ML-DSA for JOSE and COSE

ML-DSA for JOSE and COSE mesur.io

mprorock@mesur.io

Transmute

orie@transmute.industries

Google

rafaelmisoczki@google.com

IBM

osb@zurich.ibm.com

NXP

christine.cloostermans@nxp.com

Security CBOR Object Signing and Encryption JOSE COSE PQC DILITHIUM ML-DSA This document describes JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for Module-Lattice-Based Digital Signature Standard (ML-DSA), which was derived from Dilithium, a Post-Quantum Cryptography (PQC) based digital signature scheme. This document does not define any new cryptography, only seralizations of existing cryptographic systems described in . Note to RFC Editor: This document should not proceed to AUTH48 until NIST completes paramater tuning and selection as a part of the PQC standardization process. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the CBOR Object Signing and Encryption Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction As noted in , ML-DSA is derived from Version 3.1 of CRYSTALS-DILITHIUM, and is believed to be secure even against adversaries in possession of a large-scale quantum computer. CRYSTALS-DILITHIUM is one of the post quantum cryptography algorithms selected in .

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The ML-DSA Algorithm Family The ML-DSA Signature Scheme is paramaterized to support different security levels. This document requests the registration of the following algorithms in : JOSE algorithms for ML-DSA

Name	alg	Description
ML-DSA-44	ML-DSA-44	JSON Web Signature Algorithm for ML-DSA-44
ML-DSA-65	ML-DSA-65	JSON Web Signature Algorithm for ML-DSA-65
ML-DSA-87	ML-DSA-87	JSON Web Signature Algorithm for ML-DSA-87

This document requests the registration of the following algorithms in : COSE algorithms for ML-DSA

Name	alg	Description
ML-DSA-44	TBD (requested assignment -48)	CBOR Object Signing Algorithm for ML-DSA-44
ML-DSA-65	TBD (requested assignment -49)	CBOR Object Signing Algorithm for ML-DSA-65
ML-DSA-87	TBD (requested assignment -50)	CBOR Object Signing Algorithm for ML-DSA-87

The ML-DSA Key Type The ML-DSA Key Type is used to express Public and Private Keys for use with ML-DSA Algorithms. This document requests the registration of the following key types in : JSON Web Key Type for ML-DSA

Name	kty	Description
ML-DSA	ML-DSA	JSON Web Key Type for the ML-DSA Algorithm Family.

This document requests the registration of the following algorithms in : COSE Key Type for ML-DSA

Name	kty	Description
ML-DSA	TBD (requested assignment 7)	COSE Key Type for the ML-DSA Algorithm Family.

Security Considerations The security considerations of , and applies to this specification as well. A detailed security analysis of ML-DSA is beyond the scope of this specification, see for additional details.

IANA Considerations

Additions to Existing Registries

New COSE Algorithms IANA is requested to add the following entries to the COSE Algorithms Registry. The following completed registration templates are provided as described in RFC9053 and RFC9054.

ML-DSA-44

Name: ML-DSA-44
Value: TBD (requested assignment -48)
Description: CBOR Object Signing Algorithm for ML-DSA-44
Capabilities: [kty]
Reference: RFC XXXX
Recommended: Yes

ML-DSA-65

Name: ML-DSA-65
Value: TBD (requested assignment -49)
Description: CBOR Object Signing Algorithm for ML-DSA-65
Capabilities: [kty]
Reference: RFC XXXX
Recommended: Yes

ML-DSA-87

Name: ML-DSA-87
Value: TBD (requested assignment -50)
Description: CBOR Object Signing Algorithm for ML-DSA-87
Capabilities: [kty]
Reference: RFC XXXX
Recommended: Yes

New COSE Key Types IANA is requested to add the following entries to the COSE Key Types Registry. The following completed registration templates are provided as described in RFC9053.

