Missing hash algorithm for HashML-DSA #323
Status: Closed
Labels: Crypto API (issue or PR related to the Cryptography API), bug (something is incorrect or inconsistent in the documentation), clarification (something is confusing or missing in the documentation)
As discussed in our call today, FIPS 204 specifies that HashML-DSA may only be used with one of three hash functions: SHA-256, SHA-512, or SHAKE128/256. In order to be able to use these hash functions with psa_sign_hash and psa_verify_hash, we need a hash algorithm identifier for them. We're missing SHAKE128/256. (We have SHAKE256/512 for a similar reason, namely that it's used for Ed448.)

Also consider listing the OID involved in HashML-DSA, similar to the table that #322 adds for RSA-PKCS#1v1.5. I don't know if we can expect all similar algorithms to use the same OIDs. (Certainly there are different OIDs for MD5, SHA1, SHA-256, etc., in different contexts, but until version 1.4 of the API specification, the only place where they appeared in our specification was RSA PKCS#1v1.5.)
Also check if SLH-DSA (FIPS 205) needs something similar.
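As an added illustration (not code from this issue or from the PSA Crypto API), the Python below builds the pre-hashed message M' that FIPS 204 defines for HashML-DSA, for the three pre-hash choices named above. It shows why the API needs a distinct identifier for SHAKE128/256: the DER OID of the pre-hash is bound into M', so signer and verifier must agree on which hash produced the digest. The OID bytes are the NIST hashAlgs values listed in FIPS 204; the function name is my own.

```python
# Added example: FIPS 204 HashML-DSA message encoding, M' = 0x01 || |ctx| || ctx || OID || PH(M).
# The leading 0x01 separates HashML-DSA from pure ML-DSA (which uses 0x00), and the
# OID identifies the pre-hash, so a wrong hash identifier yields a different M'.
import hashlib

# DER-encoded OIDs from the NIST hashAlgs arc 2.16.840.1.101.3.4.2.* (FIPS 204, HashML-DSA).
# "SHAKE128/256" follows the issue's naming: SHAKE128 with a 256-bit (32-byte) output.
PREHASH = {
    "SHA-256":      (bytes.fromhex("0609608648016503040201"),
                     lambda m: hashlib.sha256(m).digest()),
    "SHA-512":      (bytes.fromhex("0609608648016503040203"),
                     lambda m: hashlib.sha512(m).digest()),
    "SHAKE128/256": (bytes.fromhex("060960864801650304020b"),
                     lambda m: hashlib.shake_128(m).digest(32)),
}


def hash_ml_dsa_message(msg: bytes, prehash: str, ctx: bytes = b"") -> bytes:
    """Return M' for HashML-DSA as specified in FIPS 204 (hypothetical helper name)."""
    if prehash not in PREHASH:
        raise ValueError(f"{prehash} is not an approved HashML-DSA pre-hash")
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    oid, ph = PREHASH[prehash]
    return bytes([0x01, len(ctx)]) + ctx + oid + ph(msg)


def prehash_oid(prehash: str) -> bytes:
    """DER OID bound into M' for the given pre-hash; this is what an API identifier must select."""
    return PREHASH[prehash][0]


if __name__ == "__main__":
    # Constructed sample input: the same message pre-hashed three ways gives three distinct M'.
    for name in PREHASH:
        print(name, hash_ml_dsa_message(b"example message", name).hex())
```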