RustCrypto · Jun 5, 2025
diff --git a/‎Cargo.lock
Lines changed: 2 additions & 2 deletions b/‎Cargo.lock
Lines changed: 2 additions & 2 deletions
diff --git a/‎dsa/Cargo.toml
Lines changed: 1 addition & 1 deletion b/‎dsa/Cargo.toml
Lines changed: 1 addition & 1 deletion
diff --git a/‎dsa/src/signing_key.rs
Lines changed: 9 additions & 2 deletions b/‎dsa/src/signing_key.rs
Lines changed: 9 additions & 2 deletions
diff --git a/‎dsa/src/verifying_key.rs
Lines changed: 14 additions & 2 deletions b/‎dsa/src/verifying_key.rs
Lines changed: 14 additions & 2 deletions
diff --git a/‎ecdsa/Cargo.toml
Lines changed: 1 addition & 1 deletion b/‎ecdsa/Cargo.toml
Lines changed: 1 addition & 1 deletion
diff --git a/‎ecdsa/src/recovery.rs
Lines changed: 16 additions & 2 deletions b/‎ecdsa/src/recovery.rs
Lines changed: 16 additions & 2 deletions
diff --git a/‎ecdsa/src/signing.rs
Lines changed: 69 additions & 4 deletions b/‎ecdsa/src/signing.rs
Lines changed: 69 additions & 4 deletions
diff --git a/‎ecdsa/src/verifying.rs
Lines changed: 59 additions & 6 deletions b/‎ecdsa/src/verifying.rs
Lines changed: 59 additions & 6 deletions
diff --git a/‎ed25519/Cargo.toml
Lines changed: 1 addition & 1 deletion b/‎ed25519/Cargo.toml
Lines changed: 1 addition & 1 deletion
diff --git a/‎lms/Cargo.toml
Lines changed: 1 addition & 1 deletion b/‎lms/Cargo.toml
Lines changed: 1 addition & 1 deletion
diff --git a/‎lms/src/lms/private.rs
Lines changed: 13 additions & 2 deletions b/‎lms/src/lms/private.rs
Lines changed: 13 additions & 2 deletions
diff --git a/‎lms/src/lms/public.rs
Lines changed: 8 additions & 2 deletions b/‎lms/src/lms/public.rs
Lines changed: 8 additions & 2 deletions
diff --git a/‎lms/src/ots/private.rs
Lines changed: 18 additions & 8 deletions b/‎lms/src/ots/private.rs
Lines changed: 18 additions & 8 deletions
diff --git a/‎lms/src/ots/public.rs
Lines changed: 14 additions & 2 deletions b/‎lms/src/ots/public.rs
Lines changed: 14 additions & 2 deletions
diff --git a/‎lms/src/ots/signature.rs
Lines changed: 16 additions & 7 deletions b/‎lms/src/ots/signature.rs
Lines changed: 16 additions & 7 deletions
diff --git a/‎ml-dsa/Cargo.toml
Lines changed: 1 addition & 1 deletion b/‎ml-dsa/Cargo.toml
Lines changed: 1 addition & 1 deletion
diff --git a/‎ml-dsa/src/lib.rs
Lines changed: 55 additions & 10 deletions b/‎ml-dsa/src/lib.rs
Lines changed: 55 additions & 10 deletions
diff --git a/‎slh-dsa/Cargo.toml
Lines changed: 1 addition & 1 deletion b/‎slh-dsa/Cargo.toml
Lines changed: 1 addition & 1 deletion
diff --git a/‎slh-dsa/src/hashes.rs
Lines changed: 4 additions & 4 deletions b/‎slh-dsa/src/hashes.rs
Lines changed: 4 additions & 4 deletions
diff --git a/‎slh-dsa/src/hashes/sha2.rs
Lines changed: 16 additions & 6 deletions b/‎slh-dsa/src/hashes/sha2.rs
Lines changed: 16 additions & 6 deletions
diff --git a/‎slh-dsa/src/hashes/shake.rs
Lines changed: 7 additions & 3 deletions b/‎slh-dsa/src/hashes/shake.rs
Lines changed: 7 additions & 3 deletions
diff --git a/‎slh-dsa/src/signing_key.rs
Lines changed: 34 additions & 5 deletions b/‎slh-dsa/src/signing_key.rs
Lines changed: 34 additions & 5 deletions
diff --git a/‎slh-dsa/src/verifying_key.rs
Lines changed: 27 additions & 4 deletions b/‎slh-dsa/src/verifying_key.rs
Lines changed: 27 additions & 4 deletions
@@ -22,7 +22,7 @@ crypto-primes = { version = "=0.7.0-pre.1", default-features = false }
 pkcs8 = { version = "0.11.0-rc.1", default-features = false, features = ["alloc"] }
 rfc6979 = { version = "0.5.0-rc.0" }
 sha2 = { version = "0.11.0-rc.0", default-features = false }
-signature = { version = "3.0.0-rc.0", default-features = false, features = ["alloc", "digest", "rand_core"] }
+signature = { version = "3.0.0-rc.1", default-features = false, features = ["alloc", "digest", "rand_core"] }
 zeroize = { version = "1", default-features = false }
 
 [dev-dependencies]
 
@@ -22,7 +22,7 @@ use pkcs8::{
 #[cfg(feature = "hazmat")]
 use signature::rand_core::CryptoRng;
 use signature::{
-    DigestSigner, RandomizedDigestSigner, Signer,
+    DigestSigner, MultipartSigner, RandomizedDigestSigner, Signer,
     hazmat::{PrehashSigner, RandomizedPrehashSigner},
     rand_core::TryCryptoRng,
 };
@@ -149,7 +149,14 @@ impl ZeroizeOnDrop for SigningKey {}
 
 impl Signer<Signature> for SigningKey {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature, signature::Error> {
-        let digest = sha2::Sha256::new_with_prefix(msg);
+        self.try_multipart_sign(&[msg])
+    }
+}
+
+impl MultipartSigner<Signature> for SigningKey {
+    fn try_multipart_sign(&self, msg: &[&[u8]]) -> Result<Signature, signature::Error> {
+        let mut digest = sha2::Sha256::new();
+        msg.iter().for_each(|slice| digest.update(slice));
         self.try_sign_digest(digest)
     }
 }
 
