Section 2.1 says: "... each element in the proof ...". In the previous
sentence, there is a discussion of "batching DLEQ proofs". I think
this is talking about each proof in the batch. Please clarify.
Section 6.1: Please consider definitions for domain and range.
The definitions probably go in Section 1.3, not in this section.
Comment: I think the description is abstract, and there is no need to define these terms.
Nits:
The document uses "byte array" and "byte string". I think it would be
helpful to pick one and use it throughout. (I have a mild preference
for byte string because it makes it easier to define "ASCII string
literals".)
Throughout the document: s/SHAKE-256/SHAKE256/
The curves referenced in [X9.62] are also available in [SEC2], which is
already being referenced. I think you can get away with one less
reference.
Comment: Still using X9.62, as it appeared before SEC2.
Section 3.1: s/a one-byte value/a one-byte value (in hexadecimal)/
Section 6.2.1 says: "... VOPRF protocol Section 6.1 ...". There seem
to be some words missing. I think this is trying to say: "... VOPRF
protocol specified in Section 6.1 of this document ...".
Suggestion:
Once the change log is removed by the RFC Editor, the rationale for
having both ComputeComposites and ComputeCompositesFast will be lost.
Please add some text to the body of the document to capture this
detail.
Addresses comments by RH.