]> AWS

US jakemas@amazon.com

AWS

US kpanos@amazon.com

sn3rd

sean@sn3rd.com

Cloudflare

bas@cloudflare.com

SEC LAMPS WG ML-DSA Certificate X.509 PKIX Digital signatures are used within X.509 certificates, Certificate Revocation Lists (CRLs), and to sign messages. This document describes the conventions for using FIPS 204, the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) in Internet X.509 certificates and certificate revocation lists. The conventions for the associated signatures, subject public keys, and private key are also described. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Limited Additional Mechanisms for PKIX and SMIME (lamps) Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a quantum-resistant digital signature scheme standardized by the US National Institute of Standards and Technology (NIST) PQC project in . This document specifies the use of the ML-DSA in Public Key Infrastructure X.509 (PKIX) certificates and Certificate Revocation Lists (CRLs) at three security levels: ML-DSA-44, ML-DSA-65, and ML-DSA-87. defines two variants of ML-DSA: a pure and a prehash variant. Only the former is specified in this document. See for the rationale. The pure variant of ML-DSA supports the typical prehash flow. Refer to for more details. Prior to standardisation, ML-DSA was known as Dilithium. ML-DSA and Dilithium are not compatible.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Identifiers The AlgorithmIdentifier type is defined in as follows: The fields in AlgorithmIdentifier have the following meanings:

• algorithm identifies the cryptographic algorithm with an object identifier (OID).
• parameters, which are optional, are the associated parameters for the algorithm identifier in the algorithm field.

The OIDs are: The contents of the parameters component for each algorithm MUST be absent.

ML-DSA Signatures in PKIX ML-DSA is a digital signature scheme built upon the Fiat-Shamir-with-aborts framework . The security is based upon the hardness of lattice problems over module lattices . ML-DSA provides three parameter sets for the NIST PQC security categories 2, 3 and 5. Signatures are used in a number of different ASN.1 structures. As shown in the ASN.1 representation from below, in an X.509 certificate, a signature is encoded with an algorithm identifier in the signatureAlgorithm attribute and a signatureValue attribute that contains the actual signature. Signatures are also used in the CRL list ASN.1 representation from below. In a X.509 CRL, a signature is encoded with an algorithm identifier in the signatureAlgorithm attribute and a signatureValue attribute that contains the actual signature. The following SIGNATURE-ALGORITHM ASN.1 classes are for ML-DSA-44, ML-DSA-65, and ML-DSA-87: The identifiers defined in can be used as the AlgorithmIdentifier in the signatureAlgorithm field in the sequence Certificate/CertificateList and the signature field in the sequence TBSCertificate/TBSCertList in certificates and CRLs, respectively, . The parameters of these signature algorithms MUST be absent, as explained in . That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID id-ml-dsa-*. The signatureValue field contains the corresponding ML-DSA signature computed upon the ASN.1 DER encoded tbsCertificate/tbsCertList . The optional context string (ctx) parameter as defined in Section 5.2 of is left to its default value: the empty string. Conforming Certification Authority (CA) implementations MUST specify the algorithms explicitly by using the OIDs specified in when encoding ML-DSA signatures in certificates and CRLs. Conforming client implementations that process certificates and CRLs using ML-DSA MUST recognize the corresponding OIDs. Encoding rules for ML-DSA signature values are specified in .

ML-DSA Public Keys in PKIX In the X.509 certificate, the subjectPublicKeyInfo field has the SubjectPublicKeyInfo type, which has the following ASN.1 syntax: The fields in SubjectPublicKeyInfo have the following meaning:

• algorithm is the algorithm identifier and parameters for the public key (see above).
• subjectPublicKey contains the public key.

The PUBLIC-KEY ASN.1 types for ML-DSA are defined here: Algorithm 22 in Section 7.2 of defines the raw byte string encoding of an ML-DSA public key. When used in a SubjectPublicKeyInfo type, the subjectPublicKey BIT STRING contains this raw byte string encoding of the public key. When an ML-DSA public key appears outside of a SubjectPublicKeyInfo type in an environment that uses ASN.1 encoding, it can be encoded as an OCTET STRING by using the ML-DSA-44-PublicKey, ML-DSA-65-PublicKey, and ML-DSA-87-PublicKey types corresponding to the correct key size. describes the Asymmetric Key Package's OneAsymmetricKey type for encoding asymmetric keypairs. When an ML-DSA private key or keypair is encoded as a OneAsymmetricKey, it follows the description in . When the ML-DSA private key appears outside of an Asymmetric Key Package in an environment that uses ASN.1 encoding, it can be encoded using one of the the ML-DSA-PrivateKey CHOICE formats defined in . The seed format is RECOMMENDED as it efficiently stores both the private and public key. contains example ML-DSA public keys encoded using the textual encoding defined in .

