ML-DSA, CRYSTALS-Dilithium Digital Signature Algorithm

ML-DSA and CRYSTALS-Dilithium are lattice-based digital signature schemes whose security is based on the hardness of finding short vectors in lattices. They are members of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. The strength of the key is represented by the size of its matrix of polynomials; the larger the matrix size, the stronger the key. These keys can only be used for Digital Signature Generation and Verification.
Note: ML-DSA is the standardized version of the CRYSTALS-Dilithium Digital Signature Algorithm.

ICSF supports the ML-DSA algorithm within the CCA architecture. The CRYSTALS-Dilithium Signature Algorithm is supported on both the PKCS#11 and CCA architectures.

PKCS#11 CRYSTALS-Dilithium key operations can be performed in hardware or software. These key operations are supported on the IBM z15 or later hardware with a CEX7P or later feature. There is no PKCS#11 C-API for CRYSTALS-Dilithium keys.

CCA ML-DSA and CRYSTALS-Dilithium key operations are performed only in hardware. A CEX7C or higher coprocessor is required for CRYSTALS-Dilithium. A CEX8C or higher coprocessor is required for ML-DSA.

The abbreviation LI2 is used to refer to CRYSTALS-Dilithium in character-restricted fields.

PKCS#11 callable services that support CRYSTALS-Dilithium key operations are:

  • PKCS #11 Generate Key Pair (CSFPGKP and CSFPGKP6).
  • PKCS #11 One-Way Hash, Sign, or Verify (CSFPOWH and CSFPOWH6).
  • PKCS #11 Private Key Sign (CSFPPKS and CSFPPKS6).
  • PKCS #11 Public Key Verify (CSFPPKV and CSFPPKV6).
  • PKCS #11 Token Record Create (CSFPTRC and CSFPTRC6).

CCA callable services that support ML-DSA and CRYSTALS-Dilithium key operations are:

  • Digital Signature Generate (CSNDDSG and CSNFDSG).
  • Digital Signature Verify (CSNDDSV and CSNFDSV).
  • PKA Key Generate (CSNDPKG and CSNFPKG).
  • PKA Key Import (CSNDPKI and CSNFPKI).
  • PKA Key Token Build (CSNDPKB and CSNFPKB).
  • PKA Key Token Change (CSNDKTC and CSNFKTC).
  • PKA Key Translate (CSNDPKT and CSNFPKT).
  • PKA Public Key Extract (CSNDPKX and CSNFPKX).
  • PKDS Key Record Create (CSNDKRC and CSNFKRC).
  • PKDS Key Record Delete (CSNDKRD and CSNFKRD).
  • PKDS Key Record Read and PKDS Key Record Read2 (CSNDKRR or CSNDKRR2 and CSNFKRR or CSNFKRR2).
  • PKDS Key Record Write (CSNDKRW and CSNFKRW).