Pass signature verification tests

Author: bifurcation

ml-dsa/src/algebra.rs

@@ -686,7 +686,12 @@ impl From<NttPolynomial> for Array<FieldElement, U256> {
 // Algorithm 41 NTT
 impl Polynomial {
     pub fn ntt(&self) -> NttPolynomial {
-        let mut w = self.0.clone();
+        // XXX let mut w = self.0.clone();
+        let mut w: Array<FieldElement, U256> = self
+            .0
+            .iter()
+            .map(|x| FieldElement(x.0 % FieldElement::Q))
+            .collect();
 
         let mut m = 0;
         for len in [128, 64, 32, 16, 8, 4, 2, 1] {

ml-dsa/src/hint.rs

@@ -98,7 +98,6 @@ where
         let mut y: EncodedHint<P> = Default::default();
         let mut index = 0;
         let omega = P::Omega::USIZE;
-
         for i in 0..P::K::U8 {
             let i_usize: usize = i.into();
             for j in 0..256 {
@@ -114,32 +113,37 @@ where
         y
     }
 
+    fn monotonic(a: &[usize]) -> bool {
+        a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] < *x)
+    }
+
     pub fn bit_unpack(y: &EncodedHint<P>) -> Option<Self> {
+        let (indices, cuts) = P::split_hint(y);
+        let cuts: Array<usize, P::K> = cuts.iter().map(|x| usize::from(*x)).collect();
+
+        let indices: Array<usize, P::Omega> = indices.iter().map(|x| usize::from(*x)).collect();
+        let max_cut: usize = cuts.iter().cloned().max().unwrap().into();
+        if !Self::monotonic(&cuts)
+            || max_cut > indices.len()
+            || indices[max_cut..].iter().cloned().max().unwrap_or(0) > 0
+        {
+            return None;
+        }
+
         let mut h = Self::default();
-        let mut index = 0;
-        let omega = P::Omega::USIZE;
+        let mut start = 0;
+        for (i, &end) in cuts.iter().enumerate() {
+            let indices = &indices[start..end];
 
-        for i in 0..P::K::U8 {
-            let i_usize: usize = i.into();
-            let end: usize = y[omega + i_usize].into();
-            if end < index || end > omega {
+            if !Self::monotonic(indices) {
                 return None;
             }
 
-            let start = index;
-            while index < end {
-                if index > start && y[index - 1] >= y[index] {
-                    return None;
-                }
-
-                let j: usize = y[index].into();
-                h.0[i_usize][j] = true;
-                index += 1;
+            for &j in indices {
+                h.0[i][j] = true;
             }
-        }
 
-        if y[index..omega].iter().any(|x| *x != 0) {
-            return None;
+            start = end;
         }
 
         Some(h)

ml-dsa/src/lib.rs

@@ -56,11 +56,16 @@ impl<P: SignatureParams> Signature<P> {
     // Algorithm 27 sigDecode
     pub fn decode(enc: &EncodedSignature<P>) -> Option<Self> {
         let (c_tilde, z, h) = P::split_sig(&enc);
-        Some(Self {
-            c_tilde: c_tilde.clone(),
-            z: P::decode_z(z),
-            h: Hint::bit_unpack(h)?,
-        })
+
+        let c_tilde = c_tilde.clone();
+        let z = P::decode_z(z);
+        let h = Hint::bit_unpack(h)?;
+
+        if z.infinity_norm() >= P::GAMMA1_MINUS_BETA {
+            return None;
+        }
+
+        Some(Self { c_tilde, z, h })
     }
 }
 
@@ -164,24 +169,27 @@ impl<P: ParameterSet> SigningKey<P> {
             let z = &y + &cs1;
             let r0 = (&w - &cs2).low_bits::<P::Gamma2>();
 
-            let gamma1_threshold = P::Gamma1::U32 - P::BETA;
-            let gamma2_threshold = P::Gamma2::U32 - P::BETA;
-            if r0.infinity_norm() > gamma2_threshold || z.infinity_norm() > gamma1_threshold {
+            if z.infinity_norm() >= P::GAMMA1_MINUS_BETA
+                || r0.infinity_norm() >= P::GAMMA2_MINUS_BETA
+            {
                 continue;
             }
 
             let ct0 = (&c_hat * &t0_hat).ntt_inverse();
             let h = Hint::<P>::new(-&ct0, &(&w - &cs2) + &ct0);
 
-            if ct0.infinity_norm() > P::Gamma2::U32 || h.hamming_weight() > P::Omega::USIZE {
+            if ct0.infinity_norm() >= P::Gamma2::U32 || h.hamming_weight() > P::Omega::USIZE {
                 continue;
             }
 
             let z = z.mod_plus_minus(FieldElement(FieldElement::Q));
             return Signature { c_tilde, z, h };
         }
 
-        // TODO(RLB) Make this method fallible
+        // XXX(RLB) We could be more parsimonious about the number of iterations here, and still
+        // have an overwhelming probability of success.
+        // XXX(RLB) I still don't love panicking.  Maybe we should expose the fact that this method
+        // can fail?
         panic!("Rejection sampling failed to find a valid signature");
     }
 
@@ -228,17 +236,17 @@ pub struct VerificationKey<P: ParameterSet> {
 }
 
 impl<P: ParameterSet> VerificationKey<P> {
-    pub fn verify(&self, Mp: &[u8], sigma: &Signature<P>) -> bool
+    pub fn verify_internal(&self, Mp: &[u8], sigma: &Signature<P>) -> bool
     where
         P: VerificationKeyParams + SignatureParams,
     {
         // TODO(RLB) pre-compute these and store them on the signing key struct
         let A_hat = NttMatrix::<P::K, P::L>::expand_a(&self.rho);
-        let t1_hat = (FieldElement(1 << 13) * &self.t1).ntt();
+        let t1 = FieldElement(1 << 13) * &self.t1;
+        let t1_hat = t1.ntt();
         let tr: B64 = H::default().absorb(&self.encode()).squeeze_new();
 
         // Compute the message representative
-        // XXX(RLB) might need to run bytes_to_bits()?
         let mu: B64 = H::default().absorb(&tr).absorb(&Mp).squeeze_new();
 
         // Reconstruct w
@@ -259,7 +267,7 @@ impl<P: ParameterSet> VerificationKey<P> {
             .squeeze_new::<P::Lambda>();
 
         let gamma1_threshold = P::Gamma1::U32 - P::BETA;
-        return sigma.z.infinity_norm() < gamma1_threshold && sigma.c_tilde == cp_tilde;
+        sigma.c_tilde == cp_tilde
     }
 
     // Algorithm 22 pkEncode
@@ -354,6 +362,12 @@ mod test {
         let sk_bytes = sk.encode();
         let sk2 = SigningKey::<P>::decode(&sk_bytes);
         assert!(sk == sk2);
+
+        let sig = sk.sign_internal(&[0, 1, 2, 3], (&[0u8; 32]).into());
+        let sig_bytes = sig.encode();
+        println!("sig_bytes: {:?}", hex::encode(&sig_bytes));
+        let sig2 = Signature::<P>::decode(&sig_bytes).unwrap();
+        assert!(sig == sig2);
     }
 
     #[test]
@@ -370,14 +384,13 @@ mod test {
         let mut rng = rand::thread_rng();
 
         let seed: [u8; 32] = rng.gen();
-        let (_pk, sk) = SigningKey::<P>::key_gen_internal(&seed.into());
+        let (pk, sk) = SigningKey::<P>::key_gen_internal(&seed.into());
 
         let rnd: [u8; 32] = rng.gen();
         let Mp = b"Hello world";
-        let _sig = sk.sign_internal(Mp, &rnd.into());
+        let sig = sk.sign_internal(Mp, &rnd.into());
 
-        // TODO(RLB) Re-enable and debug
-        // assert!(pk.verify(Mp, &sig));
+        assert!(pk.verify_internal(Mp, &sig));
     }
 
     #[test]

ml-dsa/src/param.rs

@@ -396,6 +396,11 @@ pub trait SignatureParams: ParameterSet {
     type HintSize: ArraySize;
     type SignatureSize: ArraySize;
 
+    const GAMMA1_MINUS_BETA: u32;
+    const GAMMA2_MINUS_BETA: u32;
+
+    fn split_hint(y: &EncodedHint<Self>) -> (&EncodedHintIndices<Self>, &EncodedHintCuts<Self>);
+
     fn encode_w1(t1: &PolynomialVector<Self::K>) -> EncodedW1<Self>;
     fn decode_w1(enc: &EncodedW1<Self>) -> PolynomialVector<Self::K>;
 
@@ -415,6 +420,8 @@ pub trait SignatureParams: ParameterSet {
 pub type EncodedCTilde<P> = Array<u8, <P as ParameterSet>::Lambda>;
 pub type EncodedW1<P> = Array<u8, <P as SignatureParams>::W1Size>;
 pub type EncodedZ<P> = Array<u8, <P as SignatureParams>::ZSize>;
+pub type EncodedHintIndices<P> = Array<u8, <P as ParameterSet>::Omega>;
+pub type EncodedHintCuts<P> = Array<u8, <P as ParameterSet>::K>;
 pub type EncodedHint<P> = Array<u8, <P as SignatureParams>::HintSize>;
 pub type EncodedSignature<P> = Array<u8, <P as SignatureParams>::SignatureSize>;
 
@@ -435,7 +442,7 @@ where
         + Rem<P::L, Output = U0>,
     // Hint
     P::Omega: Add<P::K>,
-    Sum<P::Omega, P::K>: ArraySize,
+    Sum<P::Omega, P::K>: ArraySize + Sub<P::Omega, Output = P::K>,
     // Signature
     P::Lambda: Add<Prod<RangeEncodedPolynomialSize<Diff<P::Gamma1, U1>, P::Gamma1>, P::L>>,
     Sum<P::Lambda, Prod<RangeEncodedPolynomialSize<Diff<P::Gamma1, U1>, P::Gamma1>, P::L>>:
@@ -459,6 +466,13 @@ where
     type HintSize = Sum<P::Omega, P::K>;
     type SignatureSize = Sum<Sum<P::Lambda, Self::ZSize>, Self::HintSize>;
 
+    const GAMMA1_MINUS_BETA: u32 = P::Gamma1::U32 - P::BETA;
+    const GAMMA2_MINUS_BETA: u32 = P::Gamma2::U32 - P::BETA;
+
+    fn split_hint(y: &EncodedHint<Self>) -> (&EncodedHintIndices<Self>, &EncodedHintCuts<Self>) {
+        y.split_ref()
+    }
+
     fn encode_w1(w1: &PolynomialVector<Self::K>) -> EncodedW1<Self> {
         SimpleBitPack::<Self::W1Bits>::pack(w1)
     }

ml-dsa/tests/README.md

@@ -14,8 +14,8 @@ The current copies of these files were taken from commit [65370b8] of that repo.
 The actual tests to be performed are described in the [ACVP documentation].
 
 [NIST ACVP repository]: https://github.com/usnistgov/ACVP-Server/
-[keyGen]: https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/ML-DSA-keyGen-FIPS204
-[sigGen]: https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/ML-DSA-sigGen-FIPS204
-[sigVer]: https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/json-files/ML-DSA-sigVer-FIPS204
-[65370b8]: https://github.com/usnistgov/ACVP-Server/commit/65370b861b96efd30dfe0daae607bde26a78a5c8
-[ACVP documentation]: https://github.com/usnistgov/ACVP/tree/65370b861b96efd30dfe0daae607bde26a78a5c8/src/ml-dsa/sections
+[keyGen]: https://github.com/usnistgov/ACVP-Server/blob/65370b8/gen-val/json-files/ML-DSA-keyGen-FIPS204
+[sigGen]: https://github.com/usnistgov/ACVP-Server/blob/65370b8/gen-val/json-files/ML-DSA-sigGen-FIPS204
+[sigVer]: https://github.com/usnistgov/ACVP-Server/blob/65370b8/gen-val/json-files/ML-DSA-sigVer-FIPS204
+[65370b8]: https://github.com/usnistgov/ACVP-Server/commit/65370b8
+[ACVP documentation]: https://github.com/usnistgov/ACVP/tree/master/src/ml-dsa/sections

ml-dsa/tests/sig-ver.rs

@@ -31,10 +31,13 @@ fn verify<P: VerificationKeyParams + SignatureParams>(tg: &acvp::TestGroup, tc:
 
     // Import the signature
     let sig_bytes = EncodedSignature::<P>::try_from(tc.signature.as_slice()).unwrap();
-    let sig = Signature::<P>::decode(&sig_bytes).unwrap();
+    let sig = Signature::<P>::decode(&sig_bytes);
 
-    // Verify the signature
-    assert!(pk.verify(tc.message.as_slice(), &sig));
+    // Verify the signature if it successfully decoded
+    let test_passed = sig
+        .map(|sig| pk.verify_internal(tc.message.as_slice(), &sig))
+        .unwrap_or_default();
+    assert_eq!(test_passed, tc.test_passed);
 }
 
 mod acvp {
@@ -77,6 +80,11 @@ mod acvp {
         #[serde(rename = "tcId")]
         pub id: usize,
 
+        #[serde(rename = "testPassed")]
+        pub test_passed: bool,
+
+        pub reason: String,
+
         #[serde(with = "hex::serde")]
         pub message: Vec<u8>,