[This feature is available only in the licensed version]
If you need a license, you can obtain a 30-day license from the Program Key Issuance page. This feature can be tested with BerEditor version 2.5.0 or later.
Let’s use the BerEditor tool to generate a key pair with the PQC algorithm ML-DSA and create a digital signature with it.
In this example, the execution environment is set to English. If the language is Korean, the message will be displayed in Korean.
Generating an ML-DSA Key Pair
To create an electronic signature, you must first generate an ML-DSA key pair.
To generate a key pair, run BerEditor -> Service -> KeyPair Manager.
In KeyPair Manager, select “Generate KeyPair.”
In the KeyPair window, enter the key pair name and select ML DSA in the PQC section.
For KeyLength, select one of the three options (DSA_44, DSA_65, DSA_87). It becomes
Once the key pair is created, you can check it using the name you entered in the KeyPair Manager.
To view the key’s detailed value, double-click the key.
Note that the key pair generated by KeyPair Manager is for testing purposes, so the private key is stored as a plain value in PEM format. Treat KeyPair Manager as a testing tool rather than as safe storage. CertMan also stores certificates and private keys, but because CertMan keeps them together with certificates, the private key is encrypted and stored in PKCS8 format for added security, and the private key password is requested when the key is used.
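The following is an added example, not part of BerEditor or the original page: a check that tells an unencrypted PEM private key (the storage described for KeyPair Manager) from an encrypted PKCS8 one (the storage described for CertMan) and reports the ML-DSA parameter set. It assumes the plain key uses the standard PKCS#8 `PRIVATE KEY` label and the NIST-registered ML-DSA OIDs; the sample PEM is constructed and holds no real key material.

```python
import base64
import re

# OIDs of the three ML-DSA parameter sets (DSA_44 / DSA_65 / DSA_87 in the UI).
ML_DSA_OIDS = {"2.16.840.1.101.3.4.3.17": "ML-DSA-44",
               "2.16.840.1.101.3.4.3.18": "ML-DSA-65",
               "2.16.840.1.101.3.4.3.19": "ML-DSA-87"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify_private_key(pem_text):
    """Return (storage, algorithm) for the first PKCS#8 private key in pem_text."""
    m = re.search(r"-----BEGIN ((?:ENCRYPTED )?PRIVATE KEY)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PKCS#8 private key block found")
    if m.group(1).startswith("ENCRYPTED"):
        return "encrypted", None  # the key's algorithm OID sits inside the ciphertext
    der = base64.b64decode("".join(m.group(2).split()))
    _, body, _ = read_tlv(der, 0)        # PrivateKeyInfo SEQUENCE
    _, _, pos = read_tlv(body, 0)        # version INTEGER
    _, alg_id, _ = read_tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = decode_oid(oid_raw)
    return "unencrypted", ML_DSA_OIDS.get(oid, oid)

# Constructed sample: ML-DSA-65 OID wrapped around 32 zero bytes, not a real key.
_b64 = base64.b64encode(bytes.fromhex("3032020100300b06096086480165030403120420" + "00" * 32)).decode()
SAMPLE_PEM = f"-----BEGIN PRIVATE KEY-----\n{_b64}\n-----END PRIVATE KEY-----\n"
```

A result of `("unencrypted", ...)` for a key file outside a test setup means the private key is readable by anyone who can read the file.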
Creating an ML-DSA Digital Signature
To create a digital signature using the generated ML-DSA key pair, select BerEditor->Cryptography->Sign/Verify.
In that window, click the Sign radio button (selected by default).
For reference, the Hash algorithm combo value is ignored for ML-DSA. EdDSA, ML-DSA, and SLH-DSA each use an internally fixed hash rather than one you specify, so there is no need to choose a Hash value. ML-DSA uses SHAKE as its hash algorithm internally; the digest algorithm is fixed within ML-DSA and is not specified.
After entering the input data and clicking the Sign button, select the previously generated ML-DSA key in the KeyPair Manager (double-click).
Selecting the key will display the signature value in the Signature field.
Internally, the private key is read from KeyPair Manager and signed.
Note that Use CertMan at the top should not be checked. If Use CertMan is checked, the CertMan window appears instead of the KeyPair Manager window. If the ML-DSA key and certificate are in CertMan, the test can be performed in the same manner, but this example uses the KeyPair Manager. If you want to test with a private key and public key stored as files instead of the key pair created here, check Select each certificate and private key and select the corresponding files.
Verifying an ML-DSA Digital Signature
To verify a digital signature using the generated ML-DSA key pair, select BerEditor->Cryptography->Sign/Verify.
In that window, click the “Verify” radio button.
Enter the input data and signature values, then click the “Verify” button. The signature verification results will be displayed.
In the image below, the square mark is missing from the Signature section, but the Signature value must be entered.
As with signature creation, Use CertMan should not be checked for signature verification.
Conclusion
Demand for the current PQC algorithms and their modifications seems to be growing rapidly, and OpenSSL 3.5 LTS includes ML-DSA, ML-KEM, and SLH-DSA.
BerEditor now supports PQC so that you can familiarize yourself with it and verify its values.
For reference, for SLH-DSA you only need to select SLH-DSA when choosing the key pair; key pair generation, digital signing, and verification are otherwise the same.