- Bug
- Resolution: Unresolved
- P2
- None
- 25
- None
In the implementation of [JEP-497](https://openjdk.org/jeps/497), the PKCS #8 encoding of an ML-DSA private key includes the complete private key material as defined in FIPS 204: `skEncode(𝜌, 𝐾, 𝑡𝑟, 𝐬1, 𝐬2, 𝐭0)`. We also noted that "The encoding used by the ML-DSA KeyFactory is defined in [a draft IETF RFC](https://datatracker.ietf.org/doc/html/draft-ietf-lamps-dilithium-certificates). We will track changes in this draft until it is published."
In November 2024, the 5th version of this draft clarified that "An ML-DSA private key is encoded by storing its 32-octet seed in the privateKey field", which is different from our current encoding format.
Since then, there have been more proposals on the encoding. See the messages at https://mailarchive.ietf.org/arch/msg/spasm/6iUmCadOg3PfGja7j26-MUXTUVk/ and https://mailarchive.ietf.org/arch/msg/spasm/50v8oLi5XObC7AIL4DH337_Anos/.
- blocks: JDK-8339010 JEP 497: Quantum-Resistant Module-Lattice-Based Digital Signature Algorithm (Closed)
- csr for: JDK-8349164 Switch to latest ML-DSA private key encoding (Draft)
- links to: Review(master) openjdk/jdk/23376
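An added example, not code from the JDK or from this issue: a minimal DER walk that tells the two encodings described above apart by the length of the privateKey contents, which is the check an interoperability test would run on keys exported by different versions. The OID bytes and the expanded-key sizes (2560, 4032 and 4896 octets) come from the NIST registrations and FIPS 204 rather than from this page; `classify_pkcs8` and `sample_pkcs8` are hypothetical names, the expanded key is assumed to sit directly in the privateKey field, and keys that follow the later proposals are reported as unknown.

```python
# Added example: classify an ML-DSA PKCS #8 blob as seed-only or expanded.
ML_DSA = {  # OID content octets -> (name, FIPS 204 expanded private key size)
    bytes.fromhex("608648016503040311"): ("ML-DSA-44", 2560),
    bytes.fromhex("608648016503040312"): ("ML-DSA-65", 4032),
    bytes.fromhex("608648016503040313"): ("ML-DSA-87", 4896),
}
SEED_LEN = 32  # seed length quoted from the draft on this page

def read_tlv(buf, pos, want_tag):
    """Return (value, next_pos) for the DER TLV at pos; reject malformed input."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length

def classify_pkcs8(der_bytes):
    """Return (parameter set, 'seed' | 'expanded' | 'unknown')."""
    body, end = read_tlv(der_bytes, 0, 0x30)   # PrivateKeyInfo SEQUENCE
    if end != len(der_bytes):
        raise ValueError("trailing bytes after PrivateKeyInfo")
    _version, pos = read_tlv(body, 0, 0x02)    # version INTEGER
    alg, pos = read_tlv(body, pos, 0x30)       # AlgorithmIdentifier
    oid, _ = read_tlv(alg, 0, 0x06)
    key, _ = read_tlv(body, pos, 0x04)         # privateKey OCTET STRING
    if oid not in ML_DSA:
        raise ValueError("not an ML-DSA key")
    name, expanded_len = ML_DSA[oid]
    if len(key) == SEED_LEN:
        return name, "seed"
    if len(key) == expanded_len:
        return name, "expanded"
    return name, "unknown"  # some other layout; not decoded here

def der(tag, value):
    """Encode one DER TLV (helper for the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_pkcs8(oid, key):
    """Constructed sample: version 0, OID-only AlgorithmIdentifier, given key."""
    return der(0x30, der(0x02, b"\x00") + der(0x30, der(0x06, oid)) + der(0x04, key))
```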