Merge pull request #555 from pq-code-package/randomized

Remove `MLD_RANDOMIZED_SIGNING` configuration option and adjust ACVP tests

Author: mkannwischer

README.md

@@ -54,7 +54,7 @@ timing side channels through suitable barriers and constant-time patterns.
 mldsa-native is split into a _frontend_ and two _backends_ for arithmetic and FIPS202 / SHA3. The frontend is
 fixed, written in C, and covers all routines that are not critical to performance. The backends are flexible, take care of
 performance-sensitive routines, and can be implemented in C or native code (assembly/intrinsics); see
-[mldsa/native/api.h](mldsa/native/api.h) for the arithmetic backend and 
+[mldsa/native/api.h](mldsa/native/api.h) for the arithmetic backend and
 [mldsa/fips202/native/api.h](mldsa/fips202/native/api.h) for the FIPS-202 backend. mldsa-native currently
 offers backends for C, AArch64, and x86_64 - if you'd like contribute new backends, please reach out or just open a PR.
 
@@ -81,9 +81,11 @@ Yes. mldsa-native supports all three ML-DSA security levels (ML-DSA-44, ML-DSA-6
 
 ### Does mldsa-native use hedged or deterministic signing?
 
-By default, mldsa-native uses the "hedged" signing variant as specified in FIPS 204 Section 3.4, with `MLD_RANDOMIZED_SIGNING` enabled in [mldsa/config.h](mldsa/config.h). The hedged variant uses both fresh randomness at signing time and precomputed randomness from the private key. This helps mitigate fault injection attacks and side-channel attacks while protecting against potential flaws in the random number generator.
+By default, mldsa-native uses the randomized "hedged" signing variant as specified in FIPS 204 Section 3.4. The hedged variant uses both fresh randomness at signing time and precomputed randomness from the private key. This helps mitigate fault injection attacks and side-channel attacks while protecting against potential flaws in the random number generator.
 
-The deterministic variant can be enabled by undefining `MLD_RANDOMIZED_SIGNING`, but FIPS 204 warns that this should not be used on platforms where fault injection attacks and side-channel attacks are a concern, as the lack of fresh randomness makes fault attacks more difficult to mitigate.
+If you need the deterministic variant of ML-DSA, you can call `crypto_sign_signature_internal`
+directly with an all-zero `rnd` argument.
+However, note that FIPS 204 warns that this should not be used on platforms where fault injection attacks and side-channel attacks are a concern, as the lack of fresh randomness makes fault attacks more difficult to mitigate.
 
 ### Does mldsa-native support the external mu mode?
 
@@ -106,7 +108,7 @@ Yes, you will be able to add custom backends for ML-DSA native arithmetic and/or
 ## Have a Question?
 
 If you think you have found a security bug in mldsa-native, please report the vulnerability through
-Github's [private vulnerability reporting](https://github.com/pq-code-package/mldsa-native/security). 
+Github's [private vulnerability reporting](https://github.com/pq-code-package/mldsa-native/security).
 Please do **not** create a public GitHub issue.
 
 If you have any other question / non-security related issue / feature request, please open a GitHub issue.

integration/liboqs/config_aarch64.h

@@ -24,9 +24,6 @@
 #endif
 #endif /* !__ASSEMBLER__ */
 
-
-#define MLD_RANDOMIZED_SIGNING
-
 /* Use OQS's FIPS202 via glue headers */
 #define MLD_CONFIG_FIPS202_CUSTOM_HEADER "../integration/liboqs/fips202_glue.h"
 #define MLD_CONFIG_FIPS202X4_CUSTOM_HEADER \

integration/liboqs/config_c.h

@@ -24,8 +24,6 @@
 #endif
 #endif /* !__ASSEMBLER__ */
 
-#define MLD_RANDOMIZED_SIGNING
-
 /* Use OQS's FIPS202 via glue headers */
 #define MLD_CONFIG_FIPS202_CUSTOM_HEADER "../integration/liboqs/fips202_glue.h"
 #define MLD_CONFIG_FIPS202X4_CUSTOM_HEADER \

integration/liboqs/config_x86_64.h

@@ -24,8 +24,6 @@
 #endif
 #endif /* !__ASSEMBLER__ */
 
-#define MLD_RANDOMIZED_SIGNING
-
 /* Use OQS's FIPS202 via glue headers */
 #define MLD_CONFIG_FIPS202_CUSTOM_HEADER "../integration/liboqs/fips202_glue.h"
 #define MLD_CONFIG_FIPS202X4_CUSTOM_HEADER \

mldsa/config.h

@@ -20,8 +20,6 @@
 #ifndef MLD_CONFIG_H
 #define MLD_CONFIG_H
 
-#define MLD_RANDOMIZED_SIGNING
-
 /******************************************************************************
  * Name:        MLD_CONFIG_PARAMETER_SET
  *

mldsa/sign.c

@@ -600,13 +600,10 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m,
     pre[2 + i] = ctx[i];
   }
 