@@ -17,7 +17,7 @@ use pkcs8::{
     },
     spki,
 };
-use signature::{DigestVerifier, Verifier, hazmat::PrehashVerifier};
+use signature::{DigestVerifier, MultipartVerifier, Verifier, hazmat::PrehashVerifier};
 
 /// DSA public key.
 #[derive(Clone, Debug, PartialEq, PartialOrd)]
@@ -108,7 +108,19 @@ impl VerifyingKey {
 
 impl Verifier<Signature> for VerifyingKey {
     fn verify(&self, msg: &[u8], signature: &Signature) -> Result<(), signature::Error> {
-        self.verify_digest(sha2::Sha256::new_with_prefix(msg), signature)
+        self.multipart_verify(&[msg], signature)
+    }
+}
+
+impl MultipartVerifier<Signature> for VerifyingKey {
+    fn multipart_verify(
+        &self,
+        msg: &[&[u8]],
+        signature: &Signature,
+    ) -> Result<(), signature::Error> {
+        let mut digest = sha2::Sha256::new();
+        msg.iter().for_each(|slice| digest.update(slice));
+        self.verify_digest(digest, signature)
     }
 }
 
 
@@ -18,7 +18,7 @@ rust-version = "1.85"
 
 [dependencies]
 elliptic-curve = { version = "0.14.0-rc.3", default-features = false, features = ["sec1"] }
-signature = { version = "3.0.0-rc.0", default-features = false, features = ["rand_core"] }
+signature = { version = "3.0.0-rc.1", default-features = false, features = ["rand_core"] }
 zeroize = { version = "1.5", default-features = false }
 
 # optional dependencies
 
@@ -7,7 +7,7 @@ use {
     crate::{SigningKey, hazmat::sign_prehashed_rfc6979},
     elliptic_curve::{FieldBytes, subtle::CtOption},
     signature::{
-        DigestSigner, RandomizedDigestSigner, Signer,
+        DigestSigner, MultipartSigner, RandomizedDigestSigner, Signer,
         digest::FixedOutput,
         hazmat::{PrehashSigner, RandomizedPrehashSigner},
         rand_core::TryCryptoRng,
@@ -291,7 +291,21 @@ where
     SignatureSize<C>: ArraySize,
 {
     fn try_sign(&self, msg: &[u8]) -> Result<(Signature<C>, RecoveryId)> {
-        self.sign_recoverable(msg)
+        self.try_multipart_sign(&[msg])
+    }
+}
+
+#[cfg(feature = "signing")]
+impl<C> MultipartSigner<(Signature<C>, RecoveryId)> for SigningKey<C>
+where
+    C: EcdsaCurve + CurveArithmetic + DigestPrimitive,
+    Scalar<C>: Invert<Output = CtOption<Scalar<C>>>,
+    SignatureSize<C>: ArraySize,
+{
+    fn try_multipart_sign(&self, msg: &[&[u8]]) -> Result<(Signature<C>, RecoveryId)> {
+        let mut digest = C::Digest::new();
+        msg.iter().for_each(|slice| digest.update(slice));
+        self.sign_digest_recoverable(digest)
     }
 }
 
 
@@ -15,7 +15,8 @@ use elliptic_curve::{
     zeroize::{Zeroize, ZeroizeOnDrop},
 };
 use signature::{
-    DigestSigner, RandomizedDigestSigner, RandomizedSigner, Signer,
+    DigestSigner, MultipartSigner, RandomizedDigestSigner, RandomizedMultipartSigner,
+    RandomizedSigner, Signer,
     hazmat::{PrehashSigner, RandomizedPrehashSigner},
     rand_core::{CryptoRng, TryCryptoRng},
 };
@@ -176,7 +177,20 @@ where
     SignatureSize<C>: ArraySize,
 {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature<C>> {
-        self.try_sign_digest(C::Digest::new_with_prefix(msg))
+        self.try_multipart_sign(&[msg])
+    }
+}
+
+impl<C> MultipartSigner<Signature<C>> for SigningKey<C>
+where
+    C: EcdsaCurve + CurveArithmetic + DigestPrimitive,
+    Scalar<C>: Invert<Output = CtOption<Scalar<C>>>,
+    SignatureSize<C>: ArraySize,
+{
+    fn try_multipart_sign(&self, msg: &[&[u8]]) -> core::result::Result<Signature<C>, Error> {
+        let mut digest = C::Digest::new();
+        msg.iter().for_each(|slice| digest.update(slice));
+        self.try_sign_digest(digest)
     }
 }
 
@@ -234,7 +248,25 @@ where
         rng: &mut R,
         msg: &[u8],
     ) -> Result<Signature<C>> {
-        self.try_sign_digest_with_rng(rng, C::Digest::new_with_prefix(msg))
+        self.try_multipart_sign_with_rng(rng, &[msg])
+    }
+}
+
+impl<C> RandomizedMultipartSigner<Signature<C>> for SigningKey<C>
+where
+    Self: RandomizedDigestSigner<C::Digest, Signature<C>>,
+    C: EcdsaCurve + CurveArithmetic + DigestPrimitive,
+    Scalar<C>: Invert<Output = CtOption<Scalar<C>>>,
+    SignatureSize<C>: ArraySize,
+{
+    fn try_multipart_sign_with_rng<R: TryCryptoRng + ?Sized>(
+        &self,
+        rng: &mut R,
+        msg: &[&[u8]],
+    ) -> Result<Signature<C>> {
+        let mut digest = C::Digest::new();
+        msg.iter().for_each(|slice| digest.update(slice));
+        self.try_sign_digest_with_rng(rng, digest)
     }
 }
 
