diff --git a/index.html b/index.html index 6e399ab..f2b893e 100644 --- a/index.html +++ b/index.html @@ -915,6 +915,7 @@
If |operation| is not one of "`encrypt`", "`decrypt`", "`sign`", "`verify`", + "`signDigest`", "`verifyDigest`", "`digest`", "`generateKey`", "`deriveKey`", "`deriveBits`", "`importKey`", "`exportKey`", "`wrapKey`", "`unwrapKey`", "`encapsulateKey`", "`encapsulateBits`", @@ -944,6 +945,7 @@
If |operation| is not one of "`encrypt`", "`decrypt`", "`sign`", "`verify`", + "`signDigest`", "`verifyDigest`", "`digest`", "`generateKey`", "`deriveKey`", "`deriveBits`", "`importKey`", "`exportKey`", "`wrapKey`", "`unwrapKey`", "`encapsulateKey`", "`encapsulateBits`", @@ -2468,6 +2470,16 @@
+ The |digest| parameter is an externally computed μ value + (64 bytes), which is passed directly to ML-DSA.Sign_internal + (Section 6.2 of [[FIPS-204]]). +
++ This can be used to implement Pre-Hash ML-DSA (HashML-DSA, Sections + 5.4 and 5.5 of [[FIPS-204]]) by computing μ externally. +
++ If the `[[type]]` internal slot of + |key| is not {{KeyType/"private"}}, then [= exception/throw =] an {{InvalidAccessError}}. +
++ If the [= byte sequence/length =] of |digest| is not 64, + then [= exception/throw =] an {{OperationError}}. +
++ Let |result| be the result of performing the ML-DSA.Sign_internal + algorithm, as specified in Section 6.2 of [[FIPS-204]], + with the parameter set indicated by the {{Algorithm/name}} member of |normalizedAlgorithm|, + using the ML-DSA private key associated with |key| as |sk|, + and |digest| as μ. +
++ If the ML-DSA.Sign_internal algorithm returned an error, + [= exception/throw =] an {{OperationError}}. +
++ Return |result|. +
++ The |digest| parameter is an externally computed μ value + (64 bytes), which is passed directly to ML-DSA.Verify_internal + (Section 6.3 of [[FIPS-204]]). +
++ This can be used to implement Pre-Hash ML-DSA (HashML-DSA, Sections + 5.4 and 5.5 of [[FIPS-204]]) by computing μ externally. +
++ If the `[[type]]` internal slot of + |key| is not {{KeyType/"public"}}, then [= exception/throw =] an {{InvalidAccessError}}. +
++ If the [= byte sequence/length =] of |digest| is not 64, + then return false. +
++ Let |result| be the result of performing the ML-DSA.Verify_internal + algorithm, as specified in Section 6.3 of [[FIPS-204]], + with the parameter set indicated by the {{Algorithm/name}} member of |normalizedAlgorithm|, + using the ML-DSA public key associated with |key| as |pk|, + |digest| as μ, and |signature| as σ. +
++ If the ML-DSA.Verify_internal algorithm returned an error, + [= exception/throw =] an {{OperationError}}. +
++ Return |result|. +
++ This section defines the computation of the ML-DSA message representative + μ, as specified in Sections 6.2 and 6.3 of [[FIPS-204]]. + Normally, μ is computed internally as part of an ML-DSA + sign or verify operation. Computing μ externally allows + large messages to be processed before they are passed to + the signing or verification step. +
++ Both Pure ML-DSA and Pre-Hash ML-DSA (HashML-DSA, Sections 5.4 and 5.5 + of [[FIPS-204]]) are supported. When the {{MlDsaMuParams/hash}} member + is not present, the input is the full message (Pure ML-DSA). + When present, the input is the pre-computed hash digest of the message. +
++ The resulting μ value can be passed to + the signDigest() and + verifyDigest() methods + with an ML-DSA algorithm. +
+
+ The recognized algorithm name for
+ this algorithm is "ML-DSA-MU".
+
| Operation | +Parameters | +Result | +
|---|---|---|
| digest | +{{MlDsaMuParams}} | +[= byte sequence =] | +
+dictionary MlDsaMuParams : ContextParams {
+ required CryptoKey public;
+ HashAlgorithmIdentifier hash;
+};
+
+ + The public + member represents the ML-DSA public key from which tr is derived. +
++ The hash + member, if present, identifies the hash function that was used to produce |message|, + for use as PH in HashML-DSA (Section 5.4 of [[FIPS-204]]). + When present, |message| is the hash digest PH(M), not the original message. +
++ Let |publicKey| be the {{MlDsaMuParams/public}} member of |normalizedAlgorithm|. +
++ If the `[[type]]` internal slot of + |publicKey| is not {{KeyType/"public"}}, then [= exception/throw =] an {{InvalidAccessError}}. +
++ If the {{KeyAlgorithm/name}} attribute of the + `[[algorithm]]` internal slot of + |publicKey| is not one of "`ML-DSA-44`", "`ML-DSA-65`" or "`ML-DSA-87`", + then [= exception/throw =] an {{InvalidAccessError}}. +
++ Let |context| be the {{ContextParams/context}} member of |normalizedAlgorithm| + or the empty [= byte sequence =] if the {{ContextParams/context}} member of + |normalizedAlgorithm| is not present. +
++ Let |pk| be the raw encoded ML-DSA public key associated with |publicKey|. +
++ Let tr be the result of applying SHAKE-256 ([[FIPS-202]]) + to |pk| with an output length of 64 bytes. +
++ Let |hashAlgorithm| be the {{MlDsaMuParams/hash}} member of |normalizedAlgorithm|. +
++ Let |oid| be the DER encoding of `id-sha256` (2.16.840.1.101.3.4.2.1) + and let |expectedLength| be 32. +
++ Let |oid| be the DER encoding of `id-sha384` (2.16.840.1.101.3.4.2.2) + and let |expectedLength| be 48. +
++ Let |oid| be the DER encoding of `id-sha512` (2.16.840.1.101.3.4.2.3) + and let |expectedLength| be 64. +
++ Let |oid| be the DER encoding of `id-sha3-256` (2.16.840.1.101.3.4.2.8) + and let |expectedLength| be 32. +
++ Let |oid| be the DER encoding of `id-sha3-384` (2.16.840.1.101.3.4.2.9) + and let |expectedLength| be 48. +
++ Let |oid| be the DER encoding of `id-sha3-512` (2.16.840.1.101.3.4.2.10) + and let |expectedLength| be 64. +
++ If the {{CShakeParams/functionName}} member of |hashAlgorithm| is present + and is not an empty [= byte sequence =], + then [= exception/throw =] an {{OperationError}}. +
++ If the {{CShakeParams/customization}} member of |hashAlgorithm| is present + and is not an empty [= byte sequence =], + then [= exception/throw =] an {{OperationError}}. +
++ If the {{CShakeParams/outputLength}} member of |hashAlgorithm| is not 256, + then [= exception/throw =] an {{OperationError}}. +
++ Let |oid| be the DER encoding of `id-shake128` (2.16.840.1.101.3.4.2.11) + and let |expectedLength| be 32. +
++ If the {{CShakeParams/functionName}} member of |hashAlgorithm| is present + and is not an empty [= byte sequence =], + then [= exception/throw =] an {{OperationError}}. +
++ If the {{CShakeParams/customization}} member of |hashAlgorithm| is present + and is not an empty [= byte sequence =], + then [= exception/throw =] an {{OperationError}}. +
++ If the {{CShakeParams/outputLength}} member of |hashAlgorithm| is not 512, + then [= exception/throw =] an {{OperationError}}. +
++ Let |oid| be the DER encoding of `id-shake256` (2.16.840.1.101.3.4.2.12) + and let |expectedLength| be 64. +
++ [= exception/throw =] a {{NotSupportedError}}. +
++ If the [= byte sequence/length =] of |message| is not equal to |expectedLength|, + then [= exception/throw =] an {{OperationError}}. +
++ Let M′ be the concatenation of + the byte 0x01, + the single-byte encoding of the [= byte sequence/length =] of |context| (i.e., IntegerToBytes(|ctx|, 1) per [[FIPS-204]]), + |context|, + |oid|, and + |message|. +
++ Let M′ be the concatenation of + the byte 0x00, + the single-byte encoding of the [= byte sequence/length =] of |context| (i.e., IntegerToBytes(|ctx|, 1) per [[FIPS-204]]), + |context|, and + |message|. +
++ Let μ be the result of applying SHAKE-256 ([[FIPS-202]]) + to the concatenation of tr and M′ + with an output length of 64 bytes. +
++ Return μ. +
+
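Review bot: In the ML-DSA-MU digest steps, no step rejects a |context| longer than 255 bytes even though the M′ construction encodes its length in a single byte (IntegerToBytes(..., 1)); unless ContextParams validation elsewhere in the spec already guarantees this, add a step before building M′ such as "If the [= byte sequence/length =] of |context| is greater than 255, then [= exception/throw =] an {{OperationError}}." Two smaller points in the same hunk: both M′ steps write IntegerToBytes(|ctx|, 1) while the variable defined earlier is |context|, so spell it as the single-byte encoding of the length of |context|; and signDigest throws an {{OperationError}} when |digest| is not 64 bytes while verifyDigest returns false for the same condition, which deserves either alignment or a sentence explaining why a malformed μ is an error on one side and a verification failure on the other. Finally, because |digest| is handed straight to ML-DSA.Sign_internal, the signer never sees the message, the context or tr; a caller that can reach signDigest obtains a signature over any μ it supplies, including one derived from a different public key or context, so a Security Considerations note stating that μ is trusted as supplied and that callers must compute it with the public key matching the signing key would help implementers and users.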