Adjust KAT test to work with PCT

mkannwischer · hanno-becker · commit 464c622628f2 · 2025-08-04T04:45:02.000+01:00
Currently our KAT tests do not work in case the pairwise-consistency
test (PCT) is enabled through MLD_CONFIG_KEYGEN_PCT.
The reason for this is that when PCT is enabled, a signature is generated
at the end of key generation which requires randomness to be sampled
from randombytes() messing with the state of the deterministic
random number generator used for KAT tests.

To work around this, this commit changes the KAT tests to follow the same
approach that is also used by mlkem-native: Only use the de-randomized APIs
and derive all random coins deterministically using SHAKE instead of
randombytes().

This enabled KAT tests even when PCT is enabled.
Unfortunately, it requires changing the KAT hashes once.

Signed-off-by: Matthias J. Kannwischer &lt;matthias@kannwischer.eu&gt;
diff --git a/META.yml b/META.yml
@@ -8,16 +8,16 @@ implementations:
     length-public-key: 1312
     length-secret-key: 2560
     length-signature: 2420
-    kat-sha256: 9d4ae4ea0c1b56f96650838c7425cc2167a0754643b79a93bee28cb039ac2fc2
+    kat-sha256: 33e7eb7e3b4965fc8b8274ebf8a222c519008ec242b3f753d1bc240f1ee3cb1f
   - name: ML-DSA-65
     claimed-nist-level: 3
     length-public-key: 1952
     length-secret-key: 4032
     length-signature: 3309
-    kat-sha256: b66d7de88a3bec2d7cf171a7a1198f6de47384e2a1dd3bf7d07432316a9a40f8
+    kat-sha256: 2ff0ddcd0dc08b746aa04853d6f84c82c6c8ac38783c9061aed78e29c1698ae5
   - name: ML-DSA-87
     claimed-nist-level: 5
     length-public-key: 2592
     length-secret-key: 4896
     length-signature: 4627
-    kat-sha256: 93029142bf62f67ae3df0d31c2fccf8c9fa1e61ab388048e1b3faeb9451a61ce
+    kat-sha256: 1bfb25b29f6f2bc89057e3bddee055a8f7df563b0e747004b2968159f7739afa
diff --git a/test/gen_KAT.c b/test/gen_KAT.c
@@ -6,7 +6,8 @@
 #include <stddef.h>
 #include <stdio.h>
 #include <string.h>
-#include "../mldsa/api.h"
+#include "../mldsa/fips202/fips202.h"
+#include "../mldsa/sign.h"
 #include "../mldsa/sys.h"
 #include "notrandombytes/notrandombytes.h"
 
@@ -30,55 +31,61 @@ static void print_hex(const uint8_t *data, size_t size)
 
 int main(void)
 {
-  unsigned i, j;
+  unsigned i;
   int rc;
   uint8_t pk[CRYPTO_PUBLICKEYBYTES];
   uint8_t sk[CRYPTO_SECRETKEYBYTES];
-  uint8_t sm[MAXMLEN + CRYPTO_BYTES];
   uint8_t s[CRYPTO_BYTES];
-  uint8_t m[MAXMLEN];
-  uint8_t m2[MAXMLEN + CRYPTO_BYTES];
-  size_t smlen;
+  uint8_t *m;
+  /* empty ctx */
+  uint8_t pre[2] = {0, 0};
   size_t slen;
-  size_t mlen;
+
+  const uint8_t seed[64] = {
+      32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
+      48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
+      64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79,
+      80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95,
+  };
+  uint8_t coins[MLDSA_SEEDBYTES + MLDSA_RNDBYTES + MAXMLEN];
 
 #if defined(MLD_SYS_WINDOWS)
   /* Disable automatic CRLF conversion on Windows to match testvector hashes */
   _setmode(_fileno(stdout), _O_BINARY);
 #endif
 
+  /*
+   * We cannot rely on randombytes in the KAT test as randombytes() is used
+   * inside of crypto_sign_signature() which is called as a part of
+   * key generation in case PCT (pairwise-consistency test) is enabled.
+   * To allow KAT tests to still pass successfully, we derandomize the
+   * KAT test to only use deterministic randomness derived using SHAKE.
+   */
+
+  shake256(coins, sizeof(coins), seed, sizeof(seed));
+
   for (i = 0; i < MAXMLEN; i = (i == 0) ? i + 1 : i << 2)
   {
-    randombytes(m, i);
+    shake256(coins, sizeof(coins), coins, sizeof(coins));
+    m = coins + MLDSA_SEEDBYTES + MLDSA_RNDBYTES;
 
-
-    crypto_sign_keypair(pk, sk);
+    crypto_sign_keypair_internal(pk, sk, coins);
 
     print_hex(pk, CRYPTO_PUBLICKEYBYTES);
     print_hex(sk, CRYPTO_SECRETKEYBYTES);
 
-    crypto_sign(sm, &smlen, m, i, NULL, CTXLEN, sk);
-    crypto_sign_signature(s, &slen, m, i, NULL, CTXLEN, sk);
+    crypto_sign_signature_internal(s, &slen, m, i, pre, sizeof(pre),
+                                   coins + MLDSA_SEEDBYTES, sk, 0);
 
-    print_hex(sm, smlen);
     print_hex(s, slen);
 
-    rc = crypto_sign_open(m2, &mlen, sm, smlen, NULL, CTXLEN, pk);
-    rc |= crypto_sign_verify(s, slen, m, i, NULL, CTXLEN, pk);
+    rc = crypto_sign_verify(s, slen, m, i, NULL, CTXLEN, pk);
 
     if (rc)
     {
       printf("ERROR: signature verification failed\n");
       return -1;
     }
-    for (j = 0; j < i; j++)
-    {
-      if (m2[j] != m[j])
-      {
-        printf("ERROR: message recovery failed\n");
-        return -1;
-      }
-    }
   }
   return 0;
 }
