Updated logic for ML-DSA randomized signing, updated docs and tests (Python & C)

M-AlNoaimi · M-AlNoaimi · commit ec7289ec08c7 · 2025-10-19T23:27:54.000+01:00
Signed-off-by: M-AlNoaimi &lt;mo@malnoaimi.com&gt;
diff --git a/.CMake/alg_support.cmake b/.CMake/alg_support.cmake
@@ -174,7 +174,7 @@ cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768 "" ON "OQS_ENABLE_KEM_ML_KEM" O
 cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024 "" ON "OQS_ENABLE_KEM_ML_KEM" OFF)
 
 option(OQS_ENABLE_SIG_ML_DSA "Enable ml_dsa algorithm family" ON)
-cmake_dependent_option(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING "Enable randomized signing for ML-DSA" OFF "OQS_ENABLE_SIG_ML_DSA" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING "Enable randomized signing for ML-DSA" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
diff --git a/CONFIGURE.md b/CONFIGURE.md
@@ -64,11 +64,11 @@ For a full list of such options and their default values, consult [.CMake/alg_su
 
 ### OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING
 
-Can be set to `ON` or `OFF`. When `ON`, ML-DSA signature algorithms are built with randomized signing enabled, resulting in non-deterministic signatures (randomized seed/nonce per signature).
+Can be set to `ON` or `OFF`. When `ON`, ML-DSA signature algorithms are built with randomized signing enabled, resulting in non-deterministic signatures. When `OFF`, ML-DSA signature algorithms use deterministic signing.
 
 This option is only available if `OQS_ENABLE_SIG_ML_DSA` is `ON`.
 
-**Default**: `OFF`.
+**Default**: `ON`.
 
 ## OQS_ALGS_ENABLED
 
diff --git a/scripts/copy_from_upstream/.CMake/alg_support.cmake/add_enable_by_alg.fragment b/scripts/copy_from_upstream/.CMake/alg_support.cmake/add_enable_by_alg.fragment
@@ -19,7 +19,7 @@ option(OQS_ENABLE_SIG_{{ family['name']|upper }} "Enable {{ family['name'] }} al
 option(OQS_ENABLE_SIG_{{ family['name']|upper }} "Enable {{ family['name'] }} algorithm family" ON)
 {%- endif %}
 {%- if family['name'] == "ml_dsa" %}
-cmake_dependent_option(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING "Enable randomized signing for ML-DSA" OFF "OQS_ENABLE_SIG_ML_DSA" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING "Enable randomized signing for ML-DSA" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 {%- endif %}
     {%- for scheme in family['schemes'] %}
 cmake_dependent_option(OQS_ENABLE_SIG_{{ family['name'] }}_{{ scheme['scheme'] }} "" ON "OQS_ENABLE_SIG_{{ family['name']|upper }}" OFF)
diff --git a/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa.patch b/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa.patch
@@ -140,10 +140,18 @@ index 5163526..e9bff1e 100644
        - architecture: x86_64
          operating_systems:
 diff --git a/avx2/config.h b/avx2/config.h
-index a9facc0..3944cb4 100644
+index a9facc0..da97994 100644
 --- a/avx2/config.h
 +++ b/avx2/config.h
-@@ -11,17 +11,17 @@
+@@ -2,7 +2,6 @@
+ #define CONFIG_H
+ 
+ //#define DILITHIUM_MODE 2
+-#define DILITHIUM_RANDOMIZED_SIGNING
+ //#define USE_RDPMC
+ //#define DBENCH
+ 
+@@ -11,17 +10,17 @@
  #endif
  
  #if DILITHIUM_MODE == 2
@@ -520,10 +528,18 @@ index 8f3c3c5..fa49963 100644
  
  #endif
 diff --git a/ref/config.h b/ref/config.h
-index 98b8ccb..8008e11 100644
+index 98b8ccb..7d52ebc 100644
 --- a/ref/config.h
 +++ b/ref/config.h
-@@ -11,17 +11,17 @@
+@@ -2,7 +2,6 @@
+ #define CONFIG_H
+ 
+ //#define DILITHIUM_MODE 2
+-#define DILITHIUM_RANDOMIZED_SIGNING
+ //#define USE_RDPMC
+ //#define DBENCH
+ 
+@@ -11,17 +10,17 @@
  #endif
  
