Closed mwcw closed 5 months ago
celic
commented
5 months ago Can you please verify the implementation has the algorithm in Draft FIPS 204 Section 8.1 defined properly? They define how to read the byte values.
The reverse byte order is an interesting problem. We've published tests produced from this code previously and didn't receive such feedback. I'd like to verify that it isn't just this implementation before diving deeper.
cipherboy
commented
5 months ago @celic I'm a little confused by your statement. As far as I can tell (and I may be wrong!), Algorithm 2 ML-DSA.Sign(sk, M)'s use of M does not depend on the helper algorithms defined in Section 8.1 at all?
In particular, we define M as message M ∈ {0, 1}* i.e., a bitstring, and only use it in step 6 AFAICT:
μ ← H(tr||M, 512) ▷ Compute message representative μi.e., simple concatenation into the XOF's input stream.
Building a simple reproducer here in C, based off of the reference implementation:
I use the the second vector of the first test case from MW's above -- and with MW's reversal noted -- it passes:
$ cc -Wno-unused-result -O3 -fomit-frame-pointer -DDILITHIUM_MODE=2 \
-o nistacvp/testacvp nistacvp/main.c sign.c packing.c polyvec.c poly.c ntt.c reduce.c rounding.c fips202.c symmetric-shake.c -lcrypto
... compiler output elided ...
$ ./nistacvp/testacvp ; echo $?
0with the message byte order swap above (// MESSAGE REVERSAL) commented out -- hopefully corresponding to the expected interpretation of the vectors, using the decoded hex verbatim -- it fails:
$ cc -Wno-unused-result -O3 -fomit-frame-pointer -DDILITHIUM_MODE=2 \
-o nistacvp/testacvp nistacvp/main.c sign.c packing.c polyvec.c poly.c ntt.c reduce.c rounding.c fips202.c symmetric-shake.c -lcrypto
... compiler output elided ...
$ ./nistacvp/testacvp ; echo $?
got error verifying signature
1(this is built against https://github.com/pq-crystals/dilithium/tree/standard/ as of standard's latest commit at the time of writing (e7bed6258b9a3703ce78d4ec38021c86382ce31c) -- placed in a file called ref/nistacvp/main.c and built from the ref/ directory. I chose the second vector since the first one is expected to fail verification, but according to the server responses above, the second vector is meant to pass and does so correctly).
However, without swapping the byte order of the message itself, it fails verification against the algorithm author's standard reference implementation...
AFAICT -- and again, I might be wrong -- if Section 8.1's reversal algorithms is meant to be applied to the input message M, this isn't called out as a difference either in the NIST ML-DSA IPD draft over upstream (Section 1.3 doesn't mention this), and isn't made clear in the Algorithm 2 definition...
Thanks!
celic
commented
5 months ago Our BitString.cs class that we use to store things like byte string values for test case generation works as a big endian structure. Draft FIPS 204 operates on the reversed byte order, little endian bytes. I see why this is happening then. We use byte[] within the crypto for ML-DSA, but need to bring it back into a BitString to put it into JSON. The endianness is being lost in that translation.
I'll see if I can put a fix for this in quickly.
cipherboy
commented
5 months ago Perfect, thank you @celic!
celic
commented
5 months ago This will also impact FIPS 203, ML-KEM.
celic
commented
5 months ago Also to clarify, do you notice this on the signatures, or key values output from the server? Do you need to reverse the public and private key when communicating back to the server to get the correct verdict?
mwcw
commented
5 months ago Also to clarify, do you notice this on the signatures, or key values output from the server? Do you need to reverse the public and private key when communicating back to the server to get the correct verdict?
I'll put it in points so we can refer to it more easily.
ML-DSA:
I have not needed to reverse the outputs, pk,sk or signature, I did not dig too far into SigGen failures at this point because of this issue. I have not attempted to implement any testing for ML-KEM beyond fetching vectors.
Probably off topic, with KeyGen, we had an error report on one set of vectors about a PK and SK not matching on one test but it is intermittent, I have held of looking into that as well. (I have these vectors saved)
Please let me know if you need any more information?
MW
celic
commented
5 months ago Try siggen where you reverse the resulting signature before sending it to the server.
On Tue, Apr 9, 2024, 6:53 PM MW @.***> wrote:
Also to clarify, do you notice this on the signatures, or key values output from the server? Do you need to reverse the public and private key when communicating back to the server to get the correct verdict?
I'll put it in points so we can refer to it more easily.
ML-DSA:
- SigGen -- Total fail at the moment both AFT and GDT, reversing or not reversing the message.
- SigVer -- I can obtain passes if I reverse the message.
- KeyGen -- I can obtain passes if I reverse the seed.
I have not needed to reverse the outputs, pk,sk or signature, I did not dig too far into SigGen failures at this point because of this issue. I have not attempted to implement any testing for ML-KEM beyond fetching vectors.
Probably off topic, with KeyGen, we had an error report on one set of vectors about a PK and SK not being related but it is intermittent, I have held of looking into that as well. (I have these vectors saved)
Please let me know if you need any more information?
MW
— Reply to this email directly, view it on GitHub https://github.com/usnistgov/ACVP-Server/issues/320#issuecomment-2046166718, or unsubscribe https://github.com/notifications/unsubscribe-auth/AATQXEJBEP7FOSJY2NSDRTDY4RWQNAVCNFSM6AAAAABF3Z6DO6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANBWGE3DMNZRHA . You are receiving this because you were mentioned.Message ID: @.***>
mwcw
commented
5 months ago I got 100% failure, AFT, GDT SigGen with:
Not tried: Reversing pk in GDP results.
With GDP we are "non deterministic" and we are generating a key pair using a random entropy source.
smuellerDD
commented
5 months ago Allow me to add my observations:
ML-DSA:
ML-KEM:
celic
commented
5 months ago I see. This is concerning the BitArray from BitString conversion used for the message in ML-DSA SigGen and SigVer, and the seed for ML-DSA KeyGen. All that is needed is the final BitString that we use in the JSON needs the byte order reversed.
livebe01
environment Demo
testSessionId 501055 -- sigVer all passing with reversal of message 501053 -- keyGen all passing with reversal of seed
vsId 2261682 -- sigVer 2261680 -- keyGen
Algorithm registration
Endpoint in which the error is experienced demo
I was able to get ML-DSA sigVer vectors to pass if I reversed the byte order of the message being supplied to our verifier. Looking at the spec, and I am not super familiar with Dilithium, it appears that the message M is passed into H as is without any modification during the verification operation.
Our test harness passes hex encoded byte arrays from left to right, so "ABCDEF" => [0xAB, 0xCD, ... etc]
With respect to keyGen I was able to get a successful pass if I reversed the byte order of seed supplied to our implementation as well.
Without the byte order reversal it is 100% failure in for the modes tested so far.
Reversal in this case is: [0,1,2,3] => [3,2,1,0]
Let me know if you need any more information?
I have attached vector sets, our responses etc
Thanks,
MW
ml-dsa_keygen_pass.zip