@@ -260,7 +292,21 @@ where
     SignatureSize<C>: ArraySize,
 {
     fn try_sign(&self, msg: &[u8]) -> Result<SignatureWithOid<C>> {
-        self.try_sign_digest(C::Digest::new_with_prefix(msg))
+        self.try_multipart_sign(&[msg])
+    }
+}
+
+impl<C> MultipartSigner<SignatureWithOid<C>> for SigningKey<C>
+where
+    C: EcdsaCurve + CurveArithmetic + DigestPrimitive,
+    C::Digest: AssociatedOid,
+    Scalar<C>: Invert<Output = CtOption<Scalar<C>>>,
+    SignatureSize<C>: ArraySize,
+{
+    fn try_multipart_sign(&self, msg: &[&[u8]]) -> Result<SignatureWithOid<C>> {
+        let mut digest = C::Digest::new();
+        msg.iter().for_each(|slice| digest.update(slice));
+        self.try_sign_digest(digest)
     }
 }
 
@@ -364,6 +410,25 @@ where
     }
 }
 
+#[cfg(feature = "der")]
+impl<C> RandomizedMultipartSigner<der::Signature<C>> for SigningKey<C>
+where
+    C: EcdsaCurve + CurveArithmetic + DigestPrimitive,
+    Scalar<C>: Invert<Output = CtOption<Scalar<C>>>,
+    SignatureSize<C>: ArraySize,
+    der::MaxSize<C>: ArraySize,
+    <FieldBytesSize<C> as Add>::Output: Add<der::MaxOverhead> + ArraySize,
+{
+    fn try_multipart_sign_with_rng<R: TryCryptoRng + ?Sized>(
+        &self,
+        rng: &mut R,
+        msg: &[&[u8]],
+    ) -> Result<der::Signature<C>> {
+        RandomizedMultipartSigner::<Signature<C>>::try_multipart_sign_with_rng(self, rng, msg)
+            .map(Into::into)
+    }
+}
+
 //
 // Other trait impls
 //
 
@@ -13,7 +13,7 @@ use elliptic_curve::{
     sec1::{self, CompressedPoint, EncodedPoint, FromEncodedPoint, ToEncodedPoint},
 };
 use signature::{
-    DigestVerifier, Verifier,
+    DigestVerifier, MultipartVerifier, Verifier,
     digest::{Digest, FixedOutput},
     hazmat::PrehashVerifier,
 };
@@ -178,7 +178,19 @@ where
     SignatureSize<C>: ArraySize,
 {
     fn verify(&self, msg: &[u8], signature: &Signature<C>) -> Result<()> {
-        self.verify_digest(C::Digest::new_with_prefix(msg), signature)
+        self.multipart_verify(&[msg], signature)
+    }
+}
+
+impl<C> MultipartVerifier<Signature<C>> for VerifyingKey<C>
+where
+    C: EcdsaCurve + CurveArithmetic + DigestPrimitive,
+    SignatureSize<C>: ArraySize,
+{
+    fn multipart_verify(&self, msg: &[&[u8]], signature: &Signature<C>) -> Result<()> {
+        let mut digest = C::Digest::new();
+        msg.iter().for_each(|slice| digest.update(slice));
+        self.verify_digest(digest, signature)
     }
 }
 
@@ -189,11 +201,38 @@ where
     SignatureSize<C>: ArraySize,
 {
     fn verify(&self, msg: &[u8], sig: &SignatureWithOid<C>) -> Result<()> {
+        self.multipart_verify(&[msg], sig)
+    }
+}
+
+#[cfg(feature = "sha2")]
+impl<C> MultipartVerifier<SignatureWithOid<C>> for VerifyingKey<C>
+where
+    C: EcdsaCurve + CurveArithmetic + DigestPrimitive,
+    SignatureSize<C>: ArraySize,
+{
+    fn multipart_verify(&self, msg: &[&[u8]], sig: &SignatureWithOid<C>) -> Result<()> {
         match sig.oid() {
-            ECDSA_SHA224_OID => self.verify_prehash(&Sha224::digest(msg), sig.signature()),
-            ECDSA_SHA256_OID => self.verify_prehash(&Sha256::digest(msg), sig.signature()),
-            ECDSA_SHA384_OID => self.verify_prehash(&Sha384::digest(msg), sig.signature()),
-            ECDSA_SHA512_OID => self.verify_prehash(&Sha512::digest(msg), sig.signature()),
+            ECDSA_SHA224_OID => {
+                let mut digest = Sha224::new();
+                msg.iter().for_each(|slice| digest.update(slice));
+                self.verify_prehash(&digest.finalize(), sig.signature())
+            }
+            ECDSA_SHA256_OID => {
+                let mut digest = Sha256::new();
+                msg.iter().for_each(|slice| digest.update(slice));
+                self.verify_prehash(&digest.finalize(), sig.signature())
+            }
+            ECDSA_SHA384_OID => {
+                let mut digest = Sha384::new();
+                msg.iter().for_each(|slice| digest.update(slice));
+                self.verify_prehash(&digest.finalize(), sig.signature())
+            }
+            ECDSA_SHA512_OID => {
+                let mut digest = Sha512::new();
+                msg.iter().for_each(|slice| digest.update(slice));
+                self.verify_prehash(&digest.finalize(), sig.signature())
+            }
             _ => Err(Error::new()),
         }
     }
@@ -242,6 +281,20 @@ where
     }
 }
 
+#[cfg(feature = "der")]
+impl<C> MultipartVerifier<der::Signature<C>> for VerifyingKey<C>
+where
+    C: EcdsaCurve + CurveArithmetic + DigestPrimitive,
+    SignatureSize<C>: ArraySize,
+    der::MaxSize<C>: ArraySize,
+    <FieldBytesSize<C> as Add>::Output: Add<der::MaxOverhead> + ArraySize,
+{
+    fn multipart_verify(&self, msg: &[&[u8]], signature: &der::Signature<C>) -> Result<()> {
+        let signature = Signature::<C>::try_from(signature.clone())?;
+        MultipartVerifier::<Signature<C>>::multipart_verify(self, msg, &signature)
+    }
+}
+
 //
 // Other trait impls
 //
 
@@ -18,7 +18,7 @@ edition = "2024"
 rust-version = "1.85"
 
