ML-DSA parameter refactor (#1910)

### Issues:
CryptoAlg-2724

### Description of changes: 

#### Parameterization of ML-DSA
Previous to this change, ML-DSA was implemented such that the code for a
parameter set was selected by defining the correct C pre-processor flag
(for example, if you want to compile the code for ML-DSA-65 parameter
set you would `#define DILITHIUM_MODE 3`).

The consequence of this was that we had to compile the code three times
for three ML-DSA parameter sets. We do this by adding a C file for each
parameter set where we first define the corresponding `DILITHIUM_MODE`
value and then include all the ML-DSA C files. Besides being an awkward
way to handle multiple parameter sets, this will not work for the FIPS
module where we bundle all C files inside `bcm.c` and compile it as a
single compilation unit.

In this change we refactor ML-DSA by parametrizing all functions that
depend on values that are specific to a parameter set, i.e., that
directly or indirectly depend on the value of `DILITHIUM_MODE`. To do
this, in `params.h` we define a structure that holds those ML-DSA
parameters and functions that initialize a given structure with values
corresponding to a parameter set. This structure can then be passed to
every function that requires it. For example, `polyvecl_add` function
was previously implemented as:

```
void polyvecl_add(polyvecl *w,
                  const polyvecl *u, 
                  const polyvecl *v) {
  unsigned int i;

  for(i = 0; i < L; ++i)
    poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
}
```
Is now changed to:

```
void polyvecl_add(ml_dsa_params *params,
                  polyvecl *w,
                  const polyvecl *u,
                  const polyvecl *v) {
  unsigned int i;

  for(i = 0; i < params->l; ++i)
    poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
}

```

Of course, now we have to change all callers of `polyvecl_add` to also
have `ml_dsa_params` as an input argument, and then callers of the
caller, etc. These changes bubble up to the highest level API defined in
sign.h where we now have:

```

int crypto_sign_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk);

int crypto_sign_signature(ml_dsa_params *params,
                          uint8_t *sig, size_t *siglen,
                          const uint8_t *m, size_t mlen,
                          const uint8_t *ctx, size_t ctxlen,
                          const uint8_t *sk);

int crypto_sign(ml_dsa_params *params,
                uint8_t *sm, size_t *smlen,
                const uint8_t *m, size_t mlen,
                const uint8_t *ctx, size_t ctxlen,
                const uint8_t *sk);

int crypto_sign_verify(ml_dsa_params *params,
                       const uint8_t *sig, size_t siglen,
                       const uint8_t *m, size_t mlen,
                       const uint8_t *ctx, size_t ctxlen,
                       const uint8_t *pk);

int crypto_sign_open(ml_dsa_params *params,
                     uint8_t *m, size_t *mlen,
                     const uint8_t *sm, size_t smlen,
                     const uint8_t *ctx, size_t ctxlen,
                     const uint8_t *pk);
```

Then we can easily implement these functions for specific parameter
sets, which can be seen in `sig_dilithium3.c` file. For example:

```
int ml_dsa_65_keypair(uint8_t *public_key /* OUT */,
                       uint8_t *secret_key /* OUT */) {
  ml_dsa_params params;
  ml_dsa_65_params_init(&params);
  return crypto_sign_keypair(&params, public_key, secret_key);
}

int ml_dsa_65_sign(uint8_t *sig               /* OUT */,
                    size_t *sig_len            /* OUT */,
                    const uint8_t *message     /* IN */,
                    size_t message_len         /* IN */,
                    const uint8_t *ctx         /* IN */,
                    size_t ctx_len             /* IN */,
                    const uint8_t *secret_key  /* IN */) {
  ml_dsa_params params;
  ml_dsa_65_params_init(&params);
  return crypto_sign_signature(&params, sig, sig_len, message, message_len,
                                             ctx, ctx_len, secret_key);
}

int ml_dsa_65_verify(const uint8_t *message    /* IN */,
                      size_t message_len        /* IN */,
                      const uint8_t *sig        /* IN */,
                      size_t sig_len            /* IN */,
                      const uint8_t *ctx        /* IN */,
                      size_t ctx_len            /* IN */,
                      const uint8_t *public_key /* IN */) {
  ml_dsa_params params;
  ml_dsa_65_params_init(&params);
  return crypto_sign_verify(&params, sig, sig_len, message, message_len,
                                          ctx, ctx_len, public_key);
}
```
As such, files:
- `dilithium3r3_ref.c`
- `api.h`
- `config.h`

are no longer required, and have been removed.

