MLDSAEngine with Null ctx

[xipki]

In the MLDSAEngine.absorbCtx:

    void absorbCtx(boolean isPreHash, byte[] ctx)
    {
        if (ctx != null)
        {
            shake256Digest.update(isPreHash ? (byte)1 : (byte)0);
            shake256Digest.update((byte)ctx.length);
            shake256Digest.update(ctx, 0, ctx.length);
        }
    }

The computation of M' seems to be different than FIPS 204 which requires the prehash flag byte (0 or 1) and ctx length 0 for empty (null) context.

[roy-basmacier]

Hello @xipki,

If you follow the code for the MLDSASigner.init the ctx should never be a null value. ParametersWithContext will throw an error if you don't provide a valid byte array for the context. If ParametersWithContext is not provided, the ctx will be an empty byte array.

~ Roy

[xipki]

OK. Then the should be changed to

    void absorbCtx(boolean isPreHash, byte[] ctx)
    {
        shake256Digest.update(isPreHash ? (byte)1 : (byte)0);
        shake256Digest.update((byte)ctx.length);
        shake256Digest.update(ctx, 0, ctx.length);
    }

The check "ctx != null" is redundant.