 [dependencies]
-signature = { version = "3.0.0-rc.0", default-features = false }
+signature = { version = "3.0.0-rc.1", default-features = false }
 
 # optional dependencies
 pkcs8 = { version = "0.11.0-rc.2", optional = true }
 
@@ -18,7 +18,7 @@ rand = "0.9.0"
 sha2 = "0.11.0-rc.0"
 static_assertions = "1.1.0"
 rand_core = "0.9.0"
-signature = { version = "3.0.0-rc.0", features = ["alloc", "digest", "rand_core"] }
+signature = { version = "3.0.0-rc.1", features = ["alloc", "digest", "rand_core"] }
 typenum = { version = "1.17.0", features = ["const-generics"] }
 zeroize = "1.8.1"
 
 
@@ -8,7 +8,7 @@ use crate::types::{Identifier, Typecode};
 use digest::{Digest, Output, OutputSizeUser};
 use hybrid_array::{Array, ArraySize};
 use rand_core::{CryptoRng, TryCryptoRng};
-use signature::{Error, RandomizedSignerMut};
+use signature::{Error, RandomizedMultipartSignerMut, RandomizedSignerMut};
 
 use core::array::TryFromSliceError;
 use std::cmp::Ordering;
@@ -109,14 +109,25 @@ impl<Mode: LmsMode> RandomizedSignerMut<Signature<Mode>> for SigningKey<Mode> {
         &mut self,
         rng: &mut R,
         msg: &[u8],
+    ) -> Result<Signature<Mode>, Error> {
+        self.try_multipart_sign_with_rng(rng, &[msg])
+    }
+}
+
+// this implements the algorithm from Appendix D in <https://datatracker.ietf.org/doc/html/rfc8554#appendix-D>
+impl<Mode: LmsMode> RandomizedMultipartSignerMut<Signature<Mode>> for SigningKey<Mode> {
+    fn try_multipart_sign_with_rng<R: TryCryptoRng + ?Sized>(
+        &mut self,
+        rng: &mut R,
+        msg: &[&[u8]],
     ) -> Result<Signature<Mode>, Error> {
         if self.q >= Mode::LEAVES {
             return Err(Error::from_source(LmsOutOfPrivateKeys {}));
         }
 
         let mut ots_priv_key =
             OtsPrivateKey::<Mode::OtsMode>::new_from_seed(self.q, self.id, &self.seed);
-        let ots_sig = ots_priv_key.try_sign_with_rng(rng, msg)?;
+        let ots_sig = ots_priv_key.try_multipart_sign_with_rng(rng, msg)?;
 
         let r = (1 << Mode::H) + self.q;
 
 
@@ -9,7 +9,7 @@ use crate::types::Typecode;
 use crate::{constants::D_INTR, lms::LmsMode};
 use digest::{Digest, OutputSizeUser};
 use hybrid_array::{Array, ArraySize};
-use signature::{Error, Verifier};
+use signature::{Error, MultipartVerifier, Verifier};
 use typenum::{Sum, U24};
 
 //use crate::signature::Signature as Signature;
@@ -57,12 +57,18 @@ impl<Mode: LmsMode> VerifyingKey<Mode> {
 
 impl<Mode: LmsMode> Verifier<Signature<Mode>> for VerifyingKey<Mode> {
     fn verify(&self, msg: &[u8], signature: &Signature<Mode>) -> Result<(), Error> {
+        self.multipart_verify(&[msg], signature)
+    }
+}
+
+impl<Mode: LmsMode> MultipartVerifier<Signature<Mode>> for VerifyingKey<Mode> {
+    fn multipart_verify(&self, msg: &[&[u8]], signature: &Signature<Mode>) -> Result<(), Error> {
         // Compute the LMS Public Key Candidate Tc from the signature,
         //    message, identifier, pubtype, and ots_typecode, using
         //    Algorithm 6a.
         let key_candidate = signature
             .lmots_sig
-            .recover_pubkey(self.id, signature.q, msg);
+            .raw_recover_pubkey(self.id, signature.q, msg);
 
         let mut node_num = signature.q + Mode::LEAVES;
         let mut tmp = Mode::Hasher::new()
 
@@ -8,7 +8,7 @@ use crate::types::Identifier;
 use digest::{Digest, Output};
 use hybrid_array::Array;
 use rand_core::{CryptoRng, TryCryptoRng};
-use signature::{Error, RandomizedSignerMut};
+use signature::{Error, RandomizedMultipartSignerMut, RandomizedSignerMut};
 use zeroize::Zeroize;
 //use std::mem::MaybeUninit;
 
@@ -100,6 +100,16 @@ impl<Mode: LmsOtsMode> RandomizedSignerMut<Signature<Mode>> for SigningKey<Mode>
         &mut self,
         rng: &mut R,
         msg: &[u8],
+    ) -> Result<Signature<Mode>, Error> {
+        self.try_multipart_sign_with_rng(rng, &[msg])
+    }
+}
+
+impl<Mode: LmsOtsMode> RandomizedMultipartSignerMut<Signature<Mode>> for SigningKey<Mode> {
+    fn try_multipart_sign_with_rng<R: TryCryptoRng + ?Sized>(
+        &mut self,
+        rng: &mut R,
+        msg: &[&[u8]],
     ) -> Result<Signature<Mode>, Error> {
         if !self.valid {
             return Err(Error::from_source(LmsOtsInvalidPrivateKey {}));
@@ -110,13 +120,13 @@ impl<Mode: LmsOtsMode> RandomizedSignerMut<Signature<Mode>> for SigningKey<Mode>
         rng.try_fill_bytes(&mut c).map_err(|_| Error::new())?;
 
         // Q is the randomized message hash
-        let q = Mode::Hasher::new()
-            .chain_update(self.id)
-            .chain_update(self.q.to_be_bytes())
-            .chain_update(D_MESG)
-            .chain_update(&c)
-            .chain_update(msg)
-            .finalize();
+        let mut q_hasher = Mode::Hasher::new();
+        q_hasher.update(self.id);
+        q_hasher.update(self.q.to_be_bytes());
+        q_hasher.update(D_MESG);
+        q_hasher.update(&c);
+        msg.iter().for_each(|slice| q_hasher.update(slice));
+        let q = q_hasher.finalize();
 