#### Other Changes
Also modified in this PR are the KAT test framework in
`p_dilithium_test.cc`. This KAT framework has been modified to support
multiple levels of ML-DSA (to be added in a later PR).

### Call-outs:
See similar changes to ML-KEM in #1763

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

crypto/CMakeLists.txt

@@ -323,7 +323,6 @@ if(ENABLE_DILITHIUM)
   set(
     DILITHIUM_SOURCES
 
-    dilithium/dilithium3r3_ref.c
     dilithium/p_dilithium3.c
     dilithium/p_dilithium3_asn1.c
     dilithium/sig_dilithium3.c

crypto/dilithium/p_dilithium3.c

@@ -1,5 +1,5 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: Apache-2.0 OR ISC
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -31,7 +31,7 @@ static int pkey_dilithium3_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {
 
   evp_pkey_set_method(pkey, &dilithium3_asn1_meth);
 
-  if (DILITHIUM3_keypair(key->pub, key->priv) != 0) {
+  if (ml_dsa_65_keypair(key->pub, key->priv) != 0) {
     goto err;
   }
 
@@ -74,7 +74,7 @@ static int pkey_dilithium3_sign_message(EVP_PKEY_CTX *ctx, uint8_t *sig,
     return 0;
   }
 
-  if (DILITHIUM3_sign(sig, siglen, tbs, tbslen, NULL, 0, key->priv) != 0) {
+  if (ml_dsa_65_sign(sig, siglen, tbs, tbslen, NULL, 0, key->priv) != 0) {
     OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
     return 0;
   }
@@ -92,7 +92,7 @@ static int pkey_dilithium3_verify_message(EVP_PKEY_CTX *ctx, const uint8_t *sig,
   DILITHIUM3_KEY *key = ctx->pkey->pkey.ptr;
 
   if (siglen != DILITHIUM3_SIGNATURE_BYTES ||
-      DILITHIUM3_verify(tbs, tbslen, sig, siglen, NULL, 0, key->pub) != 0) {
+      ml_dsa_65_verify(tbs, tbslen, sig, siglen, NULL, 0, key->pub) != 0) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_SIGNATURE);
     return 0;
   }

crypto/dilithium/p_dilithium3_asn1.c

@@ -1,5 +1,5 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: Apache-2.0 OR ISC
 
 #include <openssl/evp.h>
 

crypto/dilithium/p_dilithium_test.cc

@@ -1,5 +1,5 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
+// SPDX-License-Identifier: Apache-2.0 OR ISC
 
 #include <gtest/gtest.h>
 #include <openssl/base.h>
@@ -679,70 +679,94 @@ TEST(Dilithium3Test, SIGOperations) {
   md_ctx.Reset();
 }
 
