Git Patch to Generate Known Answer Tests ( KATs ) from ML-DSA "Official" Reference Implementation

ml_dsa_kat_generation.patch

diff --git a/ref/hex_print.h b/ref/hex_print.h
new file mode 100644
index 0000000..7afd872
--- /dev/null
+++ b/ref/hex_print.h
@@ -0,0 +1,9 @@
+#include <stdio.h>
+#include <stdint.h>
+
+inline void to_hex(const uint8_t *const bytes, const size_t blen) {
+    for(size_t i = 0; i < blen; i++) {
+        printf("%.2x", bytes[i]);
+    }
+    printf("\n");
+}
diff --git a/ref/sign.c b/ref/sign.c
index d25a399..9267d24 100644
--- a/ref/sign.c
+++ b/ref/sign.c
@@ -7,6 +7,7 @@
 #include "randombytes.h"
 #include "symmetric.h"
 #include "fips202.h"
+#include "hex_print.h"
 
 /*************************************************
 * Name:        crypto_sign_keypair
@@ -30,6 +31,9 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
 
   /* Get randomness for rho, rhoprime and key */
   randombytes(seedbuf, SEEDBYTES);
+  printf("seed = ");
+  to_hex(seedbuf, SEEDBYTES);
+
   shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
   rho = seedbuf;
   rhoprime = rho + SEEDBYTES;
@@ -61,6 +65,11 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
   shake256(tr, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);
   pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
 
+  printf("pkey = ");
+  to_hex(pk, CRYPTO_PUBLICKEYBYTES);
+  printf("skey = ");
+  to_hex(sk, CRYPTO_SECRETKEYBYTES);
+
   return 0;
 }
 
@@ -83,6 +92,10 @@ int crypto_sign_signature(uint8_t *sig,
                           size_t mlen,
                           const uint8_t *sk)
 {
+  printf("mlen = %zu\n", mlen);
+  printf("msg = ");
+  to_hex(m, mlen);
+
   unsigned int n;
   uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES];
   uint8_t *rho, *tr, *key, *mu, *rhoprime, *rnd;
@@ -114,6 +127,10 @@ int crypto_sign_signature(uint8_t *sig,
   for(n=0;n<RNDBYTES;n++)
     rnd[n] = 0;
 #endif
+
+  printf("rnd = ");
+  to_hex(rnd, RNDBYTES);
+
   shake256(rhoprime, CRHBYTES, key, SEEDBYTES + RNDBYTES + CRHBYTES);
 
   /* Expand matrix and transform vectors */
@@ -178,6 +195,11 @@ rej:
   /* Write signature */
   pack_sig(sig, sig, &z, &h);
   *siglen = CRYPTO_BYTES;
+
+  printf("sig = ");
+  to_hex(sig, *siglen);
+  printf("\n");
+
   return 0;
 }
 

Steps for Generating Known Answer Tests for ML-DSA-{44, 65, 87}

ML-DSA was previously known as Dilithium (https://pq-crystals.org/dilithium/index.shtml) and it's being standardized by NIST. Currently we've a draft standard from NIST for FIPS 204 @ https://doi.org/10.6028/NIST.FIPS.204.ipd.

Note

These KATs are used to test functional correctness & conformance of ML-DSA implementation https://github.com/itzmeanjan/dilithium.

• Create working directory

cd
mkdir tmp
cd tmp

• Clone ML-DSA official implementation

git clone https://github.com/pq-crystals/dilithium.git 
git checkout e7bed6258b9a3703ce78d4ec38021c86382ce31c # `standard` branch

Warning

Don't forget to setup environment, following ML-DSA documents ( see the README.md in ML-DSA official implementation repository ).

• Clone this gist ( the git patch file )

git clone https://gist.github.com/d14afc3866b82119221682f0f3c9822d.git

• Copy patch file to ML-DSA repository

cp d14afc3866b82119221682f0f3c9822d/ml_dsa_kat_generation.patch dilithium/

• Apply git patch

cd dilithium
git apply ml_dsa_kat_generation.patch

• Check status to find out which files were touched

git status

• Generate KATs for ML-DSA-{44, 65, 87} ( see content of file ml_dsa_{44,65,87}.kat )

pushd ref

make nistkat/PQCgenKAT_sign2 && ./nistkat/PQCgenKAT_sign2 > ../ml_dsa_44.kat # SHA256SUM: 988eab33727730ab7d17c6df377dbe79e42815cfa33d3aed0842d124d0d35daa
make nistkat/PQCgenKAT_sign3 && ./nistkat/PQCgenKAT_sign3 > ../ml_dsa_65.kat # SHA256SUM: 306e31256d674cc501896ae23513596d6f9674065a0bb72c1b2087ac8244897a
make nistkat/PQCgenKAT_sign5 && ./nistkat/PQCgenKAT_sign5 > ../ml_dsa_87.kat # SHA256SUM: 63a2f9c6edc2d6ffbbf5af08a9f56b41c8b43f4917677d09d2bd3a87b04dbe1d

popd