Rework ML-DSA modular operations

Most of the uses of constant_time_lt were unnecessary and can be
simpler. constant_time_lt needs to perform extra operations because the
inputs may use the full bit width of the input, but these values are
known to be smaller. We largely only need to select by the MSB of some
values.

Add a constant_time_select_32 so we don't have to implicitly cast
to/from int.

Remove a comment about unary minus and MSVC. We do that throughout the
codebase already.

Finally, matching the ML-KEM implementation, remove a
vectorization-impeding value barrier. This is... disappointing, but
seems to be a significant performance difference. Like in ML-KEM, this
was broadly okay except where we sample some value, where Clang was
tempted too far into misbehaving.

Apple M1 Pro, Clang:
Before:
Did 38824 MLDSA key generation operations in 4021430us (9654.3 ops/sec)
Did 7950 MLDSA sign (randomized) operations in 4072620us (1952.1 ops/sec)
Did 1163000 MLDSA parse (valid) public key operations in 4001540us (290638.1 ops/sec)
Did 40320 MLDSA verify (valid signature) operations in 4024830us (10017.8 ops/sec)
Did 40180 MLDSA verify (invalid signature) operations in 4009297us (10021.7 ops/sec)
After:
Did 48655 MLDSA key generation operations in 4020313us (12102.3 ops/sec) [+25.4%]
Did 13361 MLDSA sign (randomized) operations in 4078864us (3275.7 ops/sec) [+67.8%]
Did 1158000 MLDSA parse (valid) public key operations in 4000017us (289498.8 ops/sec) [-0.4%]
Did 56000 MLDSA verify (valid signature) operations in 4051698us (13821.4 ops/sec) [+38.0%]
Did 56000 MLDSA verify (invalid signature) operations in 4062468us (13784.7 ops/sec) [+37.5%]

Intel(R) Xeon(R) Gold 6154 CPU @ 3.00GHz, GCC:
Before:
Did 17346 MLDSA key generation operations in 4019390us (4315.6 ops/sec)
Did 3444 MLDSA sign (randomized) operations in 4066107us (847.0 ops/sec)
Did 494000 MLDSA parse (valid) public key operations in 4004318us (123366.8 ops/sec)
Did 16842 MLDSA verify (valid signature) operations in 4093079us (4114.8 ops/sec)
Did 17220 MLDSA verify (invalid signature) operations in 4089998us (4210.3 ops/sec)
After:
Did 23058 MLDSA key generation operations in 4030723us (5720.6 ops/sec) [+32.6%]
Did 6534 MLDSA sign (randomized) operations in 4061126us (1608.9 ops/sec) [+90.0%]
Did 494000 MLDSA parse (valid) public key operations in 4002108us (123434.9 ops/sec) [+0.1%]
Did 26180 MLDSA verify (valid signature) operations in 4045953us (6470.7 ops/sec) [+57.3%]
Did 25800 MLDSA verify (invalid signature) operations in 4009973us (6434.0 ops/sec) [+52.8%]

Intel(R) Xeon(R) Gold 6154 CPU @ 3.00GHz, Clang:
Before:
Did 17499 MLDSA key generation operations in 4059819us (4310.3 ops/sec)
Did 3520 MLDSA sign (randomized) operations in 4070484us (864.8 ops/sec)
Did 494000 MLDSA parse (valid) public key operations in 4003764us (123383.9 ops/sec)
Did 16926 MLDSA verify (valid signature) operations in 4029917us (4200.1 ops/sec)
Did 17220 MLDSA verify (invalid signature) operations in 4099146us (4200.9 ops/sec)
After:
Did 23104 MLDSA key generation operations in 4036297us (5724.1 ops/sec) [+32.8%]
Did 6336 MLDSA sign (randomized) operations in 4006447us (1581.5 ops/sec) [+82.9%]
Did 494000 MLDSA parse (valid) public key operations in 4005244us (123338.3 ops/sec) [-0.0%]
Did 26460 MLDSA verify (valid signature) operations in 4081059us (6483.6 ops/sec) [+54.4%]
Did 26120 MLDSA verify (invalid signature) operations in 4021846us (6494.5 ops/sec) [+54.6%]

Change-Id: I9f010ca1dde37a306e4a207caa12ec4feb920716
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/82527
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
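As an added illustration of the point in the commit message (not code from this change or from BoringSSL), the reduction below selects purely on the MSB of x - q, beside the same step written with a general constant-time less-than; `ct_select_32`, `ct_msb_mask_32` and `ct_lt_32` are stand-ins written here, not the library's helpers, and q is the ML-DSA modulus from FIPS 204:

```c
#include <stdint.h>
#include <stdio.h>

// ML-DSA modulus q = 2^23 - 2^13 + 1 (FIPS 204).
#define MLDSA_Q 8380417u

// Hypothetical stand-in for the constant_time_select_32 helper the commit
// adds (not BoringSSL's code): a where mask is all ones, b where mask is 0.
static inline uint32_t ct_select_32(uint32_t mask, uint32_t a, uint32_t b) {
  return (mask & a) | (~mask & b);
}

// All-ones mask iff the most significant bit of x is set.
static inline uint32_t ct_msb_mask_32(uint32_t x) { return 0u - (x >> 31); }

// General constant-time a < b for full-width 32-bit inputs. The extra
// operations handle the case where a and b differ in their top bit.
static inline uint32_t ct_lt_32(uint32_t a, uint32_t b) {
  return ct_msb_mask_32(a ^ ((a ^ b) | ((a - b) ^ a)));
}

// Reduce x in [0, 2q) to [0, q) using only the MSB of x - q. Because
// x < 2^24, the borrow of x - q shows up directly in bit 31, so one
// shift replaces the full comparison.
uint32_t reduce_once_msb(uint32_t x) {
  uint32_t t = x - MLDSA_Q;                   // wraps (MSB set) iff x < q
  return ct_select_32(ct_msb_mask_32(t), x, t);
}

// The same reduction written with the general comparison, for contrast.
uint32_t reduce_once_lt(uint32_t x) {
  return ct_select_32(ct_lt_32(x, MLDSA_Q), x, x - MLDSA_Q);
}

// Exhaustively checks both forms agree and land in [0, q) over [0, 2q).
int reductions_agree(void) {
  for (uint32_t x = 0; x < 2 * MLDSA_Q; x++) {
    uint32_t r = reduce_once_msb(x);
    if (r != reduce_once_lt(x) || r >= MLDSA_Q || r != x % MLDSA_Q) return 0;
  }
  return 1;
}

int main(void) {
  printf("reduce_once_msb(q + 5) = %u\n", reduce_once_msb(MLDSA_Q + 5));
  printf("forms agree over [0, 2q): %s\n", reductions_agree() ? "yes" : "no");
  return 0;
}
```

The MSB shortcut is only sound because the inputs are bounded well below 2^31; `reductions_agree` makes that precondition explicit by checking the whole input range.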
2 files changed
tree: 83e05b9d0a017bca788dd9a06fff8b2386baf011
README.md

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprang up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

Project links:

To file a security issue, use the Chromium process and mention in the report this is for BoringSSL. You can ignore the parts of the process that are specific to Chromium/Chrome.

There are other files in this directory which might be helpful: