Fixed further typos.
BjoernMHaase committed Jan 19, 2024
1 parent e009526 commit 36bd590
Showing 2 changed files with 25 additions and 14 deletions.
31 changes: 21 additions & 10 deletions TODO_review
Expand Up @@ -65,8 +65,10 @@ that CI "may also include confidential information", which means that it
is not, in fact, public. Maybe what is meant here is that it is a common
value known to both parties.

6.2: "was properly generated conform with" -> "was properly generated,
in conformity with" ("conform" is a verb, it cannot be used that way).
# 6.2: "was properly generated conform with" -> "was properly generated,
# in conformity with" ("conform" is a verb, it cannot be used that way).
#
# Fixed.

6.2: "Otherwise B returns ISK = H.hash(...). B returns ISK and terminates."
-> the first "returns ISK" should be "computes ISK"
Expand Down Expand Up @@ -157,15 +159,21 @@ the quadratic twist". Or the comma could be simply removed.
#
# Fixed

9.2: "the length of of all" -> "the length of all"
# 9.2: "the length of of all" -> "the length of all"
#
# Fixed

9.4: "calculate mac_key as as" -> "calculate mac_key as"
# 9.4: "calculate mac_key as as" -> "calculate mac_key as"
#
# Fixed

9.4: Starting at the point, we begin to see notations like b"CPaceMac",
i.e. the Python-like syntax for character strings which really are octet
strings. This should be harmonized with the previous use of character
strings (G.DSI, "_ISK",...) since these strings also implicitly assumed
some sort of characters-to-octets conversion.
#9.4: Starting at the point, we begin to see notations like b"CPaceMac",
# i.e. the Python-like syntax for character strings which really are octet
# strings. This should be harmonized with the previous use of character
# strings (G.DSI, "_ISK",...) since these strings also implicitly assumed
# some sort of characters-to-octets conversion.
#
# Yes Removed b"" syntax in the text body

9.5: "We do so in order to reduce both, complexity of the implementation
and reducing the attack surface" -> "We do so in order to reduce both the
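Review bot: the response "# Yes Removed b"" syntax in the text body" is both unpunctuated and narrower than the reviewer's 9.4 point. The point was not the b"" notation itself but that every character string fed into the hash (G.DSI, "_ISK", "CPaceMac", ...) implicitly assumes a characters-to-octets conversion; dropping the b"" prefixes removes the inconsistency in notation but does not state that conversion. Suggest recording here whether the draft now defines the encoding of these literals in one place, and whether the appendix test vectors, which the response's "in the text body" qualifier leaves out, use the same convention.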
Expand All @@ -192,7 +200,10 @@ document (section 7.4.3 says "MUST BE uniformly random"; it does not say
selection"). It might be worth adding a note in section 9.5 that the
oversampling+reduction method is actually OK?

9.5: "begning" -> "benign"
# 9.5: "begning" -> "benign"
#
# Fixed.


9.6: "The cofactor c' of the twist MUST BE EQUAL to or an integer
multiple of the cofactor c of the curve." -> it's the opposite! The
8 changes: 4 additions & 4 deletions draft-irtf-cfrg-cpace.md
Expand Up @@ -391,7 +391,7 @@ optional associated data ADa to B.

B computes a generator g = G.calculate_generator(H,PRS,CI,sid), scalar yb = G.sample\_scalar() and group element Yb = G.scalar\_pow(yb,g). B sends MSGb = network\_encode(Yb, ADb) with optional associated data ADb to A.

Upon reception of MSGa, B checks that MSGa was properly generated conform with the chosen encoding of network messages (notably correct length fields).
Upon reception of MSGa, B checks that MSGa was properly generated in conformity with the chosen encoding of network messages (notably correct length fields).
If this parsing fails, then B MUST abort. (Testvectors of examples for invalid messages when using lv\_cat() as network\_encode function for
CPace are given in the appendix.)
B then computes K = G.scalar\_pow\_vfy(yb,Ya). B MUST abort if K=G.I.
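Review bot: for a typo-fix commit, the unchanged context two lines below the edited sentence still reads "Testvectors of examples for invalid messages"; "Test vectors" is the standard spelling and "Test vectors for invalid messages" is shorter. Same paragraph, so worth folding into this change rather than a later one.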
Expand Down Expand Up @@ -684,7 +684,7 @@ Including and checking party identifiers can fend off such relay attacks.

It is RECOMMENDED to encode the (Ya,ADa) and (Yb,ADb) fields on the network by using network\_encode(Y,AD) = lv\_cat(Y,AD). I.e. we RECOMMEND
to prepend an encoding of the length of the subfields. Prepending the length of
of all variable-size input strings results in a so-called prefix-free encoding of transcript strings, using terminology introduced in {{CDMP05}}. This property allows for disregarding length-extension imperfections that come with the commonly used Merkle-Damgard hash function constructions such as SHA256 and SHA512.
all variable-size input strings results in a so-called prefix-free encoding of transcript strings, using terminology introduced in {{CDMP05}}. This property allows for disregarding length-extension imperfections that come with the commonly used Merkle-Damgard hash function constructions such as SHA256 and SHA512.

Other alternative network encoding formats which prepend an encoding of the length of variable-size data fields in the protocol
messages are equally suitable.
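Review bot: the corrected sentence still spells the construction "Merkle-Damgard"; the usual spelling is "Merkle-Damgård". Since the hunk already touches this line for the "of of" fix, this is the place to correct it.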
Expand Down Expand Up @@ -722,7 +722,7 @@ CMAC {{?RFC4493}} using a key mac\_key derived from ISK.

One suitable option that works also in the parallel setting without message ordering is to proceed as follows.

- First calculate mac\_key as as mac\_key = H.hash(b"CPaceMac" \|\| ISK).
- First calculate mac\_key as mac\_key = H.hash("CPaceMac" \|\| ISK).

- Then let each party send an authenticator tag Ta, Tb that is calculated over the protocol message that it has sent previously. I.e.
let party A calculate its transmitted authentication code Ta as Ta = MAC(mac\_key, MSGa) and let party B calculate its transmitted
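Review bot: replacing `b"CPaceMac"` with `"CPaceMac"` in `mac_key = H.hash("CPaceMac" || ISK)` makes the notation consistent with G.DSI and "_ISK", but the concern raised in TODO_review 9.4 (that these character strings need a stated characters-to-octets conversion before hashing) is not addressed by this hunk: H.hash takes octets, and an implementer now has no notation telling them how "CPaceMac" becomes octets. Suggest one sentence where these literals are first used fixing the conversion (ASCII is the obvious candidate for strings of this form), with the test vectors in the appendix showing the resulting octets, so that independent implementations derive the same mac_key.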
Expand All @@ -735,7 +735,7 @@ One suitable option that works also in the parallel setting without message orde

For curves over fields F\_p where p is a prime close to a power of two, we recommend sampling scalars as a uniform bit string of length field\_size\_bits. We do so in order to reduce both, complexity of the implementation and reducing the attack surface
with respect to side-channels for embedded systems in hostile environments.
The effect of non-uniform sampling on security was demonstrated to be begning in {{AHH21}} for the case of Curve25519 and Curve448.
The effect of non-uniform sampling on security was demonstrated to be begnin in {{AHH21}} for the case of Curve25519 and Curve448.
This analysis however does not transfer to most curves in Short-Weierstrass form. As a result, we recommend rejection sampling if G is as in {{CPaceWeierstrass}}.

## Single-coordinate CPace on Montgomery curves
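Review bot: the typo fix on the "non-uniform sampling" line replaces "begning" with "begnin", which is still not "benign"; TODO_review marks the 9.5 item "Fixed." in this same commit, so either the draft line or that status is wrong. In the same hunk the unchanged sentence "We do so in order to reduce both, complexity of the implementation and reducing the attack surface" remains as flagged in TODO_review ("to reduce both the complexity of the implementation and the attack surface"); since it is adjacent to the line being edited, it could be corrected here as well.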