| rfc9882v2.txt | rfc9882.txt |
|---|---|
skipping to change at line 20 ¶ | skipping to change at line 20 ¶ | |||
Syntax (CMS) | Syntax (CMS) | |||
Abstract | Abstract | |||
The Module-Lattice-Based Digital Signature Algorithm (ML-DSA), as | The Module-Lattice-Based Digital Signature Algorithm (ML-DSA), as | |||
defined by NIST in FIPS 204, is a post-quantum digital signature | defined by NIST in FIPS 204, is a post-quantum digital signature | |||
scheme that aims to be secure against an adversary in possession of a | scheme that aims to be secure against an adversary in possession of a | |||
Cryptographically Relevant Quantum Computer (CRQC). This document | Cryptographically Relevant Quantum Computer (CRQC). This document | |||
specifies the conventions for using the ML-DSA signature algorithm | specifies the conventions for using the ML-DSA signature algorithm | |||
with the Cryptographic Message Syntax (CMS). In addition, the | with the Cryptographic Message Syntax (CMS). In addition, the | |||
algorithm identifier and public key syntax are provided. | algorithm identifier syntax is provided. | |||
Status of This Memo | Status of This Memo | |||
This is an Internet Standards Track document. | This is an Internet Standards Track document. | |||
This document is a product of the Internet Engineering Task Force | This document is a product of the Internet Engineering Task Force | |||
(IETF). It represents the consensus of the IETF community. It has | (IETF). It represents the consensus of the IETF community. It has | |||
received public review and has been approved for publication by the | received public review and has been approved for publication by the | |||
Internet Engineering Steering Group (IESG). Further information on | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | Internet Standards is available in Section 2 of RFC 7841. | |||
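Review bot: The abstract's last sentence now promises only that "the algorithm identifier syntax is provided", dropping "and public key syntax"; that is a scope change rather than a wording tweak, so the body should be checked for any remaining text that presents a public key syntax of its own (the section heading visible above still ends in "Syntax (CMS)"), and whatever pointer tells readers where the ML-DSA public key encoding is defined should be updated to match, otherwise the abstract and body will disagree about what this document specifies.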
skipping to change at line 237 ¶ | skipping to change at line 237 ¶ | |||
and any associated parameters. Each ML-DSA parameter set has a | and any associated parameters. Each ML-DSA parameter set has a | |||
collision strength parameter, represented by the "λ" (GREEK SMALL | collision strength parameter, represented by the "λ" (GREEK SMALL | |||
LETTER LAMDA, U+03BB) symbol in [FIPS204]. When signers utilise | LETTER LAMDA, U+03BB) symbol in [FIPS204]. When signers utilise | |||
signed attributes, their choice of digest algorithm may impact the | signed attributes, their choice of digest algorithm may impact the | |||
overall security level of their signature. Selecting a digest | overall security level of their signature. Selecting a digest | |||
algorithm that offers λ bits of security strength against second | algorithm that offers λ bits of security strength against second | |||
preimage attacks and collision attacks is sufficient to meet the | preimage attacks and collision attacks is sufficient to meet the | |||
security level offered by a given parameter set, so long as the | security level offered by a given parameter set, so long as the | |||
digest algorithm produces at least 2 * λ bits of output. The | digest algorithm produces at least 2 * λ bits of output. The | |||
overall security strength offered by an ML-DSA signature | overall security strength offered by an ML-DSA signature | |||
calculated over signed attributes is the floor of the digest | calculated over signed attributes is constrained by either the | |||
algorithm's strength and is the strength of the ML-DSA parameter | digest algorithm's strength or the strength of the ML-DSA | |||
set. Verifiers MAY reject a signature if the signer's choice of | parameter set, whichever is lower. Verifiers MAY reject a | |||
digest algorithm does not meet the security requirements of their | signature if the signer's choice of digest algorithm does not meet | |||
choice of ML-DSA parameter set. Table 1 shows appropriate SHA-2 | the security requirements of their choice of ML-DSA parameter set. | |||
and SHA-3 digest algorithms for each parameter set. | Table 1 shows appropriate SHA-2 and SHA-3 digest algorithms for | |||
each parameter set. | ||||
SHA-512 [FIPS180] MUST be supported for use with the variants of | SHA-512 [FIPS180] MUST be supported for use with the variants of | |||
ML-DSA in this document. SHA-512 is suitable for all ML-DSA | ML-DSA in this document. SHA-512 is suitable for all ML-DSA | |||
parameter sets and provides an interoperable option for legacy CMS | parameter sets and provides an interoperable option for legacy CMS | |||
implementations that wish to migrate to use post-quantum | implementations that wish to migrate to use post-quantum | |||
cryptography, but that may not support use of SHA-3 derivatives at | cryptography, but that may not support use of SHA-3 derivatives at | |||
the CMS layer. However, other hash functions MAY also be | the CMS layer. However, other hash functions MAY also be | |||
supported; in particular, SHAKE256 SHOULD be supported, as this is | supported; in particular, SHAKE256 SHOULD be supported, as this is | |||
the digest algorithm used internally in ML-DSA. When SHA-512 is | the digest algorithm used internally in ML-DSA. When SHA-512 is | |||
used, the id-sha512 [RFC5754] digest algorithm identifier is used | used, the id-sha512 [RFC5754] digest algorithm identifier is used | |||
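Review bot: The rewritten sentence "constrained by either the digest algorithm's strength or the strength of the ML-DSA parameter set, whichever is lower" is correct but roundabout; the old "is the floor of the digest algorithm's strength and is the strength of the ML-DSA parameter set" was plainly garbled, and the simplest replacement is "is the lesser of the digest algorithm's security strength and the security strength of the ML-DSA parameter set", which states the minimum directly. Two smaller points in the same block: the clause "so long as the digest algorithm produces at least 2 * λ bits of output" gives only a sufficient condition, so Table 1 (not shown in this diff) should be checked so that every listed digest actually satisfies it for its parameter set; and "utilise" in "When signers utilise signed attributes" is the one non-US spelling in the passage, where plain "use" would match the surrounding text.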
End of changes. 2 change blocks.
7 lines changed or deleted | 8 lines changed or added
This html diff was produced by rfcdiff 1.48. |