lamps-wg / dilithium-certificates

I-D that describes the algorithm identifiers for NIST's PQC Dilithium algorithm for use in the Internet X.509 Public Key Infrastructure

Pre-hashing discussion in Security Considerations #19

Open dcooper16 opened 3 months ago

dcooper16 commented 3 months ago

The Security Considerations section of the draft says:

However, due to the fact that ML-DSA signatures may require the signing procedure to be repeated several times for a signature to be produced, ML-DSA implementations can make use of pre-hashing the message to prevent rehashing with each attempt.

This is not correct. It is true that the signing procedure may need to be repeated several times, but the message is only hashed once.

The signing algorithm can be found in Algorithm 2 of https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf. The message is only used once (on line 6) to create a message representative (μ ← H(tr || M, 512)). Starting on line 11, a loop is run until a signature is successfully created. But, within this loop the message representative μ is used rather than M. So, pre-hashing is not needed to prevent the message from being rehashed with each attempt.

Where ML-DSA differs from the traditional hash-then-sign paradigm is that the message is hashed as μ ← H(tr || M, 512), where tr is the hash of the public key, rather than just as μ ← H(M, 512).
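To make the two points above concrete, here is a small added Python model of the hashing structure of Algorithm 2 (example code written for this issue, not taken from the draft, FIPS 204 or any ML-DSA implementation): the message representative μ = H(tr || M, 512) is derived once, the rejection loop only ever re-hashes μ, and μ is bound to the public key through tr. The loop does no lattice arithmetic; the per-attempt stand-in for w1Encode(w1) and the tracing wrapper around H are constructed for the example.

```python
import hashlib


def H(data: bytes, out_bits: int) -> bytes:
    """H from FIPS 204: SHAKE256 with a fixed output length of out_bits bits."""
    return hashlib.shake_256(data).digest(out_bits // 8)


def message_representative(pk: bytes, M: bytes) -> bytes:
    """mu = H(tr || M, 512) with tr = H(pk, 512) (Algorithm 2, line 6).

    Unlike plain hash-then-sign, mu depends on the public key as well as M."""
    tr = H(pk, 512)        # 64-byte hash of the public key
    return H(tr + M, 512)  # 64-byte message representative


def sign_loop_model(pk: bytes, M: bytes, attempts: int, lam_bits: int = 256) -> dict:
    """Structural model of the signing procedure (NOT ML-DSA itself).

    Every input handed to H is recorded so the caller can check how often the
    message M itself was absorbed, regardless of how many attempts the loop runs.
    lam_bits is lambda; the challenge c~ is 2*lambda bits long."""
    hashed_inputs = []

    def H_traced(data: bytes, out_bits: int) -> bytes:
        hashed_inputs.append(data)
        return H(data, out_bits)

    tr = H_traced(pk, 512)          # line 6: tr is the hash of the public key
    mu = H_traced(tr + M, 512)      # line 6: M is consumed here, once
    challenges = []
    for kappa in range(attempts):   # line 11 onward: loop until a signature is accepted
        # Constructed stand-in for w1Encode(w1): it changes per attempt like the
        # real commitment would, but carries no lattice content.
        w1_stand_in = kappa.to_bytes(4, "big")
        # c~ <- H(mu || w1Encode(w1), 2*lambda): the loop hashes mu, never M
        challenges.append(H_traced(mu + w1_stand_in, 2 * lam_bits))

    hashes_of_M = sum(1 for data in hashed_inputs if M in data)
    return {"mu": mu, "hash_calls": len(hashed_inputs),
            "hashes_of_M": hashes_of_M, "challenges": challenges}


if __name__ == "__main__":
    pk = b"constructed public key bytes"
    M = b"constructed message to be signed"
    result = sign_loop_model(pk, M, attempts=7)
    print("H calls:", result["hash_calls"], "of which absorbed M:", result["hashes_of_M"])
    print("mu bound to pk:", result["mu"] != H(M, 512))
```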

csosto-pk commented 3 weeks ago

ACK, but this was mostly referring to higher layer cases where you have M and you will sign it many times, so you will call ML-DSA Sign. In such cases, or in cases where you don't want to send the message too many times to the signer, you may just pass the digest of the message back and forth and sign that.