Rule #2 in NASA's "Rules for developing safety critical code" says the
following: "All loops must have a fixed upper-bound. It must be
trivially possible for a checking tool to _prove_ statically that a
preset upper-bound on the number of iterations of a loop cannot be
exceeded." The same rule appears in other coding requirements and
testing tools---see, e.g., MISRA C requiring "well-formed" loops where a
loop counter is tested against a preset limit.
I've commented before on how poorly designed these rules are (see, e.g.,
https://web-backend.simula.no/sites/default/files/publications/Simula.SE.331.pdf)
and on ways around the rules: invoke waiver procedures; use at most
123456789123456789ULL iterations. But the reality is that some
implementors will truncate the ML-DSA signing loop at some much smaller
limit, _even if_ they see that NIST recommends against doing so.
Some of the implementors will end up with a wrong limit---for example,
they'll mistakenly copy a number from the wrong place (as NIST seems to
have done here), or they'll base the number on some inadequate tests, or
they'll simply have the number spoiled by a typo.
This process can produce many different failure probabilities---for
example, maybe it ends up with failure probability ~1/1000 for a key
used billions of times. Sometimes an implementation will have a test
that catches this, but let's think about all the other implementations.
Maybe some programmers will raise an exception for the application, but
the simplest way of inserting a limit into the loop will end up issuing
a signature that should have been rejected.
Presumably some feasible number of those signatures will give away the
secret key, since such rejection is advertised as the primary defense
against
https://link.springer.com/article/10.1007/s00145-008-9031-0
etc., although maybe there's some reason that such attacks don't work in
the case of ML-DSA.
Have there been any papers studying these attacks in the case of ML-DSA?
FIPS 204 doesn't provide any citations when it says that release of an
invalid ML-DSA signature "would leak information about the private key".
Analogy: The CRYSTALS team announced in January 2018 that both of the
Dilithium implementations had a bug that "can easily be exploited to
recover the secret key"; but they provided no justification for this
claim of easy secret-key recovery.
https://cr.yp.to/papers.html#mldsa
now reports a demo of efficient recovery of a _portion_ of the secret
key given an analogous ML-DSA bug; the demo also uses that portion to
efficiently forge signatures; but the forgery part involves looking at
ML-DSA details. Presumably something similar would also apply to the
original version of Dilithium, but this still wouldn't justify the
January 2018 key-recovery claim. We've seen other claims of Dilithium
leaks for which the response was that those leaks don't matter. It's
_plausible_ that FIPS 204 is correct in claiming that invalid signatures
leak information and, more to the point, leading the reader to think
that this is a problem for ML-DSA, but FIPS 204 doesn't say "presumably"
and doesn't cite the supposed basis for what it does claim.
On the flip side, I also didn't notice any statement in FIPS 204 along
the lines of "Here's a theorem showing that rejection _doesn't_ leak
information". Have there been any cryptanalysis papers looking at what
exactly rejection reveals for ML-DSA?
I also have two simple yes/no questions specifically for NIST. Someone
who says he "was NIST's lattice cryptographer" wrote in
https://web.archive.org/web/20260630121205/mailarchive.ietf.org/arch/msg/tls/nVeE4qhVAnLCOfGZcNloENNF34Q/
that "ML-KEM was fully vetted" during "the NIST PQC process". I'd think
many readers will understand this to be a statement of NIST's position,
and from context as also applying to ML-DSA. Does NIST in fact claim
that ML-KEM was fully vetted during the NIST PQC process? Does NIST
claim that ML-DSA was fully vetted during the NIST PQC process?
---D. J. Bernstein