ml-dsa's UseHint function has off by two error when r0 equals zero

Summary There's a bug in the usehint function where it adds 1 instead of subtracting 1 when the decomposed low bits r0 equal exactly zero. FIPS 204 Algorithm 40 is pretty clear that r0 0 means strictly positive, but the current code treats zero as positive. This causes valid signatures to...

GHSA-H37V-HP6W-2PP8 ml-dsa's UseHint function has off by two error when r0 equals zero

Summary There's a bug in the usehint function where it adds 1 instead of subtracting 1 when the decomposed low bits r0 equal exactly zero. FIPS 204 Algorithm 40 is pretty clear that r0 0 means strictly positive, but the current code treats zero as positive. This causes valid signatures to...

PT-2026-5048

The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard ML-DSA. Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto ml-dsa crate incorrectly accepts signatures with repeated duplicat...

Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense

Google has announced that it will be switching from KYBER to ML-KEM in its Chrome web browser as part of its ongoing efforts to defend against the risk posed by cryptographically relevant quantum computers CRQCs. "Chrome will offer a key share prediction for hybrid ML-KEM codepoint 0x11EC," David...

NIST Releases First Post-Quantum Encryption Algorithms

From the Federal Register: After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes:...