         // Y is the signature. We iterate over the message hash and checksum expanded into Winternitz coefficients
         let y = Mode::expand(&q).into_iter().enumerate().map(|(i, a)| {
 
@@ -9,7 +9,7 @@ use crate::types::Identifier;
 use digest::{Output, OutputSizeUser};
 
 use hybrid_array::{Array, ArraySize};
-use signature::{Error, Verifier};
+use signature::{Error, MultipartVerifier, Verifier};
 use std::cmp::Ordering;
 use std::ops::Add;
 use typenum::{Sum, U2, U24};
@@ -48,9 +48,21 @@ where
 {
     // this implements algorithm 4a of https://datatracker.ietf.org/doc/html/rfc8554#section-4.6
     fn verify(&self, msg: &[u8], signature: &Signature<Mode>) -> Result<(), Error> {
+        self.multipart_verify(&[msg], signature)
+    }
+}
+
+impl<Mode: LmsOtsMode> MultipartVerifier<Signature<Mode>> for VerifyingKey<Mode>
+where
+    // required to concat Q and cksm(Q)
+    <Mode::Hasher as OutputSizeUser>::OutputSize: Add<U2>,
+    Sum<<Mode::Hasher as OutputSizeUser>::OutputSize, U2>: ArraySize,
+{
+    // this implements algorithm 4a of https://datatracker.ietf.org/doc/html/rfc8554#section-4.6
+    fn multipart_verify(&self, msg: &[&[u8]], signature: &Signature<Mode>) -> Result<(), Error> {
         // If the public key is not at least four bytes long, return INVALID.
         // We are calling this method on a valid public key so there's no worry here.
-        let kc = signature.recover_pubkey(self.id, self.q, msg);
+        let kc = signature.raw_recover_pubkey(self.id, self.q, msg);
         // 4. If Kc is equal to K, return VALID; otherwise, return INVALID.
         if self.k == kc.k {
             Ok(())
 
@@ -106,16 +106,25 @@ impl<Mode: LmsOtsMode> Signature<Mode> {
     /// algorithm 4b of the LMS RFC. The signature will always be valid for
     /// the returned public key candidate.
     pub fn recover_pubkey(&self, id: Identifier, q: u32, msg: &[u8]) -> VerifyingKey<Mode> {
+        self.raw_recover_pubkey(id, q, &[msg])
+    }
+
+    pub(crate) fn raw_recover_pubkey(
+        &self,
+        id: Identifier,
+        q: u32,
+        msg: &[&[u8]],
+    ) -> VerifyingKey<Mode> {
         // algorithm 4b
 
         // Q = H(I || u32str(q) || u16str(D_MESG) || C || message)
-        let msg_hash = Mode::Hasher::new()
-            .chain_update(id)
-            .chain_update(q.to_be_bytes())
-            .chain_update(D_MESG)
-            .chain_update(&self.c)
-            .chain_update(msg)
-            .finalize();
+        let mut msg_hasher = Mode::Hasher::new();
+        msg_hasher.update(id);
+        msg_hasher.update(q.to_be_bytes());
+        msg_hasher.update(D_MESG);
+        msg_hasher.update(&self.c);
+        msg.iter().for_each(|slice| msg_hasher.update(slice));
+        let msg_hash = msg_hasher.finalize();
 
         // first part of
         // Kc = H(I || u32str(q) || u16str(D_PBLC) || z[0] || z[1] || ... || z[p-1])
 
@@ -36,7 +36,7 @@ hybrid-array = { version = "0.3", features = ["extra-sizes"] }
 num-traits = "0.2.19"
 rand_core = { version = "0.9", optional = true }
 sha3 = "0.11.0-rc.0"
-signature = "3.0.0-rc.0"
+signature = "3.0.0-rc.1"
 zeroize = { version = "1.8.1", optional = true, default-features = false }
 
 const-oid = { version = "0.10", features = ["db"], optional = true }
 
@@ -89,7 +89,7 @@ use core::fmt;
 
 pub use crate::param::{EncodedSignature, EncodedSigningKey, EncodedVerifyingKey, MlDsaParams};
 pub use crate::util::B32;
-pub use signature::{self, Error};
+pub use signature::{self, Error, MultipartSigner, MultipartVerifier};
 
 /// An ML-DSA signature
 #[derive(Clone, PartialEq, Debug)]
@@ -168,10 +168,10 @@ where
 // This method takes a slice of slices so that we can accommodate the varying calculations (direct
 // for test vectors, 0... for sign/sign_deterministic, 1... for the pre-hashed version) without
 // having to allocate memory for components.
-fn message_representative(tr: &[u8], Mp: &[&[u8]]) -> B64 {
+fn message_representative(tr: &[u8], Mp: &[&[&[u8]]]) -> B64 {
     let mut h = H::default().absorb(tr);
 
-    for m in Mp {
+    for m in Mp.iter().copied().flatten() {
         h = h.absorb(m);
     }
 
@@ -245,7 +245,15 @@ where
 /// only supports signing with an empty context string.
 impl<P: MlDsaParams> signature::Signer<Signature<P>> for KeyPair<P> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature<P>, Error> {
-        self.signing_key.sign_deterministic(msg, &[])
+        self.try_multipart_sign(&[msg])
+    }
+}
+
+/// The `Signer` implementation for `KeyPair` uses the optional deterministic variant of ML-DSA, and
+/// only supports signing with an empty context string.
+impl<P: MlDsaParams> MultipartSigner<Signature<P>> for KeyPair<P> {
+    fn try_multipart_sign(&self, msg: &[&[u8]]) -> Result<Signature<P>, Error> {
+        self.signing_key.raw_sign_deterministic(msg, &[])
     }
 }
 
