From f2f959f5d78f33d2f7eed9b404dc01fecdd155de Mon Sep 17 00:00:00 2001
From: Paul Clark
Date: Thu, 4 Jun 2026 04:51:04 -0400
Subject: [PATCH 1/2] =?UTF-8?q?deps(rust):=20bump=20ml-dsa=200.0.4=20?= =?UTF-8?q?=E2=86=92=200.1.0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ml-dsa 0.1 routes the `signature::Verifier::verify` trait method to FIPS 204 Algorithm 8 (no domain-separator prefix). The .NET writer signs with BouncyCastle's pure ML-DSA-87, which is Algorithm 3 (empty context, with the domain-separator prefix). So `verify_mldsa87` now calls `vk.verify_with_context(msg, &[], &sig)` — Algorithm 3 with empty ctx — to keep interop with the .NET-signed test vectors and cross-impl conformance suite. `VerifyingKey::decode`, `Signature::decode`, `EncodedVerifyingKey`, and `EncodedSignature` are unchanged between 0.0.4 and 0.1.0; the decode paths in `verify_mldsa87` remain identical.
---
 impl/rust/pqf-reader/Cargo.toml | 10 +++++-----
 impl/rust/pqf-reader/src/reader.rs | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/impl/rust/pqf-reader/Cargo.toml b/impl/rust/pqf-reader/Cargo.toml
index 584ff99..2017d77 100644
--- a/impl/rust/pqf-reader/Cargo.toml
+++ b/impl/rust/pqf-reader/Cargo.toml
@@ -26,11 +26,11 @@ ml-kem = "0.2"
 
 # Hybrid signatures
 ed25519-dalek = { version = "2.1", features = ["std"] }
-# Pinned to 0.0.4 (not 0.1) because ml-dsa 0.1 swapped to the
-# `signature` 3.0 Verifier trait and renamed the verify method. Same
-# situation as ml-kem above — dep-compatible but needs code changes
-# in reader.rs.
-ml-dsa = "0.0.4"
+# ml-dsa 0.1 routes the `signature::Verifier::verify` trait method to
+# FIPS 204 Algorithm 8 (no domain separator). BouncyCastle's pure
+# ML-DSA-87 signs with Algorithm 3 (with the empty-context prefix), so
+# the verifier in reader.rs uses `verify_with_context(msg, &[], &sig)`.
+ml-dsa = "0.1.0"
 
 # AEAD + hashing + KDF
 aes-gcm = "0.10"
diff --git a/impl/rust/pqf-reader/src/reader.rs b/impl/rust/pqf-reader/src/reader.rs
index 08ceb8e..822c0e5 100644
--- a/impl/rust/pqf-reader/src/reader.rs
+++ b/impl/rust/pqf-reader/src/reader.rs
@@ -533,7 +533,7 @@ fn verify_mldsa87(pub_key: &[u8], message: &[u8], sig: &[u8]) -> bool {
 let Some(parsed) = ml_dsa::Signature::::decode(&sig_encoded) else {
 return false;
 };
-vk.verify(message, &parsed).is_ok()
+vk.verify_with_context(message, &[], &parsed)
 }
 
 fn decode_mlkem_dk(

From f1fb38df09cad6b94f2e4f80f4f6fc6f062186c8 Mon Sep 17 00:00:00 2001
From: Paul Clark
Date: Thu, 4 Jun 2026 04:57:08 -0400
Subject: [PATCH 2/2] ci(wasm): enable getrandom 0.4 wasm_js feature for ml-dsa 0.1

ml-dsa 0.1 transitively depends on getrandom 0.4, which renamed the wasm32-unknown-unknown backend feature from "js" (0.2) to "wasm_js". The existing entry pins 0.2 for aes-gcm's path; add a renamed direct dep on 0.4 so the wasm_js feature is enabled on that version too.
---
 bindings/wasm/Cargo.toml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/bindings/wasm/Cargo.toml b/bindings/wasm/Cargo.toml
index 25bc84f..bbc88be 100644
--- a/bindings/wasm/Cargo.toml
+++ b/bindings/wasm/Cargo.toml
@@ -20,6 +20,11 @@ console_error_panic_hook = { version = "0.1", optional = true }
 # aes-gcm (via the reader) pulls getrandom 0.2; the wasm32-unknown-unknown
 # target needs its "js" backend explicitly enabled to build.
 getrandom = { version = "0.2", features = ["js"] }
+# ml-dsa 0.1 (via the reader) pulls getrandom 0.4, which renamed the wasm
+# backend feature from "js" to "wasm_js". Both versions coexist in the
+# dep graph; we surface the 0.4 instance here under a rename so we can
+# enable wasm_js without colliding with the 0.2 alias above.
+getrandom_v04 = { package = "getrandom", version = "0.4", features = ["wasm_js"] }
 
 [features]
 default = ["console_error_panic_hook"]
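Review bot: The new `vk.verify_with_context(message, &[], &parsed)` line carries the protocol decision (FIPS 204 Algorithm 3 with an empty context, to match the BouncyCastle-signed vectors) only in Cargo.toml's comment and the commit message; at the call site nothing stops a later cleanup from "simplifying" back to the `signature::Verifier::verify` form, which under ml-dsa 0.1 is Algorithm 8 and would silently break interop. Suggest a comment directly above the line: `// FIPS 204 Alg. 3 (pure ML-DSA, empty ctx) to match the BouncyCastle writer; Verifier::verify is Alg. 8 (no domain-separator prefix) — do not substitute.` A regression test that feeds one of the .NET-signed vectors through both `verify_with_context(msg, &[], &sig)` (expect accept) and `vk.verify(msg, &sig)` (expect reject) would pin the domain separation in code rather than in prose. The `&[]` context is a format-level constant shared with the writer; if the PQF spec ever defines a context string it must change on both sides together. verify_mldsa87's body starts outside the hunk, so the key/signature decode paths the commit message says are unchanged were not visible here.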
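Review bot: Enabling the `wasm_js` feature on `getrandom_v04` may not be sufficient on its own: since getrandom 0.3 the wasm32-unknown-unknown backend is chosen by a compile-time cfg (`--cfg getrandom_backend="wasm_js"`, normally set in the wasm target's rustflags) and the Cargo feature only pulls in the JS bindings; if 0.4 keeps that model — worth confirming against its docs — the build still fails without the cfg, and this commit touches only Cargo.toml. If a rustflags entry already exists elsewhere, a pointer to it in the new comment would save the next reader the hunt, e.g. `# backend selection itself is --cfg getrandom_backend="wasm_js" in <rustflags config path — TODO fill in>`. It is also worth stating in the comment that `getrandom_v04` is intentionally never imported and exists only to unify the feature, so an unused-dependency sweep does not remove it and silently reintroduce the missing backend.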