Add advisory for libcrux-ml-dsa

jschneider-bensch · jschneider-bensch · commit 28c3c452e605 · 2026-03-24T09:15:58.000+01:00
diff --git a/crates/libcrux-ml-dsa/RUSTSEC-0000-0000.0.md b/crates/libcrux-ml-dsa/RUSTSEC-0000-0000.0.md
@@ -0,0 +1,39 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "libcrux-ml-dsa"
+date = "2026-03-04"
+url = "https://github.com/cryspen/libcrux/pull/1347"
+
+[affected.functions]
+"libcrux_ml_dsa::ml_dsa_44::verify" = [ "<= 0.0.7" ]
+"libcrux_ml_dsa::ml_dsa_65::verify" = [ "<= 0.0.7" ]
+"libcrux_ml_dsa::ml_dsa_87::verify" = [ "<= 0.0.7" ]
+
+[versions]
+patched = [">= 0.0.8 "]
+```
+
+# Incorrect Check of Signer Response Norm During Verification
+
+The ML-DSA verification algorithm as specified in [FIPS 204,
+subsection
+6.3](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#subsection.6.3)
+requires verifiers to check that the infinity norm of the deserialized
+signer response $z$ does not exceed $\gamma_1 - \beta$ (line 13 of
+Algorithm 8).
+The same check is required to be performed during signature generation.
+
+libcrux-ml-dsa did not perform this check correctly during signature
+verification, accepting signatures with signer response norm above the
+allowed maximum value.  The check is correctly performed during
+signing.
+
+## Impact
+Applications using libcrux-ml-dsa for signature verification would
+have accepted signatures that would be rejected by a conforming
+implementation.
+
+## Mitigation
+Starting from version `0.0.8`, signature verification uses the correct
+value for $\gamma_1$ in the signer response norm check.
