11 changes: 8 additions & 3 deletions mldsa/src/sign.c
@@ -692,8 +692,10 @@ __contract__(
* Consequently, any value that can be computed from the signature and public
* key is considered public.
* w0 and w1 are public as they can be computed from Az - ct = \alpha w1 + w0.
* h=c*t0 is public as both c and t0 are public.
* For a more detailed discussion, refer to https://eprint.iacr.org/2022/1406.
* h=c*t0 is public as both c and t0 are considered public.
* While t0 is not part of the public key, it can be reconstructed from
* a small number of signatures and need not be regarded as secret
* (see @[FIPS204, Section 6.1]).
*/
MLD_CT_TESTING_DECLASSIFY(w0, sizeof(*w0));
MLD_CT_TESTING_DECLASSIFY(w1, sizeof(*w1));
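Review bot: the removed line `For a more detailed discussion, refer to https://eprint.iacr.org/2022/1406.` was the only pointer backing the claim that w0 and w1 are public (Az - ct = \alpha w1 + w0), while the new `(see @[FIPS204, Section 6.1])` citation supports only the statement about t0; keep the eprint reference next to the w0/w1 sentence instead of dropping it, so the two MLD_CT_TESTING_DECLASSIFY calls directly below remain justified in-line.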
@@ -964,7 +966,10 @@ int mld_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen,
}
ret = mld_sign_signature(sm, smlen, sm + MLDSA_CRYPTO_BYTES, mlen, ctx,
ctxlen, sk, context);
*smlen += mlen;
if (ret == 0)
Contributor

Please update the comment(s) and the ensures contract for this function in sign.h
(or is it deliberately left under-specified?)

Contributor

Do the comments at the top-level API in mldsa/mldsa_native.h also need to be updated?

Contributor Author

I think the contract and comments are exactly what we want to guarantee:
(return_value == 0 && *smlen == MLDSA_CRYPTO_BYTES + mlen)
WDYT @hanno-becker?

In the long term I think we should rather consider eliminating smlen altogether - see #789.

Contributor

In the failure case(s), should we write *smlen==0 in the ensures clause, or leave it unspecified?

{
*smlen += mlen;
}
return ret;
}
#endif /* !MLD_CONFIG_NO_RANDOMIZED_API */
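Review bot: with `*smlen += mlen;` now guarded by `if (ret == 0)`, the failure path returns with *smlen holding whatever mld_sign_signature left in it, and nothing in the hunk resets that value, so a caller that inspects *smlen before checking the return code could treat a stale or partial length as a valid signed-message length. Suggest adding an else branch that sets `*smlen = 0;` and stating that postcondition in the ensures clause in sign.h (and the API comment in mldsa_native.h), so the contract specifies both the success and the failure outcome.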