diff --git a/.gitignore b/.gitignore
index 0dd18cd..72a59ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 *.html
 *~
 lib/
+.includes.mk
diff --git a/Composite-MLDSA-2024.asn b/Composite-MLDSA-2024.asn
index d42ac42..35d910f 100644
--- a/Composite-MLDSA-2024.asn
+++ b/Composite-MLDSA-2024.asn
@@ -208,16 +208,32 @@ sa-MLDSA65-RSA4096-PKCS15 SIGNATURE-ALGORITHM ::=
 id-MLDSA65-RSA4096-PKCS15,
 pk-MLDSA65-RSA4096-PKCS15 }
 
+
 -- TODO: OID to be replaced by IANA
-id-MLDSA65-ECDSA-P384 OBJECT IDENTIFIER ::= {
+id-MLDSA65-ECDSA-P256 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
 entrust(114027) algorithm(80) composite(8) signature(1) 68 }
 
+pk-MLDSA65-ECDSA-P256 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA65-ECDSA-P256,
+ CompositeMLDSAPublicKey}
+
+sa-MLDSA65-ECDSA-P256 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA65-ECDSA-P256,
+ pk-MLDSA65-ECDSA-P256 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-ECDSA-P384 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 69 }
+
 pk-MLDSA65-ECDSA-P384 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-MLDSA65-ECDSA-P384,
 CompositeMLDSAPublicKey}
 
-sa-MLDSA65-ECDSA-P256 SIGNATURE-ALGORITHM ::=
+sa-MLDSA65-ECDSA-P384 SIGNATURE-ALGORITHM ::=
 sa-CompositeSignature{
 id-MLDSA65-ECDSA-P384,
 pk-MLDSA65-ECDSA-P384 }
@@ -226,7 +242,7 @@ sa-MLDSA65-ECDSA-P256 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-MLDSA65-ECDSA-brainpoolP256r1 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 69 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 70 }
 
 pk-MLDSA65-ECDSA-brainpoolP256r1 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-MLDSA65-ECDSA-brainpoolP256r1,
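Review bot: Inserting id-MLDSA65-ECDSA-P256 at arc value 68 reuses the prototype OID that previously designated id-MLDSA65-ECDSA-P384 and shifts every later value by one (69 and 70 here; the same shift continues through the renumber hunks at -241, -252, -271, -286, -303, -317, -332, -347, -362, -377, -391, -406, -435, -450, -465, -480 and -495), and because the DER encoding of this OID is the combiner's domain separator, signatures and test vectors produced against earlier revisions will no longer verify under the same name, while an implementation that still hard-codes 68 as P384 would label a P256 composite as P384. The module records none of this; a comment beside the first renumbered definition would spare implementers a debugging session: `-- NOTE: prototype arc values from 68 upward were renumbered when id-MLDSA65-ECDSA-P256 was inserted; regenerate any test vectors computed against earlier revisions.` If the module also carries an information object set that enumerates the sa-*/pk-* objects (not visible in this hunk), the new id-MLDSA65-ECDSA-P256 entries need adding there too.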
@@ -241,7 +257,7 @@ sa-MLDSA65-ECDSA-brainpoolP256r1 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-MLDSA65-Ed25519 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 70 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 71 }
 
 pk-MLDSA65-Ed25519 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-MLDSA65-Ed25519,
@@ -252,11 +268,10 @@ sa-MLDSA65-Ed25519 SIGNATURE-ALGORITHM ::=
 id-MLDSA65-Ed25519,
 pk-MLDSA65-Ed25519 }
 
-
 -- TODO: OID to be replaced by IANA
 id-MLDSA87-ECDSA-P384 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 71 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 72 }
 
 pk-MLDSA87-ECDSA-P384 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-MLDSA87-ECDSA-P384,
@@ -271,7 +286,7 @@ sa-MLDSA87-ECDSA-P384 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-MLDSA87-ECDSA-brainpoolP384r1 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 72 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 73 }
 
 pk-MLDSA87-ECDSA-brainpoolP384r1 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-MLDSA87-ECDSA-brainpoolP384r1,
@@ -286,7 +301,7 @@ sa-MLDSA87-ECDSA-brainpoolP384r1 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-MLDSA87-Ed448 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 73 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 74 }
 
 pk-MLDSA87-Ed448 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-MLDSA87-Ed448,
@@ -303,7 +318,7 @@ sa-MLDSA87-Ed448 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA44-RSA2048-PSS-SHA256 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 74 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 80 }
 
 pk-HashMLDSA44-RSA2048-PSS-SHA256 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA44-RSA2048-PSS-SHA256,
@@ -317,7 +332,7 @@ sa-HashMLDSA44-RSA2048-PSS-SHA256 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA44-RSA2048-PKCS15-SHA256 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 75 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 81 }
 
 pk-HashMLDSA44-RSA2048-PKCS15-SHA256 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA44-RSA2048-PKCS15-SHA256,
@@ -332,7 +347,7 @@ sa-HashMLDSA44-RSA2048-PKCS15-SHA256 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA44-Ed25519-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 76 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 82 }
 
 pk-HashMLDSA44-Ed25519-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA44-Ed25519-SHA512,
@@ -347,7 +362,7 @@ sa-HashMLDSA44-Ed25519-SHA512 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA44-ECDSA-P256-SHA256 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 77 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 83 }
 
 pk-HashMLDSA44-ECDSA-P256-SHA256 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA44-ECDSA-P256-SHA256,
@@ -362,7 +377,7 @@ sa-HashMLDSA44-ECDSA-P256-SHA256 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA65-RSA3072-PSS-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 78 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 84 }
 
 pk-HashMLDSA65-RSA3072-PSS-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA65-RSA3072-PSS-SHA512,
@@ -377,7 +392,7 @@ sa-HashMLDSA65-RSA3072-PSS-SHA512 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA65-RSA3072-PKCS15-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 79 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 85 }
 
 pk-HashMLDSA65-RSA3072-PKCS15-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA65-RSA3072-PKCS15-SHA512,
@@ -391,7 +406,7 @@ sa-HashMLDSA65-RSA3072-PKCS15-SHA512 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA65-RSA4096-PSS-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 80 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 86 }
 
 pk-HashMLDSA65-RSA4096-PSS-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA65-RSA4096-PSS-SHA512,
@@ -406,7 +421,7 @@ sa-HashMLDSA65-RSA4096-PSS-SHA512 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA65-RSA4096-PKCS15-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 81 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 87 }
 
 pk-HashMLDSA65-RSA4096-PKCS15-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA65-RSA4096-PKCS15-SHA512,
@@ -417,16 +432,34 @@ sa-HashMLDSA65-RSA4096-PKCS15-SHA512 SIGNATURE-ALGORITHM ::=
 id-HashMLDSA65-RSA4096-PKCS15-SHA512,
 pk-HashMLDSA65-RSA4096-PKCS15-SHA512 }
 
+
+-- TODO: OID to be replaced by IANA
+id-HashMLDSA65-ECDSA-P256-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 88 }
+
+pk-HashMLDSA65-ECDSA-P256-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-HashMLDSA65-ECDSA-P256-SHA512,
+ CompositeMLDSAPublicKey}
+
+sa-HashMLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-HashMLDSA65-ECDSA-P256-SHA512,
+ pk-HashMLDSA65-ECDSA-P256-SHA512 }
+
+
+
+
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA65-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 82 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 89 }
 
 pk-HashMLDSA65-ECDSA-P384-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA65-ECDSA-P384-SHA512,
 CompositeMLDSAPublicKey}
 
-sa-HashMLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::=
+sa-HashMLDSA65-ECDSA-P384-SHA512 SIGNATURE-ALGORITHM ::=
 sa-CompositeSignature{
 id-HashMLDSA65-ECDSA-P384-SHA512,
 pk-HashMLDSA65-ECDSA-P384-SHA512 }
@@ -435,7 +468,7 @@ sa-HashMLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 83 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 90 }
 
 pk-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512,
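Review bot: Group spacing is inconsistent after this commit: four added blank lines sit between `+ pk-HashMLDSA65-ECDSA-P256-SHA512 }` and the retained `-- TODO` comment in this hunk, the -208 hunk adds two at the equivalent spot, and the -252 hunk removes one so that id-MLDSA87-ECDSA-P384 is preceded by a single blank. Pick one separator width and apply it throughout; the four-line run here is the clearest outlier and can lose three lines without changing anything else. The new id-HashMLDSA65-ECDSA-P256-SHA512 definitions otherwise mirror the existing pk-/sa- pattern exactly, and the sa- name for the P384 variant is now consistent with its OID.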
@@ -450,7 +483,7 @@ sa-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA65-Ed25519-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 84 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 91 }
 
 pk-HashMLDSA65-Ed25519-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA65-Ed25519-SHA512,
@@ -465,7 +498,7 @@ sa-HashMLDSA65-Ed25519-SHA512 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA87-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 85 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 92 }
 
 pk-HashMLDSA87-ECDSA-P384-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA87-ECDSA-P384-SHA512,
@@ -480,7 +513,7 @@ sa-HashMLDSA87-ECDSA-P384-SHA512 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 86 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 93 }
 
 pk-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512,
@@ -495,7 +528,7 @@ sa-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 SIGNATURE-ALGORITHM ::=
 -- TODO: OID to be replaced by IANA
 id-HashMLDSA87-Ed448-SHA512 OBJECT IDENTIFIER ::= {
 joint-iso-itu-t(2) country(16) us(840) organization(1)
- entrust(114027) algorithm(80) composite(8) signature(1) 87 }
+ entrust(114027) algorithm(80) composite(8) signature(1) 94 }
 
 pk-HashMLDSA87-Ed448-SHA512 PUBLIC-KEY ::=
 pk-CompositeSignature{ id-HashMLDSA87-Ed448-SHA512,
diff --git a/draft-ietf-lamps-pq-composite-sigs.md b/draft-ietf-lamps-pq-composite-sigs.md
index 9f2e276..ee8626e 100644
--- a/draft-ietf-lamps-pq-composite-sigs.md
+++ b/draft-ietf-lamps-pq-composite-sigs.md
@@ -1047,7 +1047,7 @@ EDNOTE: these are prototyping OIDs to be replaced by IANA.
 
 Pure Composite-ML-DSA Signature public key types:
 
-| Composite Signature AlgorithmID | OID | First AlgorithmID | Second AlgorithmID |
+| Composite Signature Algorithm | OID | First Algorithm | Second Algorithm |
 | ----------- | ----------- | ----------- | ----------- |
 | id-MLDSA44-RSA2048-PSS | <CompSig>.60 | id-ML-DSA-44 | id-RSASA-PSS with id-sha256 |
 | id-MLDSA44-RSA2048-PKCS15 | <CompSig>.61 | id-ML-DSA-44 | sha256WithRSAEncryption |
@@ -1057,12 +1057,13 @@ Pure Composite-ML-DSA Signature public key types:
 | id-MLDSA65-RSA3072-PKCS15 | <CompSig>.65 | id-ML-DSA-65 | sha256WithRSAEncryption |
 | id-MLDSA65-RSA4096-PSS | <CompSig>.66 | id-ML-DSA-65 | id-RSASA-PSS with id-sha384 |
 | id-MLDSA65-RSA4096-PKCS15 | <CompSig>.67 | id-ML-DSA-65 | sha384WithRSAEncryption |
-| id-MLDSA65-ECDSA-P384 | <CompSig>.68 | id-ML-DSA-65 | ecdsa-with-SHA384 with secp384r1 |
-| id-MLDSA65-ECDSA-brainpoolP256r1 | <CompSig>.69 | id-ML-DSA-65 | ecdsa-with-SHA256 with brainpoolP256r1 |
-| id-MLDSA65-Ed25519 | <CompSig>.70 | id-ML-DSA-65 | id-Ed25519 |
-| id-MLDSA87-ECDSA-P384 | <CompSig>.71 | id-ML-DSA-87 | ecdsa-with-SHA384 with secp384r1 |
-| id-MLDSA87-ECDSA-brainpoolP384r1 | <CompSig>.72 | id-ML-DSA-87 | ecdsa-with-SHA384 with brainpoolP384r1 |
-| id-MLDSA87-Ed448 | <CompSig>.73 | id-ML-DSA-87 | id-Ed448 |
+| id-MLDSA65-ECDSA-P256 | <CompSig>.68 | id-ML-DSA-65 | ecdsa-with-SHA256 with secp256r1 |
+| id-MLDSA65-ECDSA-P384 | <CompSig>.69 | id-ML-DSA-65 | ecdsa-with-SHA384 with secp384r1 |
+| id-MLDSA65-ECDSA-brainpoolP256r1 | <CompSig>.70 | id-ML-DSA-65 | ecdsa-with-SHA256 with brainpoolP256r1 |
+| id-MLDSA65-Ed25519 | <CompSig>.71 | id-ML-DSA-65 | id-Ed25519 |
+| id-MLDSA87-ECDSA-P384 | <CompSig>.72 | id-ML-DSA-87 | ecdsa-with-SHA384 with secp384r1 |
+| id-MLDSA87-ECDSA-brainpoolP384r1 | <CompSig>.73 | id-ML-DSA-87 | ecdsa-with-SHA384 with brainpoolP384r1 |
+| id-MLDSA87-Ed448 | <CompSig>.74 | id-ML-DSA-87 | id-Ed448 |
 {: #tab-sig-algs title="Pure ML-DSA Composite Signature Algorithms"}
 
 See the ASN.1 module in section {{sec-asn1-module}} for the explicit definitions of the above Composite ML-DSA algorithms.
@@ -1073,22 +1074,23 @@ Full specifications for the referenced algorithms can be found in {{appdx_compon
 
 HashComposite-ML-DSA Signature public key types:
 
-| Composite Signature AlgorithmID | OID | First AlgorithmID | Second AlgorithmID | Pre-Hash |
+| Composite Signature Algorithm | OID | First Algorithm | Second Algorithm | Pre-Hash |
 | ----------- | ----------- | ----------- | ----------- | ----------- |
-| id-HashMLDSA44-RSA2048-PSS-SHA256 | <CompSig>.74 | id-ML-DSA-44 | id-RSASA-PSS with id-sha256 | id-sha256 |
-| id-HashMLDSA44-RSA2048-PKCS15-SHA256 | <CompSig>.75 | id-ML-DSA-44 | sha256WithRSAEncryption | id-sha256 |
-| id-HashMLDSA44-Ed25519-SHA512 | <CompSig>.76 | id-ML-DSA-44 | id-Ed25519 | id-sha512 |
-| id-HashMLDSA44-ECDSA-P256-SHA256 | <CompSig>.77 | id-ML-DSA-44 | ecdsa-with-SHA256 with secp256r1 | id-sha256 |
-| id-HashMLDSA65-RSA3072-PSS-SHA512 | <CompSig>.78 | id-ML-DSA-65 | id-RSASA-PSS with id-sha256 | id-sha512 |
-| id-HashMLDSA65-RSA3072-PKCS15-SHA512 | <CompSig>.79 | id-ML-DSA-65 | sha256WithRSAEncryption | id-sha512 |
-| id-HashMLDSA65-RSA4096-PSS-SHA512 | <CompSig>.80 | id-ML-DSA-65 | id-RSASA-PSS with id-sha384 | id-sha512 |
-| id-HashMLDSA65-RSA4096-PKCS15-SHA512 | <CompSig>.81 | id-ML-DSA-65 | sha384WithRSAEncryption | id-sha512 |
-| id-HashMLDSA65-ECDSA-P384-SHA512 | <CompSig>.82 | id-ML-DSA-65 | ecdsa-with-SHA384 with secp384r1 | id-sha512 |
-| id-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 | <CompSig>.83 | id-ML-DSA-65 | ecdsa-with-SHA256 with brainpoolP256r1 | id-sha512 |
-| id-HashMLDSA65-Ed25519-SHA512 | <CompSig>.84 | id-ML-DSA-65 | id-Ed25519 | id-sha512 |
-| id-HashMLDSA87-ECDSA-P384-SHA512 | <CompSig>.85 | id-ML-DSA-87 | ecdsa-with-SHA384 with secp384r1 | id-sha512|
-| id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 | <CompSig>.86 | id-ML-DSA-87 | ecdsa-with-SHA384 with brainpoolP384r1 | id-sha512 |
-| id-HashMLDSA87-Ed448-SHA512 | <CompSig>.87 | id-ML-DSA-87 | id-Ed448 | id-sha512 |
+| id-HashMLDSA44-RSA2048-PSS-SHA256 | <CompSig>.80 | id-ML-DSA-44 | id-RSASA-PSS with id-sha256 | id-sha256 |
+| id-HashMLDSA44-RSA2048-PKCS15-SHA256 | <CompSig>.81 | id-ML-DSA-44 | sha256WithRSAEncryption | id-sha256 |
+| id-HashMLDSA44-Ed25519-SHA512 | <CompSig>.82 | id-ML-DSA-44 | id-Ed25519 | id-sha512 |
+| id-HashMLDSA44-ECDSA-P256-SHA256 | <CompSig>.83 | id-ML-DSA-44 | ecdsa-with-SHA256 with secp256r1 | id-sha256 |
+| id-HashMLDSA65-RSA3072-PSS-SHA512 | <CompSig>.84 | id-ML-DSA-65 | id-RSASA-PSS with id-sha256 | id-sha512 |
+| id-HashMLDSA65-RSA3072-PKCS15-SHA512 | <CompSig>.85 | id-ML-DSA-65 | sha256WithRSAEncryption | id-sha512 |
+| id-HashMLDSA65-RSA4096-PSS-SHA512 | <CompSig>.86 | id-ML-DSA-65 | id-RSASA-PSS with id-sha384 | id-sha512 |
+| id-HashMLDSA65-RSA4096-PKCS15-SHA512 | <CompSig>.87 | id-ML-DSA-65 | sha384WithRSAEncryption | id-sha512 |
+| id-HashMLDSA65-ECDSA-P256-SHA512 | <CompSig>.88 | id-ML-DSA-65 | ecdsa-with-SHA256 with secp256r1 | id-sha512 |
+| id-HashMLDSA65-ECDSA-P384-SHA512 | <CompSig>.89 | id-ML-DSA-65 | ecdsa-with-SHA384 with secp384r1 | id-sha512 |
+| id-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 | <CompSig>.90 | id-ML-DSA-65 | ecdsa-with-SHA256 with brainpoolP256r1 | id-sha512 |
+| id-HashMLDSA65-Ed25519-SHA512 | <CompSig>.91 | id-ML-DSA-65 | id-Ed25519 | id-sha512 |
+| id-HashMLDSA87-ECDSA-P384-SHA512 | <CompSig>.92 | id-ML-DSA-87 | ecdsa-with-SHA384 with secp384r1 | id-sha512|
+| id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 | <CompSig>.93 | id-ML-DSA-87 | ecdsa-with-SHA384 with brainpoolP384r1 | id-sha512 |
+| id-HashMLDSA87-Ed448-SHA512 | <CompSig>.94 | id-ML-DSA-87 | id-Ed448 | id-sha512 |
 {: #tab-hash-sig-algs title="Hash ML-DSA Composite Signature Algorithms"}
 
 
@@ -1100,9 +1102,9 @@ Full specifications for the referenced algorithms can be found in {{appdx_compon
 
 ## Domain Separators {#sec-domsep-values}
 
-As mentioned above, the OID input value is used as a domain separator for the Composite Signature Generation and verification process and is the DER encoding of the OID. The following table shows the HEX encoding for each Signature AlgorithmID.
+As mentioned above, the OID input value is used as a domain separator for the Composite Signature Generation and verification process and is the DER encoding of the OID. The following table shows the HEX encoding for each Signature Algorithm.
 
-| Composite Signature AlgorithmID | Domain Separator (in Hex encoding)|
+| Composite Signature Algorithm | Domain Separator (in Hex encoding)|
 | ----------- | ----------- |
 | id-MLDSA44-RSA2048-PSS | 060B6086480186FA6B5008013C|
 | id-MLDSA44-RSA2048-PKCS15 |060B6086480186FA6B5008013D|
@@ -1112,34 +1114,38 @@ As mentioned above, the OID input value is used as a domain separator for the Co
 | id-MLDSA65-RSA3072-PKCS15 |060B6086480186FA6B50080141|
 | id-MLDSA65-RSA4096-PSS |060B6086480186FA6B50080142|
 | id-MLDSA65-RSA4096-PKCS15 |060B6086480186FA6B50080143|
-| id-MLDSA65-ECDSA-P384 |060B6086480186FA6B50080144|
-| id-MLDSA65-ECDSA-brainpoolP256r1 |060B6086480186FA6B50080145|
-| id-MLDSA65-Ed25519 |060B6086480186FA6B50080146|
-| id-MLDSA87-ECDSA-P384 |060B6086480186FA6B50080147|
-| id-MLDSA87-ECDSA-brainpoolP384r1 |060B6086480186FA6B50080148|
-| id-MLDSA87-Ed448 |060B6086480186FA6B50080149|
+| id-MLDSA65-ECDSA-P256 |060B6086480186FA6B50080144|
+| id-MLDSA65-ECDSA-P384 |060B6086480186FA6B50080145|
+| id-MLDSA65-ECDSA-brainpoolP256r1 |060B6086480186FA6B50080146|
+| id-MLDSA65-Ed25519 |060B6086480186FA6B50080147|
+| id-MLDSA87-ECDSA-P384 |060B6086480186FA6B50080148|
+| id-MLDSA87-ECDSA-brainpoolP384r1 |060B6086480186FA6B50080149|
+| id-MLDSA87-Ed448 |060B6086480186FA6B5008014A|
 {: #tab-sig-alg-oids title="Pure ML-DSA Composite Signature Domain Separators"}
 
-| Composite Signature AlgorithmID | Domain Separator (in Hex encoding)|
+| Composite Signature Algorithm | Domain Separator (in Hex encoding)|
 | ----------- | ----------- |
-| id-HashMLDSA44-RSA2048-PSS-SHA256 | 060B6086480186FA6B5008014A|
-| id-HashMLDSA44-RSA2048-PKCS15-SHA256 |060B6086480186FA6B5008014B|
-| id-HashMLDSA44-Ed25519-SHA512 |060B6086480186FA6B5008014C|
-| id-HashMLDSA44-ECDSA-P256-SHA256 |060B6086480186FA6B5008014D|
-| id-HashMLDSA65-RSA3072-PSS-SHA512 |060B6086480186FA6B5008014E|
-| id-HashMLDSA65-RSA3072-PKCS15-SHA512 |060B6086480186FA6B5008014F|
-| id-HashMLDSA65-RSA4096-PSS-SHA512 |060B6086480186FA6B50080150|
-| id-HashMLDSA65-RSA4096-PKCS15-SHA512 |060B6086480186FA6B50080151|
-| id-HashMLDSA65-ECDSA-P384-SHA512 |060B6086480186FA6B50080152|
-| id-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 |060B6086480186FA6B50080153|
-| id-HashMLDSA65-Ed25519-SHA512 |060B6086480186FA6B50080154|
-| id-HashMLDSA87-ECDSA-P384-SHA512 |060B6086480186FA6B50080155|
-| id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 |060B6086480186FA6B50080156|
-| id-HashMLDSA87-Ed448-SHA512 |060B6086480186FA6B50080157|
+| id-HashMLDSA44-RSA2048-PSS-SHA256 | 060B6086480186FA6B50080150|
+| id-HashMLDSA44-RSA2048-PKCS15-SHA256 |060B6086480186FA6B50080151|
+| id-HashMLDSA44-Ed25519-SHA512 |060B6086480186FA6B50080152|
+| id-HashMLDSA44-ECDSA-P256-SHA256 |060B6086480186FA6B50080153|
+| id-HashMLDSA65-RSA3072-PSS-SHA512 |060B6086480186FA6B50080154|
+| id-HashMLDSA65-RSA3072-PKCS15-SHA512 |060B6086480186FA6B50080155|
+| id-HashMLDSA65-RSA4096-PSS-SHA512 |060B6086480186FA6B50080156|
+| id-HashMLDSA65-RSA4096-PKCS15-SHA512 |060B6086480186FA6B50080157|
+| id-HashMLDSA65-ECDSA-P256-SHA512 |060B6086480186FA6B50080158|
+| id-HashMLDSA65-ECDSA-P384-SHA512 |060B6086480186FA6B50080159|
+| id-HashMLDSA65-ECDSA-brainpoolP256r1-SHA512 |060B6086480186FA6B5008015A|
+| id-HashMLDSA65-Ed25519-SHA512 |060B6086480186FA6B5008015B|
+| id-HashMLDSA87-ECDSA-P384-SHA512 |060B6086480186FA6B5008015C|
+| id-HashMLDSA87-ECDSA-brainpoolP384r1-SHA512 |060B6086480186FA6B5008015D|
+| id-HashMLDSA87-Ed448-SHA512 |060B6086480186FA6B5008015E|
 {: #tab-hash-sig-alg-oids title="Hash ML-DSA Composite Signature Domain Separators"}
 
 ## Rationale for choices
 
+In generating the list of Composite algorithms, the following general guidance was used, however during development of this specification several algorithms were added by direct request even though they do not fit this guidance.
+
 * Pair equivalent levels.
 * NIST-P-384 is CNSA approved [CNSA2.0] for all classification levels.
 * 521 bit curve not widely used.
@@ -1216,7 +1222,7 @@ where:
 
 # Use in CMS
 
-\[EDNOTE: The convention in LAMPS is to specify algorithms and their CMS conventions in separate documents. Here we have presented them in the same document, but this section has been written so that it can easily be moved to a standalone document.\]
+\[EDNOTE: The convention in LAMPS is to specify algorithms and their CMS conventions in separate documents. Here we have presented them in the same document, but this section has been written so that it can easily be moved to a stand-alone document.\]
 
 Composite Signature algorithms MAY be employed for one or more recipients in the CMS signed-data content type [RFC5652].
 
@@ -1227,28 +1233,31 @@ All recommendations for using Composite ML-DSA in CMS are fully aligned with the
 
 A compliant implementation MUST support the following algorithms for the SignerInfo `digestAlgorithm` field when the corresponding Composite ML-DSA algorithm is listed in the SignerInfo `signatureAlgorithm` field. Implementations MAY also support other algorithms for the SignerInfo `digestAlgorithm` and SHOULD use algorithms of equivalent strength or greater.
 
-| Composite Signature AlgorithmID | digestAlgorithm |
+| Composite Signature Algorithm | digestAlgorithm |
 | ----------- | ----------- |
-| id-MLDSA44-RSA2048-PSS | SHA256 |
-| id-MLDSA44-RSA2048-PKCS15 | SHA256 |
-| id-MLDSA44-Ed25519 | SHA512 |
-| id-MLDSA44-ECDSA-P256 | SHA256 |
+| id-MLDSA44-RSA2048-PSS | SHA256 |
+| id-MLDSA44-RSA2048-PKCS15 | SHA256 |
+| id-MLDSA44-Ed25519 | SHA512 |
+| id-MLDSA44-ECDSA-P256 | SHA256 |
 | id-MLDSA65-RSA3072-PSS | SHA512 |
-| id-MLDSA65-RSA3072-PKCS15 | SHA512 |
+| id-MLDSA65-RSA3072-PKCS15 | SHA512 |
 | id-MLDSA65-RSA4096-PSS | SHA512 |
 | id-MLDSA65-RSA4096-PKCS15 | SHA512 |
+| id-MLDSA65-ECDSA-P256 | SHA512 |
 | id-MLDSA65-ECDSA-P384 | SHA512 |
 | id-MLDSA65-ECDSA-brainpoolP256r1 | SHA512 |
-| id-MLDSA65-Ed25519 | SHA512 |
-| id-MLDSA87-ECDSA-P384 | SHA512|
-| id-MLDSA87-ECDSA-brainpoolP384r1 | SHA512 |
-| id-MLDSA87-Ed448 | SHA512 |
+| id-MLDSA65-Ed25519 | SHA512 |
+| id-MLDSA87-ECDSA-P384 | SHA512 |
+| id-MLDSA87-ECDSA-brainpoolP384r1 | SHA512 |
+| id-MLDSA87-Ed448 | SHA512 |
 {: #tab-cms-shas title="Recommended Composite Signature Digest Algorithms"}
 
 where:
 
 * SHA2 instantiations are defined in [FIPS180].
 
+Note: The rationale for using SHA512 with id-MLDSA44-Ed25519 is that Section 5.1 in [RFC8032] explicitly defines SHA512 as hash algorithm for Ed25519.
+
 Note: The Hash ML-DSA Composite identifiers are not included in this list because the message content is already digested before being passed to the Composite-ML-DSA.Sign() function.
 
 ## SignedData Conventions
@@ -1329,14 +1338,14 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{
 
 ### Object Identifier Registrations - SMI Security for PKIX Algorithms
 
-- id-MLDSA44-RSA2048-PSS-SHA256
+- id-MLDSA44-RSA2048-PSS
 - Decimal: IANA Assigned
- - Description: id-MLDSA44-RSA2048-PSS-SHA256
+ - Description: id-MLDSA44-RSA2048-PSS
 - References: This Document
 
-- id-MLDSA44-RSA2048-PKCS15-SHA256
+- id-MLDSA44-RSA2048-PKCS15
 - Decimal: IANA Assigned
- - Description: id-MLDSA44-RSA2048-PKCS15-SHA256
+ - Description: id-MLDSA44-RSA2048-PKCS15
 - References: This Document
 
 - id-MLDSA44-Ed25519
@@ -1344,39 +1353,44 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{
 - Description: id-MLDSA44-Ed25519
 - References: This Document
 
-- id-MLDSA44-ECDSA-P256-SHA256
+- id-MLDSA44-ECDSA-P256
+ - Decimal: IANA Assigned
+ - Description: id-MLDSA44-ECDSA-P256
+ - References: This Document
+
+- id-MLDSA65-RSA3072-PSS
 - Decimal: IANA Assigned
- - Description: id-MLDSA44-ECDSA-P256-SHA256
+ - Description: id-MLDSA65-RSA3072-PSS
 - References: This Document
 
-- id-MLDSA65-RSA3072-PSS-SHA512
+- id-MLDSA65-RSA3072-PKCS15
 - Decimal: IANA Assigned
- - Description: id-MLDSA65-RSA3072-PSS-SHA512
+ - Description: id-MLDSA65-RSA3072-PKCS15
 - References: This Document
 
-- id-MLDSA65-RSA3072-PKCS15-SHA512
+- id-MLDSA65-RSA4096-PSS
 - Decimal: IANA Assigned
- - Description: id-MLDSA65-RSA3072-PKCS15-SHA512
+ - Description: id-MLDSA65-RSA4096-PSS
 - References: This Document
 
-- id-MLDSA65-RSA4096-PSS-SHA512
+- id-MLDSA65-RSA4096-PKCS15
 - Decimal: IANA Assigned
- - Description: id-MLDSA65-RSA4096-PSS-SHA512
+ - Description: id-MLDSA65-RSA4096-PKCS15
 - References: This Document
 
-- id-MLDSA65-RSA4096-PKCS15-SHA512
+- id-MLDSA65-ECDSA-P256
 - Decimal: IANA Assigned
- - Description: id-MLDSA65-RSA4096-PKCS15-SHA512
+ - Description: id-MLDSA65-ECDSA-P256
 - References: This Document
 
-- id-MLDSA65-ECDSA-P384-SHA512
+- id-MLDSA65-ECDSA-P384
 - Decimal: IANA Assigned
- - Description: id-MLDSA65-ECDSA-P384-SHA512
+ - Description: id-MLDSA65-ECDSA-P384
 - References: This Document
 
-- id-MLDSA65-ECDSA-brainpoolP256r1-SHA512
+- id-MLDSA65-ECDSA-brainpoolP256r1
 - Decimal: IANA Assigned
- - Description: id-MLDSA65-ECDSA-brainpoolP256r1-SHA512
+ - Description: id-MLDSA65-ECDSA-brainpoolP256r1
 - References: This Document
 
 - id-MLDSA65-Ed25519
@@ -1384,14 +1398,14 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{
 - Description: id-MLDSA65-Ed25519
 - References: This Document
 
-- id-MLDSA87-ECDSA-P384-SHA512
+- id-MLDSA87-ECDSA-P384
 - Decimal: IANA Assigned
- - Description: id-MLDSA87-ECDSA-P384-SHA512
+ - Description: id-MLDSA87-ECDSA-P384
 - References: This Document
 
-- id-MLDSA87-ECDSA-brainpoolP384r1-SHA512
+- id-MLDSA87-ECDSA-brainpoolP384r1
 - Decimal: IANA Assigned
- - Description: id-MLDSA87-ECDSA-brainpoolP384r1-SHA512
+ - Description: id-MLDSA87-ECDSA-brainpoolP384r1
 - References: This Document
 
 - id-MLDSA87-Ed448
@@ -1439,6 +1453,11 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{
 - Description: id-HashMLDSA65-RSA4096-PKCS15-SHA512
 - References: This Document
 
+- id-HashMLDSA65-ECDSA-P256-SHA512
+ - Decimal: IANA Assigned
+ - Description: id-HashMLDSA65-ECDSA-P256-SHA512
+ - References: This Document
+
 - id-HashMLDSA65-ECDSA-P384-SHA512
 - Decimal: IANA Assigned
 - Description: id-HashMLDSA65-ECDSA-P384-SHA512
@@ -1473,6 +1492,14 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{
 
 # Security Considerations
 
+## Why Hybrids?
+
+In broad terms, a PQ/T Hybrid can be used either to provide dual-algorithm security or to provide migration flexibility. Let's quickly explore both.
+
+Dual-algorithm security. The general idea is that the data is proctected by two algorithms such that an attacker would need to break both in order to compromise the data. As with most of cryptography, this property is easy to state in general terms, but becomes more complicated when expressed in formalisms. {{sec-cons-non-separability}} goes into more detail here. One common counter-argument against PQ/T hybrid signatures is that if an attacker can forge one of the component algorithms, then why attack the hybrid-signed message at all when they could simply forge a completely new message? The answer to this question must be found outside the cryptographic primitives themselves, and instead in policy; once an algorithm is known to be broken it ought to be disallowed for single-algorithm use by cryptographic policy, while hybrids involving that algorithm may continue to be used and to provide value.
+
+Migration flexibility. Some PQ/T hybrids exist to provide a sort of "OR" mode where the client can choose to use one algorithm or the other or both. The intention is that the PQ/T hybrid mechanism builds in backwards compatibility to allow legacy and upgraded clients to co-exist and communicate. The Composites presented in this specification do not provide this since they operate in a strict "AND" mode, but they do provide codebase migration flexibility. Consider that an organization has today a mature, validated, certified, hardened implementation of RSA or ECC. Composites allow them to add to this an ML-DSA implementation which immediately starts providing benefits against long-term document integrity attacks even if that ML-DSA implemtation is still experimental, non-validated, non-certified, non-hardened implementation. More details of obtaining FIPS certification of a composite algorithm can be found in {{sec-fips}}.
+
 ## Non-separability and EUF-CMA {#sec-cons-non-separability}
 
 The signature combiner defined in this document is Weakly Non-Separable (WNS), as defined in {{I-D.ietf-pquip-hybrid-signature-spectrums}}, since the forged message `M’` will include the composite domain separator as evidence. The prohibition on key reuse between composite and single-algorithm contexts discussed in {{sec-cons-key-reuse}} further strengthens the non-separability in practice, but does not achieve Strong Non-Separability (SNS) since policy mechanisms such as this are outside the definition of SNS.