-static void RunKat(FileTest *t)
-{
-  std::string count, mlen, smlen;
-  std::vector<uint8_t> seed, msg, pk, sk, sm;
-
-  ASSERT_TRUE(t->GetAttribute(&count, "count"));
-  ASSERT_TRUE(t->GetBytes(&seed, "seed"));
-  ASSERT_TRUE(t->GetAttribute(&mlen, "mlen"));
-  ASSERT_TRUE(t->GetBytes(&msg, "msg"));
-  ASSERT_TRUE(t->GetBytes(&pk, "pk"));
-  ASSERT_TRUE(t->GetBytes(&sk, "sk"));
-  ASSERT_TRUE(t->GetAttribute(&smlen, "smlen"));
-  ASSERT_TRUE(t->GetBytes(&sm, "sm"));
-
-  // The KAT files generated by the dilithium team use the optional APIs that
-  // create a signature for a message m and append the message to the end of
-  // the signature. We only want to bring the APIs that create and verify just
-  // the signature, therefore each signature is a constant
-  // DILITHIUM3_SIGNATURE_BYTES and we truncate the signed message down to a
-  // constant DILITHIUM3_SIGNATURE_BYTES.
-  uint8_t signature[DILITHIUM3_SIGNATURE_BYTES];
-  size_t signature_len = DILITHIUM3_SIGNATURE_BYTES;
-  sm.resize(signature_len);
-
-  // Convert string read from KAT to int
-  size_t mlen_int = std::stoi(mlen);
-
-  // Here we fix the DRBG (AES-CTR) so that we are able to seed it with the
-  // seed from the KAT (testing only)
-  pq_custom_randombytes_use_deterministic_for_testing();
-  pq_custom_randombytes_init_for_testing(seed.data());
-
-  // Generate our dilithium public and private key pair
-  EVP_PKEY_CTX *dilithium_pkey_ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DILITHIUM3, nullptr);
-  ASSERT_NE(dilithium_pkey_ctx, nullptr);
-
-  EVP_PKEY *dilithium_pkey = EVP_PKEY_new();
-  ASSERT_NE(dilithium_pkey, nullptr);
-
-  EXPECT_TRUE(EVP_PKEY_keygen_init(dilithium_pkey_ctx));
-  EXPECT_TRUE(EVP_PKEY_keygen(dilithium_pkey_ctx, &dilithium_pkey));
-  const DILITHIUM3_KEY *dilithium3Key = (DILITHIUM3_KEY *)(dilithium_pkey->pkey.ptr);
-  EXPECT_EQ(Bytes(pk), Bytes(dilithium3Key->pub, DILITHIUM3_PUBLIC_KEY_BYTES));
-  EXPECT_EQ(Bytes(sk), Bytes(dilithium3Key->priv, DILITHIUM3_PRIVATE_KEY_BYTES));
-
-  // Generate a signature for the message
-  bssl::ScopedEVP_MD_CTX md_ctx;
-  // We have to use EVP_DigestSign because dilithium supports the use of
-  // non-hash-then-sign (just like ed25519) so we first init EVP_DigestSign
-  // WITHOUT a hash function.
-  ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), NULL, NULL, NULL, dilithium_pkey));
-  ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), signature, &signature_len, msg.data(), mlen_int));
-  EXPECT_EQ(Bytes(sm), Bytes(signature, signature_len));
-
-  // Verify the signature for the message
-  ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), signature, signature_len, msg.data(), mlen_int));
+struct ML_DSA {
+  const char name[20];
+  const int nid;
+  const size_t public_key_len;
+  const size_t secret_key_len;
+  const size_t signature_len;
+  const char *kat_filename;
+};
 
-  EVP_PKEY_free(dilithium_pkey);
-  EVP_PKEY_CTX_free(dilithium_pkey_ctx);
-  md_ctx.Reset();
-}
+static const struct ML_DSA parameterSet[] = {
+  {"MLDSA65", NID_DILITHIUM3_R3, 1952, 4032, 3309,  "dilithium/kat/mldsa65.txt"},
+};
 