ML-DSA

Name: ML-DSA
Value: TBD (requested assignment 7)
Description: COSE Key Type for the ML-DSA Algorithm Family
Capabilities: [kty(7)]
Reference: RFC XXXX

New COSE Key Type Parameters IANA is requested to add the following entries to the COSE Key Type Parameters. The following completed registration templates are provided as described in RFC9053.

ML-DSA Public Key

Key Type: TBD (requested assignment 7)
Name: public_key
Label: -1
CBOR Type: bstr
Description: Public key
Reference: RFC XXXX

ML-DSA Secret Key

Key Type: TBD (requested assignment 7)
Name: secret_key
Label: -2
CBOR Type: bstr
Description: Secret (or private) key.
Reference: RFC XXXX

New JOSE Algorithms IANA is requested to add the following entries to the JSON Web Signature and Encryption Algorithms Registry. The following completed registration templates are provided as described in RFC7518.

ML-DSA-44

Algorithm Name: ML-DSA-44
Algorithm Description: ML-DSA-44 as described in FIPS 204.
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change Controller: IETF
Value registry: Algorithms
Specification Document(s): RFC XXXX
Algorithm Analysis Documents(s): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf

ML-DSA-65

Algorithm Name: ML-DSA-65
Algorithm Description: ML-DSA-65 as described in FIPS 204.
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change Controller: IETF
Value registry: Algorithms
Specification Document(s): RFC XXXX
Algorithm Analysis Documents(s): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf

ML-DSA-87

Algorithm Name: ML-DSA-87
Algorithm Description: ML-DSA-87 as described in FIPS 204.
Algorithm Usage Location(s): alg
JOSE Implementation Requirements: Optional
Change Controller: IETF
Value registry: Algorithms
Specification Document(s): RFC XXXX
Algorithm Analysis Documents(s): https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf

New JOSE Key Types IANA is requested to add the following entries to the JSON Web Key Types Registry. The following completed registration templates are provided as described in RFC7518 RFC7638.

ML-DSA

"kty" Parameter Value: ML-DSA
Key Type Description: Module-Lattice-Based Digital Signature Algorithm
JOSE Implementation Requirements: Optional
Change Controller: IETF
Specification Document(s): RFC XXXX

New JSON Web Key Parameters IANA is requested to add the following entries to the JSON Web Key Parameters Registry. The following completed registration templates are provided as described in RFC7517, and RFC7638.

ML-DSA Public Key

Parameter Name: pub
Parameter Description: Public or verification key
Used with "kty" Value(s): ML-DSA
Parameter Information Class: Public
Change Controller: IETF
Specification Document(s): RFC XXXX

ML-DSA Secret Key

Parameter Name: priv
Parameter Description: Secret, private or signing key
Used with "kty" Value(s): ML-DSA
Parameter Information Class: Private
Change Controller: IETF
Specification Document(s): RFC XXXX

References Normative References JSON Object Signing and Encryption (JOSE) IANA CBOR Object Signing and Encryption (COSE) IANA JSON Web Signature (JWS) JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification. JSON Web Key (JWK) A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification. CBOR Object Signing and Encryption (COSE): Initial Algorithms Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052). This document, along with RFC 9052, obsoletes RFC 8152. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Module-Lattice-Based Digital Signature Standard n.d. Selected Algorithms 2022 n.d.

Examples

JOSE

Key Pair

Example ML-DSA-44 Private JSON Web Key

Example ML-DSA-44 Public JSON Web Key

Thumbprint URI TODO

JSON Web Signature

Example ML-DSA-44 Decoded Protected Header

Example ML-DSA-44 Compact JSON Web Signature

COSE

Key Pair

Example ML-DSA-44 Private COSE Key

Example ML-DSA-44 Public COSE Key

Thumbprint URI TODO

COSE Sign 1

Example ML-DSA-44 COSE Sign 1 > / unprotected / {}, / payload / h'66616b65', / signature / h'53e855e8...0f263549' ] ) ]]>

Acknowledgments We would like to thank Simo Sorce, Ilari Liusvaara, Neil Madden, Anders Rundgren, David Waite, and Russ Housley for their review feedback.