- Reported
-
- Issued
-
- Package
-
libcrux-ml-dsa
(crates.io)
- Type
-
Vulnerability
- References
-
- Patched
-
- Affected Functions
- Version
libcrux_ml_dsa::ml_dsa_44::verify-
libcrux_ml_dsa::ml_dsa_65::verify-
libcrux_ml_dsa::ml_dsa_87::verify-
Description
The ML-DSA verification algorithm as specified in FIPS 204,
subsection
6.3
requires verifiers to check that the infinity norm of the deserialized
signer response $z$ does not exceed $\gamma_1 - \beta$ (line 13 of
Algorithm 8).
The same check is required to be performed during signature generation.
libcrux-ml-dsa did not perform this check correctly during signature
verification, accepting signatures with signer response norm above the
allowed maximum value. The check is correctly performed during
signing.
Impact
Applications using libcrux-ml-dsa for signature verification would
have accepted signatures that would be rejected by a conforming
implementation.
Mitigation
Starting from version 0.0.8, signature verification uses the correct
value for $\gamma_1$ in the signer response norm check.
Advisory available under CC0-1.0
license.