DEV Community: g.okc The latest articles on DEV Community by g.okc (@gustavo89587). https://dev.to/gustavo89587 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3991621%2F12912b9e-0692-4573-ab16-5b1148b0e07f.png DEV Community: g.okc https://dev.to/gustavo89587 en How a modular arithmetic oversight turned a cryptographic primitive into a no-op — and what we did about it. g.okc Thu, 18 Jun 2026 23:39:41 +0000 https://dev.to/gustavo89587/how-a-modular-arithmetic-oversight-turned-a-cryptographic-primitive-into-a-no-op-and-what-we-did-1opc https://dev.to/gustavo89587/how-a-modular-arithmetic-oversight-turned-a-cryptographic-primitive-into-a-no-op-and-what-we-did-1opc <h1> The silent bug that made our post-quantum signatures accept everything </h1> <p><em>How a modular arithmetic oversight turned a cryptographic primitive into a no-op — and what we did about it.</em></p> <p>We were building Vortex DFS, a deterministic security layer for AI systems. The core idea: instead of heuristics, use mathematics. A packet either satisfies the laws of physics and cryptography, or it doesn't.</p> <p>Part of that meant implementing a post-quantum signature scheme based on <strong>Learning With Errors (LWE)</strong> — the mathematical hardness assumption behind NIST's 2024 post-quantum standards. We wanted something auditable, something we could reason about, something that would fail loudly if it was wrong.</p> <p>It didn't fail loudly. It failed silently. And it took a test case we almost didn't write to catch it.</p> <h2> What we built </h2> <p>The scheme follows the Fiat-Shamir paradigm applied to LWE. The idea is elegant:</p> <p><strong>Key generation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>s ← small secret vector in Z_q^n A ← random public matrix in Z_q^(n×n) b = A·s mod q (public key) </code></pre> </div> <p><strong>Signing a message <code>data</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>y ← random commitment vector w = A·y mod q c = H(data || w) (challenge — hash binding) z = y + c·s mod q (response) Signature: (z, c) </code></pre> </div> <p><strong>Verification:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Recompute: w' = A·z - c·b mod q Check: H(data || w') == c </code></pre> </div> <p>The security intuition: an attacker who doesn't know <code>s</code> can't produce a <code>z</code> such that <code>A·z - c·b</code> hashes back to <code>c</code>. Solving that requires inverting the LWE problem — which is believed to be hard even for quantum computers.</p> <p>We implemented this in Rust. The math looked right. The code compiled. The happy path test passed.</p> <p>Then we wrote the test that almost didn't get written.</p> <h2> The test we almost skipped </h2> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">fn</span> <span class="nf">test_lwe_wrong_key_rejected</span><span class="p">()</span> <span class="p">{</span> <span class="k">let</span> <span class="p">(</span><span class="n">sk1</span><span class="p">,</span> <span class="n">pk1</span><span class="p">)</span> <span class="o">=</span> <span class="nf">keygen</span><span class="p">(</span><span class="mi">0xAAAA</span><span class="p">);</span> <span class="k">let</span> <span class="p">(</span><span class="n">_sk2</span><span class="p">,</span> <span class="n">pk2</span><span class="p">)</span> <span class="o">=</span> <span class="nf">keygen</span><span class="p">(</span><span class="mi">0xBBBB</span><span class="p">);</span> <span class="c1">// Sign with sk2/pk2</span> <span class="k">let</span> <span class="n">sig</span> <span class="o">=</span> <span class="n">_sk2</span><span class="nf">.sign</span><span class="p">(</span><span class="s">b"dados"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">pk2</span><span class="p">,</span> <span class="mi">0x1111</span><span class="p">);</span> <span class="c1">// Verify against pk1 — should FAIL</span> <span class="nd">assert!</span><span class="p">(</span><span class="o">!</span><span class="nf">verify</span><span class="p">(</span><span class="o">&amp;</span><span class="n">pk1</span><span class="p">,</span> <span class="s">b"dados"</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">sig</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p>The assertion failed. A signature made with one keypair was accepted by a completely different public key.</p> <p>The signature scheme that was supposed to be post-quantum secure was accepting any signature from any key.</p> <h2> Finding the root cause </h2> <p>We added diagnostic output and ran the math in Python to isolate where the failure was happening.