]> AWS

US jakemas@amazon.com

AWS

US kpanos@amazon.com

sn3rd

sean@sn3rd.com

Cloudflare

bas@cloudflare.com

Security Limited Additional Mechanisms for PKIX and SMIME FN-DSA Falcon Certificate X.509 PKIX Digital signatures are used within X.509 certificates and Certificate Revocation Lists (CRLs), and to sign messages. This document specifies the conventions for using, the forthcoming, FIPS 206, the Fast-Fourier Transform over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA), in Internet X.509 certificates and CRLs. The conventions for the associated signatures, subject public keys, and private key are also described. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Limited Additional Mechanisms for PKIX and SMIME Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction The Fast-Fourier Transform over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA) is a quantum-resistant digital signature scheme standardized by the US National Institute of Standards and Technology (NIST) PQC project in, the forthcoming, . This document specifies the use of the FN-DSA in Public Key Infrastructure X.509 (PKIX) certificates and Certificate Revocation Lists (CRLs) at two security levels: FN-DSA-512 and FN-DSA-1024. Prior to standardization, FN-DSA was known as Falcon. FN-DSA and Falcon are not compatible. defines two variants of FL-DSA: pure and pre-hash. Only the former is specified in this document. See for the rationale. The pure variant of FN-DSA supports the typical pre-hash flow.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Identifiers The AlgorithmIdentifier type is defined in as follows: The fields in AlgorithmIdentifier have the following meanings:

• algorithm identifies the cryptographic algorithm with an object identifier (OID).
• parameters, which are optional, are the associated parameters for the algorithm identifier in the algorithm field.

The NIST-registered OIDs are: The contents of the parameters component for each algorithm MUST be absent.

FN-DSA Signatures in PKIX FN-DSA is a lattice-based digital signature scheme based on the GPV hash-and-sign framework , instantiated over NTRU (N-th Degree Truncated Polynomial Ring Unit) lattices with Fast Fourier sampling techniques . The security is based upon the hardness of the underlying FN-DSA is the SIS (Short Integer Solution) problem over NTRU lattices. FN-DSA provides two parameter sets for the NIST PQC security categories 512 and 1024. Signatures are used in a number of different ASN.1 structures. As shown in the ASN.1 equivalent to that in below, in an X.509 certificate, a signature is encoded with an algorithm identifier in the signatureAlgorithm attribute and a signatureValue attribute that contains the actual signature. Signatures are also used in the CRL list ASN.1, the representation below is equivalent to that in . In an X.509 CRL, a signature is encoded with an algorithm identifier in the signatureAlgorithm attribute and a signatureValue attribute that contains the actual signature. The following SIGNATURE-ALGORITHM ASN.1 classes are for FN-DSA-512 and FN-DSA-1024: The identifiers defined in can be used as the AlgorithmIdentifier in the signatureAlgorithm field in the sequence Certificate/CertificateList and the signature field in the sequence TBSCertificate/TBSCertList in certificates and CRLs, respectively, . The parameters of these signature algorithms MUST be absent, as explained in . That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID id-fn-dsa-*, where * is 512 or 1024 -- see . The signatureValue field contains the corresponding FN-DSA signature computed upon the ASN.1 DER-encoded TBSCertificate/TBSCertList . The optional context string (ctx) parameter as defined in Section X of is left to its default value: the empty string. Conforming Certification Authority (CA) implementations MUST specify the algorithms explicitly by using the OIDs specified in when encoding FN-DSA signatures in certificates and CRLs. Conforming client implementations that process certificates and CRLs using FN-DSA MUST recognize the corresponding OIDs. Encoding rules for FN-DSA signature values are specified in .

FN-DSA Public Keys in PKIX In the X.509 certificate, the subjectPublicKeyInfo field has the SubjectPublicKeyInfo type, which has the following ASN.1 syntax: The fields in SubjectPublicKeyInfo have the following meaning:

• algorithm is the algorithm identifier and parameters for the public key (see above).
• subjectPublicKey contains the public key.

Section XX of defines the raw byte string encoding of an FN-DSA public key. When used in a SubjectPublicKeyInfo type, the subjectPublicKey BIT STRING contains this raw byte string encoding of the public key. When an FN-DSA public key appears outside of a SubjectPublicKeyInfo type in an environment that uses ASN.1 encoding, it could be encoded as an OCTET STRING by using the FN-DSA-512-PublicKey and FN-DSA-1024-PublicKey types corresponding to the correct key size defined below. The PUBLIC-KEY ASN.1 types for FN-DSA are defined here: specifies the Asymmetric Key Package's OneAsymmetricKey type for encoding asymmetric keypairs. When an FN-DSA private key or keypair is encoded as a OneAsymmetricKey, it follows the description in . When the FN-DSA private key appears outside of an Asymmetric Key Package in an environment that uses ASN.1 encoding, it can be encoded using FN-DSA-PrivateKey. contains example FN-DSA public keys encoded using the textual encoding defined in .

Key Usage Bits The intended application for the key is indicated in the keyUsage certificate extension; see . If the keyUsage extension is present in a certificate that includes id-fn-dsa-* (where * is 512 or 1024 -- see ) in the SubjectPublicKeyInfo, then the subject public key can only be used for verifying digital signatures on certificates or CRLs, or those used in an entity authentication service, a data origin authentication service, an integrity service, and/or a non-repudiation service that protects against the signing entity falsely denying some action. This means that the keyUsage extension MUST have at least one of the following bits set:

• digitalSignature
• nonRepudiation
• keyCertSign
• cRLSign

FN-DSA subject public keys cannot be used to establish keys or encrypt data, so the keyUsage extension MUST NOT have any of following bits set:

• keyEncipherment
• dataEncipherment
• keyAgreement
• encipherOnly
• decipherOnly

Requirements about the keyUsage extension bits defined in still apply.

Private Key Format specifies an FN-DSA private key as a 32-octet seed (ξ) (GREEK SMALL LETTER XI, U+03BE). "Asymmetric Key Packages" specifies how to encode a private key in a structure that both identifies what algorithm the private key is for and allows for the public key and additional attributes about the key to be included as well. For illustration, the ASN.1 structure OneAsymmetricKey is replicated below. For FN-DSA private keys, the privateKey field in OneAsymmetricKey contains raw octet string encoding of the 32-octet seed. contains example FN-DSA private keys encoded using the textual encoding defined in .

IANA Considerations For the ASN.1 module in , IANA [is requested/has assigned] the following object identifier (OID) in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0): Object Identifier Assignments

Decimal	Description	Reference
TBD	id-mod-x509-fn-dsa-2026	This RFC

Operational Considerations

Rationale for Disallowing HashFN-DSA The HashFN-DSA mode defined in Section X.X of MUST NOT be used; in other words, public keys identified by id-hash-fn-dsa-512-with-sha512 and id-hash-fn-dsa-1024-with-sha512 MUST NOT be in X.509 certificates used for CRLs, OCSP, certificate issuance, and related PKIX protocols. This restriction is primarily to increase interoperability. FN-DSA and HashFN-DSA are incompatible algorithms that require different Verify() routines. This introduces the complexity of informing the verifier whether to use FN-DSA.Verify() or HashFN-DSA.Verify(). Additionally, since the same OIDs are used to identify the FN-DSA public keys and FN-DSA signature algorithms, an implementation would need to commit a given public key to be either of type FN-DSA or HashFN-DSA at the time of certificate creation. This is anticipated to cause operational issues in contexts where the operator does not know whether the key will need to produce pure or pre-hashed signatures at key-generation time.

