Skip to content

ml-dsa: zeroize seed on SigningKey drop#1308

Closed
MavenRain wants to merge 1 commit into
RustCrypto:masterfrom
MavenRain:ml-dsa/keypair-zeroize
Closed

ml-dsa: zeroize seed on SigningKey drop#1308
MavenRain wants to merge 1 commit into
RustCrypto:masterfrom
MavenRain:ml-dsa/keypair-zeroize

Conversation

@MavenRain
Copy link
Copy Markdown
Contributor

@MavenRain MavenRain commented Apr 26, 2026

The SigningKey (formerly KeyPair) held the 32-byte seed directly,
and Array<u8, U32> does not pick up ZeroizeOnDrop because u8
does not impl ZeroizeOnDrop. The seed is private key material, so it
needs an explicit Drop that zeroizes.

Adding Drop to SigningKey broke two call sites that moved
signing_key out of a SigningKey (Rust forbids field moves out of
Drop types). Both are refactored: ExpandedSigningKey::from_seed
now contains the FIPS-204 KeyGen_internal logic directly, and
P::from_seed delegates to it. The pkcs8 TryFrom<PrivateKeyInfoRef>
for ExpandedSigningKey decodes the seed inline and calls
ExpandedSigningKey::from_seed rather than going through SigningKey.

Adds a compile-time test asserting ZeroizeOnDrop on both
SigningKey<P> and ExpandedSigningKey<P> for each parameter set.

@MavenRain
ml-dsa: zeroize seed on SigningKey drop
e28ee1f 
  The `SigningKey` (formerly `KeyPair`) held the 32-byte `seed` directly,
  and `Array<u8, U32>` does not pick up `ZeroizeOnDrop` because `u8`
  does not impl `ZeroizeOnDrop`. The seed is private key material, so it
  needs an explicit `Drop` that zeroizes.

  Adding `Drop` to `SigningKey` broke two call sites that moved
  `signing_key` out of a `SigningKey` (Rust forbids field moves out of
  `Drop` types). Both are refactored: `ExpandedSigningKey::from_seed`
  now contains the FIPS-204 KeyGen_internal logic directly, and
  `P::from_seed` delegates to it. The pkcs8 `TryFrom<PrivateKeyInfoRef>`
  for `ExpandedSigningKey` decodes the seed inline and calls
  `ExpandedSigningKey::from_seed` rather than going through `SigningKey`.

  Adds a compile-time test asserting `ZeroizeOnDrop` on both
  `SigningKey<P>` and `ExpandedSigningKey<P>` for each parameter set.
@tarcieri tarcieri mentioned this pull request May 9, 2026
Merged
@tarcieri
Copy link
Copy Markdown
Member

tarcieri commented May 9, 2026

Thanks for pointing this out. I'm taking care of it in #1345.

tarcieri added a commit that referenced this pull request May 9, 2026
@tarcieri
ml-dsa: use MaybeBox for SigningKey
535d696 
Opportunistically stores the parts of `SigningKey` on the heap when the
`alloc` feature is enabled, similar to what #1344 did for
`VerifyingKey`.

This also addresses #1308 by adding a `Drop` (and `ZeroizeOnDrop`) impl
to `SigningKey` which clears the `Seed`.
tarcieri added a commit that referenced this pull request May 9, 2026
@tarcieri
ml-dsa: use MaybeBox for SigningKey (#1345)
c3ded0c 
Opportunistically stores the parts of `SigningKey` on the heap when the
`alloc` feature is enabled, similar to what #1344 did for
`VerifyingKey`.

This also addresses #1308 by adding a `Drop` (and `ZeroizeOnDrop`) impl
to `SigningKey` which clears the `Seed`.
@tarcieri tarcieri closed this May 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MavenRain @tarcieri