]> PQ/T Hybrid Composite Signatures for JOSE and COSE Huawei
lucas.prabel@huawei.com
Huawei
sunshuzhou@huawei.com
Security JOSE JOSE COSE PQC ML-DSA Signature Hybrid This document describes JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for PQ/T hybrid composite signatures. The composite algorithms described combine ML-DSA as the post-quantum component and ECDSA as the traditional component. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Javascript Object Signing and Encryption Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction The impact of a potential Cryptographically Relevant Quantum Computer (CRQC) on algorithms whose security is based on mathematical problems such as integer factorisation or discrete logarithms over finite fields or elliptic curves raises the need for new algorithms that are perceived to be secure against CRQC as well as classical computers. Such algorithms are called post-quantum, while algorithms based on integer factorisation or discrete logarithms are called traditional. While switching from a traditional algorithm to a post-quantum one intends to strengthen the security against an adversary possessing a quantum computer, the lack of maturing time of post-quantum algorithms compared to traditional algorithms raises uncertainty about their security. Thus, the joint use of a traditional algorithm and a post-quantum algorithm in protocols represents a solution to this problem by providing security as long as at least one of the traditional or post-quantum components remains secure. This document describes JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for hybrid composite signatures. The composite algorithms described combine ML-DSA as the post-quantum component and ECDSA as the traditional component.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document follows the terminology for post-quantum hybrid schemes defined in . This section recalls some of this terminology, but also adds other definitions used throughout the whole document: "Asymmetric Traditional Cryptographic Algorithm": An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms, elliptic curve discrete logarithms, or related mathematical problems. A related mathematical problem is one that can be solved by solving the integer factorisation, finite field discrete logarithm or elliptic curve discrete logarithm problem. Where there is little risk of confusion asymmetric traditional cryptographic algorithms can also be referred to as traditional algorithms for brevity. "Post-Quantum Algorithm": An asymmetric cryptographic algorithm that is intended to be secure against attacks using quantum computers as well as classical computers. As with all cryptography, it always remains the case that attacks, either quantum or classical, may be found against post-quantum algorithms. Therefore it should not be assumed that just because an algorithm is designed to provide post-quantum security it will not be compromised. "Component Algorithm": Each cryptographic algorithm that forms part of a cryptographic scheme. "Post-Quantum Traditional (PQ/T) Hybrid Scheme": A multi-algorithm scheme where at least one component algorithm is a post-quantum algorithm and at least one is a traditional algorithm. "PQ/T Hybrid Digital Signature": A multi-algorithm digital signature scheme made up of two or more component digital signature algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. "Composite Algorithm": An algorithm which is a sequence of two component algorithms, as defined in .
Composite Keys and Signatures Structures The structures of the composite keys and composite signatures follow the approach of . This design was chosen so that composite keys and signatures can be used as a drop-in replacement in JOSE / COSE object formats. This section gives some details about their construction.
Composite Key Structures Composite public and private keys are generated by calling the key generation functions of the two component algorithms and concatenating the keys in an order given by the registered composite algorithm. Composite Public Key <- Public Key of the 1st Algorithm || Public Key of the 2nd Algorithm and Composite Private Key <- Private Key of the 1st Algorithm || Private Key of the 2nd Algorithm For the composite algorithms described in this document (ML-DSA with ECDSA), the Key Generation process is as follows: Point compression for ECDSA is not performed for the "AKP-EC" JSON Web Key Type but can be performed for the "AKP-EC2" COSE Key Type. Both key types are defined in . In this document, as it is specified in , the ML-DSA private key is stored as a 32-byte seed, which is sufficient to generate the full expanded private key.
Composite Signature Structures Composite signatures are generated by:
  • pre-hashing the message to be signed;
  • concatenating it with a domain separator;
  • encoding the resulting message;
  • calling the two signature component algorithms on this new message;
  • concatenating the two output signatures.
For the composite algorithms described in this document (ML-DSA with ECDSA), the signature process of a message M is as follows: The domain separator is defined as the octets of the ASCII representation of the Composite Signature "alg" (algorithm) Header Parameter value. For JOSE (resp. COSE), M' is base64url-encoded (resp. binary encoded) before signature computations.
