From 2cb13710d95157e2dbe9e6632a846295d2f8fecc Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 10 Feb 2026 10:57:26 +0800 Subject: [PATCH 1/2] sign: Set smlen to 0 in case of failure In mld_sign if a failure is returned from mld_sign_signature, we currently set the smlen to mlen (mld_sign_signature returns smlen=0, and we increment it by mlen). This commit changes it so that in the case of failure smlen=0 is returned. Signed-off-by: Matthias J. Kannwischer --- mldsa/src/sign.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mldsa/src/sign.c b/mldsa/src/sign.c index 4b15b1a50..2f1bdf729 100644 --- a/mldsa/src/sign.c +++ b/mldsa/src/sign.c @@ -1004,7 +1004,10 @@ int mld_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, } ret = mld_sign_signature(sm, smlen, sm + MLDSA_CRYPTO_BYTES, mlen, ctx, ctxlen, sk, context); - *smlen += mlen; + if (ret == 0) + { + *smlen += mlen; + } return ret; } #endif /* !MLD_CONFIG_NO_RANDOMIZED_API */ From 97afc26123ed011e9e1e50aa091d0224f45ab644 Mon Sep 17 00:00:00 2001 From: "Matthias J. Kannwischer" Date: Tue, 10 Feb 2026 11:15:34 +0800 Subject: [PATCH 2/2] CT: Clarify that t0 is public despite it not being part of the pk This commit adds a reference to FIPS204 that states that t0 does not need to be considered secret. That replaces an old reference to an eprint report stating the same. Signed-off-by: Matthias J. Kannwischer --- mldsa/src/sign.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mldsa/src/sign.c b/mldsa/src/sign.c index 2f1bdf729..679eb4cf5 100644 --- a/mldsa/src/sign.c +++ b/mldsa/src/sign.c 
@@ -713,8 +713,10 @@ __contract__( * Consequently, any value that can be computed from the signature and public * key is considered public. * w0 and w1 are public as they can be computed from Az - ct = \alpha w1 + w0. - * h=c*t0 is public as both c and t0 are public. - * For a more detailed discussion, refer to https://eprint.iacr.org/2022/1406. + * h=c*t0 is public as both c and t0 are considered public. + * While t0 is not part of the public key, it can be reconstructed from + * a small number of signatures and need not be regarded as secret + * (see @[FIPS204, Section 6.1]). */ MLD_CT_TESTING_DECLASSIFY(w0, sizeof(*w0)); MLD_CT_TESTING_DECLASSIFY(w1, sizeof(*w1));
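Review bot: In the first hunk (sign.c @@ -1004), the failure-case value of `*smlen` is never set in `mld_sign` itself; the commit message's claim that `smlen=0` is returned on failure relies entirely on `mld_sign_signature` having already written `*smlen = 0` before returning non-zero. Making that explicit keeps the contract local and robust against future changes in the callee, e.g. `if (ret == 0) { *smlen += mlen; } else { *smlen = 0; }`, and the doc comment or `__contract__` postcondition on `mld_sign` (if one exists, as it does for the function in the second hunk) should state the failure-case `*smlen` so callers and the CBMC proofs agree with the new behaviour. Note also that the message bytes copied to `sm + MLDSA_CRYPTO_BYTES` earlier in the function remain in the output buffer on failure; with `*smlen == 0` that is acceptable, but it is worth documenting.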
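Review bot: In the second hunk (sign.c @@ -713), the replaced comment drops the only pointer to a detailed discussion while the new text paraphrases the standard; consider keeping the eprint link alongside the new `@[FIPS204, Section 6.1]` citation, since the FIPS text states that t0 need not be secret but does not discuss the constant-time consequences for `h = c*t0` that this block relies on. Also confirm that the `@[FIPS204, ...]` key matches the reference key used elsewhere in the repository and that Section 6.1 is the section containing the t0 remark, since a dangling citation here would silently weaken the justification for the `MLD_CT_TESTING_DECLASSIFY` calls that follow.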