Security Considerations The Security Considerations section of applies to this specification as well. The FN-DSA signature scheme is unforgeable under chosen message attacks (EUF-CMA). For the purpose of estimating security strength, it has been assumed that the attacker has access to signatures for no more than 2^{XX} chosen messages. FN-DSA depends on high quality random numbers that are suitable for use in cryptography. The use of inadequate pseudo-random number generators (PRNGs) to generate such values can significantly undermine various security properties. For instance, using an inadequate PRNG for key generation, might allow an attacker to efficiently recover the private key by trying a small set of possibilities, rather than brute force search the whole keyspace. The generation of random numbers of a sufficient level of quality for use in cryptography is difficult; see Section X.X.X of for some additional information. In the design of FN-DSA, care has been taken to make side-channel resilience easier to achieve. Implementations must still take great care not to leak information via various side channels. While deliberate design decisions such as these can help to deliver a greater ease of secure implementation - particularly against side-channel attacks - it does not necessarily provide resistance to more powerful attacks such as differential power analysis. Some amount of side-channel leakage has been demonstrated in parts of the signing algorithm (specifically the bit-unpacking function), from which a demonstration of key recovery has been made over a large sample of signatures. Masking countermeasures exist for FN-DSA, but come with a performance overhead. FN-DSA only offers randomized signing. Deterministic signing could be dangerous as mistakes in floating-point implementation could cause different signatures for same hash. A security property also associated with digital signatures is non-repudiation. Non-repudiation refers to the assurance that the owner of a signature key pair that was capable of generating an existing signature corresponding to certain data cannot convincingly deny having signed the data, unless its private key was compromised. The digital signature scheme FN-DSA possess three security properties beyond unforgeability, that are associated with non-repudiation. These are exclusive ownership, message-bound signatures, and non-resignability. These properties are based tightly on the assumed collision resistance of the hash function used (in this case SHAKE-256). A full discussion of these properties in FN-DSA can be found at XXXX.

References Normative References n.d. ITU-T ITU-T In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] This document defines the syntax for private-key information and a content type for it. Private-key information includes a private key for a specified public-key algorithm and a set of attributes. The Cryptographic Message Syntax (CMS), as defined in RFC 5652, can be used to digitally sign, digest, authenticate, or encrypt the asymmetric key format content type. This document obsoletes RFC 5208. [STANDARDS-TRACK] Informative References National Institute of Standards and Technology (NIST) This document describes and discusses the textual encodings of the Public-Key Infrastructure X.509 (PKIX), Public-Key Cryptography Standards (PKCS), and Cryptographic Message Syntax (CMS). The textual encodings are well-known, are implemented by several applications and libraries, and are widely deployed. This document articulates the de facto rules by which existing implementations operate and defines them so that future implementations can interoperate. This document presents a framework to assist the writers of certificate policies or certification practice statements for participants within public key infrastructures, such as certification authorities, policy authorities, and communities of interest that wish to rely on certificates. In particular, the framework provides a comprehensive list of topics that potentially (at the writer's discretion) need to be covered in a certificate policy or a certification practice statement. This document supersedes RFC 2527.

ASN.1 Module This appendix includes the ASN.1 module for the FN-DSA. Note that as per , certificates use the Distinguished Encoding Rules; see . This module imports objects from .

Security Strengths

Examples This appendix contains examples of FN-DSA private keys, public keys, certificates, and inconsistent seed and expanded private keys.

Example Private Keys The following examples show FN-DSA private keys in different formats, all derived from the same seed 000102...1e1f. For each security level, we show the seed-only format (using a context-specific [0] primitive tag with an implicit encoding of OCTET STRING), the expanded format, and both formats together. NOTE: All examples use the same seed value, showing how the same seed produces different expanded private keys for each security level.

FN-DSA-512 Private Key Examples Each of the examples includes the textual encoding followed by the so-called "pretty print"; the private keys are the same.

FN-DSA-1024 Private Key Examples Each of the examples includes the textual encoding followed by the so-called "pretty print"; the private keys are the same.

Example Public Keys The following is the FN-DSA-512 public key corresponding to the private key in the previous section. The textual encoding is followed by the so-called "pretty print"; the public keys are the same. The following is the FN-DSA-1024 public key corresponding to the private key in the previous section. The textual encoding is followed by the so-called "pretty print"; the public keys are the same.

Example Certificates The following is a self-signed certificate for the FN-DSA-512 public key in the previous section. The textual encoding is followed by the so-called "pretty print"; the certificates are the same. The following is a self-signed certificate for the FN-DSA-1024 public key in the previous section. The textual encoding is followed by the so-called "pretty print"; the certificates are the same.

Acknowledgments