Key Usage Bits The intended application for the key is indicated in the keyUsage certificate extension; see . If the keyUsage extension is present in a certificate that indicates id-ml-dsa-* in the SubjectPublicKeyInfo, then at least one of following MUST be present: If the keyUsage extension is present in a certificate that indicates id-ml-dsa-* in the SubjectPublicKeyInfo, then the following MUST NOT be present: Requirements about the keyUsage extension bits defined in still apply.

Private Key Format specifies two formats for an ML-DSA private key: a 32-octet seed (xi) and an (expanded) private key. The expanded private key (and public key) is computed from the seed using ML-DSA.KeyGen_internal(xi) (algorithm 6). "Asymmetric Key Packages" describes how to encode a private key in a structure that both identifies what algorithm the private key is for and allows for the public key and additional attributes about the key to be included as well. For illustration, the ASN.1 structure OneAsymmetricKey is replicated below. For ML-DSA private keys, the privateKey field in OneAsymmetricKey contains one of the following DER-encoded CHOICE structures. The seed format is a fixed 32 byte OCTET STRING (34 bytes total with the 0x8020 tag and length) for all security levels, while the expandedKey and both formats vary in size by security level: The CHOICE allows three representations of the private key:

1. The seed format (tag [0]) contains just the 32-byte seed value (xi) from which both the expanded private key and public key can be derived using ML-DSA.KeyGen_internal(xi).
2. The expandedKey format contains the expanded private key that was derived from the seed.
3. The both format contains both the seed and expanded private key, allowing for for interoperability; some may want to use and retain the seed and others may only support expanded private keys.

When encoding an ML-DSA private key in a OneAsymmetricKey object, any of these three formats may be used, though the seed format is RECOMMENDED for storage efficiency. The privateKeyAlgorithm field uses the AlgorithmIdentifier structure with the appropriate OID as defined in . If present, the publicKey field will hold the encoded public key as defined in . NOTE: While the private key can be stored in multiple formats, the seed-only format is RECOMMENDED as it is the most compact representation. Both the expanded private key and the public key can be deterministically derived from the seed using ML-DSA.KeyGen_internal(xi). Alternatively, the public key can be generated from the private key. While the publicKey field and expandedKey format are technically redundant when using the seed-only format, they MAY be included to enable keypair consistency checks during import operations. When parsing the private key, the ASN.1 tag explicitly indicates which variant of CHOICE is present. Implementations should use the context-specific tag IMPLICIT [0] (raw value 0x80) for seed, OCTET STRING (0x04) for expandedKey, and SEQUENCE (0x30) for both to parse the private key, rather than any other heuristic like length of the enclosing OCTET STRING. contains example ML-DSA private keys encoded using the textual encoding defined in .

IANA Considerations For the ASN.1 module in , IANA is requested to assign an object identifier (OID) for the module identifier (TBD1) with a Description of "id-mod-x509-ml-dsa-2025". The OID for the module should be allocated in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).

Implementation Considerations An ML-DSA.KeyGen seed (xi) represents the RECOMMENDED format for storing and transmitting ML-DSA private keys. This format is explicitly permitted by as an acceptable representation of a keypair. In particular, generating the seed in one cryptographic module and then importing or exporting it into another cryptographic module is allowed. The internal key generation function ML-DSA.KeyGen_internal(xi) can be accessed for this purpose. Note also that unlike other private key compression methods in other algorithms, expanding a private key from a seed is a one-way function, meaning that once a full key is expanded from seed and the seed discarded, the seed cannot be re-created even if the full expanded private key is available. For this reason it is RECOMMENDED that implementations retain and export the seed, even when also exporting the expanded private key. ML-DSA seed extraction can be implemented by including the seed xi randomly generated at line 1 of Algorithm 1 ML-DSA.KeyGen in the returned output.

Private Key Consistency Testing When receiving a private key that contains both the seed and the expandedKey, the recipient SHOULD perform a seed consistency check to ensure that the sender properly generated the private key. Recipients that do not perform this seed consistency check avoid keygen and compare operations, but are unable to ensure that the seed and expandedKey match. If the check is done and the seed and the expandedKey are not consistent, the recipient MUST reject the private key as malformed. The seed consistency check consists of regenerating the expanded form from the seed via ML-DSA.KeyGen_internal and ensuring it is bytewise equal to the value presented in the private key. includes some examples of inconsistent seeds and expanded private keys.

Security Considerations The Security Considerations section of applies to this specification as well. The ML-DSA signature scheme is strongly unforgeable under chosen message attacks (SUF-CMA). For the purpose of estimating security strength, it has been assumed that the attacker has access to signatures for no more than 2^{64} chosen messages. ML-DSA depends on high quality random numbers that are suitable for use in cryptography. The use of inadequate pseudo-random number generators (PRNGs) to generate such values can significantly undermine various security properties. For instance, using an inadequate PRNG for key generation, might allow an attacker to efficiently recover the private key by trying a small set of possibilities, rather than brute force search the whole keyspace. The generation of random numbers of a sufficient level of quality for use in cryptography is difficult, and offers important guidance in this area. In the design of ML-DSA, care has been taken to make side-channel resilience easier to achieve. For instance, ML-DSA does not depend on Gaussian sampling. Implementations must still take great care not to leak information via various side channels. While deliberate design decisions such as these can help to deliver a greater ease of secure implementation - particularly against side-channel attacks - it does not necessarily provide resistance to more powerful attacks such as differential power analysis. Some amount of side-channel leakage has been demonstrated in parts of the signing algorithm (specifically the bit-unpacking function), from which a demonstration of key recovery has been made over a large sample of signatures. Masking countermeasures exist for ML-DSA, but come with a performance overhead. ML-DSA offers both deterministic and randomized signing. Signatures generated with either mode are compatible and a verifyer can't tell them apart. In the deterministic case, a signature only depends on the private key and the message to be signed. This makes the implementation easier to test and does not require a randomness source during signing. In the randomized case, signing mixes in a 256-bit random string from an approved random bit generator (RBG). When randomized, ML-DSA is easier to harden against fault and hardware side-channel attacks. A security property also associated with digital signatures is non-repudiation. Non-repudiation refers to the assurance that the owner of a signature key pair that was capable of generating an existing signature corresponding to certain data cannot convincingly deny having signed the data, unless its private key was compromised. The digital signature scheme ML-DSA possess three security properties beyond unforgeability, that are associated with non-repudiation. These are exclusive ownership, message-bound signatures, and non-resignability. These properties are based tightly on the assumed collision resistance of the hash function used (in this case SHAKE-256). A full discussion of these properties in ML-DSA can be found at .

Rationale for disallowing HashML-DSA The HashML-DSA mode defined in Section 5.4 of MUST NOT be used; in other words, public keys identified by id-hash-ml-dsa-44-with-sha512, id-hash-ml-dsa-65-with-sha512, and id-hash-ml-dsa-87-with-sha512 MUST NOT be in X.509 certificates used for CRLs, OCSP, certificate issuance and related PKIX protocols. This restriction is primarily to increase interoperability. ML-DSA and HashML-DSA are incompatible algorithms that require different Verify() routines. This introduces the complexity of informing the verifier whether to use ML-DSA.Verify() or HashML-DSA.Verify(). Additionally, since the same OIDs are used to identify the ML-DSA public keys and ML-DSA signature algorithms, an implementation would need to commit a given public key to be either of type ML-DSA or HashML-DSA at the time of certificate creation. This is anticipated to cause operational issues in contexts where the operator does not know whether the key will need to produce pure or pre-hashed signatures at key generation time. The External Mu mode described in avoids all of these operational concerns. A minor security reason for disallowing HashML-DSA is that the design of the ML-DSA algorithm provides enhanced resistance against collision attacks, compared with HashML-DSA or conventional RSA or ECDSA signature algorithms. Specifically, ML-DSA prepends the SHAKE256 hash of the public key (tr) to the message to-be-signed prior to hashing, as described in line 6 of Algorithm 7 of . This means that in the unlikely discovery of a collision attack against the SHA-3 family, an attacker would have to perform a public-key-specific collision search in order to find message pairs such that H(tr || m1) = H(tr || m2) since a direct hash collision H(m1) = H(m2) will not suffice. HashML-DSA removes this enhanced security property. In spite of its lack of targeted collision protection, the practical security risk of using HashML-DSA in X.509 signatures would be immaterial. That is because a hash of the issuing CA's public key is already included in the Authority Key Identifier (AKI) extension which is signed as part of the tbsCertificate structure. Even when it is a SHA-1 hash, general second pre-images against the AKI hash of existing issuing CAs would be impractical.

References Normative References ITU-T ITU-T National Institute of Standards and Technology (NIST) In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] This document defines the syntax for private-key information and a content type for it. Private-key information includes a private key for a specified public-key algorithm and a set of attributes. The Cryptographic Message Syntax (CMS), as defined in RFC 5652, can be used to digitally sign, digest, authenticate, or encrypt the asymmetric key format content type. This document obsoletes RFC 5208. [STANDARDS-TRACK] Informative References National Institute of Standards and Technology (NIST) National Institute of Standards and Technology (NIST) This document describes and discusses the textual encodings of the Public-Key Infrastructure X.509 (PKIX), Public-Key Cryptography Standards (PKCS), and Cryptographic Message Syntax (CMS). The textual encodings are well-known, are implemented by several applications and libraries, and are widely deployed. This document articulates the de facto rules by which existing implementations operate and defines them so that future implementations can interoperate. Security systems are built on strong cryptographic algorithms that foil pattern analysis attempts. However, the security of these systems is dependent on generating secret quantities for passwords, cryptographic keys, and similar quantities. The use of pseudo-random processes to generate secret quantities can result in pseudo-security. A sophisticated attacker may find it easier to reproduce the environment that produced the secret quantities and to search the resulting small set of possibilities than to locate the quantities in the whole of the potential number space. Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. This document points out many pitfalls in using poor entropy sources or traditional pseudo-random number generation techniques for generating such quantities. It recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose. It provides suggestions to ameliorate the problem when a hardware solution is not available, and it gives examples of how large such quantities need to be for some applications. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document presents a framework to assist the writers of certificate policies or certification practice statements for participants within public key infrastructures, such as certification authorities, policy authorities, and communities of interest that wish to rely on certificates. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy or a certification practice statement. This document supersedes RFC 2527.

ASN.1 Module This appendix includes the ASN.1 module for the ML-DSA. Note that as per , certificates use the Distinguished Encoding Rules; see . This module imports objects from .

Security Strengths Instead of defining the strength of a quantum algorithm in a traditional manner using the imprecise notion of bits of security, NIST has instead elected to define security levels by picking a reference scheme, which NIST expects to offer notable levels of resistance to both quantum and classical attack. To wit, an algorithm that achieves NIST PQC security level 1 must require computational resources to break the relevant security property, which are greater than those required for a brute-force key search on AES-128. Levels 3 and 5 use AES-192 and AES-256 as reference respectively. Levels 2 and 4 use collision search for SHA-256 and SHA-384 as reference. The parameter sets defined for NIST security levels 2, 3 and 5 are listed in the Figure 1, along with the resulting signature size, public key, and private key sizes in bytes. Note that these are the sizes of the raw keys, not including ASN.1 encoding overhead from OneAsymmetricKey and SubjectPublicKeyInfo wrappers. Private key sizes are shown for both the seed format and expanded format.

ML-DSA Parameters

Examples This appendix contains examples of ML-DSA private keys, public keys, certificates, and inconsistent seed and expanded private keys.

Example Private Keys The following examples show ML-DSA private keys in different formats, all derived from the same seed 000102...1e1f. For each security level, we show the seed-only format (using a context-specific [0] primitive tag with an implicit encoding of OCTET STRING), the expanded format, and both formats together. NOTE: All examples use the same seed value, showing how the same seed produces different expanded private keys for each security level.

ML-DSA-44 Private Key Examples Each of the examples includes the textual encoding followed by the so-called "pretty print"; the private keys are the same.

Seed Format

Expanded Format

Both Format

ML-DSA-65 Private Key Examples Each of the examples includes the textual encoding followed by the so-called "pretty print"; the private keys are the same.

Seed Format

Expanded Format

Both Format

ML-DSA-87 Private Key Examples Each of the examples includes the textual encoding followed by the so-called "pretty print"; the private keys are the same.

Seed Format

Expanded Format

Both Format

Example Public Keys The following is the ML-DSA-44 public key corresponding to the private key in the previous section. The textual encoding is followed by the so-called "pretty print"; the public keys are the same. The following is the ML-DSA-65 public key corresponding to the private key in the previous section. The textual encoding is followed by the so-called "pretty print"; the public keys are the same. The following is the ML-DSA-87 public key corresponding to the private key in the previous section. The textual encoding is followed by the so-called "pretty print"; the public keys are the same.

