Open dcooper16 opened 3 months ago
ACVK, but this was mostly referring to higher layer cases where you have M and you will sign it many times, so you will call ML-DSA Sign. In such cases, or in cases where you don't want to send the message too many times to the signer, you may just pass the digest of the message back and forth and sign that.
The Security Considerations section of the draft says:
This is not correct. It is true that the signing procedure may need to be repeated several times, but the message is only hashed once.
The signing algorithm can be found in Algorithm 2 of https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf. The message is only used once (on line 6) to create a message representative (μ ← H(tr || M, 512)). Starting on line 11, a loop is run until a signature is successfully created. But, within this loop the message representative μ is used rather than M. So, pre-hashing is not needed to prevent the message from being rehashed with each attempt.
Where ML-DSA differs from the traditional hash-then-sign paradigm is that the message is hashed as μ ← H(tr || M, 512), where tr is the hash of the public key, rather than just as μ ← H(M, 512).
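An added illustration of the data flow described in the post (example code written for this page, not from the thread, the draft, or NIST). It models only the hashing structure of FIPS 204 Algorithm 2: H is SHAKE256, tr = H(pk, 512), and μ = H(tr || M, 512) is computed once; the lattice sampling and the real rejection checks are replaced by a placeholder condition derived from μ and an attempt counter, which is an assumption of this model rather than ML-DSA logic. The keys and message are constructed sample values.

```python
import hashlib
import itertools

# FIPS 204 uses SHAKE256 for H; H(x, 512) denotes 512 bits (64 bytes) of output.
def H(data: bytes, nbits: int = 512) -> bytes:
    return hashlib.shake_256(data).digest(nbits // 8)

def tr_from_pk(pk: bytes) -> bytes:
    """tr = H(pk, 512): hash of the public key that gets bound into mu."""
    return H(pk, 512)

def message_representative(tr: bytes, M: bytes) -> bytes:
    """mu = H(tr || M, 512), computed once per signature (Algorithm 2, line 6)."""
    return H(tr + M, 512)

def simulate_sign(pk: bytes, M: bytes, max_attempts: int = 10_000) -> dict:
    """Model of the ML-DSA signing loop's data flow.

    Only the hashing structure is modelled: mu is derived from M exactly once,
    and every rejection-sampling attempt reads mu, never M. The real lattice
    sampling and the checks on z and the hint are replaced by a placeholder
    condition on a hash of mu and the attempt counter (an assumption of this
    model, not FIPS 204 logic).
    """
    message_hash_calls = 0
    tr = tr_from_pk(pk)
    mu = message_representative(tr, M)
    message_hash_calls += 1
    del M  # M is not needed after this point; the loop below only sees mu

    for attempt in itertools.count(1):
        if attempt > max_attempts:
            raise RuntimeError("placeholder rejection loop did not terminate")
        # Placeholder for the per-attempt work: a candidate derived from mu and a counter.
        candidate = H(mu + attempt.to_bytes(2, "big"), 256)
        # Placeholder rejection test: accept roughly one attempt in four.
        if candidate[0] < 0x40:
            return {
                "mu": mu,
                "attempts": attempt,
                "message_hash_calls": message_hash_calls,
                "signature_stub": candidate,
            }

if __name__ == "__main__":
    # Constructed sample values; real ML-DSA public keys are encoded lattice data.
    pk_a = b"constructed public key A"
    pk_b = b"constructed public key B"
    msg = b"constructed message"

    result = simulate_sign(pk_a, msg)
    print("attempts:", result["attempts"], "message hashed:", result["message_hash_calls"], "time(s)")

    # Unlike plain hash-then-sign, mu depends on the public key via tr,
    # so the same message yields a different representative under each key.
    mu_a = message_representative(tr_from_pk(pk_a), msg)
    mu_b = message_representative(tr_from_pk(pk_b), msg)
    print("same mu under both keys:", mu_a == mu_b)
```

Whatever the placeholder loop's attempt count turns out to be, the message is hashed exactly once, which is the point the post makes against the draft's security considerations text; the final comparison shows the tr binding that distinguishes μ from a plain H(M) pre-hash.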