MLDSAEngine with Null ctx

Open xipki opened this issue 1 month ago • 2 comments

In the MLDSAEngine.absorbCtx:

    void absorbCtx(boolean isPreHash, byte[] ctx)
    {
        if (ctx != null)
        {
            shake256Digest.update(isPreHash ? (byte)1 : (byte)0);
            shake256Digest.update((byte)ctx.length);
            shake256Digest.update(ctx, 0, ctx.length);
        }
    }

The computation of M' seems to be different from FIPS 204, which requires the prehash flag byte (0 or 1) and ctx length 0 for an empty (null) context.

xipki avatar Nov 18 '25 07:11 xipki

Hello @xipki,

If you follow the code for the MLDSASigner.init, the ctx should never be a null value. ParametersWithContext will throw an error if you don't provide a valid byte array for the context. If ParametersWithContext is not provided, the ctx will be an empty byte array.

~ Roy

roy-basmacier avatar Nov 18 '25 17:11 roy-basmacier

OK. Then it should be changed to

    void absorbCtx(boolean isPreHash, byte[] ctx)
    {
        shake256Digest.update(isPreHash ? (byte)1 : (byte)0);
        shake256Digest.update((byte)ctx.length);
        shake256Digest.update(ctx, 0, ctx.length);
    }

The check "ctx != null" is redundant.

xipki avatar Nov 18 '25 17:11 xipki
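
The difference discussed in this thread, as an added example (not code from bc-java or from either commenter): FIPS 204 forms M' = flag || len(ctx) || ctx || M and hashes it after tr to obtain mu. The Python below models the guarded `absorbCtx` against that rule; the function names and the tr and message values are constructed for illustration.

```python
import hashlib

# Constructed sample inputs: tr is the 64-byte public-key hash in FIPS 204.
TR = hashlib.shake_256(b"constructed public key").digest(64)
MSG = b"constructed message"

def mu_fips204(tr, msg, ctx=b"", prehash=False):
    """mu = SHAKE256(tr || M', 64), M' = flag || len(ctx) || ctx || msg.

    For the pre-hash variant the caller passes OID || PH(M) as msg.
    """
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    h = hashlib.shake_256()
    h.update(tr)
    h.update(bytes([1 if prehash else 0, len(ctx)]))  # always absorbed
    h.update(ctx)
    h.update(msg)
    return h.digest(64)

def mu_guarded(tr, msg, ctx, prehash=False):
    """Model of the guarded absorbCtx: ctx=None absorbs no prefix at all."""
    h = hashlib.shake_256()
    h.update(tr)
    if ctx is not None:
        h.update(bytes([1 if prehash else 0, len(ctx)]))
        h.update(ctx)
    h.update(msg)
    return h.digest(64)

def compare(tr=TR, msg=MSG):
    """Return which inputs make the guarded model agree with FIPS 204."""
    ref = mu_fips204(tr, msg, b"")
    return {
        "empty_ctx_matches": mu_guarded(tr, msg, b"") == ref,
        "null_ctx_matches": mu_guarded(tr, msg, None) == ref,
        "prehash_flag_changes_mu": mu_fips204(tr, msg, b"", True) != ref,
        "ctx_is_bound": mu_fips204(tr, msg, b"app-v1") != ref,
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With an empty byte array the guarded model and the FIPS 204 rule agree; they differ only when the context is null, which is the case the thread says MLDSASigner.init never passes.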