For comparison: "ML-DSA for JOSE and COSE <https://www.ietf.org/archive/id/draft-ietf-cose-dilithium-11.html#name-ml-dsa-algorithms>" defines that "The ctx parameter *MUST* be the empty string for ML-DSA-44, ML-DSA-65 and ML-DSA-87."
I'll also note that the draft "Split Signing Algorithms for COSE <https://datatracker.ietf.org/doc/draft-lundberg-cose-two-party-signing-algs/>" defines a COSE_Sign_Args data structure designed to convey additional arguments such as this, but only internally during the signing operation. Signed objects would need to be tagged with `ctx` in some other way, for example using some JOSE/COSE header. Emil Lundberg Staff Engineer | Yubico <http://www.yubico.com/> Den tors 19 mars 2026 kl 10:18 skrev Scott Fluhrer (sfluhrer) <sfluhrer= [email protected]>: > I glanced through the document, and noticed that it never mentioned the > 'context' input to SLH-DSA. > > 'Context' is a string, from 0 to 255 bytes, that the signer and the verify > both specify (and if they disagree, the signature verification will fail). > > The goal behind this is to allow you to use the same private key in > different contexts without the uses interfering with each other. For > example, if a COBR signature generation uses a context of "COSE", and a > JSON signature generation uses a context of "JOSE", then a signature > generated by COBR cannot be used by an adversary in a JSON context. > > What does this mean for this document? Well, you should specify what it > is (and I have no opinion about what you select). > > You may decide to use an empty (0 byte) context; that's perfectly valid. > You don't get this 'an attacker cannot take the signature and plop it down > into a different context' protection, but you might decide it's not needed > (perhaps you never expect that the same private/public key to be used for > both CBOR and JSON, or because the data being signed doesn't make sense in > a different context, or that traditional RSA or ECDSA signatures didn't > provide such protection and you never had a problem there). > > Alternatively, you can specify a nonempty context, and gain some > protection. > > Whichever you choose, the document should specify it. > > Thanks you (and most likely the Falcon draft will need to specify that as > well) > _______________________________________________ > COSE mailing list -- [email protected] > To unsubscribe send an email to [email protected] >
_______________________________________________ COSE mailing list -- [email protected] To unsubscribe send an email to [email protected]
