Hello,
For an increasing demand, I've created an initial implemention of the
ML-DSA signature scheme for Nettle, which I would like to have any
feedback. The code is available here:
https://git.lysator.liu.se/nettle/nettle/-/merge_requests/68
This is a naive implementation based on Alfred Menezes' lecture[1],
without consulting any other implementation, so aside the caveats
mentioned in the MR description, it might have some issues related to
performance or side-channels; I would appreciate your scrutiny of the
code.
Here are some numbers from the hogweed-benchmark program:
name size sign/s verify/s
rsa 1024 6725.2 148157.5
rsa 2048 1163.2 43674.5
rsa-tr 1024 2821.7 143160.9
rsa-tr 2048 618.4 42589.8
dsa 1024 10826.5 7820.8
ecdsa 192 28974.8 8603.2
ecdsa 224 18453.9 5667.3
ecdsa 256 17528.0 5185.6
ecdsa 384 7443.0 2210.4
ecdsa 521 3831.2 1088.2
eddsa 255 30769.8 7323.7
eddsa 448 8546.7 2356.2
curve 255 31995.1 10698.2
curve 448 9668.1 3395.1
gostdsa 256 16567.5 3551.9
gostdsa 512 4176.5 883.4
slh-dsa-shake-s 128 1.30 1312.91
slh-dsa-shake-f 128 27.01 451.49
slh-dsa-sha2-s 128 5.36 5345.13
slh-dsa-sha2-f 128 110.6 1804.4
ml-dsa-65 15616 450.9 905.5
ml-dsa-87 20736 130.3 604.3
Footnotes:
[1] https://cryptography101.ca/kyber-dilithium/
Regards,
--
Daiki Ueno
