The signing APIs decode the secret key and use s1, s2, and t0 without
validating that the decoded secret-key components are canonical and within the
ML-DSA coefficient bounds. The separate pk_from_sk API performs those checks
and rejects the same malformed keys.
Wycheproof marks these test keys with InvalidPrivateKey. The normal
Wycheproof signing harness skips those signing tests because signing currently
does not validate secret keys, then tests them only through pkFromSk. When run
directly, sigGenDeterministic succeeds for the invalid private keys and the
resulting signatures verify under the corresponding public keys.
The signing APIs decode the secret key and use
s1,s2, andt0withoutvalidating that the decoded secret-key components are canonical and within the
ML-DSA coefficient bounds. The separate
pk_from_skAPI performs those checksand rejects the same malformed keys.
Wycheproof marks these test keys with
InvalidPrivateKey. The normalWycheproof signing harness skips those signing tests because signing currently
does not validate secret keys, then tests them only through
pkFromSk. When rundirectly,
sigGenDeterministicsucceeds for the invalid private keys and theresulting signatures verify under the corresponding public keys.