Change 6.1.2 ML DSA SigGen TestTypes to be a bit more clear. (#1583)

jbrock24 · web-flow · commit 102ced776b4b · 2025-05-21T10:56:18.000-04:00
diff --git a/src/ml-dsa/sections/04-testtypes.adoc b/src/ml-dsa/sections/04-testtypes.adoc
@@ -19,7 +19,7 @@ For each test case provided, the IUT *SHALL* generate a key pair from a provided
 
 The IUT *SHALL* generate valid signatures based on the ACVP-provided message, mu (for external mu testing), private key, context (for external interface testing), hashAlg (for preHash testing), and randomness (for non-deterministic signature testing). The signature is then compared to the known signature by the ACVP server. This tests the implementation of Algorithm 2 `ML-DSA.Sign()`, Algorithm 4 `HashML-DSA.Sign()`, and Algorithm 7 `ML-DSA.Sign_internal()` from <<FIPS204>>. 
 
-There are several assurances to obtain from AFTs. First is correctness of the algorithm implementation. The server *SHALL* include at least 15 tests for each combination of capabilities to meet this assurance. The `"hashAlg"` capability *MAY* be excluded from the combination of capabilities due to the number of supported hash functions. Each `"hashAlg"` provided by the IUT *SHALL* be covered within the at least 15 tests generated for each combination of capabilities. 
+There are several assurances to obtain from AFTs. First is correctness of the algorithm implementation. The server *SHALL* include at least 15 tests for each combination of capabilities to meet this assurance. The `"hashAlg"` capability *MAY* be excluded from the combination of capabilities due to the number of supported hash functions. Each `"hashAlg"` provided by the IUT *SHALL* be covered within the, minimum, 15 tests generated for each combination of capabilities. 
 
 The second assurance is correctness under all rejection paths. Within ML-DSA sigGen, i.e., in Algorithm 7 `ML-DSA.Sign_internal()`, the algorithm enters a loop until a valid signature is found. The loop contains four potential reasons to reject a candidate signature: if the z infinity norm is too large, if the r infinity norm is too large, if there are too many hints in h, or if the ct0 infinity norm is too large. These conditions occur at various rarities that can make it difficult to test each error condition with randomized testing. If an implementation adheres strictly to the pseudocode in Algorithm 7 `ML-DSA.Sign_internal()` <<FIPS204>>, the following table provides helpful known answer tests that trigger each rejection case exactly once. If the implementation varies from the psuedocode, it would be prudent to use a debugger or other tooling to ensure that all rejection cases are triggered by testing. To save on space, the table will provide the seed used to generate the key pair, a hash of the keys, SHA2-256(pk || sk), and a hash of the resulting signature, SHA2-256(sig). All cases are defined using the deterministic signature method, Algorithm 7 `ML-DSA.Sign_internal()`. Note that the ct0 infinity norm check only applies to ML-DSA-44. This condition is not possible on the other security levels. Thanks to Qinglai Xiao and Mike Hamburg (Rambus Inc) for providing code to generate these test cases; more information on their technique is available on the NIST PQC-Forum <<PQCForum>>. 
 
@@ -66,7 +66,7 @@ The third assurance is correctness under a large number of rejections. The stand
 
 * ML-DSA / sigVer / * "AFT" - Algorithm Functional Test. 
 
-The IUT *SHALL* determine the validity of the signature based on the ACVP-provided message, mu (for external mu testing), context (for external interface testing), hashAlg (for preHash testing), public key, and signature. This tests the implementation of Algorithm 3 `ML-DSA.Verify()`, Algorithm 5 `HashML-DSA.Verify()`, and Algorithm 8 `ML-DSA.Verify_internal()` from <<FIPS204>>. Tests for signature verification are performed by the server modifying a valid signature to obtain specific assurances from the implementation. The server *SHALL* include at least 3 tests for each modification type (including "valid signature") for all combinations of capabilities. The `"hashAlg"` capability *MAY* be excluded from the combination of capabilities due to the number of supported hash functions. Each `"hashAlg"` provided by the IUT *SHALL* be covered within the at least 15 tests generated for each combination of capabilities. 
+The IUT *SHALL* determine the validity of the signature based on the ACVP-provided message, mu (for external mu testing), context (for external interface testing), hashAlg (for preHash testing), public key, and signature. This tests the implementation of Algorithm 3 `ML-DSA.Verify()`, Algorithm 5 `HashML-DSA.Verify()`, and Algorithm 8 `ML-DSA.Verify_internal()` from <<FIPS204>>. Tests for signature verification are performed by the server modifying a valid signature to obtain specific assurances from the implementation. The server *SHALL* include at least 3 tests for each modification type (including "valid signature") for all combinations of capabilities. The `"hashAlg"` capability *MAY* be excluded from the combination of capabilities due to the number of supported hash functions. Each `"hashAlg"` provided by the IUT *SHALL* be covered within the, minimum, 15 tests generated for each combination of capabilities. 
 
 The signature modifications are:
 
