paulmillr / noble-post-quantum

Auditable & minimal JS implementation of public-key post-quantum cryptography
https://paulmillr.com/noble
MIT License

ML-DSA: missing context encoding step (only `internal` functions implemented?) #9

Open larabr opened 1 month ago

larabr commented 1 month ago

It seems that the exposed mldsa sign and verify functions correspond to ML-DSA.Sign_internal and ML-DSA.Verify_internal (i.e. Algorithms 7 and 8 in FIPS 204), rather than Algorithms 2 and 3, which additionally encode a context string into the input.

Is this intended? If so, I think this should be clarified in the README, as interoperability with other libs is affected.
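For readers unfamiliar with the step being discussed: FIPS 204 Algorithms 2 and 3 do not sign the message M directly. They first build M' = IntegerToBytes(0, 1) || IntegerToBytes(|ctx|, 1) || ctx || M (a 0x00 domain separator for pure ML-DSA, a one-byte context length, the context, then the message), reject any context longer than 255 bytes, and only then call Sign_internal / Verify_internal on M'. The following is an added illustration, not code from noble-post-quantum; it implements that encoding and wraps a hypothetical `internal` object whose `sign(secretKey, mPrime)` and `verify(publicKey, mPrime, sig)` interface is assumed for the example, so that the effect on interoperability is visible: a signature produced over raw M by an internal-only API verifies under Algorithm 3 with no context only if the verifier also skips the encoding.

```javascript
// Added example: the FIPS 204 context-encoding step (Algorithms 2 and 3)
// performed before Sign_internal / Verify_internal (Algorithms 7 and 8).
// In bytes: M' = 0x00 || len(ctx) || ctx || M. The leading 0x00 is the
// domain separator for pure ML-DSA; HashML-DSA uses 0x01 followed by an OID.

const MAX_CTX_LEN = 255; // Algorithm 2 step 1: error if |ctx| > 255

// Build M' from a context string and a message (both Uint8Array).
function encodeWithContext(ctx, msg) {
  if (!(ctx instanceof Uint8Array) || !(msg instanceof Uint8Array)) {
    throw new TypeError('ctx and msg must be Uint8Array');
  }
  if (ctx.length > MAX_CTX_LEN) {
    throw new RangeError('context string must be at most 255 bytes');
  }
  const out = new Uint8Array(2 + ctx.length + msg.length);
  out[0] = 0x00;        // IntegerToBytes(0, 1): pure ML-DSA domain separator
  out[1] = ctx.length;  // IntegerToBytes(|ctx|, 1)
  out.set(ctx, 2);
  out.set(msg, 2 + ctx.length);
  return out;
}

// Wrap an internal sign/verify pair into the context-taking Algorithms 2 and 3.
// The shape of `internal` (sign(secretKey, mPrime), verify(publicKey, mPrime, sig))
// is an assumption made for this example, not a documented noble interface.
function withContext(internal) {
  return {
    sign(secretKey, msg, ctx = new Uint8Array(0)) {
      return internal.sign(secretKey, encodeWithContext(ctx, msg));
    },
    verify(publicKey, msg, sig, ctx = new Uint8Array(0)) {
      return internal.verify(publicKey, encodeWithContext(ctx, msg), sig);
    },
  };
}

// True when the bytes an Algorithm-2 signer actually signs equal what an
// internal-only signer would sign for the same message. Even with an empty
// context the two differ by the 2-byte prefix, which is the interoperability
// problem raised in this issue.
function sameSignedBytes(msg, ctx = new Uint8Array(0)) {
  const mPrime = encodeWithContext(ctx, msg);
  if (mPrime.length !== msg.length) return false;
  return mPrime.every((b, i) => b === msg[i]);
}

// Constructed sample input for a stand-alone run.
const sampleMsg = new Uint8Array([0x62, 0x63]);   // "bc"
const sampleCtx = new Uint8Array([0x61]);          // "a"
console.log(Array.from(encodeWithContext(sampleCtx, sampleMsg))); // [0, 1, 97, 98, 99]
console.log(sameSignedBytes(sampleMsg));                          // false
```

When comparing against another implementation, the first question is therefore whether it exposes Algorithm 2/3 (context-taking) or Algorithm 7/8 (internal) semantics; a verification failure between two otherwise correct libraries is often just this two-byte prefix.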

paulmillr commented 1 month ago

f3580aff85a99c27bcd31b914c1f981aaba4a132 will expose context-based methods.

However, there are no test vectors for that.

Branch wycheproof incorporates vectors from https://github.com/C2SP/wycheproof/pull/112, but the upstream PR is not merged yet and unclear when it will be.