diff --git a/Composite-MLDSA-2024.asn b/Composite-MLDSA-2024.asn
new file mode 100644
index 0000000..2fc4a30
--- /dev/null
+++ b/Composite-MLDSA-2024.asn
@@ -0,0 +1,349 @@
+Composite-MLDSA-2024
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-composite-mldsa(TBDMOD) }
+
+
+DEFINITIONS IMPLICIT TAGS ::= BEGIN
+
+EXPORTS ALL;
+
+IMPORTS
+ PUBLIC-KEY, SIGNATURE-ALGORITHM, AlgorithmIdentifier{}
+ FROM AlgorithmInformation-2009 -- RFC 5912 [X509ASN1]
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-algorithmInformation-02(58) }
+
+ SubjectPublicKeyInfo
+ FROM PKIX1Explicit-2009
+ { iso(1) identified-organization(3) dod(6) internet(1)
+ security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-explicit-02(51) }
+
+ OneAsymmetricKey
+ FROM AsymmetricKeyPackageModuleV1
+ { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+ pkcs-9(9) smime(16) modules(0)
+ id-mod-asymmetricKeyPkgV1(50) }
+
+ RSAPublicKey, ECPoint
+ FROM PKIXAlgs-2009
+ { iso(1) identified-organization(3) dod(6)
+ internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
+ id-mod-pkix1-algorithms2008-02(56) }
+
+ sa-rsaSSA-PSS
+ FROM PKIX1-PSS-OAEP-Algorithms-2009
+ {iso(1) identified-organization(3) dod(6) internet(1) security(5)
+ mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)}
+
+;
+
+--
+-- Object Identifiers
+--
+
+-- Defined in ITU-T X.690
+der OBJECT IDENTIFIER ::=
+ {joint-iso-itu-t asn1(1) ber-derived(2) distinguished-encoding(1)}
+
+
+-- Just for testing, to be assigned by IANA
+id-raw-key OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) raw(999) 1 }
+
+
+--
+-- Signature Algorithm
+--
+
+
+--
+-- Composite Signature basic structures
+--
+
+CompositeSignaturePublicKey ::= SEQUENCE SIZE (2) OF BIT STRING
+
+CompositeSignaturePublicKeyOs ::= OCTET STRING (CONTAINING
+ CompositeSignaturePublicKey ENCODED BY der)
+
+CompositeSignaturePublicKeyBs ::= BIT STRING (CONTAINING
+ CompositeSignaturePublicKey ENCODED BY der)
+
+CompositeSignaturePrivateKey ::= SEQUENCE SIZE (2) OF OneAsymmetricKey
+
+CompositeSignatureValue ::= SEQUENCE SIZE (2) OF BIT STRING
+
+RsaCompositeSignaturePublicKey ::= SEQUENCE {
+ firstPublicKey BIT STRING (ENCODED BY id-raw-key),
+ secondPublicKey BIT STRING (CONTAINING RSAPublicKey)
+ }
+
+EcCompositeSignaturePublicKey ::= SEQUENCE {
+ firstPublicKey BIT STRING (ENCODED BY id-raw-key),
+ secondPublicKey BIT STRING (CONTAINING ECPoint)
+ }
+
+EdCompositeSignaturePublicKey ::= SEQUENCE {
+ firstPublicKey BIT STRING (ENCODED BY id-raw-key),
+ secondPublicKey BIT STRING (ENCODED BY id-raw-key)
+ }
+
+-- Composite Signature Value is just a sequence of OCTET STRINGS
+
+-- CompositeSignaturePair{FirstSignatureValue, SecondSignatureValue} ::=
+-- SEQUENCE {
+-- signaturevalue1 FirstSignatureValue,
+-- signaturevalue2 SecondSignatureValue }
+
+-- An Explicit Compsite Signature is a set of Signatures which
+-- are composed of OCTET STRINGS
+-- ExplicitCompositeSignatureValue ::= CompositeSignaturePair {
+-- OCTET STRING,OCTET STRING}
+
+
+--
+-- Information Object Classes
+--
+
+pk-CompositeSignature {OBJECT IDENTIFIER:id, PublicKeyType}
+ PUBLIC-KEY ::= {
+ IDENTIFIER id
+ KEY PublicKeyType
+ PARAMS ARE absent
+ CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign}
+ }
+
+sa-CompositeSignature{OBJECT IDENTIFIER:id,
+ PUBLIC-KEY:publicKeyType }
+ SIGNATURE-ALGORITHM ::= {
+ IDENTIFIER id
+ VALUE CompositeSignatureValue
+ PARAMS ARE absent
+ PUBLIC-KEYS {publicKeyType}
+ }
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA44-RSA2048-PSS-SHA256 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 21 }
+
+pk-MLDSA44-RSA2048-PSS-SHA256 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA44-RSA2048-PSS-SHA256,
+ RsaCompositeSignaturePublicKey}
+
+sa-MLDSA44-RSA2048-PSS-SHA256 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA44-RSA2048-PSS-SHA256,
+ pk-MLDSA44-RSA2048-PSS-SHA256 }
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA44-RSA2048-PKCS15-SHA256 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 22 }
+
+pk-MLDSA44-RSA2048-PKCS15-SHA256 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA44-RSA2048-PKCS15-SHA256,
+ RsaCompositeSignaturePublicKey}
+
+sa-MLDSA44-RSA2048-PKCS15-SHA256 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA44-RSA2048-PKCS15-SHA256,
+ pk-MLDSA44-RSA2048-PKCS15-SHA256 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA44-Ed25519-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 23 }
+
+pk-MLDSA44-Ed25519-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA44-Ed25519-SHA512,
+ EdCompositeSignaturePublicKey}
+
+sa-MLDSA44-Ed25519-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA44-Ed25519-SHA512,
+ pk-MLDSA44-Ed25519-SHA512 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA44-ECDSA-P256-SHA256 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 24 }
+
+pk-MLDSA44-ECDSA-P256-SHA256 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA44-ECDSA-P256-SHA256,
+ EcCompositeSignaturePublicKey}
+
+sa-MLDSA44-ECDSA-P256-SHA256 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA44-ECDSA-P256-SHA256,
+ pk-MLDSA44-ECDSA-P256-SHA256 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 25 }
+
+pk-MLDSA44-ECDSA-brainpoolP256r1-SHA256 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA44-ECDSA-brainpoolP256r1-SHA256,
+ EcCompositeSignaturePublicKey}
+
+sa-MLDSA44-ECDSA-brainpoolP256r1-SHA256 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA44-ECDSA-brainpoolP256r1-SHA256,
+ pk-MLDSA44-ECDSA-brainpoolP256r1-SHA256 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-RSA3072-PSS-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 26 }
+
+pk-MLDSA65-RSA3072-PSS-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA65-RSA3072-PSS-SHA512,
+ RsaCompositeSignaturePublicKey}
+
+sa-MLDSA65-RSA3072-PSS-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA65-RSA3072-PSS-SHA512,
+ pk-MLDSA65-RSA3072-PSS-SHA512 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-RSA3072-PKCS15-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 27 }
+
+pk-MLDSA65-RSA3072-PKCS15-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA65-RSA3072-PKCS15-SHA512,
+ RsaCompositeSignaturePublicKey}
+
+sa-MLDSA65-RSA3072-PKCS15-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA65-RSA3072-PKCS15-SHA512,
+ pk-MLDSA65-RSA3072-PKCS15-SHA512 }
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-RSA4096-PSS-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 34 }
+
+pk-MLDSA65-RSA4096-PSS-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA65-RSA4096-PSS-SHA512,
+ RsaCompositeSignaturePublicKey}
+
+sa-MLDSA65-RSA4096-PSS-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA65-RSA4096-PSS-SHA512,
+ pk-MLDSA65-RSA4096-PSS-SHA512 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-RSA4096-PKCS15-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 35 }
+
+pk-MLDSA65-RSA4096-PKCS15-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA65-RSA4096-PKCS15-SHA512,
+ RsaCompositeSignaturePublicKey}
+
+sa-MLDSA65-RSA4096-PKCS15-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA65-RSA4096-PKCS15-SHA512,
+ pk-MLDSA65-RSA4096-PKCS15-SHA512 }
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-ECDSA-P256-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 28 }
+
+pk-MLDSA65-ECDSA-P256-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA65-ECDSA-P256-SHA512,
+ EcCompositeSignaturePublicKey}
+
+sa-MLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA65-ECDSA-P256-SHA512,
+ pk-MLDSA65-ECDSA-P256-SHA512 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 29 }
+
+pk-MLDSA65-ECDSA-brainpoolP256r1-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA65-ECDSA-brainpoolP256r1-SHA512,
+ EcCompositeSignaturePublicKey}
+
+sa-MLDSA65-ECDSA-brainpoolP256r1-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA65-ECDSA-brainpoolP256r1-SHA512,
+ pk-MLDSA65-ECDSA-brainpoolP256r1-SHA512 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-Ed25519-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 30 }
+
+pk-MLDSA65-Ed25519-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA65-Ed25519-SHA512,
+ EdCompositeSignaturePublicKey}
+
+sa-MLDSA65-Ed25519-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA65-Ed25519-SHA512,
+ pk-MLDSA65-Ed25519-SHA512 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA87-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 31 }
+
+pk-MLDSA87-ECDSA-P384-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA87-ECDSA-P384-SHA512,
+ EcCompositeSignaturePublicKey}
+
+sa-MLDSA87-ECDSA-P384-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA87-ECDSA-P384-SHA512,
+ pk-MLDSA87-ECDSA-P384-SHA512 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA87-ECDSA-brainpoolP384r1-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 32 }
+
+pk-MLDSA87-ECDSA-brainpoolP384r1-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA87-ECDSA-brainpoolP384r1-SHA512,
+ EcCompositeSignaturePublicKey}
+
+sa-MLDSA87-ECDSA-brainpoolP384r1-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA87-ECDSA-brainpoolP384r1-SHA512,
+ pk-MLDSA87-ECDSA-brainpoolP384r1-SHA512 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA87-Ed448-SHA512 OBJECT IDENTIFIER ::= {
+ joint-iso-itu-t(2) country(16) us(840) organization(1)
+ entrust(114027) algorithm(80) composite(8) signature(1) 33 }
+
+pk-MLDSA87-Ed448-SHA512 PUBLIC-KEY ::=
+ pk-CompositeSignature{ id-MLDSA87-Ed448-SHA512,
+ EdCompositeSignaturePublicKey}
+
+sa-MLDSA87-Ed448-SHA512 SIGNATURE-ALGORITHM ::=
+ sa-CompositeSignature{
+ id-MLDSA87-Ed448-SHA512,
+ pk-MLDSA87-Ed448-SHA512 }
+
+END
diff --git a/Composite-Signatures-2023.asn b/Composite-Signatures-2023.asn
deleted file mode 100644
index d24fc97..0000000
--- a/Composite-Signatures-2023.asn
+++ /dev/null
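Review bot: The three typed key SEQUENCEs in this module (RsaCompositeSignaturePublicKey, EcCompositeSignaturePublicKey, EdCompositeSignaturePublicKey) are each shared across several parameter sets — RSA-2048/3072/4096, P-256/brainpoolP256r1/P-384/brainpoolP384r1, Ed25519/Ed448 — and `firstPublicKey` is an unconstrained raw BIT STRING, so with `PARAMS ARE absent` nothing in the encoding itself binds the component key sizes or the curve; only the composite OID does. A verifier therefore has to check the ML-DSA key length, the RSA modulus size and the EC curve against the algorithm OID before using the key, or a weaker traditional component could be presented under an OID that advertises a stronger one; I would record this next to the SEQUENCE definitions as `-- No SIZE constraints here: component key sizes and curves are bound only by the composite OID; implementations MUST verify them against the OID before use.` `id-raw-key` is still the `raw(999)` arc commented "Just for testing" and needs replacing together with the other TBD OIDs before publication. The imports `SubjectPublicKeyInfo`, `AlgorithmIdentifier{}` and `sa-rsaSSA-PSS` are not referenced anywhere in the module, which works against the stated compiler-friendliness goal. The prose copy of EdCompositeSignaturePublicKey in draft-ietf-lamps-pq-composite-sigs.md in this same change reads `CONTAINING id-raw-key` where the module has `ENCODED BY id-raw-key`; the two should agree.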
@@ -1,349 +0,0 @@ - - Composite-Signatures-2023 - { joint-iso-itu-t(2) country(16) us(840) organization(1) entrust(114027) - algorithm(80) id-composite-signatures-2023 (TBDMOD) } - -DEFINITIONS IMPLICIT TAGS ::= BEGIN - -EXPORTS ALL; - -IMPORTS - PUBLIC-KEY, SIGNATURE-ALGORITHM, AlgorithmIdentifier{} - FROM AlgorithmInformation-2009 -- RFC 5912 [X509ASN1] - { iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) id-mod(0) - id-mod-algorithmInformation-02(58) } - - SubjectPublicKeyInfo - FROM PKIX1Explicit-2009 - { iso(1) identified-organization(3) dod(6) internet(1) - security(5) mechanisms(5) pkix(7) id-mod(0) - id-mod-pkix1-explicit-02(51) } - - OneAsymmetricKey - FROM AsymmetricKeyPackageModuleV1 - { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) - pkcs-9(9) smime(16) modules(0) - id-mod-asymmetricKeyPkgV1(50) } - - RSAPublicKey, ECPoint - FROM PKIXAlgs-2009 - { iso(1) identified-organization(3) dod(6) - internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-mod-pkix1-algorithms2008-02(56) } - - sa-rsaSSA-PSS - FROM PKIX1-PSS-OAEP-Algorithms-2009 - {iso(1) identified-organization(3) dod(6) internet(1) security(5) - mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-rsa-pkalgs-02(54)} - -; - --- --- Object Identifiers --- - --- Defined in ITU-T X.690 -der OBJECT IDENTIFIER ::= - {joint-iso-itu-t asn1(1) ber-derived(2) distinguished-encoding(1)} - - - - --- --- Signature Algorithm --- - - --- --- Composite Signature basic structures --- - -CompositeSignaturePublicKey ::= SEQUENCE SIZE (2) OF BIT STRING - -CompositeSignaturePublicKeyOs ::= OCTET STRING (CONTAINING - CompositeSignaturePublicKey ENCODED BY der) - -CompositeSignaturePublicKeyBs ::= BIT STRING (CONTAINING - CompositeSignaturePublicKey ENCODED BY der) - -CompositeSignaturePrivateKey ::= SEQUENCE SIZE (2) OF OneAsymmetricKey - -CompositeSignatureValue ::= SEQUENCE SIZE (2) OF BIT STRING - --- Composite Signature Value is just a sequence of OCTET STRINGS - --- 
CompositeSignaturePair{FirstSignatureValue, SecondSignatureValue}  ::= --- SEQUENCE { --- signaturevalue1 FirstSignatureValue, --- signaturevalue2 SecondSignatureValue } - - -- An Explicit Compsite Signature is a set of Signatures which - -- are composed of OCTET STRINGS --- ExplicitCompositeSignatureValue ::= CompositeSignaturePair { --- OCTET STRING,OCTET STRING} - - --- --- Information Object Classes --- - -pk-CompositeSignature {OBJECT IDENTIFIER:id, - FirstPublicKeyType,SecondPublicKeyType} - PUBLIC-KEY ::= { - IDENTIFIER id - KEY SEQUENCE { - firstPublicKey BIT STRING (CONTAINING FirstPublicKeyType), - secondPublicKey BIT STRING (CONTAINING SecondPublicKeyType) - } - PARAMS ARE absent - CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign} - } - - -sa-CompositeSignature{OBJECT IDENTIFIER:id, - PUBLIC-KEY:publicKeyType } - SIGNATURE-ALGORITHM ::= { - IDENTIFIER id - VALUE CompositeSignatureValue - PARAMS ARE absent - PUBLIC-KEYS {publicKeyType} - } - --- TODO: OID to be replaced by IANA -id-MLDSA44-RSA2048-PSS-SHA256 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 1 } - -pk-MLDSA44-RSA2048-PSS-SHA256 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA44-RSA2048-PSS-SHA256, - OCTET STRING, RSAPublicKey} - -sa-MLDSA44-RSA2048-PSS-SHA256 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA44-RSA2048-PSS-SHA256, - pk-MLDSA44-RSA2048-PSS-SHA256 } - --- TODO: OID to be replaced by IANA -id-MLDSA44-RSA2048-PKCS15-SHA256 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 2 } - -pk-MLDSA44-RSA2048-PKCS15-SHA256 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA44-RSA2048-PKCS15-SHA256, - OCTET STRING, RSAPublicKey} - -sa-MLDSA44-RSA2048-PKCS15-SHA256 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA44-RSA2048-PKCS15-SHA256, - pk-MLDSA44-RSA2048-PKCS15-SHA256 } - 
- --- TODO: OID to be replaced by IANA -id-MLDSA44-Ed25519-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 3 } - -pk-MLDSA44-Ed25519-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA44-Ed25519-SHA512, - OCTET STRING, ECPoint} - -sa-MLDSA44-Ed25519-SHA512 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA44-Ed25519-SHA512, - pk-MLDSA44-Ed25519-SHA512 } - - --- TODO: OID to be replaced by IANA -id-MLDSA44-ECDSA-P256-SHA256 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 4 } - -pk-MLDSA44-ECDSA-P256-SHA256 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA44-ECDSA-P256-SHA256, - OCTET STRING, ECPoint} - -sa-MLDSA44-ECDSA-P256-SHA256 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA44-ECDSA-P256-SHA256, - pk-MLDSA44-ECDSA-P256-SHA256 } - - --- TODO: OID to be replaced by IANA -id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 5 } - -pk-MLDSA44-ECDSA-brainpoolP256r1-SHA256 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA44-ECDSA-brainpoolP256r1-SHA256, - OCTET STRING, ECPoint} - -sa-MLDSA44-ECDSA-brainpoolP256r1-SHA256 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA44-ECDSA-brainpoolP256r1-SHA256, - pk-MLDSA44-ECDSA-brainpoolP256r1-SHA256 } - - --- TODO: OID to be replaced by IANA -id-MLDSA65-RSA3072-PSS-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 6 } - -pk-MLDSA65-RSA3072-PSS-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA65-RSA3072-PSS-SHA512, - OCTET STRING, RSAPublicKey} - -sa-MLDSA65-RSA3072-PSS-SHA512 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA65-RSA3072-PSS-SHA512, - 
pk-MLDSA65-RSA3072-PSS-SHA512 } - - --- TODO: OID to be replaced by IANA -id-MLDSA65-RSA3072-PKCS15-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 7 } - -pk-MLDSA65-RSA3072-PKCS15-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA65-RSA3072-PKCS15-SHA512, - OCTET STRING, RSAPublicKey} - -sa-MLDSA65-RSA3072-PKCS15-SHA512 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA65-RSA3072-PKCS15-SHA512, - pk-MLDSA65-RSA3072-PKCS15-SHA512 } - - --- TODO: OID to be replaced by IANA -id-MLDSA65-ECDSA-P256-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 8 } - -pk-MLDSA65-ECDSA-P256-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA65-ECDSA-P256-SHA512, - OCTET STRING, ECPoint} - -sa-MLDSA65-ECDSA-P256-SHA512 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA65-ECDSA-P256-SHA512, - pk-MLDSA65-ECDSA-P256-SHA512 } - - --- TODO: OID to be replaced by IANA -id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 9 } - -pk-id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA65-ECDSA-brainpoolP256r1-SHA512, - OCTET STRING, ECPoint} - -sa-id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA65-ECDSA-brainpoolP256r1-SHA512, - pk-id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 } - - --- TODO: OID to be replaced by IANA -id-MLDSA65-Ed25519-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 10 } - -pk-MLDSA65-Ed25519-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA65-Ed25519-SHA512, - OCTET STRING, ECPoint} - -sa-MLDSA65-Ed25519-SHA512 SIGNATURE-ALGORITHM ::= - 
sa-CompositeSignature{ - id-MLDSA65-Ed25519-SHA512, - pk-MLDSA65-Ed25519-SHA512 } - - --- TODO: OID to be replaced by IANA -id-MLDSA87-ECDSA-P384-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 11 } - -pk-MLDSA87-ECDSA-P384-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA87-ECDSA-P384-SHA512, - OCTET STRING, ECPoint} - -sa-MLDSA87-ECDSA-P384-SHA512 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA87-ECDSA-P384-SHA512, - pk-MLDSA87-ECDSA-P384-SHA512 } - - --- TODO: OID to be replaced by IANA -id-MLDSA87-ECDSA-brainpoolP384r1-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 12 } - -pk-MLDSA87-ECDSA-brainpoolP384r1-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA87-ECDSA-brainpoolP384r1-SHA512, - OCTET STRING, ECPoint} - -sa-MLDSA87-ECDSA-brainpoolP384r1-SHA512 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA87-ECDSA-brainpoolP384r1-SHA512, - pk-MLDSA87-ECDSA-brainpoolP384r1-SHA512 } - - --- TODO: OID to be replaced by IANA -id-MLDSA87-Ed448-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 13 } - -pk-MLDSA87-Ed448-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA87-Ed448-SHA512, - OCTET STRING, ECPoint} - -sa-MLDSA87-Ed448-SHA512 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-MLDSA87-Ed448-SHA512, - pk-MLDSA87-Ed448-SHA512 } - --- TODO: OID to be replaced by IANA -id-Falon512-ECDSA-P256-SHA256 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 14 } - -pk-Falon512-ECDSA-P256-SHA256 PUBLIC-KEY ::= - pk-CompositeSignature{ id-Falon512-ECDSA-P256-SHA256, - OCTET STRING, ECPoint} - -sa-Falon512-ECDSA-P256-SHA256 SIGNATURE-ALGORITHM ::= - 
sa-CompositeSignature{ - id-Falon512-ECDSA-P256-SHA256, - pk-Falon512-ECDSA-P256-SHA256 } - --- TODO: OID to be replaced by IANA -id-Falcon512-ECDSA-brainpoolP256r1-SHA256 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 15 } - -pk-Falcon512-ECDSA-brainpoolP256r1-SHA256 PUBLIC-KEY ::= - pk-CompositeSignature{ id-Falcon512-ECDSA-brainpoolP256r1-SHA256, - OCTET STRING, ECPoint} - -sa-Falcon512-ECDSA-brainpoolP256r1-SHA256 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-Falcon512-ECDSA-brainpoolP256r1-SHA256, - pk-Falcon512-ECDSA-brainpoolP256r1-SHA256 } - --- TODO: OID to be replaced by IANA -id-Falcon512-Ed25519-SHA512 OBJECT IDENTIFIER ::= { - joint-iso-itu-t(2) country(16) us(840) organization(1) - entrust(114027) algorithm(80) composite(8) signature(1) 16 } - -pk-Falcon512-Ed25519-SHA512 PUBLIC-KEY ::= - pk-CompositeSignature{ id-Falcon512-Ed25519-SHA512, - OCTET STRING, ECPoint} - -sa-Falcon512-Ed25519-SHA512 SIGNATURE-ALGORITHM ::= - sa-CompositeSignature{ - id-Falcon512-Ed25519-SHA512, - pk-Falcon512-Ed25519-SHA512 } - - -END diff --git a/draft-ietf-lamps-pq-composite-sigs.md b/draft-ietf-lamps-pq-composite-sigs.md index 1e82533..5fd0427 100644 --- a/draft-ietf-lamps-pq-composite-sigs.md +++ b/draft-ietf-lamps-pq-composite-sigs.md @@ -110,7 +110,7 @@ informative: I-D.draft-driscoll-pqt-hybrid-terminology-01: I-D.draft-vaira-pquip-pqc-use-cases-00: I-D.draft-massimo-lamps-pq-sig-certificates-00: - I-D.draft-ietf-lamps-dilithium-certificates-01: + I-D.draft-ietf-lamps-dilithium-certificates-04: Bindel2017: title: "Transitioning to a quantum-resistant public key infrastructure" target: "https://link.springer.com/chapter/10.1007/978-3-319-59879-6_22" 
@@ -153,20 +153,12 @@ This document introduces a set of signature schemes that use pairs of cryptograp --- middle -# Changes since the -01 version -* Added a "Use in CMS" section -* Removed a Falon reference from the ASN.1 document (which was a typo in reference to Falcon) -* Added SMIME-CAPS into the sa-CompositeSignature definition in the ASN.1 module -* Fixed nits and other typos -* Added PSS parameter Salt Lengths -* Changed the OID concatenation section to Domain Separators for clarity -* Accepted some edits by José Ignacio Escribano -* Expanded description for KeyGen algorithm -* Clarified the Subject Public Key Usage -* Various editorial changes - -## Changes since adoption by the lamps working group -* Changed prototype version OIDs so that standard ML-DSA may be used with composite instead of the initial public draft version + +## Changes in -03 + +* ASN.1 Module changes: + * Renamed the module from Composite-Signatures-2023 -> Composite-MLDSA-2024 + * Simplified the ASN.1 module to make it more compiler-friendly (thanks Carl!) -- should not affect wire encodings. # Introduction {#sec-intro} 
@@ -439,29 +431,47 @@ In order for signatures to be composed of multiple algorithms, we define encodin ## pk-CompositeSignature -The following ASN.1 Information Object Class is a template to be used in defining all composite Signature public key types. +The following ASN.1 structures represent a composite public key combined with an RSA and Elliptic Curve public key, respectively. + +~~~ ASN.1 +RsaCompositeSignaturePublicKey ::= SEQUENCE { + firstPublicKey BIT STRING (ENCODED BY id-raw-key), + secondPublicKey BIT STRING (CONTAINING RSAPublicKey) + } + +EcCompositeSignaturePublicKey ::= SEQUENCE { + firstPublicKey BIT STRING (ENCODED BY id-raw-key), + secondPublicKey BIT STRING (CONTAINING ECPoint) + } + +EdCompositeSignaturePublicKey ::= SEQUENCE { + firstPublicKey BIT STRING (ENCODED BY id-raw-key), + secondPublicKey BIT STRING (CONTAINING id-raw-key) + } +~~~ + +`id-raw-key` is defined by this document. + +This structure is intentionally generic in the first public key slot since ML-DSA, as defined in {{I-D.ietf-lamps-dilithium-certificates}}, does not define any ASN.1 public key structures. For use with this document, the `firstPublicKey` MUST be the BIT STRING representation of an ML-DSA key as specified in {{I-D.ietf-lamps-dilithium-certificates}}. Note that here we used BIT STRING rather than OCTET STRING so that these keys can be trivially transcoded into a SubjectPublicKeyInfo as necessary, for example when a crypto library requires this for invoking the component algorithm. The public key for Edwards curve DSA component is also encoded as a raw key. + +The following ASN.1 Information Object Class is defined to then allow for compact definitions of each composite algorithm. 
~~~ ASN.1 -pk-CompositeSignature {OBJECT IDENTIFIER:id, - FirstPublicKeyType,SecondPublicKeyType} +pk-CompositeSignature {OBJECT IDENTIFIER:id, PublicKeyType} PUBLIC-KEY ::= { IDENTIFIER id - KEY SEQUENCE { - firstPublicKey BIT STRING (CONTAINING FirstPublicKeyType), - secondPublicKey BIT STRING (CONTAINING SecondPublicKeyType) - } + KEY PublicKeyType PARAMS ARE absent CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign} } ~~~ -{: artwork-name="CompositeKeyObject-asn.1-structures"} -As an example, the public key type `pk-MLDSA65-ECDSA-P256-SHA256` is defined as: +As an example, the public key type `pk-MLDSA44-ECDSA-P256-SHA256` is defined as: ~~~ -pk-MLDSA65-ECDSA-P256-SHA256 PUBLIC-KEY ::= - pk-CompositeSignature{ id-MLDSA65-ECDSA-P256-SHA256, - OCTET STRING, ECPoint} +pk-MLDSA44-ECDSA-P256-SHA256 PUBLIC-KEY ::= + pk-CompositeSignature{ id-MLDSA44-ECDSA-P256-SHA256, + EcCompositeSignaturePublicKey} ~~~ The full set of key types defined by this specification can be found in the ASN.1 Module in {{sec-asn1-module}}. 
@@ -512,13 +522,15 @@ Many protocol specifications will require that the composite public key and comp When an octet string is required, the DER encoding of the composite data structure SHALL be used directly. ~~~ ASN.1 -CompositeSignaturePublicKeyOs ::= OCTET STRING (CONTAINING CompositeSignaturePublicKey ENCODED BY der) +CompositeSignaturePublicKeyOs ::= OCTET STRING (CONTAINING + CompositeSignaturePublicKey ENCODED BY der) ~~~ When a bit string is required, the octets of the DER encoded composite data structure SHALL be used as the bits of the bit string, with the most significant bit of the first octet becoming the first bit, and so on, ending with the least significant bit of the last octet becoming the last bit of the bit string. ~~~ ASN.1 -CompositeSignaturePublicKeyBs ::= BIT STRING (CONTAINING CompositeSignaturePublicKey ENCODED BY der) +CompositeSignaturePublicKeyBs ::= BIT STRING (CONTAINING + CompositeSignaturePublicKey ENCODED BY der) ~~~ In the interests of simplicity and avoiding compatibility issues, implementations that parse these structures MAY accept both BER and DER. @@ -557,16 +569,14 @@ nonRepudiation; The ASN.1 algorithm object for a composite signature is: ~~~ asn.1 -sa-CompositeSignature { - OBJECT IDENTIFIER:id, - PUBLIC-KEY:publicKeyType } - SIGNATURE-ALGORITHM ::= { - IDENTIFIER id - VALUE CompositeSignatureValue - PARAMS ARE absent - PUBLIC-KEYS { publicKeyType } - SMIME-CAPS { IDENTIFIED BY id } - } +sa-CompositeSignature{OBJECT IDENTIFIER:id, + PUBLIC-KEY:publicKeyType } + SIGNATURE-ALGORITHM ::= { + IDENTIFIER id + VALUE CompositeSignatureValue + PARAMS ARE absent + PUBLIC-KEYS {publicKeyType} + } ~~~ The following is an explanation how SIGNATURE-ALGORITHM elements are used 
@@ -621,6 +631,8 @@ Signature public key types: | id-MLDSA44-ECDSA-P256-SHA256 | <CompSig>.24 | id-ML-DSA-44 | ecdsa-with-SHA256 with secp256r1 | id-sha256 | | id-MLDSA65-RSA3072-PSS-SHA512 | <CompSig>.26 | id-ML-DSA-65 | id-RSASA-PSS with id-sha512 | id-sha512 | | id-MLDSA65-RSA3072-PKCS15-SHA512 | <CompSig>.27 | id-ML-DSA-65 | sha512WithRSAEncryption | id-sha512 | +| id-MLDSA65-RSA4096-PSS-SHA512 | <CompSig>.34 | id-ML-DSA-65 | id-RSASA-PSS with id-sha512 | id-sha512 | +| id-MLDSA65-RSA4096-PKCS15-SHA512 | <CompSig>.35 | id-ML-DSA-65 | sha512WithRSAEncryption | id-sha512 | | id-MLDSA65-ECDSA-P384-SHA512 | <CompSig>.28 | id-ML-DSA-65 | ecdsa-with-SHA512 with secp384r1 | id-sha512 | | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | <CompSig>.29 | id-ML-DSA-65 | ecdsa-with-SHA512 with brainpoolP256r1 | id-sha512 | | id-MLDSA65-Ed25519-SHA512 | <CompSig>.30 | id-ML-DSA-65 | id-Ed25519 | id-sha512 | @@ -646,6 +658,8 @@ As mentioned above, the OID input value is used as a domain separator for the Co | id-MLDSA44-ECDSA-P256-SHA256 |060B6086480186FA6B50080118| | id-MLDSA65-RSA3072-PSS-SHA512 |060B6086480186FA6B5008011A| | id-MLDSA65-RSA3072-PKCS15-SHA512 |060B6086480186FA6B5008011B| +| id-MLDSA65-RSA4096-PSS-SHA512 |060B6086480186FA6B50080122| +| id-MLDSA65-RSA4096-PKCS15-SHA512 |060B6086480186FA6B50080123| | id-MLDSA65-ECDSA-P384-SHA512 |060B6086480186FA6B5008011C| | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 |060B6086480186FA6B5008011D| | id-MLDSA65-Ed25519-SHA512 |060B6086480186FA6B5008011E| 
@@ -696,6 +710,24 @@ where: * `Mask Generation Function (mgf1)` is defined in [RFC8017] * `SHA-512` is defined in [RFC6234]. +## Notes on id-MLDSA65-RSA4096-PSS-SHA512 + +The RSA component keys MUST be generated at the 4096-bit security level in order to match with ML-DSA-65. + +As with the other composite signature algorithms, when `id-MLDSA65-RSA4096-PSS-SHA512` is used in an AlgorithmIdentifier, the parameters MUST be absent. `id-MLDSA65-RSA4096-PSS-SHA512` SHALL instantiate RSA-PSS with the following parameters: + +| RSA-PSS Parameter | Value | +| -------------------------- | -------------------------- | +| Mask Generation Function | mgf1 | +| Mask Generation params | SHA-512 | +| Message Digest Algorithm | SHA-512 | +| Salt Length in bits | 512 | +{: #rsa-pss-params4096 title="RSA-PSS 4096 Parameters"} + +where: + +* `Mask Generation Function (mgf1)` is defined in [RFC8017] +* `SHA-512` is defined in [RFC6234]. @@ -720,6 +752,8 @@ The following table lists the MANDATORY HASH algorithms to preserve security and | id-MLDSA44-ECDSA-P256-SHA256 | SHA256 | | id-MLDSA65-RSA3072-PSS-SHA512 | SHA512 | | id-MLDSA65-RSA3072-PKCS15-SHA512 | SHA512 | +| id-MLDSA65-RSA4096-PSS-SHA512 | SHA512 | +| id-MLDSA65-RSA4096-PKCS15-SHA512 | SHA512 | | id-MLDSA65-ECDSA-P384-SHA512 | SHA512 | | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | SHA512 | | id-MLDSA65-Ed25519-SHA512 | SHA512 | @@ -787,7 +821,7 @@ The SMIMECapability SEQUENCE representing a composite signature Algorithm MUST i -{::include Composite-Signatures-2023.asn} +{::include Composite-MLDSA-2024.asn} @@ -807,6 +841,11 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{ ### Object Identifier Registrations - SMI Security for PKIX Algorithms +- id-raw-key + - Decimal: IANA Assigned + - Description: Designates a public key BIT STRING with no ASN.1 structure. + - References: This Document + - id-MLDSA44-RSA2048-PSS-SHA256 - Decimal: IANA Assigned - Description: id-MLDSA44-RSA2048-PSS-SHA256 
@@ -837,6 +876,16 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{ - Description: id-MLDSA65-RSA3072-PKCS15-SHA512 - References: This Document +- id-MLDSA65-RSA4096-PSS-SHA512 + - Decimal: IANA Assigned + - Description: id-MLDSA65-RSA4096-PSS-SHA512 + - References: This Document + +- id-MLDSA65-RSA4096-PKCS15-SHA512 + - Decimal: IANA Assigned + - Description: id-MLDSA65-RSA4096-PKCS15-SHA512 + - References: This Document + - id-MLDSA65-ECDSA-P384-SHA512 - Decimal: IANA Assigned - Description: id-MLDSA65-ECDSA-P384-SHA512 @@ -876,7 +925,7 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{ The composite algorithm combinations defined in this document were chosen according to the following guidelines: -1. A single RSA combination is provided at a key size of 3072 bits, matched with NIST PQC Level 3 algorithms. +1. RSA combinations are provided at a key size of 2048, 3072, and 4096 bits matched with NIST PQC Level 2 and 3 algorithms. 1. Elliptic curve algorithms are provided with combinations on each of the NIST [RFC6090], Brainpool [RFC5639], and Edwards [RFC7748] curves. NIST PQC level 1 candidates are provided, matched with 256-bit elliptic curves, intended for constrained use cases. NIST levels 3 algorithms are matched with NIST 384-bit, brainpool 256-bit and and Ed25519 curves, while NIST level 5 are matched with 384-bit elliptic curves. This provides a balance between matching classical security levels of post-quantum and traditional algorithms, and also selecting elliptic curves which already have wide adoption. If other combinations are needed, a separate specification should be submitted to the IETF LAMPS working group. To ease implementation, these specifications are encouraged to follow the construction pattern of the algorithms specified in this document.