  #if DILITHIUM_MODE == 2
diff --git a/scripts/copy_from_upstream/src/sig/family/CMakeLists.txt b/scripts/copy_from_upstream/src/sig/family/CMakeLists.txt
@@ -46,6 +46,11 @@ if(OQS_ENABLE_SIG_{{ family }}_{{ scheme['scheme_c'] }}_{{ impl['name'] }}{%- if
         {%- if impl['compile_opts'] %}
     target_compile_options({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} PUBLIC {{ impl['compile_opts'] }})
         {%- endif %}
+        {%- if family == 'ml_dsa' %}
+    if(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING)
+        target_compile_options({{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }} PUBLIC -DDILITHIUM_RANDOMIZED_SIGNING)
+    endif()
+        {%- endif %}
     set(_{{ family|upper }}_OBJS ${_{{ family|upper }}_OBJS} $<TARGET_OBJECTS:{{ family }}_{{ scheme['scheme'] }}_{{ impl['name'] }}>)
 endif()
     {%- endfor -%}
diff --git a/src/sig/ml_dsa/CMakeLists.txt b/src/sig/ml_dsa/CMakeLists.txt
@@ -11,6 +11,9 @@ if(OQS_ENABLE_SIG_ml_dsa_44)
     target_include_directories(ml_dsa_44_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-44_ref)
     target_include_directories(ml_dsa_44_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(ml_dsa_44_ref PUBLIC -DDILITHIUM_MODE=2)
+    if(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING)
+        target_compile_options(ml_dsa_44_ref PUBLIC -DDILITHIUM_RANDOMIZED_SIGNING)
+    endif()
     set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $<TARGET_OBJECTS:ml_dsa_44_ref>)
 endif()
 
@@ -20,6 +23,9 @@ if(OQS_ENABLE_SIG_ml_dsa_44_avx2)
     target_include_directories(ml_dsa_44_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(ml_dsa_44_avx2 PRIVATE -mavx2 -mpopcnt)
     target_compile_options(ml_dsa_44_avx2 PUBLIC -DDILITHIUM_MODE=2)
+    if(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING)
+        target_compile_options(ml_dsa_44_avx2 PUBLIC -DDILITHIUM_RANDOMIZED_SIGNING)
+    endif()
     set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $<TARGET_OBJECTS:ml_dsa_44_avx2>)
 endif()
 
@@ -29,6 +35,9 @@ if(OQS_ENABLE_SIG_ml_dsa_65)
     target_include_directories(ml_dsa_65_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-65_ref)
     target_include_directories(ml_dsa_65_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(ml_dsa_65_ref PUBLIC -DDILITHIUM_MODE=3)
+    if(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING)
+        target_compile_options(ml_dsa_65_ref PUBLIC -DDILITHIUM_RANDOMIZED_SIGNING)
+    endif()
     set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $<TARGET_OBJECTS:ml_dsa_65_ref>)
 endif()
 
@@ -38,6 +47,9 @@ if(OQS_ENABLE_SIG_ml_dsa_65_avx2)
     target_include_directories(ml_dsa_65_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(ml_dsa_65_avx2 PRIVATE -mavx2 -mpopcnt)
     target_compile_options(ml_dsa_65_avx2 PUBLIC -DDILITHIUM_MODE=3)
+    if(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING)
+        target_compile_options(ml_dsa_65_avx2 PUBLIC -DDILITHIUM_RANDOMIZED_SIGNING)
+    endif()
     set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $<TARGET_OBJECTS:ml_dsa_65_avx2>)
 endif()
 
@@ -47,6 +59,9 @@ if(OQS_ENABLE_SIG_ml_dsa_87)
     target_include_directories(ml_dsa_87_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-87_ref)
     target_include_directories(ml_dsa_87_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(ml_dsa_87_ref PUBLIC -DDILITHIUM_MODE=5)
+    if(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING)
+        target_compile_options(ml_dsa_87_ref PUBLIC -DDILITHIUM_RANDOMIZED_SIGNING)
+    endif()
     set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $<TARGET_OBJECTS:ml_dsa_87_ref>)
 endif()
 
@@ -56,6 +71,9 @@ if(OQS_ENABLE_SIG_ml_dsa_87_avx2)
     target_include_directories(ml_dsa_87_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
     target_compile_options(ml_dsa_87_avx2 PRIVATE -mavx2 -mpopcnt)
     target_compile_options(ml_dsa_87_avx2 PUBLIC -DDILITHIUM_MODE=5)
+    if(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING)
+        target_compile_options(ml_dsa_87_avx2 PUBLIC -DDILITHIUM_RANDOMIZED_SIGNING)
+    endif()
     set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $<TARGET_OBJECTS:ml_dsa_87_avx2>)
 endif()
 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/config.h
@@ -2,7 +2,6 @@
 #define CONFIG_H
 
 //#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
 //#define USE_RDPMC
 //#define DBENCH
 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/config.h
@@ -2,7 +2,6 @@
 #define CONFIG_H
 
 //#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
 //#define USE_RDPMC
 //#define DBENCH
 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/config.h
@@ -2,7 +2,6 @@
 #define CONFIG_H
 
 //#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
 //#define USE_RDPMC
 //#define DBENCH
 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/config.h
@@ -2,7 +2,6 @@
 #define CONFIG_H
 
