Deep security review: harden deserialization paths and publish updated security report

CLI.md

@@ -676,39 +676,39 @@ k-mosaic-cli benchmark --level 128 --iterations 20
 
 📊 KEM Key Generation
 ────────────────────────────────────────────────────────
-  kMOSAIC:      19.289 ms/op |     51.8 ops/sec
-  X25519:       0.016 ms/op |  63441.7 ops/sec
-  Comparison: Node.js is 1223.7x faster
+  kMOSAIC:      12.707 ms/op |     78.7 ops/sec
+  X25519:       0.015 ms/op |  67076.7 ops/sec
+  Comparison: Node.js is 852.4x faster
 
 📊 KEM Encapsulation
 ────────────────────────────────────────────────────────
-  kMOSAIC:       0.538 ms/op |   1860.0 ops/sec
-  X25519:       0.043 ms/op |  23529.4 ops/sec
-  Comparison: Node.js is 12.7x faster
+  kMOSAIC:       0.495 ms/op |   2021.6 ops/sec
+  X25519:       0.041 ms/op |  24180.4 ops/sec
+  Comparison: Node.js is 12.0x faster
 
 📊 KEM Decapsulation
 ────────────────────────────────────────────────────────
-  kMOSAIC:       4.220 ms/op |    237.0 ops/sec
-  X25519:       0.030 ms/op |  32811.1 ops/sec
-  Comparison: Node.js is 138.5x faster
+  kMOSAIC:       5.576 ms/op |    179.3 ops/sec
+  X25519:       0.032 ms/op |  31555.7 ops/sec
+  Comparison: Node.js is 176.0x faster
 
 📊 Signature Key Generation
 ────────────────────────────────────────────────────────
-  kMOSAIC:       19.204 ms/op |     52.1 ops/sec
-  Ed25519:       0.012 ms/op |  80971.7 ops/sec
-  Comparison: Node.js is 1555.0x faster
+  kMOSAIC:       12.438 ms/op |     80.4 ops/sec
+  Ed25519:       0.012 ms/op |  86673.9 ops/sec
+  Comparison: Node.js is 1078.0x faster
 
 📊 Signing
 ────────────────────────────────────────────────────────
-  kMOSAIC:        0.040 ms/op |  25049.6 ops/sec
-  Ed25519:       0.011 ms/op |  87190.3 ops/sec
-  Comparison: Node.js is 3.5x faster
+  kMOSAIC:        0.073 ms/op |  13697.4 ops/sec
+  Ed25519:       0.013 ms/op |  79522.9 ops/sec
+  Comparison: Node.js is 5.8x faster
 
 📊 Verification
 ────────────────────────────────────────────────────────
-  kMOSAIC:        1.417 ms/op |    705.9 ops/sec
-  Ed25519:       0.033 ms/op |  30607.6 ops/sec
-  Comparison: Node.js is 43.4x faster
+  kMOSAIC:        1.477 ms/op |    676.8 ops/sec
+  Ed25519:       0.033 ms/op |  30156.8 ops/sec
+  Comparison: Node.js is 44.6x faster
 
 ════════════════════════════════════════════════════════════════════════════
 
@@ -719,7 +719,7 @@ k-mosaic-cli benchmark --level 128 --iterations 20
 ├─────────────────────┼─────────────┼─────────────┤
 │ KEM Public Key      │ ~  7500 B │       44 B │
 │ KEM Ciphertext      │ ~  7800 B │       76 B │
-│ Signature           │ ~  7400 B │       64 B │
+│ Signature           │     204 B │       64 B │
 └─────────────────────┴─────────────┴─────────────┘
 
 💡 NOTES:

DEVELOPER_GUIDE.md

@@ -1461,20 +1461,20 @@ kMOSAIC's lattice component (SLSS) uses a variant of the SIS problem for signatu
 4. Public Key: (A, t)
 5. Secret Key: s
 
-**Signing** (simplified):
+**Signing** (sub-SLSS Sigma protocol):
 
-1. Generate random "mask" vector y
-2. Compute commitment w = A × y (mod q)
-3. Hash to get challenge c = H(message, w)
-4. Compute response z = y + c × s
-5. If z is too large, restart (rejection sampling)
-6. Output signature (c, z)
+1. Derive a dedicated signing sub-key `(A', s', t' = A'·s')` deterministically from the master seed
+2. Generate random mask vector r; compute commitment `w = A'·r (mod Q_SIG)`
+3. Hash to get challenge `c = H(serialize(w) || serialize(t') || msgHash || binding)`
+4. Compute response `z = r + c·s'`; output `tBytes = serialize(t')` and `zBytes = serialize(z)`
+5. Output signature: `commitment (32B) || challenge (32B) || tBytes (64B) || zBytes (64B)`
 
 **Verification**:
 
-1. Recompute w' = A × z - c × t (mod q)
-2. Recompute c' = H(message, w')
-3. Accept if c' = c and z is small
+1. Deserialize `tBytes` and `zBytes` from the response field
+2. Recompute `w_check = A'·z - c·t' (mod Q_SIG)`
+3. Recompute `c' = H(serialize(w_check) || tBytes || msgHash || binding)`
+4. Accept if `c' == commitment` (algebraic relation holds)
 
 ### Security of SLSS
 
@@ -3809,44 +3809,44 @@ So 256-bit classical ≈ 128-bit quantum security.
 
 | Operation   | Time (ms) | Ops/sec |
 | :---------- | :-------- | :------ |
-| KEM KeyGen  | 19.289    | 51.8    |
-| Sign KeyGen | 19.204    | 52.1    |
+| KEM KeyGen  | 12.707    | 78.7    |
+| Sign KeyGen | 12.438    | 80.4    |
 
 Key generation is done once and keys are reused.
 
 ### KEM Operations
 
 | Operation   | Time (ms) | Ops/sec |
 | :---------- | :-------- | :------ |
-| Encapsulate | 0.538     | 1,860.0 |
-| Decapsulate | 4.220     | 237.0   |
+| Encapsulate | 0.495     | 2,021.6 |
+| Decapsulate | 5.576     | 179.3   |
 
 ### Signature Operations
 
 | Operation | Time (ms) | Ops/sec  |
 | :-------- | :-------- | :------- |
-| Sign      | 0.040     | 25,049.6 |
-| Verify    | 1.417     | 705.9    |
+| Sign      | 0.073     | 13,697.4 |
+| Verify    | 1.477     | 676.8    |
 
-_Benchmarks on Apple M2 Pro, Bun runtime. Tested: December 31, 2025._
+_Benchmarks on Apple M2 Pro, Bun runtime. Tested: April 11, 2026._
 
 ### Key and Signature Sizes
 
 #### MOS-128 (128-bit Security)
 
-| Component      | Size    | Notes                                                                              |
-| :------------- | :------ | :--------------------------------------------------------------------------------- |
-| KEM Public Key | ~824 KB | Contains SLSS matrix A (384 × 512 × 4 bytes), TDD tensor, EGRW keys                |
-| KEM Ciphertext | ~5.7 KB | Contains SLSS vectors (c1), TDD ciphertext (c2), EGRW vertex path (c3), NIZK proof |
-| Signature      | 140 B   | commitment (32B) + challenge (32B) + response (64B) + overhead (12B)               |
+| Component      | Size    | Notes                                                                                       |
+| :------------- | :------ | :------------------------------------------------------------------------------------------ |
+| KEM Public Key | ~824 KB | Contains SLSS matrix A (384 × 512 × 4 bytes), TDD tensor, EGRW keys                         |
+| KEM Ciphertext | ~5.7 KB | Contains SLSS vectors (c1), TDD ciphertext (c2), EGRW vertex path (c3), NIZK proof          |
+| Signature      | 204 B   | commitment (32B) + challenge (32B) + response: tBytes (64B) + zBytes (64B) + overhead (12B) |
 
 #### MOS-256 (256-bit Security)
 
 | Component      | Size     | Notes                                                                       |
 | :------------- | :------- | :-------------------------------------------------------------------------- |
 | KEM Public Key | ~3.3 MB  | Contains SLSS matrix A (768 × 1024 × 4 bytes), larger TDD tensor, EGRW keys |
 | KEM Ciphertext | ~10.5 KB | Larger ciphertexts due to bigger parameter sets                             |
-| Signature      | 140 B    | Same as MOS-128 - signature size is independent of security level           |
+| Signature      | 204 B    | Same as MOS-128 - signature size is independent of security level           |
 
 #### Classical Cryptography (for Reference)
 
@@ -3859,7 +3859,7 @@ _Benchmarks on Apple M2 Pro, Bun runtime. Tested: December 31, 2025._
 **Important Notes:**
 
 - kMOSAIC provides post-quantum security at the cost of **much larger** keys compared to classical algorithms (~100x larger)
-- Signatures are compact (140 bytes) despite the heterogeneous design
+- Signatures are compact (204 bytes) despite the heterogeneous design
 - Public key size dominates the communication footprint due to lattice-based matrix storage
 - See [test/validate-sizes.test.ts](test/validate-sizes.test.ts) for runtime validation of these sizes
 

README.md

@@ -238,7 +238,7 @@ interface MOSAICCiphertext {
 interface MOSAICSignature {
   commitment: Uint8Array // 32 bytes
   challenge: Uint8Array // 32 bytes
-  response: Uint8Array // 64 bytes
+  response: Uint8Array // 128 bytes: tBytes (64B) + zBytes (64B)
 }
 
 interface EncapsulationResult {
@@ -634,13 +634,14 @@ const ALGORITHM_INFO: AlgorithmInfo
 
 An internal security review identified and fixed critical vulnerabilities:
 
-| Issue                    | Severity    | Status   |
-| ------------------------ | ----------- | -------- |
-| TDD plaintext storage    | 🔴 Critical | ✅ Fixed |
-| EGRW randomness exposure | 🔴 Critical | ✅ Fixed |
-| TDD modular bias         | 🟠 High     | ✅ Fixed |
+| Issue                            | Severity    | Status   |
+| -------------------------------- | ----------- | -------- |
+| TDD plaintext storage            | 🔴 Critical | ✅ Fixed |
+| EGRW randomness exposure         | 🔴 Critical | ✅ Fixed |
+| TDD modular bias                 | 🟠 High     | ✅ Fixed |
+| Existential forgery (signatures) | 🔴 Critical | ✅ Fixed |
 
-All 304 tests pass. See [SECURITY_REPORT.md](SECURITY_REPORT.md) for full details.
+All 366 tests pass. See [SECURITY_REPORT.md](SECURITY_REPORT.md) for full details.
 
 **Known Limitations:**