Commit eff0c06

Adjust README to indicate support for HashML-DSA
Signed-off-by: Matthias J. Kannwischer <[email protected]>
1 parent bf39a81 commit eff0c06

1 file changed

+6
-2
lines changed

README.md

Lines changed: 6 additions & 2 deletions
@@ -85,15 +85,19 @@ By default, mldsa-native uses the "hedged" signing variant as specified in FIPS
8585

8686
The deterministic variant can be enabled by undefining `MLD_RANDOMIZED_SIGNING`, but FIPS 204 warns that this should not be used on platforms where fault injection attacks and side-channel attacks are a concern, as the lack of fresh randomness makes fault attacks more difficult to mitigate.
8787

88-
### Does mldsa-native support the pre-hash/digest sign/verify mode (external mu)?
88+
### Does mldsa-native support the external mu mode?
8989

9090
Yes. mldsa-native supports external mu mode, which allows for pre-hashing of messages before signing. This addresses the pre-hashing capability described in the NIST PQC FAQ[^NIST_FAQ] and detailed in NIST's guidance on FIPS 204 Section 6[^NIST_FIPS204_SEC6].
9191

9292
External mu mode enables applications to compute the message digest (mu) externally and provide it to the signing implementation, which is particularly useful for large messages or streaming applications where the entire message cannot be held in memory during signing.
9393

9494
### Does mldsa-native support HashML-DSA?
9595

96-
No. mldsa-native does not currently implement HashML-DSA, the hash-based variant of ML-DSA defined in FIPS 204. The current implementation focuses on the standard ML-DSA signature scheme.
96+
Yes. mldsa-native supports HashML-DSA, the pre-hashing variant of ML-DSA defined in FIPS 204 Algorithms 4 and 5.
97+
98+
mldsa-native provides two levels of API:
99+
- `crypto_sign_signature_pre_hash_internal` and `crypto_sign_verify_pre_hash_internal` - Low-level functions that accept a pre-hashed message digest. This function supports all 12 allowed hash functions.
100+
- `crypto_sign_signature_pre_hash_shake256` and `crypto_sign_verify_pre_hash_shake256` - High-level functions that perform SHAKE256 pre-hashing internally for convenience. Currently, only SHAKE256 is supported. If you require another hash function, use the `*_pre_hash_internal` functions or open an issue.
97101

98102
### Will I be able to bring my own backend?
99103
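Review bot: the first new bullet (line 99) says "This function supports all 12 allowed hash functions" while describing two functions; change it to "These functions support all 12 allowed hash functions", and say how the caller identifies which of the 12 hash functions produced the digest it passes in, since the bullet only says the functions "accept a pre-hashed message digest". The unchanged paragraph on line 90 still describes external mu mode as "pre-hashing of messages before signing", which now reads as the same thing as the HashML-DSA entry added below it; a short sentence distinguishing external mu (caller supplies mu) from HashML-DSA (FIPS 204 Algorithms 4 and 5, with the digest bound into the signed message) would keep the two FAQ entries from being confused, and is worth adding in this commit rather than leaving the heading rename on line 88 to carry the distinction alone.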
