I have the following proposed editing changes to
[draft-ietf-lamps-pq-composite-sigs-03.txt]:
Title
OLD: Composite ML-DSA For use in X.509 Public Key Infrastructure and CMS
NEW: Composite ML-DSA for use in X.509 Public Key Infrastructure and CMS

Section 3
OLD: separablity
NEW: separability

Section 4.2.2
OLD: conisting
NEW: consisting

Section 4.2.2 and 4.3.2
OLD: A placeholder for the specific ML-DSA algorithm and
     parameter set to use, for example "RSASA-PSS with id-sha256"
     or "Ed25519".
NEW: A placeholder for the specific traditional algorithm and
     parameter set to use, for example "RSASA-PSS with id-sha256"
     or "Ed25519".

Section 4.3 and 4.3.1
OLD: In the pre-hash mode the Domain separator Section 7.3 is concatenated
     (...)
NEW: In the pre-hash mode the Domain separator (see Section 7.3) is concatenated
     (...)

Section 4.3.1
OLD: This mode mirrors HashML-DSA.Sign(sk, M, ctx, PH) defined in Section 5.4.1
     of [FIPS.204].
NEW: This mode mirrors HashML-DSA.Sign(sk, M, ctx, PH) defined in Algorithm 4
     in Section 5.4.1 of [FIPS.204].
Rationale: similar to Section 4.2.2.

Section 5.1
OLD: For use with this document, ML-DSA keys MUST be be the raw BIT STRING
     representation as specified in (...)
NEW: For use with this document, ML-DSA keys MUST be the raw BIT STRING
     representation as specified in (...)

Section 5.4
I suggest considering changing nonRepudiation to contentCommitment as it is
more in line with the current version of RFC 5280.

Section 6.2
OLD: encoing
NEW: encoding

Section 7.1
OLD: Composite-ML-DSA Algorithm Identifiers
NEW: PureComposite-ML-DSA Algorithm Identifiers
Rationale: similar to Section 7.2.

Section 7.2
OLD: The Pre-Hash algorithm is used as the PH algorithm in and the DER Encoded
     OID value (...)
NEW: The Pre-Hash algorithm is used as the PH algorithm and the DER Encoded OID
     value (...)

Section 7.4
OLD: At the higher security levels of pre-hashed Composite ML-DSA, for
     example id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512, the 384-bit
     elliptic curve component is used with SHA2-384 is its pre-hash (i.e.
     the pre-hash that is considered to be internal to the ECDSA
     component), yet SHA2-512 is used as the pre-hash for the overall
     composite because in this case the pre-hash must not weaken the
     ML-DSA-87 component against a collision attack.
NEW: At the higher security levels of pre-hashed Composite ML-DSA, for
     example id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512, the 384-bit
     elliptic curve component is used with SHA2-384 which is its pre-hash
     (i.e. the pre-hash that is considered to be internal to the ECDSA
     component), yet SHA2-512 is used as the pre-hash for the overall
     composite because in this case the pre-hash must not weaken the
     ML-DSA-87 component against a collision attack.
Rationale: adding "which" seems reasonable to me, but I'm not a native
English speaker, so maybe my suggestion is inappropriate (I'm not sure).
Regards - Piotr Popis