ML-DSA: add rejection tests and its generator

Signed-off-by: Stephan Mueller <smueller@chronox.de>

Author: smuellerDD

README.debugging.md

@@ -70,3 +70,71 @@ To perform such a side channel analysis, apply the following steps:
 [5] Mehmet Sinan İnci, Berk Gülmezoğlu, Gorka Irazoqui, Thomas Eisenbarth, Berk Sunar, [Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud](https://eprint.iacr.org/2015/898.pdf).
 
 [6] Thierry Kaufmann, Hervé Pelletier, Serge Vaudenay, and Karine Villegas [When Constant-time Source Yields Variable-time Binary: Exploiting Curve25519-donna Built with MSVC 2015](https://infoscience.epfl.ch/record/223794/files/32_1.pdf).
+
+# Generation of ML-DSA Signature Generation Rejection Test Vectors
+
+The ML-DSA signature generation contains rejection code paths which are probabilistically triggered during production use. According to FIPS IG 10.3.A and also to ensure proper implementation, the rejection code paths should all be tested.
+
+According to FIPS IG 10.3.A, for ML-DSA 87 and 65, three of the four possible rejection code paths are to be triggered (z, r0 and h). For ML-DSA 44, in addition the ct0 rejection code path is to be tested. 
+
+TODO: The tests are not able to trigger all four rejection code paths for ML-DSA 44 - this needs to be checked with NIST.
+
+To generate ML-DSA signature generation test vectors that trigger all required code paths as mentioned above, leancrypto contains a test generator to generate such test vectors for pure, pre-hash and external MU interfaces. The test vector for the internal interface is derived from [1] and thus not generated by leancrypto.
+
+The following steps have to be followed if test vectors shall be generated anew:
+
+1. In the file `dilithium_signature_impl.h` the macro `REJECTION_TEST_SAMPLING` must be defined.
+
+2. In the file `dilithium_edge_case_tester.c` the macro `GENERATE_KEYS` must be defined.
+
+3. Ensure that SHA2-256 is enabled, i.e. the meson option `sha2-256` must be enabled (which is active by default)
+
+4. Compile leancrypto
+
+5. Generate pure ML-DSA vectors by executing:
+
+	* ML-DSA 87: `build/ml-dsa/tests/dilithium_pure_edge_case_tester_c > ml-dsa/tests/dilithium_pure_rejection_vectors_87.h`
+	
+	* ML-DSA 65: `build/ml-dsa/tests/dilithium_65_pure_edge_case_tester_c > ml-dsa/tests/dilithium_pure_rejection_vectors_65.h`
+	
+	* ML-DSA 44: `build/ml-dsa/tests/dilithium_44_pure_edge_case_tester_c > ml-dsa/tests/dilithium_pure_rejection_vectors_44.h`
+	
+6. Generate pre-hash ML-DSA vectors by executing:
+
+	* ML-DSA 87: `build/ml-dsa/tests/dilithium_prehash_edge_case_tester_c > ml-dsa/tests/dilithium_prehash_rejection_vectors_87.h`
+	
+	* ML-DSA 65: `build/ml-dsa/tests/dilithium_65_prehash_edge_case_tester_c > ml-dsa/tests/dilithium_prehash_rejection_vectors_65.h`
+	
+	* ML-DSA 44: `build/ml-dsa/tests/dilithium_44_prehash_edge_case_tester_c > ml-dsa/tests/dilithium_prehash_rejection_vectors_44.h`
+	
+7. Generate external-Mu ML-DSA vectors by executing:
+
+	* ML-DSA 87: `build/ml-dsa/tests/dilithium_external_mu_edge_case_tester_c > ml-dsa/tests/dilithium_external_mu_rejection_vectors_87.h`
+	
+	* ML-DSA 65: `build/ml-dsa/tests/dilithium_65_external_mu_edge_case_tester_c > ml-dsa/tests/dilithium_external_mu_rejection_vectors_65.h`
+	
+	* ML-DSA 44: `build/ml-dsa/tests/dilithium_44_external_mu_edge_case_tester_c > ml-dsa/tests/dilithium_external_mu_rejection_vectors_44.h`
+	
+8. Do not forget to undefine the macros  set in steps 1 and 2.
+
+## References
+
+[1] https://pages.nist.gov/ACVP/draft-celi-acvp-ml-dsa.html#name-known-answer-tests
+
+# Verification of ML-DSA Signature Generation Rejection Test Vectors
+
+The (ML-DSA signature generation rejection test vectors)[Generation of ML-DSA Signature Generation Rejection Test Vectors] can be verified to indeed trigger all rejection code paths as follows:
+
+1. Enable ML-DSA debug output: `meson configure build -Ddilithium_debug=enabled`
+
+2. Compile leancrypto
+
+3. Verify the triggering of the rejection code paths by invoking `build/ml-dsa/tests/dilithium_edge_case_tester_c | less` and check the presence of the following logging output depending on which rejection code path you are interested in:
+
+	* For z rejectin: `Siggen - z rejection`
+	
+	* For r1 rejection: `Siggen - r0 rejection`
+	
+	* For h rejection: `Siggen - h rejection`
+	
+	* For ct0 rejection: `Siggen - ct0 rejection`

