Merge pull request #394 from pq-code-package/kat-pct

Author: mkannwischer

META.yml

@@ -8,16 +8,16 @@ implementations:
     length-public-key: 1312
     length-secret-key: 2560
     length-signature: 2420
-    kat-sha256: 9d4ae4ea0c1b56f96650838c7425cc2167a0754643b79a93bee28cb039ac2fc2
+    kat-sha256: 33e7eb7e3b4965fc8b8274ebf8a222c519008ec242b3f753d1bc240f1ee3cb1f
   - name: ML-DSA-65
     claimed-nist-level: 3
     length-public-key: 1952
     length-secret-key: 4032
     length-signature: 3309
-    kat-sha256: b66d7de88a3bec2d7cf171a7a1198f6de47384e2a1dd3bf7d07432316a9a40f8
+    kat-sha256: 2ff0ddcd0dc08b746aa04853d6f84c82c6c8ac38783c9061aed78e29c1698ae5
   - name: ML-DSA-87
     claimed-nist-level: 5
     length-public-key: 2592
     length-secret-key: 4896
     length-signature: 4627
-    kat-sha256: 93029142bf62f67ae3df0d31c2fccf8c9fa1e61ab388048e1b3faeb9451a61ce
+    kat-sha256: 1bfb25b29f6f2bc89057e3bddee055a8f7df563b0e747004b2968159f7739afa

test/gen_KAT.c

@@ -6,7 +6,8 @@
 #include <stddef.h>
 #include <stdio.h>
 #include <string.h>
-#include "../mldsa/api.h"
+#include "../mldsa/fips202/fips202.h"
+#include "../mldsa/sign.h"
 #include "../mldsa/sys.h"
 #include "notrandombytes/notrandombytes.h"
 
@@ -30,55 +31,61 @@ static void print_hex(const uint8_t *data, size_t size)
 
 int main(void)
 {
-  unsigned i, j;
+  unsigned i;
   int rc;
   uint8_t pk[CRYPTO_PUBLICKEYBYTES];
   uint8_t sk[CRYPTO_SECRETKEYBYTES];
-  uint8_t sm[MAXMLEN + CRYPTO_BYTES];
   uint8_t s[CRYPTO_BYTES];
-  uint8_t m[MAXMLEN];
-  uint8_t m2[MAXMLEN + CRYPTO_BYTES];
-  size_t smlen;
+  uint8_t *m;
+  /* empty ctx */
+  uint8_t pre[2] = {0, 0};
   size_t slen;
-  size_t mlen;
+
+  const uint8_t seed[64] = {
+      32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
+      48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63,
+      64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79,
+      80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95,
+  };
+  uint8_t coins[MLDSA_SEEDBYTES + MLDSA_RNDBYTES + MAXMLEN];
 
 #if defined(MLD_SYS_WINDOWS)
   /* Disable automatic CRLF conversion on Windows to match testvector hashes */
   _setmode(_fileno(stdout), _O_BINARY);
 #endif
 
+  /*
+   * We cannot rely on randombytes in the KAT test as randombytes() is used
+   * inside of crypto_sign_signature() which is called as a part of
+   * key generation in case PCT (pairwise-consistency test) is enabled.
+   * To allow KAT tests to still pass successfully, we derandomize the
+   * KAT test to only use deterministic randomness derived using SHAKE.
+   */
+
+  shake256(coins, sizeof(coins), seed, sizeof(seed));
+
   for (i = 0; i < MAXMLEN; i = (i == 0) ? i + 1 : i << 2)
   {
-    randombytes(m, i);
+    shake256(coins, sizeof(coins), coins, sizeof(coins));
+    m = coins + MLDSA_SEEDBYTES + MLDSA_RNDBYTES;
 
-
-    crypto_sign_keypair(pk, sk);
+    crypto_sign_keypair_internal(pk, sk, coins);
 
     print_hex(pk, CRYPTO_PUBLICKEYBYTES);
     print_hex(sk, CRYPTO_SECRETKEYBYTES);
 
-    crypto_sign(sm, &smlen, m, i, NULL, CTXLEN, sk);
-    crypto_sign_signature(s, &slen, m, i, NULL, CTXLEN, sk);
+    crypto_sign_signature_internal(s, &slen, m, i, pre, sizeof(pre),
+                                   coins + MLDSA_SEEDBYTES, sk, 0);
 
-    print_hex(sm, smlen);
     print_hex(s, slen);
 
-    rc = crypto_sign_open(m2, &mlen, sm, smlen, NULL, CTXLEN, pk);
-    rc |= crypto_sign_verify(s, slen, m, i, NULL, CTXLEN, pk);
+    rc = crypto_sign_verify(s, slen, m, i, NULL, CTXLEN, pk);
 
     if (rc)
     {
       printf("ERROR: signature verification failed\n");
       return -1;
     }
-    for (j = 0; j < i; j++)
-    {
-      if (m2[j] != m[j])
-      {
-        printf("ERROR: message recovery failed\n");
-        return -1;
-      }
-    }
   }
   return 0;
 }