pre-hashed version of mldsa signature
Would it be acceptable to implement pre-hashed ML-DSA signature schemes (e.g. with OID fips204::ID_HASH_ML_DSA_87_WITH_SHA_512)? We have a use case with HW-accelerated SHA-512 and ML-DSA, but the ML-DSA IP only takes a 512-bit message, so we use SHA-512 to make arbitrarily sized messages fit into those 512 bits.
https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/ism/cybersecurity-guidelines/guidelines-cryptography states that this scheme should only be used in special cases. Would putting it behind a feature flag be ok?
I know there's been a bit of controversy surrounding the choice of HashML-DSA vs ExternalMu-ML-DSA:
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/OyQw3YpSh-s/m/2HtxpeKlAQAJ
The downside of HashML-DSA is it effectively adds a parallel, incompatible algorithm, whereas ExternalMu-ML-DSA functions just like the regular ML-DSA.
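An added illustration of the three message paths discussed above (my own Python, not code from the fips204 crate or from either post): FIPS 204 builds the message representative M' differently for pure ML-DSA and HashML-DSA, while ExternalMu only moves the 64-byte mu = SHAKE256(tr || M') computation that the pure signing core performs anyway outside the core. The public key bytes are a constructed placeholder, not a real ML-DSA-87 key.

```python
import hashlib

# DER-encoded OID for SHA-512 (2.16.840.1.101.3.4.2.3), prepended to the digest by HashML-DSA
OID_SHA512 = bytes.fromhex("0609608648016503040203")


def pure_message_rep(msg: bytes, ctx: bytes = b"") -> bytes:
    """M' for ML-DSA.Sign: 0x00 || len(ctx) || ctx || M (FIPS 204 Algorithm 2)."""
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    return bytes([0, len(ctx)]) + ctx + msg


def prehash_message_rep(msg: bytes, ctx: bytes = b"") -> bytes:
    """M' for HashML-DSA.Sign with SHA-512 (FIPS 204 Algorithm 4):
    0x01 || len(ctx) || ctx || OID || SHA-512(M).
    The 0x01 domain separator and the OID make this a different M' from the
    pure scheme's, so pure verifiers cannot check a HashML-DSA signature."""
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    return bytes([1, len(ctx)]) + ctx + OID_SHA512 + hashlib.sha512(msg).digest()


def external_mu(pk: bytes, m_prime: bytes) -> bytes:
    """mu = SHAKE256(tr || M', 64) with tr = SHAKE256(pk, 64).
    This is the value ML-DSA.Sign_internal derives from M'; an ExternalMu caller
    computes it itself and hands the signing core a fixed 64-byte input."""
    tr = hashlib.shake_256(pk).digest(64)
    return hashlib.shake_256(tr + m_prime).digest(64)


def compare(pk: bytes, msg: bytes, ctx: bytes = b"") -> dict:
    """mu seen by the core under each path. ExternalMu reproduces the pure mu, so a
    standard ML-DSA verifier recomputes the same value; HashML-DSA and a naive
    "sign SHA-512(M) as a pure message" both commit to something else."""
    mu_pure = external_mu(pk, pure_message_rep(msg, ctx))
    return {
        "mu_pure": mu_pure,
        "mu_external": mu_pure,  # identical by construction: same M', same hash
        "mu_hash_ml_dsa": external_mu(pk, prehash_message_rep(msg, ctx)),
        "mu_naive_prehash": external_mu(pk, pure_message_rep(hashlib.sha512(msg).digest(), ctx)),
    }


PLACEHOLDER_PK = b"\x01" * 2592  # constructed: ML-DSA-87 public-key length only

if __name__ == "__main__":
    for name, mu in compare(PLACEHOLDER_PK, b"firmware image bytes", b"boot").items():
        print(f"{name:18s} {mu.hex()[:32]}...")
```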