@@ -350,6 +358,13 @@ impl<P: MlDsaParams> SigningKey<P> {
     // Algorithm 7 ML-DSA.Sign_internal
     // TODO(RLB) Only expose based on a feature.  Tests need access, but normal code shouldn't.
     pub fn sign_internal(&self, Mp: &[&[u8]], rnd: &B32) -> Signature<P>
+    where
+        P: MlDsaParams,
+    {
+        self.raw_sign_internal(&[Mp], rnd)
+    }
+
+    fn raw_sign_internal(&self, Mp: &[&[&[u8]]], rnd: &B32) -> Signature<P>
     where
         P: MlDsaParams,
     {
@@ -440,13 +455,17 @@ impl<P: MlDsaParams> SigningKey<P> {
     /// This method will return an opaque error if the context string is more than 255 bytes long.
     // Algorithm 2 ML-DSA.Sign (optional deterministic variant)
     pub fn sign_deterministic(&self, M: &[u8], ctx: &[u8]) -> Result<Signature<P>, Error> {
+        self.raw_sign_deterministic(&[M], ctx)
+    }
+
+    fn raw_sign_deterministic(&self, M: &[&[u8]], ctx: &[u8]) -> Result<Signature<P>, Error> {
         if ctx.len() > 255 {
             return Err(Error::new());
         }
 
         let rnd = B32::default();
-        let Mp = &[&[0], &[Truncate::truncate(ctx.len())], ctx, M];
-        Ok(self.sign_internal(Mp, &rnd))
+        let Mp = &[&[&[0], &[Truncate::truncate(ctx.len())], ctx], M];
+        Ok(self.raw_sign_internal(Mp, &rnd))
     }
 
     /// Encode the key in a fixed-size byte array.
@@ -492,7 +511,16 @@ impl<P: MlDsaParams> SigningKey<P> {
 /// string, use the [`SigningKey::sign_deterministic`] method.
 impl<P: MlDsaParams> signature::Signer<Signature<P>> for SigningKey<P> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature<P>, Error> {
-        self.sign_deterministic(msg, &[])
+        self.try_multipart_sign(&[msg])
+    }
+}
+
+/// The `Signer` implementation for `SigningKey` uses the optional deterministic variant of ML-DSA, and
+/// only supports signing with an empty context string.  If you would like to include a context
+/// string, use the [`SigningKey::sign_deterministic`] method.
+impl<P: MlDsaParams> MultipartSigner<Signature<P>> for SigningKey<P> {
+    fn try_multipart_sign(&self, msg: &[&[u8]]) -> Result<Signature<P>, Error> {
+        self.raw_sign_deterministic(msg, &[])
     }
 }
 
@@ -576,6 +604,13 @@ impl<P: MlDsaParams> VerifyingKey<P> {
     /// and it does not separate the context string from the rest of the message.
     // Algorithm 8 ML-DSA.Verify_internal
     pub fn verify_internal(&self, Mp: &[&[u8]], sigma: &Signature<P>) -> bool
+    where
+        P: MlDsaParams,
+    {
+        self.raw_verify_internal(&[Mp], sigma)
+    }
+
+    fn raw_verify_internal(&self, Mp: &[&[&[u8]]], sigma: &Signature<P>) -> bool
     where
         P: MlDsaParams,
     {
@@ -605,12 +640,16 @@ impl<P: MlDsaParams> VerifyingKey<P> {
     /// This algorithm reflect the ML-DSA.Verify algorithm from FIPS 204.
     // Algorithm 3 ML-DSA.Verify
     pub fn verify_with_context(&self, M: &[u8], ctx: &[u8], sigma: &Signature<P>) -> bool {
+        self.raw_verify_with_context(&[M], ctx, sigma)
+    }
+
+    fn raw_verify_with_context(&self, M: &[&[u8]], ctx: &[u8], sigma: &Signature<P>) -> bool {
         if ctx.len() > 255 {
             return false;
         }
 
-        let Mp = &[&[0], &[Truncate::truncate(ctx.len())], ctx, M];
-        self.verify_internal(Mp, sigma)
+        let Mp = &[&[&[0], &[Truncate::truncate(ctx.len())], ctx], M];
+        self.raw_verify_internal(Mp, sigma)
     }
 
     fn encode_internal(rho: &B32, t1: &Vector<P::K>) -> EncodedVerifyingKey<P> {
@@ -635,7 +674,13 @@ impl<P: MlDsaParams> VerifyingKey<P> {
 
 impl<P: MlDsaParams> signature::Verifier<Signature<P>> for VerifyingKey<P> {
     fn verify(&self, msg: &[u8], signature: &Signature<P>) -> Result<(), Error> {
-        self.verify_with_context(msg, &[], signature)
+        self.multipart_verify(&[msg], signature)
+    }
+}
+
+impl<P: MlDsaParams> MultipartVerifier<Signature<P>> for VerifyingKey<P> {
+    fn multipart_verify(&self, msg: &[&[u8]], signature: &Signature<P>) -> Result<(), Error> {
+        self.raw_verify_with_context(msg, &[], signature)
             .then_some(())
             .ok_or(Error::new())
     }
 
@@ -21,7 +21,7 @@ typenum = { version = "1.17.0", features = ["const-generics"] }
 sha3 = { version = "0.11.0-rc.0", default-features = false }
 zerocopy = { version = "0.7.34", features = ["derive"] }
 rand_core = { version = "0.9.2" }
-signature = { version = "3.0.0-rc.0", features = ["rand_core"] }
+signature = { version = "3.0.0-rc.1", features = ["rand_core"] }
 hmac = "0.13.0-prc.0"
 sha2 = { version = "0.11.0-rc.0", default-features = false }
 digest = "0.11.0-rc.0"
 
@@ -23,15 +23,15 @@ pub(crate) trait HashSuite: Sized + Clone + Debug + PartialEq + Eq {
     fn prf_msg(
         sk_prf: &SkPrf<Self::N>,
         opt_rand: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::N>;
 
     /// Hashes a message using a given randomizer
     fn h_msg(
         rand: &Array<u8, Self::N>,
         pk_seed: &PkSeed<Self::N>,
         pk_root: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::M>;
 
