Store ML-DSA's s1, s2, and t0 in NTT form

ML-DSA sign only uses those in NTT form, so this avoids doing a conversion on every signature operation. The result is that signing gets faster, but keygen gets slower, because we shift some of those conversions to keygen time. Keygen itself needs s1 in NTT form anyway, so keygen gains two NTTs while signing loses three, so even single-use keys (1x keygen + 1x sign) get faster.

This complicates the ridiculous semi-expanded key format, which encodes the three vectors in non-NTT form, but since we only implement it for ACVP testing, it doesn't matter if that needs extra operations.

Benchmarks on an AMD Ryzen Threadripper PRO 7945WX 12-Cores below. Note the percentages are misleading because the denominator for keygen was lower.

Benchmark                                     Time     CPU   Time Old   Time New   CPU Old   CPU New
--------------------------------------------------------------------------------------------------
BM_SpeedMLDSAKeyGen/ml_dsa_44/threads:1    +0.1576 +0.1576      33140      38362     33137     38358
BM_SpeedMLDSASign/ml_dsa_44/threads:1      -0.0852 -0.0852     136175     124570    136165    124559
BM_SpeedMLDSAKeyGen/ml_dsa_65/threads:1    +0.1320 +0.1319      63872      72300     63862     72289
BM_SpeedMLDSASign/ml_dsa_65/threads:1      -0.0384 -0.0383     210115     202048    210076    202027
BM_SpeedMLDSAKeyGen/ml_dsa_87/threads:1    +0.1130 +0.1131      90237     100437     90230    100431
BM_SpeedMLDSASign/ml_dsa_87/threads:1      -0.0645 -0.0645     250679     234521    250656    234486

Change-Id: Ibdcf5591dc74c61fc694988828b2fa254f8112f2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/96810
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
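As an added example, not BoringSSL's code, here is the FIPS 204 NTT over Z_q[X]/(X^256 + 1) with q = 8380417 and zeta = 1753 in Python, showing why keeping a vector like s1 in NTT form is lossless and why a sign-time product such as c*s1 then needs only one forward transform (for c) plus a pointwise product and one inverse transform. The polynomial values used to exercise it are constructed, not taken from a real key.

```python
Q = 8380417          # ML-DSA modulus (FIPS 204)
N = 256              # ring degree: Z_q[X] / (X^256 + 1)
ZETA = 1753          # primitive 512th root of unity mod Q (FIPS 204)


def brv8(m):  # 8-bit bit reversal, which indexes the zeta table in FIPS 204
    return int(f"{m:08b}"[::-1], 2)


def ntt(w):
    # Forward NTT (FIPS 204 Algorithm 41): coefficient form -> NTT form
    w = list(w)
    m, length = 0, 128
    while length >= 1:
        for start in range(0, N, 2 * length):
            m += 1
            z = pow(ZETA, brv8(m), Q)
            for j in range(start, start + length):
                t = z * w[j + length] % Q
                w[j + length] = (w[j] - t) % Q
                w[j] = (w[j] + t) % Q
        length //= 2
    return w


def intt(w_hat):
    # Inverse NTT (FIPS 204 Algorithm 42): NTT form -> coefficient form
    w = list(w_hat)
    m, length = 256, 1
    while length < N:
        for start in range(0, N, 2 * length):
            m -= 1
            z = -pow(ZETA, brv8(m), Q) % Q
            for j in range(start, start + length):
                t = w[j]
                w[j] = (t + w[j + length]) % Q
                w[j + length] = z * (t - w[j + length]) % Q
        length *= 2
    f = pow(N, -1, Q)  # 256^-1 mod Q = 8347681
    return [f * x % Q for x in w]


def pointwise(a_hat, b_hat):
    # In NTT form a ring product is just a coefficient-wise product
    return [x * y % Q for x, y in zip(a_hat, b_hat)]


def schoolbook_mul(a, b):
    # Reference product in Z_q[X]/(X^N + 1), reducing X^N to -1
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sign = (i + j, 1) if i + j < N else (i + j - N, -1)
            out[k] = (out[k] + sign * ai * bj) % Q
    return out
```

With s1_hat = ntt(s1) stored in the key, a signing-style product is intt(pointwise(ntt(c), s1_hat)), so the forward transform of s1 is paid once at keygen rather than on every signature.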
BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.
BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
Project links:
To file a security issue, use the Chromium process and mention in the report this is for BoringSSL. You can ignore the parts of the process that are specific to Chromium/Chrome.
There are other files in this directory which might be helpful: