Open sfluhrer opened 6 months ago
Good points, I see that in https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf the message (M) is hashed only once.
The signed octets for initiator and responder should not exceed a few kilobytes and would fit in memory (see https://www.rfc-editor.org/rfc/rfc7296.html#section-2.15).
There are a couple of problems with the paragraph:
ML-DSA can indeed perform several iterations before it finds a signature it doesn't reject; however, it doesn't hash the message each time: it hashes the message once.
"pre-hashing reintroduces the weakness that hash collisions directly yield signature forgeries" - actually, that vulnerability exists in the non-prehash version. The prepend that ML-DSA inserts in the hash is predictable (it's the hash of the public key), and so doesn't interfere with an attacker's collision search. Now, prehashing does give two places where a collision may occur (and if the "outer hash" is weaker, that does weaken things); the moral would be "don't use a weak hash function".
Whether we use prehashing or not would depend on practical issues - can the signer/verifier be expected to hold the entire message to be signed/verified in memory?
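An added illustration of the collision argument above (example code, not part of this thread or of any ML-DSA implementation): it computes the FIPS 204 message representative mu = H(tr || M) with SHAKE256 from Python's hashlib, then substitutes a deliberately weak toy pre-hash (SHA-256 truncated to 16 bits) to show that a collision in the outer hash yields an identical mu no matter what the predictable public-key prefix tr is, while the pure (non-prehash) path still separates the two messages. The public key bytes, message prefix and the 16-bit truncation are constructed for the demonstration.

```python
import hashlib
import itertools
from typing import Callable, Tuple


def tr_of_public_key(pk: bytes) -> bytes:
    """FIPS 204: tr = H(pk, 64) with H = SHAKE256; this is the predictable prefix."""
    return hashlib.shake_256(pk).digest(64)


def mu_pure(tr: bytes, message: bytes) -> bytes:
    """Pure ML-DSA: mu = H(tr || M, 64). M is absorbed exactly once here;
    the rejection-sampling loop that follows works from mu, not from M."""
    h = hashlib.shake_256()
    h.update(tr)
    h.update(message)  # a large M could equally be fed in chunks
    return h.digest(64)


def weak_prehash(message: bytes) -> bytes:
    """Toy 'weak outer hash' (constructed): SHA-256 truncated to 2 bytes."""
    return hashlib.sha256(message).digest()[:2]


def mu_prehashed(tr: bytes, message: bytes,
                 ph: Callable[[bytes], bytes] = weak_prehash) -> bytes:
    """Pre-hash variant: the signer only ever sees PH(M), so mu = H(tr || PH(M))."""
    h = hashlib.shake_256()
    h.update(tr)
    h.update(ph(message))
    return h.digest(64)


def find_prehash_collision(ph: Callable[[bytes], bytes],
                           prefix: bytes = b"msg-") -> Tuple[bytes, bytes]:
    """Birthday search for two distinct messages with equal PH output.
    Feasible only because the toy hash has 16-bit output."""
    seen = {}
    for i in itertools.count():
        m = prefix + str(i).encode()
        d = ph(m)
        if d in seen and seen[d] != m:
            return seen[d], m
        seen[d] = m
```

With the pure path, an attacker's collision search must target SHAKE256 over tr || M directly, so the prefix does not change the difficulty; with the pre-hash path, the outer function PH becomes the weakest link.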