ml-dsa: deterministic hint-decode canonicity regression tests (GHSA-5x2r-hc65-25f9)#1418
Open
amarshat wants to merge 1 commit into
Open
ml-dsa: deterministic hint-decode canonicity regression tests (GHSA-5x2r-hc65-25f9)#1418amarshat wants to merge 1 commit into
amarshat wants to merge 1 commit into
Conversation
231471c to
5797198
Compare
Adds unit-level tests exercising Signature::decode directly against the HintBitUnpack canonicity clauses (FIPS 204 Algorithm 21), the GHSA-5x2r-hc65-25f9 / CVE-2026-24850 site. They complement the Wycheproof verification corpus (which covers end-to-end verification of the repeated-hint vector) with decoder-local checks: strict per-polynomial index ordering (the bug was <= where < is required), monotonic bounded cuts, zero padding after the last cut, the empty hint, the cut == omega upper boundary, and the legal boundary that identical index values may occur in different polynomials. Run for all three parameter sets. Verified: pass on current main, and the repeated-index cases fail if the strict < in hint.rs is reverted to <=.
5797198 to
503f391
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Complements Wycheproof's end-to-end repeated-hint vector (#1176) with deterministic, decoder-local regression coverage for the FIPS 204 Algorithm 21 (
HintBitUnpack) canonicity rules: monotonic bounded cuts, strict per-polynomial index ordering, zero padding after the last cut, and their acceptance boundaries. Runs across ML-DSA-44, 65, and 87.The bug (GHSA-5x2r-hc65-25f9 / CVE-2026-24850, fixed in #895) was a single
<=where the spec requires strict<in the per-polynomial ordering check. These tests exerciseSignature::decodedirectly and assert each clause:Verified locally:
cargo test -p ml-dsa --libpasses on all three parameter sets, and the repeated-index cases fail on all three if the strict<inhint.rsis reverted to<=.cargo fmt --checkandcargo clippy --testsare clean.Not a bug report; the current code is correct. Placement is in
lib.rs(testing the publicSignature::decodeingress); happy to fold into the existing test module if preferred.