lamps-wg / draft-composite-sigs

IETF Internet-Draft about X.509 certificates with composite keys and signatures.

Simplify HW implementation #30

Open mojtaba-bisheh opened 4 weeks ago

mojtaba-bisheh commented 4 weeks ago

Currently, the IETF defines “id-MLDSA87-ECDSA-P384-SHA512,” which restricts the input message to SHA-512 for the hybrid signature of MLDSA and NISTP384. However, including the SHA-384 option would reduce hardware complexities and align with both ECC and PQC standards.

The inclusion of “id-MLDSA87-ECDSA-P384-SHA384” would be compatible with existing standards and provide greater flexibility for implementations. FIPS 186-5 permits the use of both SHA-384 and SHA-512 for ECDSA P384. Additionally, FIPS 204 does not limit pre-hashed mode to SHA-512, stating: "Algorithm 4 shows the DER encodings of the OIDs for SHA-256, SHA-512, and SHAKE128. However, it may be used with other hash functions or XOFs."

For example, one of the use cases of SHA-384 in hardware implementation is Caliptra, which exclusively uses SHA-384 for ECDSA P384.

The inclusion of “id-MLDSA87-ECDSA-P384-SHA384” would align with existing standards, provide more flexibility for implementations, and help enhance compatibility and facilitate broader deployment of PQC.

ounsworth commented 2 weeks ago

The current version of the composite signature generation algorithm starts with

1. Compute the new Message M' by concatenating the Domain identifier (i.e., the DER encoding of the Composite signature algorithm identifier) with the Hash of the Message

         M' := Domain || HASH(Message)

2. Generate the 2 component signatures independently, by calculating the signature over M' according to their algorithm specifications that might involve the use of the hash-n-sign paradigm.

         S1 := Sign( K1, A1, M' )
         S2 := Sign( K2, A2, M' )

So there is a common pre-hash that applies to both halves of the composite. Therefore the pre-hash needs to match the security level of the strongest of the components. ML-DSA-87 is a NIST Level 5 algorithm, which NIST defines as:

> comparable to a key search on a block cipher with a 256-bit key (e.g. AES 256)

which requires SHA-512. Switching to SHA-384 would reduce this combination to a Level 4.

mojtaba-bisheh commented 2 weeks ago

> Switching to SHA-384 would reduce this combination to a Level 4.

I understand your point, however, SHA-384 can meet the requirements of applications that use id-MLDSA87-ECDSA-P384-SHA***.