Change API of signature_internal and verify_internal to match FIPS204

According to FIPS204, the internal functions take a formated message as input
defined as
BytesToBits(IntegerToBytes(0, 1) | IntegerToBytes(|ctxlen|, 1) | ctx) | msg

However, our current API takes ctx and message separately. This makes it
impossible to pass the ACVP tests which only contain one field for
the formates message (even worse: those tests apparently do not follow the
encoding above making it impossible to parse it and split it into ctx and msg.

This commit changes the APIs to match FIPS204, and adds the ACVP tests for
the internal functions. It also adjusts the CBMC proofs accordingly.

Resolves #40

Signed-off-by: Matthias J. Kannwischer <[email protected]>

Author: mkannwischer

mldsa/sign.c

@@ -453,7 +453,6 @@ MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen,
                                    const uint8_t *m, size_t mlen,
-                                   const uint8_t *pre, size_t prelen,
                                    const uint8_t rnd[MLDSA_RNDBYTES],
                                    const uint8_t *sk, int externalmu)
 {
@@ -474,7 +473,7 @@ int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen,
   if (!externalmu)
   {
     /* Compute mu = CRH(tr, pre, msg) */
-    mld_H(mu, MLDSA_CRHBYTES, tr, MLDSA_TRBYTES, pre, prelen, m, mlen);
+    mld_H(mu, MLDSA_CRHBYTES, tr, MLDSA_TRBYTES, m, mlen, NULL, 0);
   }
   else
   {
@@ -550,9 +549,9 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m,
                           size_t mlen, const uint8_t *ctx, size_t ctxlen,
                           const uint8_t *sk)
 {
-  size_t i;
   uint8_t pre[257];
   uint8_t rnd[MLDSA_RNDBYTES];
+  uint8_t mu[MLDSA_CRHBYTES];
   int result;
 
   if (ctxlen > 255)
@@ -566,26 +565,23 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m,
   /* Prepare pre = (0, ctxlen, ctx) */
   pre[0] = 0;
   pre[1] = ctxlen;
-  for (i = 0; i < ctxlen; i++)
-  __loop__(
-    assigns(i, object_whole(pre))
-    invariant(i <= ctxlen)
-    invariant(ctxlen <= 255)
-  )
+  if (ctx != NULL && ctxlen != 0)
   {
-    pre[2 + i] = ctx[i];
+    mld_memcpy(pre + 2, ctx, ctxlen);
   }
 
+  mld_H(mu, MLDSA_CRHBYTES, sk + 2 * MLDSA_SEEDBYTES, MLDSA_TRBYTES, pre,
+        ctxlen + 2, m, mlen);
+
 #ifdef MLD_RANDOMIZED_SIGNING
   mld_randombytes(rnd, MLDSA_RNDBYTES);
   MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
 #else
   mld_memset(rnd, 0, MLDSA_RNDBYTES);
 #endif
 
-
-  result = crypto_sign_signature_internal(sig, siglen, m, mlen, pre, 2 + ctxlen,
-                                          rnd, sk, 0);
+  result = crypto_sign_signature_internal(sig, siglen, mu, MLDSA_CRHBYTES, rnd,
+                                          sk, 1);
 
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   mld_zeroize(pre, sizeof(pre));
@@ -610,8 +606,8 @@ int crypto_sign_signature_extmu(uint8_t *sig, size_t *siglen,
   mld_memset(rnd, 0, MLDSA_RNDBYTES);
 #endif
 
-  result = crypto_sign_signature_internal(sig, siglen, mu, MLDSA_CRHBYTES, NULL,
-                                          0, rnd, sk, 1);
+  result = crypto_sign_signature_internal(sig, siglen, mu, MLDSA_CRHBYTES, rnd,
+                                          sk, 1);
 
