From 33337c70cf208375fc1dd4324681674b32a596be Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 10 Feb 2026 10:57:26 +0800 Subject: [PATCH 1/2] sign: Set smlen to 0 in case of failure In mld_sign if a failure is returned from mld_sign_signature, we currently set the smlen to mlen (mld_sign_signature returns smlen=0, and we increment it by mlen). This commit changes it so that in the case of failure smlen=0 is returned. Signed-off-by: Matthias J. Kannwischer --- mldsa/src/sign.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mldsa/src/sign.c b/mldsa/src/sign.c index cb322b75b..4ae40cc6c 100644 --- a/mldsa/src/sign.c +++ b/mldsa/src/sign.c @@ -964,7 +964,10 @@ int mld_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, } ret = mld_sign_signature(sm, smlen, sm + MLDSA_CRYPTO_BYTES, mlen, ctx, ctxlen, sk, context); - *smlen += mlen; + if (ret == 0) + { + *smlen += mlen; + } return ret; } #endif /* !MLD_CONFIG_NO_RANDOMIZED_API */ From 134bfe11c73ca507bc2a2368dc1dfa7bef7af773 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 10 Feb 2026 11:15:34 +0800 Subject: [PATCH 2/2] CT: Clarify that t0 is public despite it not being part of the pk This commit adds a reference to FIPS204 that states that t0 does not need to be considered secret. That replaces an old reference to an eprint report stating the same. Signed-off-by: Matthias J. Kannwischer --- mldsa/src/sign.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mldsa/src/sign.c b/mldsa/src/sign.c index 4ae40cc6c..1a84f25bc 100644 --- a/mldsa/src/sign.c +++ b/mldsa/src/sign.c 
@@ -692,8 +692,10 @@ __contract__( * Consequently, any value that can be computed from the signature and public * key is considered public. * w0 and w1 are public as they can be computed from Az - ct = \alpha w1 + w0. - * h=c*t0 is public as both c and t0 are public. - * For a more detailed discussion, refer to https://eprint.iacr.org/2022/1406. + * h=c*t0 is public as both c and t0 are considered public. + * While t0 is not part of the public key, it can be reconstructed from + * a small number of signatures and need not be regarded as secret + * (see @[FIPS204, Section 6.1]). */ MLD_CT_TESTING_DECLASSIFY(w0, sizeof(*w0)); MLD_CT_TESTING_DECLASSIFY(w1, sizeof(*w1));
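Review bot: In the first hunk (mld_sign, around line 964), the "smlen=0 on failure" guarantee now rests entirely on mld_sign_signature having already written `*smlen = 0` before returning non-zero; the hunk itself only skips the `+= mlen`. An explicit `else { *smlen = 0; }` (or a one-line comment stating that mld_sign_signature zeroes `*smlen` on error) would make the contract local to this function and keep it correct if the callee's error path changes later. The public header's description of `smlen` on failure should be updated in the same change so callers do not rely on the old value.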
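Review bot: In the second hunk (the constant-time comment around line 692), the removed line pointed readers to https://eprint.iacr.org/2022/1406 "for a more detailed discussion", while the replacement only cites `@[FIPS204, Section 6.1]`; since the FIPS text states that t0 need not be treated as secret but the eprint report carries the analysis of why, consider keeping both references rather than swapping one for the other. Please also confirm that the `@[FIPS204, ...]` key matches the citation format used elsewhere in the code base so the reference resolves.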