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">N</span> <span class="o">=</span> <span class="mi">16</span><span class="p">;</span> <span class="n">Q</span> <span class="o">=</span> <span class="mi">257</span><span class="p">;</span> <span class="n">ETA</span> <span class="o">=</span> <span class="mi">2</span> <span class="c1"># With a typical challenge value c ≈ 245: </span><span class="n">tol</span> <span class="o">=</span> <span class="n">c</span> <span class="o">*</span> <span class="n">ETA</span> <span class="o">+</span> <span class="mi">1</span> <span class="c1"># tol = 245 * 2 + 1 = 491 </span> <span class="c1"># But Q = 257, so the entire ring Z_q spans [0, 256] # Maximum circular distance in Z_q: Q // 2 = 128 </span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">tol=</span><span class="si">{</span><span class="n">tol</span><span class="si">}</span><span class="s">, Q=</span><span class="si">{</span><span class="n">Q</span><span class="si">}</span><span class="s">, tol &gt; Q: </span><span class="si">{</span><span class="n">tol</span> <span class="o">&gt;</span> <span class="n">Q</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># tol=491, Q=257, tol &gt; Q: True </span></code></pre> </div> <p>The tolerance exceeded the size of the ring. We were checking whether the difference between two values in Z₂₅₇ was "small enough" — but our definition of small enough covered the entire space.</p> <p>In practice: <code>verify()</code> was returning <code>True</code> for every input.</p> <p>The root was in our verification function. The original version computed <code>A·z - c·b</code> and checked whether it was "close to" <code>w</code> using a tolerance of <code>c × ETA</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// BEFORE — broken</span> <span class="k">let</span> <span class="n">tolerance</span> <span class="o">=</span> <span class="n">sig</span><span class="py">.c</span> <span class="o">*</span> <span class="n">ETA</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="n">N</span><span class="p">)</span><span class="nf">.all</span><span class="p">(|</span><span class="n">i</span><span class="p">|</span> <span class="nf">dist_circular</span><span class="p">(</span><span class="nf">mod_q</span><span class="p">(</span><span class="n">az</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">-</span> <span class="n">cb</span><span class="p">[</span><span class="n">i</span><span class="p">]),</span> <span class="n">sig</span><span class="py">.w</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="o">&lt;=</span> <span class="n">tolerance</span><span class="p">)</span> </code></pre> </div> <p>With <code>Q = 257</code> (a deliberately small parameter for a demo implementation) and <code>c</code> values that can reach up to <code>Q - 1 = 256</code>, the tolerance <code>c × ETA</code> can be <code>512</code> — more than double the entire modulus. The "check" was vacuously true.</p> <h2> Why this happens mathematically </h2> <p>In a proper LWE-based signature scheme, the public key is <code>b = A·s + e</code>, where <code>e</code> is a small error vector. During verification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>A·z - c·b = A·(y + c·s) - c·(A·s + e) = A·y + c·A·s - c·A·s - c·e = A·y - c·e = w - c·e </code></pre> </div> <p>So <code>A·z - c·b</code> isn't exactly <code>w</code> — it differs by <code>c·e</code>. The tolerance exists to absorb this error. But the error bound <code>c × ETA</code> only stays safely below <code>Q/2</code> when <code>Q</code> is large relative to <code>c × ETA</code>.</p> <p>Production parameters (Dilithium uses <code>Q = 8,380,417</code>) make this gap enormous. Our demo parameter <code>Q = 257</code> collapsed it completely.</p> <h2> The fix </h2> <p>We changed the approach. Instead of checking proximity in the ring, we use hash binding directly.</p> <p>The key insight: if <code>b = A·s</code> (without the public error term), then <code>A·z - c·b = A·y = w</code> exactly. The verification becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Recompute w' = A·z - c·b mod q Accept iff H(data || w') == c </code></pre> </div> <p>No tolerance. No approximation. The hash function does the work — if <code>w'</code> differs from <code>w</code> by even a single bit, the hash changes completely.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// AFTER — correct</span> <span class="k">pub</span> <span class="k">fn</span> <span class="nf">verify</span><span class="p">(</span><span class="n">pk</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">PublicKey</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="o">&amp;</span><span class="p">[</span><span class="nb">u8</span><span class="p">],</span> <span class="n">sig</span><span class="p">:</span> <span class="o">&amp;</span><span class="n">Signature</span><span class="p">)</span> <span class="k">-&gt;</span> <span class="nb">bool</span> <span class="p">{</span> <span class="c1">// Recompute w' = A·z - c·b mod q</span> <span class="k">let</span> <span class="n">az</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="n">N</span><span class="p">)</span><span class="nf">.map</span><span class="p">(|</span><span class="n">i</span><span class="p">|</span> <span class="p">{</span> <span class="nf">mq</span><span class="p">(</span><span class="n">pk</span><span class="py">.a</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="nf">.iter</span><span class="p">()</span><span class="nf">.zip</span><span class="p">(</span><span class="o">&amp;</span><span class="n">sig</span><span class="py">.z</span><span class="p">)</span><span class="nf">.map</span><span class="p">(|(</span><span class="n">a</span><span class="p">,</span> <span class="n">z</span><span class="p">)|</span> <span class="n">a</span> <span class="o">*</span> <span class="n">z</span><span class="p">)</span><span class="nf">.sum</span><span class="p">())</span> <span class="p">})</span><span class="nf">.collect</span><span class="p">();</span> <span class="k">let</span> <span class="n">cb</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span> <span class="o">=</span> <span class="n">pk</span><span class="py">.b</span><span class="nf">.iter</span><span class="p">()</span><span class="nf">.map</span><span class="p">(|</span><span class="o">&amp;</span><span class="n">bi</span><span class="p">|</span> <span class="nf">mq</span><span class="p">(</span><span class="n">sig</span><span class="py">.c</span> <span class="o">*</span> <span class="n">bi</span><span class="p">))</span><span class="nf">.collect</span><span class="p">();</span> <span class="k">let</span> <span class="n">w_prime</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="n">N</span><span class="p">)</span><span class="nf">.map</span><span class="p">(|</span><span class="n">i</span><span class="p">|</span> <span class="nf">mq</span><span class="p">(</span><span class="n">az</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">-</span> <span class="n">cb</span><span class="p">[</span><span class="n">i</span><span class="p">]))</span><span class="nf">.collect</span><span class="p">();</span> <span class="c1">// Accept iff H(data || w') == c</span> <span class="nf">hash_commit</span><span class="p">(</span><span class="n">data</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">w_prime</span><span class="p">)</span> <span class="o">==</span> <span class="n">sig</span><span class="py">.c</span> <span class="p">}</span> </code></pre> </div> <p>We also updated the key generation to remove the public error term, since we no longer need it and its presence was the source of the approximation problem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="c1">// b = A·s (exact — no error term)</span> <span class="k">let</span> <span class="n">b</span><span class="p">:</span> <span class="nb">Vec</span><span class="o">&lt;</span><span class="nb">i64</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">(</span><span class="mi">0</span><span class="o">..</span><span class="n">N</span><span class="p">)</span> <span class="nf">.map</span><span class="p">(|</span><span class="n">i</span><span class="p">|</span> <span class="nf">mq</span><span class="p">(</span><span class="n">a</span><span class="p">[</span><span class="n">i</span><span class="p">]</span><span class="nf">.iter</span><span class="p">()</span><span class="nf">.zip</span><span class="p">(</span><span class="o">&amp;</span><span class="n">s</span><span class="p">)</span><span class="nf">.map</span><span class="p">(|(</span><span class="n">a</span><span class="p">,</span> <span class="n">s</span><span class="p">)|</span> <span class="n">a</span> <span class="o">*</span> <span class="n">s</span><span class="p">)</span><span class="nf">.sum</span><span class="p">()))</span> <span class="nf">.collect</span><span class="p">();</span> </code></pre> </div> <h2> Verifying the fix </h2> <p>We ran the same test suite:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[OK] test_lwe_sign_verify ← valid sig accepted [OK] test_lwe_tampered_data_rejected ← modified data rejected [OK] test_lwe_wrong_key_rejected ← different keypair rejected ✓ </span></code></pre> </div> <p>And the adversarial cases in Python confirmed the math:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Same keypair → True ✓ # Different keypair → False ✓ # Tampered data → False ✓ # Modified z → False ✓ </span></code></pre> </div> <h2> What this means in practice </h2> <p>The original code looked correct. It used the right algorithm name, the right structure, the right variable names. It compiled without warnings. The happy-path test passed. A code reviewer without cryptography expertise would have approved it.