updated to Pure MLDSA mode with 512-bit input msg (#56)

* updated to Pure MLDSA mode with 512-bit input msg

* MICROSOFT AUTOMATED PIPELINE: Stamp 'mojtaba-pureMLDSA' with updated timestamp and hash after successful run

* MICROSOFT AUTOMATED PIPELINE: Stamp 'mojtaba-pureMLDSA' with updated timestamp and hash after successful run

---------

Co-authored-by: Mojtaba Bisheh Niasar <“mojtabab@microsoft.com”>

.github/workflow_metadata/pr_hash

@@ -1 +1 @@
-a62d2ed013912136edb279a0e805b752fcee6aa58f2d4bf094bd42badde9f48c51cc0b27c58c00db7a6458e1dbfcdcfa
+41b06b124b04e583d0f040b825a4f769f1db7b6d2a1caf2820f12d656c293ba4572c81c43d3e77aa92679b7fe74cd3a1

.github/workflow_metadata/pr_timestamp

@@ -1 +1 @@
-1734034065
+1734046579

src/mldsa_top/rtl/mldsa_ctrl.sv

@@ -834,11 +834,10 @@ always_comb mldsa_privkey_lock = '0;
       end
     end
   end
-
-  //concatenate OID and MSG to make msg prime
-  logic [MSG_NUM_DWORDS-1+4 : 0][DATA_WIDTH-1:0] msg_p_reg;
-
-  always_comb msg_p_reg = {24'h0, msg_reg, PREHASH_OID, 8'h00, 8'h01};
+
+  //pure-MLDSA assuming 512-bit input msg and empty ctx
+  logic [MSG_NUM_DWORDS-1+1 : 0][DATA_WIDTH-1:0] msg_p_reg;
+  always_comb msg_p_reg = {16'h0, msg_reg, 8'h00, 8'h00};
 
   always_comb rho_reg = verifying_process ? publickey_reg.enc.rho : privatekey_reg.enc.rho;
 

src/mldsa_top/rtl/mldsa_seq_prim.sv

@@ -197,7 +197,7 @@ module mldsa_seq_prim
                 MLDSA_SIGN_RND_S+ 2     : data_o_rom <= '{opcode:MLDSA_UOP_LFSR,        imm:'h0000, length:'d00, operand1:MLDSA_NOP,        operand2:MLDSA_NOP, operand3:MLDSA_NOP};
                 //μ ←H(tr||M,512)
                 MLDSA_SIGN_S            : data_o_rom <= '{opcode:MLDSA_UOP_LD_SHAKE256, imm:'h0000, length:'d64, operand1:MLDSA_TR_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
-                MLDSA_SIGN_S+ 1         : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:'d77, operand1:MLDSA_MSG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_MU_REG_ID};
+                MLDSA_SIGN_S+ 1         : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:'d66, operand1:MLDSA_MSG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_MU_REG_ID};
                 //ρ′=Keccak(K||rnd|| μ)
                 MLDSA_SIGN_S+ 2         : data_o_rom <= '{opcode:MLDSA_UOP_LD_SHAKE256, imm:'h0000, length:'d32, operand1:MLDSA_K_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
                 MLDSA_SIGN_S+ 3         : data_o_rom <= '{opcode:MLDSA_UOP_LD_SHAKE256, imm:'h0000, length:'d32, operand1:MLDSA_SIGN_RND_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
@@ -339,7 +339,7 @@ module mldsa_seq_prim
                 MLDSA_VERIFY_H_TR           : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:PUBKEY_NUM_BYTES, operand1:MLDSA_PK_REG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_TR_REG_ID};
                 //μ ←H(tr||M,512)
                 MLDSA_VERIFY_H_MU           : data_o_rom <= '{opcode:MLDSA_UOP_LD_SHAKE256, imm:'h0000, length:'d64, operand1:MLDSA_TR_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
-                MLDSA_VERIFY_H_MU+ 1        : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:'d77, operand1:MLDSA_MSG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_MU_REG_ID};
+                MLDSA_VERIFY_H_MU+ 1        : data_o_rom <= '{opcode:MLDSA_UOP_SHAKE256, imm:'h0000, length:'d66, operand1:MLDSA_MSG_ID, operand2:MLDSA_NOP, operand3:MLDSA_DEST_MU_REG_ID};
                 //c ←SampleInBall(c˜1)
                 MLDSA_VERIFY_MAKE_C         : data_o_rom <= '{opcode:MLDSA_UOP_SIB, imm:'h0000, length:'d64, operand1:MLDSA_SIG_C_REG_ID, operand2:MLDSA_NOP, operand3:MLDSA_NOP};
                 //cˆ ←NTT(c)

src/mldsa_top/uvmf/Dilithium_ref/dilithium/ref/test/test_dilithium.c

@@ -11,9 +11,19 @@
 #define MLEN 65536
 #define M_PRIME 1
 
+#ifndef PREHASH
+    #define PREHASH 0
+#endif
+
 #define PHM_SIZE 64 // 512 bits = 64 bytes
-#define OID_SIZE 11 // Size of OID (in bytes)
-#define M_SIZE (2 + OID_SIZE + PHM_SIZE) // Size of final message M'
+
+#if PREHASH == 1
+    #define OID_SIZE 11 // Size of OID (in bytes)
+    #define M_SIZE (2 + OID_SIZE + PHM_SIZE) // Size of final message M'
+#else
+    #define M_SIZE (2 + PHM_SIZE) // Size of final message M'
+#endif
+
 // Function prototypes
 uint8_t hexCharToInt(char c);
 uint8_t hexStringToByte(const char* str);
@@ -29,16 +39,28 @@ void create_message_prime(uint8_t *PHM, uint8_t *M_prime);
 const uint8_t rnd[32] = {0};
 
 void create_message_prime(uint8_t *PHM, uint8_t *M_prime) {
-    // Step 1: Initialize M_prime with required sizes
-    M_prime[0] = 0x01;
-    M_prime[1] = 0x00;
-
-    // Step 2: Add OID (0x0609608648016503040203)
-    uint8_t OID[OID_SIZE] = {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03};
-    memcpy(M_prime + 2, OID, OID_SIZE);
-
-    // Step 3: Add 512-bit (64-byte) PHM
-    memcpy(M_prime + 2 + OID_SIZE, PHM, PHM_SIZE);
+    #if PREHASH == 1
+        // pre-hash MLDSA
+        // Step 1: Initialize M_prime with required sizes
+        M_prime[0] = 0x01;
+        M_prime[1] = 0x00;
+
+        // Step 2: Add OID (0x0609608648016503040203)
+        uint8_t OID[OID_SIZE] = {0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03};
+        memcpy(M_prime + 2, OID, OID_SIZE);
+
+        // Step 3: Add 512-bit (64-byte) PHM
+        memcpy(M_prime + 2 + OID_SIZE, PHM, PHM_SIZE);
+
+    #else
+        // pure MLDSA
+        // Step 1: Initialize M_prime with required sizes
+        M_prime[0] = 0x00;
+        M_prime[1] = 0x00;
+
+        // Step 2: Add 512-bit (64-byte) PHM
+        memcpy(M_prime + 2, PHM, PHM_SIZE);
+    #endif
 }