On Tue, Jun 02, 2026 at 10:23:00AM -0400, Russ Housley wrote:
> With the notice that you attached to this note, it cannot be used to
> improve the Security Considerations of draft-ietf-tls-mldsa-03. As
> such, this is very unhelpful.
Maybe something like:

-----------------------------------------------------------------------
Incorrect implementations of ML-DSA signing may leak the private key
along with signatures. While basic testing catches some kinds of
errors, there are errors that can evade such tests. Examples of such
errors are (with algorithms from FIPS 204):

- Incorrectly calculating rhoprimeprime on line 7 of ML-DSA.Sign_internal.
- Incorrectly calculating y on line 11 of ML-DSA.Sign_internal, which
  could be caused by an incorrect implementation of ExpandMask or BitUnpack.
- Omitting the norm check on r_0 on line 23 of ML-DSA.Sign_internal.

Tests that could catch such errors include comparing generated
signatures with another independent implementation. Signing with the
same key, randomizer, context and message should always produce the
same signature.
-----------------------------------------------------------------------

-Ilari

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
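As an added illustration (not part of the message above or of the draft), the r_0 rejection check the message lists, written in Python together with the Decompose and LowBits helpers it depends on from FIPS 204; the gamma2 and beta values are the FIPS 204 Table 1 parameters, and the coefficient vectors fed to it are constructed, not real signing state.

```python
# Added example: the ||r_0||_inf >= gamma2 - beta rejection check from
# FIPS 204 ML-DSA.Sign_internal, with the Decompose/LowBits helpers it
# relies on. Inputs below are constructed, not real signing state.
Q = 8380417  # ML-DSA modulus q = 2^23 - 2^13 + 1

# (gamma2, beta) per parameter set, from FIPS 204 Table 1
PARAMS = {
    "ML-DSA-44": ((Q - 1) // 88, 78),
    "ML-DSA-65": ((Q - 1) // 32, 196),
    "ML-DSA-87": ((Q - 1) // 32, 120),
}

def mod_pm(m, alpha):
    """m mod+- alpha: the unique m' with -ceil(alpha/2) < m' <= floor(alpha/2)."""
    r = m % alpha
    return r - alpha if r > alpha // 2 else r

def decompose(r, gamma2):
    """FIPS 204 Algorithm 36 Decompose: r == r1*(2*gamma2) + r0 (mod q)."""
    r_plus = r % Q
    r0 = mod_pm(r_plus, 2 * gamma2)
    if r_plus - r0 == Q - 1:      # the one borderline case FIPS 204 special-cases
        return 0, r0 - 1
    return (r_plus - r0) // (2 * gamma2), r0

def low_bits(r, gamma2):
    return decompose(r, gamma2)[1]

def inf_norm(poly):
    """||w||_inf: largest |coefficient| over centered representatives mod q."""
    return max(abs(mod_pm(c, Q)) for c in poly)

def must_reject(w_minus_cs2, param_set):
    """The r_0 branch of the signing loop's rejection test.

    The check keeps the emitted signature's distribution independent of
    the secret; skipping it is one of the error classes listed above.
    """
    gamma2, beta = PARAMS[param_set]
    r0 = [low_bits(c, gamma2) for c in w_minus_cs2]
    return inf_norm(r0) >= gamma2 - beta

# Constructed 256-coefficient vectors for ML-DSA-44 (gamma2 = 95232, beta = 78):
# every low part is 5, so this candidate passes ...
PASSING = [3 * 190464 + 5] * 256
# ... while one coefficient with low part 95160 >= 95232 - 78 forces a retry.
REJECTED = [95160] + [0] * 255
```

Feeding the same vectors to an implementation under test and comparing its accept/reject decision with this reference is one way to exercise the check the independent-implementation comparison described above would otherwise only catch indirectly.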