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   mld_zeroize(rnd, sizeof(rnd));
@@ -645,7 +641,6 @@ MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
                                 const uint8_t *m, size_t mlen,
-                                const uint8_t *pre, size_t prelen,
                                 const uint8_t *pk, int externalmu)
 {
   unsigned int i;
@@ -678,7 +673,7 @@ int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
     /* Compute CRH(H(rho, t1), pre, msg) */
     uint8_t hpk[MLDSA_CRHBYTES];
     mld_H(hpk, MLDSA_TRBYTES, pk, CRYPTO_PUBLICKEYBYTES, NULL, 0, NULL, 0);
-    mld_H(mu, MLDSA_CRHBYTES, hpk, MLDSA_TRBYTES, pre, prelen, m, mlen);
+    mld_H(mu, MLDSA_CRHBYTES, hpk, MLDSA_TRBYTES, m, mlen, NULL, 0);
 
     /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
     mld_zeroize(hpk, sizeof(hpk));
@@ -756,8 +751,9 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m,
                        size_t mlen, const uint8_t *ctx, size_t ctxlen,
                        const uint8_t *pk)
 {
-  size_t i;
   uint8_t pre[257];
+  uint8_t mu[MLDSA_CRHBYTES];
+  uint8_t hpk[MLDSA_CRHBYTES];
   int result;
 
   if (ctxlen > 255)
@@ -767,16 +763,16 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m,
 
   pre[0] = 0;
   pre[1] = ctxlen;
-  for (i = 0; i < ctxlen; i++)
-  __loop__(
-    invariant(i <= ctxlen)
-  )
+  if (ctx != NULL && ctxlen != 0)
   {
-    pre[2 + i] = ctx[i];
+    mld_memcpy(pre + 2, ctx, ctxlen);
   }
 
-  result =
-      crypto_sign_verify_internal(sig, siglen, m, mlen, pre, 2 + ctxlen, pk, 0);
+  /* Compute CRH(H(rho, t1), pre, msg) */
+  mld_H(hpk, MLDSA_TRBYTES, pk, CRYPTO_PUBLICKEYBYTES, NULL, 0, NULL, 0);
+  mld_H(mu, MLDSA_CRHBYTES, hpk, MLDSA_TRBYTES, pre, ctxlen + 2, m, mlen);
+
+  result = crypto_sign_verify_internal(sig, siglen, mu, MLDSA_CRHBYTES, pk, 1);
 
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   mld_zeroize(pre, sizeof(pre));
@@ -790,8 +786,7 @@ int crypto_sign_verify_extmu(const uint8_t *sig, size_t siglen,
                              const uint8_t mu[MLDSA_CRHBYTES],
                              const uint8_t *pk)
 {
-  return crypto_sign_verify_internal(sig, siglen, mu, MLDSA_CRHBYTES, NULL, 0,
-                                     pk, 1);
+  return crypto_sign_verify_internal(sig, siglen, mu, MLDSA_CRHBYTES, pk, 1);
 }
 
