
ML-DSA-44 vectors are missing ct0 rejection tests

Open FiloSottile opened this issue 2 months ago • 2 comments

ML-DSA-44, unlike -65 and -87, can reject due to ||ct0||∞ ≥ γ2. It doesn't look like we have test vectors for that.

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/G8Zf0hC-uu0/m/Kb3qNJb0AwAJ has a very comprehensive set, unfortunately for Dilithium-2, but we should seek to reproduce them.

It would be good to generate boundary conditions for the other rejection cases, too. Especially for the ||r0||∞ ≥ γ2 − β check, since r0 is not used for anything else, so an off-by-one (or, in my case, a flipped sign of cs2) can go undetected.

FiloSottile, Nov 03 '25 15:11
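The two checks named in the post above, as an added example that is not part of the issue thread or of Wycheproof: it uses the FIPS 204 parameter sets to show why the ct0 bound can only be reached for ML-DSA-44, and which inputs separate a correct `≥ γ2 − β` comparison from an off-by-one. Function names are hypothetical and the polynomials are constructed sample inputs.

```python
# Added example: constants are the FIPS 204 parameter sets; all function
# names are hypothetical and the polynomials are constructed sample inputs.
Q, D = 8380417, 13  # modulus q, number of bits dropped from t

PARAMS = {  # name: (tau, eta, gamma2)
    "ML-DSA-44": (39, 2, (Q - 1) // 88),
    "ML-DSA-65": (49, 4, (Q - 1) // 32),
    "ML-DSA-87": (60, 2, (Q - 1) // 32),
}

def inf_norm(poly):
    """Infinity norm using the centered representative of each coefficient mod q."""
    def centered(x):
        x %= Q
        return x - Q if x > (Q - 1) // 2 else x
    return max(abs(centered(c)) for c in poly)

def ct0_rejection_possible(name):
    """c has tau coefficients of +-1 and |t0_i| <= 2^(d-1), so
    ||c*t0||_inf <= tau * 2^(d-1). If that bound is below gamma2 the
    ct0 check can never fire for this parameter set."""
    tau, _, gamma2 = PARAMS[name]
    return tau * 2 ** (D - 1) >= gamma2

def r0_bound(name):
    tau, eta, gamma2 = PARAMS[name]
    return gamma2 - tau * eta  # gamma2 - beta

def rejects_r0(poly, name):
    return inf_norm(poly) >= r0_bound(name)

def rejects_r0_off_by_one(poly, name):
    """Deliberately wrong comparison, to show what boundary vectors catch."""
    return inf_norm(poly) > r0_bound(name)

def disagreements(name, n=256):
    """Peak coefficient values near the bound where the two checks differ."""
    b, out = r0_bound(name), []
    for v in (b - 1, b, b + 1, -(b - 1), -b, -(b + 1)):
        poly = [0] * n
        poly[0] = v % Q  # stored as a residue in [0, q)
        if rejects_r0(poly, name) != rejects_r0_off_by_one(poly, name):
            out.append(v)
    return out

if __name__ == "__main__":
    for name in PARAMS:
        print(name, ct0_rejection_possible(name), disagreements(name))
```

Only a coefficient of magnitude exactly γ2 − β distinguishes the two comparisons, so a test suite without a vector at that value passes both.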

We also got permission to import the tests from https://github.com/smuellerDD/leancrypto/tree/master/ml-dsa/tests, described at https://leancrypto.org/leancrypto/debugging_support/index.html#generation-of-ml-dsa-signature-generation-rejection-test-vectors.

Moreover, we should add a couple tests for randomized signatures. It's a simple scheme, but good to cover the codepath.

FiloSottile, Nov 05 '25 16:11

We can import the ct0 tests from ACVP (see https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/6U34L4ISYzk/m/hel75x07AQAJ).

FiloSottile, Nov 18 '25 17:11