
Please add support of PreHash-MLDSA

Open xipki opened this issue 1 month ago • 6 comments

In the current version (1.82 or the latest github branch main), the class HashMLDSASigner accepts only the raw data as input.

Please either extend the class HashMLDSASigner, or better create a new class which accepts the hash value (byte[]) and hash algorithm OID (byte[]) as input. This allows the external application to compute the hash value by itself.

xipki avatar Nov 18 '25 07:11 xipki

Only SHA512 is defined for this at the moment. Can you tell me what you are trying to do?

dghgit avatar Nov 24 '25 05:11 dghgit

  1. Support of hash value instead of raw data as input: One of the main purposes of Pre-Hash MLDSA is to allow the application to compute the hash value itself. This is useful since the application may not have access to the original raw data.

  2. Support of hash algorithms other than SHA512: NIST FIPS-206 does not limit the hash algorithms to SHA512. As in Section "5.4. Pre-Hash ML-DSA", at least three algorithms SHA256, SHA512 and SHAKE256 are listed.

xipki avatar Nov 26 '25 09:11 xipki

Two minor quibbles. On 1, are you sure you can't use external-mu? Pre-hash's only real use case now is for people who do not have access to the public key. On 2, there are no object identifiers for the other variants, it's also questionable that SHA-256 should be used in this way.

I'm really not sure about this one...

dghgit avatar Nov 26 '25 09:11 dghgit

On 1: do you have example code for this? On 2: the object identifiers shall be the same for the hash algorithms, at least for the sha256, sha512 and shake256 (as in FIPS 204).

xipki avatar Nov 26 '25 09:11 xipki

See https://github.com/bcgit/bc-java/blob/04ffb14f8b30b581549ff86c3a448d27fb1f07e8/prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/MLDSATest.java#L482

With 2, it's not those object identifiers I'm talking about; there's none for the actual signature mechanisms, as in id-hash-ml-dsa-44-with-sha512. It's not really enough just to be able to create a signature, you have to be able to "tag it" in some way so people can understand it.

dghgit avatar Nov 26 '25 10:11 dghgit

The signature with mu as intermediate step is still a Pure-MLDSA signature. As you mentioned, the application needs to know the public key.

Pre-Hash ML-DSA will be used where the application is free to choose the hash algorithm, and it just needs to compute the raw hash value (without other input e.g. ctx and public key). I know there is still no OID for combinations e.g. Pre-Hash ML-DSA with SHAKE256, but in many cases, there are other ways to identify the algorithm.

As I understand, the "core" and "prov" modules provide the basic capabilities, many algorithms without known OID are also supported.

Since the MLDSAEngine is not public, it is not possible to implement this feature outside BC. So please consider adding this feature in BC.

xipki avatar Nov 26 '25 10:11 xipki
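To make the distinction in the thread concrete, here is an added example (not bc-java code, and not from either participant) of the two message encodings FIPS 204 defines: the HashML-DSA M' that can be built from just a digest and the pre-hash OID, and the external mu that additionally needs the public key. The OID constants are the DER encodings of the hash OIDs listed in FIPS 204 Section 5.4.1; the function names are my own.

```python
import hashlib

# DER-encoded hash OIDs from FIPS 204 Section 5.4.1 (constructed here, not taken from bc-java).
OID_SHA256 = bytes.fromhex("0609608648016503040201")    # 2.16.840.1.101.3.4.2.1
OID_SHA512 = bytes.fromhex("0609608648016503040203")    # 2.16.840.1.101.3.4.2.3
OID_SHAKE256 = bytes.fromhex("060960864801650304020C")  # 2.16.840.1.101.3.4.2.12


def ph(oid: bytes, message: bytes) -> bytes:
    """Pre-hash function PH selected by OID, as in HashML-DSA.Sign."""
    if oid == OID_SHA256:
        return hashlib.sha256(message).digest()
    if oid == OID_SHA512:
        return hashlib.sha512(message).digest()
    if oid == OID_SHAKE256:
        return hashlib.shake_256(message).digest(64)  # FIPS 204 fixes 512-bit output here
    raise ValueError("unsupported pre-hash OID")


def pure_mprime(message: bytes, ctx: bytes = b"") -> bytes:
    """M' for pure ML-DSA.Sign: 0x00 || len(ctx) || ctx || M (needs the raw message)."""
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return b"\x00" + bytes([len(ctx)]) + ctx + message


def prehash_mprime(oid: bytes, digest: bytes, ctx: bytes = b"") -> bytes:
    """M' for HashML-DSA.Sign: 0x01 || len(ctx) || ctx || OID || PH(M).

    Only the digest and the OID are required, which is what the issue asks for:
    the signer never needs the original data or the public key to build this."""
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return b"\x01" + bytes([len(ctx)]) + ctx + oid + digest


def external_mu(pk: bytes, mprime: bytes) -> bytes:
    """External mu = H(tr || M', 64) with tr = H(pk, 64): the public key is an input."""
    tr = hashlib.shake_256(pk).digest(64)
    return hashlib.shake_256(tr + mprime).digest(64)
```

The same M' built by prehash_mprime is what a HashML-DSA verifier reconstructs, so a caller that only holds PH(M) and the OID can still produce a spec-conformant pre-hash signature input, while external_mu cannot be computed without pk.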