ml-dsa: additional test vectors#242
Conversation
sgmenda
left a comment
sgmenda
left a comment
There was a problem hiding this comment.
haven’t independently verified them, but lgtm.
|
It is not required for merging, but @tob-scott-a could you share the precise sage script used to generate the test vectors? |
https://gist.github.com/tob-scott-a/2343b9e8e5980ecca25ae1d987f71a2b |
davidben
left a comment
davidben
left a comment
There was a problem hiding this comment.
Verified by running these through our implementation.
|
I don't understand what these vectors add, I believe every single existing vector would catch Bernstein's made-up bugs. https://mailarchive.ietf.org/arch/msg/tls/p5j6UCQGBAOblWPAjXb5ycMjxA4/ |
|
Oh, if they're redundant then yeah I agree there's no point in adding them. (Haven't checked myself. I did not simulate the bugs to check if the existing vectors would have caught them or anything.) |
|
The implementations I worked with did not use the full Wycheproof test suite due to feature limitations (e.g., no deterministic support, only hedged), so the gaps I observed could have been a false negative. Codex agrees with your statement, @FiloSottile. Happy to close this if you think it adds no real value. |
4 participants
This PR adds new test cases to kill implementation bug classes identified in DJB's latest loquacious screed against ML-DSA.
It's sad that Dr. Bernstein prioritizes trying to win cheap points in Internet debates by citing CVEs against pre-production software and fearmongering instead of doing anything to actually help improve Internet security.
To wit: If a CRQC were to exist today, Ed25519 would contribute zero security, and thus ML-DSA implementation security would be all that users can rely on.
So, I'm doing the work DJB should have done instead of writing that doc, using the vector-forge skill.
Target
ML-DSA-44, ML-DSA-65, and ML-DSA-87 signing test vectors.
The target bug classes come from Daniel J. Bernstein, "Exploiting ML-DSA
bugs" (2026-06-01), https://cr.yp.to/papers/mldsa-20260601.pdf, and its
supplement, https://cr.yp.to/2026/mldsabugs-20260601.tar.gz.
Bug Classes
SigningRandomnessExpansion: signers that incorrectly expand theper-signature mask
y, including AABBCC, ABABCDCD, and A0B0C0-stylecoefficient patterns.
RepeatedNonce: signers that omit message-dependent material from noncederivation, causing repeated
yvalues across messages.ClearedSecretK: signers or key-generation paths that clear or ignore thesecret
Kvalue used in per-signature mask derivation.These are signing-side bugs: a faulty signer can emit signatures that verify
under a correct verifier. Verification-only tests do not catch them; exact
known-answer signing tests do.
Vectors Added
Each parameter set gets three same-key deterministic signing KATs using
rnd = 00...00, added to both seed-key and full-key signing corpora.testvectors_v1/mldsa_44_sign_seed_test.jsontestvectors_v1/mldsa_44_sign_noseed_test.jsontestvectors_v1/mldsa_65_sign_seed_test.jsontestvectors_v1/mldsa_65_sign_noseed_test.jsontestvectors_v1/mldsa_87_sign_seed_test.jsontestvectors_v1/mldsa_87_sign_noseed_test.jsonValidation
supplement's
mldsa.sagereference implementation.implementation and
rnd = 00...00before generating new vectors.pqcryptoML-DSAimplementation.
Fault Replay
The new seed-key vectors were replayed against five simulated faulty signers: AABBCC, ABABCDCD, A0B0C0, truncated nonce derivation (
rho = H(K)), and zeroedK.This confirms the intended Vector Forge property: these vectors catch implementation bugs that ordinary sign-and-verify or interoperability tests would miss.