diff --git a/Composite-MLDSA-2024.asn b/Composite-MLDSA-2024.asn index 9a2256c..8f1159f 100644 --- a/Composite-MLDSA-2024.asn +++ b/Composite-MLDSA-2024.asn @@ -14,30 +14,6 @@ IMPORTS { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) } - - SubjectPublicKeyInfo - FROM PKIX1Explicit-2009 - { iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) id-mod(0) - id-mod-pkix1-explicit-02(51) } - - OneAsymmetricKey - FROM AsymmetricKeyPackageModuleV1 - { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) - pkcs-9(9) smime(16) modules(0) - id-mod-asymmetricKeyPkgV1(50) } - - RSAPublicKey, ECPoint - FROM PKIXAlgs-2009 - { iso(1) identified-organization(3) dod(6) - internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-mod-pkix1-algorithms2008-02(56) } - - sa-rsaSSA-PSS - FROM PKIX1-PSS-OAEP-Algorithms-2009 - {iso(1) identified-organization(3) dod(6) internet(1) security(5) - mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)} - ; -- @@ -48,60 +24,48 @@ IMPORTS der OBJECT IDENTIFIER ::= {joint-iso-itu-t asn1(1) ber-derived(2) distinguished-encoding(1)} - --- Just for testing, to be assigned by IANA -id-raw-key OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) raw(999) 1 } - - -- -- Signature Algorithm -- - -- -- Composite Signature basic structures -- -CompositeSignaturePublicKey ::= SEQUENCE SIZE (2) OF BIT STRING - -CompositeSignaturePublicKeyOs ::= OCTET STRING (CONTAINING - CompositeSignaturePublicKey ENCODED BY der) +-- +-- When a CompositeMLDSAPublicKey is used with an RSA public key, the BIT STRING is generated +-- by the concatenation of a raw ML-DSA key according to {{I-D.ietf-lamps-dilithium-certificates}}, +-- and an RSAPublicKey (which is a DER encoded RSAPublicKey). -CompositeSignaturePublicKeyBs ::= BIT STRING (CONTAINING - CompositeSignaturePublicKey ENCODED BY der) +-- When a CompositeMLDSAPublicKey is used with an EC public key, the BIT STRING is generated +-- by the concatenation of a raw ML-DSA key according to {{I-D.ietf-lamps-dilithium-certificates}} +-- and an ECDSAPublicKey according to [RFC5480]. -CompositeSignaturePrivateKey ::= SEQUENCE SIZE (2) OF OCTET STRING +-- When a CompositeMLDSAPublicKey is used with an Edwards public key, the BIT STRING is generated +-- by the concatenation of a raw ML-DSA key according to {{I-D.ietf-lamps-dilithium-certificates}} +-- and a raw Edwards public key according to [RFC8410]. -CompositeSignatureValue ::= SEQUENCE SIZE (2) OF BIT STRING +CompositeMLDSAPublicKey ::= BIT STRING -RsaCompositeSignaturePublicKey ::= SEQUENCE { - firstPublicKey BIT STRING (ENCODED BY id-raw-key), - secondPublicKey BIT STRING (CONTAINING RSAPublicKey) - } +-- +-- When a CompositeMLDSAPrivateKey is used with an RSA public key, the OCTET STRING is generated +-- by the concatenation of an ML-DSA private key according to {{I-D.ietf-lamps-dilithium-certificates}}, +-- and an RSAPrivateKey (which is a DER encoded RSAPrivateKey). -EcCompositeSignaturePublicKey ::= SEQUENCE { - firstPublicKey BIT STRING (ENCODED BY id-raw-key), - secondPublicKey BIT STRING (CONTAINING ECPoint) - } +-- When a CompositeMLDSAPrivateKey is used with an EC public key, the OCTET STRING is generated +-- by the concatenation of an ML-DSA private key according to {{I-D.ietf-lamps-dilithium-certificates}}, +-- and an ECDSAPrivateKey according to [RFC5915]. -EdCompositeSignaturePublicKey ::= SEQUENCE { - firstPublicKey BIT STRING (ENCODED BY id-raw-key), - secondPublicKey BIT STRING (ENCODED BY id-raw-key) - } +-- When a CompositeMLDSAPrivateKey is used with an Edwards public key, the OCTET STRING is generated +-- by the concatenation of an ML-DSA private key according to {{I-D.ietf-lamps-dilithium-certificates}}, +-- and a raw Edwards private key according to [RFC8410]. --- Composite Signature Value is just a sequence of OCTET STRINGS +CompositeMLDSAPrivateKey ::= OCTET STRING --- CompositeSignaturePair{FirstSignatureValue, SecondSignatureValue} ::= --- SEQUENCE { --- signaturevalue1 FirstSignatureValue, --- signaturevalue2 SecondSignatureValue } +-- Composite Signature Value is just an BIT STRING and is a concatenation of the component signature +-- algorithms. --- An Explicit Compsite Signature is a set of Signatures which --- are composed of OCTET STRINGS --- ExplicitCompositeSignatureValue ::= CompositeSignaturePair { --- OCTET STRING,OCTET STRING} +CompositeSignatureValue ::= BIT STRING -- @@ -134,7 +98,7 @@ id-MLDSA44-RSA2048-PSS OBJECT IDENTIFIER ::= { pk-MLDSA44-RSA2048-PSS PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA44-RSA2048-PSS, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA44-RSA2048-PSS SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -148,7 +112,7 @@ id-MLDSA44-RSA2048-PKCS15 OBJECT IDENTIFIER ::= { pk-MLDSA44-RSA2048-PKCS15 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA44-RSA2048-PKCS15, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA44-RSA2048-PKCS15 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -163,7 +127,7 @@ id-MLDSA44-Ed25519 OBJECT IDENTIFIER ::= { pk-MLDSA44-Ed25519 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA44-Ed25519, - EdCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA44-Ed25519 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -178,7 +142,7 @@ id-MLDSA44-ECDSA-P256 OBJECT IDENTIFIER ::= { pk-MLDSA44-ECDSA-P256 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA44-ECDSA-P256, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA44-ECDSA-P256 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -193,7 +157,7 @@ id-MLDSA65-RSA3072-PSS OBJECT IDENTIFIER ::= { pk-MLDSA65-RSA3072-PSS PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA65-RSA3072-PSS, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA65-RSA3072-PSS SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -208,7 +172,7 @@ id-MLDSA65-RSA3072-PKCS15 OBJECT IDENTIFIER ::= { pk-MLDSA65-RSA3072-PKCS15 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA65-RSA3072-PKCS15, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA65-RSA3072-PKCS15 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -222,7 +186,7 @@ id-MLDSA65-RSA4096-PSS OBJECT IDENTIFIER ::= { pk-MLDSA65-RSA4096-PSS PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA65-RSA4096-PSS, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA65-RSA4096-PSS SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -237,12 +201,12 @@ id-MLDSA65-RSA4096-PKCS15 OBJECT IDENTIFIER ::= { pk-MLDSA65-RSA4096-PKCS15 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA65-RSA4096-PKCS15, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA65-RSA4096-PKCS15 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ - id-MLDSA65-RSA4096-SHA512, - pk-MLDSA65-RSA4096-SHA512 } + id-MLDSA65-RSA4096-PKCS15, + pk-MLDSA65-RSA4096-PKCS15 } -- TODO: OID to be replaced by IANA id-MLDSA65-ECDSA-P384 OBJECT IDENTIFIER ::= { @@ -251,7 +215,7 @@ id-MLDSA65-ECDSA-P384 OBJECT IDENTIFIER ::= { pk-MLDSA65-ECDSA-P384 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA65-ECDSA-P384, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA65-ECDSA-P256 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -266,7 +230,7 @@ id-MLDSA65-ECDSA-brainpoolP256r1 OBJECT IDENTIFIER ::= { pk-MLDSA65-ECDSA-brainpoolP256r1 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA65-ECDSA-brainpoolP256r1, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA65-ECDSA-brainpoolP256r1 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -281,7 +245,7 @@ id-MLDSA65-Ed25519 OBJECT IDENTIFIER ::= { pk-MLDSA65-Ed25519 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA65-Ed25519, - EdCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA65-Ed25519 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -296,7 +260,7 @@ id-MLDSA87-ECDSA-P384 OBJECT IDENTIFIER ::= { pk-MLDSA87-ECDSA-P384 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA87-ECDSA-P384, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA87-ECDSA-P384 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -311,7 +275,7 @@ id-MLDSA87-ECDSA-brainpoolP384r1 OBJECT IDENTIFIER ::= { pk-MLDSA87-ECDSA-brainpoolP384r1 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA87-ECDSA-brainpoolP384r1, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA87-ECDSA-brainpoolP384r1 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -326,7 +290,7 @@ id-MLDSA87-Ed448 OBJECT IDENTIFIER ::= { pk-MLDSA87-Ed448 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA87-Ed448, - EdCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-MLDSA87-Ed448 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -343,7 +307,7 @@ id-HashMLDSA44-RSA2048-PSS-SHA256 OBJECT IDENTIFIER ::= { pk-HashMLDSA44-RSA2048-PSS-SHA256 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA44-RSA2048-PSS-SHA256, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA44-RSA2048-PSS-SHA256 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -357,7 +321,7 @@ id-HashMLDSA44-RSA2048-PKCS15-SHA256 OBJECT IDENTIFIER ::= { pk-HashMLDSA44-RSA2048-PKCS15-SHA256 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA44-RSA2048-PKCS15-SHA256, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA44-RSA2048-PKCS15-SHA256 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -372,7 +336,7 @@ id-HashMLDSA44-Ed25519-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA44-Ed25519-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA44-Ed25519-SHA512, - EdCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA44-Ed25519-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -387,7 +351,7 @@ id-HashMLDSA44-ECDSA-P256-SHA256 OBJECT IDENTIFIER ::= { pk-HashMLDSA44-ECDSA-P256-SHA256 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA44-ECDSA-P256-SHA256, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA44-ECDSA-P256-SHA256 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -402,7 +366,7 @@ id-HashMLDSA65-RSA3072-PSS-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA65-RSA3072-PSS-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA65-RSA3072-PSS-SHA512, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA65-RSA3072-PSS-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -417,7 +381,7 @@ id-HashMLDSA65-RSA3072-PKCS15-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA65-RSA3072-PKCS15-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA65-RSA3072-PKCS15-SHA512, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA65-RSA3072-PKCS15-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -431,7 +395,7 @@ id-HashMLDSA65-RSA4096-PSS-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA65-RSA4096-PSS-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA65-RSA4096-PSS-SHA512, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA65-RSA4096-PSS-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -446,7 +410,7 @@ id-HashMLDSA65-RSA4096-PKCS15-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA65-RSA4096-PKCS15-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA65-RSA4096-PKCS15-SHA512, - RsaCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA65-RSA4096-PKCS15-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -460,7 +424,7 @@ id-HashMLDSA65-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA65-ECDSA-P384-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA65-ECDSA-P384-SHA512, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -475,7 +439,7 @@ id-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -490,7 +454,7 @@ id-HashMLDSA65-Ed25519-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA65-Ed25519-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA65-Ed25519-SHA512, - EdCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA65-Ed25519-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -505,7 +469,7 @@ id-HashMLDSA87-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA87-ECDSA-P384-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA87-ECDSA-P384-SHA512, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA87-ECDSA-P384-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -520,7 +484,7 @@ id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512, - EcCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ @@ -535,7 +499,7 @@ id-HashMLDSA87-Ed448-SHA512 OBJECT IDENTIFIER ::= { pk-HashMLDSA87-Ed448-SHA512 PUBLIC-KEY ::= pk-CompositeSignature{ id-HashMLDSA87-Ed448-SHA512, - EdCompositeSignaturePublicKey} + CompositeMLDSAPublicKey} sa-HashMLDSA87-Ed448-SHA512 SIGNATURE-ALGORITHM ::= sa-CompositeSignature{ diff --git a/draft-ietf-lamps-pq-composite-sigs.md b/draft-ietf-lamps-pq-composite-sigs.md index efc1af7..b29e276 100644 --- a/draft-ietf-lamps-pq-composite-sigs.md +++ b/draft-ietf-lamps-pq-composite-sigs.md @@ -164,24 +164,15 @@ This document defines combinations of ML-DSA [FIPS.204] in hybrid with tradition --- middle -# Changes in -03 +# Changes in -04 Interop-affecting changes: -* Compacted CompositeSignaturePrivateKey to SEQUENCE SIZE (2) OF OCTET STRING instead of OneAsymmetricKey to remove redundancy -* Added support for the ML-DSA context String, and use the Composite Domain as the context for the underlying ML-DSA component algorithm. -* Added Pre-Hash and Pure modes and changed the Message format to align with FIPS-204. This breaks backwards compatibility with all previous versions. -* Updated the OID table for new Pre-Hash OIDs and added them to the IANA section. -* Updated Use in CMS section to reflect content is hashed and pure Composite ML-DSA should be used. +* Remove the ASN.1 SEQUENCE Wrapping around the Public Keys, Private Keys and Composite Signature Value +* TODO Remove the HashComposite-ML-DSA algorithms in favour of the external Mu hashing Editorial changes: -* Added the ASN.1 encodings for the component public keys and signature algorithm identifiers -* ASN.1 Module changes: - * Renamed the module from Composite-Signatures-2023 -> Composite-MLDSA-2024 - * Simplified the ASN.1 module to make it more compiler-friendly (thanks Carl!) -- should not affect wire encodings. -* Updated Security Considerations about Non-separability, EUF-CMA and key reuse. - # Introduction {#sec-intro} @@ -261,6 +252,18 @@ Composite schemes are defined as cryptographic primitives that consist of three of the Message. If the signature and public key cannot verify the Message, it returns false. +We define the following algorithms which we use to serialize and deserialize the public and private keys + + * `SerializeKey(key) -> bytes`: Produce a fixed-length byte string encoding the public or private key. + + * `DeserializeKey(bytes) -> pk`: Parse a fixed-length byte string to recover a public or private key. This function can fail if the input byte string is malformed. + +We define the following algorithms which are used to serialize and deseralize the composite signature value + + * `SerializeSignatureValue(CompositeSignatureValue) -> bytes`: Produce a fixed-length byte string encoding the CompositeSignatureValue. + + * `DeserializeSignatureValue(bytes) -> pk`: Parse a fixed-length byte string to recover a CompositeSignatureValue. This function can fail if the input byte string is malformed. + A composite signature allows the security properties of the two underlying algorithms to be combined via standard signature operations `Sign()` and `Verify()`. This specification uses the Post-Quantum signature scheme ML-DSA as specified in [FIPS.204] and {{I-D.ietf-lamps-dilithium-certificates}}. For Traditional signature schemes, this document uses the RSA PKCS#1v1.5 and RSA-PSS algorithms defined in [RFC8017], the Elliptic Curve Digital Signature Algorithm ECDSA scheme defined in section 6 of [FIPS.186-5], and Ed25519 / Ed448 which are defined in [RFC8410]. A simple "signature combiner"function which prepends a domain separator value specific to the composite algorithm is used to bind the two component signatures to the composite algorithm and achieve weak non-separablity. @@ -396,7 +399,7 @@ Signature Generation Process: 6. Encode each component signature into a CompositeSignatureValue. - signature := CompositeSignatureValue(mldsaSig, tradSig) + signature = CompositeSignatureValue(mldsaSig, tradSig) 7. Output signature @@ -655,50 +658,244 @@ Signature Verification Process: Note that in step 4 above, the function fails early if the first component fails to verify. Since no private keys are involved in a signature verification, there are no timing attacks to consider, so this is ok. +## SerializeKey and DeserializeKey + +The serialization routine for keys simply concatenates the fixed-length public or private keys of the component signatures, as defined below: + +~~~ +Composite-ML-DSA.SerializeKey(key) -> bytes + +Explicit Input: + + key Composite ML-DSA public key or private key + +Implicit inputs: + + ML-DSA A placeholder for the specific ML-DSA algorithm and + parameter set to use, for example, could be "ML-DSA-65". + + Trad A placeholder for the specific traditional algorithm and + parameter set to use, for example "RSA" or "ECDSA". + +Output: + + bytes The encoded public key + +Serialization Process: + + 1. Separate the keys + + (mldsaKey, tradKey) = key + + 2. Serialize each of the constituent public keys + + mldsaEncodedKey = MLDSA.SerializeKey(mldsaKey) + tradEncodedKey = Trad.SerializeKey(tradKey) + + 3. Combine and output the encoded public key + + bytes = mldsaEncodedPK || tradEncodedPK + output bytes +~~~ +{: #alg-composite-serialize title="Composite SerializeKey(pk)"} + + +Deserialization reverses this process, raising an error in the event that the input is malformed. + +~~~ +Composite-ML-DSA.DeserializeKey(bytes) -> pk + +Explicit Input: + + bytes An encoded public key or private key + +Implicit inputs: + + ML-DSA A placeholder for the specific ML-DSA algorithm and + parameter set to use, for example, could be "ML-DSA-65". + + Trad A placeholder for the specific traditional algorithm and + parameter set to use, for example "RSA" or "ECDSA". + +Output: + + key The composite ML-DSA public key or private key + +Deserialization Process: + + 1. Validate the length of the the input byte string + + if bytes is not the correct length: + output "Deserialization error" + + 2. Parse each constituent encoded key. + The length of the mldsaEncodedKey is known based on the size of + the ML-DSA component key length specified by the Object ID + + (mldsaEncodedKey, tradEncodedKey) = bytes + + 3. Deserialize the constituent public or private keys + + mldsaKey = MLDSA.DeserializeKey(mldsaEncodedKey) + tradKey = Trad.DeserializeKey(tradEncodedKey) + + 4. If either ML-DSA.DeserializeKey() or + Trad.DeserializeKey() return an error, + then this process must return an error. + + if NOT mldsaKey or NOT tradKey: + output "Deserialization error" + + 5. Output the composite ML-DSA key + + output (mldsaPK, tradPK) +~~~ +{: #alg-composite-deserialize title="Composite DeserializeKey(bytes)"} + +## SerializeSignatureValue and DeSerializeSignatureValue + +The serialization routine for the CompositeSignatureValue simply concatenates the fixed-length +ML-DSA signature value with the signature value from the traditional algorithm, as defined below: + +~~~ +Composite-ML-DSA.SerializeSignatureValue(CompositeSignatureValue) -> bytes + +Explicit Input: + + CompositeSignatureValue The Composite Signature Value obtained from Composite-ML-DSA.Sign() + +Implicit inputs: + + ML-DSA A placeholder for the specific ML-DSA algorithm and + parameter set to use, for example, could be "ML-DSA-65". + + Trad A placeholder for the specific traditional algorithm and + parameter set to use, for example "RSA" or "ECDSA". + +Output: + + bytes The encoded CompositeSignatureValue + +Serialization Process: + + 1. Separate the signatures + + (mldsaSig, tradSig) = CompositeSignatureValue + + 2. Serialize each of the constituent signatures + + mldsaEncodedSignature = ML-DSA.SerializeSignature(mldsaSig) + tradEncodedSignature = Trad.SerializeSignature(tradSig) + + 3. Combine and output the encoded composite signature + + bytes = mldsaEncodedSignature || tradEncodedSignature + output bytes +~~~ +{: #alg-composite-serialize-sig title="Composite SerializeSignatureValue(CompositeSignatureValue)"} + + +Deserialization reverses this process, raising an error in the event that the input is malformed. + +~~~ +Composite-ML-DSA.DeserializeSignatureValue(bytes) -> CompositeSignatureValue + +Explicit Input: + + bytes An encoded CompositeSignatureValue + +Implicit inputs: + + ML-DSA A placeholder for the specific ML-DSA algorithm and + parameter set to use, for example, could be "ML-DSA-65". + + Trad A placeholder for the specific traditional algorithm and + parameter set to use, for example "RSA" or "ECDSA". + +Output: + + CompositeSignatureValue The CompositeSignatureValue + +Deserialization Process: + + 1. Validate the length of the the input byte string + + if bytes is not the correct length: + output "Deserialization error" + + 2. Parse each constituent encoded signature. + The length of the mldsaEncodedSignature is known based on the size of + the ML-DSA component signature length specified by the Object ID + + (mldsaEncodedSignature, tradEncodedSignature) = bytes + + 3. Deserialize the constituent signature values + + mldsaSig = ML-DSA.DeserializeSignature(mldsaEncodedSignature) + tradSig = Trad.DeserializeSignature(tradEncodedSignature) + + 4. If either ML-DSA.DeserializeSignature() or + Trad.DeserializeSignature() return an error, + then this process must return an error. + + if NOT mldsaSig or NOT tradSig: + output "Deserialization error" + + 5. Output the CompositeSignatureValue + + output (mldsaPK, tradPK) +~~~ +{: #alg-composite-deserialize-sig title="Composite DeserializeSignatureValue(bytes)"} + +## ML-DSA public key, private key and signature sizes for serialization and deserialization + +As noted above in the public key, private key and CompositeSignatureValue +serialization and deserialization methods, ML-DSA uses fixed-length values for +all of these components. This means the length encoding of the first component is +known and does NOT need to be encoded into the serialization and deserialization process +which simplifies the encoding. If future composite combinations make use of +algorithms where the first component uses variable length keys or signatures, then +that specification will need to ensure the length is encoded in a +fixed-length prefix so the components can be correctly deserialized. + +The following table shows the fixed length values in bytes for the public, private and signature +sizes for ML-DSA which can be used to deserialzie the components. + +| Algorithm | Public key | Private key | Signature | +| ----------- | ----------- | ----------- | ----------- | +| ML-DSA-44 | 1312 | 32 | 2420 | +| ML-DSA-65 | 1952 | 32 | 3309 | +| ML-DSA-87 | 2592 | 32 | 4627 | +{: #tab-mldsa-sizes title="ML-DSA Key and Signature Sizes"} + # Composite Key Structures {#sec-composite-structs} In order to form composite public keys and signature values, we define ASN.1-based composite encodings such that these structures can be used as a drop-in replacement for existing public key and signature fields such as those found in PKCS#10 [RFC2986], CMP [RFC4210], X.509 [RFC5280], CMS [RFC5652]. -## CompositeSignaturePublicKey {#sec-composite-pub-keys} +## CompositeMLDSAPublicKey {#sec-composite-pub-keys} The wire encoding of a Composite ML-DSA public key is: ~~~ ASN.1 -CompositeSignaturePublicKey ::= SEQUENCE SIZE (2) OF BIT STRING +CompositeMLDSAPublicKey ::= BIT STRING ~~~ -{: artwork-name="CompositeSignaturePublicKey-asn.1-structures"} +{: artwork-name="CompositeMLDSAPublicKey-asn.1-structures"} -Since RSA and ECDSA component public keys are themselves in a DER encoding, the following ASN.1 structures show the internal structure of the various public key types used in this specification: +Since RSA and ECDSA component public keys are themselves in a DER encoding, the following show the internal structure of the various public key types used in this specification: -~~~ ASN.1 -RsaCompositeSignaturePublicKey ::= SEQUENCE { - firstPublicKey BIT STRING (ENCODED BY id-raw-key), - secondPublicKey BIT STRING (CONTAINING RSAPublicKey) - } - -EcCompositeSignaturePublicKey ::= SEQUENCE { - firstPublicKey BIT STRING (ENCODED BY id-raw-key), - secondPublicKey BIT STRING (CONTAINING ECPoint) - } - -EdCompositeSignaturePublicKey ::= SEQUENCE { - firstPublicKey BIT STRING (ENCODED BY id-raw-key), - secondPublicKey BIT STRING (ENCODED BY id-raw-key) - } -~~~ +When a CompositeMLDSAPublicKey is used with an RSA public key, the BIT STRING is generated by the concatenation of a raw ML-DSA key according to {{I-D.ietf-lamps-dilithium-certificates}}, and an RSAPublicKey (which is a DER encoded RSAPublicKey). -`id-raw-key` is defined by this document. It signifies that the public key has no ASN.1 wrapping and the raw bits are placed here according to the encoding of the underlying algorithm specification. In some situations and protocols, the key might be wrapped in ASN.1 or -may have some other additional decoration or encoding. If so, such wrapping MUST be removed prior to encoding the key itself as a BIT STRING. +When a CompositeMLDSAPublicKey is used with an EC public key, the BIT STRING is generated by the concatenation of a raw ML-DSA key according to {{I-D.ietf-lamps-dilithium-certificates}} and an ECDSAPublicKey (which is a DER encoded ECPoint). -For use with this document, ML-DSA keys MUST be be the raw BIT STRING representation as specified in {{I-D.ietf-lamps-dilithium-certificates}} and Edwards Curve keys MUST be the raw BIT STRING representation as specified in [RFC8410]. +When a CompositeMLDSAPublicKey is used with an Edwards public key, the BIT STRING is generated by the concatenation of a raw ML-DSA key according to {{I-D.ietf-lamps-dilithium-certificates}} and a raw Edwards public key according to [RFC8410]. -Some applications may need to reconstruct the `SubjectPublicKeyInfo` objects corresponding to each component public key. {{tab-sig-algs}} or {{tab-hash-sig-algs}} in {{sec-alg-ids}} provides the necessary mapping between composite and their component algorithms for doing this reconstruction. This also motivates the design choice of `SEQUENCE OF BIT STRING` instead of `SEQUENCE OF OCTET STRING`; using `BIT STRING` allows for easier transcription between CompositeSignaturePublicKey and SubjectPublicKeyInfo. +Some applications may need to reconstruct the `SubjectPublicKeyInfo` objects corresponding to each component public key. {{tab-sig-algs}} or {{tab-hash-sig-algs}} in {{sec-alg-ids}} provides the necessary mapping between composite and their component algorithms for doing this reconstruction. -When the CompositeSignaturePublicKey must be provided in octet string or bit string format, the data structure is encoded as specified in {{sec-encoding-rules}}. +When the CompositeMLDSAPublicKey must be provided in octet string or bit string format, the data structure is encoded as specified in {{sec-encoding-rules}}. -Component keys of a CompositeSignaturePublicKey MUST NOT be used in any other type of key or as a standalone key. For more details on the security considerations around key reuse, see section {{sec-cons-key-reuse}}. +Component keys of a CompositeMLDSAPublicKey MUST NOT be used in any other type of key or as a standalone key. For more details on the security considerations around key reuse, see section {{sec-cons-key-reuse}}. The following ASN.1 Information Object Class is defined to allow for compact definitions of each composite algorithm, leading to a smaller overall ASN.1 module. @@ -718,25 +915,25 @@ As an example, the public key type `id-MLDSA44-ECDSA-P256` is defined as: id-MLDSA44-ECDSA-P256 PUBLIC-KEY ::= pk-CompositeSignature{ id-MLDSA44-ECDSA-P256, - EcCompositeSignaturePublicKey } + CompositeMLDSAPublicKey } ~~~ The full set of key types defined by this specification can be found in the ASN.1 Module in {{sec-asn1-module}}. -## CompositeSignaturePrivateKey {#sec-priv-key} +## CompositeMLDSAPrivateKey {#sec-priv-key} When a Composite ML-DSA private key is to be exported from a cryptographic module, it uses an analogous definition to the public keys: ~~~ ASN.1 -CompositeSignaturePrivateKey ::= SEQUENCE SIZE (2) OF OCTET STRING +CompositeMLDSAPrivateKey ::= OCTET STRING ~~~ -{: artwork-name="CompositeSignaturePrivateKey-asn.1-structures"} +{: artwork-name="CompositeMLDSAPrivateKey-asn.1-structures"} -Each element of the `CompositeSignaturePrivateKey` Sequence is an `OCTET STRING` according to the encoding of the underlying algorithm specification and will decode into the respective private key structures in an analogous way to the public key structures defined in {{sec-composite-pub-keys}}. This document does not provide helper classes for private keys. The PrivateKey for each component algorithm MUST be in the same order as defined in {{sec-composite-pub-keys}}. +Each element of the `CompositeMLDSAPrivateKey` is an `OCTET STRING` according to the encoding of the underlying algorithm specification and will decode into the respective private key structures in an analogous way to the public key structures defined in {{sec-composite-pub-keys}}. The ASN.1 module in this document does not provide helper classes for private keys. The PrivateKey for each component algorithm MUST be in the same order as defined in {{sec-composite-pub-keys}}. -Use cases that require an interoperable encoding for composite private keys will often need to place a `CompositeSignaturePrivateKey` inside a `OneAsymmetricKey` structure defined in [RFC5958], such as when private keys are carried in PKCS #12 [RFC7292], CMP [RFC4210] or CRMF [RFC4211]. The definition of `OneAsymmetricKey` is copied here for convenience: +Use cases that require an interoperable encoding for composite private keys will often need to place a `CompositeMLDSAPrivateKey` inside a `OneAsymmetricKey` structure defined in [RFC5958], such as when private keys are carried in PKCS #12 [RFC7292], CMP [RFC4210] or CRMF [RFC4211]. The definition of `OneAsymmetricKey` is copied here for convenience: ~~~ ASN.1 OneAsymmetricKey ::= SEQUENCE { @@ -757,11 +954,11 @@ Use cases that require an interoperable encoding for composite private keys will {: artwork-name="RFC5958-OneAsymmetricKey-asn.1-structure"} -When a `CompositeSignaturePrivateKey` is conveyed inside a OneAsymmetricKey structure (version 1 of which is also known as PrivateKeyInfo) [RFC5958], the privateKeyAlgorithm field SHALL be set to the corresponding composite algorithm identifier defined according to {{sec-alg-ids}} and its parameters field MUST be absent. The privateKey field SHALL contain the `CompositeSignaturePrivateKey`, and the `publicKey` field remains OPTIONAL. If the `publicKey` field is present, it MUST be a `CompositeSignaturePublicKey`. +When a `CompositeMLDSAPrivateKey` is conveyed inside a OneAsymmetricKey structure (version 1 of which is also known as PrivateKeyInfo) [RFC5958], the privateKeyAlgorithm field SHALL be set to the corresponding composite algorithm identifier defined according to {{sec-alg-ids}} and its parameters field MUST be absent. The privateKey field SHALL contain the `CompositeMLDSAPrivateKey`, and the `publicKey` field remains OPTIONAL. If the `publicKey` field is present, it MUST be a `CompositeMLDSAPublicKey`. Some applications may need to reconstruct the `OneAsymmetricKey` objects corresponding to each component private key. {{sec-alg-ids}} provides the necessary mapping between composite and their component algorithms for doing this reconstruction. -Component keys of a CompositeSignaturePrivateKey MUST NOT be used in any other type of key or as a standalone key. For more details on the security considerations around key reuse, see section {{sec-cons-key-reuse}}. +Component keys of a CompositeMLDSAPrivateKey MUST NOT be used in any other type of key or as a standalone key. For more details on the security considerations around key reuse, see section {{sec-cons-key-reuse}}. ## Encoding Rules {#sec-encoding-rules} @@ -771,18 +968,8 @@ Many protocol specifications will require that the composite public key and comp When an octet string is required, the DER encoding of the composite data structure SHALL be used directly. -~~~ ASN.1 -CompositeSignaturePublicKeyOs ::= OCTET STRING - (CONTAINING CompositeSignaturePublicKey ENCODED BY der) -~~~ - When a bit string is required, the octets of the DER encoded composite data structure SHALL be used as the bits of the bit string, with the most significant bit of the first octet becoming the first bit, and so on, ending with the least significant bit of the last octet becoming the last bit of the bit string. -~~~ ASN.1 -CompositeSignaturePublicKeyBs ::= BIT STRING - (CONTAINING CompositeSignaturePublicKey ENCODED BY der) -~~~ - In the interests of simplicity and avoiding compatibility issues, implementations that parse these structures MAY accept both BER and DER. ## Key Usage Bits @@ -833,11 +1020,11 @@ sa-CompositeSignature{OBJECT IDENTIFIER:id, The output of a Composite ML-DSA algorithm is the DER encoding of the following structure: -The `CompositeSignatureValue` is the DER encoing of a SEQUENCE of the signature values from the +The `CompositeSignatureValue` is the DER encoding of a concatenation of the signature values from the underlying component algorithms. It is represented in ASN.1 as follows: ~~~ asn.1 -CompositeSignatureValue ::= SEQUENCE SIZE (2) OF BIT STRING +CompositeSignatureValue ::= BIT STRING ~~~ {: artwork-name="composite-sig-asn.1"} @@ -1138,11 +1325,6 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{ ### Object Identifier Registrations - SMI Security for PKIX Algorithms -- id-raw-key - - Decimal: IANA Assigned - - Description: Designates a public key BIT STRING with no ASN.1 structure. - - References: This Document - - id-MLDSA44-RSA2048-PSS-SHA256 - Decimal: IANA Assigned - Description: id-MLDSA44-RSA2048-PSS-SHA256