
HashMLDSA

Struct HashMLDSA 

pub struct HashMLDSA<HASH: Hash + Default, const HASH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK: MLDSAPublicKeyTrait<k, PK_LEN> + MLDSAPublicKeyInternalTrait<k, PK_LEN>, SK: MLDSAPrivateKeyTrait<k, l, ETA, SK_LEN, PK_LEN> + MLDSAPrivateKeyInternalTrait<k, l, ETA, SK_LEN, PK_LEN>, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> { /* private fields */ }

An instance of the HashML-DSA algorithm.

We are exposing the HashMLDSA struct this way so that alternative hash functions can be used without requiring modification of this source code; you can add your own hash function by specifying the hash function to use (in the verifier), and specifying the bytes of the OID to use as its domain separator when constructing the message representative M’.

Implementations§


impl<HASH: Hash + Default, const PH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK: MLDSAPublicKeyTrait<k, PK_LEN> + MLDSAPublicKeyInternalTrait<k, PK_LEN>, SK: MLDSAPrivateKeyTrait<k, l, ETA, SK_LEN, PK_LEN> + MLDSAPrivateKeyInternalTrait<k, l, ETA, SK_LEN, PK_LEN>, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> HashMLDSA<HASH, PH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>


pub fn keygen_from_seed( seed: &KeyMaterialSized<32>, ) -> Result<(PK, SK), SignatureError>

Imports a secret key from a 32-byte seed, returning the key pair (PK, SK) derived from it.


pub fn sign_ph_deterministic( sk: &SK, ctx: Option<&[u8]>, ph: &[u8; PH_LEN], rnd: [u8; 32], ) -> Result<[u8; SIG_LEN], SignatureError>

Algorithm 7 ML-DSA.Sign_internal(𝑠𝑘, 𝑀′, 𝑟𝑛𝑑) (modified to take an externally-computed ph instead of M’, thus combining Algorithm 4 with Algorithm 7).

Security note: This mode exposes deterministic signing, which FIPS 204 allows (the alternative is the “hedged” mode, in which rnd is fresh randomness for every signature). The ML-DSA algorithm is considered safe to use in deterministic mode, but be aware that the responsibility is on you to ensure that your nonce rnd is unique per signature. If it is not, you may lose some privacy properties; for example, it becomes easy to tell whether a signer has signed the same message twice or two different messages, or whether the same message has been signed by the same signer twice or by two different signers.

Because rnd should be either a fresh per-signature nonce or a fixed value, this function takes rnd by value (moving it) to help prevent accidental nonce reuse.


pub fn sign_ph_deterministic_out( sk: &SK, ctx: Option<&[u8]>, ph: &[u8; PH_LEN], rnd: [u8; 32], output: &mut [u8; SIG_LEN], ) -> Result<usize, SignatureError>

Algorithm 7 ML-DSA.Sign_internal(𝑠𝑘, 𝑀′, 𝑟𝑛𝑑) (modified to take an externally-computed ph instead of M’, thus combining Algorithm 4 with Algorithm 7).

Performs an ML-DSA signature using the provided externally-computed pre-hash ph. This implements FIPS 204 Algorithm 7 with line 6 removed, a modification that is allowed both by FIPS 204 itself and by subsequent FAQ documents. Like sign_ph_deterministic, this mode exposes deterministic signing with a caller-supplied rnd; the security note on that function applies here as well.

Because rnd should be either a fresh per-signature nonce or a fixed value, this function takes rnd by value (moving it) to help prevent accidental nonce reuse.

Returns the number of bytes written to the output buffer. Can be called with an oversized buffer.


pub fn set_signer_rnd(&mut self, rnd: [u8; 32])

To be used for deterministic signing in conjunction with the Signature::sign_init, Signature::sign_update, and Signature::sign_final flow. It can be set at any point after Signature::sign_init and before Signature::sign_final. The same requirement as for sign_ph_deterministic applies: rnd must be either a fresh per-signature nonce or a deliberately fixed value.


pub fn sign_init_from_seed( seed: &KeyMaterialSized<32>, ctx: Option<&[u8]>, ) -> Result<Self, SignatureError>

Alternative initialization of the streaming signer for when you hold your private key as a seed and want to delay its expansion as long as possible to reduce memory usage.

Trait Implementations§


impl<HASH: Hash + Default, const PH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK: MLDSAPublicKeyTrait<k, PK_LEN> + MLDSAPublicKeyInternalTrait<k, PK_LEN>, SK: MLDSAPrivateKeyTrait<k, l, ETA, SK_LEN, PK_LEN> + MLDSAPrivateKeyInternalTrait<k, l, ETA, SK_LEN, PK_LEN>, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> PHSignature<PK, SK, PH_LEN> for HashMLDSA<HASH, PH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>


fn sign_ph_out( sk: &SK, ph: &[u8; PH_LEN], ctx: Option<&[u8]>, output: &mut [u8], ) -> Result<usize, SignatureError>

Note that the PH expected here is not the same as the mu computed by MuBuilder. To use this function, you need to compute a plain hash of the message using the same hash function as the one indicated by the HashML-DSA variant; for example SHA256 for HashMLDSA44_with_SHA256, SHA512 for HashMLDSA65_with_SHA512, etc.


fn sign_ph( sk: &SK, ph: &[u8; PH_LEN], ctx: Option<&[u8]>, ) -> Result<Vec<u8>, SignatureError>

Produce a signature for the provided pre-hashed message and context. Read more

fn verify_ph( pk: &PK, ph: &[u8; PH_LEN], ctx: Option<&[u8]>, sig: &[u8], ) -> Result<(), SignatureError>

On success, returns Ok(()). On failure, returns Err(SignatureError::SignatureVerificationFailed); it may also return other kinds of SignatureError as appropriate (such as for invalid-length inputs).

impl<HASH: Hash + Default, PK: MLDSAPublicKeyTrait<k, PK_LEN> + MLDSAPublicKeyInternalTrait<k, PK_LEN>, SK: MLDSAPrivateKeyTrait<k, l, ETA, SK_LEN, PK_LEN> + MLDSAPrivateKeyInternalTrait<k, l, ETA, SK_LEN, PK_LEN>, const PH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> Signature<PK, SK> for HashMLDSA<HASH, PH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>


fn keygen() -> Result<(PK, SK), SignatureError>

Keygen, and keys in general, are interchangeable between MLDSA and HashMLDSA.


fn sign( sk: &SK, msg: &[u8], ctx: Option<&[u8]>, ) -> Result<Vec<u8>, SignatureError>

Algorithm 4 HashML-DSA.Sign(𝑠𝑘, 𝑀, 𝑐𝑡𝑥, PH): generate a “pre-hash” ML-DSA signature.


fn sign_out( sk: &SK, msg: &[u8], ctx: Option<&[u8]>, output: &mut [u8], ) -> Result<usize, SignatureError>

Returns the number of bytes written to the output buffer. Can be called with an oversized buffer.

fn sign_init(sk: &SK, ctx: Option<&[u8]>) -> Result<Self, SignatureError>

Initialize a signer for streaming mode with the provided private key.

fn sign_update(&mut self, msg_chunk: &[u8])


fn sign_final(self) -> Result<Vec<u8>, SignatureError>

Complete the signing operation. Consumes self.

fn sign_final_out(self, output: &mut [u8]) -> Result<usize, SignatureError>

Returns the number of bytes written to the output buffer. Can be called with an oversized buffer.

fn verify( pk: &PK, msg: &[u8], ctx: Option<&[u8]>, sig: &[u8], ) -> Result<(), SignatureError>

On success, returns Ok(()). On failure, returns Err(SignatureError::SignatureVerificationFailed); it may also return other kinds of SignatureError as appropriate (such as for invalid-length inputs).

fn verify_init(pk: &PK, ctx: Option<&[u8]>) -> Result<Self, SignatureError>


fn verify_update(&mut self, msg_chunk: &[u8])


fn verify_final(self, sig: &[u8]) -> Result<(), SignatureError>

On success, returns Ok(()). On failure, returns Err(SignatureError::SignatureVerificationFailed); it may also return other kinds of SignatureError as appropriate (such as for invalid-length inputs).

Auto Trait Implementations§


impl<HASH, const HASH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK, SK, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> Freeze for HashMLDSA<HASH, HASH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>
where HASH: Freeze, SK: Freeze, PK: Freeze,


impl<HASH, const HASH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK, SK, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> RefUnwindSafe for HashMLDSA<HASH, HASH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>


impl<HASH, const HASH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK, SK, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> Send for HashMLDSA<HASH, HASH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>
where HASH: Send, SK: Send, PK: Send,


impl<HASH, const HASH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK, SK, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> Sync for HashMLDSA<HASH, HASH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>
where HASH: Sync, SK: Sync, PK: Sync,


impl<HASH, const HASH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK, SK, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> Unpin for HashMLDSA<HASH, HASH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>
where HASH: Unpin, SK: Unpin, PK: Unpin,


impl<HASH, const HASH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK, SK, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> UnsafeUnpin for HashMLDSA<HASH, HASH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>
where HASH: UnsafeUnpin, SK: UnsafeUnpin, PK: UnsafeUnpin,


impl<HASH, const HASH_LEN: usize, const oid: &'static [u8], const PK_LEN: usize, const SK_LEN: usize, const SIG_LEN: usize, PK, SK, const TAU: i32, const LAMBDA: i32, const GAMMA1: i32, const GAMMA2: i32, const k: usize, const l: usize, const ETA: usize, const BETA: i32, const OMEGA: i32, const C_TILDE: usize, const POLY_Z_PACKED_LEN: usize, const POLY_W1_PACKED_LEN: usize, const W1_PACKED_LEN: usize, const POLY_ETA_PACKED_LEN: usize, const LAMBDA_over_4: usize, const GAMMA1_MASK_LEN: usize> UnwindSafe for HashMLDSA<HASH, HASH_LEN, oid, PK_LEN, SK_LEN, SIG_LEN, PK, SK, TAU, LAMBDA, GAMMA1, GAMMA2, k, l, ETA, BETA, OMEGA, C_TILDE, POLY_Z_PACKED_LEN, POLY_W1_PACKED_LEN, W1_PACKED_LEN, POLY_ETA_PACKED_LEN, LAMBDA_over_4, GAMMA1_MASK_LEN>
where HASH: UnwindSafe, SK: UnwindSafe, PK: UnwindSafe,

Blanket Implementations§


impl<T> Any for T
where T: 'static + ?Sized,


fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,


fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,


fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T


fn from(t: T) -> T

Returns the argument unchanged.


impl<T, U> Into<U> for T
where U: From<T>,


fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.


impl<T, U> TryFrom<U> for T
where U: Into<T>,


type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,


type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.