From 4aeff6c633b08cb69b112aec23fff2995714f53e Mon Sep 17 00:00:00 2001 From: Daniel Van Geest Date: Sat, 9 Nov 2024 12:58:54 +0000 Subject: [PATCH] Digest algorithm cleanup Fixes #1 and #4. --- draft-ietf-lamps-cms-ml-dsa.md | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/draft-ietf-lamps-cms-ml-dsa.md b/draft-ietf-lamps-cms-ml-dsa.md index 5e75248..38df010 100644 --- a/draft-ietf-lamps-cms-ml-dsa.md +++ b/draft-ietf-lamps-cms-ml-dsa.md @@ -56,7 +56,7 @@ normative: RFC5652: informative: - FIPS202: DOI.10.6028/NIST.FIPS.202 + FIPS180: DOI.10.6028/NIST.FIPS.180 FIPS203: DOI.10.6028/NIST.FIPS.203 RFC5911: X680: @@ -225,7 +225,6 @@ As described in {{Section 5.4 of RFC5652}}, this encoding does include the tag a The signedAttrs field MUST at minimum include a content-type attribute and a message-digest attribute. The message-digest attribute contains a hash of the content of the signed-data, where the content is as described for the absent signed attributes case above. Recalculation of the hash value by the recipient is an important step in signature verification. -Choice of digest algorithm is up to the signer; algorithms for each parameter set are recommended below. {{Section 4 of ?I-D.ietf-lamps-cms-sphincs-plus}} describes how, when the content of a signed-data is large, performance may be improved by including signed attributes. This is as true for ML-DSA as it is for SLH-DSA, although ML-DSA signature generation and verification is significantly faster than SLH-DSA. 
@@ -245,15 +244,8 @@ When using ML-DSA, the fields of a SignerInfo are used as follows: digestAlgorithm: : Per {{Section 5.3 of RFC5652}}, the digestAlgorithm field identifies the message digest algorithm used by the signer, and any associated parameters. -To ensure collision resistance, the identified message digest algorithm SHOULD produce a hash value of a size that is at least twice the collision strength of the internal commitment hash used by ML-DSA.\\ -The SHAKE hash functions defined in {{FIPS202}} are used internally by ML-DSA, and hence the combinations in {{tab-digests}} are RECOMMENDED for use with ML-DSA. -{{?RFC8702}} describes how SHAKE128 and SHAKE256 are used in CMS. The id-shake128 and id-shake256 digest algorithm identifiers are used and the parameters field MUST be omitted. - -| Signature algorithm | Message digest algorithm | -| ML-DSA-44 | SHAKE128 | -| ML-DSA-65 | SHAKE256 | -| ML-DSA-87 | SHAKE256 | -{: #tab-digests title="Recommended message digest algorithms for ML-DSA signature algorithms"} +To ensure collision resistance, the identified message digest algorithm SHOULD produce a hash value of a size that is at least twice the collision strength of the internal commitment hash used by ML-DSA. +SHA-512 {{FIPS180}} MUST be supported for use with the variants of SLH-DSA in this document; however, other hash functions MAY also be supported. When SHA-512 is used, the id-sha512 {{!RFC8017}} digest algorithm identifier is used and the parameters field MUST be omitted. signatureAlgorithm:
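Review bot: In the first hunk, FIPS180 is added under `informative:`, but the third hunk makes SHA-512 a MUST-support algorithm, so the reference that defines it should move to the `normative:` list. Also confirm that no other `{{FIPS202}}` citation remains in the draft once the entry is dropped, since removing the reference entry while a citation survives elsewhere will break the build.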
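Review bot: Deleting "Choice of digest algorithm is up to the signer; algorithms for each parameter set are recommended below." in the second hunk is consistent with dropping the per-parameter-set table, but the surrounding paragraph now jumps from "Recalculation of the hash value by the recipient is an important step" straight to the SLH-DSA performance comparison. Consider leaving a one-line pointer that the digest algorithm requirements are given in the digestAlgorithm description of the SignerInfo section, so readers of this section still know where the choice is constrained.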
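Review bot: The added text in the third hunk reads "MUST be supported for use with the variants of SLH-DSA in this document", but this file is draft-ietf-lamps-cms-ml-dsa.md; the sentence should say ML-DSA, otherwise the MUST attaches to an algorithm the document does not specify. While fixing that, check the citation for id-sha512: {{!RFC8017}} is PKCS #1 and does carry the OID, but the CMS-specific conventions for SHA-512 (including the absent parameters field this sentence mandates) are defined in RFC 5754, which is the more natural normative reference here. Finally, the retained "at least twice the collision strength of the internal commitment hash" sentence previously motivated the SHAKE table; with a single SHA-512 MUST it now reads as unexplained rationale, so consider either stating that SHA-512 satisfies this bound for all three parameter sets or dropping the sentence.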