Encoding Rules In each combination, the byte streams of the keys or signatures are directly concatenated. Signature of the 1st Algorithm || Signature of the 2nd Algorithm Since all combinations presented in this document start with the ML-DSA algorithm and the key or signature sizes are fixed as defined in , it is unambiguous to encode or decode a composite key or signature. lists sizes of the three parameter sets of the ML-DSA algorithm. Sizes (in bytes) of keys and signatures of ML-DSA
  Private Key Public Key Signature Size
ML-DSA-44 2560 1312 2420
ML-DSA-65 4032 1952 3309
ML-DSA-87 4896 2592 4627
Composite Signature Algorithms The ML-DSA signature scheme supports three possible parameter sets, each of which corresponding to a specific security strength. See for more considerations on that matter. The hybrid composite schemes are described in more detail in . The traditional signature algorithm for each combination in and was chosen to match the security level of the ML-DSA post-quantum component. More precisely, NIST security levels 1-3 are matched with 256-bit curves and NIST security levels 4-5 are matched with 384-bit elliptic curves.
JOSE algorithms The following table defines a list of algorithms associated with specific PQ/T combinations to be registered in . JOSE Composite Signature Algorithms for ML-DSA
Name First Algorithm Second Algorithm Pre-Hash Description
MLDSA44-ES256 ML-DSA-44 ecdsa-with-SHA256 with secp256r1 id-sha256 Composite Signature with ML-DSA-44 and ECDSA using P-256 curve and SHA-256
MLDSA65-ES512 ML-DSA-65 ecdsa-with-SHA512 with secp256r1 id-sha512 Composite Signature with ML-DSA-65 and ECDSA using P-256 curve and SHA-512
MLDSA87-ES512 ML-DSA-87 ecdsa-with-SHA512 with secp384r1 id-sha512 Composite Signature with ML-DSA-87 and ECDSA using P-384 curve and SHA-512
Examples can be found in .
COSE algorithms The following table defines a list of algorithms associated with specific PQ/T combinations to be registered in . COSE Composite Signature Algorithms for ML-DSA
Name COSE Value First Algorithm Second Algorithm Description  
MLDSA44-ES256 TBD (request assignment -51) ML-DSA-44 ecdsa-with-SHA256 with secp256r1 id-sha256 Composite Signature with ML-DSA-44 and ECDSA using P-256 curve and SHA-256
MLDSA65-ES512 TBD (request assignment -52) ML-DSA-65 ecdsa-with-SHA512 with secp256r1 id-sha512 Composite Signature with ML-DSA-65 and ECDSA using P-256 curve and SHA-512
MLDSA87-ES512 TBD (request assignment -53) ML-DSA-87 ecdsa-with-SHA512 with secp384r1 id-sha512 Composite Signature with ML-DSA-87 and ECDSA using P-384 curve and SHA-512
Examples can be found in .
Composite Signature Key Types
JOSE Key Type This document requests the registration of the following key type in , for use in the optional JWS Header parameter "jwk". "AKP" stands for "Algorithm Key Pair" and is used in this document, as in , to express the ML-DSA public and private keys. When this key type is used, the JSON Web Key Parameter "alg" is REQUIRED. JWK key type for composite algorithm
kty Description
AKP-EC JWK key type for composite signature with ECDSA as the traditional component.
Examples can be found in .
COSE Key type This document requests the registration of the following key type in . "AKP" stands for "Algorithm Key Pair" and is used in this document, as in , to express the ML-DSA public and private keys. When this key type is used, the COSE Key Common Parameter "alg" is REQUIRED. COSE key type for composite algorithm
Name kty Description
AKP-EC2 TBD COSE key type for composite algorithm with ECDSA as the traditional component.
Examples can be found in .
Composite Signature Web Key and Key Type Parameters
JSON Web Key Parameters This document requests IANA to register the entries described in this section and summarised in the following to the JSON Web Key Parameters Registry. It also requests to add "AKP-EC" as a usable "kty" value for the parameters "crv", "x", "y" and "d". JSON AKP-EC Web Key Parameters
Parameter Name Parameter Description Used with "kty" Value(s) Parameter Information Class Change Controller Specification Document(s)
pub Public Key AKP-EC Public IETF n\a
priv Private Key AKP-EC Private IETF n\a
COSE Key Type Parameters This document requests IANA to register the entries described in this section and summarised in the following to the COSE Key Type Parameters Registry. COSE AKP-EC2 Key Parameters
Key Type Name Label CBOR Type Description
TBD (request assignment 8) crv -1 int / tstr EC identifier
TBD (request assignment 8) x -2 bstr x-coordinate
TBD (request assignment 8) y -3 bstr / bool y-coordinate
TBD (request assignment 8) d -4 bstr EC Private key
TBD (request assignment 8) pub -5 bstr Public Key
TBD (request assignment 8) priv -6 bstr Private Key
Security Considerations The security considerations of , , and also apply to this document. All security issues that are pertinent to any cryptographic application must be addressed by JWS/JWK agents. Protecting the user's private key and employing countermeasures to various attacks constitute a priority. For security properties and security issues related to the use of a hybrid signature scheme, the user can refer to . For more information about hybrid composite signature schemes and the different hybrid combinations that appear in this document, the user can read .
IANA Considerations
JOSE Algorithms The following values of the JWS "alg" (algorithm) are requested to be added to the "JSON Web Signature and Encryption Algorithms" registry. They are represented following the registration template provided in .
MLDSA44-ES256
  • Algorithm Name: MLDSA44-ES256
  • Algorithm Description: Composite Signature with ML-DSA-44 and ECDSA using P-256 curve and SHA-256
  • Algorithm Usage Location(s): alg
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): n/a
  • Algorithm Analysis Documents(s): TBD
MLDSA65-ES512
  • Algorithm Name: MLDSA65-ES512
  • Algorithm Description: Composite Signature with ML-DSA-65 and ECDSA using P-256 curve and SHA-512
  • Algorithm Usage Location(s): alg
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): n/a
  • Algorithm Analysis Documents(s): TBD
MLDSA87-ES512
  • Algorithm Name: MLDSA87-ES512
  • Algorithm Description: Composite Signature with ML-DSA-87 and ECDSA using P-384 curve and SHA-512
  • Algorithm Usage Location(s): alg
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): n/a
  • Algorithm Analysis Documents(s): TBD
JOSE Key Types IANA is requested to add the following entries to the JSON Web Key Types Registry.
AKP-EC
  • "kty" Parameter Value: AKP-EC
  • Key Type Description: Composite signature algorithm with ECDSA as the traditional component
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): n/a
JOSE Web Key Parameters IANA is requested to add the following entries to the JSON Web Key Parameters Registry.
Public Key
  • Parameter Name: pub
  • Parameter Description: Public or verification key
  • Used with "kty" Value(s): AKP-EC
  • Parameter Information Class: Public
  • Change Controller: IETF
  • Specification Document(s): n/a
Private Key
  • Parameter Name: priv
  • Parameter Description: Secret, private or signing key
  • Used with "kty" Value(s): AKP-EC
  • Parameter Information Class: Private
  • Change Controller: IETF
  • Specification Document(s): n/a
Others The key parameters registered in for use with the kty values "EC" should also be usable with the kty value "AKP-EC" defined in this document.
COSE Algorithms The following values are requested to be added to the "COSE Algorithms" registry. They are represented following the registration template provided in , .
MLDSA44-ES256
  • Name: MLDSA44-ES256
  • Value: TBD (request assignment -51)
  • Description: Composite Signature with ML-DSA-44 and ECDSA using P-256 curve and SHA-256
  • Capabilities: [kty]
  • Change Controller: IETF
  • Reference: n/a
  • Recommended: Yes
MLDSA65-ES512
  • Name: MLDSA65-ES512
  • Value: TBD (request assignment -52)
  • Description: Composite Signature with ML-DSA-65 and ECDSA using P-256 curve and SHA-512
  • Capabilities: [kty]
  • Change Controller: IETF
  • Reference: n/a
  • Recommended: Yes
MLDSA87-ES512
  • Name: MLDSA87-ES512
  • Value: TBD (request assignment -53)
  • Description: Composite Signature with ML-DSA-87 and ECDSA using P-384 curve and SHA-512
  • Capabilities: [kty]
  • Change Controller: IETF
  • Reference: n/a
  • Recommended: Yes
COSE Key Types
AKP-EC2
  • Name: AKP-EC2
  • Value: TBD (request assignment 8)
  • Description: COSE Key Type for Composite Signature Algorithm with ECDSA as the traditional component
  • Capabilities: [kty(8)]
  • Reference: n/a
COSE Key Type Parameters
Public Key
  • Key Type: TBD
  • Name: public_key
  • Label: -1
  • CBOR Type: bstr
  • Description: Public key
  • Reference: n/a
Private Key
  • Key Type: TBD
  • Name: private_key
  • Label: -2
  • CBOR Type: bstr
  • Description: Private key
  • Reference: n/a
Others The key parameters registered in for use with the kty value "EC2" should also be usable with the kty value "AKP-EC2" defined in this document.
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. JSON Web Signature (JWS) JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification. JSON Web Key (JWK) A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification. JSON Web Algorithms (JWA) This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers. JSON Object Signing and Encryption (JOSE) IANA n.d. CBOR Object Signing and Encryption (COSE) IANA n.d. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References CBOR Object Signing and Encryption (COSE): Initial Algorithms Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines a set of algorithms that can be used with the CBOR Object Signing and Encryption (COSE) protocol (RFC 9052). This document, along with RFC 9052, obsoletes RFC 8152. CBOR Object Signing and Encryption (COSE): Hash Algorithms The CBOR Object Signing and Encryption (COSE) syntax (see RFC 9052) does not define any direct methods for using hash algorithms. There are, however, circumstances where hash algorithms are used, such as indirect signatures, where the hash of one or more contents are signed, and identification of an X.509 certificate or other object by the use of a fingerprint. This document defines hash algorithms that are identified by COSE algorithm identifiers. Composite ML-DSA for use in Internet PKI Entrust Limited Entrust Limited OpenCA Labs Bundesdruckerei GmbH Cisco Systems This document introduces a set of signature schemes that use pairs of cryptographic elements such as public keys and signatures to combine their security properties. These schemes effectively mitigate risks associated with the adoption of post-quantum cryptography and are fully compatible with existing X.509, PKIX, and CMS data structures and protocols. This document defines thirteen specific pairwise combinations, namely ML-DSA Composite Schemes, that blend ML-DSA with traditional algorithms such as RSA, ECDSA, Ed25519, and Ed448. These combinations are tailored to meet security best practices and regulatory requirements. Terminology for Post-Quantum Traditional Hybrid Schemes UK National Cyber Security Centre UK National Cyber Security Centre Naval Postgraduate School One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations. Hybrid signature spectrums SandboxAQ Naval Postgraduate School SandboxAQ UK National Cyber Security Centre This document describes classification of design goals and security considerations for hybrid digital signature schemes, including proof composability, non-separability of the component signatures given a hybrid signature, backwards/forwards compatiblity, hybrid generality, and simultaneous verification. Discussion of this work is encouraged to happen on the IETF PQUIP mailing list pqc@ietf.org or on the GitHub repository which contains the draft: https://github.com/dconnolly/draft-ietf-pquip-hybrid- signature-spectrums ML-DSA for JOSE and COSE mesur.io Transmute Google IBM NXP This document describes JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for Module- Lattice-Based Digital Signature Standard (ML-DSA), which was derived from Dilithium, a Post-Quantum Cryptography (PQC) based digital signature scheme. This document does not define any new cryptography, only seralizations of existing cryptographic systems described in [FIPS-204]. Note to RFC Editor: This document should not proceed to AUTH48 until NIST completes paramater tuning and selection as a part of the PQC (https://csrc.nist.gov/projects/post-quantum-cryptography) standardization process. Module-Lattice-Based Digital Signature Standard National Institute of Standards and Technology (NIST)
Examples Will be added in later versions.