Add ML-DSA Signing Implementation#596
Conversation
Implement ML-DSA (FIPS 204) post-quantum cryptographic signatures for model signing, providing quantum-resistant security. This adds complete CLI integration, password-protected key encryption, and comprehensive testing infrastructure. ML-DSA (Module Lattice Digital Signature Algorithm) is a NIST- standardized post-quantum signature scheme that provides security against both classical and quantum computer attacks. This implementation supports all three security levels (ML_DSA_44, ML_DSA_65, ML_DSA_87) corresponding to NIST security levels 2, 3, and 5. The implementation addresses the need for long-term security in model signing as quantum computers become more capable. While ML-DSA signatures are larger than traditional ECDSA signatures (~3-5KB vs ~70 bytes), this is an acceptable tradeoff for quantum resistance. Core Implementation: - Add sign_ml_dsa.py module with Signer and Verifier classes - Implement AES-256-GCM encryption for private key protection - Add PBKDF2-HMAC-SHA256 key derivation (100,000 iterations) - Auto-detect encrypted vs raw private keys - Support all three ML-DSA security variants (44/65/87) CLI Integration: - Add 'sign ml-dsa' command with --password and --variant options - Add 'verify ml-dsa' command with variant support - Integrate with existing ignore-paths and hashing config Key Management: - Add ml_dsa_key_tool.py utility for key encryption/decryption - Support encrypted key format with 56-byte overhead - Provide key verification functionality Testing: - Add 7 integration tests in api_test.py covering all scenarios - Add 8 CLI tests in cli_ml_dsa_test.py - Add shell test scripts for all variants and version compatibility - Generate test keys and pre-signed test data - Achieve 100% test pass rate across all test suites Documentation: - Add ml_dsa_examples.md with 750+ line comprehensive guide - Add ml_dsa_implementation.md with technical details - Add ml_dsa_testing.md for test infrastructure - Update README.md with post-quantum cryptography section - Document password protection and security levels Files Added: - src/model_signing/_signing/sign_ml_dsa.py (391 lines) - tests/cli_ml_dsa_test.py (427 lines, 8 tests) - tests/_signing/sign_ml_dsa_test.py - scripts/ml_dsa_key_tool.py (180 lines) - scripts/tests/test-sign-verify-ml-dsa.sh (176 lines) - scripts/tests/test-verify-v1.1.0-ml-dsa.sh - docs/ml_dsa_examples.md (750+ lines) - docs/ml_dsa_implementation.md - docs/ml_dsa_testing.md - scripts/tests/keys/ml-dsa/ (test keys) - scripts/tests/v1.1.0-ml-dsa/ (test data) Files Modified: - src/model_signing/_cli.py (+161 lines) - src/model_signing/signing.py (add use_ml_dsa_signer) - src/model_signing/verifying.py (add use_ml_dsa_verifier) - tests/api_test.py (+270 lines, TestMLDSASigning class) - README.md (add post-quantum section) - scripts/tests/test-sign-verify-allversions.sh (add ML-DSA) Dependencies: - dilithium-py: ML-DSA implementation - cryptography: AES-GCM encryption Breaking Changes: None - purely additive changes Performance Impact: ML-DSA signatures are larger (2-5KB) and slower to generate/verify than ECDSA, but provide quantum resistance. Security Notes: - Private keys can be encrypted with AES-256-GCM - Key derivation uses PBKDF2 with 100,000 iterations - Signature sizes: ML_DSA_44 (~2.4KB), ML_DSA_65 (~3.3KB), ML_DSA_87 (~4.6KB) Signed-off-by: chungrae.kim <[email protected]>
Signed-off-by: chungrae.kim <[email protected]>
|
@sigstore/model-transparency-codeowners |
pqc package install for cli test Signed-off-by: bbug96-crkim <[email protected]>
|
Sorry for coming late to these. You need to add a "Signed-off-by" line to each commit to pass the DCO check. Will review once the commits are amended and squashed |
|
Hey, thanks for the PR. I'm not going to chime in on the code itself, but rather PQC in the Sigstore ecosystem and more generally adoption of it in tooling. When it comes to PQC adoption, we have to take a step back and ask why now. Quantum confidentiality, where data that is encrypted now can be decrypted later (e.g. save-now-decrypt-later attacks on TLS), is a critical use case, and one that's solved by the adoption of ML-KEM. This isn't something that affects digital signing applications though. Quantum integrity/authenticity, e.g. forging a signature, is what ML-DSA supports, but ecosystems can more quickly mitigate this threat simply by rejecting classical crypto algorithms. With quantum integrity, cryptographic algorithm agility, being able to adopt new algorithms on a short timeline, is what's more important than actually adopting the new algorithm. If you're selling software to the gov't or you have a signature that can never be updated (e.g. firmware), then a more tight timeline for adoption makes sense, but we're still talking by 2030, not immediately. For Sigstore, we've published a blog post that discusses the community's thoughts on how we should go about adopting PQC algorithms. The short answer is we'd like to follow NIST guidance and avoid making decisions now (as in, not baking in algorithm choices into clients that we'll have to support indefinitely), while also still encouraging experimentation. Sigstore also needs to figure out how to support PQC in the infrastructure, not just the clients. We can't just replace ECDSA with ML-DSA as the infrastructure storage costs would balloon. It looks like this PR is meant to simply add an alternative rather than integrate ML-DSA into existing parts of the codebase. For what it's worth, I think this is the right way to do it at the moment, but I don't see a reason this should be added to the codebase as that suggests that this is the community's recommended approach to PQC. As the Sigstore ecosystem begins to adopt PQC, then this library can adopt PQC as well, likely indirectly through sigstore-python. For now, experimenting in a fork seems reasonable. This PR also requires installing https://github.com/GiacomoPope/dilithium-py, which has a giant red warning: " |
|
Going to close this, based on Hayden's comments and waiting for Sigstore support first, rather than getting a separate library |
3 participants
Description
This PR implements ML-DSA (Module Lattice Digital Signature Algorithm) post-quantum cryptographic signatures for model signing, providing quantum-resistant security standardized as NIST FIPS 204. Additionally, it includes documentation cleanup to fix broken links and remove redundant files.
Motivation
As quantum computing advances, traditional cryptographic signatures (like ECDSA) will become vulnerable to attacks. ML-DSA provides quantum-resistant security for long-term model integrity protection (10+ years). This implementation ensures that models signed today will remain verifiable even in a post-quantum era.
Problems Solved
Changes Made
Core Features (Commit 4caedff)
Documentation Cleanup (Commit 0023a82)
Breaking Changes
None - this is a purely additive feature. Existing ECDSA and Sigstore signing methods remain unchanged.
Performance Notes
Checklist
Added
model_signing sign ml-dsaandmodel_signing verify ml-dsacommands with password protection support.scripts/ml_dsa_key_tool.pyfor encrypting, decrypting, and verifying ML-DSA keys.use_ml_dsa_signer()anduse_ml_dsa_verifier()methods tosigning.Configandverifying.Configclasses.[pqc]extra for post-quantum cryptography support (dilithium-py).Fixed
/publications/detail/to/pubs/URL structure).ml_dsa_key_tool.pysource path resolution for correct module imports.Changed
ml_dsa_implementation.md,ml_dsa_testing.md) to streamline documentation.Documentation
docs/ml_dsa_examples.md) with 750+ lines covering all use cases.Dependencies: