Change VerifyingKey::A_hat and SigningKey::A_hat field from stack-allocated to Box (Box the A_hat in `new` methods) & Dereference Box when cloning A_hat for VerifyingKey in verifying_key() #1257
Closed
mgodf89 wants to merge 1 commit into RustCrypto:master from
Conversation
tarcieri reviewed Mar 17, 2026
| use module_lattice::Truncate; | ||
| use sha3::Shake256; | ||
| use signature::{DigestSigner, DigestVerifier, MultipartSigner, MultipartVerifier, Signer}; | ||
| extern crate alloc; |
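Review bot: the `extern crate alloc;` line in this hunk is unconditional, which contradicts the PR description's claim that the new imports are gated on the existing `alloc` feature; at minimum it should read `#[cfg(feature = "alloc")] extern crate alloc;`, and because the `Box<NttMatrix<..>>` field type depends on it as well, the change also needs a non-heap layout for builds without that feature, or a different approach that avoids the dependency altogether.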
Member
We deliberately avoid having a hard dependency on liballoc and the heap.
This needs to at least be an optional alloc feature, although ideally the solution would not need such a dependency.
Member
Closing as this adds a hard dependency on liballoc.
Fixes #1256

ml-dsa: Box `A_hat` in `SigningKey` and `VerifyingKey` to reduce stack usage

Problem

`from_seed` for ML-DSA-65 consumes ~600KB of stack in debug builds, causing stack overflows on WASM targets and on native targets in common scenarios such as test harnesses, async runtimes, and applications that call `from_seed` from non-trivial call depths.

`SigningKey` and `VerifyingKey` each contain an `NttMatrix<K, L>` inline — 30KB each for ML-DSA-65. In `from_seed`, the compiler must hold the local `A_hat`, a clone for `VerifyingKey`, and the move into `SigningKey` simultaneously on top of all other temporaries. In debug mode without NRVO or move elision, the full frame reaches ~600KB.

- WASM: On `wasm32-wasip2` with the default 1MB stack, a single `from_seed` call overflows inside `expand_a` → `Array::from_fn`.
- Native: On x86_64 with the default 8MB test thread stack, creating two key pairs (common in handshake/session tests) reliably overflows.

Fix

Box the `A_hat` field in `SigningKey` and `VerifyingKey`, moving ~90KB from stack to heap.

Changes

- `SigningKey::A_hat` / `VerifyingKey::A_hat`: `NttMatrix<P::K, P::L>` → `Box<NttMatrix<P::K, P::L>>`
- `SigningKey::new()` / `VerifyingKey::new()`: wrap with `Box::new()`
- `&self.A_hat * ...` multiplication sites → `&*self.A_hat * ...` (explicit deref required; `Mul` is implemented for `&NttMatrix`, not `&Box<NttMatrix>`)
- `SigningKey::verifying_key()`: `(*self.A_hat).clone()`
- `extern crate alloc` and `use alloc::boxed::Box` (gated on the existing `alloc` feature, which is in the default set)

No public API changes — `A_hat` is a private field. All existing tests pass.

Results

Measured in a debug-mode test scenario with two parties each generating keys via `from_seed` and performing a full session handshake: A standalone `from_seed` call requires well under 200KB after this change.
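As an added illustration (not code from the PR or from the ml-dsa crate), a stand-in matrix type with the same inline footprint as ML-DSA-65's `NttMatrix<6, 5>`, showing the per-key size difference the description quotes, why the boxed field needs the explicit `&*` deref, and the caveat that `Box::new(value)` only shrinks the key, not the frame that materialised `value`. `NttMatrix`, `NttVector`, `InlineKey`, `BoxedKey` and the pointwise multiply are hypothetical simplifications.

```rust
use core::ops::Mul;

/// ML-DSA modulus q.
pub const Q: u32 = 8_380_417;

/// Stand-in for the crate's NttMatrix (hypothetical simplification):
/// K rows of L polynomials, 256 coefficients each, stored inline.
#[derive(Clone, Debug, PartialEq)]
pub struct NttMatrix<const K: usize, const L: usize>(pub [[[u32; 256]; L]; K]);

#[derive(Clone, Debug, PartialEq)]
pub struct NttVector<const N: usize>(pub [[u32; 256]; N]);

// As in the crate, Mul is implemented for &NttMatrix, not for &Box<NttMatrix>;
// operator traits get no auto-deref, hence the `&*self.a_hat * v` below.
impl<const K: usize, const L: usize> Mul<&NttVector<L>> for &NttMatrix<K, L> {
    type Output = NttVector<K>;
    fn mul(self, v: &NttVector<L>) -> NttVector<K> {
        let mut out = [[0u32; 256]; K];
        for k in 0..K {
            for l in 0..L {
                for i in 0..256 {
                    // pointwise product in the NTT domain, accumulated over L, mod q
                    let p = (self.0[k][l][i] as u64 * v.0[l][i] as u64) % Q as u64;
                    out[k][i] = ((out[k][i] as u64 + p) % Q as u64) as u32;
                }
            }
        }
        NttVector(out)
    }
}

/// Key layout before the change: the whole matrix lives inside the struct.
pub struct InlineKey<const K: usize, const L: usize> { pub a_hat: NttMatrix<K, L> }
/// Key layout the PR proposes: only a pointer lives inside the struct.
pub struct BoxedKey<const K: usize, const L: usize> { pub a_hat: Box<NttMatrix<K, L>> }

impl<const K: usize, const L: usize> BoxedKey<K, L> {
    /// Box::new(a_hat) copies an already-materialised matrix, so this shrinks the key,
    /// not the peak frame of whatever built `a_hat` (the expand_a/from_seed path).
    pub fn new(a_hat: NttMatrix<K, L>) -> Self { Self { a_hat: Box::new(a_hat) } }
    /// Mirrors verifying_key(): clone the matrix out of the Box, not the Box itself.
    pub fn matrix_copy(&self) -> NttMatrix<K, L> { (*self.a_hat).clone() }
    /// Mirrors the multiplication sites: explicit deref through the Box.
    pub fn apply(&self, v: &NttVector<L>) -> NttVector<K> { &*self.a_hat * v }
}

pub fn inline_key_bytes<const K: usize, const L: usize>() -> usize { core::mem::size_of::<InlineKey<K, L>>() }
pub fn boxed_key_bytes<const K: usize, const L: usize>() -> usize { core::mem::size_of::<BoxedKey<K, L>>() }
```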