ML-DSA: Fix poly_uniform

smuellerDD · smuellerDD · commit 32166fb2560a · 2025-11-25T09:28:02.000+01:00
In the second and later squeezes, it squeezes SHAKE128_BLOCK_SIZE
(168) bytes, but then it uses only the first DILITHIUM_SEEDBYTES
(32) bytes.

Now, that 32 is on top of the 840-byte first squeeze, so there are 872
correct bytes which is enough for 290 samples.  So an incorrect matrix
would be generated only if more than 290 samples happen to be required
to get the 256 coefficients.  q / 2^23 = ~99.9% of coefficients are
accepted, so that number of rejections would be pretty unlikely.

Reported-by Eric Biggers &lt;ebiggers@kernel.org&gt;
Signed-off-by: Stephan Mueller &lt;smueller@chronox.de&gt;
diff --git a/ml-dsa/src/dilithium_poly.c b/ml-dsa/src/dilithium_poly.c
@@ -96,7 +96,7 @@ void poly_uniform(poly *a, const uint8_t seed[LC_DILITHIUM_SEEDBYTES],
 			buf[i] = buf[buflen - off + i];
 
 		lc_hash_final(hash_ctx, buf + off);
-		buflen = LC_DILITHIUM_SEEDBYTES + off;
+		buflen = LC_SHAKE_128_SIZE_BLOCK + off;
 		ctr += rej_uniform(a->coeffs + ctr, LC_DILITHIUM_N - ctr, buf,
 				   buflen);
 	}

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ void poly_uniform(poly *a, const uint8_t seed[LC_DILITHIUM_SEEDBYTES],`
`96`	`96`	`buf[i] = buf[buflen - off + i];`
`97`	`97`
`98`	`98`	`lc_hash_final(hash_ctx, buf + off);`
`99`		`- buflen = LC_DILITHIUM_SEEDBYTES + off;`
	`99`	`+ buflen = LC_SHAKE_128_SIZE_BLOCK + off;`
`100`	`100`	`ctr += rej_uniform(a->coeffs + ctr, LC_DILITHIUM_N - ctr, buf,`
`101`	`101`	`buflen);`
`102`	`102`	`}`