</p> <p>The failure was invisible until we explicitly tested the adversarial case: <em>what happens when you verify a signature made with the wrong key?</em></p> <p>In a deployed system, this would have meant that any packet — from any source, with any signature — would pass authentication. The post-quantum security layer would have been a no-op. Worse, it would have been a no-op that looked like it was working.</p> <h2> Three lessons </h2> <p><strong>Test the adversarial case explicitly.</strong> Happy-path tests don't find security bugs. For every authentication check, write the test that uses the wrong key, the wrong data, the tampered payload. If the test doesn't exist, the guarantee doesn't exist.</p> <p><strong>Small parameters expose bugs that large parameters hide.</strong> <code>Q = 257</code> made the overflow immediate and visible. With <code>Q = 8,380,417</code>, the same logical error might pass casual testing because the tolerance stays within bounds in typical cases — but could still be exploitable under crafted inputs. Use small parameters in tests to stress the boundaries.</p> <p><strong>For production, use audited implementations.</strong> The mathematics in our implementation is correct, but correct mathematics isn't the same as a secure implementation. Dilithium — the NIST-standardized lattice signature scheme — has been analyzed by hundreds of cryptographers over seven years. Use <code>pqcrypto-dilithium</code> in production. Our implementation is what you study to understand <em>why</em> it works. Theirs is what you deploy.</p> <h2> The production path </h2> <p>If you're building on Vortex DFS and need production-grade post-quantum signatures today:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="nn">[dependencies]</span> <span class="py">pqcrypto-dilithium</span> <span class="p">=</span> <span class="s">"0.5"</span> <span class="py">pqcrypto-traits</span> <span class="p">=</span> <span class="s">"0.3"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight rust"><code><span class="k">use</span> <span class="nn">pqcrypto_dilithium</span><span class="p">::</span><span class="n">dilithium3</span><span class="p">;</span> <span class="k">use</span> <span class="nn">pqcrypto_traits</span><span class="p">::</span><span class="nn">sign</span><span class="p">::{</span><span class="n">DetachedSignature</span><span class="p">,</span> <span class="n">PublicKey</span><span class="p">,</span> <span class="n">SecretKey</span><span class="p">};</span> <span class="k">let</span> <span class="p">(</span><span class="n">pk</span><span class="p">,</span> <span class="n">sk</span><span class="p">)</span> <span class="o">=</span> <span class="nn">dilithium3</span><span class="p">::</span><span class="nf">keypair</span><span class="p">();</span> <span class="k">let</span> <span class="n">sig</span> <span class="o">=</span> <span class="nn">dilithium3</span><span class="p">::</span><span class="nf">detached_sign</span><span class="p">(</span><span class="n">message</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">sk</span><span class="p">);</span> <span class="nd">assert!</span><span class="p">(</span><span class="nn">dilithium3</span><span class="p">::</span><span class="nf">verify_detached_signature</span><span class="p">(</span><span class="o">&amp;</span><span class="n">sig</span><span class="p">,</span> <span class="n">message</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">pk</span><span class="p">)</span><span class="nf">.is_ok</span><span class="p">());</span> </code></pre> </div> <p>Same mathematical foundation. NIST-standardized parameters. Seven years of public cryptanalysis.</p> <h2> Conclusion </h2> <p>The bug was a single line — a tolerance calculation that exceeded the modulus. It rendered an entire cryptographic layer meaningless. It was caught by a test case that was almost skipped.</p> <p>Security isn't about looking correct. It's about being provably incorrect when something is wrong.</p> <p>Vortex DFS is built on that principle. Every packet gets a typed rejection reason. Every layer has an adversarial test. Every guarantee has a corresponding test that tries to break it.</p> <p>The code is open source. Read it, break it, tell us what you find.</p> <p><em>Vortex DFS is built at Okamoto Security Labs. Apache 2.0.</em><br><br> <em>Source: <a href="https://github.com" rel="noopener noreferrer">github.com/okamoto-security-labs/Vortex-DFS</a></em></p> algorithms computerscience cybersecurity security [Boost] g.okc Thu, 18 Jun 2026 23:36:42 +0000 https://dev.to/gustavo89587/-1554 https://dev.to/gustavo89587/-1554