ML artifact provenance schemes — OpenSSF Model Signing, sigstore cosign, NVIDIA NGC signing, HuggingFace signed commits — assert that a valid signature means an artifact came from a trusted key and has not been modified. This assertion is correct about integrity. It is silent about subliminal content encoded in the signature itself. CRYSTALS-Dilithium / ML-DSA, the post-quantum signature scheme mandated by OpenSSF Model Signing's PQ roadmap, contains a 256-bit nonce field (rnd) that the signer may choose freely without affecting signature validity. This is a textbook subliminal channel: an attacker controlling the signing key can embed a prearranged 256-bit command signal in every valid model signature, invisible to verify(), invisible to transparency logs, and invisible to artifact scanners. In multi-party threshold signing, a single compromised signer achieves 256-bit subliminal capacity via nonce contribution bias, requiring only 1-of-k compromise. We evaluate this attack against deployed ML provenance verifiers and find that none inspect signature entropy or nonce distribution. We further show that even a purpose-built entropy auditor cannot detect ML-DSA subliminal payloads: rnd is structurally absent from the observable signature bytes, making detection infeasible at any sample size. The post-quantum migration intended to strengthen ML provenance inadvertently enlarges its subliminal surface from zero (deterministic ECDSA via standard API) to 256 bits per signature (ML-DSA).
Nathan Keys (Mon,) studied this question.