ml-dsa/src/avx2/dilithium_signature_avx2.c

@@ -132,7 +132,7 @@ LC_INTERFACE_FUNCTION(int, lc_dilithium_keypair_avx2,
 	}
 
 	dilithium_keypair_tester(&tested, "Dilithium Keygen AVX2",
-				 lc_dilithium_keypair_avx2);
+				 lc_dilithium_keypair_from_seed_avx2);
 
 	row = ws->rowbuf;
 
@@ -462,8 +462,11 @@ static int lc_dilithium_sign_avx2_internal(struct lc_dilithium_sig *sig,
 		unpoison(&ws->z.vec[i], sizeof(poly));
 
 		if (poly_chknorm_avx(&ws->z.vec[i],
-				     LC_DILITHIUM_GAMMA1 - LC_DILITHIUM_BETA))
+				     LC_DILITHIUM_GAMMA1 - LC_DILITHIUM_BETA)) {
+			dilithium_print_polyvecl(&ws->z,
+						 "Siggen - z rejection");
 			goto rej;
+		}
 	}
 
 	/* Zero hint vector in signature */
@@ -485,8 +488,11 @@ static int lc_dilithium_sign_avx2_internal(struct lc_dilithium_sig *sig,
 		unpoison(&ws->tmpv.w0.vec[i], sizeof(poly));
 
 		if (poly_chknorm_avx(&ws->tmpv.w0.vec[i],
-				     LC_DILITHIUM_GAMMA2 - LC_DILITHIUM_BETA))
+				     LC_DILITHIUM_GAMMA2 - LC_DILITHIUM_BETA)) {
+			dilithium_print_polyveck(&ws->tmpv.w0,
+						 "Siggen - r0 rejection");
 			goto rej;
+		}
 
 		/* Compute hints */
 		poly_pointwise_montgomery_avx(&ws->tmp, &ws->c, &ws->t0.vec[i]);
@@ -496,15 +502,21 @@ static int lc_dilithium_sign_avx2_internal(struct lc_dilithium_sig *sig,
 		/* Timecop: the hint information is not sensitive any more. */
 		unpoison(&ws->tmp, sizeof(poly));
 
-		if (poly_chknorm_avx(&ws->tmp, LC_DILITHIUM_GAMMA2))
+		if (poly_chknorm_avx(&ws->tmp, LC_DILITHIUM_GAMMA2)) {
+			dilithium_print_poly(&ws->tmp,
+					     "Siggen - ct0 rejection");
 			goto rej;
+		}
 
 		poly_add_avx(&ws->tmpv.w0.vec[i], &ws->tmpv.w0.vec[i],
 			     &ws->tmp);
 		n = poly_make_hint_avx(ws->hintbuf, &ws->tmpv.w0.vec[i],
 				       &ws->w1.vec[i]);
-		if (pos + n > LC_DILITHIUM_OMEGA)
+		if (pos + n > LC_DILITHIUM_OMEGA) {
+			dilithium_print_polyveck(&ws->tmpv.w0,
+						 "Siggen - h rejection");
 			goto rej;
+		}
 
