mldsa: backfill μ, re-add draft-celi-acvp-ml-dsa table 1 and 2 vectors #213
The `mldsa_sign_common.json` schema used by both seed & noseed sign tests is updated to describe an optional `mu` field. The calculated `mu` value is added to all existing vectors except for the test cases with the `InvalidContext` flag where `mu` would be undefined.
cc @abbra
In my case (high-level PyCA API), we do not plan to expose mu (yet), so it would be good to have a clear indication whether those tests that have no
@abbra I would be open to that 👍 We should also perhaps amend the msg field schema description from
Makes sense to amend a description. As for the flag, maybe follow
The NIST ACVP specification for ML-DSA includes a table with "Known Answer Tests for Rejection Cases". These Known Answer Tests exercise all rejection paths in FIPS 204 Algorithm 7 (`ML-DSA.Sign_internal`):

- ML-DSA-44: `z`, `r0`, `ct0`, `h` rejections
- ML-DSA-65/87: `z`, `r0`, `h` rejections

Notably, the `ct0` rejection (`||ct0||∞ ≥ γ2`) is unique to ML-DSA-44.
The NIST ACVP specification for ML-DSA includes a table with "Known Answer Tests for Number of Rejection Cases". These tests verify at least 32 rejections occur, detecting implementations that abort early and potentially leak information about the underlying key.
16b988d to
38d7080
Looks good to me.
sgmenda left a comment
lgtm, re not possible in json with schema, we should maybe consider toml or something more flexible.
A `mu` value should be provided for each `mldsa_sign_common.json` test case with the exception of `"result": "invalid"` test cases.
Thanks for the reviews :-)
It ended up being possible after all (373a022).
I'm not a huge fan of JSON or JSON schema, but I also don't love TOML 😆 In either case I think it would be a big project to change the format of the vectors and schemas at this point and would probably want to prioritize other things first.
@cpu nice!! thanks for the PR. 🫶🏽
This is a follow up to #207, which was reverted in #210 based on the feedback from #209.
A new commit is added up-front that backfills the calculated μ for both the seed & noseed ML-DSA sign test vectors. The common schema is updated to add `mu` as an optional field.

Then, the draft-celi-acvp-ml-dsa §6.1.2 table 1 and 2 test vectors are re-added, this time without `msg` but with `mu` calculated properly from the input `M'` values. The common schema is updated to make `msg` an optional field to allow these new vectors where we have `mu` but not `msg`. Unlike in #207 both the seed and noseed vectors are updated with the table 1 and 2 vectors.

Updates #193
Replaces #207
Resolves #208
Resolves #209
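For consumers of the backfilled vectors, the following added example (not code from this PR or the project) recomputes μ as FIPS 204 defines it for pure ML-DSA and checks the presence rules discussed in the thread. The `tcId`, `ctx` and `flags` field names, hex encoding of values, and passing the public key in separately are assumptions; the sample key and vectors are constructed.

```python
import hashlib

def mu_from_m_prime(pk: bytes, m_prime: bytes) -> bytes:
    # FIPS 204: tr = H(pk, 64), mu = H(tr || M', 64), with H = SHAKE256
    tr = hashlib.shake_256(pk).digest(64)
    return hashlib.shake_256(tr + m_prime).digest(64)

def mu_from_msg(pk: bytes, msg: bytes, ctx: bytes = b""):
    # Pure ML-DSA: M' = 0x00 || len(ctx) || ctx || M; undefined when ctx > 255 bytes
    if len(ctx) > 255:
        return None
    return mu_from_m_prime(pk, bytes([0, len(ctx)]) + ctx + msg)

def check_group(pk: bytes, tests: list) -> list:
    """Return (tcId, problem) pairs for a list of sign test cases."""
    problems = []
    for t in tests:
        mu = t.get("mu")
        if "InvalidContext" in t.get("flags", []):
            if mu is not None:
                problems.append((t["tcId"], "mu present but undefined for InvalidContext"))
            continue
        if mu is None:
            if t["result"] != "invalid":
                problems.append((t["tcId"], "mu missing"))
            continue
        if "msg" in t:  # vectors carrying only mu (no msg) cannot be recomputed here
            ctx = bytes.fromhex(t.get("ctx", ""))
            want = mu_from_msg(pk, bytes.fromhex(t["msg"]), ctx)
            if want is None or want.hex() != mu.lower():
                problems.append((t["tcId"], "mu mismatch"))
    return problems

# Constructed sample data: placeholder key bytes, not a real ML-DSA public key
PK = bytes(range(32))
GOOD = mu_from_msg(PK, b"hello", b"ctx").hex()
SAMPLE = [
    {"tcId": 1, "msg": b"hello".hex(), "ctx": b"ctx".hex(), "mu": GOOD, "result": "valid", "flags": []},
    {"tcId": 2, "msg": b"hello".hex(), "ctx": "", "mu": GOOD, "result": "valid", "flags": []},  # mu for another ctx
    {"tcId": 3, "msg": "00", "ctx": "00" * 256, "result": "invalid", "flags": ["InvalidContext"]},
    {"tcId": 4, "msg": "00", "result": "valid", "flags": []},  # mu missing
    {"tcId": 5, "mu": GOOD, "result": "valid", "flags": []},  # mu without msg
]

if __name__ == "__main__":
    for tc_id, problem in check_group(PK, SAMPLE):
        print(tc_id, problem)
```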