Example Certificates The following is a self-signed certificate for the ML-DSA-44 public key in the previous section. The textual encoding is followed by the so-called "pretty print"; the certificates are the same. The following is a self-signed certificate for the ML-DSA-65 public key in the previous section. The textual encoding is followed by the so-called "pretty print"; the certificates are the same. The following is a self-signed certificate for the ML-DSA-87 public key in the previous section. The textual encoding is followed by the so-called "pretty print"; the certificates are the same.

Example Inconsistent Seed and Expanded Private Keys The following examples demonstrate inconsistent seed and expanded private keys. Three ML-DSA-44-PrivateKey examples of inconsistent seed and expanded private keys follow:

1. The first ML-DSA-PrivateKey example includes the both CHOICE , i.e., both seed and expandedKey are included. The seed and expanded values can be checked for inconsistencies.
2. The second ML-DSA-PrivateKey example includes only expandedKey. The public key fails to match the tr hash value in the private key.
3. The third ML-DSA-PrivateKey example also includes only expandedKey. The private s_1 and s_2 vectors imply a t vector whose private low bits do not match the t_0 vector portion of the private key (its high bits t_1 are the primary content of the public key).

The second and third examples would not be detected by implementations that do not regenerate the public key from the private key, or neglect to then check consistency of tr or t_0. The following is the first example: The following is the second example: The following is the third example:

Pre-hashing (ExternalMu-ML-DSA) Some applications require pre-hashing that ease operational requirements around large or inconsistently-sized payloads. When signing with pre-hashing, the signature generation process can be separated into a pre-hash step requiring only the message and other public information, and a core signature step which uses the public key. In the context of ML-DSA, pre-hashing can be performed with the HashML-DSA algorithm defined in Section 5.4 of . ML-DSA itself supports a External Mu pre-hashing mode which externalizes the message pre-hashing originally performed inside the signing operation. This mode is also laid out in . This document specifies only the use of ML-DSA's External Mu mode, and not HashML-DSA, in PKIX for reasons laid out in . Implementations of ML-DSA using the External Mu pre-hashing mode requires the following algorithms, which are modified versions of the algorithms presented in . The nomenclature used here has been modified from the NIST FAQ for clarity. Pre-hash operation:

ComputeMu prehash operation

Sign operations:

The operations for signing mu

There is no need to specify an External Mu Verify() routine because this is identical to the original ML-DSA.Verify(). This makes External Mu mode simply an internal optimization of the signer, and allows an ML-DSA key to sometimes be used with the "one-shot" Sign() API and sometimes the External Mu API without any interoperability concens. The External Mu mode requires the ComputeMu routine to have access to the hash of the signer's public key which may not be available in some architectures, or require fetching it. That may allow for mismatches between tr and sk. At worst, this will produce a signature which will fail to verify under the intended public key since a compliant Verify() routine will independently compute tr from the public key. That is not believed to be a security concern since mu is never used as-is within ML-DSA.Sign_internal() (Algorithm 7 in ). Rather, it is hashed with values unknown to an attacker on lines 7 and 15. Thus, a signing oracle exposing SignMu() does not leak any bits of the secret key. The External Mu mode also requires SHAKE256 to be available to the ComputeMu routine.

Acknowledgments The authors wish to thank the following people for their contributions to this document: Corey Bonnell, Dierdre Connolly, Viktor Dukhovni, Russ Housley, Alicja Kario, Mike Ounsworth, and Daniel Van Geest. In addition, we would like to thank those who contributed to the private key format discussion: Tony Arcieri, Bob Beck, Dmitry Belyavskiy, David Benjamin, Daniel Bernstein, Uri Blumenthal, Theo Buehler, Stephen Farrell, Jean-Pierre Fiset, Scott Fluhrer, Alex Gaynor, John Gray, Peter Gutmann, David Hook, Tim Hudson, Paul Kehrer, John Kemp, Watson Ladd, Adam Langley, John Mattsson, Damien Miller, Robert Relyea, Michael Richardson, Markku-Juhani O. Saarinen, Rich Salz, Roland Shoemaker, Sophie Schmieg, Simo Sorce, Michael St. Johns, Falko Strenzke, Filippo Valsorda, Loganaden Velvindron, Carl Wallace, and Wei-Jun Wang.