mldsa: Module-Lattice-based Digital Signature Algorithm

[ bsd3, cryptography, library ] [ Propose Tags ] [ Report a vulnerability ]

Module-Lattice-based Digital Signature Algorithm (ML-DSA) implemented in Haskell.


[Skip to Readme]

Modules

[Index] [Quick Jump]

Flags

Manual Flags

NameDescriptionDefault
use_crypton

Use crypton instead of cryptonite

Enabled

Use -f <flag> to enable a flag, or -f -<flag> to disable that flag. More info

Downloads

Maintainer's Corner

Package maintainers

For package maintainers and hackage trustees

Candidates

  • No Candidates
Versions [RSS] 0.1.0.0
Change log CHANGELOG.md
Dependencies base (>=4.7 && <5), crypton (>=1.1.1), deepseq, primitive (>=0.7.2), ram [details]
License BSD-3-Clause
Copyright 2026 Olivier Chéron
Author Olivier Chéron
Maintainer olivier.cheron@gmail.com
Uploaded by OlivierCheron at 2026-07-05T07:03:06Z
Category Cryptography
Home page https://codeberg.org/ocheron/hs-mldsa#readme
Bug tracker https://codeberg.org/ocheron/hs-mldsa/issues
Source repo head: git clone https://codeberg.org/ocheron/hs-mldsa
Distributions
Downloads 1 total (1 in the last 30 days)
Rating (no votes yet) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs available [build log]
Last success reported on 2026-07-05 [all 1 reports]

Readme for mldsa-0.1.0.0

[back to package description]

ML-DSA

BSD Haskell Hackage

Module-Lattice-based Digital Signature Algorithm implemented in Haskell.

See FIPS 204.

Example session:

> :set -XOverloadedStrings
> import Crypto.PubKey.ML_DSA
> import Data.ByteString
> import Data.Proxy
> let params = Proxy :: Proxy ML_DSA_65
> (pubKey, privKey) <- generate params
> sigma <- sign privKey ("original message" :: ByteString) defaultContext
> verify pubKey ("original message" :: ByteString) sigma defaultContext
True
> verify pubKey ("altered message" :: ByteString) sigma defaultContext
False

Notes

The library does its best to destroy secrets and intermediate buffers from memory after use, despite the implementation in functional style. This relies on finalization by the garbage collector and is not guaranteed to run before the program exits. Also, depending on optimizations applied, lambdas may capture variables and move them to the heap. This could theoretically include machine words containing secret information that would not then be destroyed. Cautious users can run the benchmarks with info-table profiling and verify that closures containing non pointers capture only non-secret variables like loop indices or algorithm parameters.

Best performance is obtained with the LLVM code generator. On ARM, define macro __ARM_FEATURE_UNALIGNED if unaligned access is supported by the target.

Randomness is provided either from explicit inputs or through a user-selected instance of the MonadRandom type class from crypton. A good implementation would combine multiple sources of entropy, reseed periodically, and protect its internal state in memory. Deterministic signing with no source of randomness is possible but is not advised.

Testing

The test suite executes all NIST test vectors but necessary files are not included in the package to limit its size. Instead, three files are downloaded from the project repository during execution, and this relies on commands sh and curl to run the script tests/get-vectors.sh. If not applicable to your environment, please execute the same steps manually. It will be needed only the first time.