Open
Description
FIPS 204 (ML-DSA), Algorithm 7 (ML-DSA.Sign_internal) has a note:
μ ← H(BytesToBits(tr) || M′, 64) ▷ message representative that may optionally be computed in a different cryptographic module
Underlying providers are therefore exposing Sign-Mu operations to be commensurate with RSA/DSA/EC-DSA SignHash (without getting into all of the complexities of HashML-DSA).
We need to design, and implement, API to let callers take advantage of Sign-Mu and Verify-Mu. (And take advantage of it in cases where it makes sense for us to do so, such as SignedCms verification of signatures not using signed attributes)
Extremely early thinking:
```csharp
partial class MLDsa
{
    public void SignExternalMu(ReadOnlySpan<byte> mu, Span<byte> destination, ReadOnlySpan<byte> context = default);
    public bool VerifyExternalMu(ReadOnlySpan<byte> mu, ReadOnlySpan<byte> signature, ReadOnlySpan<byte> context = default);

    // This is a terrible name, come up with a better one.
    public IncrementalHash CreateMuContext();

    // Plus Core methods, and alternative overloads.
}
```
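For reference, this is what an external-mu caller would actually have to compute. The block below is an added example written for this page, not code from the issue or from the .NET runtime: it reproduces the pure ML-DSA message representative from FIPS 204 (tr = H(pk, 64) from Algorithm 6, M′ = 0x00 || len(ctx) || ctx || M from Algorithm 2, μ = H(tr || M′, 64) from Algorithm 7, with H = SHAKE256) both one-shot and in a streaming form that mirrors the proposed CreateMuContext(). The sample public-key bytes are a constructed placeholder (tr is just SHAKE256 over the encoded pk, so its exact layout does not matter here), and the `MuContext` class name is an assumption for illustration.

```python
import hashlib


def mldsa_tr(pk: bytes) -> bytes:
    """tr = H(pk, 64): FIPS 204 Algorithm 6 (KeyGen), H is SHAKE256.
    Only the public key is needed, so any party holding pk can derive tr."""
    return hashlib.shake_256(pk).digest(64)


def mldsa_mprime_prefix(context: bytes = b"") -> bytes:
    """Domain-separation prefix of M' for pure ML-DSA (FIPS 204 Algorithm 2):
    IntegerToBytes(0, 1) || IntegerToBytes(|ctx|, 1) || ctx.
    HashML-DSA would use 0x01 and an OID instead; that variant is not modelled."""
    if len(context) > 255:
        raise ValueError("context string must be at most 255 bytes")
    return b"\x00" + bytes([len(context)]) + context


def mldsa_mprime(message: bytes, context: bytes = b"") -> bytes:
    """M' = prefix || M."""
    return mldsa_mprime_prefix(context) + message


def mldsa_mu(pk: bytes, message: bytes, context: bytes = b"") -> bytes:
    """mu = H(tr || M', 64): FIPS 204 Algorithm 7 line 6 (ML-DSA.Sign_internal).
    This is the value a SignExternalMu / VerifyExternalMu API would accept."""
    return hashlib.shake_256(mldsa_tr(pk) + mldsa_mprime(message, context)).digest(64)


class MuContext:
    """Streaming form of mldsa_mu, in the spirit of the proposed CreateMuContext():
    absorb tr and the M' prefix up front, then feed the message in chunks.
    (Hypothetical helper for this example; not a .NET type.)"""

    def __init__(self, pk: bytes, context: bytes = b""):
        self._xof = hashlib.shake_256()
        self._xof.update(mldsa_tr(pk))
        self._xof.update(mldsa_mprime_prefix(context))

    def update(self, chunk: bytes) -> None:
        self._xof.update(chunk)

    def finish(self) -> bytes:
        return self._xof.digest(64)


if __name__ == "__main__":
    # Constructed placeholder public key; a real ML-DSA-44 pk is 1312 bytes.
    sample_pk = bytes(range(256)) * 5
    sample_msg = b"content that lives in a detached CMS blob"
    mu_one_shot = mldsa_mu(sample_pk, sample_msg, b"example-ctx")
    ctx = MuContext(sample_pk, b"example-ctx")
    for i in range(0, len(sample_msg), 7):
        ctx.update(sample_msg[i:i + 7])
    print(mu_one_shot.hex() == ctx.finish().hex())
```

The point this makes for the API design: μ depends only on the public key, the context string and the message, so the party that never sees the private key (a CMS verifier streaming content, or an HSM front-end) can produce it and hand 64 bytes to the module that holds the key. It also shows why the context string has to travel with μ or be fixed before hashing starts: it is absorbed before the first message byte, so the proposed `context` parameter on SignExternalMu/VerifyExternalMu can only be used for validation, not re-applied after the fact.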