-TEST(Dilithium3Test, KAT) {
-  FileTestGTest("crypto/dilithium/kat/dilithium3_r3.txt", RunKat);
+class MLDSAParameterTest : public testing::TestWithParam<ML_DSA> {};
+
+INSTANTIATE_TEST_SUITE_P(All, MLDSAParameterTest, testing::ValuesIn(parameterSet),
+                         [](const testing::TestParamInfo<ML_DSA> &params)
+                             -> std::string { return params.param.name; });
+
+
+TEST_P(MLDSAParameterTest, KAT) {
+  std::string kat_filepath = "crypto/";
+  kat_filepath += GetParam().kat_filename;
+
+  FileTestGTest(kat_filepath.c_str(), [&](FileTest *t) {
+    std::string count, mlen, smlen;
+    std::vector<uint8_t> seed, msg, pk, sk, sm;
+
+    ASSERT_TRUE(t->GetAttribute(&count, "count"));
+    ASSERT_TRUE(t->GetBytes(&seed, "seed"));
+    ASSERT_TRUE(t->GetAttribute(&mlen, "mlen"));
+    ASSERT_TRUE(t->GetBytes(&msg, "msg"));
+    ASSERT_TRUE(t->GetBytes(&pk, "pk"));
+    ASSERT_TRUE(t->GetBytes(&sk, "sk"));
+    ASSERT_TRUE(t->GetAttribute(&smlen, "smlen"));
+    ASSERT_TRUE(t->GetBytes(&sm, "sm"));
+
+    size_t pk_len = GetParam().public_key_len;
+    size_t sk_len = GetParam().secret_key_len;
+    size_t sig_len = GetParam().signature_len;
+
+    // The KAT files generated by the dilithium team use the optional APIs that
+    // create a signature for a message m and append the message to the end of
+    // the signature. We only want to bring the APIs that create and verify just
+    // the signature, therefore each signature is a constant
+    // DILITHIUM3_SIGNATURE_BYTES and we truncate the signed message down to a
+    // constant DILITHIUM3_SIGNATURE_BYTES.
+
+    std::vector<uint8_t> signature(sig_len);
+    sm.resize(sig_len);
+
+    // Convert string read from KAT to int
+    size_t mlen_int = std::stoi(mlen);
+
+    // Here we fix the DRBG (AES-CTR) so that we are able to seed it with the
+    // seed from the KAT (testing only)
+    pq_custom_randombytes_use_deterministic_for_testing();
+    pq_custom_randombytes_init_for_testing(seed.data());
+
+    // Generate our dilithium public and private key pair
+    EVP_PKEY_CTX *dilithium_pkey_ctx = EVP_PKEY_CTX_new_id(GetParam().nid, nullptr);
+    ASSERT_NE(dilithium_pkey_ctx, nullptr);
+
+    EVP_PKEY *dilithium_pkey = EVP_PKEY_new();
+    ASSERT_NE(dilithium_pkey, nullptr);
+
+    ASSERT_TRUE(EVP_PKEY_keygen_init(dilithium_pkey_ctx));
+    ASSERT_TRUE(EVP_PKEY_keygen(dilithium_pkey_ctx, &dilithium_pkey));
+    const DILITHIUM3_KEY *dilithium3Key = (DILITHIUM3_KEY *)(dilithium_pkey->pkey.ptr); //called dilithium3 but is generic
+    EXPECT_EQ(Bytes(pk), Bytes(dilithium3Key->pub, pk_len));
+    EXPECT_EQ(Bytes(sk), Bytes(dilithium3Key->priv, sk_len));
+
+    // Generate a signature for the message
+    bssl::ScopedEVP_MD_CTX md_ctx;
+    // We have to use EVP_DigestSign because dilithium supports the use of
+    // non-hash-then-sign (just like ed25519) so we first init EVP_DigestSign
+    // WITHOUT a hash function.
+    ASSERT_TRUE(EVP_DigestSignInit(md_ctx.get(), NULL, NULL, NULL, dilithium_pkey));
+    ASSERT_TRUE(EVP_DigestSign(md_ctx.get(), signature.data(), &sig_len, msg.data(), mlen_int));
+    EXPECT_EQ(Bytes(sm), Bytes(signature.data(), sig_len));
+
+    // Verify the signature for the message
+    ASSERT_TRUE(EVP_DigestVerify(md_ctx.get(), signature.data(), sig_len, msg.data(), mlen_int));
+
+    EVP_PKEY_free(dilithium_pkey);
+    EVP_PKEY_CTX_free(dilithium_pkey_ctx);
+    md_ctx.Reset();
+  });
 }
 
 #else

crypto/dilithium/pqcrystals_dilithium_ref_common/README.md

@@ -6,7 +6,8 @@ The source code in this folder implements ML-DSA as defined in FIPS 204 Module-L
 
 The source code was imported from a branch of the official repository of the Crystals-Dilithium team: https://github.com/pq-crystals/dilithium. The code was taken at [commit](https://github.com/pq-crystals/dilithium/commit/cbcd8753a43402885c90343cd6335fb54712cda1) as of 10/01/2024. At the moment, only the reference C implementation is imported.
 
-The `api.h`, `fips202.h` and `params.h` header files were modified to support our [prefixed symbols build](https://github.com/awslabs/aws-lc/blob/main/BUILDING.md#building-with-prefixed-symbols).
+The code was refactored in [this PR](https://github.com/aws/aws-lc/pull/1910) by parameterizing all functions that depend on values that are specific to a parameter set, i.e., that directly or indirectly depend on the value of `DILITHIUM_MODE`. To do this, in `params.h` we defined a structure that holds those ML-DSA parameters and functions
+that initialize a given structure with values corresponding to a parameter set. This structure is then passed to every function that requires it as a function argument. In addition, the following changes were made to the source code in `pqcrystals_dilithium_ref_common` directory:
 
 - `randombytes.{h|c}` are deleted because we are using the randomness generation functions provided by AWS-LC.
 - `sign.c`: calls to `randombytes` function is replaced with calls to `pq_custom_randombytes` and the appropriate header file is included (`crypto/rand_extra/pq_custom_randombytes.h`).