From: David Howells <dhowells@redhat.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: dhowells@redhat.com, linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Daniel Gomez <da.gomez@kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Ard Biesheuvel <ardb@kernel.org>,
Stephan Mueller <smueller@chronox.de>,
Lukas Wunner <lukas@wunner.de>,
Ignat Korchagin <ignat@cloudflare.com>,
keyrings@vger.kernel.org, linux-modules@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/4] lib/crypto: Add ML-DSA verification support
Date: Thu, 20 Nov 2025 13:55:18 +0000 [thread overview]
Message-ID: <2624664.1763646918@warthog.procyon.org.uk> (raw)
In-Reply-To: <20251120003653.335863-2-ebiggers@kernel.org>
Eric Biggers <ebiggers@kernel.org> wrote:
> + /* Compute d = (c mod 2^32) * (q^-1 mod 2^32). */
> + s32 d = (s32)c * QINV_MOD_R;
Hmmm... is "(s32)c" actually "(c mod 2^32)"? Should that be:
u32 d = (u32)c * QINV_MOD_R;
This is followed up by casting 'd' to "s64". I don't think that should
sign-extend it, but...
> + for (int m = 0, len = 128; len >= 1; len /= 2) {
Can you put "int m = 0" outside of the for-statement? I know putting it
inside saves a line or two, but 'm' is not the loop counter - which it seems
like it should be by virtue of being listed first.
> + for (int m = 256, len = 1; len < 256; len *= 2) {
Ditto.
> +static const u8 *decode_t1_elem(struct mldsa_ring_elem *out,
> + const u8 *t1_encoded)
I think this is (more or less) pkDecode()? Can you put something like:
* Decode the vector 't1' from the public key.
* Reference: FIPS 204 Algorithm 23, sigDecode.
in the comment before it?
> +/*
> + * Use @seed to generate a ring element @c with coefficients in {-1, 0, 1},
> + * exactly @tau of them nonzero. Reference: FIPS 204 Algorithm 29, SampleInBall
> + */
> +static void sample_in_ball(struct mldsa_ring_elem *c, const u8 *seed,
> + size_t seed_len, int tau, struct shake_ctx *shake)
Should "seed" actually be labelled "rho"? I know a seed is what it is, but
the algo description has a different label - and the caller passes it ctilde,
not rho:-/.
> + u8 (*h)[N]; /* The signer's hint vector, length k */
> + h = (u8 (*)[N])&ws->z[l];
C is weird sometimes.
> + /* Reduce to [0, q), then tmp = w'_1 = UseHint(h, w'_Approx) */
Bracket mismatch. "[0, q]"
> + /* w1Encode(w'_1) */
> + w1_pos = 0;
> ...
Given you put the decode functions into helpers, don't you want to do that
with this?
> + if (memcmp(ws->ctildeprime, ctilde, params->ctilde_len) != 0)
> + return -EBADMSG;
Actually, this should return -EKEYREJECTED, not -EBADMSG.
I guess you don't need to use crypto_memneq() as timing doesn't matter.
The maths look okay, I think. You can add:
Reviewed-by: David Howells <dhowells@redhat.com>
David
next prev parent reply other threads:[~2025-11-20 13:55 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-20 0:36 [PATCH 0/4] lib/crypto: ML-DSA verification support Eric Biggers
2025-11-20 0:36 ` [PATCH 1/4] lib/crypto: Add " Eric Biggers
2025-11-20 8:14 ` David Howells
2025-11-21 2:15 ` Eric Biggers
2025-11-20 9:10 ` David Howells
2025-11-21 0:09 ` Eric Biggers
2025-11-20 13:55 ` David Howells [this message]
2025-11-21 0:50 ` Eric Biggers
2025-11-21 12:41 ` David Howells
2025-11-21 17:14 ` Eric Biggers
2025-11-21 17:41 ` David Howells
2025-11-25 4:29 ` Eric Biggers
2025-11-21 21:39 ` David Howells
2025-11-21 22:23 ` Eric Biggers
2025-11-21 22:29 ` Lukas Wunner
2025-11-21 22:48 ` Eric Biggers
2025-11-29 20:00 ` Becker, Hanno
2025-11-30 0:19 ` Eric Biggers
2025-11-30 1:05 ` Jason A. Donenfeld
2025-11-30 7:15 ` Becker, Hanno
2025-11-30 19:06 ` Eric Biggers
2025-11-20 0:36 ` [PATCH 2/4] lib/crypto: tests: Add KUnit tests for ML-DSA Eric Biggers
2025-11-20 2:29 ` Elliott, Robert (Servers)
2025-11-20 0:36 ` [PATCH 3/4] lib/crypto: tests: Add ML-DSA-65 test cases Eric Biggers
2025-11-20 0:36 ` [PATCH 4/4] lib/crypto: tests: Add ML-DSA-87 " Eric Biggers
2025-11-20 8:11 ` [PATCH 0/4] lib/crypto: ML-DSA verification support David Howells
2025-11-21 6:16 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2624664.1763646918@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=da.gomez@kernel.org \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=ignat@cloudflare.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-modules@vger.kernel.org \
--cc=lukas@wunner.de \
--cc=mcgrof@kernel.org \
--cc=petr.pavlu@suse.com \
--cc=samitolvanen@google.com \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox