nettle-bugs June 2026

nettle-bugs@lists.lysator.liu.se

2 participants
2 discussions

Return value from SLH-DSA signing functions?
by Niels Möller 05 Jun '26

05 Jun '26

In a different thread, I wrote: > (Somewhat related: I just realized that the slh-dsa signing functions > hit an assertion failure if public and private keys don't match. I think > it may be useful with an alternative signing function with a > success/fail return value). This isn't good; having asserts triggered by invalid input is ok only when inputs are invalid in a way that is (1) documented and (2) easy to check for at the call site. What happens is that creating an SLH-DSA signature will more or less for free recompute the top-level Merkle tree root hash, which is one of the pieces of the public key. So it's easy to compare them. If the two values differ, then either the private or public key doesn't match, or there's a bug in nettle, or there's some miscomputation, possibly caused by some fault injection attack. At least for some applications, it makes sense to always verify that a computed signature is valid before passing it on. This is pretty important, e.g., if using RSA in a setting where fault injection attacks are relevant, and some of Nettle' too many RSA signing functions have a check for that. As far as I understand, SLH-DSA is not that vulnerable to fault injection, but it may still be good practice to check that a computed signature is valid, in particular if one gets it for free when signing. So the options I see: 1. Keep assert, let it be caller's responsibilty to make sure that the public and private keys passed to the signing function are consistent. 2. Just delete the assert. 3. Drop the assert, but instead introduce a success/fail return value. Applications that care can check that; if one believes fault injection and the like isn't a relevant threat to one's application or to SLH-DSA in general, it seems fine to ignore the return value. 4. Have two flavors of signing functions, one with the assert, one with the return value. Any opinions? I'm currently leaning towards (3). In principle, changing return type from void to int is an ABI change, but I'm not aware of any platform where it actually is an ABI breakage. Regards, /Niels -- Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677. Internet email is subject to wholesale government surveillance.

2 3

ML-KEM
by Niels Möller 04 Jun '26

04 Jun '26

Hi, I've now merge Daiki's ML-KEM implementation, see https://git.lysator.liu.se/nettle/nettle/-/merge_requests/67. I think there's some further changes I think I'd like to do before release: 1. Add more randomized tests, and add assert_maybe for some of the invariants, in particular for arithmetics. 2. Probably remove the ml_kem_params from the api, and instead use separate functions for ML-KEM 768 and ML-KEM 1024. 3. Add functions exposing structs for expanded keys. To avoid having to expand them over and over again if using the same key repeatedly. And for all-in-one functions, these structs could also be used as the types for needed scratch space, to make things a bit more type/alignment safe, and have a natural way to allocate needed storage without the _itch functions. Should then be done in a consistent way also for sntrup. (The reason sntrup api doesn't have any itch function is that its expanded keys are smaller, and it's more reasonable to just allocate them on the stack). 4. Micro optimize various internals. Regards, /Niels -- Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677. Internet email is subject to wholesale government surveillance.

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

nettle-bugs June 2026