Use Correct Hashing for ML-DSA Pre-hashed Variants
Ensure stronger hashes like SHA-384 or SHA-512 are used with ML-DSA digital signatures for added security.
Plain language
This control is about making sure your digital signatures are extra secure by using strong hashing methods like SHA-384 or SHA-512 before signing. By doing this, you protect sensitive data from being tampered with or faked, which is crucial in maintaining trust and preventing fraud.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for cryptography
Official control statement
When the pre-hashed variants of ML-DSA-65 and ML-DSA-87 are used, at least SHA-384 and SHA-512 respectively are used for pre-hashing.
Why it matters
If the ML-DSA-65/87 pre-hashed variants use a hash weaker than SHA-384/SHA-512, signature forgery and integrity failures become more likely.
Operational notes
Verify configurations and libraries: ML-DSA-65 pre-hash uses SHA-384 and ML-DSA-87 pre-hash uses SHA-512; test during updates.
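One way to run that configuration check across many signers, as an added example that is not part of the ISM or of this page's source. The inventory format and profile names are constructed, and ranking only SHA-2 names by digest size is an assumption; anything else is sent to manual review rather than passed.

```python
import re

# Minimum pre-hash digest size per parameter set, from the control statement.
MIN_PREHASH = {"ML-DSA-65": 384, "ML-DSA-87": 512}
# Assumption: only SHA-2 names are ranked (by digest size); others go to review.
SHA2 = re.compile(r"SHA(?:-?2)?[-_ ]?(224|256|384|512)")

def sha2_bits(name):
    """Return the digest size for spellings like 'sha384' or 'SHA2-512', else None."""
    m = SHA2.fullmatch(name.strip().upper())
    return int(m.group(1)) if m else None

def check_profile(profile):
    """Classify one signing profile as PASS, FAIL, REVIEW or OUT_OF_SCOPE."""
    params, prehash = profile["parameter_set"].upper(), profile.get("prehash")
    if prehash is None:
        return "OUT_OF_SCOPE", "pure ML-DSA: no pre-hash step to check"
    if params not in MIN_PREHASH:
        return "REVIEW", f"{params} is not named in the control statement"
    bits = sha2_bits(prehash)
    if bits is None:
        return "REVIEW", f"cannot rank pre-hash {prehash!r}; check manually"
    if bits < MIN_PREHASH[params]:
        return "FAIL", f"{prehash} is below SHA-{MIN_PREHASH[params]} for {params}"
    return "PASS", f"{prehash} meets SHA-{MIN_PREHASH[params]} for {params}"

def audit(inventory):
    """Map each profile name to its (status, reason) pair."""
    return {p["name"]: check_profile(p) for p in inventory}

# Constructed inventory; in practice this would be exported from signer configuration.
INVENTORY = [
    {"name": "firmware-signer", "parameter_set": "ML-DSA-65", "prehash": "sha384"},
    {"name": "doc-signer", "parameter_set": "ML-DSA-65", "prehash": "SHA-256"},
    {"name": "root-ca", "parameter_set": "ML-DSA-87", "prehash": "SHA-384"},
    {"name": "backup-signer", "parameter_set": "ML-DSA-87", "prehash": "SHA2-512"},
    {"name": "api-tokens", "parameter_set": "ML-DSA-65", "prehash": None},
    {"name": "legacy-signer", "parameter_set": "ML-DSA-65", "prehash": "SHA3-384"},
    {"name": "edge-signer", "parameter_set": "ML-DSA-44", "prehash": "SHA-256"},
]

if __name__ == "__main__":
    for name, (status, reason) in audit(INVENTORY).items():
        print(f"{status:12} {name}: {reason}")
```

Running it on each library or configuration update gives a repeatable record of which signers pass, fail, or need a manual look.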
Implementation tips
- The IT team should review all current digital signature processes to ensure they include pre-hashing with SHA-384 or SHA-512. This means verifying the algorithms used for hashing are up to the latest standards for security.
- Managers responsible for data security should conduct regular training for staff on the importance of secure digital signatures. This could involve practical demonstrations on how strong hashing protects data.
- Procurement teams should ensure that any new software involving digital signatures supports SHA-384 or SHA-512 hashing. This involves checking technical specifications before purchase and consulting with IT for verification.
- The IT team should update systems and software to the latest versions if they currently do not support SHA-384 or SHA-512. They can do this by implementing patches or reaching out to vendors for software updates.
- Data security officers should document the hashing algorithm used for digital signatures in internal policies. This can be achieved by maintaining a security policy document that includes the requirement for SHA-384 or SHA-512 hashing.
Audit / evidence tips
- Ask: the list of algorithms used in digital signature processes
  Good: will be a clear mention of these algorithms in use
- Ask: training records that cover secure digital signature practices
- Ask: procurement checklists or specs for digital signature tools
  Good: will have documented evidence of this criterion being checked
- Ask: system update logs showing recent updates to support secure hashing
  Good: log will show relevant updates applied and verified by IT staff
- Ask: the organisation's documented security policy on digital signatures
  Good: policy will have these algorithms clearly stated
Cross-framework mappings
How ISM-1994 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.24 | ISM-1994 requires organisations to use specific minimum-strength hash functions (SHA-384 for ML-DSA-65 pre-hash and SHA-512 for ML-DSA-87... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.