2 changes: 2 additions & 0 deletions scripts/build_ffi.py
Expand Up @@ -1031,6 +1031,8 @@ def build_ffi(local_wolfssl, features):
int wc_dilithium_export_public(dilithium_key* key, byte* out, word32* outLen);
int wc_dilithium_import_public(const byte* in, word32 inLen, dilithium_key* key);
int wc_dilithium_sign_msg(const byte* msg, word32 msgLen, byte* sig, word32* sigLen, dilithium_key* key, WC_RNG* rng);
int wc_dilithium_sign_msg_with_seed(const byte* msg, word32 msgLen, byte* sig, word32* sigLen, dilithium_key* key, const byte* seed);
int wc_dilithium_sign_ctx_msg_with_seed(const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, byte* sig, word32* sigLen, dilithium_key* key, const byte* seed);
int wc_dilithium_verify_msg(const byte* sig, word32 sigLen, const byte* msg, word32 msgLen, int* res, dilithium_key* key);
typedef dilithium_key MlDsaKey;
int wc_MlDsaKey_GetPrivLen(MlDsaKey* key, int* len);
30 changes: 30 additions & 0 deletions tests/test_mldsa.py
Expand Up @@ -28,6 +28,8 @@
from wolfcrypt.ciphers import MlDsaPrivate, MlDsaPublic, MlDsaType
from wolfcrypt.random import Random

ML_DSA_SIGNATURE_SEED_LENGTH = 32
Copilot AI Apr 8, 2026

This duplicates the seed-length constant that is already defined on MlDsaPrivate (_SIGNATURE_SEED_LENGTH). To avoid tests drifting if the library constant ever changes, consider referencing MlDsaPrivate._SIGNATURE_SEED_LENGTH directly instead of hard-coding 32 here.

Suggested change
ML_DSA_SIGNATURE_SEED_LENGTH = 32
ML_DSA_SIGNATURE_SEED_LENGTH = MlDsaPrivate._SIGNATURE_SEED_LENGTH


@pytest.fixture
def rng():
return Random()
Expand Down Expand Up @@ -134,3 +136,31 @@ def test_sign_verify(mldsa_type, rng):
# Verify with wrong message
wrong_message = b"This is a wrong message for ML-DSA signature"
assert not mldsa_pub.verify(signature, wrong_message)

def test_sign_with_seed(mldsa_type, rng):
signature_seed = rng.bytes(ML_DSA_SIGNATURE_SEED_LENGTH)
mldsa_priv = MlDsaPrivate.make_key(mldsa_type, rng)
pub_key = mldsa_priv.encode_pub_key()

# Import public key
mldsa_pub = MlDsaPublic(mldsa_type)
mldsa_pub.decode_key(pub_key)

# Sign a message
message = b"This is a test message for ML-DSA signature"
signature = mldsa_priv.sign_with_seed(message, signature_seed)
assert len(signature) == mldsa_priv.sig_size

# Verify the signature using public key
assert mldsa_pub.verify(signature, message)

# re-generate from the same seed:
signature_from_same_seed = mldsa_priv.sign_with_seed(message, signature_seed)
assert signature == signature_from_same_seed

Copilot AI Apr 8, 2026

sign_with_seed(..., ctx=...) introduces a separate code path (calls wc_dilithium_sign_ctx_msg_with_seed), but this test suite only exercises the ctx is None branch. Add a test that passes a non-None ctx (and ideally covers boundary conditions like empty ctx and max-length ctx) to ensure the new path works and stays covered.

Suggested change
# Exercise the non-None ctx code path, including boundary conditions.
empty_ctx = b""
signature_empty_ctx = mldsa_priv.sign_with_seed(
message, signature_seed, ctx=empty_ctx
)
assert len(signature_empty_ctx) == mldsa_priv.sig_size
assert mldsa_pub.verify(signature_empty_ctx, message)
assert signature_empty_ctx == mldsa_priv.sign_with_seed(
message, signature_seed, ctx=empty_ctx
)
ctx = b"ml-dsa ctx"
signature_with_ctx = mldsa_priv.sign_with_seed(message, signature_seed, ctx=ctx)
assert len(signature_with_ctx) == mldsa_priv.sig_size
assert mldsa_pub.verify(signature_with_ctx, message)
assert signature_with_ctx == mldsa_priv.sign_with_seed(
message, signature_seed, ctx=ctx
)
max_ctx = b"x" * 255
signature_max_ctx = mldsa_priv.sign_with_seed(
message, signature_seed, ctx=max_ctx
)
assert len(signature_max_ctx) == mldsa_priv.sig_size
assert mldsa_pub.verify(signature_max_ctx, message)
assert signature_max_ctx == mldsa_priv.sign_with_seed(
message, signature_seed, ctx=max_ctx
)

# test that the seed size is checked:
with pytest.raises(AssertionError):
_ = mldsa_priv.sign_with_seed(message, signature_seed[:-1])

with pytest.raises(AssertionError):
_ = mldsa_priv.sign_with_seed(message, "")
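Review bot: test_sign_with_seed shows that one seed is reproducible but never shows that the seed is actually consumed: the `assert signature == signature_from_same_seed` check would also pass if the wrapper silently ignored the seed and wolfSSL signed deterministically. Add a second seed and check it changes the output while still verifying, e.g. `other_seed = rng.bytes(ML_DSA_SIGNATURE_SEED_LENGTH)`, `other_signature = mldsa_priv.sign_with_seed(message, other_seed)`, `assert other_signature != signature and mldsa_pub.verify(other_signature, message)`; two random 32-byte seeds colliding is not a realistic flake. The seeded test also lacks the wrong-message negative check that test_sign_verify does at the top of this hunk, so a signer that verified anything would still pass here. The two `pytest.raises(AssertionError)` checks at the end pin the wrapper's validation to `assert`, so they will need updating if that validation is ever changed to a real exception type.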
57 changes: 57 additions & 0 deletions wolfcrypt/ciphers.py
Expand Up @@ -2152,6 +2152,9 @@ def verify(self, signature, message):
return res[0] == 1

class MlDsaPrivate(_MlDsaBase):
_SIGNATURE_SEED_LENGTH = 32
"""The length of a signature generation seed."""

@classmethod
def make_key(cls, mldsa_type, rng=Random()):
"""
Expand Down Expand Up @@ -2280,6 +2283,60 @@ def sign(self, message, rng=Random()):

return _ffi.buffer(signature, out_size[0])[:]

def sign_with_seed(self, message, seed, ctx=None):
"""
:param message: message to be signed
:type message: bytes or str
:param seed: 32-byte seed for deterministic signature generation.
:type seed: bytes
:param ctx: context (optional)
:type ctx: None for no context, str or bytes otherwise
:return: signature
:rtype: bytes
"""
msg_bytestype = t2b(message)
in_size = self.sig_size
signature = _ffi.new(f"byte[{in_size}]")
out_size = _ffi.new("word32 *")
out_size[0] = in_size

assert isinstance(seed, bytes) and len(seed) == MlDsaPrivate._SIGNATURE_SEED_LENGTH, \
f"Seed for generating a signature must be {MlDsaPrivate._SIGNATURE_SEED_LENGTH} bytes."
Comment on lines +2303 to +2304
Copilot AI Apr 8, 2026

assert is being used for runtime input validation of seed. Asserts can be disabled with Python optimizations (-O), which would remove this check and change the exception behavior for invalid seeds. Prefer raising TypeError/ValueError (or WolfCryptError if that’s the library convention) with a clear message instead.

Suggested change
assert isinstance(seed, bytes) and len(seed) == MlDsaPrivate._SIGNATURE_SEED_LENGTH, \
f"Seed for generating a signature must be {MlDsaPrivate._SIGNATURE_SEED_LENGTH} bytes."
if not isinstance(seed, bytes):
raise TypeError("Seed for generating a signature must be bytes.")
if len(seed) != MlDsaPrivate._SIGNATURE_SEED_LENGTH:
raise ValueError(
f"Seed for generating a signature must be "
f"{MlDsaPrivate._SIGNATURE_SEED_LENGTH} bytes."
)


if ctx is not None:
ctx_bytestype = t2b(ctx)
ret = _lib.wc_dilithium_sign_ctx_msg_with_seed(
_ffi.from_buffer(ctx_bytestype),
len(ctx_bytestype),
_ffi.from_buffer(msg_bytestype),
Comment on lines +2306 to +2311
Copilot AI Apr 8, 2026

wc_dilithium_sign_ctx_msg_with_seed takes ctxLen as a byte (0–255), but len(ctx_bytestype) is passed without bounds checking. If ctx is longer than 255 bytes this will truncate/overflow at the C boundary and sign using an unintended context length. Validate len(ctx_bytestype) <= 255 (and raise a deterministic exception) before calling into _lib.

len(msg_bytestype),
signature,
out_size,
self.native_object,
_ffi.from_buffer(seed),
)
if ret < 0: # pragma: no cover
raise WolfCryptError("wc_dilithium_sign_ctx_msg_with_seed() error (%d)" % ret)
else:
ret = _lib.wc_dilithium_sign_msg_with_seed(
_ffi.from_buffer(msg_bytestype),
len(msg_bytestype),
signature,
out_size,
self.native_object,
_ffi.from_buffer(seed),
)
if ret < 0: # pragma: no cover
raise WolfCryptError("wc_dilithium_sign_msg_with_seed() error (%d)" % ret)


if in_size != out_size[0]:
raise WolfCryptError(
"in_size=%d and out_size=%d don't match" % (in_size, out_size[0])
)

return _ffi.buffer(signature, out_size[0])[:]

class MlDsaPublic(_MlDsaBase):
@property
def key_size(self):
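Review bot: The sign_with_seed docstring does not state the seed's security contract, which is the one thing a caller of a seeded signer must know: the same key, message and seed always produce the same signature (the new test relies on exactly that), so the seed has to be fresh CSPRNG output per call unless deterministic signing is deliberately wanted. This looks like the `rnd` input of FIPS 204 hedged signing, where a fixed or predictable seed presumably degrades to the deterministic variant and gives up its fault/side-channel hedging — confirm against wolfSSL's wc_dilithium_sign_msg_with_seed before documenting it as such. Suggest extending the `:param seed:` entry with `Must be 32 bytes from a CSPRNG; reusing a seed for the same key and message yields an identical signature, so only pass a fixed seed when deterministic signing is intended.` The docstring should also say whether `ctx=None` and `ctx=b""` are meant to produce the same signature, since they go through different native entry points (wc_dilithium_sign_msg_with_seed vs wc_dilithium_sign_ctx_msg_with_seed) and nothing in the wrapper asserts their equivalence. The MlDsaPublic.key_size property at the end of this section continues outside the hunk.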