl#562) - [@​harshiniwho](https://github.com/harshiniwho) made their first contribution in [#​578](cloudflare/circl#578) **Full Changelog**: <cloudflare/circl@v1.6.1...v1.6.2> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Mi4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTIuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiS2luZC9EZXBlbmRlbmN5VXBkYXRlIiwicnVuLWVuZC10by1lbmQtdGVzdHMiXX0=--> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1418 Reviewed-by: Michael Kriese <michael.kriese@gmx.de> Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This implementation supports the twelve parameter sets approved at FIPS 205
Test vectors match the ones at ACVP-Server version 1.1.0.38. These test vectors target both internal and external functions.
Pure and Prehash-based signatures are supported.
Implementation makes a good effort to avoid heap allocations that usually add a significant overhead.