mldsa: add ctx-length=255 boundary sign-seed vectors #235

Open
tob-scott-a wants to merge 1 commit into C2SP:main from tob-scott-a:vectorforge-pqc

Conversation

@tob-scott-a (Contributor)

I tried to identify areas to strengthen the ML-KEM and ML-DSA test vectors using the vector-forge Claude skill, which uses mutation testing and graph analysis (ideally with multiple implementations) to identify areas where bugs are not killed by the current test vector suite. (Or to generate a fresh suite for an algorithm that doesn't have good tests already.)

After a list of candidates was identified, I had Claude eliminate duplicated work in other PRs (e.g., #234, which kills the use_hint mutants in RustCrypto).

The only ML-KEM mutation-testable gap found in RustCrypto was in compress.rs and requires a targeted-search tool that generates a ciphertext whose decapsulated shared secret depends on decompression rounding direction. (The escaped mutant in question affects the POW2_HALF value.)

This isn't the most important addition to the test suite (and the ML-KEM one might require a bit of luck), but I thought I'd toss it over in case it's helpful to exercise the boundary conditions of ctx length.

Adds one valid deterministic signature per parameter set (tcId 89 / 108 / 99 for ML-DSA-44 / 65 / 87) with a context of exactly 255 bytes — the inclusive upper bound of the FIPS 204 domain-separator length field.

The existing 255-byte context test in each file (tcId 4) carries a precomputed mu and therefore verifies via Sign_mu / Verify_mu, bypassing the ctx-length check in Sign (FIPS 204 §5.2 line 3, pseudocode `if |ctx| > 255 return perp`). These new vectors exercise Sign directly with msg + ctx, so an implementation that mis-handles the boundary as `|ctx| >= 255` will reject a case the spec requires to succeed.

Each vector still carries a precomputed mu so existing harnesses that only consume the mu path continue to match; the cross-verification assertion is between the vector's sig field and the implementation's deterministic signature over (sk, msg, ctx). Generated with RustCrypto ml-dsa v0.1.0-rc.8 and cross-verified against Cloudflare CIRCL sign/mldsa/mldsa{44,65,87} (byte-identical deterministic sig + Verify acceptance).

All files pass vectorlint against the unchanged mldsa_sign_seed_schema.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
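The boundary the PR description is about, as an added illustration that is not part of the pull request or of any ML-DSA library: the spec check in ML-DSA.Sign (FIPS 204 Algorithm 2) rejects a context only when it is longer than 255 bytes, and the `M'` it then builds prefixes a single length byte to `ctx`. The off-by-one mutant `|ctx| >= 255` and the correct check agree on every context length except exactly 255, which is why a vector at that length is needed to kill it, and why a vector that is only checked through a precomputed mu cannot: the mu path never runs the length check or the `M'` construction. The `tr` value and the messages below are constructed placeholders, not values from the vector files.

```python
import hashlib

CTX_MAX_LEN = 255  # one length byte in M', so 0..255 inclusive is valid


def ctx_length_ok(ctx: bytes) -> bool:
    """Spec check (FIPS 204 ML-DSA.Sign): return bottom only if |ctx| > 255."""
    return len(ctx) <= CTX_MAX_LEN


def ctx_length_ok_mutant(ctx: bytes) -> bool:
    """Hypothetical off-by-one mutant: rejects the 255-byte ctx the spec accepts."""
    return len(ctx) < CTX_MAX_LEN


def format_message(msg: bytes, ctx: bytes) -> bytes:
    """Pure (non-pre-hash) ML-DSA domain separation:
    M' = IntegerToBytes(0, 1) || IntegerToBytes(|ctx|, 1) || ctx || M.
    This is the step a Sign(sk, msg, ctx) vector exercises and a mu-only vector skips."""
    if not ctx_length_ok(ctx):
        raise ValueError("ctx longer than 255 bytes is not representable in M'")
    return b"\x00" + bytes([len(ctx)]) + ctx + msg


def compute_mu(tr: bytes, msg: bytes, ctx: bytes) -> bytes:
    """mu = H(tr || M', 64) with H = SHAKE256, as in ML-DSA.Sign_internal.
    tr is the 64-byte public-key hash; callers supply it (constructed here)."""
    if len(tr) != 64:
        raise ValueError("tr must be 64 bytes")
    return hashlib.shake_256(tr + format_message(msg, ctx)).digest(64)


def divergent_ctx_lengths(max_len: int = 300) -> list[int]:
    """Context lengths at which the spec check and the mutant disagree.
    A test suite kills the mutant only if it contains a Sign-path vector
    at one of these lengths."""
    return [
        n for n in range(max_len + 1)
        if ctx_length_ok(b"\x00" * n) != ctx_length_ok_mutant(b"\x00" * n)
    ]


def mutant_survives(ctx_lengths_in_suite: list[int]) -> bool:
    """True if no Sign-path vector in the suite has a length that kills the mutant."""
    killers = set(divergent_ctx_lengths())
    return not any(n in killers for n in ctx_lengths_in_suite)


if __name__ == "__main__":
    tr = hashlib.shake_256(b"constructed placeholder pk").digest(64)  # constructed, not a real pk hash
    print("divergent lengths:", divergent_ctx_lengths())            # [255]
    print("suite with only mu-path 255 vector (Sign path sees 0..32):",
          mutant_survives(list(range(33))))                         # True: mutant escapes
    print("suite with a Sign-path 255-byte ctx vector:",
          mutant_survives([0, 32, 255]))                            # False: mutant killed
    print("mu over 255-byte ctx:", compute_mu(tr, b"msg", b"c" * 255).hex()[:32], "...")
```

`mutant_survives` models the situation the description reports: tcId 4 carries a 255-byte context but is consumed through the mu path, so from the mutant's point of view the Sign path only ever saw shorter contexts and the `>=` variant escaped; a vector that drives Sign with the 255-byte context itself is what makes the two functions diverge on real input.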