
quantica/ml_dsa/
params.rs

//! ML-DSA parameter sets (FIPS 204, Table 1).
//!
//! Defines the global constants shared across all parameter sets (the prime
//! modulus `Q`, polynomial degree `N`, etc.) and the [`Params`] trait that
//! encodes the per-security-level constants.
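/// The prime modulus q = 2^23 - 2^13 + 1 = 8380417.
///
/// All polynomial arithmetic in ML-DSA is performed modulo this prime. `Q`
/// fits in an `i32`, but the product of two coefficients reduced modulo q can
/// need up to 46 bits, so multiplications must be widened before reduction.
pub const Q: i32 = 8380417;

/// Polynomial degree (number of coefficients per polynomial).
///
/// ML-DSA operates over the ring `Z_q[X]/(X^256 + 1)`.
pub const N: usize = 256;

/// Primitive 512th root of unity modulo q.
///
/// Used to build the NTT twiddle factor table. zeta = 1753 satisfies
/// zeta^256 = -1 (mod q); this is checked at compile time below.
pub const ZETA: i32 = 1753;

/// Maximum value of K across all parameter sets (ML-DSA-87 has K=8).
///
/// This is a literal, not derived from the `Params` implementations, so it
/// has to be kept in sync by hand if a parameter set is added or changed.
pub const MAX_K: usize = 8;

/// Maximum value of L across all parameter sets (ML-DSA-87 has L=7).
///
/// This is a literal, not derived from the `Params` implementations, so it
/// has to be kept in sync by hand if a parameter set is added or changed.
pub const MAX_L: usize = 7;

/// The `d` parameter (number of dropped bits from t).
///
/// Public key compression drops the low `d = 13` bits of the vector t,
/// splitting it into (t1, t0) via Power2Round.
pub const D: usize = 13;

/// Multiplicative inverse of N modulo q: 256^{-1} mod q.
///
/// Applied as a final scaling factor in the inverse NTT. The inverse
/// relation `N_INV * N = 1 (mod q)` is checked at compile time below.
pub const N_INV: i32 = 8347681;

// Compile-time sanity checks for the hand-entered constants above. A typo in
// ZETA or N_INV would not fail to build on its own; it would silently corrupt
// every NTT-based multiplication. Evaluating the documented identities in a
// const context turns such a mistake into a build error.
const _: () = {
    // Square-and-multiply `base^exp mod Q`, usable in const context.
    // Operands stay below 2^23, so every product fits comfortably in an i64.
    const fn pow_mod_q(base: i64, exp: u32) -> i64 {
        let modulus = Q as i64;
        let mut acc: i64 = 1;
        let mut cur = base % modulus;
        let mut remaining = exp;
        while remaining > 0 {
            if remaining & 1 == 1 {
                acc = acc * cur % modulus;
            }
            cur = cur * cur % modulus;
            remaining >>= 1;
        }
        acc
    }

    assert!(Q == (1 << 23) - (1 << 13) + 1, "Q must equal 2^23 - 2^13 + 1");
    assert!(D < 23, "D must be smaller than bitlen(q - 1) = 23");
    // zeta^N = -1 (mod q) implies that zeta has order exactly 2N = 512.
    assert!(
        pow_mod_q(ZETA as i64, N as u32) == Q as i64 - 1,
        "ZETA^256 must be -1 mod Q"
    );
    assert!(
        (N_INV as i64 * N as i64) % (Q as i64) == 1,
        "N_INV must be the inverse of N mod Q"
    );
};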
/// Per-security-level constants for ML-DSA.
///
/// [`MlDsa44`], [`MlDsa65`] and [`MlDsa87`] implement this trait with the
/// values from FIPS 204, Table 1. The encoded public key, secret key and
/// signature lengths are provided constants derived from the base values.
///
/// Note for implementors: `BETA`, `BITLEN_2ETA` and `BITLEN_GAMMA1_MINUS1` are
/// required constants, so the trait itself does not tie them to `TAU`, `ETA`
/// and `GAMMA1`; they must be kept consistent by hand. The derived lengths are
/// ordinary defaults and can be overridden by an implementation.
pub trait Params {
    /// Dimension k: number of rows of the matrix A.
    const K: usize;
    /// Dimension l: number of columns of the matrix A.
    const L: usize;
    /// Bound on the secret key: every coefficient of s1 and s2 is in [-eta, eta].
    const ETA: usize;
    /// Number of coefficients of the challenge polynomial c that are +1 or -1.
    const TAU: usize;
    /// Signing bound beta = tau * eta. A candidate signature whose infinity
    /// norm is >= gamma1 - beta is rejected.
    const BETA: i32;
    /// Masking range: coefficients of the masking vector y are sampled from
    /// [-(gamma1-1), gamma1].
    const GAMMA1: i32;
    /// Decomposition parameter controlling the rounding in HighBits/LowBits.
    const GAMMA2: i32;
    /// Upper limit on the number of non-zero hint entries, counted over all k
    /// hint polynomials.
    const OMEGA: usize;
    /// Collision strength in bits; the commitment hash c_tilde is lambda/4
    /// bytes long.
    const LAMBDA: usize;

    /// Helper: bit-length of 2*eta, the width used to encode secret polynomials.
    const BITLEN_2ETA: usize;
    /// Helper: bit-length of gamma1 - 1, used when encoding z in a signature.
    const BITLEN_GAMMA1_MINUS1: usize;

    /// Public key length in bytes: 32 (rho) + k * 320 (encoded t1).
    ///
    /// Each t1 coefficient takes bitlen(q-1) - d = 23 - 13 = 10 bits.
    const PK_LEN: usize = 32 + 32 * Self::K * (23 - D);
    /// Secret key length in bytes: 128 bytes of fixed-size fields, then the
    /// l + k secret polynomials at `BITLEN_2ETA` bits per coefficient, then
    /// k polynomials at `D` bits per coefficient.
    const SK_LEN: usize =
        128 + 32 * ((Self::L + Self::K) * Self::BITLEN_2ETA + Self::K * D);
    /// Signature length in bytes: c_tilde (lambda/4), then l polynomials of z
    /// at 1 + `BITLEN_GAMMA1_MINUS1` bits per coefficient, then omega + k
    /// bytes for the hint.
    const SIG_LEN: usize = Self::LAMBDA / 4
        + 32 * Self::L * (Self::BITLEN_GAMMA1_MINUS1 + 1)
        + Self::OMEGA
        + Self::K;
}
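/// ML-DSA-44 parameter set (NIST security category 2).
///
/// Provides approximately 128 bits of classical security. Matrix dimensions
/// are k=4, l=4 with eta=2. The redundant constants (`BETA`, the two
/// bit-lengths) and the derived encoded sizes are cross-checked at compile
/// time right after the `impl`.
pub struct MlDsa44;

impl Params for MlDsa44 {
    const K: usize = 4;
    const L: usize = 4;
    const ETA: usize = 2;
    const TAU: usize = 39;
    const BETA: i32 = 78; // tau * eta = 39 * 2
    const GAMMA1: i32 = 1 << 17; // 2^17
    const GAMMA2: i32 = (Q - 1) / 88; // 95232
    const OMEGA: usize = 80;
    const LAMBDA: usize = 128;
    const BITLEN_2ETA: usize = 3; // bitlen(4) = 3
    const BITLEN_GAMMA1_MINUS1: usize = 17; // bitlen(2^17 - 1) = 17
}

// BETA and the bit-lengths are entered by hand although they follow from TAU,
// ETA and GAMMA1. A wrong BETA changes the rejection bounds used while
// signing, and a wrong bit-length changes the key/signature encoding, so the
// relations are enforced at build time instead of being trusted.
const _: () = {
    assert!(
        MlDsa44::BETA == (MlDsa44::TAU * MlDsa44::ETA) as i32,
        "BETA must equal TAU * ETA"
    );
    // bitlen(2 * eta): 2^(b-1) <= 2 * eta < 2^b.
    assert!(2 * MlDsa44::ETA < (1_usize << MlDsa44::BITLEN_2ETA));
    assert!(2 * MlDsa44::ETA >= (1_usize << (MlDsa44::BITLEN_2ETA - 1)));
    // gamma1 is a power of two, so bitlen(gamma1 - 1) is its exponent.
    assert!(MlDsa44::GAMMA1 == 1_i32 << MlDsa44::BITLEN_GAMMA1_MINUS1);
    // 2 * gamma2 must divide q - 1.
    assert!((Q - 1) % (2 * MlDsa44::GAMMA2) == 0);
    // Encoded sizes for ML-DSA-44 as listed in FIPS 204.
    assert!(MlDsa44::PK_LEN == 1312, "unexpected ML-DSA-44 public key size");
    assert!(MlDsa44::SK_LEN == 2560, "unexpected ML-DSA-44 secret key size");
    assert!(MlDsa44::SIG_LEN == 2420, "unexpected ML-DSA-44 signature size");
};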
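/// ML-DSA-65 parameter set (NIST security category 3).
///
/// Provides approximately 192 bits of classical security. Matrix dimensions
/// are k=6, l=5 with eta=4. The redundant constants (`BETA`, the two
/// bit-lengths) and the derived encoded sizes are cross-checked at compile
/// time right after the `impl`.
pub struct MlDsa65;

impl Params for MlDsa65 {
    const K: usize = 6;
    const L: usize = 5;
    const ETA: usize = 4;
    const TAU: usize = 49;
    const BETA: i32 = 196; // tau * eta = 49 * 4
    const GAMMA1: i32 = 1 << 19; // 2^19
    const GAMMA2: i32 = (Q - 1) / 32; // 261888
    const OMEGA: usize = 55;
    const LAMBDA: usize = 192;
    const BITLEN_2ETA: usize = 4; // bitlen(8) = 4
    const BITLEN_GAMMA1_MINUS1: usize = 19; // bitlen(2^19 - 1) = 19
}

// BETA and the bit-lengths are entered by hand although they follow from TAU,
// ETA and GAMMA1. A wrong BETA changes the rejection bounds used while
// signing, and a wrong bit-length changes the key/signature encoding, so the
// relations are enforced at build time instead of being trusted.
const _: () = {
    assert!(
        MlDsa65::BETA == (MlDsa65::TAU * MlDsa65::ETA) as i32,
        "BETA must equal TAU * ETA"
    );
    // bitlen(2 * eta): 2^(b-1) <= 2 * eta < 2^b.
    assert!(2 * MlDsa65::ETA < (1_usize << MlDsa65::BITLEN_2ETA));
    assert!(2 * MlDsa65::ETA >= (1_usize << (MlDsa65::BITLEN_2ETA - 1)));
    // gamma1 is a power of two, so bitlen(gamma1 - 1) is its exponent.
    assert!(MlDsa65::GAMMA1 == 1_i32 << MlDsa65::BITLEN_GAMMA1_MINUS1);
    // 2 * gamma2 must divide q - 1.
    assert!((Q - 1) % (2 * MlDsa65::GAMMA2) == 0);
    // Encoded sizes for ML-DSA-65 as listed in FIPS 204.
    assert!(MlDsa65::PK_LEN == 1952, "unexpected ML-DSA-65 public key size");
    assert!(MlDsa65::SK_LEN == 4032, "unexpected ML-DSA-65 secret key size");
    assert!(MlDsa65::SIG_LEN == 3309, "unexpected ML-DSA-65 signature size");
};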
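/// ML-DSA-87 parameter set (NIST security category 5).
///
/// Provides approximately 256 bits of classical security. Matrix dimensions
/// are k=8, l=7 with eta=2. The redundant constants (`BETA`, the two
/// bit-lengths) and the derived encoded sizes are cross-checked at compile
/// time right after the `impl`.
pub struct MlDsa87;

impl Params for MlDsa87 {
    const K: usize = 8;
    const L: usize = 7;
    const ETA: usize = 2;
    const TAU: usize = 60;
    const BETA: i32 = 120; // tau * eta = 60 * 2
    const GAMMA1: i32 = 1 << 19; // 2^19
    const GAMMA2: i32 = (Q - 1) / 32; // 261888
    const OMEGA: usize = 75;
    const LAMBDA: usize = 256;
    const BITLEN_2ETA: usize = 3; // bitlen(4) = 3
    const BITLEN_GAMMA1_MINUS1: usize = 19; // bitlen(2^19 - 1) = 19
}

// BETA and the bit-lengths are entered by hand although they follow from TAU,
// ETA and GAMMA1. A wrong BETA changes the rejection bounds used while
// signing, and a wrong bit-length changes the key/signature encoding, so the
// relations are enforced at build time instead of being trusted.
const _: () = {
    assert!(
        MlDsa87::BETA == (MlDsa87::TAU * MlDsa87::ETA) as i32,
        "BETA must equal TAU * ETA"
    );
    // bitlen(2 * eta): 2^(b-1) <= 2 * eta < 2^b.
    assert!(2 * MlDsa87::ETA < (1_usize << MlDsa87::BITLEN_2ETA));
    assert!(2 * MlDsa87::ETA >= (1_usize << (MlDsa87::BITLEN_2ETA - 1)));
    // gamma1 is a power of two, so bitlen(gamma1 - 1) is its exponent.
    assert!(MlDsa87::GAMMA1 == 1_i32 << MlDsa87::BITLEN_GAMMA1_MINUS1);
    // 2 * gamma2 must divide q - 1.
    assert!((Q - 1) % (2 * MlDsa87::GAMMA2) == 0);
    // Encoded sizes for ML-DSA-87 as listed in FIPS 204.
    assert!(MlDsa87::PK_LEN == 2592, "unexpected ML-DSA-87 public key size");
    assert!(MlDsa87::SK_LEN == 4896, "unexpected ML-DSA-87 secret key size");
    assert!(MlDsa87::SIG_LEN == 4627, "unexpected ML-DSA-87 signature size");
};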