rfc9882v1.txt | rfc9882.txt | |||
---|---|---|---|---|
skipping to change at line 74 ¶ | skipping to change at line 74 ¶ | |||
7.1. Normative References | 7.1. Normative References | |||
7.2. Informative References | 7.2. Informative References | |||
Appendix A. ASN.1 Module | Appendix A. ASN.1 Module | |||
Appendix B. Examples | Appendix B. Examples | |||
Acknowledgments | Acknowledgments | |||
Authors' Addresses | Authors' Addresses | |||
1. Introduction | 1. Introduction | |||
The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a | The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a | |||
digital signature algorithm standardised by the US National Institute | post-quantum digital signature algorithm standardised by the US | |||
of Standards and Technology (NIST) as part of their post-quantum | National Institute of Standards and Technology (NIST) as part of | |||
cryptography standardisation process. It is intended to be secure | their post-quantum cryptography standardisation process. It offers | |||
against both "traditional" cryptographic attacks, as well as attacks | smaller signatures and significantly faster runtimes than SLH-DSA | |||
utilising a quantum computer. It offers smaller signatures and | [FIPS205], an alternative post-quantum signature algorithm also | |||
significantly faster runtimes than SLH-DSA [FIPS205], an alternative | standardised by NIST. This document specifies the use of the ML-DSA | |||
post-quantum signature algorithm also standardised by NIST. This | in the CMS at three security levels: ML-DSA-44, ML-DSA-65, and ML- | |||
document specifies the use of the ML-DSA in the CMS at three security | DSA-87. See Appendix B of [RFC9881] for more information on the | |||
levels: ML-DSA-44, ML-DSA-65, and ML-DSA-87. See Appendix B of | security levels and key sizes of ML-DSA. | |||
[RFC9881] for more information on the security levels and key sizes | ||||
of ML-DSA. | ||||
Prior to standardisation, ML-DSA was known as Dilithium. ML-DSA and | Prior to standardisation, ML-DSA was known as Dilithium. ML-DSA and | |||
Dilithium are not compatible. | Dilithium are not compatible. | |||
For each of the ML-DSA parameter sets, an algorithm identifier OID | For each of the ML-DSA parameter sets, an algorithm identifier OID | |||
has been specified. | has been specified. | |||
[FIPS204] also specifies a pre-hashed variant of ML-DSA, called | [FIPS204] also specifies a pre-hashed variant of ML-DSA, called | |||
HashML-DSA. Use of HashML-DSA in the CMS is not specified in this | HashML-DSA. Use of HashML-DSA in the CMS is not specified in this | |||
document. See Section 3.1 for more details. | document. See Section 3.1 for more details. | |||
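Review bot: the explicit security claim in the left column ("intended to be secure against both 'traditional' cryptographic attacks, as well as attacks utilising a quantum computer") is dropped from the right column, and only the qualifier "post-quantum" in the first sentence remains. "Post-quantum" states the quantum-resistance goal but not the classical-security goal, and this sentence was the only place in the Introduction that stated both; consider keeping a short sentence after the first sentence of the new text, such as "It is intended to be secure against both classical and quantum attackers", so the security target stays explicit. The remainder of the hunk is a reflow, with the SLH-DSA [FIPS205] comparison, the three parameter sets (ML-DSA-44, ML-DSA-65, ML-DSA-87) and the [RFC9881] pointer unchanged.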
skipping to change at line 357 ¶ | skipping to change at line 355 ¶ | |||
DSA's internal functions. Implementers SHOULD consider implementing | DSA's internal functions. Implementers SHOULD consider implementing | |||
such protection measures if it would be beneficial for their | such protection measures if it would be beneficial for their | |||
particular use cases. | particular use cases. | |||
To avoid algorithm substitution attacks, the CMSAlgorithmProtection | To avoid algorithm substitution attacks, the CMSAlgorithmProtection | |||
attribute defined in [RFC6211] SHOULD be included in signed | attribute defined in [RFC6211] SHOULD be included in signed | |||
attributes. | attributes. | |||
5. Operational Considerations | 5. Operational Considerations | |||
If ML-DSA signing is implemented in a hardware device such as the | If ML-DSA signing is implemented in a hardware device such as a | |||
hardware security module (HSM) or portable cryptographic token, | hardware security module (HSM) or a portable cryptographic token, | |||
implementers might want to avoid sending the full content to the | implementers might want to avoid sending the full content to the | |||
device for performance reasons. By including signed attributes, | device for performance reasons. By including signed attributes, | |||
which necessarily includes the message-digest attribute and the | which necessarily includes the message-digest attribute and the | |||
content-type attribute as described in Section 5.3 of [RFC5652], the | content-type attribute as described in Section 5.3 of [RFC5652], the | |||
much smaller set of signed attributes are sent to the device for | much smaller set of signed attributes are sent to the device for | |||
signing. | signing. | |||
Additionally, the pure variant of ML-DSA does support a form of pre- | Additionally, the pure variant of ML-DSA does support a form of pre- | |||
hash via external calculation of the "μ" (GREEK SMALL LETTER MU, | hash via external calculation of the "μ" (GREEK SMALL LETTER MU, | |||
U+03BC) "message representative" value described in Section 6.2 of | U+03BC) "message representative" value described in Section 6.2 of | |||
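Review bot: two agreement errors in the Operational Considerations paragraph survive unchanged in both columns even though this hunk already edits the first sentence (the articles in "a hardware security module (HSM) or a portable cryptographic token"): "signed attributes, which necessarily includes the message-digest attribute and the content-type attribute" should read "which necessarily include", and "the much smaller set of signed attributes are sent to the device for signing" should read "is sent". Since the same editorial pass is touching this sentence group, correcting both here would avoid a further erratum.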
skipping to change at line 381 ¶ | skipping to change at line 379 ¶ | |||
than requiring the entire message to be transmitted. Appendix D of | than requiring the entire message to be transmitted. Appendix D of | |||
[RFC9881] describes use of external μ calculations in further detail. | [RFC9881] describes use of external μ calculations in further detail. | |||
6. IANA Considerations | 6. IANA Considerations | |||
For the ASN.1 module in Appendix A, IANA has assigned the following | For the ASN.1 module in Appendix A, IANA has assigned the following | |||
object identifier in the "SMI Security for S/MIME Module Identifier | object identifier in the "SMI Security for S/MIME Module Identifier | |||
(1.2.840.113549.1.9.16.0)" registry: | (1.2.840.113549.1.9.16.0)" registry: | |||
+=========+====================+===========+ | +=========+====================+===========+ | |||
| Decimal | Description | Refernece | | | Decimal | Description | Reference | | |||
+=========+====================+===========+ | +=========+====================+===========+ | |||
| 83 | id-mod-ml-dsa-2024 | RFC 9882 | | | 83 | id-mod-ml-dsa-2024 | RFC 9882 | | |||
+---------+--------------------+-----------+ | +---------+--------------------+-----------+ | |||
Table 3 | Table 3: Object Identifier Assignments | |||
7. References | 7. References | |||
7.1. Normative References | 7.1. Normative References | |||
[CSOR] NIST, "Computer Security Objects Register (CSOR)", 13 June | [CSOR] NIST, "Computer Security Objects Register (CSOR)", 13 June | |||
2025, <https://csrc.nist.gov/projects/computer-security- | 2025, <https://csrc.nist.gov/projects/computer-security- | |||
objects-register/algorithm-registration>. | objects-register/algorithm-registration>. | |||
[FIPS204] NIST, "Module-Lattice-Based Digital Signature Standard", | [FIPS204] NIST, "Module-Lattice-Based Digital Signature Standard", | |||
End of changes. 4 change blocks. | ||||
15 lines changed or deleted | 13 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |