Add ML-DSA test vectors that exercise the use_hint function with (1, 0) as input #234
…nput. Reproduction case for the bug in tink-crypto/tink-go#48.
| }, | ||
| { | ||
| "type": "MlDsaVerify", | ||
| "publicKey": "2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", |
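Review bot: the publicKey value in this MlDsaVerify entry is a constructed key (a short run of 0x2b bytes followed entirely by zero bytes), and nothing in the visible lines says so. The PR description explains that the all-zero t1 is deliberate; consider recording that alongside the vector itself, so that a harness which sanity-checks or re-encodes keys does not treat the entry as corrupt input.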
vectorlint is failing because these are currently missing publicKeyDer, the SPKI representation. (BoringSSL uses this in one of our test harnesses.)
In a pinch you can construct it by just prepending the right prefix to each key. I believe they are:
- ML-DSA-44: 30820532300b06096086480165030403110382052100
- ML-DSA-65: 308207b2300b0609608648016503040312038207a100
- ML-DSA-87: 30820a32300b060960864801650304031303820a2100
And then to spot-check them, you can echo .... | der2ascii -hex with https://github.com/google/der-ascii
Ah! Thank you for generating and contributing this vector! I had been trying to get coverage for h=1, w_approx={-1, 0, 1} and had found no good way. This covers 0, any way to cover 1 and -1? Also, I had instead resorted to exhaustively testing all use_hint inputs. Could you check if https://github.com/C2SP/CCTV/tree/main/ML-DSA/accumulated#field-operation-tests would have caught this bug?
Reproduction case for the bug in tink-crypto/tink-go#48.
These hand-crafted tests use:
- t1 set to all zeros,
- z set to all zeros.

These conditions ensure that the verifier obtains a w_approx set to all zeros.

Then all hints in the signature are set to false except the first one, which ensures that a call to use_hint(1, 0) is made.

- w1 is computed correctly by using this hint, and a consistent c_tilde is then derived and put in the signature.
- w1 is set to all zeros instead (which is what happens when using the buggy implementation of use_hint that is fixed in "mldsa: fix UseHint edge case for r0=0 per FIPS 204 Algorithm 40", tink-crypto/tink-go#48), and an inconsistent c_tilde is generated. Compliant implementations therefore reject this signature, whereas buggy ones accept it.

(In other words, the difference between the valid and invalid signatures is the value of c_tilde.)
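The use_hint(1, 0) edge case described above, as an added example that is not code from this PR or from tink-go: FIPS 204 Algorithm 36 (Decompose) and Algorithm 40 (UseHint), next to a faulty variant. `useHintBuggy` is a hypothetical model that only reproduces the behaviour the description attributes to the bug (the hinted coefficient stays 0); `mismatches` goes beyond the single vector and scans every input for both gamma2 values.

```go
package main

import "fmt"

const q = 8380417 // ML-DSA modulus from FIPS 204

// decompose follows FIPS 204 Algorithm 36: r = r1*2*gamma2 + r0 with -gamma2 < r0 <= gamma2.
func decompose(r, gamma2 int32) (r1, r0 int32) {
	rp := ((r % q) + q) % q
	if r0 = rp % (2 * gamma2); r0 > gamma2 {
		r0 -= 2 * gamma2 // centred remainder (mod±)
	}
	if rp-r0 == q-1 {
		return 0, r0 - 1 // wrap-around case at r = q-1
	}
	return (rp - r0) / (2 * gamma2), r0
}

// useHint follows FIPS 204 Algorithm 40.
func useHint(h bool, r, gamma2 int32) int32 {
	m := (q - 1) / (2 * gamma2)
	r1, r0 := decompose(r, gamma2)
	if h && r0 > 0 {
		return (r1 + 1) % m
	} else if h { // r0 <= 0, which includes the r0 = 0 edge case
		return (r1 - 1 + m) % m
	}
	return r1
}

// useHintBuggy (hypothetical, not tink-go code) drops the hint when r0 = 0.
func useHintBuggy(h bool, r, gamma2 int32) int32 {
	_, r0 := decompose(r, gamma2)
	return useHint(h && r0 != 0, r, gamma2)
}

// mismatches lists every r in [0, q) where the two variants disagree for h = 1.
func mismatches(gamma2 int32) (out []int32) {
	for r := int32(0); r < q; r++ {
		if useHint(true, r, gamma2) != useHintBuggy(true, r, gamma2) {
			out = append(out, r)
		}
	}
	return
}

func main() {
	g := int32((q - 1) / 88) // gamma2 for ML-DSA-44
	fmt.Println(useHint(true, 0, g), useHintBuggy(true, 0, g), len(mismatches(g)))
}
```

The two variants disagree only at multiples of 2*gamma2, a small set out of q possible inputs, which is why a vector that forces r = 0 with the hint set is needed to reach the branch.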