[CFRG] Re: Where should test vectors live?

"D. J. Bernstein" <djb@cr.yp.to> Sat, 21 September 2024 17:38 UTC

Date: Sat, 21 Sep 2024 17:38:36 -0000
Message-ID: <20240921173836.467065.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <GVXPR07MB96788E2243EC05BF3A8E6DBF896D2@GVXPR07MB9678.eurprd07.prod.outlook.com>
Subject: [CFRG] Re: Where should test vectors live?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/xLyIruRUmfHpdVq0z59lokJWnUQ>

John Mattsson writes:
> Reference code only produces positive test vectors.

That depends on how the code is used! For example, after using KEM code
to generate legitimate ciphertexts, SUPERCOP automatically flips some
bits in the ciphertexts and tries decapsulating the results. There are
528 KEM implementations that have been submitted to and included in
SUPERCOP (e.g., 3 implementations of kyber1024), and these negative
tests are applied to all of them, without them having to do any work
beyond supporting the easy SUPERCOP API.

Meanwhile KEM teams following NIST's rules (and newer KEMs imitating
that pattern) have distributed endless copies of NIST's unmaintained
PQCgenKAT_kem.c (and the accompanying non-constant-time rng.c), along
with "KAT" files listing the resulting KEM test vectors. These KAT files
include only positive tests. How is that KAT ecosystem supposed to be
upgraded to add negative tests? Does someone patch PQCgenKAT_kem.c to
add those tests, and then try to convince everyone to remove the
existing KAT files in favor of the extended KAT files? Or should there
be separate NEGKAT files?

This is an illustration of how focusing on distribution of test vectors
ends up with lower-quality tests than focusing on distribution of (1)
reference code for each cryptographic primitive in a unified API and (2)
modular test tools that apply to anything using that API.

---D. J. Bernstein