Invalid PQ Signature Detection

Version: 1.0.0
Status: Production
Last Updated: 2026-05-23
Editor: Eric Beans, H33.ai, Inc.
Canonical URL: https://h33.ai/verification/invalid-signature/

1. Scope

This walkthrough demonstrates the AND-gate signature verification model. The input bundle is identical to the valid bundle in HATS-VW-001, except that node 1's ML-DSA-65 signature has been corrupted (a single byte flipped). The FALCON-512 and SLH-DSA-SHA2-128f signatures on the same node remain valid.

Under the AND-gate model, all signature families present on a node MUST independently verify. A single invalid family causes the entire node's attestation to fail. The expected verifier output is FAILED with the failure localized to node 1, family ML-DSA-65.

2. Definitions

AND-Gate Verification: The verification policy requiring that every post-quantum signature family present on a governance node independently verifies. This is not a threshold (k-of-n) scheme. It is a strict conjunction: if any family fails, the node fails. The attestation is only as strong as the conjunction of all families.
Signature Corruption: The modification of one or more bytes within a signature value after the signature was generated. Even a single bit flip produces an invalid signature because post-quantum signature schemes are not malleable under NIST-standardized parameters.
Family Independence: The property that each signature family is verified using an independent key pair, an independent algorithm, and an independent mathematical hardness assumption. Compromise of one family's private key does not compromise the others.
ML-DSA-65 (Dilithium): Module-Lattice-Based Digital Signature Algorithm, security level 3 (NIST FIPS 204). Based on the hardness of Module-LWE and Module-SIS problems over structured lattices.

3. Input Modification

The corruption is a single byte change in node 1's ML-DSA-65 signature. The original signature byte at offset 47 was 0xA3; the corrupted value is 0xA4. All other fields, including the FALCON-512 and SLH-DSA signatures on the same node, are unchanged.

invalid-signature.json (node 1 signatures excerpt)

"signatures": {
  "ml_dsa_65": "ML-DSA-65:3045022100...a4...c9d0e1f2a3",
                                    ^^
                          byte 47: 0xA3 -> 0xA4 (corrupted)

  "falcon_512": "FALCON-512:3045022100...b2c3d4e5f6",   (valid)
  "slh_dsa": "SLH-DSA-SHA2-128f:3045022100...a7b8c9d0e1" (valid)
}

This walkthrough models the scenario where an attacker replaces a signature with a near-valid forgery, or where bit rot / transport error corrupts a single byte. Both produce identical verifier behavior: the signature does not verify, and the AND-gate fails the node.

4. CLI Command

$ hats verify invalid-signature.json

5. Detection Mechanism

5.1. Verification Order

The verifier processes checks in the following order for each node:

Schema validation (already passed at bundle level).
Chain integrity (predecessor hash matches preceding node).
Node hash verification (recomputed hash matches declared hash).
Signature verification (each family independently).

For node 1, checks 1-3 pass because the node content and hash chain are unmodified. The failure occurs at check 4.

5.2. Per-Family Results

Family	Algorithm	Signature Size	Status	Detail
ML-DSA-65	NIST FIPS 204	3,309 bytes	INVALID	Verification equation failed: corrupted byte at offset 47
FALCON-512	FALCON Round 3	~690 bytes	VALID	Signature verified against node_hash
SLH-DSA-SHA2-128f	NIST FIPS 205	17,088 bytes	VALID	Signature verified against node_hash

5.3. AND-Gate Evaluation

The AND-gate evaluates as:

AND-gate = ML-DSA-65(VALID?) AND FALCON-512(VALID?) AND SLH-DSA(VALID?)
         = false             AND true              AND true
         = false

Node 1 attestation: INVALID

Despite two of three families verifying correctly, the AND-gate produces false. The attestation for node 1 is invalid.

The AND-gate is a deliberate design decision. A threshold scheme (e.g., 2-of-3) would allow an attacker who compromises one family's key to forge attestations. The AND-gate requires breaking all three independent hardness assumptions (MLWE lattices, NTRU lattices, and stateless hash functions) simultaneously.

6. Expected Output

stdout

$ hats verify invalid-signature.json

HATS Verifier v1.0.0
Bundle: b8f3c2a1-4e5d-4a6b-9c8d-7e6f5a4b3c2d
Session: s-20260515-143000-a1b2c3

Checking schema .............. OK
Checking chain integrity ..... OK (3 links)
Checking node hashes ......... OK (3 nodes)
Checking signatures .......... FAILED

  Node 1 [COMPUTE_EXECUTE]: signature verification failed
    ML-DSA-65:    INVALID (verification equation failed)
    FALCON-512:   VALID
    SLH-DSA-128f: VALID

  AND-gate result: FAILED (1 of 3 families invalid)

Result: FAILED
  Failure: SIGNATURE_INVALID at node 1
  Family:  ML-DSA-65
  Impact:  Node 1 attestation is invalid despite 2/3 valid signatures
Duration: 38ms

7. JSON Output

{
  "status": "FAILED",
  "bundle_id": "b8f3c2a1-4e5d-4a6b-9c8d-7e6f5a4b3c2d",
  "failure": {
    "type": "SIGNATURE_INVALID",
    "node_index": 1,
    "action_type": "COMPUTE_EXECUTE",
    "failed_families": ["ml_dsa_65"],
    "valid_families": ["falcon_512", "slh_dsa"],
    "and_gate_result": false,
    "message": "ML-DSA-65 signature verification failed on node 1. AND-gate requires all families to verify."
  },
  "nodes_checked": 3,
  "nodes_passed": 2,
  "signatures_checked": 9,
  "signatures_passed": 8,
  "duration_ms": 38
}

8. Why AND-Gate, Not Threshold

The HATS specification requires AND-gate (all-of-n) rather than threshold (k-of-n) verification for the following reasons:

No single point of cryptographic failure. If MLWE is broken (compromising ML-DSA-65), an attacker with the ML-DSA private key still cannot forge attestations because FALCON-512 and SLH-DSA remain intact. Under a 2-of-3 threshold, compromising ML-DSA-65 and either FALCON or SLH-DSA would be sufficient.
Hardness assumption independence. ML-DSA-65 relies on Module-LWE/Module-SIS. FALCON-512 relies on NTRU lattices. SLH-DSA relies on hash function preimage and collision resistance. These are three mathematically independent assumptions. The AND-gate forces an attacker to break all three.
Detection of partial compromise. If an attacker compromises one family's key and attempts to forge signatures, the AND-gate immediately detects the forgery because the other families' signatures cannot be produced. A threshold scheme would mask partial compromise.

9. Failure Mode Summary

Check	Node 0	Node 1	Node 2
Schema	PASS	PASS	PASS
Chain integrity	PASS	PASS	PASS
Node hash	PASS	PASS	PASS
ML-DSA-65	PASS	FAIL	SKIP
FALCON-512	PASS	PASS	SKIP
SLH-DSA	PASS	PASS	SKIP
AND-gate	PASS	FAIL	SKIP

Conformance test vector ID: HATS-VW-004-INVALID-SIGNATURE

Related Walkthroughs & Specifications

Verification Index Valid Bundle Tampered Receipt Broken Chain Replay Determinism H33-74 Specification Conformance Suite