 		/* Store hints in signature */
 		memcpy(&hint[pos], ws->hintbuf, n);

ml-dsa/src/dilithium_selftest.c

@@ -23,62 +23,58 @@
 #include "selftest_rng.h"
 #include "small_stack_support.h"
 
+/*
+ * Use rejection test vector which will cover all rejection code paths
+ * as generated with the dilithium_edge_case_tester.
+ *
+ * For FIPS 140: The test vectors cover the requirements of IG 10.3.A.
+ */
 #if LC_DILITHIUM_MODE == 2
-#include "dilithium_selftest_vector_44.h"
-#elif LC_DILITHIUM_MODE == 3
-#include "dilithium_selftest_vector_65.h"
-#else
-#include "dilithium_selftest_vector_87.h"
-#endif
-
-#if LC_DILITHIUM_MODE == 2
-#include "../tests/dilithium_rejection_vectors_44.h"
+#include "../tests/dilithium_pure_rejection_vectors_44.h"
 #elif LC_DILITHIUM_MODE == 3
-#include "../tests/dilithium_rejection_vectors_65.h"
+#include "../tests/dilithium_pure_rejection_vectors_65.h"
 #elif LC_DILITHIUM_MODE == 5
-#include "../tests/dilithium_rejection_vectors_87.h"
+#include "../tests/dilithium_pure_rejection_vectors_87.h"
 #endif
 
 static int _dilithium_keypair_tester(
 	const char *impl,
-	int (*_lc_dilithium_keypair)(struct lc_dilithium_pk *pk,
-				     struct lc_dilithium_sk *sk,
-				     struct lc_rng_ctx *rng_ctx))
+	int (*_lc_dilithium_keypair_from_seed)(struct lc_dilithium_pk *pk,
+					       struct lc_dilithium_sk *sk,
+					       const uint8_t *seed,
+					       size_t seedlen))
 {
 	struct workspace {
 		struct lc_dilithium_pk pk;
 		struct lc_dilithium_sk sk;
 	};
 	char str[25];
-	uint8_t discard[64];
+	const struct dilithium_rejection_testvector *tc =
+		&dilithium_rejection_testvectors[0];
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
-	LC_SELFTEST_DRNG_CTX_ON_STACK(selftest_rng);
-
-	/* The test vector RNG state served a message gen before keygen */
-	lc_rng_generate(selftest_rng, NULL, 0, discard, sizeof(discard));
 
-	_lc_dilithium_keypair(&ws->pk, &ws->sk, selftest_rng);
+	_lc_dilithium_keypair_from_seed(&ws->pk, &ws->sk, tc->seed,
+					sizeof(tc->seed));
 	snprintf(str, sizeof(str), "%s PK", impl);
-	lc_compare_selftest(ws->pk.pk, vector.pk.pk,
-			    LC_DILITHIUM_PUBLICKEYBYTES, str);
+	lc_compare_selftest(ws->pk.pk, tc->pk, LC_DILITHIUM_PUBLICKEYBYTES,
+			    str);
 	snprintf(str, sizeof(str), "%s SK", impl);
-	lc_compare_selftest(ws->sk.sk, vector.sk.sk,
-			    LC_DILITHIUM_PUBLICKEYBYTES, str);
+	lc_compare_selftest(ws->sk.sk, tc->sk, LC_DILITHIUM_PUBLICKEYBYTES,
+			    str);
 
 	LC_RELEASE_MEM(ws);
-	lc_rng_zero(selftest_rng);
 	return 0;
 }
 
-void dilithium_keypair_tester(
-	int *tested, const char *impl,
-	int (*_lc_dilithium_keypair)(struct lc_dilithium_pk *pk,
-				     struct lc_dilithium_sk *sk,
-				     struct lc_rng_ctx *rng_ctx))
+void dilithium_keypair_tester(int *tested, const char *impl,
+			      int (*_lc_dilithium_keypair_from_seed)(
+				      struct lc_dilithium_pk *pk,
+				      struct lc_dilithium_sk *sk,
+				      const uint8_t *seed, size_t seedlen))
 {
 	LC_SELFTEST_RUN(tested);
 
