If the content to be signed is large, hashing of the content is often
performed at the application level.
For example, in the Cryptographic Message Syntax [29], a digest of the
content may be computed, and
that digest is signed along with other attributes. If the content is not
hashed at the application level, the
pre-hash version of ML-DSA signing may be used.
In order to maintain the same level of security strength when the content
is hashed at the application level
or using HashML-DSA , the digest that is signed needs to be generated using
an approved hash function
or XOF (e.g., from FIPS 180 [8] or FIPS 202 [7]) that provides at least 𝜆
bits of classical security strength
against both collision and second preimage attacks ...
OR13
commented
3 weeks ago
See Section 5.4 of FIPS204