I think we're missing OIDs for ML-DSA with SHA-3/SHAKE parameters.
ML-DSA, of course, uses SHAKE in pure mode, so it would make sense to try to avoid unnecessarily pre-hashing with SHAKE if one can. There are some security properties that are lost, albeit a bit obscure ones. I guess this is why they left it out.
My impression is that SHA2 is available for ML-DSA via prehash because of legacy systems (CNSA) where a need to sign plain SHA2 message hashes exists. I also doubt that there are similar legacy systems with SHA3 or SHAKE. SLH-DSA has a pre-hash for an additional reason, to avoid hashing the entire message twice (and have it entirely in memory) when signing. So, it has more OIDs.
Another reason to do pre-hashing is to be able to hash outside the signing module. This is especially relevant for hardware signing modules with low-bandwidth interfaces like smartcards (typically serial) or Root-of-Trust (typically mailbox). There is one confusing/contradictory aspect related to this in the spec:
Step 6 of the ML-DSA internal signing function (Algorithm 7) and Step 7 of the internal verification function (Algorithm 8) have a comment about variable mu: "message representative that may optionally be computed in a different cryptographic module." This implies that the entire padding (with "tr" and "ctx" variables) can be done outside the module.
Now, if "mu" is coming from the outside, this means that the outside module can bypass the wrapper functions such as ML-DSA.Sign() (Algorithm 2) and HashML-DSA.Sign() (Algorithm 4), as the external-facing wrapper functions don't have such an input.
However, Section 6 (Internal Functions) states: "Other than for testing purposes, the interfaces for key generation and signature generation specified in this section should not be made available to applications."
So this leaves open the question about passing the variable "mu" to the internal functions.
Or perhaps this is as simple as not considering the external hash function (which is also assumed to be FIPS 140-3 certified, i.e., a "module") as a part of the "application." However, additional interfaces must be exposed since these modules are physically separate (example: you're a release engineer and your PC is hashing your gigabyte app update, and then you use your closely guarded smart card key to sign it.)
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/159C88F1-5A51-42C7-935A-3BE66B1A1E26%40icloud.com.
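The host/module split described in the post above, as an added example that is not code from the thread, from NIST, or from any FIPS 204 implementation: the host builds the formatted message M' exactly as Algorithm 2 (pure ML-DSA) or Algorithm 4 (HashML-DSA) specifies, then derives mu = H(tr || M', 64) with tr = H(pk, 64) and H = SHAKE256, which is what step 6 of Algorithm 7 and step 7 of Algorithm 8 compute. Only the 64-byte mu then has to cross a low-bandwidth link to a signing module that accepts mu; the lattice part of signing is omitted. The names ExternalMuHasher, SAMPLE_PK, ph_digest and friends are mine, SAMPLE_PK is a constructed placeholder rather than a real key, and the OID table is transcribed from my reading of FIPS 204 Section 5.4.1 and should be checked against the spec.

```python
"""Computing the ML-DSA message representative mu outside the signing module.

Constructed example following FIPS 204. Nothing here performs the lattice
operations of ML-DSA; it only shows the M' / mu construction that the thread
argues can live in a separate (host-side) cryptographic module.
"""
import hashlib

# DER-encoded OIDs of the HashML-DSA pre-hash functions and their output
# lengths in bytes. Assumption: transcribed from FIPS 204 Section 5.4.1.
PREHASH = {
    "sha256":   (bytes.fromhex("0609608648016503040201"), 32),
    "sha512":   (bytes.fromhex("0609608648016503040203"), 64),
    "shake128": (bytes.fromhex("060960864801650304020b"), 32),
    "shake256": (bytes.fromhex("060960864801650304020c"), 64),
}

# Constructed placeholder of ML-DSA-44 public-key size (1312 bytes); not a real key.
SAMPLE_PK = bytes(range(256)) * 5 + bytes(32)


def H(data: bytes, out_len: int) -> bytes:
    """FIPS 204 H(v, d): SHAKE256 with d output bytes."""
    return hashlib.shake_256(data).digest(out_len)


def _ctx_prefix(domain: int, ctx: bytes) -> bytes:
    """domain || |ctx| || ctx, enforcing the 255-byte ctx limit of Algorithms 2/4."""
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes (Algorithm 2/4, step 1)")
    return bytes([domain, len(ctx)]) + ctx


def ph_digest(msg: bytes, ph: str) -> bytes:
    """PH(M) for one of the PREHASH entries (SHAKE gets the fixed output length)."""
    _, out_len = PREHASH[ph]
    if ph.startswith("shake"):
        return getattr(hashlib, "shake_" + ph[5:])(msg).digest(out_len)
    return hashlib.new(ph, msg).digest()


def pure_m_prime(msg: bytes, ctx: bytes = b"") -> bytes:
    """M' for pure ML-DSA (Algorithm 2): 0x00 || |ctx| || ctx || M."""
    return _ctx_prefix(0, ctx) + msg


def prehash_m_prime(msg: bytes, ph: str, ctx: bytes = b"") -> bytes:
    """M' for HashML-DSA (Algorithm 4): 0x01 || |ctx| || ctx || OID || PH(M)."""
    oid, _ = PREHASH[ph]
    return _ctx_prefix(1, ctx) + oid + ph_digest(msg, ph)


def tr_of(pk: bytes) -> bytes:
    """tr = H(pk, 64); the signer keeps it in sk, the verifier recomputes it from pk."""
    return H(pk, 64)


def mu_of(tr: bytes, m_prime: bytes) -> bytes:
    """mu = H(tr || M', 64): Algorithm 7 step 6 and Algorithm 8 step 7."""
    return H(tr + m_prime, 64)


class ExternalMuHasher:
    """Host-side, streaming computation of mu for pure-mode ML-DSA.

    The message can be fed chunk by chunk (a multi-gigabyte update never has
    to sit in memory), and only the 64-byte result is sent to the module.
    """

    def __init__(self, pk: bytes, ctx: bytes = b""):
        self._h = hashlib.shake_256()
        self._h.update(tr_of(pk))          # tr is public: derivable from pk
        self._h.update(_ctx_prefix(0, ctx))

    def update(self, chunk: bytes) -> None:
        self._h.update(chunk)

    def finalize(self) -> bytes:
        return self._h.digest(64)


def module_accept_mu(mu: bytes) -> bytes:
    """Minimal input check a module exposing a mu interface would do before
    continuing Algorithm 7 from step 7 (the lattice steps are not shown)."""
    if len(mu) != 64:
        raise ValueError("mu must be exactly 64 bytes")
    return mu


if __name__ == "__main__":
    host = ExternalMuHasher(SAMPLE_PK, b"release-signing")
    for chunk in (b"firmware-image-part-1", b"firmware-image-part-2"):
        host.update(chunk)
    print("mu sent to module:", module_accept_mu(host.finalize()).hex())
```

The streaming hasher and the one-shot mu_of() agree, which is the whole point: the module needs nothing but tr (which it already holds in sk) and M' to reproduce mu, so whichever side computes it, the 64 bytes are identical. The domain byte in M' (0x00 pure, 0x01 pre-hashed) keeps the two modes from ever producing the same mu for the same message.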
On August 31, 2024 at 15:21, Markku-Juhani O. Saarinen <mjos....@gmail.com> wrote:
> SLH-DSA has a pre-hash for an additional reason, to avoid hashing the entire message twice (and have it entirely in memory) when signing.

Can you explain more? It appears to me that the same reason is equally applicable to ML-DSA.
And the only place the message gets an extra hashing in SLH-DSA is when generating R, the randomization string, which I think can be replaced with a TRNG if one wants to avoid hedged and deterministic signing; and this is equally applicable to ML-DSA.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/8429A6ED-2AEB-4933-B1E9-2062D2A90ADC%40icloud.com.