Merge pull request #52 from lamps-wg/26-nist-is-suggesting-that-both-…
…pq-l3-+-l5-should-be-paired-with-p-384

Update ML-DSA and ECC combinations
johngray-dev authored Oct 2, 2024
2 parents caa9a90 + 6950d8e commit a20cd4c
Showing 2 changed files with 13 additions and 22 deletions.
10 changes: 5 additions & 5 deletions Composite-MLDSA-2024.asn
Expand Up @@ -258,18 +258,18 @@ sa-MLDSA65-RSA4096-PKCS15-SHA512 SIGNATURE-ALGORITHM ::=
pk-MLDSA65-RSA4096-PKCS15-SHA512 }

-- TODO: OID to be replaced by IANA
id-MLDSA65-ECDSA-P256-SHA512 OBJECT IDENTIFIER ::= {
id-MLDSA65-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840) organization(1)
entrust(114027) algorithm(80) composite(8) signature(1) 28 }

pk-MLDSA65-ECDSA-P256-SHA512 PUBLIC-KEY ::=
pk-CompositeSignature{ id-MLDSA65-ECDSA-P256-SHA512,
pk-MLDSA65-ECDSA-P384-SHA512 PUBLIC-KEY ::=
pk-CompositeSignature{ id-MLDSA65-ECDSA-P384-SHA512,
EcCompositeSignaturePublicKey}

sa-MLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::=
sa-CompositeSignature{
id-MLDSA65-ECDSA-P256-SHA512,
pk-MLDSA65-ECDSA-P256-SHA512 }
id-MLDSA65-ECDSA-P384-SHA512,
pk-MLDSA65-ECDSA-P384-SHA512 }


-- TODO: OID to be replaced by IANA
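Review bot: the line `sa-MLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::=` has no P384 counterpart in this hunk (six P256 lines against five P384 lines, matching the stated 5 additions and 5 deletions), so the signature-algorithm object keeps its P256 name while its body now references `id-MLDSA65-ECDSA-P384-SHA512` and `pk-MLDSA65-ECDSA-P384-SHA512`. Rename it to `sa-MLDSA65-ECDSA-P384-SHA512` alongside the id- and pk- objects, and update any place in the module that lists the old sa- name, so the three definitions for this combination stay consistent.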
25 changes: 8 additions & 17 deletions draft-ietf-lamps-pq-composite-sigs.md
Expand Up @@ -629,12 +629,11 @@ Signature public key types:
| id-MLDSA44-RSA2048-PKCS15-SHA256 | <CompSig>.22 | id-ML-DSA-44 | sha256WithRSAEncryption | id-sha256 |
| id-MLDSA44-Ed25519-SHA512 | <CompSig>.23 | id-ML-DSA-44 | id-Ed25519 | id-sha512 |
| id-MLDSA44-ECDSA-P256-SHA256 | <CompSig>.24 | id-ML-DSA-44 | ecdsa-with-SHA256 with secp256r1 | id-sha256 |
| id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 | <CompSig>.25 | id-ML-DSA-44 | ecdsa-with-SHA256 with brainpoolP256r1 | id-sha256 |
| id-MLDSA65-RSA3072-PSS-SHA512 | <CompSig>.26 | id-ML-DSA-65 | id-RSASA-PSS with id-sha512 | id-sha512 |
| id-MLDSA65-RSA3072-PKCS15-SHA512 | <CompSig>.27 | id-ML-DSA-65 | sha512WithRSAEncryption | id-sha512 |
| id-MLDSA65-RSA4096-PSS-SHA512 | <CompSig>.34 | id-ML-DSA-65 | id-RSASA-PSS with id-sha512 | id-sha512 |
| id-MLDSA65-RSA4096-PKCS15-SHA512 | <CompSig>.35 | id-ML-DSA-65 | sha512WithRSAEncryption | id-sha512 |
| id-MLDSA65-ECDSA-P256-SHA512 | <CompSig>.28 | id-ML-DSA-65 | ecdsa-with-SHA512 with secp256r1 | id-sha512 |
| id-MLDSA65-ECDSA-P384-SHA512 | <CompSig>.28 | id-ML-DSA-65 | ecdsa-with-SHA512 with secp384r1 | id-sha512 |
| id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | <CompSig>.29 | id-ML-DSA-65 | ecdsa-with-SHA512 with brainpoolP256r1 | id-sha512 |
| id-MLDSA65-Ed25519-SHA512 | <CompSig>.30 | id-ML-DSA-65 | id-Ed25519 | id-sha512 |
| id-MLDSA87-ECDSA-P384-SHA512 | <CompSig>.31 | id-ML-DSA-87 | ecdsa-with-SHA512 with secp384r1 | id-sha512|
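Review bot: dropping the `id-MLDSA44-ECDSA-brainpoolP256r1-SHA256` row leaves `<CompSig>.25` unassigned between .24 and .26, and nothing in the table says whether that arc is retired. Since these are prototype OIDs that implementations may already have coded against, add a short note that .25 is no longer used and must not be reassigned to a different combination.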
Expand All @@ -657,12 +656,11 @@ As mentioned above, the OID input value is used as a domain separator for the Co
| id-MLDSA44-RSA2048-PKCS15-SHA256 |060B6086480186FA6B50080116|
| id-MLDSA44-Ed25519-SHA512 |060B6086480186FA6B50080117|
| id-MLDSA44-ECDSA-P256-SHA256 |060B6086480186FA6B50080118|
| id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 |060B6086480186FA6B50080119|
| id-MLDSA65-RSA3072-PSS-SHA512 |060B6086480186FA6B5008011A|
| id-MLDSA65-RSA3072-PKCS15-SHA512 |060B6086480186FA6B5008011B|
| id-MLDSA65-RSA4096-PSS-SHA512 |060B6086480186FA6B50080122|
| id-MLDSA65-RSA4096-PKCS15-SHA512 |060B6086480186FA6B50080123|
| id-MLDSA65-ECDSA-P256-SHA512 |060B6086480186FA6B5008011C|
| id-MLDSA65-ECDSA-P384-SHA512 |060B6086480186FA6B5008011C|
| id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 |060B6086480186FA6B5008011D|
| id-MLDSA65-Ed25519-SHA512 |060B6086480186FA6B5008011E|
| id-MLDSA87-ECDSA-P384-SHA512 |060B6086480186FA6B5008011F|
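Review bot: the `id-MLDSA65-ECDSA-P384-SHA512` row keeps the encoding `060B6086480186FA6B5008011C` that the P256 row carried, so the domain separator is identical for the old secp256r1 pairing and the new secp384r1 pairing. An implementation built from the previous draft and one built from this revision would use the same OID and separator for different component algorithms. Either allocate a fresh prototype arc for the P384 combination or state explicitly in the change log that .28 changed meaning and earlier test vectors for it are invalid.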
Expand Down Expand Up @@ -752,12 +750,11 @@ The following table lists the MANDATORY HASH algorithms to preserve security and
| id-MLDSA44-RSA2048-PKCS15-SHA256 | SHA256 |
| id-MLDSA44-Ed25519-SHA512 | SHA512 |
| id-MLDSA44-ECDSA-P256-SHA256 | SHA256 |
| id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 | SHA256 |
| id-MLDSA65-RSA3072-PSS-SHA512 | SHA512 |
| id-MLDSA65-RSA3072-PKCS15-SHA512 | SHA512 |
| id-MLDSA65-RSA4096-PSS-SHA512 | SHA512 |
| id-MLDSA65-RSA4096-PKCS15-SHA512 | SHA512 |
| id-MLDSA65-ECDSA-P256-SHA512 | SHA512 |
| id-MLDSA65-ECDSA-P384-SHA512 | SHA512 |
| id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | SHA512 |
| id-MLDSA65-Ed25519-SHA512 | SHA512 |
| id-MLDSA87-ECDSA-P384-SHA512 | SHA512|
Expand Down Expand Up @@ -869,11 +866,6 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{
- Description: id-MLDSA44-ECDSA-P256-SHA256
- References: This Document

- id-MLDSA44-ECDSA-brainpoolP256r1-SHA256
- Decimal: IANA Assigned
- Description: id-MLDSA44-ECDSA-brainpoolP256r1-SHA256
- References: This Document

- id-MLDSA65-RSA3072-PSS-SHA512
- Decimal: IANA Assigned
- Description: id-MLDSA65-RSA3072-PSS-SHA512
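Review bot: the IANA entry for `id-MLDSA44-ECDSA-brainpoolP256r1-SHA256` is removed here, but the Composite-MLDSA-2024.asn change in this commit (5 additions, 5 deletions) covers only the MLDSA65 P256-to-P384 rename. If the module defines id-, pk- and sa- objects for the MLDSA44 brainpoolP256r1 combination, remove them in the same change so the ASN.1 module and the registration list agree.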
Expand All @@ -894,9 +886,9 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{
- Description: id-MLDSA65-RSA4096-PKCS15-SHA512
- References: This Document

- id-MLDSA65-ECDSA-P256-SHA512
- id-MLDSA65-ECDSA-P384-SHA512
- Decimal: IANA Assigned
- Description: id-MLDSA65-ECDSA-P256-SHA512
- Description: id-MLDSA65-ECDSA-P384-SHA512
- References: This Document

- id-MLDSA65-ECDSA-brainpoolP256r1-SHA512
Expand Down Expand Up @@ -926,16 +918,15 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{

<!-- End of IANA Considerations section -->


# Security Considerations


## Public Key Algorithm Selection Criteria

The composite algorithm combinations defined in this document were chosen according to the following guidelines:

1. RSA combinations are provided at a key size of 2048, 3072, and 4096 bits matched with NIST PQC Level 2 and 3 algorithms.
1. Elliptic curve algorithms are provided with combinations on each of the NIST [RFC6090], Brainpool [RFC5639], and Edwards [RFC7748] curves. NIST PQC Levels 1 - 3 algorithms are matched with 256-bit curves, while NIST levels 4 - 5 are matched with 384-bit elliptic curves. This provides a balance between matching classical security levels of post-quantum and traditional algorithms, and also selecting elliptic curves which already have wide adoption.
1. NIST level 1 candidates are provided, matched with 256-bit elliptic curves, intended for constrained use cases.
1. Elliptic curve algorithms are provided with combinations on each of the NIST [RFC6090], Brainpool [RFC5639], and Edwards [RFC7748] curves. NIST PQC level 1 candidates are provided, matched with 256-bit elliptic curves, intended for constrained use cases. NIST levels 3 algorithms are matched with NIST 384-bit, brainpool 256-bit and and Ed25519 curves, while NIST level 5 are matched with 384-bit elliptic curves. This provides a balance between matching classical security levels of post-quantum and traditional algorithms, and also selecting elliptic curves which already have wide adoption.

If other combinations are needed, a separate specification should be submitted to the IETF LAMPS working group. To ease implementation, these specifications are encouraged to follow the construction pattern of the algorithms specified in this document.
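Review bot: the rewritten elliptic-curve item says "NIST PQC level 1 candidates are provided, matched with 256-bit elliptic curves", while item 1 of the same list describes the RSA pairings as "NIST PQC Level 2 and 3 algorithms", and the tables pair the same ML-DSA-44 with both RSA2048 and P-256. State the level for ML-DSA-44 consistently across the two items. The same sentence also has a doubled word ("and and Ed25519") and number disagreement ("NIST levels 3 algorithms", "NIST level 5 are matched"); suggest "NIST level 3 algorithms are matched with NIST 384-bit, Brainpool 256-bit and Ed25519 curves, while NIST level 5 algorithms are matched with 384-bit elliptic curves".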

Expand Down Expand Up @@ -1001,7 +992,7 @@ This section provides references to the full specification of the algorithms use
| ----------- | ----------- | ----------- |
| secp256r1 | iso(1) member-body(2) us(840) ansi-x962(10045) curves(3) prime(1) 7 | [RFC6090] |
| secp384r1 | iso(1) identified-organization(3) certicom(132) curve(0) 34 | [RFC6090] |
| brainpoolP256r1 | iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecStdCurvesAndGeneration(8) ellipticCurve(1) versionOne(1) 7 | [RFC5639] |
| brainpoolP256r1 | iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecStdCurvesAndGeneration(8) ellipticCurve(1) versionOne(1) 7 | [RFC5639] |
| brainpoolP384r1 | iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecStdCurvesAndGeneration(8) ellipticCurve(1) versionOne(1) 11 | [RFC5639] |
{: #tab-component-curve-algs title="Elliptic Curves used in Composite Constructions"}