     /// PRF that is used to generate the secret values in WOTS+ and FORS private keys.
@@ -76,7 +76,7 @@ mod tests {
         let opt_rand = Array::<u8, H::N>::from_fn(|_| 1);
         let msg = [2u8; 32];
 
-        let result = H::prf_msg(&sk_prf, &opt_rand, &[msg]);
+        let result = H::prf_msg(&sk_prf, &opt_rand, &[&[msg]]);
 
         assert_eq!(result.as_slice(), expected);
     }
@@ -87,7 +87,7 @@ mod tests {
         let pk_root = Array::<u8, H::N>::from_fn(|_| 2);
         let msg = [3u8; 32];
 
-        let result = H::h_msg(&rand, &pk_seed, &pk_root, &[msg]);
+        let result = H::h_msg(&rand, &pk_seed, &pk_root, &[&[msg]]);
 
         assert_eq!(result.as_slice(), expected);
     }
 
@@ -61,11 +61,13 @@ where
     fn prf_msg(
         sk_prf: &SkPrf<Self::N>,
         opt_rand: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::N> {
         let mut mac = Hmac::<Sha256>::new_from_slice(sk_prf.as_ref()).unwrap();
         mac.update(opt_rand.as_slice());
         msg.iter()
+            .copied()
+            .flatten()
             .for_each(|msg_part| mac.update(msg_part.as_ref()));
         let result = mac.finalize().into_bytes();
         Array::clone_from_slice(&result[..Self::N::USIZE])
@@ -75,13 +77,16 @@ where
         rand: &Array<u8, Self::N>,
         pk_seed: &PkSeed<Self::N>,
         pk_root: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::M> {
         let mut h = Sha256::new();
         h.update(rand);
         h.update(pk_seed);
         h.update(pk_root);
-        msg.iter().for_each(|msg_part| h.update(msg_part.as_ref()));
+        msg.iter()
+            .copied()
+            .flatten()
+            .for_each(|msg_part| h.update(msg_part.as_ref()));
         let result = Array(h.finalize().into());
         let seed = rand.clone().concat(pk_seed.0.clone()).concat(result);
         mgf1::<Sha256, Self::M>(&seed)
@@ -224,11 +229,13 @@ where
     fn prf_msg(
         sk_prf: &SkPrf<Self::N>,
         opt_rand: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::N> {
         let mut mac = Hmac::<Sha512>::new_from_slice(sk_prf.as_ref()).unwrap();
         mac.update(opt_rand.as_slice());
         msg.iter()
+            .copied()
+            .flatten()
             .for_each(|msg_part| mac.update(msg_part.as_ref()));
         let result = mac.finalize().into_bytes();
         Array::clone_from_slice(&result[..Self::N::USIZE])
@@ -238,13 +245,16 @@ where
         rand: &Array<u8, Self::N>,
         pk_seed: &PkSeed<Self::N>,
         pk_root: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::M> {
         let mut h = Sha512::new();
         h.update(rand);
         h.update(pk_seed);
         h.update(pk_root);
-        msg.iter().for_each(|msg_part| h.update(msg_part.as_ref()));
+        msg.iter()
+            .copied()
+            .flatten()
+            .for_each(|msg_part| h.update(msg_part.as_ref()));
         let result = Array(h.finalize().into());
         let seed = rand.clone().concat(pk_seed.0.clone()).concat(result);
         mgf1::<Sha512, Self::M>(&seed)
 
@@ -35,12 +35,14 @@ where
     fn prf_msg(
         sk_prf: &SkPrf<Self::N>,
         opt_rand: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::N> {
         let mut hasher = Shake256::default();
         hasher.update(sk_prf.as_ref());
         hasher.update(opt_rand.as_slice());
         msg.iter()
+            .copied()
+            .flatten()
             .for_each(|msg_part| hasher.update(msg_part.as_ref()));
         let mut output = Array::<u8, Self::N>::default();
         hasher.finalize_xof_into(&mut output);
@@ -51,13 +53,15 @@ where
         rand: &Array<u8, Self::N>,
         pk_seed: &PkSeed<Self::N>,
         pk_root: &Array<u8, Self::N>,
-        msg: &[impl AsRef<[u8]>],
+        msg: &[&[impl AsRef<[u8]>]],
     ) -> Array<u8, Self::M> {
         let mut hasher = Shake256::default();
         hasher.update(rand.as_slice());
         hasher.update(pk_seed.as_ref());
         hasher.update(pk_root.as_ref());
         msg.iter()
+            .copied()
+            .flatten()
             .for_each(|msg_part| hasher.update(msg_part.as_ref()));
         let mut output = Array::<u8, Self::M>::default();
         hasher.finalize_xof_into(&mut output);
@@ -276,7 +280,7 @@ mod tests {
 
         let expected = hex!("bc5c062307df0a41aeeae19ad655f7b2");
 
-        let result = H::prf_msg(&sk_prf, &opt_rand, &[msg]);
+        let result = H::prf_msg(&sk_prf, &opt_rand, &[&[msg]]);
 
         assert_eq!(result.as_slice(), expected);
     }
 
@@ -4,7 +4,7 @@ use crate::util::split_digest;
 use crate::verifying_key::VerifyingKey;
 use crate::{ParameterSet, PkSeed, Sha2L1, Sha2L35, Shake, VerifyingKeyLen};
 use ::signature::{
-    Error, KeypairRef, RandomizedSigner, Signer,
+    Error, KeypairRef, MultipartSigner, RandomizedMultipartSigner, RandomizedSigner, Signer,
     rand_core::{CryptoRng, TryCryptoRng},
 };
 use hybrid_array::{Array, ArraySize};
@@ -133,6 +133,10 @@ impl<P: ParameterSet> SigningKey<P> {
     /// Published for KAT validation purposes but not intended for general use.
     /// opt_rand must be a P::N length slice, panics otherwise.
     pub fn slh_sign_internal(&self, msg: &[&[u8]], opt_rand: Option<&[u8]>) -> Signature<P> {
+        self.raw_slh_sign_internal(&[msg], opt_rand)
+    }
+
+    fn raw_slh_sign_internal(&self, msg: &[&[&[u8]]], opt_rand: Option<&[u8]>) -> Signature<P> {
         let rand = opt_rand
             .unwrap_or(&self.verifying_key.pk_seed.0)
             .try_into()
@@ -167,12 +171,21 @@ impl<P: ParameterSet> SigningKey<P> {
         msg: &[u8],
         ctx: &[u8],
         opt_rand: Option<&[u8]>,
+    ) -> Result<Signature<P>, Error> {
+        self.raw_try_sign_with_context(&[msg], ctx, opt_rand)
+    }
+
+    fn raw_try_sign_with_context(
+        &self,
+        msg: &[&[u8]],
+        ctx: &[u8],
+        opt_rand: Option<&[u8]>,
     ) -> Result<Signature<P>, Error> {
         let ctx_len = u8::try_from(ctx.len()).map_err(|_| Error::new())?;
         let ctx_len_bytes = ctx_len.to_be_bytes();
 
