Skip to content

ml-dsa: deterministic hint-decode canonicity regression tests (GHSA-5x2r-hc65-25f9)#1418

Open
amarshat wants to merge 1 commit into
RustCrypto:masterfrom
amarshat:test/hint-decode-canonicity-regression
Open

ml-dsa: deterministic hint-decode canonicity regression tests (GHSA-5x2r-hc65-25f9)#1418
amarshat wants to merge 1 commit into
RustCrypto:masterfrom
amarshat:test/hint-decode-canonicity-regression

Conversation

@amarshat

@amarshat amarshat commented Jul 6, 2026

Copy link
Copy Markdown

Complements Wycheproof's end-to-end repeated-hint vector (#1176) with deterministic, decoder-local regression coverage for the FIPS 204 Algorithm 21 (HintBitUnpack) canonicity rules: monotonic bounded cuts, strict per-polynomial index ordering, zero padding after the last cut, and their acceptance boundaries. Runs across ML-DSA-44, 65, and 87.

The bug (GHSA-5x2r-hc65-25f9 / CVE-2026-24850, fixed in #895) was a single <= where the spec requires strict < in the per-polynomial ordering check. These tests exercise Signature::decode directly and assert each clause:

  • a repeated index within one polynomial is rejected (the CVE),
  • decreasing indices rejected, decreasing cuts rejected, cut > ω rejected, nonzero padding rejected;
  • and the valid boundaries are accepted: a canonical hint, the empty hint, cut == ω, and the legal case of the same index value in different polynomials.

Verified locally: cargo test -p ml-dsa --lib passes on all three parameter sets, and the repeated-index cases fail on all three if the strict < in hint.rs is reverted to <=. cargo fmt --check and cargo clippy --tests are clean.

Not a bug report; the current code is correct. Placement is in lib.rs (testing the public Signature::decode ingress); happy to fold into the existing test module if preferred.

@amarshat amarshat force-pushed the test/hint-decode-canonicity-regression branch 3 times, most recently from 231471c to 5797198 Compare July 6, 2026 22:51
Adds unit-level tests exercising Signature::decode directly against the
HintBitUnpack canonicity clauses (FIPS 204 Algorithm 21), the
GHSA-5x2r-hc65-25f9 / CVE-2026-24850 site. They complement the Wycheproof
verification corpus (which covers end-to-end verification of the
repeated-hint vector) with decoder-local checks: strict per-polynomial
index ordering (the bug was <= where < is required), monotonic bounded
cuts, zero padding after the last cut, the empty hint, the cut == omega
upper boundary, and the legal boundary that identical index values may
occur in different polynomials. Run for all three parameter sets.

Verified: pass on current main, and the repeated-index cases fail if the
strict < in hint.rs is reverted to <=.
@amarshat amarshat force-pushed the test/hint-decode-canonicity-regression branch from 5797198 to 503f391 Compare July 7, 2026 08:17
@amarshat amarshat marked this pull request as ready for review July 7, 2026 21:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant