simon@josefsson.org

IRTF CFRG mothma PQ/T hybrid post quantum hybrid signature Ed25519 Ed448 EdDSA RSA ECDSA ML-DSA SLH-DSA XMSS LMS This document specify Mothma as a generic family of instantiated Post-Quantum/Traditional (PQ/T) Hybrid Digital Signatures. The goal is to provide a generic hybrid signature pattern that can be analysed separately for security assurance, and to offer concrete instantiated algorithms for integration into protocol and implementations. Identified instances are provided based on combinations of the traditional EdDSA, ECDSA and RSA methods with the post-quantum methods of ML-DSA, SLH-DSA, XMSS and LMS. Status information for this document may be found at . Discussion of this document takes place on the Crypto Forum Research Group (CFRG) Research Group mailing list (), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction To hedge against attacks on a traditional digital signature methods such as Ed25519 or a post-quantum digital signature method such as SLH-DSA , it is possible to combine both algorithms to define a combined method as a joint signature method. Using the terminology of , this combination forms a PQ/T Hybrid Digital Signature. Mothma is a generic pattern to create a PQ/T Hybrid Digital Signature methods based on at least one post-quantum algorithm and at least one traditional algorithm. The idea is that Mothma can be analyzed generally and some assurance can be had that it behaves well. For ease of presentation, this document combine one traditional algorithm with one post-quantum algorithm. While a naive approach would be to integrate a generic Mothma combiner into protocols and have the protocol and implementation negotiate parameters, that leads to complexity detrimental to security. Therefor this document describe specific instances of Mothma applied on selected algorithms. Mothma is based on the hybrid signature scheme suggested in . We initially suggest Mothma as combinations of traditional EdDSA, ECDSA and RSA methods with the post-quantum methods of ML-DSA, SLH-DSA, XMSS and LMS. Other combinations may be added following the same generic pattern, and may be proposed for addition to this document.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Mothma Mothma is defined as follows:

The hash function SHA3-256 is defined in . Using H(hybridpk) instead of hybridpk makes clear that H(hybridpk) can be saved alongside hybridpk, guaranteeing that the key is hashed only once when it's generated or received. Here the fresh randomness MUST be 16 bytes, and only to be used for one signature. The 'hybridsigname' value is specified by each instantiated variant, whereas the 'appname' and 'appcontext' will come from the application using Mothma. These are 0-255 octet long strings, and when text values are put into these fields the encoding is ASCII . The signed message (s2,s1,r,h,m) is the concatenation of its values. The signature SHOULD NOT be detached from its corresponding message 'm' because this leads to fragile implementation, although we recognize that Mothma variants MAY be integrated into existing legacy protocols this way. Verification is done by confirming that the value of 'h' and invoking the verify functions for the traditional and post-quantum system using the received values as follows, and taking the logical AND of their verification outputs.

Naming Protocols wishing to utilize PQ/T Hybrid Signatures described in this document MUST refer to one of the derived instantiated algorithm identifiers and MUST NOT adopt a generic facility where the individual algorithms are parameters. The convention for identifiers is "Mothma-TSIG-PQSIG" replacing "TSIG" and "PQSIG" with a brief mnemonic identifying the traditional and post-quantum algorithm respectively.

EdDSA EdDSA is a digital signature system, with variants Ed25519 and Ed448. This protocol always uses the 'pure' version of EdDSA. The Ed448 'context' input MUST be the Mothma name, e.g., "Mothma-Ed25519-ML-DSA-65".

ECDSA ECDSA is a digital signature system, with variants for the P256, P384 and P521 curves, and the Brainpool curves brainpoolP256r1, brainpoolP384r1, and brainpoolP512r1. This protocol always uses the 'pure' version of ECDSA.

RSA RSA is a digital signature system, with two variants RSASSA-PSS and RSASSA-PKCS1-v1_5. This document do not define any Mothma RSA variants, pending a decision on how to map its arbitrary public key and signature output sizes into Mothma's fixed-size approach, and pending interest from anyone who desire to use RSA for PQ/T hybrid signatures.

ML-DSA CRYSTALS-Dilithium is a post-quantum digital signature system, standardized in as Module-Lattice-Based Digital Signature Standard (ML-DSA). This protocol always uses the 'pure' version of ML-DSA (where ML-DSA signs the message), and not the 'prehashed' variant (where ML-DSA signs a previously hashed message). ML-DSA may be used in deterministic or hedged mode. The ML-DSA 'context' input MUST be the Mothma name, e.g., "Mothma-Ed25519-ML-DSA-65".

SLH-DSA Sphincs+ is a stateless hash-based digital signature system, standardized in as Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). The SLH-DSA 'context' input MUST be the Mothma name, e.g., "Mothma-Ed25519-ML-DSA-65".

XMSS & LMS XMSS and LMS are stateful hash-based digital signature systems, discussed in as Recommendation for Stateful Hash-Based Signature Schemes.

Mothma variants

Mothma-Ed25519-ML-DSA-65 The 'hybridsigname' field is "Mothma-Ed25519-ML-DSA-65". The ML-DSA-65 signature 's2' is 3309 octets, the Ed25519 signature 's1' is 64 octets, 'r' is 16 octets, 'h' is 32 octets, therefor the signature size is 3421 octets plus the message itself.

Mothma-Ed25519-SLH-DSA-SHAKE-128S, Mothma-Ed25519-SLH-DSA-SHAKE-128F, Mothma-Ed448-SLH-DSA-SHAKE-256S, Mothma-Ed448-SLH-DSA-SHAKE-256F The following table describe the mapping from Mothma name to the EdDSA and SLH-DSA variant used. Mothma variant EdDSA variant SLH-DSA variant Mothma-Ed25519-SLH-DSA-SHAKE-128S Ed25519 SLH-DSA-SHAKE-128S Mothma-Ed25519-SLH-DSA-SHAKE-128F Ed25519 SLH-DSA-SHAKE-128F Mothma-Ed448-SLH-DSA-SHAKE-256S Ed448 SLH-DSA-SHAKE-256S Mothma-Ed448-SLH-DSA-SHAKE-256F Ed448 SLH-DSA-SHAKE-256F The 'hybridsigname' field to use is as follows. Mothma variant hybridsigname Mothma-Ed25519-SLH-DSA-SHAKE-128S "Mothma-Ed25519-SLH-DSA-SHAKE-128S" Mothma-Ed25519-SLH-DSA-SHAKE-256F "Mothma-Ed25519-SLH-DSA-SHAKE-128F" Mothma-Ed448-SLH-DSA-SHAKE-256S "Mothma-Ed448-SLH-DSA-SHAKE-256S" Mothma-Ed448-SLH-DSA-SHAKE-256F "Mothma-Ed448-SLH-DSA-SHAKE-256F"

Mothma-ECDSA-P256-ML-DSA-44, Mothma-ECDSA-P384-ML-DSA-65, Mothma-ECDSA-P521-ML-DSA-87

Mothma-ECDSA-brainpoolP256r1-ML-DSA-44, Mothma-ECDSA-brainpoolP384r1-ML-DSA-65, Mothma-ECDSA-brainpoolP521-ML-DSA-87

Mothma-Ed25519-XMSS-SHA2_10_256, Mothma-Ed448-XMSS-SHA2_20_256

Mothma-Ed25519-LMS_SHA256_M32_H5, Mothma-Ed448-LMS_SHA256_M32_H25

Acknowledgments The method was suggested by . This document re-use ideas and some text from .

IANA Considerations None.

Security Considerations The security considerations of all references apply. The intention is that Mothma hybrid signatures should be secure if at least one of the traditional and post-quantum algorithms is secure. Cryptographic algorithms and parameters are usually broken or weakened over time. Implementers and users need to continously re-evaluate that cryptographic algorithms continue to provide the expected level of security.

This memo proposes several elliptic curve domain parameters over finite prime fields for use in cryptographic applications. The domain parameters are consistent with the relevant international standards, and can be used in X.509 certificates and certificate revocation lists (CRLs), for Internet Key Exchange (IKE), Transport Layer Security (TLS), XML signatures, and all applications or protocols based on the cryptographic message syntax (CMS). This document is not an Internet Standards Track specification; it is published for informational purposes. This document provides recommendations for the implementation of public-key cryptography based on the RSA algorithm, covering cryptographic primitives, encryption schemes, signature schemes with appendix, and ASN.1 syntax for representing keys and for identifying the schemes. This document represents a republication of PKCS #1 v2.2 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF. This document also obsoletes RFC 3447. This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided. This note describes the eXtended Merkle Signature Scheme (XMSS), a hash-based digital signature system that is based on existing descriptions in scientific literature. This note specifies Winternitz One-Time Signature Plus (WOTS+), a one-time signature scheme; XMSS, a single-tree scheme; and XMSS^MT, a multi-tree variant of XMSS. Both XMSS and XMSS^MT use WOTS+ as a main building block. XMSS provides cryptographic digital signatures without relying on the conjectured hardness of mathematical problems. Instead, it is proven that it only relies on the properties of cryptographic hash functions. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. It is suitable for compact implementations, is relatively simple to implement, and naturally resists side-channel attacks. Unlike most other signature systems, hash-based signatures can so far withstand known attacks using quantum computers. This note describes a digital-signature system based on cryptographic hash functions, following the seminal work in this area of Lamport, Diffie, Winternitz, and Merkle, as adapted by Leighton and Micali in 1995. It specifies a one-time signature scheme and a general signature scheme. These systems provide asymmetric authentication without using large integer mathematics and can achieve a high security level. They are suitable for compact implementations, are relatively simple to implement, and are naturally resistant to side-channel attacks. Unlike many other signature systems, hash-based signatures would still be secure even if it proves feasible for an attacker to build a quantum computer. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. This has been reviewed by many researchers, both in the research group and outside of it. The Acknowledgements section lists many of them. National Institute of Standards and Technology

US Gaithersburg

National Institute of Standards and Technology Information Technology Laboratory National Institute of Standards and Technology

US Gaithersburg

In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory National Institute of Standards and Technology

US Gaithersburg

This recommendation specifies two algorithms that can be used to generate a digital signature, both of which are stateful hash-based signature schemes: the Leighton-Micali Signature (LMS) system and the eXtended Merkle Signature Scheme (XMSS), along with their multi-tree variants, the Hierarchical Signature System (HSS) and multi-tree XMSS (XMSSMT). One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations. This document specify Chempat as a generic family of instantiated Post-Quantum/Traditional (PQ/T) Hybrid Key Exchange Methods (KEMs). The goal is to provide a generic combiner construct that can be analysed separately for security assurance, and to offer concrete instantiated algorithms for integration into protocol and implementations. Identified instances are provided based on some combinations of traditional Diffie-Hellman key agreement using curves P-256, P-384, X25519, X448, brainpoolP256, brainpoolP384 and brainpoolP512 combined with post quantum methods ML-KEM-768, ML-KEM- 1024, Streamlined NTRU Prime sntrup761, Classic McEliece and FrodoKEM. CRYSTALS Team SPHINCS+ Team