-#ifdef MLD_RANDOMIZED_SIGNING
+  /* Randomized variant of ML-DSA. If you need the deterministic variant,
+   * call crypto_sign_signature_internal directly with all-zero rnd. */
   mld_randombytes(rnd, MLDSA_RNDBYTES);
   MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
-#else
-  mld_memset(rnd, 0, MLDSA_RNDBYTES);
-#endif
-
 
   result = crypto_sign_signature_internal(sig, siglen, m, mlen, pre, 2 + ctxlen,
                                           rnd, sk, 0);
@@ -627,12 +624,10 @@ int crypto_sign_signature_extmu(uint8_t *sig, size_t *siglen,
   uint8_t rnd[MLDSA_RNDBYTES];
   int result;
 
-#ifdef MLD_RANDOMIZED_SIGNING
+  /* Randomized variant of ML-DSA. If you need the deterministic variant,
+   * call crypto_sign_signature_internal directly with all-zero rnd. */
   mld_randombytes(rnd, MLDSA_RNDBYTES);
   MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
-#else
-  mld_memset(rnd, 0, MLDSA_RNDBYTES);
-#endif
 
   result = crypto_sign_signature_internal(sig, siglen, mu, MLDSA_CRHBYTES, NULL,
                                           0, rnd, sk, 1);

mldsa/sign.h

@@ -172,7 +172,9 @@ __contract__(
 /*************************************************
  * Name:        crypto_sign_signature
  *
- * Description: Computes signature.
+ * Description: Computes signature. This function implements the randomized
+ *              variant of ML-DSA. If you require the deterministic variant,
+ *              use crypto_sign_signature_internal directly.
  *
  * Arguments:   - uint8_t *sig:   pointer to output signature (of length
  *                                CRYPTO_BYTES)
@@ -186,7 +188,7 @@ __contract__(
  *
  * Returns 0 (success) or -1 (context string too long OR nonce exhaustion)
  *
- * Specification: Implements @[FIPS204 Algorithm 2 (ML-DSA.Sign)]
+ * Specification: Implements @[FIPS204 Algorithm 2 (ML-DSA.Sign)].
  *
  **************************************************/
 MLD_MUST_CHECK_RETURN_VALUE
@@ -211,7 +213,9 @@ __contract__(
 /*************************************************
  * Name:        crypto_sign_signature_extmu
  *
- * Description: Computes signature.
+ * Description: Computes signature. This function implements the randomized
+ *              variant of ML-DSA. If you require the deterministic variant,
+ *              use crypto_sign_signature_internal directly.
  *
  * Arguments:   - uint8_t *sig:   pointer to output signature (of length
  *                                CRYPTO_BYTES)

test/acvp_client.py

@@ -167,31 +167,35 @@ def run_sigGen_test(tg, tc):
 
     assert tg["testType"] == "AFT"
 
-    # TODO: probably we want to handle handle the deterministic case differently
-    if tg["deterministic"] is True:
-        tc["rnd"] = "0" * 64
+    is_deterministic = tg["deterministic"] is True
 
     if tg["preHash"] == "preHash":
         assert len(tc["context"]) <= 2 * 255
 
         # Use specialized SHAKE256 function that computes hash internally
         if tc["hashAlg"] == "SHAKE-256":
+            target = (
+                "sigGenPreHashShake256Deterministic"
+                if is_deterministic
+                else "sigGenPreHashShake256"
+            )
             acvp_call = exec_prefix + [
                 acvp_bin,
-                "sigGenPreHashShake256",
+                target,
                 f"message={tc['message']}",
                 f"context={tc['context']}",
-                f"rnd={tc['rnd']}",
                 f"sk={tc['sk']}",
             ]
         else:
             ph = compute_hash(tc["message"], tc["hashAlg"])
+            target = (
+                "sigGenPreHashDeterministic" if is_deterministic else "sigGenPreHash"
+            )
             acvp_call = exec_prefix + [
                 acvp_bin,
-                "sigGenPreHash",
+                target,
                 f"ph={ph}",
                 f"context={tc['context']}",
-                f"rng={tc['rnd']}",
                 f"sk={tc['sk']}",
                 f"hashAlg={tc['hashAlg']}",
             ]
@@ -200,11 +204,11 @@ def run_sigGen_test(tg, tc):
         assert len(tc["context"]) <= 2 * 255
         assert len(tc["message"]) <= 2 * 65536
 
+        target = "sigGenDeterministic" if is_deterministic else "sigGen"
         acvp_call = exec_prefix + [
             acvp_bin,
-            "sigGen",
+            target,
             f"message={tc['message']}",
-            f"rnd={tc['rnd']}",
             f"sk={tc['sk']}",
             f"context={tc['context']}",
         ]
@@ -219,15 +223,19 @@ def run_sigGen_test(tg, tc):
             assert len(tc["message"]) <= 2 * 65536
             msg = tc["message"]
 
+        target = "sigGenInternalDeterministic" if is_deterministic else "sigGenInternal"
         acvp_call = exec_prefix + [
             acvp_bin,
-            "sigGenInternal",
+            target,
             f"message={msg}",
-            f"rnd={tc['rnd']}",
             f"sk={tc['sk']}",
             f"externalMu={externalMu}",
         ]
 
+    # Append rnd argument for randomized (non-deterministic) variant
+    if not is_deterministic:
+        acvp_call.append(f"rnd={tc['rnd']}")
+
     result = subprocess.run(acvp_call, encoding="utf-8", capture_output=True)
     if result.returncode != 0:
         err("FAIL!")