 //#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
 //#define USE_RDPMC
 //#define DBENCH
 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/config.h
@@ -2,7 +2,6 @@
 #define CONFIG_H
 
 //#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
 //#define USE_RDPMC
 //#define DBENCH
 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/config.h
@@ -2,7 +2,6 @@
 #define CONFIG_H
 
 //#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
 //#define USE_RDPMC
 //#define DBENCH
 
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -154,6 +154,9 @@ endif()
 
 add_executable(test_sig test_sig.c test_helpers.c)
 target_link_libraries(test_sig PRIVATE ${TEST_DEPS})
+if(OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING)
+    target_compile_definitions(test_sig PRIVATE OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING)
+endif()
 if(CMAKE_SYSTEM_NAME STREQUAL "Windows" AND BUILD_SHARED_LIBS)
     # workaround for Windows .dll
     if(CMAKE_CROSSCOMPILING)
diff --git a/tests/helpers.py b/tests/helpers.py
@@ -193,6 +193,17 @@ def available_use_options_by_name():
 def is_use_option_enabled_by_name(name):
     return name in available_use_options_by_name()
 
+def is_ml_dsa_randomized_signing_enabled():
+    header = os.path.join(get_current_build_dir_name(), 'include', 'oqs', 'oqsconfig.h')
+    try:
+        with open(header) as fh:
+            for line in fh:
+                if line.strip() == "#define OQS_ENABLE_SIG_ML_DSA_RANDOMIZED_SIGNING":
+                    return True
+    except Exception:
+        pass
+    return False
+
 def get_kats(t):
     if kats[t] is None:
         with open(os.path.join('tests', 'KATs', t, 'kats.json'), 'r') as fp:
diff --git a/tests/test_acvp_vectors.py b/tests/test_acvp_vectors.py
@@ -159,6 +159,9 @@ def test_acvp_vec_ml_dsa_sig_gen(sig_name):
                 if variant["parameterSet"] == sig_name:
                     variantFound = True
                     for testCase in variant["tests"]:
+                        # Skip randomized signature vectors if built in deterministic mode
+                        if (not helpers.is_ml_dsa_randomized_signing_enabled()) and (not variant["deterministic"]):
+                            pytest.skip("Skipping randomized signature vector test: implementation built in deterministic mode")
                         sk = testCase["sk"]
                         message = testCase["message"]
                         signature = testCase["signature"]
diff --git a/tests/test_kat.py b/tests/test_kat.py
@@ -27,6 +27,9 @@ def test_sig(sig_name):
     kats = helpers.get_kats("sig")
     # slh dsa will run ACVP vectors instead
     if ("SLH_DSA" in sig_name): pytest.skip('slhdsa not enabled for KATs')
+    # Skip ML-DSA KATs if randomized signing is not enabled
+    if sig_name in ["ML-DSA-44", "ML-DSA-65", "ML-DSA-87"] and not helpers.is_ml_dsa_randomized_signing_enabled():
+        pytest.skip("Skipping ML-DSA KAT signature test: implementation built in deterministic mode")
     if not(helpers.is_sig_enabled_by_name(sig_name)): pytest.skip('Not enabled')
     output = helpers.run_subprocess(
         [helpers.path_to_executable('kat_sig'), sig_name],
diff --git a/tests/test_kat_all.py b/tests/test_kat_all.py
@@ -27,6 +27,9 @@ def test_sig(sig_name):
     kats = helpers.get_kats("sig")
     # slh dsa will run ACVP vectors instead
     if ("SLH_DSA" in sig_name): pytest.skip('slhdsa not enabled for KATs')
+    # Skip ML-DSA KATs if randomized signing is not enabled
+    if sig_name in ["ML-DSA-44", "ML-DSA-65", "ML-DSA-87"] and not helpers.is_ml_dsa_randomized_signing_enabled():
+        pytest.skip("Skipping ML-DSA KAT signature test: implementation built in deterministic mode")
     if not(helpers.is_sig_enabled_by_name(sig_name)): pytest.skip('Not enabled')
     output = helpers.run_subprocess(
         [helpers.path_to_executable('kat_sig'), sig_name, '--all'],
diff --git a/tests/test_sig.c b/tests/test_sig.c
@@ -260,8 +260,8 @@ static OQS_STATUS sig_test_randomized_signing(const char *method_name) {
 
 	sig = OQS_SIG_new(method_name);
 	if (sig == NULL) {
-		// ML-DSA is not enabled, so we can't test it.
-		return OQS_SUCCESS;
+		fprintf(stderr, "ERROR: OQS_SIG_new failed for %s\n", method_name);
+		return OQS_ERROR;
 	}
 
 	printf("Testing randomized signing for %s\n", sig->method_name);