 MLD_MUST_CHECK_RETURN_VALUE

mldsa/sign.h

@@ -82,8 +82,6 @@ __contract__(
  *              - size_t *siglen: pointer to output length of signature
  *              - uint8_t *m:     pointer to message to be signed
  *              - size_t mlen:    length of message
- *              - uint8_t *pre:   pointer to prefix string
- *              - size_t prelen:  length of prefix string
  *              - uint8_t *rnd:   pointer to random seed
  *              - uint8_t *sk:    pointer to bit-packed secret key
  *              - int externalmu: indicates input message m is processed as mu
@@ -101,19 +99,16 @@ MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int crypto_sign_signature_internal(uint8_t *sig, size_t *siglen,
                                    const uint8_t *m, size_t mlen,
-                                   const uint8_t *pre, size_t prelen,
                                    const uint8_t rnd[MLDSA_RNDBYTES],
                                    const uint8_t *sk, int externalmu)
 __contract__(
   requires(mlen <= MLD_MAX_BUFFER_SIZE)
-  requires(prelen <= MLD_MAX_BUFFER_SIZE)
   requires(memory_no_alias(sig, CRYPTO_BYTES))
   requires(memory_no_alias(siglen, sizeof(size_t)))
   requires(memory_no_alias(m, mlen))
   requires(memory_no_alias(rnd, MLDSA_RNDBYTES))
   requires(memory_no_alias(sk, CRYPTO_SECRETKEYBYTES))
-  requires((externalmu == 0 && pre != NULL && prelen >= 2 && memory_no_alias(pre, prelen)) ||
-           (externalmu == 1 && mlen == MLDSA_CRHBYTES))
+  requires(externalmu == 0 || (externalmu == 1 && mlen == MLDSA_CRHBYTES))
   assigns(memory_slice(sig, CRYPTO_BYTES))
   assigns(object_whole(siglen))
   ensures((return_value == 0 && *siglen == CRYPTO_BYTES) ||
@@ -236,8 +231,6 @@ __contract__(
  *              - size_t siglen: length of signature
  *              - const uint8_t *m: pointer to message
  *              - size_t mlen: length of message
- *              - const uint8_t *pre: pointer to prefix string
- *              - size_t prelen: length of prefix string
  *              - const uint8_t *pk: pointer to bit-packed public key
  *              - int externalmu: indicates input message m is processed as mu
  *
@@ -247,16 +240,13 @@ MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int crypto_sign_verify_internal(const uint8_t *sig, size_t siglen,
                                 const uint8_t *m, size_t mlen,
-                                const uint8_t *pre, size_t prelen,
                                 const uint8_t *pk, int externalmu)
 __contract__(
-  requires(prelen <= MLD_MAX_BUFFER_SIZE)
   requires(mlen <= MLD_MAX_BUFFER_SIZE)
   requires(siglen <= MLD_MAX_BUFFER_SIZE)
   requires(memory_no_alias(sig, siglen))
   requires(memory_no_alias(m, mlen))
   requires(externalmu == 0 || (externalmu == 1 && mlen == MLDSA_CRHBYTES))
-  requires(externalmu == 1 || memory_no_alias(pre, prelen))
   requires(memory_no_alias(pk, CRYPTO_PUBLICKEYBYTES))
   ensures(return_value == 0 || return_value == -1)
 );

proofs/cbmc/crypto_sign_signature/Makefile

@@ -20,8 +20,8 @@ PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c
 PROJECT_SOURCES += $(SRCDIR)/mldsa/sign.c
 
 CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)signature
-USE_FUNCTION_CONTRACTS=mld_randombytes \
-                       $(MLD_NAMESPACE)signature_internal
+USE_FUNCTION_CONTRACTS=mld_randombytes mld_H
+USE_FUNCTION_CONTRACTS+=$(MLD_NAMESPACE)signature_internal
 
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1

proofs/cbmc/crypto_sign_signature_internal/crypto_sign_signature_internal_harness.c

@@ -9,12 +9,9 @@ void harness(void)
   size_t *siglen;
   uint8_t *m;
   size_t mlen;
-  uint8_t *pre;
-  size_t prelen;
   uint8_t *rnd;
   uint8_t *sk;
   int externalmu;
   int r;
-  r = crypto_sign_signature_internal(sig, siglen, m, mlen, pre, prelen, rnd, sk,
-                                     externalmu);
+  r = crypto_sign_signature_internal(sig, siglen, m, mlen, rnd, sk, externalmu);
 }

proofs/cbmc/crypto_sign_verify/Makefile

@@ -21,7 +21,7 @@ PROJECT_SOURCES += $(SRCDIR)/mldsa/sign.c
 
 CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)verify
 USE_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)verify_internal
-USE_FUNCTION_CONTRACTS+=mld_zeroize
+USE_FUNCTION_CONTRACTS+=mld_zeroize mld_H
 
 APPLY_LOOP_CONTRACTS=on
 USE_DYNAMIC_FRAMES=1

proofs/cbmc/crypto_sign_verify_internal/crypto_sign_verify_internal_harness.c

@@ -9,11 +9,8 @@ void harness(void)
   size_t siglen;
   const uint8_t *m;
   size_t mlen;
-  const uint8_t *pre;
-  size_t prelen;
   const uint8_t *pk;
   int externalmu;
 
-  crypto_sign_verify_internal(sig, siglen, m, mlen, pre, prelen, pk,
-                              externalmu);
+  crypto_sign_verify_internal(sig, siglen, m, mlen, pk, externalmu);
 }

test/acvp_client.py

@@ -136,36 +136,48 @@ def run_sigGen_test(tg, tc):
     assert tg["testType"] == "AFT"
 
     # TODO: implement pre-hashing mode
-    if tg["preHash"] != "pure":
+    if tg["preHash"] == "preHash":
         info("SKIP preHash")
         return
 
