Add ML-DSA test vectors (FIPS 204 standard). #146
Conversation
|
@gendx Was it intentional to put the test vectors in the schema dir? I think we'd probably want them in |
|
@cpu No that was a typo. Moved them to the suitable directory now :) |
There was a problem hiding this comment.
I haven't done a deep dive on the test vector content yet, but had some feedback on the schemas and splitting these up further based on which have seeds available. I also filed #147 to remind myself to put more of this into docs.
Thanks for picking this up again. I hope we can get it merged sooner than later.
| "$ref": "#/definitions/MlDsaSignTestVector" | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
For each object in your new schemas can you please add additionalProperties: false to avoid allowing extra unspec'd fields, and a required list with the required fields:
"required": [ ... ],
"additionalProperties": false
| "privateSeed": { | ||
| "type": "string", | ||
| "format": "HexBytes", | ||
| "description": "[optional] 32-byte seed that generated the private key (absent if unknown or if the private key is malformed)" |
There was a problem hiding this comment.
Let's split the tests that don't have a seed from the ones that do at the schema/testcase level instead of making it an optional field in one common test type.
| "definitions": { | ||
| "MlDsaSignTestGroup": { | ||
| "type": "object", | ||
| "properties": { |
There was a problem hiding this comment.
Please also add a source property ref'ing the common.json definition:
"source": {
"$ref": "common.json#/definitions/Source"
},
| "generatorVersion": { | ||
| "type": "string", | ||
| "description": "the version of the test vectors." | ||
| }, |
There was a problem hiding this comment.
This should be marked deprecated "deprecated": true to match the other schemas. I think it's probably premature to avoid including it all-together (?)
| @@ -0,0 +1,98 @@ | |||
| { | |||
| "type": "object", | |||
| "definitions": { | |||
There was a problem hiding this comment.
I think all of my comments from the other schema file also apply here but I won't duplicate them :-)
| "sig": { | ||
| "type": "string", | ||
| "format": "HexBytes", | ||
| "description": "The encoded signature (empty in case of failure)" |
There was a problem hiding this comment.
nit: maybe clearer as:
| "description": "The encoded signature (empty in case of failure)" | |
| "description": "The encoded signature (empty in case of expected failure)" |
This PR adds test vectors for ML-DSA, for the FIPS 204 standard. It's a restart of #112 without the pre-standard versions (round 3, ipd).
These tests aim to cover the following cases:
s1ors2vectors out of the[-eta, eta]range.t1component set to zero (allowing trivial forgeries, but the verification algorithm should still accept signatures for this key).z_maxequalsgamma1 - beta - 1andgamma1 - beta,r0_maxequalsgamma2 - beta - 1andgamma2 - beta,h_onesequalsomegaandomega + 1,|ct0|_maxequalsgamma2 - 1andgamma2.expand_a,expand_s,rej_ntt_polyandrej_bounded_polyfunctions.power_2_roundfunction: when the remainder (found int0) is equal to 4096 or -4095,decompose(viahigh_bitsorlow_bits): when the conditionr_plus - r_0 = q - 1happens.Beyond the baseline API, also covered are:
contextvalue: empty (default), regular length, or context too long.What isn't covered:
Notable difference(s) from the previous pull request (#112):
"algorithm": "ML-DSA-44") to make it easier to consume without looking at file names.privateSeedfield) when meaningful and known. It's notably absent for:|ct0|_max(note that it's possible to generate similar vectors with a known seed but using a lot of brute-force).