No context string input to ML-DSA

[jyao1]

Problem:

VERIFY call stack (no context):

• UnparsedPublicKey::verify(message, signature) — Rust API entry point
• PqdsaVerificationAlgorithm::verify_sig(pub_key, msg, sig) — file: pqdsa/signature.rs line 104
• evp_pkey.verify(msg, None, No_EVP_PKEY_CTX_consumer, signature) — file: pqdsa/signature.rs line 112
• EVP_DigestVerifyInit(md_ctx, pctx, NULL, NULL, pkey) — file: evp_pkey.rs line 447
• EVP_DigestVerify(md_ctx, sig, sig_len, msg, msg_len) — file: evp_pkey.rs line 462
• C code internally calls: ml_dsa_verify(pkey, sig, sig_len, msg, msg_len, context=NULL, context_len=0) — CONTEXT IS MISSING HERE

SIGN call stack (no context):

• PqdsaKeyPair::sign(msg, signature) — Rust API entry point
• self.evp_pkey.sign(msg, None, No_EVP_PKEY_CTX_consumer) — file: pqdsa/key_pair.rs line 198
• EVP_DigestSignInit(md_ctx, pctx, NULL, NULL, pkey) — file: evp_pkey.rs line 329
• EVP_DigestSign(md_ctx, sig, sig_len, msg, msg_len) — file: evp_pkey.rs line 363
• C code internally calls: ml_dsa_sign(pkey, sig, sig_len, msg, msg_len, context=NULL, context_len=0) — CONTEXT IS MISSING HERE

Is there any plan to add context string to RUST API, to align with C API and FIPS 204?

[justsmth]

Hello! You're right that the context string isn't currently plumbed through.

The underlying ML-DSA implementation in AWS-LC accepts context strings at lower levels (pqdsa_sign_message / pqdsa_verify_message both take ctx_string / ctx_string_len parameters), but the EVP layer for PQDSA currently hardcodes NULL for these. It also and doesn't implement the ctrl handler needed for EVP_PKEY_CTX_set_signature_context to work.

aws-lc-rs uses the EVP layer of AWS-LC to access these algorithms. Let me follow up to see when we might support for this to be added to the EVP layer.

[justsmth]

We have a related issue upstream: aws/aws-lc#3077

[jakemas]

Thanks @jyao1 for the request! I've kicked off the work in aws-lc to add it to the EVP layer. Then we can follow up with the aws-lc-rs layer.