rfc9881v2.txt   rfc9881.txt 
skipping to change at line 115 skipping to change at line 115
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
2. Identifiers 2. Identifiers
The AlgorithmIdentifier type is defined in [RFC5912] as follows: The AlgorithmIdentifier type is defined in [RFC5912] as follows:
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE { SEQUENCE {
algorithm ALGORITHM-TYPE.id({AlgorithmSet}), algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE. parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL &Params({AlgorithmSet}{@algorithm}) OPTIONAL
} }
| NOTE: The above syntax is from [RFC5912] and is compatible with | NOTE: The above syntax is from [RFC5912] and is compatible with
| the 2021 ASN.1 syntax [X680]. See [RFC5280] for the 1988 ASN.1 | the 2021 ASN.1 syntax [X680]. See [RFC5280] for the 1988 ASN.1
| syntax. | syntax.
The fields in AlgorithmIdentifier have the following meanings: The fields in AlgorithmIdentifier have the following meanings:
* algorithm identifies the cryptographic algorithm with an object * algorithm identifies the cryptographic algorithm with an object
identifier (OID). identifier (OID).
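Review bot: the left column's `algorithm ALGORITHM-TYPE.id({AlgorithmSet})` is not valid field-reference syntax in the 2021 ASN.1 that the NOTE below claims compatibility with; the right column's `ALGORITHM-TYPE.&id({AlgorithmSet})` restores the `&` that marks a reference to an information object class field, matching the `&Params` on the following line and the [RFC5912] definition the text says it reproduces. Since this is a verbatim quotation of another RFC's module, it is worth diffing the corrected block against RFC 5912 once more to confirm the two fields now match character for character.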
skipping to change at line 682 skipping to change at line 682
Encoding Rules (CER) and Distinguished Encoding Rules Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021,
February 2021, <https://www.itu.int/rec/T-REC-X.690>. February 2021, <https://www.itu.int/rec/T-REC-X.690>.
10.2. Informative References 10.2. Informative References
[CDFFJ21] Cremers, C., Düzlü, S., Fiedler, R., Fischlin, M., and C. [CDFFJ21] Cremers, C., Düzlü, S., Fiedler, R., Fischlin, M., and C.
Janson, "BUFFing signature schemes beyond unforgeability Janson, "BUFFing signature schemes beyond unforgeability
and the case of post-quantum signatures", Cryptology and the case of post-quantum signatures", Cryptology
ePrint Archive, Paper 2020/1525, October 2023, ePrint Archive, Paper 2020/1525, October 2023,
<https://eprint.iacr.org/2020/1525>. <https://eprint.iacr.org/
archive/2020/1525/20231023:114351>.
[Dilithium] [Dilithium]
Bai, S., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, Bai, S., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky,
V., Schwabe, P., Seiler, G., and D. Stehlé, "CRYSTALS- V., Schwabe, P., Seiler, G., and D. Stehlé, "CRYSTALS-
Dilithium Algorithm Specifications and Supporting Dilithium Algorithm Specifications and Supporting
Documentation (Version 3.1)", 8 February 2021, Documentation (Version 3.1)", 8 February 2021,
<https://pq-crystals.org/dilithium/data/dilithium- <https://pq-crystals.org/dilithium/data/dilithium-
specification-round3-20210208.pdf>. specification-round3-20210208.pdf>.
[Fiat-Shamir] [Fiat-Shamir]
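Review bot: the [CDFFJ21] entry now points at a pinned ePrint archive revision (`.../archive/2020/1525/20231023:114351`) instead of the mutable paper URL, which agrees with the "October 2023" date already given in the citation; because ePrint papers are revised in place, the pinned URL is what makes the cited version unambiguous. Check that the wrap between `<https://eprint.iacr.org/` and `archive/2020/1525/20231023:114351>` in the right column is only a rendering artifact and that the URL appears as one unbroken string in the published text.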
skipping to change at line 4045 skipping to change at line 4046
Implementations of ML-DSA using the External μ pre-hashing mode Implementations of ML-DSA using the External μ pre-hashing mode
requires the following algorithms, which are modified versions of the requires the following algorithms, which are modified versions of the
algorithms presented in [FIPS204]. The nomenclature used here has algorithms presented in [FIPS204]. The nomenclature used here has
been modified from the NIST FAQ [FIPS204-ExternalMuFAQ] for clarity. been modified from the NIST FAQ [FIPS204-ExternalMuFAQ] for clarity.
Pre-hash operation: Pre-hash operation:
Computeμ(pk, M, ctx): Computeμ(pk, M, ctx):
# Referred to as 'Externalμ-ML-DSA.Prehash(pk, M, ctx)' # Referred to as 'ExternalMu-ML-DSA.Prehash(pk, M, ctx)'
# in the FIPS 204 FAQ. # in the FIPS 204 FAQ.
# M is the message, a bit-string # M is the message, a bit-string
# μ and ctx are byte-strings. # μ and ctx are byte-strings.
# ctx is the context string, which defaults to the empty string. # ctx is the context string, which defaults to the empty string.
μ = H(BytesToBits(H(pk, 64) || IntegerToBytes(0, 1) || μ = H(BytesToBits(H(pk, 64) || IntegerToBytes(0, 1) ||
IntegerToBytes(|ctx|, 1) || ctx) || M, 64) IntegerToBytes(|ctx|, 1) || ctx) || M, 64)
# The functions `BytesToBits` and `IntegerToBytes` are defined # The functions `BytesToBits` and `IntegerToBytes` are defined
# in FIPS 204. # in FIPS 204.
return μ return μ
Figure 1: Computeμ Pre-Hash Operation Figure 1: Computeμ Pre-Hash Operation
Sign operations: Sign operations:
Signμ(sk, μ): Signμ(sk, μ):
# Referred to as 'Externalμ-ML-DSA.Sign(sk, μ)' # Referred to as 'ExternalMu-ML-DSA.Sign(sk, μ)'
# in the FIPS 204 FAQ. # in the FIPS 204 FAQ.
if |μ| != 64 then if |μ| != 64 then
return error # return an error indication if the input μ is not return error # return an error indication if the input μ is not
# 64 bytes. # 64 bytes.
end if end if
rnd = rand(32) # for the optional deterministic variant, rnd = rand(32) # for the optional deterministic variant,
# set rnd to all zeroes # set rnd to all zeroes
if rnd = NULL then if rnd = NULL then
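Review bot: the two renamed quotations (`'ExternalMu-ML-DSA.Prehash(pk, M, ctx)'` and `'ExternalMu-ML-DSA.Sign(sk, μ)'`) are literal references to names used in the FIPS 204 FAQ, so adopting an ASCII spelling there while this document's own procedures keep `Computeμ` and `Signμ` is consistent with the sentence above stating that the nomenclature here was deliberately modified from the FAQ; the comments should quote the external name exactly as that document spells it, and the local names can differ. One style point in the unchanged context of `Signμ`: the length check is written `if |μ| != 64` but the next test is `if rnd = NULL`, mixing `!=` with a single `=` for comparison; using one comparison form throughout (e.g. `==`) would avoid the second test reading as an assignment.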
 End of changes. 4 change blocks. 
8 lines changed or deleted 9 lines changed or added

This html diff was produced by rfcdiff 1.48.