pre-hashed version of mldsa signature #939

ArthurHeymans opened this issue Apr 15, 2025 · 1 comment

@ArthurHeymans

Would it be acceptable to implement pre-hashed ML-DSA signature schemes (e.g. with OID `fips204::ID_HASH_ML_DSA_87_WITH_SHA_512`)?
We have a use case with HW-accelerated SHA-512 and ML-DSA, but the ML-DSA IP only takes a 512-bit message, so we use SHA-512 to make arbitrarily sized messages fit in those 512 bits.

https://www.cyber.gov.au/resources-business-and-government/essential-cybersecurity/ism/cybersecurity-guidelines/guidelines-cryptography states that this scheme should only be used in special cases. Would putting it behind a feature flag be OK?

@tarcieri
Member

I know there's been a bit of controversy surrounding the choice of HashML-DSA vs ExternalMu-ML-DSA:

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/OyQw3YpSh-s/m/2HtxpeKlAQAJ

The downside of HashML-DSA is it effectively adds a parallel, incompatible algorithm, whereas ExternalMu-ML-DSA functions just like the regular ML-DSA.
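
As an added illustration, not code from this issue or from the crate under discussion, the FIPS 204 message encodings behind the two options: pure ML-DSA signs over `0x00 || |ctx| || ctx || M`, HashML-DSA with SHA-512 signs over `0x01 || |ctx| || ctx || OID || SHA-512(M)`, and in both cases the signer folds that into `mu = SHAKE256(tr || M', 64)`, which is exactly the value ExternalMu-ML-DSA computes outside the signer. Python's `hashlib` is used because it ships SHAKE256 and SHA-512; the `tr` value is a constructed stand-in for the 64-byte public-key hash `H(pk, 64)`, since no key appears on the page.

```python
import hashlib

# DER-encoded OID 2.16.840.1.101.3.4.2.3 (SHA-512), as listed in FIPS 204 Algorithm 4.
OID_SHA512 = bytes.fromhex("0609608648016503040203")


def _ctx_prefix(domain: int, ctx: bytes) -> bytes:
    """Domain-separator byte, one-byte context length, then the context string."""
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    return bytes([domain, len(ctx)]) + ctx


def pure_mprime(ctx: bytes, msg: bytes) -> bytes:
    """M' for pure ML-DSA (FIPS 204 Algorithm 2): 0x00 || |ctx| || ctx || M."""
    return _ctx_prefix(0, ctx) + msg


def hash_mprime_sha512(ctx: bytes, msg: bytes) -> bytes:
    """M' for HashML-DSA with SHA-512 (FIPS 204 Algorithm 4):
    0x01 || |ctx| || ctx || OID(SHA-512) || SHA-512(M)."""
    return _ctx_prefix(1, ctx) + OID_SHA512 + hashlib.sha512(msg).digest()


def compute_mu(tr: bytes, mprime: bytes) -> bytes:
    """mu = SHAKE256(tr || M', 64 bytes), the value ML-DSA.Sign_internal and
    ML-DSA.Verify_internal both derive. ExternalMu-ML-DSA moves only this step
    out of the signer, so its signatures verify as ordinary pure ML-DSA."""
    if len(tr) != 64:
        raise ValueError("tr must be the 64-byte public-key hash H(pk, 64)")
    return hashlib.shake_256(tr + mprime).digest(64)


def schemes_diverge(ctx: bytes = b"", msg: bytes = b"abc") -> bool:
    """Same key, same message, same context: pure ML-DSA and HashML-DSA still
    sign different mu values, so their signatures are not interchangeable."""
    # Constructed stand-in for tr = H(pk, 64); a real value is derived from the public key.
    tr = hashlib.shake_256(b"constructed public key bytes").digest(64)
    mu_pure = compute_mu(tr, pure_mprime(ctx, msg))
    mu_hash = compute_mu(tr, hash_mprime_sha512(ctx, msg))
    return mu_pure != mu_hash
```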
