botan icon indicating copy to clipboard operation
botan copied to clipboard
verified publisher icon randombit

ML-DSA private key encoding format has changed

Open strongX509 opened this issue 5 months ago • 2 comments

Starting with draft-ietf-lamps-dilithium-certificates-09 dated May 7 2025, the ML-DSA private key format changed to

ML-DSA-44-PrivateKey ::= CHOICE {
  seed [0] OCTET STRING (SIZE (32)),
  expandedKey OCTET STRING (SIZE (2560)),
  both SEQUENCE {
      seed OCTET STRING (SIZE (32)),
      expandedKey OCTET STRING (SIZE (2560))
      }
  }

ML-DSA-65-PrivateKey ::= CHOICE {
  seed [0] OCTET STRING (SIZE (32)),
  expandedKey OCTET STRING (SIZE (4032)),
  both SEQUENCE {
      seed OCTET STRING (SIZE (32)),
      expandedKey OCTET STRING (SIZE (4032))
      }
  }

ML-DSA-87-PrivateKey ::= CHOICE {
  seed [0] OCTET STRING (SIZE (32)),
  expandedKey OCTET STRING (SIZE (4896)),
  both SEQUENCE {
      seed OCTET STRING (SIZE (32)),
      expandedKey OCTET STRING (SIZE (4896))
      }
  }

Thus since Botan currently supports the keyseed format only, an ASN.1 CONTEXT 0 tag has to be inserted after the ASN.1 OCTET STRING tag of the PKCS#8 private key encoding. When will this change of the encoding be supported by Botan library?

strongX509 avatar Jul 18 '25 10:07 strongX509

Thanks for the ping on this! Our next release is just around the corner. We'll see whether we can still make it for that.

reneme avatar Jul 21 '25 08:07 reneme

For the record: Currently, there is an ongoing tender from BSI (Projekt 663 - partially in German) that explixitly requests the implementation of draft-ietf-lamps-dilithium-certificates among other things.

Whoever wins this tender, should likely implement this in the coming months.

reneme avatar Sep 15 '25 16:09 reneme