pub fn slh_sign_internal<P: Params>(
    m: &[u8],
    sk: &[u8],
    addrnd: &[u8],
) -> Result<Vec<u8>, SlhDsaError>
Internal SLH-DSA signing function.
Implements Algorithm 19 of FIPS 205. Performs the full signing pipeline:
- Generates the per-signature randomizer R via PRF_msg(SK.prf, addrnd, M).
- Hashes the message with H_msg to produce a digest, then splits it into FORS indices (md), a tree index (idx_tree), and a leaf index (idx_leaf).
- Signs md with FORS to obtain SIG_FORS, then computes the FORS public key.
- Signs the FORS public key with the hypertree to obtain SIG_HT.
The addrnd parameter is n bytes of additional randomness for hedged signing.
Passing PK.seed instead yields deterministic signing.
Returns the full signature: R || SIG_FORS || SIG_HT.
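The digest split in the second step, as an added example (not this crate's code): byte lengths and bit masks follow FIPS 205 Algorithm 19, the h, d, a, k values are those of FIPS 205 Table 2, and SplitParams, split_digest, to_int and low_bits are hypothetical names.

```rust
// Added example: hypothetical names, not the crate's API.
// Parameter values (h, d, a, k) are from FIPS 205 Table 2.
#[derive(Clone, Copy)]
pub struct SplitParams { pub h: u32, pub d: u32, pub a: u32, pub k: u32 }

pub const SHA2_128S: SplitParams = SplitParams { h: 63, d: 7, a: 12, k: 14 };
pub const SHA2_256F: SplitParams = SplitParams { h: 68, d: 17, a: 9, k: 35 };

/// Big-endian bytes to integer (toInt in FIPS 205); at most 8 bytes here.
fn to_int(b: &[u8]) -> u64 {
    b.iter().fold(0u64, |acc, &x| (acc << 8) | u64::from(x))
}

/// Reduce mod 2^bits without a shift overflow when bits == 64 (SHA2-256f).
fn low_bits(v: u64, bits: u32) -> u64 {
    if bits >= 64 { v } else { v & ((1u64 << bits) - 1) }
}

/// Split an H_msg digest into (md, idx_tree, idx_leaf).
/// Returns None if the digest is shorter than the parameter set's m bytes.
pub fn split_digest(p: SplitParams, digest: &[u8]) -> Option<(&[u8], u64, u32)> {
    let hp = p.h / p.d;                           // h' = height of one XMSS tree
    let md_len = ((p.k * p.a + 7) / 8) as usize;  // ceil(k*a / 8)
    let tree_len = ((p.h - hp + 7) / 8) as usize; // ceil((h - h') / 8)
    let leaf_len = ((hp + 7) / 8) as usize;       // ceil(h' / 8)
    if digest.len() < md_len + tree_len + leaf_len {
        return None;
    }
    let (md, rest) = digest.split_at(md_len);
    let (tree, rest) = rest.split_at(tree_len);
    let idx_tree = low_bits(to_int(tree), p.h - hp);
    let idx_leaf = low_bits(to_int(&rest[..leaf_len]), hp) as u32;
    Some((md, idx_tree, idx_leaf))
}

fn main() {
    // Constructed digest: 21 bytes of md followed by all-ones index bytes.
    let mut digest = vec![0xAAu8; 21];
    digest.extend_from_slice(&[0xFFu8; 9]);
    let (md, idx_tree, idx_leaf) = split_digest(SHA2_128S, &digest).unwrap();
    println!("128s: md={} bytes idx_tree={:#x} idx_leaf={}", md.len(), idx_tree, idx_leaf);
    let all_ones = [0xFFu8; 49];
    let (_, t, l) = split_digest(SHA2_256F, &all_ones).unwrap();
    println!("256f: idx_tree={:#x} idx_leaf={}", t, l);
}
```

The index bytes are masked because the digest carries whole bytes while idx_tree and idx_leaf use only h - h' and h' bits.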
Feature: sca-fors-redundancy
When this cargo feature is enabled, the FORS sub-signature is produced
by fors::fors_sign_into_redundant (T1-C: recompute-and-compare
against single-fault grafting-tree forgery, per
:cite:genet2023_protecting_sphincs_faults,
:cite:castelnovi2018_grafting_trees,
:cite:adiletta2025_slashdsa_rowhammer). On a detected divergence the
function returns Err(SlhDsaError::FaultDetected), so
the faulted signature never leaves the device. The validated FORS
public key returned by the redundant routine is fed straight into the
hypertree, saving a third FORS-root derivation.
Without the feature, the result is always Ok; the unified Result
envelope is paid only to keep one function signature across the two
configurations. CAVP / KAT output bytes are unchanged.