Skip to content

SLH-DSA: align HashSLH-DSA pre-hash API with HashML-DSA#19

Closed
Frauschi wants to merge 4 commits into
masterfrom
claude/fix-dsa-api-inconsistency-uCvHV
Closed

SLH-DSA: align HashSLH-DSA pre-hash API with HashML-DSA#19
Frauschi wants to merge 4 commits into
masterfrom
claude/fix-dsa-api-inconsistency-uCvHV

Conversation

@Frauschi
Copy link
Copy Markdown
Owner

@Frauschi Frauschi commented May 10, 2026

Summary

Fixes an API inconsistency between wolfSSL's two FIPS-standardised post-quantum signature schemes:

  • ML-DSA (wc_dilithium_sign_ctx_hash / wc_dilithium_verify_ctx_hash) takes the caller's pre-hashed digest.
  • SLH-DSA (wc_SlhDsaKey_*Hash*) used to take the full message and hash it internally.

This makes SLH-DSA the outlier within wolfSSL and against every other library checked (OpenSSL HASH-ML-DSA, mldsa-native, leancrypto SLH-DSA, sphincsplus reference) and against NIST ACVP signatureInterface=external/preHash=preHash test vectors — all of which take the digest at the pre-hash boundary. Breaking by design.

Changes

  • wolfcrypt/src/wc_slhdsa.c — refactor slhdsakey_validate_prehash (renamed from slhdsakey_prehash_msg) to validate msgSz == digest size for hashType and copy, instead of calling wc_*Hash. Returns BAD_LENGTH_E on size mismatch. SHAKE128/SHAKE256 lengths are fixed at 256/512 bits per FIPS 205 Section 10.2.2. Sign- and verify-side M' construction is unchanged.
  • wc_SlhDsaKey_SignMsg{Deterministic,WithRandom} — gain front-door NULL / sigSz / key-flag validation matching the *Hash* family. These functions are the SLH-DSA analog of wc_dilithium_verify_mu for ACVP signatureInterface=internal testing — documented as such.
  • In-tree callers updated: wolfcrypt/test/test.c (SHA-256/SHAKE256/SHA-384 paths in slhdsa_test_param) and wolfcrypt/benchmark/benchmark.c (SHA-256 prehash sub-bench, hashed once outside the timed loop, with a SHAKE256 fallback for NO_SHA256 builds).
  • API tests (tests/api/test_slhdsa.c):
    • BAD_LENGTH_E rejection coverage for both *Hash* and *Msg* sigSz paths
    • NOT_COMPILED_IN coverage for unsupported hashType
    • SHA-512 and SHAKE256 round-trips
    • New test_wc_slhdsa_sign_msg covering the SignMsg* family plus a byte-for-byte cross-check that an externally-built M' produces the same signature as the matching SignHashDeterministic call
  • Doxygen updated with the new msg semantics, BAD_LENGTH_E returns, pre-hash examples, and \sa cross-references between the *Hash* and *Msg* API families.
  • ChangeLog.mdBREAKING (FIPS 205 SLH-DSA) entry under the unreleased Enhancements with migration guidance.

Verification

Build Result
--enable-slhdsa (full) testwolfcrypt SLH-DSA pass, all 16 SLH-DSA API tests pass
--enable-slhdsa=verify-only compiles clean, signing tests skipped as expected
benchmark -slhdsa sign-pre / vrfy-pre rows present, no BAD_LENGTH_E

Test plan

  • CI passes on the full SLH-DSA build
  • CI passes on --enable-slhdsa=verify-only
  • CI passes on a SHAKE-only / NO_SHA256 SLH-DSA configuration if such a target exists
  • Manual review of doxygen output for the four *Hash* and three *Msg* functions
  • Optional: integrate at least one NIST ACVP HashSLH-DSA known-answer vector in a follow-up PR (the plan called for this; not done here to keep the diff focused)

Migration

/* Before: */
wc_SlhDsaKey_SignHash(&key, ctx, ctxSz, msg, msgSz,
    WC_HASH_TYPE_SHA256, sig, &sigLen, &rng);

/* After: */
byte digest[WC_SHA256_DIGEST_SIZE];
wc_Sha256Hash(msg, msgSz, digest);
wc_SlhDsaKey_SignHash(&key, ctx, ctxSz, digest, sizeof(digest),
    WC_HASH_TYPE_SHA256, sig, &sigLen, &rng);

Callers that need the previous "pass full message" semantics for SLH-DSA can use wc_SlhDsaKey_Sign / wc_SlhDsaKey_Verify (the pure interface) instead.

https://claude.ai/code/session_015DkU7iXobMCKqSbMoTWCqd

Generated by Claude Code

claude added 2 commits May 10, 2026 13:34
@claude
SLH-DSA: align HashSLH-DSA API with HashML-DSA (caller-pre-hashed dig…
d1f4e56 
…est)

The four wc_SlhDsaKey_*Hash* entry points used to take the full message and
hash it internally, while the ML-DSA counterparts (wc_dilithium_sign_ctx_hash
/ wc_dilithium_verify_ctx_hash) take the caller's pre-hashed digest. That
divergence made HashSLH-DSA the outlier among wolfSSL's PQ signature schemes
and against OpenSSL's HASH-ML-DSA, mldsa-native, leancrypto SLH-DSA, and
NIST ACVP signatureInterface=external/preHash test vectors -- all of which
take the digest at the pre-hash boundary.

Refactor slhdsakey_prehash_msg to validate that msgSz equals the digest size
for hashType (32 bytes for SHAKE128, 64 for SHAKE256 per FIPS 205 §10.2.2)
and copy the digest in place of the previous wc_*Hash call. Returns
BAD_LENGTH_E on size mismatch; BAD_FUNC_ARG / NOT_COMPILED_IN behaviour is
unchanged. Sign-/verify-side M' construction is untouched.

Also tighten the pre-existing wc_SlhDsaKey_SignMsg{Deterministic,WithRandom}
input validation (NULL/sigSz/key-flag checks) so they front-match the *Hash*
family. These are the FIPS 205 internal interface (Algorithm 19) and serve
as the SLH-DSA analog of wc_dilithium_verify_mu for ACVP signatureInterface=
internal testing -- documented as such.

In-tree callers updated to pre-hash before calling: wolfcrypt self-test in
slhdsa_test_param (SHA-256/SHAKE256/SHA-384 paths) and benchmark sign-pre/
vrfy-pre rows (SHA-256, hashed once outside the timed loop). API tests gain
BAD_LENGTH_E coverage, SHA-512 and SHAKE256 round-trips, and a new
test_wc_slhdsa_sign_msg covering the SignMsg* family plus a cross-check that
proves an externally-built M' sign matches a SignHashDeterministic byte-for-
byte. Doxygen and ChangeLog updated; entry flagged BREAKING.

https://claude.ai/code/session_015DkU7iXobMCKqSbMoTWCqd
@claude
SLH-DSA: address review feedback on prior HashSLH-DSA API alignment
763a8d6 
- benchmark.c: gate the new prehash bench block on NO_SHA256 with a
  SHAKE256 fallback so SHAKE-only SLH-DSA builds don't add a hard SHA-256
  link-time dependency they didn't have before.
- ChangeLog.md: narrow the "stricter input validation" claim to
  SignMsg{Deterministic,WithRandom}; VerifyMsg already had full validation
  and was not changed.
- wc_slhdsa.c: rename the now-misnamed slhdsakey_prehash_msg helper to
  slhdsakey_validate_prehash to reflect that it validates and copies
  rather than hashing.
- Replace UTF-8 paragraph signs with ASCII "Section" in comments to match
  the surrounding code's style and avoid encoding pitfalls in some
  toolchains.
- doc/dox_comments: add \sa cross-references between the *Hash* and
  *Msg* doxygen entries so users discovering one path can find the other.
- tests/api/test_slhdsa.c: add NOT_COMPILED_IN coverage for an
  unsupported hashType, BAD_LENGTH_E coverage for the new
  SignMsg{Deterministic,WithRandom} sigSz check, and reset sigLen
  explicitly before SignMsgWithRandom in the round-trip rather than
  silently relying on the prior call to have set it.

https://claude.ai/code/session_015DkU7iXobMCKqSbMoTWCqd
Frauschi
Frauschi commented May 10, 2026
View reviewed changes
Comment thread wolfcrypt/src/wc_slhdsa.c Outdated
Comment thread ChangeLog.md Outdated
claude added 2 commits May 10, 2026 15:58
@claude
SLH-DSA: rename Hash-API msg/msgSz to hash/hashSz; drop redundant ph …
281d374 
…buffer

Address PR review feedback:

- Rename the public *Hash* API parameters from msg/msgSz to hash/hashSz to
  match the ML-DSA wc_dilithium_sign_ctx_hash / wc_dilithium_verify_ctx_hash
  parameter naming exactly. Affects wc_SlhDsaKey_SignHash,
  wc_SlhDsaKey_SignHashDeterministic, wc_SlhDsaKey_SignHashWithRandom, and
  wc_SlhDsaKey_VerifyHash. Callers using positional arguments are
  source-compatible.

- Refactor slhdsakey_validate_prehash to drop the now-redundant ph output
  buffer. Previously the helper validated msgSz against the expected digest
  size and copied the input into a separate ph buffer; the callers then
  concatenated oid || ph or streamed them. Since ph was just a copy of the
  input, the helper now returns only oid/oidLen plus the validation error
  code, and the callers feed the caller-supplied digest directly into the
  M' construction. Eliminates the misleading ph[WC_MAX_DIGEST_SIZE] locals
  in slhdsakey_signhash_external and wc_SlhDsaKey_VerifyHash and the
  pointless XMEMCPY hop.

- Update doxygen (source and dox_comments) accordingly.

- ChangeLog: clarify the rename and that callers using positional
  arguments are source-compatible.

https://claude.ai/code/session_015DkU7iXobMCKqSbMoTWCqd
@claude
SLH-DSA: harden phMsg buffer size, fix stale comments, soften ChangeLog
1ee118a 
Address self-review feedback:

- Replace the magic byte phMsg[80] /* Max: 11 byte OID + 64 byte hash */
  in slhdsakey_signhash_external and wc_SlhDsaKey_VerifyHash with
  byte phMsg[SLHDSA_PHMSG_MAX_LEN] where
  SLHDSA_PHMSG_MAX_LEN = SLHDSA_OID_MAX_LEN + WC_MAX_DIGEST_SIZE. The
  derived bound now scales automatically with the project-wide max digest
  size, so adding a future hashType with a larger digest in
  slhdsakey_validate_prehash won't silently overflow these buffers.

- Replace three stale "/* Pre-hash sign. */" inline comments with
  "/* HashSLH-DSA sign with caller-supplied digest. */" since the
  functions no longer pre-hash anything.

- ChangeLog: soften the "matches wc_dilithium_*_ctx_hash exactly" claim
  to acknowledge that ML-DSA uses hashLen while SLH-DSA keeps the local
  Sz suffix convention.

https://claude.ai/code/session_015DkU7iXobMCKqSbMoTWCqd
@Frauschi Frauschi closed this May 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Frauschi @claude