Support for seed-only ML-DSA private key serialization format

[jgrateron]

Context:
Currently, KeyStore Explorer serializes ML-DSA private keys (e.g., ML-DSA-44) using the both option from the ASN.1 CHOICE defined in RFC 9881, which includes both the seed (32 bytes) and the expanded key (2560 bytes). This results in a key object of ~2592 bytes.

Problem:
This choice is not viable for environments with strict persistent storage constraints, such as:

• HSMs (Hardware Security Modules)
• Smart cards
• Resource-constrained embedded firmware

In these environments, storing 2.5 KB+ per key is prohibitive compared to alternatives like ECC (32 bytes) or even RSA (256 bytes).

Proposal:
Implement the ability to choose the serialization format for ML-DSA private keys, according to the RFC 9881 options:

1. seed (32 bytes) – ideal for HSM storage.
2. expandedKey (2560 bytes) – generally not recommended.
3. both (2592 bytes) – currently implemented, good for software performance.

Functional requirements:

• Allow import/export of keys in the seed format (ASN.1 tag [0]).
• Keep both as the default for compatibility and general performance.

[The-Lum]

Hello all,

[Just for the record and for traceability]
Link to the initial request:

• support finalized NIST PQC signature algorithms #521 (comment)

Regards,
Th.