-        let ctx_msg = [&[0], &ctx_len_bytes, ctx, msg];
-        Ok(self.slh_sign_internal(&ctx_msg, opt_rand))
+        let ctx_msg = [&[&[0], &ctx_len_bytes, ctx], msg];
+        Ok(self.raw_slh_sign_internal(&ctx_msg, opt_rand))
     }
 
     /// Serialize the signing key to a new stack-allocated array
@@ -218,7 +231,13 @@ impl<P: ParameterSet> TryFrom<&[u8]> for SigningKey<P> {
 
 impl<P: ParameterSet> Signer<Signature<P>> for SigningKey<P> {
     fn try_sign(&self, msg: &[u8]) -> Result<Signature<P>, Error> {
-        self.try_sign_with_context(msg, &[], None)
+        self.try_multipart_sign(&[msg])
+    }
+}
+
+impl<P: ParameterSet> MultipartSigner<Signature<P>> for SigningKey<P> {
+    fn try_multipart_sign(&self, msg: &[&[u8]]) -> Result<Signature<P>, Error> {
+        self.raw_try_sign_with_context(msg, &[], None)
     }
 }
 
@@ -228,10 +247,20 @@ impl<P: ParameterSet> RandomizedSigner<Signature<P>> for SigningKey<P> {
         rng: &mut R,
         msg: &[u8],
     ) -> Result<Signature<P>, signature::Error> {
+        self.try_multipart_sign_with_rng(rng, &[msg])
+    }
+}
+
+impl<P: ParameterSet> RandomizedMultipartSigner<Signature<P>> for SigningKey<P> {
+    fn try_multipart_sign_with_rng<R: TryCryptoRng + ?Sized>(
+        &self,
+        rng: &mut R,
+        msg: &[&[u8]],
+    ) -> Result<Signature<P>, Error> {
         let mut randomizer = Array::<u8, P::N>::default();
         rng.try_fill_bytes(randomizer.as_mut_slice())
             .map_err(|_| signature::Error::new())?;
-        self.try_sign_with_context(msg, &[], Some(&randomizer))
+        self.raw_try_sign_with_context(msg, &[], Some(&randomizer))
     }
 }
 
 
@@ -5,7 +5,7 @@ use crate::Shake;
 use crate::address::ForsTree;
 use crate::signature_encoding::Signature;
 use crate::util::split_digest;
-use ::signature::{Error, Verifier};
+use ::signature::{Error, MultipartVerifier, Verifier};
 use hybrid_array::{Array, ArraySize};
 use pkcs8::{der, spki};
 use rand_core::CryptoRng;
@@ -59,6 +59,14 @@ impl<P: ParameterSet + VerifyingKeyLen> VerifyingKey<P> {
         &self,
         msg: &[&[u8]],
         signature: &Signature<P>,
+    ) -> Result<(), Error> {
+        self.raw_slh_verify_internal(&[msg], signature)
+    }
+
+    fn raw_slh_verify_internal(
+        &self,
+        msg: &[&[&[u8]]],
+        signature: &Signature<P>,
     ) -> Result<(), Error> {
         let pk_seed = &self.pk_seed;
         let randomizer = &signature.randomizer;
@@ -84,12 +92,21 @@ impl<P: ParameterSet + VerifyingKeyLen> VerifyingKey<P> {
         msg: &[u8],
         ctx: &[u8],
         signature: &Signature<P>,
+    ) -> Result<(), Error> {
+        self.raw_try_verify_with_context(&[msg], ctx, signature)
+    }
+
+    fn raw_try_verify_with_context(
+        &self,
+        msg: &[&[u8]],
+        ctx: &[u8],
+        signature: &Signature<P>,
     ) -> Result<(), Error> {
         let ctx_len = u8::try_from(ctx.len()).map_err(|_| Error::new())?;
         let ctx_len_bytes = ctx_len.to_be_bytes();
 
-        let ctx_msg = [&[0], &ctx_len_bytes, ctx, msg];
-        self.slh_verify_internal(&ctx_msg, signature) // TODO - context processing
+        let ctx_msg = [&[&[0], &ctx_len_bytes, ctx], msg];
+        self.raw_slh_verify_internal(&ctx_msg, signature) // TODO - context processing
     }
 
     /// Serialize the verifying key to a new stack-allocated array
@@ -151,7 +168,13 @@ impl<P: ParameterSet> TryFrom<&[u8]> for VerifyingKey<P> {
 
 impl<P: ParameterSet> Verifier<Signature<P>> for VerifyingKey<P> {
     fn verify(&self, msg: &[u8], signature: &Signature<P>) -> Result<(), Error> {
-        self.try_verify_with_context(msg, &[], signature) // TODO - context processing
+        self.multipart_verify(&[msg], signature)
+    }
+}
+
+impl<P: ParameterSet> MultipartVerifier<Signature<P>> for VerifyingKey<P> {
+    fn multipart_verify(&self, msg: &[&[u8]], signature: &Signature<P>) -> Result<(), Error> {
+        self.raw_try_verify_with_context(msg, &[], signature) // TODO - context processing
     }
 }