I glanced through the document, and noticed that it never mentioned the 'context' input to SLH-DSA.
'Context' is a string, from 0 to 255 bytes, that the signer and the verifier both specify (and if they disagree, the signature verification will fail). The goal behind this is to allow you to use the same private key in different contexts without the uses interfering with each other. For example, if a CBOR signature generation uses a context of "COSE", and a JSON signature generation uses a context of "JOSE", then a signature generated by CBOR cannot be used by an adversary in a JSON context.

What does this mean for this document? Well, you should specify what it is (and I have no opinion about what you select). You may decide to use an empty (0 byte) context; that's perfectly valid. You don't get this 'an attacker cannot take the signature and plop it down into a different context' protection, but you might decide it's not needed (perhaps you never expect the same private/public key to be used for both CBOR and JSON, or because the data being signed doesn't make sense in a different context, or because traditional RSA or ECDSA signatures didn't provide such protection and you never had a problem there). Alternatively, you can specify a nonempty context, and gain some protection. Whichever you choose, the document should specify it.

Thank you (and most likely the Falcon draft will need to specify that as well)
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
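Added example, not part of the mailing-list post above or of any COSE/JOSE draft: it shows the message formatting that makes the context string work in pure SLH-DSA, where FIPS 205 (Algorithms 22 and 24) signs and verifies M' = toByte(0,1) || toByte(|ctx|,1) || ctx || M and rejects any ctx longer than 255 bytes. The inner signing routine here is an assumption for illustration only: an HMAC-SHA-256 stand-in so the script runs offline, NOT slh_sign_internal, so the "public key" is simply the same secret. The key, message and context values are constructed for the demonstration.

```python
import hmac
import hashlib


def _stand_in_sign_internal(sk: bytes, m_prime: bytes) -> bytes:
    """Stand-in for slh_sign_internal (assumption, not SLH-DSA): HMAC-SHA-256
    over the already-encoded M'. Only the context encoding around it matters."""
    return hmac.new(sk, m_prime, hashlib.sha256).digest()


def _stand_in_verify_internal(pk: bytes, m_prime: bytes, sig: bytes) -> bool:
    """Symmetric counterpart of the stand-in above (pk == sk here)."""
    return hmac.compare_digest(_stand_in_sign_internal(pk, m_prime), sig)


def encode_message(ctx: bytes, msg: bytes) -> bytes:
    """FIPS 205 pure-SLH-DSA message encoding:
    M' = toByte(0,1) || toByte(|ctx|,1) || ctx || M.
    The leading 0x00 separates pure from pre-hash (0x01) signing; the length
    byte fixes the ctx/M boundary so the pair cannot be re-split."""
    if len(ctx) > 255:
        raise ValueError("context string must be at most 255 bytes")
    return b"\x00" + bytes([len(ctx)]) + ctx + msg


def sign(sk: bytes, msg: bytes, ctx: bytes = b"") -> bytes:
    """slh_sign-style wrapper: encode with the context, then sign M'."""
    return _stand_in_sign_internal(sk, encode_message(ctx, msg))


def verify(pk: bytes, msg: bytes, sig: bytes, ctx: bytes = b"") -> bool:
    """slh_verify-style wrapper: an over-long context is a failure, not an error."""
    if len(ctx) > 255:
        return False
    return _stand_in_verify_internal(pk, encode_message(ctx, msg), sig)


def demo() -> dict:
    """Sign once under a 'COSE' context and try to reuse the signature elsewhere."""
    key = b"\x01" * 32                      # constructed stand-in key
    msg = b'{"sub":"alice","scope":"admin"}'  # constructed payload
    sig = sign(key, msg, b"COSE")

    # Adversary replays the COSE-context signature in a different context.
    # Only the matching context verifies; the length prefix also stops a
    # shifted ctx/message boundary from colliding with the original encoding.
    shifted_sig = sign(key, b"E" + msg, b"COS")
    return {
        "same_ctx": verify(key, msg, sig, b"COSE"),
        "other_ctx": verify(key, msg, sig, b"JOSE"),
        "empty_ctx": verify(key, msg, sig, b""),
        "shifted_boundary": verify(key, msg, shifted_sig, b"COSE"),
        "ctx_too_long": verify(key, msg, sig, b"x" * 256),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'rejected'}")
```

The empty-context case is the one the post calls "perfectly valid": it still verifies when both sides agree on ctx = b"", but a signature made under "COSE" is rejected there, which is exactly the cross-protocol reuse the context string is meant to block.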
