I've been going through all the closed context-related issues. #42 says that you decided on ML-DSA.Sign( K1, A1, M', ctx ), ctx being what was passed into the composite Sign function (#42 (comment)). I haven't seen any more recent comments that update that. However, draft -03 says ML-DSA.Sign( mldsaSK, M', ctx=Domain ). Here the context is Domain.
I just want to verify that this was an intended change between that comment and the draft, and not a mistake.
FWIW, I think that the draft is correct and Domain is the way to go because it protects against (signature collisions) / (EUF-CMA attacks) / (I don't know the terminology) where Composite.Sign(M, ctx) would have the same signature as ML-DSA.Sign(Domain || len(ctx) || ctx || M, ctx). Changing the latter context to Domain avoids the collision.
I also feel in the back of my head that using Domain || HASH(ctx) would be even better, but I can't express why. It just feels safer to mix the application context in all the way down. But perhaps because the application context is already in M' this doesn't matter.
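As an added illustration (not code from the issue or the draft), the following models the byte string that ML-DSA.Sign in pure mode (FIPS 204) hands to its internal signing routine, 0x00 || len(ctx) || ctx || M, for the -02 style inner call, the -03 style inner call, and a standalone ML-DSA signature over M' with the application ctx. DOMAIN is a constructed placeholder for the draft's domain separator, not the real value.

```python
# Constructed placeholder for the composite Domain separator; the draft
# defines the real value (an encoded OID), which is not reproduced here.
DOMAIN = b"COMPOSITE-DOMAIN-PLACEHOLDER"


def composite_m_prime(domain: bytes, ctx: bytes, msg: bytes) -> bytes:
    """M' = Domain || len(ctx) || ctx || M, as built by the composite Sign."""
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return domain + bytes([len(ctx)]) + ctx + msg


def mldsa_message_representative(msg: bytes, ctx: bytes) -> bytes:
    """Pure-mode ML-DSA (FIPS 204, Algorithm 2) signs over
    0x00 || len(ctx) || ctx || M; this returns that byte string."""
    if len(ctx) > 255:
        raise ValueError("ctx must be at most 255 bytes")
    return b"\x00" + bytes([len(ctx)]) + ctx + msg


def inner_input_draft02(domain: bytes, ctx: bytes, msg: bytes) -> bytes:
    # -02 style: the inner ML-DSA context is the application ctx.
    return mldsa_message_representative(composite_m_prime(domain, ctx, msg), ctx)


def inner_input_draft03(domain: bytes, ctx: bytes, msg: bytes) -> bytes:
    # -03 style: the inner ML-DSA context is fixed to Domain.
    return mldsa_message_representative(composite_m_prime(domain, ctx, msg), domain)


def standalone_input(domain: bytes, ctx: bytes, msg: bytes) -> bytes:
    # A plain ML-DSA signer asked to sign the same M' under the application ctx.
    return mldsa_message_representative(composite_m_prime(domain, ctx, msg), ctx)


def collides_with_standalone(variant, domain: bytes, ctx: bytes, msg: bytes) -> bool:
    """True when the composite inner call signs exactly what a standalone
    ML-DSA call would, i.e. the two signatures are interchangeable."""
    return variant(domain, ctx, msg) == standalone_input(domain, ctx, msg)


if __name__ == "__main__":
    ctx, msg = b"app-ctx", b"hello"  # constructed sample inputs
    print("draft -02 collides:", collides_with_standalone(inner_input_draft02, DOMAIN, ctx, msg))
    print("draft -03 collides:", collides_with_standalone(inner_input_draft03, DOMAIN, ctx, msg))
```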
Yes, that change was made on purpose, based on comments in the mailing list. We had a marathon weekend working on issues. Sorry if the reasons for the change weren't entirely clear, but they were specifically added to protect against the attacks you mention.
As for using Domain || HASH(ctx), we can discuss if this strengthens it at all. I think since it is in M' it shouldn't be needed. Originally we didn't think we needed it in the ML-DSA context since ctx was in M', but it turns out having it as something different does strengthen it. Adding it would also add another HASH to the computation... probably not a big deal if we thought it added value.