lamps-wg / dilithium-certificates

I-D that describes the algorithm identifiers for NIST's PQC ML-DSA for use in the Internet X.509 Public Key Infrastructure

Should we use the context string? #24

Open bwesterb opened 1 month ago

bwesterb commented 1 month ago

Mike asks which context string to use. At the moment we don't set any.

This question is not specific to ML-DSA. Context strings have been discussed in general in this LAMPS thread.

ounsworth commented 1 month ago

The correct answer is probably to use the empty string. One good reason for this is backwards-compatibility with signature primitives that do not have ctx params (i.e., if we want to use the same context string across all signature schemes, then this is the only option), and even compatibility with crypto libraries that offer ML-DSA but do not have a .Sign() interface that accepts a ctx parameter.

Empty string is already the default in FIPS 204, so in theory nothing needs to be said in draft-dilithium-certificates, but it would probably be polite to put in a sentence.

bwesterb commented 1 month ago

There is an argument to be made to set a context string. Over time, the signature algorithms used will all have context. Also, requiring it here forces libraries to adopt it, which is very helpful to protocols where a context string is more useful but don't have the reach of X509. The clear downside is more work and added complexity. I have not made up my mind.

jakemas commented 1 month ago

I think we should probably include the context string, as any FIPS implementation of ML-DSA will have it included. However, I do agree that minimizing complexity is important. The use of the empty string seems the most reasonable solution here.

csosto-pk commented 1 month ago

I vote for empty string. It does not add anything in the X.509 context.

If folks insist, a simple context like the ASCII characters of "X.509 ML-DSA" would suffice imo.
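
Added illustration, not part of any comment in this thread and not code from the draft: what the two options discussed above mean for the bytes that actually get signed. FIPS 204's external ML-DSA.Sign (pure mode) prepends a zero byte, the context length, and the context to the message before the internal signing step; the helper names and the sample message below are assumptions made for this sketch.

```python
MAX_CTX_LEN = 255  # FIPS 204 limit on the context string, in bytes


def format_pure_message(message: bytes, ctx: bytes = b"") -> bytes:
    """Build M' = 0x00 || len(ctx) || ctx || M, the input to the internal signer.

    0x00 marks pure ML-DSA (HashML-DSA uses 0x01). Hypothetical helper name.
    """
    if len(ctx) > MAX_CTX_LEN:
        raise ValueError("context string longer than 255 bytes")
    return bytes([0x00, len(ctx)]) + ctx + message


def verifier_sees_same_input(message: bytes, signer_ctx: bytes,
                             verifier_ctx: bytes) -> bool:
    """True only if both sides feed identical bytes to the internal algorithm.

    A signature over a different M' will not verify, so a ctx mismatch
    between issuer and relying party is a hard interoperability failure.
    """
    return (format_pure_message(message, signer_ctx)
            == format_pure_message(message, verifier_ctx))


# Constructed sample input, not real DER.
TBS = b"constructed tbsCertificate bytes"
# The non-empty context floated in the thread.
X509_CTX = b"X.509 ML-DSA"

if __name__ == "__main__":
    # Empty ctx is not "no framing": two bytes are still prepended, so a
    # library without a ctx parameter interoperates only if it applies
    # this same prefix internally.
    print(format_pure_message(TBS).hex())
    print(format_pure_message(TBS, X509_CTX).hex())
    print(verifier_sees_same_input(TBS, X509_CTX, b""))
```

The length byte also keeps the framing unambiguous: context `A` with message `BC` and context `AB` with message `C` produce different inputs even though their concatenations match.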