ml-dsa: zeroize NTT-domain derived values in ExpandedSigningKey Drop (#1300)

pmembrey · web-flow · commit ecaf35904d90 · 2026-04-15T10:53:09.000-06:00
The existing Drop impl for ExpandedSigningKey (gated on the zeroize
feature) zeroizes rho, K, tr, s1, s2, and t0 but skips the
NTT-domain derived values s1_hat, s2_hat, and t0_hat.

The NTT is invertible, so s1_hat in memory is equivalent to having
s1. This leaves secret key material unzeroized after drop.

Add s1_hat, s2_hat, and t0_hat to the Drop impl. All three are
NttVector types which implement Zeroize via module-lattice.

A_hat (the public matrix derived from rho) is not zeroized here
because NttMatrix does not implement Zeroize in module-lattice.
A_hat is derived from public data (rho) so this is lower priority,
but a follow-up PR to module-lattice could add Zeroize for NttMatrix
for completeness.
diff --git a/ml-dsa/src/lib.rs b/ml-dsa/src/lib.rs
@@ -301,6 +301,9 @@ impl<P: MlDsaParams> Drop for ExpandedSigningKey<P> {
         self.s1.zeroize();
         self.s2.zeroize();
         self.t0.zeroize();
+        self.s1_hat.zeroize();
+        self.s2_hat.zeroize();
+        self.t0_hat.zeroize();
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -301,6 +301,9 @@ impl<P: MlDsaParams> Drop for ExpandedSigningKey<P> {`
`301`	`301`	`self.s1.zeroize();`
`302`	`302`	`self.s2.zeroize();`
`303`	`303`	`self.t0.zeroize();`
	`304`	`+ self.s1_hat.zeroize();`
	`305`	`+ self.s2_hat.zeroize();`
	`306`	`+ self.t0_hat.zeroize();`
`304`	`307`	`}`
`305`	`308`	`}`
`306`	`309`