Affected Crate: ml-dsa
Affected Versions: v0.1.0-rc.2 (and commits since b01c3b7)
Severity: Medium
Reporter: Oren Yomtov (Fireblocks)
The ML-DSA signature verification implementation in the RustCrypto ml-dsa crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be strictly increasing. The current implementation uses a non-strict monotonic check (<= instead of <), allowing duplicate indices.
Note: This is a regression bug. The original implementation was correct, but commit b01c3b7 ("Make ML-DSA signature decoding follow the spec (#895)", fixing issue #894) inadvertently changed the strict < comparison to <=, introducing the vulnerability.
The vulnerability is located in the monotonic helper function in ml-dsa/src/hint.rs:
fn monotonic(a: &[usize]) -> bool {
a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] <= *x)
}
The comparison operator <= allows equal consecutive values, meaning duplicate hint indices are not rejected. The correct implementation should use strict less-than (<):
fn monotonic(a: &[usize]) -> bool {
a.iter().enumerate().all(|(i, x)| i == 0 || a[i - 1] < *x)
}
1d3a1d1 - "Add support for ML-DSA (#877)"): Used < (strict)b01c3b7 - "Make ML-DSA signature decoding follow the spec (#895)"): Changed to <=The commit message suggests it was intended to fix issue #894 and make decoding follow the spec, but the change to the monotonic function was in the wrong direction. The other changes in that commit (to use_hint function) may have been correct, but this specific change introduced signature malleability.
This vulnerability allows signature malleability - the...
0.1.0-rc.4Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:NI:LA:N5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N