Merge pull request #1525 from usnistgov/MlDsaAddTestCases
Adds interesting test cases to ML-DSA SigGen
celic authored Aug 8, 2024
2 parents bbce2ac + 7a9a411 commit 56bca24
Showing 2 changed files with 44 additions and 0 deletions.
35 changes: 35 additions & 0 deletions src/ml-dsa/sections/04-testtypes.adoc
Expand Up @@ -27,3 +27,38 @@ The tests described in this document have the intention of ensuring an implement
==== Requirements Not Covered

* FIPS 204 Section 3.5. Additional Requirements. Requirements outlined in this section are not testable by an ACVP server. An ACVP server will not test the zeroization of intermediate values, security strength of the deterministic random bit generators (DRBGs), or incorrect length signatures or public keys.

[[known_answer_tests]]
=== Known Answer Tests

Within ML-DSA sigGen, the algorithm enters a loop until a valid signature is found. The loop contains four potential reasons to reject a candidate signature: if the z infinity norm is too large, if the r infinity norm is too large, if there are too many hints in h, or if the ct0 infinity norm is too large. These conditions occur at various rarities that can make it difficult to test each error condition with randomized testing. If an implementation adheres strictly to the pseudocode in <<FIPS204>>, the following table provides helpful known answer tests that trigger each rejection case exactly once. If the implementation varies from the psuedocode, it would be prudent to use a debugger to ensure that all rejection cases are triggered by testing. To save on space, the table will provide the seed used to generate the key pair, and a hash of the keys, SHA2-256(pk || sk). A hash of the resulting signature is also provided, SHA2-256(sig). All cases are defined using the deterministic signature method. Note that the ct0 infinity norm check only applies to ML-DSA-44. This condition is not possible on the other security levels. Thanks to Qinglai Xiao and Mike Hamburg (Rambus Inc) for providing code to generate these test cases; more information on their technique is available on the NIST PQC-Forum <<PQC-Forum>>.

[[kats_table]]
.ML-DSA sigGen Known Answer Tests for Rejection Cases
|===
| Security Level | Seed | Key Hash | Message | Signature Hash

| ML-DSA-44 | 9EFCCC4652FFCCA921675044212B9845A06591ED6C21BDAA7053F18788B8FAB8 | F5721F9249EC740A32C8EDAD28DE5913587DD09509396BCC82466ED9D05C2422 | 636EF578FF26E7286BF9E6AA832FD1B3E2830C971571425AD3925197C9BDCF35 | 1379ACF5632268AAA4CD113BE8D2E99A886113CC577C7DB495E8FF2442781900
| ML-DSA-44 | B6D8DF653CB0AC358B8DCB5043CBD77DC75738CA9561460AF30C6827502D38B0 | 9FFE68221D549ABB63901348C811E2D4CC46AF33E90798F1E2EE6CFFDA6EFB6C | D1CC972EBE55557C9BDFA211F509C76B9867FE08CE92AF4D9AE84ABD9471E280 | 1977159429814BC3054B5DFB912CA912FD779D1F4D706BC9D752E9E9248249F8
| ML-DSA-44 | 19A4578402EA7A3B0FA1E6A642B346202F70FD48EFF88716700D2FB856F637E1 | 6C346DF3312E5F08AA6FD536B650B0000E875956E11DA641C2A09AE2C008D739 | F6BA1E9EDBB1DD6C31D50E039EBB5D2E6BDD88EC74D415C55BF2BDF8119C1F99 | 9BF7310CBA86AA09655951746356BAEB3160928A472F0F800321A1102D513277
| ML-DSA-44 | 19A4578402EA7A3B0FA1E6A642B346202F70FD48EFF88716700D2FB856F637E1 | 6C346DF3312E5F08AA6FD536B650B0000E875956E11DA641C2A09AE2C008D739 | 59334D1433CC317A4E0B20AB4C8695FE92384F094CFC4AB9E2731921CFE82E95 | 2BBF13A30DF7F20BB20469C0AA1A37207327E1AEC8DC0353426951F134C7F336
| ML-DSA-44 | D0CBB07234CF3DAC9ABCFEAD5F30D386503D74394FF2E89C572893623B352CE2 | 1725AF7435651074D115180AB3BD7045E3119AC7B01E329C667CABDBA7AF81A9 | 6A98B59552C3ABF1E12CE10214DEB33E266E83439674B1C62A8118CD299F4DDA | FBFB9FDD9932B7ADCD6EB9C1988954F5523B50E400958B7E3E2FBD514D07B811
| ML-DSA-44 | AF3B137E678A32C9890DA57B908212B883DF5F53698906AC259DC957F3AA0F49 | C592A44E6BA38F32ED2AD6020CFEF4762AEF29FE1E6B81B13F011B70B4B27878 | E5E6CDA64A9BCDCE1B3CF60ED5FBD32067B007E99AE8D30BCBB3A47D6606BC63 | D31400BA008C66C13CB82BF7C4EB98B4127B0D018A26B5F78B724E4816D0575B
| ML-DSA-44 | 41F1DD6ADBE99B20F7C09CBEC35FE4D577121AB1A2D1F19A67D093A889A212BF | 81C98CAEA0C96CDC7E6E899F3D21C65D5A1BA1ADBFB05709A3DD94760657481D | DEFC0A181C7EEE47E366B775069E4E75E9B03E41A32FD992F5321F5F3ABF3A1E | FC7835D7BC7A005DC9E80A331D24FEAB4A09F22269DA05D88F31114E65522CC0
| ML-DSA-44 | EDC15BAB40D4F0061A42BB1B1E25FB88DDA81DE556B5B7D1D1F6F976BF18D342 | B48037915BEAF73FD8071C4A37D8650F9BDC43FF448CA5FC2A5D82128A5415E2 | 9AFE6CEC7BEBCE176F3BED99F6530B30235F9DCE8DB2B845ABC29DDC7800D0DF | FF8D018D776DDBE437E10AFA01092F622E133BC968E6F3547B5EEC0582340BA2
| ML-DSA-44 | 06DE27935B3546108CB5DF5B9D20962E66E9483D28B6BD3526BC29E67D639346 | DEFF6103F2461EE3664598D047308DF594481D8A7909D665A39D9E3F7BFD378E | 2BC53BCC9014351EBE53927437DC3B3445221D367060A7E02387F05D6AF88CDA | 9B767458CC66B0CAC8CBB23688AE62A031AA0C0C1A2A94D05BCCE63F89F662DE
| ML-DSA-44 | 0EB9FC82941492B544B335299F0A9988149B073481E524A463E0DCBB5CA6D0CD | 3981CDAE116B3FBBD4FB5F84B62EF8B799E4859780063DE7CD7CD1FE1C95F12A | 91A6C4DA9EFA41C589183A460BEB2BF717A63538AD677698C2F1FBFD4EE5FB03 | 1330509757042FF7CE5D370DAC53EFF645D387E9F9F59E26DA7CA47815C2BF59
| ML-DSA-44 | 6CB6030AA76C4F4079FC0396664FF361B994697DB2FE9F182835CA0A93FE6B3B | E77BF73434960A36BF59724E8B26370E7F84480563C0BDC75A5FAF2B47C0A59B | 35C034A8D77CBD042FBC6F0083FA29374F7ADC8F66CCED0556F69D1814E4D453 | EED5A78DC83D3F0DD6D2CD17765F3C71CBE3D2DD1C282A800577A3D88E5532B5
| ML-DSA-44 | 96EC11B9D089E586E7686EE4A0D0EFD76E4B03D4A3BC1A1CC19E3E6D9B0B0932 | 6494B70209B2957B4F2FEFFD608F46F2EE230448055E85F27ACF7504DD52BD86 | 860036A45D331BCD28DEC06841233FCB73F6DD6515604C39F85FA790326F1C70 | EEE85299E4C205D5833013B22AD21B459A241FC5F9FD97C5BAB33068B61F1459
| ML-DSA-44 | 96EC11B9D089E586E7686EE4A0D0EFD76E4B03D4A3BC1A1CC19E3E6D9B0B0932 | 6494B70209B2957B4F2FEFFD608F46F2EE230448055E85F27ACF7504DD52BD86 | EB9E8DD8C013FF6B35434544956D35D9BFDCD008C9DB10668DAA4C41E01A98D6 | 701A51429F144D5D9460E50850F55A07F35F721248D215EFDCECCA02E9AC1CF2
| ML-DSA-44 | DA0AAB120F3CAF12B62D72C4B764FE47502410125FA3137827AA55F8B1B0AFFA | E91CC190F7DD8357A5AADDEF6AB717B7B3AC4CCB3F7DA950453CD92A397991FF | 5467A7F2B82F6010CFE658AE18B72F347A9ACC7C4FC90303ADF93FFB5F612A63 | A82258C53B5934638F26D6A25B5E093D3724012E79A3392FFA398162C4105517
| ML-DSA-44 | 563E184C05A6945E6C72225E197375EC8186460ADF6B970ED837EDB2CC37CE0D | 654AB2600BD29986F24AB4AC0BC2F1FF6E32A2EB189AB58D0A33579B92130DC4 | 24031DAF81B8BDD151FC61F5AD919E82FA18DFD2E1EB4725D82E81879B0020F6 | AE5C85BED5861B80EA205D030D0D471D87E72E658A1141608481A116CAF9FA31
| ML-DSA-44 | 4E21C3CDB838083C5DC68AD48DA70A1C3B858B55E14772A608BDD7FE6FC10681 | 73A5E94A0D7326DFABDCCC0120E7DF22CA7EA8F20E3CE3805915B32A7A8B44F7 | D54E634AF8B5F55A5DC4F81755920663C8D33B0B76CBA13CAB15F564A5702EAF | 2DFD78BFB7848D7E5DD810CCBB4D1C4A00CE514E63F34CABDF536958CDE6E0D1
| ML-DSA-44 | E443F1F2006E788785D941A75FB879F682B9A7238389ADA2541EABE2E28EEBD5 | 3B1A7815B625A5EEB7983A22580D1757A1C880F762D7FE01109FE1B73E3B4F0E | C93326B1E76EC026DA5CA229AE4664715B78EB4DB743BC031D54BE08F762817A | 0B2C4C827DA81261959A4921729DAE6545326E7B7D3DE9E5615DC36CBB2B24F4
| ML-DSA-44 | BC0E8F7F3516A9C86D20BFF75AE056905D840414DBC662B41C8FD22C4BD72602 | 4170198F73493F081E3827135B00C89D389F24DA6F3026684938AE284F38CFF6 | 79E1889617C550F544E0BFF6746C89FB018F97010E3A72648A36BD844E7FD702 | EF9C712D5E96D437D5CA30E4E0A288928977270231E459350FC4730F1B63DA1A
| ML-DSA-44 | F8299C7C155E6A543C3BB2ED85C5B7DDF41A1CA2C79ABB9146E620A5E3C6CD52 | ACC93A8A6CE09E91331765EB3E0B43D514220A6222841753A477508F3316D996 | 7C352A1621B0B71DB7C988F3C78E13D0DEAF152F337CA3B9D6DDBB7735857FE4 | 787705010EFFA3F9B2D35CFD7AB9DF0A7162A381618B1F91A7622038B68767F8
| ML-DSA-44 | 613355AC3C5A4721ECA5C35A983351CB48E7DBA30914F04ACB1CD0ECA6B46797 | 346D0540D9CA2618C7B42AD3D43A236C87625665BA66206DCFCDE94AB607349C | 47FB0D336EAC39E02D4C2A1DB74B4196C3490B6EE2F0CA59D9C7C8EAEA53B4DA | 324D20D69B4DF8AAD0D38BCAEB900E41D69FF129FF5754044B31E556CC37C38A
| ML-DSA-44 | B6AA3BA3B3289E2484B7AD76AD17C7B86CEAE632C11B43E4C0826543FFC68054 | 673D01FED88C527B29A7ADC26F9C73EA352EB4337E5A20670BF331AE7250025E | BE77A2BFA9E5F0F03794877AF73DA495D0C3A809EB365A5DE5490C3A4B4FBC90 | BEEA3888AF937E011A8D771F451A394255670E303E507F460289B0B019CE470C
| ML-DSA-44 | C53FB3949EFEB05FABA206F5A6E2B4D214C36454C55FA38F3F571BF1AB83A8AC | 3423708B762452EA34E4A175C55DC05EDD7766B49C7832EFB2B51E03BB73DF27 | 5D1D4555CF47B8F53F8F8C325A2C18F40AA542E81CFBA51D6C26127F4A5F07BF | B7B6F02F216AF4B173CFA2468EC1570C0B1C7903CC5E7B15FA78D5FA5263FF04
| ML-DSA-44 | D9BAC8AC09213F46358B7EF7EB0D9CAFC5492A4A473A01BC6D708E4D8459881A | 5AF1DAB893662B90F8DC13AA4C0180610F20F33CDF56EFB4F7F63D26C857AFCC | FF05D333B0F908E839DCB8B2D02BBE8864048355EF838CE413701D9B5FFE8B22 | 5C882CE4205F9214DCB1ACB4B4F8DFE31D3A49B6DD202BFF10B7FCC446CC50AA
|===
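Review bot: The table under [[kats_table]] has no column identifying which rejection condition (z infinity norm, r infinity norm, hint count in h, or ct0 infinity norm) each row exercises, so an implementer whose output matches the signature hash still cannot tell which check a given row covers. The sentence "trigger each rejection case exactly once" also leaves open whether each row hits a single case or all of them. Suggest adding a "Rejection Case" column (or per-row loop iteration counts) and rewording that sentence to match. All 23 rows are ML-DSA-44, while the paragraph singles out only the ct0 check as specific to ML-DSA-44, so either add rows for the other security levels or state that the z, r and hint cases are provided for ML-DSA-44 only. The paragraph should also state the encoding of the Message column, and "psuedocode" should read "pseudocode".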
9 changes: 9 additions & 0 deletions src/ml-dsa/sections/98-references.adoc
Expand Up @@ -33,3 +33,12 @@ contributor.organization.abbreviation:: NIST
date::
date.type:: published
date.value:: 2019-07-01

[%bibitem]
=== PQC-Forum
id:: PQC-Forum
docid::
id::: PQC-Forum
link::
link.type:: src
link.content:: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/G8Zf0hC-uu0/m/Kb3qNJb0AwAJ
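Review bot: The new PQC-Forum bibitem carries only id, docid and link, whereas the entry just above it in the context lines also has contributor and date fields, so this reference will render without a title, author or date. Suggest adding a title:: for the thread and a date.type:: / date.value:: pair, and confirming that the empty `docid::` with `id::: PQC-Forum` nested under it matches the convention used elsewhere in 98-references.adoc. Since the link points at a single mailing-list message, a more specific id than PQC-Forum would avoid a clash if another forum thread is cited later.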
