OASIS PKCS 11 TC

  • 1.  WD07 diff review: ML-DSA / ML-KEM / SLH-DSA

    Posted 12-18-2024 15:45

    In 6.64.2 ML-DSA public key objects:

    The Data Type of CKA_VALUE should be defined as "Byte array" (or perhaps "Byte string"), not Big Integer.

    We may also want to change the Meaning of CKA_VALUE to mention "Public key" instead of "Public value".

    This is how the algorithm that defines how to calculate the public key is defined in FIPS 204, and the above changes would make it more clear what we refer to:

    Algorithm 22 pkEncode(𝜌, 𝐭1)
    Encodes a public key for ML-DSA into a byte string.

    In 6.64.3 ML-DSA private key objects:

    The Data Type of CKA_VALUE should be defined as "Byte array" (or perhaps "Byte string"), not Big Integer.

    We may also want to change the Meaning of CKA_VALUE to mention "Secret key" instead of "Private value".

    This is how the algorithm that defines how to calculate the public key is defined in FIPS 204, and the above changes would make it more clear what we refer to:

    Algorithm 24 skEncode(𝜌, 𝐾, 𝑡𝑟, 𝐬1, 𝐬2, 𝐭0)
    Encodes a secret key for ML-DSA into a byte string.

    Additionally, the CKA_SEED value we agreed to add seems to be missing from the table and is not mentioned anywhere in the document.

    In 6.65.2 ML-KEM public key objects:

    We may want to change the Meaning of CKA_VALUE to mention "Encapsulation key" instead of "Public value".

    In 6.65.3 ML-KEM private key objects:

    We may want to change the Meaning of CKA_VALUE to mention "Decapsulation key" instead of "Private value".

    This is how the algorithm that defines how to calculate the key pair is defined in FIPS 203, and the above changes would make it more clear what we refer to:

    Algorithm 19 ML-KEM.KeyGen()
    Generates an encapsulation key and a corresponding decapsulation key.

    In 6.66.2 SLH-DSA public key objects:

    The Data Type of CKA_VALUE should be defined as "Byte array", not Big Integer.

    We may also want to change the Meaning of CKA_VALUE to mention "Public key" instead of "Public value".

    In FIPS 205 section 9.1 that's how the public value is called, and in other areas public seed is referenced, which is only part of the public key, using the term "public value" would be ambiguous as "public values" are mentioned as part of the spec but they are not public keys (nor seeds).

    In 6.66.3 SLH-DSA private key objects:

    The Data Type of CKA_VALUE should be defined as "Byte array", not Big Integer.

    We may also want to change the Meaning of CKA_VALUE to mention "Private key" instead of "Private value".

    A search on "private value" in FIPS 205 yields nothing, while private key is well defined, see above.



    ------------------------------
    Simo Sorce
    Red Hat
    ------------------------------


  • 2.  RE: WD07 diff review: ML-DSA / ML-KEM / SLH-DSA

    Posted 01-06-2025 10:17

    Simo,

    I agree with all suggestions wrt. ML-KEM and SLH-DSA.

    For ML-DSA

    • I support changing Big Integer into Byte Array. I would not change Big Integer into Byte String, because Byte String is not defined as data type in section 4, while Byte Array is defined, and it's used for various other key types already.
    • I have a split opinion about using the term "secret key" for the ML-DSA private value: Although "secret key" is the term used in FIPS 204, we always talk about private keys in the context of key pairs. Not using the same terminology as in FIPS 204 may confuse some people, but using the term secret key when talking about a private key may be confusing as well. I think I would stick to the term private, but change "private value" to "private key".

    In case this has not yet been discussed in the meeting on Dec 18 (meeting notes are not available yet), we should discuss and agree in our next meeting. I will then update the draft specification and publish a new v3.2 working draft 08 shortly.



    ------------------------------
    Best regards,
    Dieter
    ------------------------------
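
Added example, not part of either post or of the PKCS #11 draft: it packs an ML-DSA-44 public key the way FIPS 204 pkEncode describes and shows what happens to that fixed-length byte string when it is handled as an unsigned integer instead of a byte array. `store_as_big_integer`, the demo functions and the key values are constructed for illustration, and the minimal-length integer form is an assumption about how an integer-typed attribute might be treated.

```c
#include <stdint.h>
#include <string.h>

/* ML-DSA-44 (FIPS 204): 32-byte rho, t1 = 4 x 256 coefficients of 10 bits. */
enum { RHO_LEN = 32, T1_COEFFS = 4 * 256, T1_BITS = 10,
       PK_LEN = RHO_LEN + T1_COEFFS * T1_BITS / 8 };   /* 1312 bytes */

/* pkEncode (Algorithm 22): rho, then t1 bit-packed least-significant bit first. */
size_t pk_encode(const uint8_t *rho, const uint16_t *t1, uint8_t *pk)
{
    memset(pk, 0, PK_LEN);
    memcpy(pk, rho, RHO_LEN);
    for (size_t bit = 0; bit < (size_t)T1_COEFFS * T1_BITS; bit++) {
        unsigned v = (t1[bit / T1_BITS] >> (bit % T1_BITS)) & 1u;
        pk[RHO_LEN + bit / 8] |= (uint8_t)(v << (bit % 8));
    }
    return PK_LEN;
}

/* Hypothetical integer-typed store (assumption): MSB-first unsigned integer,
 * kept in minimal-length form, so leading zero bytes are dropped. */
size_t store_as_big_integer(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t skip = 0;
    while (skip + 1 < len && in[skip] == 0)
        skip++;
    memcpy(out, in + skip, len - skip);
    return len - skip;
}

/* Constructed key: rho starts with two zero bytes, t1[i] = i mod 1024. */
const uint8_t *demo_pk(void)
{
    static uint8_t pk[PK_LEN];
    static uint16_t t1[T1_COEFFS];
    const uint8_t rho[RHO_LEN] = { 0x00, 0x00, 0xA5 };
    for (size_t i = 0; i < T1_COEFFS; i++)
        t1[i] = (uint16_t)(i & 0x3FF);
    pk_encode(rho, t1, pk);
    return pk;
}

/* Bytes lost by the integer store; a byte array keeps all PK_LEN bytes. */
size_t demo_bytes_lost(void)
{
    uint8_t out[PK_LEN];
    return PK_LEN - store_as_big_integer(demo_pk(), PK_LEN, out);
}
```

Since 𝜌 is a 32-byte seed, a leading zero byte is an ordinary outcome, and a consumer that receives fewer than 1312 bytes can no longer parse the key.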