-	if (_dilithium_keypair_tester(impl, _lc_dilithium_keypair))
+	if (_dilithium_keypair_tester(impl, _lc_dilithium_keypair_from_seed))
 		lc_compare_selftest((uint8_t *)"test", (uint8_t *)"fail", 4,
 				    impl);
 }
@@ -95,27 +91,14 @@ static int _dilithium_siggen_tester(
 		struct lc_dilithium_sig sig;
 	};
 	LC_DILITHIUM_CTX_ON_STACK(ctx);
+	const struct dilithium_rejection_testvector *tc =
+		&dilithium_rejection_testvectors[0];
 	LC_DECLARE_MEM(ws, struct workspace, sizeof(uint64_t));
 
-	_lc_dilithium_sign(&ws->sig, ctx, vector.m, sizeof(vector.m),
-			   &vector.sk, NULL);
-	lc_compare_selftest(ws->sig.sig, vector.sig.sig,
-			    LC_DILITHIUM_CRYPTO_BYTES, impl);
-
-	/* Rejection test case */
-	if (fips140_mode_enabled()) {
-		ctx->ml_dsa_internal = 1;
-		_lc_dilithium_sign(
-			&ws->sig, ctx, dilithium_rejection_testvectors[0].msg,
-			sizeof(dilithium_rejection_testvectors[0].msg),
-			(struct lc_dilithium_sk *)
-				dilithium_rejection_testvectors[0]
-					.sk,
-			NULL);
-		lc_compare_selftest(ws->sig.sig,
-				    dilithium_rejection_testvectors[0].sig,
-				    LC_DILITHIUM_CRYPTO_BYTES, impl);
-	}
+	_lc_dilithium_sign(&ws->sig, ctx, tc->msg, sizeof(tc->msg),
+			   (struct lc_dilithium_sk *)tc->sk, NULL);
+	lc_compare_selftest(ws->sig.sig, tc->sig, LC_DILITHIUM_CRYPTO_BYTES,
+			    impl);
 
 	LC_RELEASE_MEM(ws);
 	lc_dilithium_ctx_zero(ctx);
@@ -146,11 +129,14 @@ void dilithium_sigver_tester(
 {
 	int ret, exp;
 	LC_DILITHIUM_CTX_ON_STACK(ctx);
+	const struct dilithium_rejection_testvector *tc =
+		&dilithium_rejection_testvectors[0];
 	LC_SELFTEST_RUN(tested);
 
 	exp = 0;
-	ret = _lc_dilithium_verify(&vector.sig, ctx, vector.m, sizeof(vector.m),
-				   &vector.pk);
+	ret = _lc_dilithium_verify((struct lc_dilithium_sig *)tc->sig, ctx,
+				   tc->msg, sizeof(tc->msg),
+				   (struct lc_dilithium_pk *)tc->pk);
 	lc_dilithium_ctx_zero(ctx);
 
 	lc_compare_selftest((uint8_t *)&ret, (uint8_t *)&exp, sizeof(ret),

ml-dsa/src/dilithium_selftest.h

@@ -33,11 +33,11 @@ struct dilithium_testvector {
 	struct lc_dilithium_sig sig;
 };
 
-void dilithium_keypair_tester(
-	int *tested, const char *impl,
-	int (*_lc_dilithium_keypair)(struct lc_dilithium_pk *pk,
-				     struct lc_dilithium_sk *sk,
-				     struct lc_rng_ctx *rng_ctx));
+void dilithium_keypair_tester(int *tested, const char *impl,
+			      int (*_lc_dilithium_keypair_from_seed)(
+				      struct lc_dilithium_pk *pk,
+				      struct lc_dilithium_sk *sk,
+				      const uint8_t *seed, size_t seedlen));
 
 void dilithium_siggen_tester(
 	int *tested, const char *impl,