-    # TODO: implement internal interface
-    if tg["signatureInterface"] != "external":
-        info("SKIP internal")
-        return
-
-    # TODO: implement external-mu mode
-    if tg["externalMu"] is True:
-        info("SKIP externalMu")
-        return
-
     # TODO: probably we want to handle handle the deterministic case differently
     if tg["deterministic"] is True:
         tc["rnd"] = "0" * 64
 
     assert tc["hashAlg"] == "none"
-    assert len(tc["context"]) <= 2 * 255
-    assert len(tc["message"]) <= 2 * 65536
 
-    acvp_call = exec_prefix + [
-        acvp_bin,
-        "sigGen",
-        f"message={tc['message']}",
-        f"rnd={tc['rnd']}",
-        f"sk={tc['sk']}",
-        f"context={tc['context']}",
-    ]
+    if tg["signatureInterface"] == "external":
+
+        assert len(tc["context"]) <= 2 * 255
+        assert len(tc["message"]) <= 2 * 65536
+
+        acvp_call = exec_prefix + [
+            acvp_bin,
+            "sigGen",
+            f"message={tc['message']}",
+            f"rnd={tc['rnd']}",
+            f"sk={tc['sk']}",
+            f"context={tc['context']}",
+        ]
+    else:  # signatureInterface=internal
+        externalMu = 0
+        if tg["externalMu"] is True:
+            externalMu = 1
+            assert len(tc["mu"]) == 2 * 64
+            msg = tc["mu"]
+        else:
+            assert len(tc["message"]) <= 2 * 65536
+            msg = tc["message"]
+
+        acvp_call = exec_prefix + [
+            acvp_bin,
+            "sigGenInternal",
+            f"message={msg}",
+            f"rnd={tc['rnd']}",
+            f"sk={tc['sk']}",
+            f"externalMu={externalMu}",
+        ]
+
     result = subprocess.run(acvp_call, encoding="utf-8", capture_output=True)
     if result.returncode != 0:
         err("FAIL!")
@@ -187,32 +199,42 @@ def run_sigVer_test(tg, tc):
     acvp_bin = get_acvp_binary(tg)
 
     # TODO: implement pre-hashing mode
-    if tg["preHash"] != "pure":
+    if tg["preHash"] == "preHash":
         info("SKIP preHash")
         return
 
-    # TODO: implement internal interface
-    if tg["signatureInterface"] != "external":
-        info("SKIP internal")
-        return
-
-    # TODO: implement external-mu mode
-    if tg["externalMu"] is True:
-        info("SKIP externalMu")
-        return
-
     assert tc["hashAlg"] == "none"
-    assert len(tc["context"]) <= 2 * 255
-    assert len(tc["message"]) <= 2 * 65536
+    if tg["signatureInterface"] == "external":
+        assert len(tc["context"]) <= 2 * 255
+        assert len(tc["message"]) <= 2 * 65536
+
+        acvp_call = exec_prefix + [
+            acvp_bin,
+            "sigVer",
+            f"message={tc['message']}",
+            f"context={tc['context']}",
+            f"signature={tc['signature']}",
+            f"pk={tc['pk']}",
+        ]
+    else:  # signatureInterface=internal
+        externalMu = 0
+        if tg["externalMu"] is True:
+            externalMu = 1
+            assert len(tc["mu"]) == 2 * 64
+            msg = tc["mu"]
+        else:
+            assert len(tc["message"]) <= 2 * 65536
+            msg = tc["message"]
+
+        acvp_call = exec_prefix + [
+            acvp_bin,
+            "sigVerInternal",
+            f"message={msg}",
+            f"signature={tc['signature']}",
+            f"pk={tc['pk']}",
+            f"externalMu={externalMu}",
+        ]
 
-    acvp_call = exec_prefix + [
-        acvp_bin,
-        "sigVer",
-        f"message={tc['message']}",
-        f"context={tc['context']}",
-        f"signature={tc['signature']}",
-        f"pk={tc['pk']}",
-    ]
     result = subprocess.run(acvp_call, encoding="utf-8", capture_output=True)
 
     if (result.returncode == 0) != tc["testPassed"]: