idnits 2.17.1

draft-prorock-cose-post-quantum-signatures-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (5 March 2022) is 782 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref.
     'CRYSTALS-Dilithium'

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

None                                                          M. Prorock
Internet-Draft                                                  mesur.io
Intended status: Standards Track                               O. Steele
Expires: 6 September 2022                                      Transmute
                                                             R. Misoczki
                                                                  Google
                                                              M. Osborne
                                                                     IBM
                                                         C. Cloostermans
                                                                     NXP
                                                            5 March 2022

               JSON Encoding for Post Quantum Signatures
             draft-prorock-cose-post-quantum-signatures-00

Abstract

   This document describes JSON and CBOR serializations for several post
   quantum cryptography (PQC) based suites.

   This document does not define any new cryptography, only
   serializations of existing cryptographic systems.

   This document registers key types for JOSE and COSE, specifically
   PQK, CRYDI, pset.

   This document registers signature algorithm types for JOSE and COSE,
   specifically CRYDI3 and others as required for various post quantum
   signature schemes.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 6 September 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Notational Conventions
   2.  Terminology
   3.  CRYSTALS-Dilithium
     3.1.  Overview
     3.2.  Parameters
       3.2.1.  Parameter sets
     3.3.  Core Operations
       3.3.1.  Generate
       3.3.2.  Sign
       3.3.3.  Verify
     3.4.  Using CRYDI with JOSE
       3.4.1.  CRYDI Key Representations
       3.4.2.  CRYDI Algorithms
       3.4.3.  CRYDI Signature Representation
     3.5.  Using CRYDI with COSE
   4.  Falcon
   5.  SPHINCS+
     5.1.  Overview
     5.2.  Parameters
       5.2.1.  Parameter sets
     5.3.  Core Operations
       5.3.1.  Generate
       5.3.2.  Sign
       5.3.3.  Verify
     5.4.  Using SPHINCS+ with JOSE
       5.4.1.  SPHINCS+ Key Representations
       5.4.2.  SPHINCS+ Algorithms
       5.4.3.  SPHINCS+ Signature Representation
   6.  Security Considerations
     6.1.  Validating public keys
     6.2.  Side channel attacks
     6.3.  Randomness considerations
   7.  IANA Considerations
   8.  Appendix
     8.1.  Test Vectors
   9.  Normative References
   10. Informative References
   Authors' Addresses

1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Terminology

   The following terminology is used throughout this document:

   PK         The public key for the signature scheme.
   SK         The secret key for the signature scheme.
   signature  The digital signature output.
   message    The input to be signed by the signature scheme.
   sha256     The SHA-256 hash function defined in [RFC6234].
   shake256   The SHAKE256 hash function defined in [RFC8702].

3.  CRYSTALS-Dilithium

3.1.  Overview

   This section of the document describes the lattice signature scheme
   CRYSTALS-Dilithium (CRYDI).  The scheme is based on "Fiat-Shamir with
   Aborts" [Lyu09, Lyu12], utilizing a matrix of polynomials for key
   material and a vector of polynomials for signatures.  The parameter
   set is strategically chosen such that the signing algorithm is large
   enough to maintain zero-knowledge properties but small enough to
   prevent forgery of signatures.  An example implementation and test
   vectors are provided.

   CRYSTALS-Dilithium is a Post Quantum approach to digital signatures.
   It is an algorithmic approach that seeks to ensure key pair and
   signing properties that make for a strong implementation meeting
   Existential Unforgeability under Chosen Message Attack (EUF-CMA)
   properties, while ensuring that the security levels reached meet
   security needs for resistance to both classical and quantum attacks.
   The algorithm itself is based on hard problems over module lattices,
   specifically Ring Learning with Errors (Ring-LWE).  For all security
   levels the only operations required are variants of Keccak and number
   theoretic transforms (NTT) for the ring Zq[X]/(X^256+1).  This
   ensures that increasing or decreasing the security level involves
   only a change of parameters rather than re-implementation of a
   related algorithm.

   While based on Ring-LWE, CRYSTALS-Dilithium has less algebraic
   structure than direct Ring-LWE implementations and more closely
   resembles the unstructured lattices used in Learning with Errors
   (LWE).  This brings a theoretical protection against future
   algebraic attacks on Ring-LWE that may be developed.

   CRYSTALS-Dilithium brings several advantages over other approaches
   to signature suites:

   *  Post Quantum in nature - use of lattices and other approaches that
      should remain hard problems even when under attack utilizing
      quantum approaches
   *  Simple implementation while maintaining security - a danger in
      many possible approaches to cryptography is that it may be
      possible to inadvertently introduce errors in code that lead to
      weakness or decreases in security level
   *  Signature and Public Key Size - compared to other post quantum
      approaches a reasonable key size has been achieved that also
      preserves desired security properties
   *  Conservative parameter space - parameterization is utilized for
      the purposes of defining the sizes of matrices in use, and thereby
      the number of polynomials described by the key material.
   *  Parameter set adjustment for greater security - increasing this
      matrix size increases the number of polynomials, and thereby the
      security level
   *  Performance and optimization - the approach makes use of well
      known transforms that can be highly optimized, especially with use
      of hardware optimizations without being so large that it cannot be
      deployed in embedded or IoT environments without some degree of
      optimization.

   The primary known disadvantage to CRYSTALS-Dilithium is the size of
   keys and signatures, especially as compared to classical approaches
   for digital signing.

3.2.  Parameters

   Unlike certain other approaches such as Ed25519 that have a large set
   of parameters, CRYSTALS-Dilithium uses distinct numbers of parameters
   to increase or decrease the security level according to the required
   level for a particular scenario.  Under CRYSTALS-Dilithium, the key
   parameter specification determines the size of the matrix and
   thereby the number of polynomials that describe the lattice.  For use
   according to this specification we do not recommend a parameter set
   of less than 3, which should be sufficient to maintain 128 bits of
   security for all known classical and quantum attacks.  Under a
   parameter set at NIST level 3, a 6x5 matrix is utilized that thereby
   consists of 30 polynomials.

3.2.1.  Parameter sets

   Parameter sets are identified by the corresponding NIST level per the
   table below

   +============+=============+================+
   | NIST Level | Matrix Size | memory in bits |
   +============+=============+================+
   | 2          | 4x4         | 97.8           |
   +------------+-------------+----------------+
   | 3          | 6x5         | 138.7          |
   +------------+-------------+----------------+
   | 5          | 8x7         | 187.4          |
   +------------+-------------+----------------+

                      Table 1

3.3.  Core Operations

   This section defines core operations used by the signature scheme, as
   proposed in [CRYSTALS-Dilithium].

3.3.1.  Generate

   See [CRYSTALS-Dilithium]

3.3.2.  Sign

   See [CRYSTALS-Dilithium]

3.3.3.  Verify

   See [CRYSTALS-Dilithium]

3.4.  Using CRYDI with JOSE

   Basing off of this
   (https://datatracker.ietf.org/doc/html/rfc8812#section-3)

3.4.1.  CRYDI Key Representations

   A new key type (kty) value "PQK" (Post Quantum Key Pair) is defined
   for public key algorithms that use base 64 encoded strings of the
   underlying binary material as private and public keys and that
   support cryptographic sponge functions.  It has the following
   parameters:

   *  The parameter "kty" MUST be "PQK".

   *  The parameter "alg" MUST be specified, and its value MUST be one
      of the values specified in table *TBD*.

   *  The parameter "pset" MUST be specified to indicate not only the
      parameter set in use for the algorithm, but SHOULD also reflect
      the targeted NIST level for the algorithm in combination with the
      specified parameter set.  For "alg" "CRYDI" one of the described
      parameter sets "2", "3", or "5" MUST be specified.  Parameter set
      "3" or above SHOULD be used with "CRYDI" for any situation
      requiring at least 128 bits of security against both quantum and
      classical attacks

   *  The parameter "x" MUST be present and contain the public key
      encoded using the base64url [RFC4648] encoding.

   *  The parameter "xs" MAY be present and contain the shake256 of the
      public key encoded using the base64url [RFC4648] encoding.

   *  The parameter "d" MUST be present for private keys and contain the
      private key encoded using the base64url encoding.  This parameter
      MUST NOT be present for public keys.

   *  The parameter "ds" MAY be present for private keys and contain the
      shake256 of the private key encoded using the base64url encoding.
      This parameter MUST NOT be present for public keys.

   Sizes of various key and signature material are as follows (for
   "pset" value "2")

   +===========+================+===============+======+==============+
   | Variable  | Parameter Name | Parameter Set | Size | base64url    |
   |           |                |               |      | encoded size |
   +===========+================+===============+======+==============+
   | Signature | sig            | 2             | 3293 | 4393         |
   +-----------+----------------+---------------+------+--------------+
   | Public    | x              | 2             | 1952 | 2605         |
   | Key       |                |               |      |              |
   +-----------+----------------+---------------+------+--------------+
   | Private   | d              | 2             | 4000 | 5337         |
   | Key       |                |               |      |              |
   +-----------+----------------+---------------+------+--------------+

                                 Table 2

   When calculating JWK Thumbprints [RFC7638], the four public key
   fields are included in the hash input in lexicographic order: "kty",
   "pset", and "x".

3.4.2.  CRYDI Algorithms

   In order to reduce the complexity of the key representation and
   signature representations we register a unique algorithm name per
   pset.  This allows us to omit registering the pset term, and reduces
   the likelihood that it will be misused.  These alg values are used in
   both key representations and signatures.

   +=====+========+===============+
   | kty | alg    | Parameter Set |
   +=====+========+===============+
   | PQK | CRYDI5 | 5             |
   +-----+--------+---------------+
   | PQK | CRYDI3 | 3             |
   +-----+--------+---------------+
   | PQK | CRYDI2 | 2             |
   +-----+--------+---------------+

               Table 3

3.4.2.1.  Public Key

   Per section 5.1 of [CRYSTALS-Dilithium]:

   |  The public key, containing p and t1, is stored as the
   |  concatenation of the bit-packed representations of p and t1 in
   |  this order.  Therefore, it has a size of 32 + 288 kbytes.

   The public key is represented as x and encoded using base64url
   encoding as described in [RFC7517].

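   The member rules of Section 3.4.1 and the thumbprint rule of the same section, checked in code. This is an added Python example, not part of the draft or of any CRYDI implementation. It assumes unpadded base64url as in RFC 7515, a 32-byte SHAKE256 output for "xs" and "ds" (the draft states no length), and that a Table 3 "alg" name implies "pset"; the key bytes are constructed stand-ins and key sizes are not checked.

```python
import base64
import hashlib
import json
import re

PSETS = {"2", "3", "5"}                                  # Section 3.4.1
TABLE3 = {"CRYDI2": "2", "CRYDI3": "3", "CRYDI5": "5"}   # Table 3: alg -> parameter set
B64URL = re.compile(r"[A-Za-z0-9_-]+")
DIGEST_LEN = 32  # assumption: the draft does not state the SHAKE256 output length


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Strict unpadded base64url (assumed, as in RFC 7515).

    Python's decoder is lenient about characters outside the base64url
    alphabet, so the alphabet is checked first; '+', '/' and '=' are rejected.
    """
    if not isinstance(text, str) or not B64URL.fullmatch(text) or len(text) % 4 == 1:
        raise ValueError("not unpadded base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def resolve_pset(jwk):
    """Return the parameter set from "pset", or the one a Table 3 alg name implies."""
    alg = jwk.get("alg")
    implied = TABLE3.get(alg) if isinstance(alg, str) else None
    if alg != "CRYDI" and implied is None:
        raise ValueError('"alg" is not a CRYDI value')
    pset = jwk.get("pset", implied)
    if not isinstance(pset, str) or pset not in PSETS:
        raise ValueError('"pset" MUST be "2", "3" or "5"')
    if implied is not None and pset != implied:
        raise ValueError('"pset" contradicts "alg"')
    return pset


def check_pqk(jwk, private=False):
    """Return the Section 3.4.1 violations found in jwk (an empty list means none)."""
    errors = []
    if jwk.get("kty") != "PQK":
        errors.append('"kty" MUST be "PQK"')
    try:
        resolve_pset(jwk)
    except ValueError as exc:
        errors.append(str(exc))
    pairs = [("x", "xs")]
    if private:
        pairs.append(("d", "ds"))
    else:
        # Private material must never travel inside a public key.
        errors += ['"%s" MUST NOT be present for public keys' % m
                   for m in ("d", "ds") if m in jwk]
    for key_name, digest_name in pairs:
        if key_name not in jwk:
            errors.append('"%s" MUST be present' % key_name)
            continue
        try:
            raw = b64url_decode(jwk[key_name])
        except ValueError:
            errors.append('"%s" is not unpadded base64url' % key_name)
            continue
        expected = b64url_encode(hashlib.shake_256(raw).digest(DIGEST_LEN))
        if digest_name in jwk and jwk[digest_name] != expected:
            errors.append('"%s" is not the shake256 of "%s"' % (digest_name, key_name))
    return errors


def thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint over "kty", "pset" and "x", the members the draft names."""
    members = {"kty": jwk["kty"], "pset": resolve_pset(jwk), "x": jwk["x"]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def sample_keys():
    """Constructed inputs; the key bytes are stand-ins, not real Dilithium keys."""
    raw_pk = bytes(range(256)) * 4
    good = {"kty": "PQK", "alg": "CRYDI3", "pset": "3", "x": b64url_encode(raw_pk),
            "xs": b64url_encode(hashlib.shake_256(raw_pk).digest(DIGEST_LEN))}
    return {
        "good": good,
        "private member in public key": dict(good, d=b64url_encode(b"\x01" * 64)),
        "standard base64 in x": dict(good, x=base64.b64encode(raw_pk).decode("ascii")),
        "x swapped under xs": dict(good, x=b64url_encode(raw_pk[::-1])),
    }


if __name__ == "__main__":
    for name, key in sample_keys().items():
        print(name, "->", check_pqk(key) or "ok")
    print("thumbprint:", thumbprint(sample_keys()["good"]))
```
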
324 Example public key using only required fields: 326 =============== NOTE: '\' line wrapping per RFC 8792 ================ 328 { 329 "kty": "PQK", 330 "alg": "CRYDI3", 331 "x": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDdrOO+nfXRVUZVy9q1\ 332 5zDn77zTgrIskM3WX8bqslc+B1fq12iA/wxD2jc1d6j+YjKCtkGH26OR7vc0YC2ZiMzW\ 333 zGl7yebt7JkmjRbN1N+u/2fAKFLuziMcLNP6WLoWbMqxoC2XOOVNAWX3QjXrCcGU23Nr\ 334 imtdmWz5NrP43E592Sctt5M+SVlfgQeYv8pHmtkQknE8/jr7TrgNpuiV7nXmhWHTMJ4I\ 335 zoGXgq43odFFthboEdKNT/enyu+VvUGoIJ6cN8C/1B6o1WlYHEaL0BEIFFbAiAhZ/vnf\ 336 cUYMaVPqsDJuETsjetcE32kGCD7Jkume2tO68DlIhB/2Z2JX8mkcbxFI6KrmXiRxXQj9\ 337 9LVn1fEzdf3Vfpcs/C3omsFGqmTpLDK+AvW/SWVkDi2NKq7hL/AyxlW2u2cqVErQZUTS\ 338 Z+ic6V8kZfxr3gRMnH0KuF5BtjleZ/yVvqqPjwPOZegCKEl2Gd8duhcUde7CR55pil1o\ 339 UXy5AwgCcZTdEcJn1OPObGoots9T19gw1x4vnZCQUKVDPZuZ1gIkGqDUYXS0lcNTjCMs\ 340 miFEmnOZvB88jxULpb1vl9HoQ3ocM2oZu4AZRt9G/L07Mwcui0uFCWtAIau+2gqNAn/Z\ 341 AS10l0j2N0LLtAaOxoF+Ctzscrt0ZMyGHmoQ9daHkpUvEq0cO8hDtLplnq3lQIIIfROQ\ 342 jcNs9vNKBu87COBjukZD+L8vV4zy8FNO59MCSb9UCLwz2xvfdI1js9/J7hTGaVec8VPx\ 343 md42yPFrGw5Na1oefm8vW49EDmevc8AjAtwDirRBDFv9pX3+5S+M6jhteSLYvpKJXQT1\ 344 zs1379KvIHwkn9VHpA+PiUUw9TgF6xF8xWEGSNlOo1Vn1xtM3givehjYxJ5p5/kBEFZI\ 345 DCyFzstAirJ2GadNhae+P1JFZzJWnX5jaLwzldquZwF3yTzNho4sgBA+fKqiXcgn2nw1\ 346 vz0Dkbxr6cMaUool0eFScU1nAz1Z39W64LtT2nEuYsORx/ht2RzJxxFc21X3nLeEDFCe\ 347 NkNDxQFBSfpZjKKgJtXEx23mp+CbBVMrbagsLnzsAGLYbnroVmATU5Iqr6LgYBpuFs+N\ 348 Rkq7ZXh6CZPukMGQbcOGuNwO6NBuuMNhir5ayGk1ZBiW82C7Nu0hs2pLcgNqWMtt1+LW\ 349 8R96KyoSc784ZYAZ40QqvoySwmxQPBRTRJ+wB0sVpGBLTxdY9Gw3pXeXN5nao340d2ZA\ 350 7YEMlqcTHCAv3F8B9ewl7OfQlmg6bvdMuoVdVE+p0er7IAmWMRgviIzYv9sKEEQrCmua\ 351 2qL5xPSbD05KRf8ZAZ2B8lSCDR1nzXrQXZbXBKJivsCVQDuzxrwGE0gqRMpbk4f5GYCG\ 352 4i/O8Knoru+jjf6wVQDYKfyz1QUGRlXHkGUGlXfv03r7UbJugycjVO5kbGxhoZkqOq8z\ 353 ZEpkefvrrNoxeotw/z4QpjI8JlY97GDb0mGVHbmdHugjMtVTGhVJFBbPIinmR+emt7O+\ 354 4qOr7ywRxCvt2lziWtpPBwaf/1XDnN5Gesex1gR1YrcTRNmB808b01sxLQmxcTt4eQ0/\ 355 
LUkas7qTJ3AQThOfDdtIpkqsthsBFy+WjSQuoXCYMRcPi6MlpxJndDF32lCnL1ranV6e\ 356 F2ST0SYT+NwNDesMzTRmNbHUW5KAhu0k9WABTvcM5ba0Uq6iOa1NsFrcLag+KhxN6HPn\ 357 oobwJ/EsDi5S7TAl8WrjqIhZ8x6h9eRRXerpaOw/FYk+2MpWByp/98VE12/EwOqAIiPp\ 358 elAvUeMOlRkpG64bJsmyYtHuNWgcv5Qiy7/eGw9ZpvB3J3G3jxvbynExqdFyDc067EKi\ 359 5WxDFPuZUjkfKpekNvzQuIrqs49BzcRyMt5ndEVE21TPPfZ/R8B7Rxnb2LiK+hQc+cc9\ 360 pEEaWgwAOiMILcp/1CyY6ImdO6RHsxwflMH7gej+hN41kaoEghIOl9kMGTLZbq5Pc8Pz\ 361 6F2LKTBMJWg9o/0blvilMH9EPblcLeF/bR1AZTUD6ZFdi2TxN6Epn3QVqeG/qPm1EBTF\ 362 Gw1V92m6/08Dd6zI1HPqwKbkHx4F567owofKHaM2imin0yVUpwxoRJrulRHMCB3tn8C4\ 363 ZpFl+sGV3Gip3tKlS7PKQkTqI6DMwxEbdrvtdY1sHZagpclLDisA/yFT4RR2m3VNJR9P\ 364 6Nx3teqN1eg6RXmD/MlKCdWrlcjZ/6yeIQYwbr9CjItY/tLQX2gtAR1SXOh99UUBVv+Z\ 365 E03VOZ+Ecsc78lSB9G/6n6CFzlbk/HgAF+cu0yMbGnEM8W3mTUspS4JBACwk5w0XWNNQ\ 366 DWVEdgzuLGhPq+hYExDjVZrLELhkH8YgZA+7RXXUZHM/joNOGHUhpUG/bFo3ktnaILCu\ 367 xsOXMUbDC3VcitFFHsGK1svtcERDFxk1HA8pGa59jT0do6n3wEbnBDU1soKNFtpmcVkE\ 368 Ul3XpvuoW3BgCwJzBUCWvPs47DJRgGxO11bSaEYYlhTVaaShcvzgz46AkqO+Q7TjckDP\ 369 /8uzsSQk0AbuhxWFQpSiBP8OZ/U=" 370 } 372 Example public key including optional fields: 374 =============== NOTE: '\' line wrapping per RFC 8792 ================ 376 { 377 "kid": "key-0", 378 "kty": "PQK", 379 "alg": "CRYDI3", 380 "key_ops": ["verify"], 381 "xs": "z3uZQVjflnRZDSZn1e8g4oKH4YUU6TnpvkU4WrrGdXw=", 382 "ds": "5DuZ8XoJQirc/5TE23tBcoGoHo+JTj1+9ULLXtCiySU=", 383 "x": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDdrOO+nfXRVUZVy9q1\ 384 5zDn77zTgrIskM3WX8bqslc+B1fq12iA/wxD2jc1d6j+YjKCtkGH26OR7vc0YC2ZiMzW\ 385 zGl7yebt7JkmjRbN1N+u/2fAKFLuziMcLNP6WLoWbMqxoC2XOOVNAWX3QjXrCcGU23Nr\ 386 imtdmWz5NrP43E592Sctt5M+SVlfgQeYv8pHmtkQknE8/jr7TrgNpuiV7nXmhWHTMJ4I\ 387 zoGXgq43odFFthboEdKNT/enyu+VvUGoIJ6cN8C/1B6o1WlYHEaL0BEIFFbAiAhZ/vnf\ 388 cUYMaVPqsDJuETsjetcE32kGCD7Jkume2tO68DlIhB/2Z2JX8mkcbxFI6KrmXiRxXQj9\ 389 9LVn1fEzdf3Vfpcs/C3omsFGqmTpLDK+AvW/SWVkDi2NKq7hL/AyxlW2u2cqVErQZUTS\ 390 Z+ic6V8kZfxr3gRMnH0KuF5BtjleZ/yVvqqPjwPOZegCKEl2Gd8duhcUde7CR55pil1o\ 391 
UXy5AwgCcZTdEcJn1OPObGoots9T19gw1x4vnZCQUKVDPZuZ1gIkGqDUYXS0lcNTjCMs\ 392 miFEmnOZvB88jxULpb1vl9HoQ3ocM2oZu4AZRt9G/L07Mwcui0uFCWtAIau+2gqNAn/Z\ 393 AS10l0j2N0LLtAaOxoF+Ctzscrt0ZMyGHmoQ9daHkpUvEq0cO8hDtLplnq3lQIIIfROQ\ 394 jcNs9vNKBu87COBjukZD+L8vV4zy8FNO59MCSb9UCLwz2xvfdI1js9/J7hTGaVec8VPx\ 395 md42yPFrGw5Na1oefm8vW49EDmevc8AjAtwDirRBDFv9pX3+5S+M6jhteSLYvpKJXQT1\ 396 zs1379KvIHwkn9VHpA+PiUUw9TgF6xF8xWEGSNlOo1Vn1xtM3givehjYxJ5p5/kBEFZI\ 397 DCyFzstAirJ2GadNhae+P1JFZzJWnX5jaLwzldquZwF3yTzNho4sgBA+fKqiXcgn2nw1\ 398 vz0Dkbxr6cMaUool0eFScU1nAz1Z39W64LtT2nEuYsORx/ht2RzJxxFc21X3nLeEDFCe\ 399 NkNDxQFBSfpZjKKgJtXEx23mp+CbBVMrbagsLnzsAGLYbnroVmATU5Iqr6LgYBpuFs+N\ 400 Rkq7ZXh6CZPukMGQbcOGuNwO6NBuuMNhir5ayGk1ZBiW82C7Nu0hs2pLcgNqWMtt1+LW\ 401 8R96KyoSc784ZYAZ40QqvoySwmxQPBRTRJ+wB0sVpGBLTxdY9Gw3pXeXN5nao340d2ZA\ 402 7YEMlqcTHCAv3F8B9ewl7OfQlmg6bvdMuoVdVE+p0er7IAmWMRgviIzYv9sKEEQrCmua\ 403 2qL5xPSbD05KRf8ZAZ2B8lSCDR1nzXrQXZbXBKJivsCVQDuzxrwGE0gqRMpbk4f5GYCG\ 404 4i/O8Knoru+jjf6wVQDYKfyz1QUGRlXHkGUGlXfv03r7UbJugycjVO5kbGxhoZkqOq8z\ 405 ZEpkefvrrNoxeotw/z4QpjI8JlY97GDb0mGVHbmdHugjMtVTGhVJFBbPIinmR+emt7O+\ 406 4qOr7ywRxCvt2lziWtpPBwaf/1XDnN5Gesex1gR1YrcTRNmB808b01sxLQmxcTt4eQ0/\ 407 LUkas7qTJ3AQThOfDdtIpkqsthsBFy+WjSQuoXCYMRcPi6MlpxJndDF32lCnL1ranV6e\ 408 F2ST0SYT+NwNDesMzTRmNbHUW5KAhu0k9WABTvcM5ba0Uq6iOa1NsFrcLag+KhxN6HPn\ 409 oobwJ/EsDi5S7TAl8WrjqIhZ8x6h9eRRXerpaOw/FYk+2MpWByp/98VE12/EwOqAIiPp\ 410 elAvUeMOlRkpG64bJsmyYtHuNWgcv5Qiy7/eGw9ZpvB3J3G3jxvbynExqdFyDc067EKi\ 411 5WxDFPuZUjkfKpekNvzQuIrqs49BzcRyMt5ndEVE21TPPfZ/R8B7Rxnb2LiK+hQc+cc9\ 412 pEEaWgwAOiMILcp/1CyY6ImdO6RHsxwflMH7gej+hN41kaoEghIOl9kMGTLZbq5Pc8Pz\ 413 6F2LKTBMJWg9o/0blvilMH9EPblcLeF/bR1AZTUD6ZFdi2TxN6Epn3QVqeG/qPm1EBTF\ 414 Gw1V92m6/08Dd6zI1HPqwKbkHx4F567owofKHaM2imin0yVUpwxoRJrulRHMCB3tn8C4\ 415 ZpFl+sGV3Gip3tKlS7PKQkTqI6DMwxEbdrvtdY1sHZagpclLDisA/yFT4RR2m3VNJR9P\ 416 6Nx3teqN1eg6RXmD/MlKCdWrlcjZ/6yeIQYwbr9CjItY/tLQX2gtAR1SXOh99UUBVv+Z\ 417 E03VOZ+Ecsc78lSB9G/6n6CFzlbk/HgAF+cu0yMbGnEM8W3mTUspS4JBACwk5w0XWNNQ\ 418 
DWVEdgzuLGhPq+hYExDjVZrLELhkH8YgZA+7RXXUZHM/joNOGHUhpUG/bFo3ktnaILCu\ 419 xsOXMUbDC3VcitFFHsGK1svtcERDFxk1HA8pGa59jT0do6n3wEbnBDU1soKNFtpmcVkE\ 420 Ul3XpvuoW3BgCwJzBUCWvPs47DJRgGxO11bSaEYYlhTVaaShcvzgz46AkqO+Q7TjckDP\ 421 /8uzsSQk0AbuhxWFQpSiBP8OZ/U=" 422 } 424 3.4.2.2. Private Key 426 Per section 5.1 of [CRYSTALS-Dilithium]: 428 | The secret key contains p,K,tr,s1,s2 and t0 and is also stored as 429 | a bit-packed representation of these quantities in the given 430 | order. Consequently, a secret key requires 64 + 48 + 32((k+l) * 431 | dlog (2n+ 1)e + 14k) bytes. For the weak, medium and high 432 | security level this is equal to 112 + 576k+ 128l bytes. With the 433 | very high security parameters one needs 112 + 544k + 96l = 3856 434 | bytes. 436 The private key is represented as d and encoded using base64url 437 encoding as described in [RFC7517]. 439 Example private key using only required fields: 441 =============== NOTE: '\' line wrapping per RFC 8792 ================ 443 { 444 "kty": "PQK", 445 "alg": "CRYDI3", 446 "x": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDdrOO+nfXRVUZVy9q1\ 447 5zDn77zTgrIskM3WX8bqslc+B1fq12iA/wxD2jc1d6j+YjKCtkGH26OR7vc0YC2ZiMzW\ 448 zGl7yebt7JkmjRbN1N+u/2fAKFLuziMcLNP6WLoWbMqxoC2XOOVNAWX3QjXrCcGU23Nr\ 449 imtdmWz5NrP43E592Sctt5M+SVlfgQeYv8pHmtkQknE8/jr7TrgNpuiV7nXmhWHTMJ4I\ 450 zoGXgq43odFFthboEdKNT/enyu+VvUGoIJ6cN8C/1B6o1WlYHEaL0BEIFFbAiAhZ/vnf\ 451 cUYMaVPqsDJuETsjetcE32kGCD7Jkume2tO68DlIhB/2Z2JX8mkcbxFI6KrmXiRxXQj9\ 452 9LVn1fEzdf3Vfpcs/C3omsFGqmTpLDK+AvW/SWVkDi2NKq7hL/AyxlW2u2cqVErQZUTS\ 453 Z+ic6V8kZfxr3gRMnH0KuF5BtjleZ/yVvqqPjwPOZegCKEl2Gd8duhcUde7CR55pil1o\ 454 UXy5AwgCcZTdEcJn1OPObGoots9T19gw1x4vnZCQUKVDPZuZ1gIkGqDUYXS0lcNTjCMs\ 455 miFEmnOZvB88jxULpb1vl9HoQ3ocM2oZu4AZRt9G/L07Mwcui0uFCWtAIau+2gqNAn/Z\ 456 AS10l0j2N0LLtAaOxoF+Ctzscrt0ZMyGHmoQ9daHkpUvEq0cO8hDtLplnq3lQIIIfROQ\ 457 jcNs9vNKBu87COBjukZD+L8vV4zy8FNO59MCSb9UCLwz2xvfdI1js9/J7hTGaVec8VPx\ 458 md42yPFrGw5Na1oefm8vW49EDmevc8AjAtwDirRBDFv9pX3+5S+M6jhteSLYvpKJXQT1\ 459 
zs1379KvIHwkn9VHpA+PiUUw9TgF6xF8xWEGSNlOo1Vn1xtM3givehjYxJ5p5/kBEFZI\ 460 DCyFzstAirJ2GadNhae+P1JFZzJWnX5jaLwzldquZwF3yTzNho4sgBA+fKqiXcgn2nw1\ 461 vz0Dkbxr6cMaUool0eFScU1nAz1Z39W64LtT2nEuYsORx/ht2RzJxxFc21X3nLeEDFCe\ 462 NkNDxQFBSfpZjKKgJtXEx23mp+CbBVMrbagsLnzsAGLYbnroVmATU5Iqr6LgYBpuFs+N\ 463 Rkq7ZXh6CZPukMGQbcOGuNwO6NBuuMNhir5ayGk1ZBiW82C7Nu0hs2pLcgNqWMtt1+LW\ 464 8R96KyoSc784ZYAZ40QqvoySwmxQPBRTRJ+wB0sVpGBLTxdY9Gw3pXeXN5nao340d2ZA\ 465 7YEMlqcTHCAv3F8B9ewl7OfQlmg6bvdMuoVdVE+p0er7IAmWMRgviIzYv9sKEEQrCmua\ 466 2qL5xPSbD05KRf8ZAZ2B8lSCDR1nzXrQXZbXBKJivsCVQDuzxrwGE0gqRMpbk4f5GYCG\ 467 4i/O8Knoru+jjf6wVQDYKfyz1QUGRlXHkGUGlXfv03r7UbJugycjVO5kbGxhoZkqOq8z\ 468 ZEpkefvrrNoxeotw/z4QpjI8JlY97GDb0mGVHbmdHugjMtVTGhVJFBbPIinmR+emt7O+\ 469 4qOr7ywRxCvt2lziWtpPBwaf/1XDnN5Gesex1gR1YrcTRNmB808b01sxLQmxcTt4eQ0/\ 470 LUkas7qTJ3AQThOfDdtIpkqsthsBFy+WjSQuoXCYMRcPi6MlpxJndDF32lCnL1ranV6e\ 471 F2ST0SYT+NwNDesMzTRmNbHUW5KAhu0k9WABTvcM5ba0Uq6iOa1NsFrcLag+KhxN6HPn\ 472 oobwJ/EsDi5S7TAl8WrjqIhZ8x6h9eRRXerpaOw/FYk+2MpWByp/98VE12/EwOqAIiPp\ 473 elAvUeMOlRkpG64bJsmyYtHuNWgcv5Qiy7/eGw9ZpvB3J3G3jxvbynExqdFyDc067EKi\ 474 5WxDFPuZUjkfKpekNvzQuIrqs49BzcRyMt5ndEVE21TPPfZ/R8B7Rxnb2LiK+hQc+cc9\ 475 pEEaWgwAOiMILcp/1CyY6ImdO6RHsxwflMH7gej+hN41kaoEghIOl9kMGTLZbq5Pc8Pz\ 476 6F2LKTBMJWg9o/0blvilMH9EPblcLeF/bR1AZTUD6ZFdi2TxN6Epn3QVqeG/qPm1EBTF\ 477 Gw1V92m6/08Dd6zI1HPqwKbkHx4F567owofKHaM2imin0yVUpwxoRJrulRHMCB3tn8C4\ 478 ZpFl+sGV3Gip3tKlS7PKQkTqI6DMwxEbdrvtdY1sHZagpclLDisA/yFT4RR2m3VNJR9P\ 479 6Nx3teqN1eg6RXmD/MlKCdWrlcjZ/6yeIQYwbr9CjItY/tLQX2gtAR1SXOh99UUBVv+Z\ 480 E03VOZ+Ecsc78lSB9G/6n6CFzlbk/HgAF+cu0yMbGnEM8W3mTUspS4JBACwk5w0XWNNQ\ 481 DWVEdgzuLGhPq+hYExDjVZrLELhkH8YgZA+7RXXUZHM/joNOGHUhpUG/bFo3ktnaILCu\ 482 xsOXMUbDC3VcitFFHsGK1svtcERDFxk1HA8pGa59jT0do6n3wEbnBDU1soKNFtpmcVkE\ 483 Ul3XpvuoW3BgCwJzBUCWvPs47DJRgGxO11bSaEYYlhTVaaShcvzgz46AkqO+Q7TjckDP\ 484 /8uzsSQk0AbuhxWFQpSiBP8OZ/U=", 485 "d": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDUBgL6FklHURz5btM5\ 486 
yrI5FQdWk+U2srVuSmfDV7EYG897mUFY35Z0WQ0mZ9XvIOKCh+GFFOk56b5FOFq6xnV8\ 487 UDQnFyY2JREUOHdiUjcUNxA1YxR3QiQ0BkE1AUBmFEOAUHZGBzQAU2dxVIgTQRV3U3g4\ 488 GGiISEYQhHRSWDIBQ2Z3UIIWdSV1EWhwBTYiWGI3VmJVI1UIU2REdUhHBoJ2gRhFUThy\ 489 BSQnhBIGI1AoMVB2MCNhUXQiNUGCKHgzUmQxU3dEgBhmQyIQgmFjdxY1dCJgGBSEB4Ij\ 490 CEJ0MBGIQWRRN3QjRmRSQWQIJgNjcjdnMlJhJIU1MlJRd1NmF4dwhHIIdEYYcAhEclBQ\ 491 JjESAiBwBQYzYlAIIocBcoZFcGVkA2SDMCVTBjgzCAAzNnQGYHI1VwJzYxQRckBIZBV4\ 492 VxZmZiVlYXgHFRNjdEFIYVOFIVdhcnIINEhhIURjg0cxJ0SCIWYUUVcHJzdDUTASciAW\ 493 UiJAglIoQkIwNjMlcwACZxcHZVJAh4EnNnWAZVVoBjNnNEcicTdyEEUHBVFjETETNjd0\ 494 YUFmFDVXNUcHFVJoE2AlVwFhMzc0dQckMYJUaBJ0JkUBdyd1AnZiJ3hYYkWAgyR1VziD\ 495 BERVh1NQAFIGWIhUZXCEQxIThyR1FIGGNTKAcwdRNBGDYEd2RVEwUDMzWAAhNQEEMYAS\ 496 hUSCgTJ3VIdXUlFBFxFkhVCCZEABJjQCAxFGNkhHQzM1YSSHNlEBEmJkgWZCVwZHRSVD\ 497 GDZzRCQiNhE3IghDhSFoBYCHNFVHMxZAZTSGAVMUQkhBKIFRQEVBB0cHNGEiJVVScQQh\ 498 hzQiBzKBYRY4Q0R2MVUldwVCIkQYEEgFYEREY2NERyFVdHJzdAZHBmhmdSCFIgh1IwGB\ 499 AxNzFjEoUWFCF4AhZRJSEROEEThxAGYBJTgUcUdFJBOFRmcVYnZUUFCAY1AnZEZBVThS\ 500 ECBQYBNGeAdzQ3KGhIE3ZiFxQoVCgQBjEFdFcIV0IAaFcgI0iAgAUVQAhEInQWECY1I4\ 501 E2U0MkAXQSZkdSRRc2I4BjEiSGd4hgQEEDcTRmhFd3MBMmY2gERxNwiISAVkFVETGCcI\ 502 gYhzRXByGBgzKGVXJUhoGEY1hgFmZWgmEWYWVoISd4Vlhid4VUMHgSZXhXUSaCgmJ3Eg\ 503 MQIzIDIThwRSARQhBFB2QQBjEgIoEHN1BhMCiIIBUlZWCHdBMyZFQoQ2UUJXJCFnZyFD\ 504 RTFUUTQoQmUjB0aHJXJHeDZlJGBCExATEUEDg3BTAChWImN0AWcFB3IUgBEARxVUREdX\ 505 QzhVBEBBF4UgcRhCg4gUcoRkdYCAIUQBRUJUYjFjEBYUhSBjIyV2cXBYckEiMic1N4ED\ 506 gDUGVSCHhCYURXcQB1ODg4hDJFJ3Jld2gyYnQYclRjE3VWcQNXJBYnOGhYFoU2dHATAw\ 507 OEeBUGQjJHcDgUJTRXBXJ3IAEjEXhXeEEmghIAAGdjUVBndnI2FCAVcyV4cxIyZ2dYE1\ 508 ZEiHcYJYaCcXQXJCaER1coIDRWJkcSNhEVF3JGOCQkYWYkcndRA1QTh0MFgzIyVocYJY\ 509 cwIAFRNiE1VAUECBI3MzQiZkUhR1cid1NSAXFXN0gUNnRCV0ISNmYnB3NIZyMIQWEVVz\ 510 ElEohnQyKBNoY1cCdmdjVYiGhVUlA0CHMTZIURBgR4aIJwJQJlIDMYhwNGNwiGcIBUdA\ 511 NXMBETUgICJyMkMIN1BAIAB4gEMDUwhndFJkQDEgRRMld4EzhRM0ZhGAYHMgZ4NhEEhn\ 512 U2I2VicBBXZUFUNoczcmBzBnUEBxUWcDg4RHUXZSOEZogABHRAISVEAzdoQhRmBgEWYE\ 513 
Z4U1dgQ2gjgQUjMScgIIFQR3YFczhTYoB1IiVCYGBAVmVAFIdhRmZ1InhwdTRjJjNhVx\ 514 IzcWgjFlFCaChlIWUySIaDFwAWV3RAIxg2QWYgAYMUjP7wmwOwPp7Ukl3L1KalY/6dN4\ 515 dBr1AYS8JnkVq6pPeBfO7ccX95SrVfAO7EX7RVEYyhVR9QOQyEpLBUMcfcfnHCZWKM0o\ 516 OBF7BXiWMR9BQo4ybtpJGKQ+IZyCKUJVRhZ+uae182qYcBKFMdOOzXiO8kAa98eUy6SR\ 517 pPfKPD6D+xXgtJ0FWtYnp1Jy2aIG3HqMiTHoSdVIvccGkf94gpVWTMeJQsQpgq7dAJiJ\ 518 5JOMQjk7JIHcIzxb4T8sQHzA55MFfvM7Hus/8FUX7NfIN1JRmc2zHL/7kdfCFSwG67iW\ 519 U4ob2kTwdKzPvOL+d3e+AOE0PihJ4vVJAOjhWmO2fIFNvFhNqPh0MSiSkatPGbSVdqQ1\ 520 PsG6C+1YqMrTM7KFr4hTQM8a3+tAOsImMjXSSPDkVeuJFq1rw642SJJx8yZTXVe8g75D\ 521 ZTYghbeX5LLzaVkt9mZS7cW16Zy+C3MwnWDrGQ6hUDxYaYJp7SOGJHepcmVV214oD6nw\ 522 5QprgpGIxVcdXQUO0fhKwerYDkoOIj+uqk7NYDvOt8zANphYcE3v+6yVFyYh3eg7DYRJ\ 523 rIzIcbaG91ySv2iRRC+cWaymH6xuqaHRwZu/p962/u8/c3rITJzCoVc+ObnZ5oItZFBe\ 524 AYFhLBx7PvPdBULXyCqmtkOtnT/jnaCUVxtGeaIeQmmeM4yPq3d5uWBfOvIyuPmfBSKd\ 525 Y0NETGlsaoQuqFpOkCmQdMVZKh3UZ8AOjw22LlqaZlrUf0akb0fs7le2HT47KV9yOJHC\ 526 tec9tjHUeBVmma5O4AofGcVXLbkqKv+Soax9GooHVOv+uxa8iwjAdTZKtqwKnKDx4jaR\ 527 +zotCsYi4BuB2JbkjnHG6NL7ubN+aNKnwnzZnMKQZIh2Q7vSRYKTM8j9OGLq7IP8q2NS\ 528 oc7iT//eAvb4oF6LaY7qebxQ6ROXCSRrrXgpo+pw3ltfuUCuGzAxD4+wMZU3dlXsivhJ\ 529 PnTEjI/V6GmkRlfZ9XnYfj8SILETWk03dMFJh3LmUwkbRV+C3mL2GzjgQVTkvP82KDBL\ 530 DAR9iKyPkJnMnK9Ix/StVyJbGAtGp4jHnp+PSjz9ja4qI9jVRjGgIUQhw0DnI0fnplUn\ 531 Qhz3F9MQXMPLSPvFw8M0xkUKsAcxQvxZGb5LkYByZ0ZrO/ipphwnE6zQuOva+8uTyBX/\ 532 B9VR24tUItvlhy7SS6JrULrvTA+D/ZCiqKRx61iF6pU3BoC8fgA9D/AifiQnPz0SI5kx\ 533 FJfDTz1LWMjUlQKBHFvRFLE9eFD0rnwAGx7Pgpyc/KrLqVmcmj/96TYtoedp/iW4asfY\ 534 C2vs+GVyxVoumIdFPHJpencWbE/niZnVDaJCih1iqgXzDsI8bENh2B9cutDWX+bsHZSC\ 535 jSQb9YkGN+MoNiJlXmQHSJDyfPhzWPibdS/lpS90ppPWIY+PpLOfzDSGFFWswQ4q5Phc\ 536 pLWHx5lw9KSye+T86p6kadnBBTLTyfn0dG7NpO9QKQObMN60MnybkVGx5nH9yLJlFlmV\ 537 0H+K0VZIKm4UzYV+RYfqqXYtMqTQxeQ1U7L7o0H+6viErxuKj5rS3i+r1rdfECAGgCoq\ 538 0mixATHISAHi2eSV5fk3r5xMkKSwwPIRuMt50+kklRPUoLohTj7G1CnL6O2xwBdQMTUx\ 539 4Jq5JBWnfB+U4D9n0si1DwikIhpaUyOoBeaWo4iFQiWVLwjeeQvY6zj66l7OXsPHjZXg\ 540 
"
   }

   Example private key using optional fields:

   {
     "kid": "key-0",
     "kty": "PQK",
     "alg": "CRYDI3",
     "key_ops": ["sign"],
     "xs": "z3uZQVjflnRZDSZn1e8g4oKH4YUU6TnpvkU4WrrGdXw=",
     "ds": "5DuZ8XoJQirc/5TE23tBcoGoHo+JTj1+9ULLXtCiySU=",
     "x": "(base64-encoded public key)",
     "d": "(base64-encoded private key)"
   }

3.4.3.  CRYDI Signature Representation

   For the purpose of using the CRYSTALS-Dilithium Signature Algorithm
   (CRYDI) for signing data using "JSON Web Signature (JWS)" [RFC7515],
   algorithm "CRYDI" is defined here, to be applied as the value of the
   "alg" parameter.

   The following key subtypes are defined here for use with CRYDI:

   +========+=====================+
   | "pset" | CRYDI Parameter Set |
   +========+=====================+
   | 5      | CRYDI5              |
   +--------+---------------------+
   | 3      | CRYDI3              |
   +--------+---------------------+
   | 2      | CRYDI2              |
   +--------+---------------------+

                  Table 4

   The key type used with these keys is "PQK" and the algorithm used for
   signing is "CRYDI".  These subtypes MUST NOT be used for key
   agreement.

   The CRYDI variant used is determined by the subtype of the key
   (CRYDI3 for "pset 3" and CRYDI2 for "pset 2").

   Implementations need to check that the key type is "PQK" for JOSE and
   that the pset of the key is a valid subtype when creating a
   signature.

   The CRYDI digital signature is generated as follows:

   1.  Generate a digital signature of the JWS Signing Input using CRYDI
       with the desired private key, as described in Section 3.2
       (#name-sign).  The signature bit string is the concatenation of a
       bit packed representation of z and encodings of h and c in this
       order.

   2.  The resulting octet sequence is the JWS Signature.

   When using a JWK for this algorithm, the following checks are made:

   *  The "kty" field MUST be present, and it MUST be "PQK" for JOSE.

   *  The "alg" field MUST be present, and it MUST represent the pset
      subtype.

   *  If the "key_ops" field is present, it MUST include "sign" when
      creating a CRYDI signature.

   *  If the "key_ops" field is present, it MUST include "verify" when
      verifying a CRYDI signature.

   *  If the JWK "use" field is present, its value MUST be "sig".

   Example signature using only required fields, represented in compact
   form:

   eyJhbGciOiJQUzM4NCIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZX
   hhbXBsZSJ9
   .
   SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IH
   lvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBk
   b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcm
   UgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4
   .
   cu22eBqkYDKgIlTpzDXGvaFfz6WGoz7fUDcfT0kkOy42miAh2qyBzk1xEsnk2I
   pN6-tPid6VrklHkqsGqDqHCdP6O8TTB5dDDItllVo6_1OLPpcbUrhiUSMxbbXU
   vdvWXzg-UD8biiReQFlfz28zGWVsdiNAUf8ZnyPEgVFn442ZdNqiVJRmBqrYRX
   e8P_ijQ7p8Vdz0TTrxUeT3lm8d9shnr2lfJT8ImUjvAA2Xez2Mlp8cBE5awDzT
   0qI0n6uiP1aCN_2_jLAeQTlqRHtfa64QQSUmFAAjVKPbByi7xho0uTOcbH510a
   6GYmJUAfmWjwZ6oD4ifKo8DYM-X72Eaw

   The same example decoded for readability:

   =============== NOTE: '\\' line wrapping per RFC 8792 ===============

   {
     "header": { "alg": "CRYDI3", "kid": "did:example:123#key-0" },
     "payload": "It's a dangerous business, Frodo, going out your door.\
   \ You step onto the road, and if you don't keep your feet, there's\
   \ no knowing where you might be swept off to.",
     "signature": "(base64-encoded signature)"
   }

3.5.  Using CRYDI with COSE

   The approach taken here matches the work done to support secp256k1 in
   JOSE and COSE in [RFC8812].

   The following tables map terms between JOSE and COSE for signatures.

   +========+=======+=============+=============+
   | Name   | Value | Description | Recommended |
   +========+=======+=============+=============+
   | CRYDI5 | TBD   | TBD         | No          |
   +--------+-------+-------------+-------------+
   | CRYDI3 | TBD   | TBD         | No          |
   +--------+-------+-------------+-------------+
   | CRYDI2 | TBD   | TBD         | No          |
   +--------+-------+-------------+-------------+

                      Table 5

   The following tables map terms between JOSE and COSE for key types.

   +======+=======+=============+=============+
   | Name | Value | Description | Recommended |
   +======+=======+=============+=============+
   | PQK  | TBD   | TBD         | No          |
   +------+-------+-------------+-------------+

                     Table 6

4.  Falcon

   TODO

5.  SPHINCS+

5.1.  Overview

   This section of the document describes the hash-based signature
   scheme SPHINCS+.  The scheme is based on the concept of
   authenticating a large number of few-time signature (FTS) keypairs
   using a combination of Merkle-tree signatures, a so-called hypertree.
   For each message to be signed a (pseudo-)random FTS keypair is
   selected with which the message can be signed.  Combining this
   signature along with an authentication path through the hypertree
   consisting of hash-based many-time signatures then gives the SPHINCS+
   signature.  The parameter set is strategically chosen such that the
   probability of signing too many messages with a specific FTS keypair
   to impact security is small enough to prevent forgery attacks.  A
   trade-off in parameter set can be made on security guarantees,
   performance and signature size.

   SPHINCS+ is a post-quantum approach to digital signatures that
   promises Post-Quantum Existential Unforgeability under Chosen Message
   Attack (PQ-EU-CMA), while ensuring that the security levels reached
   meet security needs for resistance to both classical and quantum
   attacks.
   The algorithm itself is based on the hardness assumptions of its
   underlying hash functions, which can be chosen from the set Haraka,
   SHA-256 or SHAKE256.  For all security levels the only operations
   required are calls to these hash functions on various combinations
   of parameters and internal states.

   Contrary to CRYSTALS-Dilithium and Falcon, SPHINCS+ is not based on
   any algebraic structure.  This reduces the possible attack surface of
   the algorithm.

   SPHINCS+ brings several advantages over other approaches to signature
   suites:

   *  Post Quantum in nature - use of cryptographically secure hash
      functions and other approaches that should remain hard problems
      even when under an attack utilizing quantum approaches
   *  Minimal security assumptions - compared to other schemes, it does
      not base its security on a new paradigm.  The security is solely
      based on the security assumptions of the underlying hash
      function.
   *  Performance and Optimization - being based on a great many calls
      to the hash functions SHA-256, SHAKE256 or Haraka means that
      existing (secure) SW and HW implementations of those hash
      functions can be re-used for increased performance
   *  Private and Public Key Size - compared to other post quantum
      approaches, a very small key size in the form of hash inputs-
      outputs.  This then has the drawback that either a large
      signature or low signing speed has to be accepted
   *  Cryptanalysis assurance - attacks (both pre-quantum and quantum)
      are easy to relate to existing attacks on hash functions.  This
      allows for precise quantification of the security levels
   *  Overlap with stateful hash-based algorithms - means there are
      possibilities to combine implementations with those of XMSS and
      LMS (TODO refs)
   *  Inherent resistance against side-channel attacks - since its core
      primitive is a hash function, it is hard to attack with
      side-channels.
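
   The structure described in this overview, reduced to a single Merkle
   tree over Lamport one-time keypairs, as an added example that is not
   part of the draft and is not SPHINCS+ itself: the signature is the
   one-time signature plus the authentication path to the root.  The
   tree height, the use of Lamport keys and all function names are
   assumptions chosen for illustration.

```python
import hashlib
import hmac

HEIGHT = 3  # toy Merkle tree: 2**3 = 8 one-time keypairs (assumed size)


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def prf(seed: bytes, *labels) -> bytes:
    """Derive secret material deterministically from the private seed."""
    return hmac.new(seed, repr(labels).encode(), hashlib.sha256).digest()


def ots_keypair(seed: bytes, leaf: int):
    """Lamport keypair for one leaf: 256 secret pairs and their hashes."""
    sk = [[prf(seed, "ots", leaf, i, b) for b in (0, 1)] for i in range(256)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk


def msg_bits(msg: bytes):
    d = H(b"msg", msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def tree_levels(seed: bytes):
    """All tree levels, leaves first; the last level holds only the root."""
    level = []
    for leaf in range(2 ** HEIGHT):
        _, pk = ots_keypair(seed, leaf)
        level.append(H(b"leaf", *[h for pair in pk for h in pair]))
    levels = [level]
    while len(level) > 1:
        level = [H(b"node", level[i], level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def public_root(seed: bytes) -> bytes:
    return tree_levels(seed)[-1][0]


def sign(seed: bytes, msg: bytes) -> dict:
    levels = tree_levels(seed)
    # Pseudo-random leaf choice, so the signer keeps no counter.  Lamport
    # keys are one-time and 8 leaves collide quickly; SPHINCS+ uses a
    # few-time scheme and a far larger hypertree to keep reuse unlikely.
    leaf = int.from_bytes(prf(seed, "index", msg), "big") % (2 ** HEIGHT)
    sk, pk = ots_keypair(seed, leaf)
    bits = msg_bits(msg)
    return {
        "leaf": leaf,
        "revealed": [sk[i][b] for i, b in enumerate(bits)],
        "unopened": [pk[i][1 - b] for i, b in enumerate(bits)],
        "path": [levels[h][(leaf >> h) ^ 1] for h in range(HEIGHT)],
    }


def verify(root: bytes, msg: bytes, sig: dict) -> bool:
    if (len(sig["revealed"]) != 256 or len(sig["unopened"]) != 256
            or len(sig["path"]) != HEIGHT):
        return False
    pk = []
    for b, secret, other in zip(msg_bits(msg), sig["revealed"], sig["unopened"]):
        pair = [other, other]
        pair[b] = H(secret)          # rebuild the half opened by the signer
        pk.extend(pair)
    node, index = H(b"leaf", *pk), sig["leaf"]
    for sibling in sig["path"]:      # climb the authentication path
        pair = (node, sibling) if index % 2 == 0 else (sibling, node)
        node, index = H(b"node", *pair), index // 2
    return hmac.compare_digest(node, root)


def signature_size(sig: dict) -> int:
    """Bytes of hash output carried by the signature."""
    return sum(len(x) for k in ("revealed", "unopened", "path") for x in sig[k])
```

   The public key is a single 32-byte root, while signature_size()
   shows the signature carrying several kilobytes of hash values.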

   The primary known disadvantage to SPHINCS+ is the size of signatures,
   or the speed of signing, depending on the chosen parameter set.
   Especially in IoT applications this might pose a problem.
   Additionally hash-based schemes are also vulnerable to differential
   and fault attacks.

5.2.  Parameters

   TODO

5.2.1.  Parameter sets

   TODO

5.3.  Core Operations

   TODO

5.3.1.  Generate

   TODO

5.3.2.  Sign

   TODO

5.3.3.  Verify

   TODO

5.4.  Using SPHINCS+ with JOSE

   Basing off of this
   (https://datatracker.ietf.org/doc/html/rfc8812#section-3)

5.4.1.  SPHINCS+ Key Representations

   TODO

5.4.2.  SPHINCS+ Algorithms

   TODO

5.4.2.1.  Public Key

   TODO

5.4.2.2.  Private Key

   TODO

5.4.3.  SPHINCS+ Signature Representation

   TODO

6.  Security Considerations

   The following considerations SHOULD apply to all signature schemes
   described in this specification, unless otherwise noted.

6.1.  Validating public keys

   All algorithms that operate on public keys require first validating
   those keys.  For the sign, verify and proof schemes, the use of
   KeyValidate is REQUIRED.

6.2.  Side channel attacks

   Implementations of the signing algorithm SHOULD protect the secret
   key from side-channel attacks.  Multiple best practices exist to
   protect against side-channel attacks.  Any implementation of the
   CRYSTALS-Dilithium signing algorithm SHOULD utilize the following
   best practices at a minimum:

   *  Constant timing - the implementation should ensure that
      operations run in constant time
   *  Sequence and memory access persistence - the implementation
      SHOULD execute the exact same sequence of instructions (at a
      machine level) with the exact same memory access independent of
      which polynomial is being operated on.
   *  Uniform sampling - uniform sampling is the default in
      CRYSTALS-Dilithium to prevent information leakage; however, care
      should be given in implementations to preserve the property of
      uniform sampling.
   *  Secrecy of S1 - utmost care must be given to protection of S1 and
      to prevent information or power leakage.  As is the case with
      most proposed lattice based approaches to date, forgery and other
      attacks may succeed, for example, with Dilithium through leakage
      of S1 (https://eprint.iacr.org/2018/821.pdf) through side channel
      mechanisms.

6.3.  Randomness considerations

   It is recommended that all nonces are from a trusted source of
   randomness.

7.  IANA Considerations

   The following has NOT YET been added to the "JSON Web Key Types"
   registry:

   *  "kty" Parameter Value: "PQK"
   *  Key Type Description: Base 64 encoded string key pairs
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 2 of this document (TBD)

   The following has NOT YET been added to the "JSON Web Key Parameters"
   registry:

   *  Parameter Name: "pset"
   *  Parameter Description: The parameter set of the crypto system
   *  Parameter Information Class: Public
   *  Used with "kty" Value(s): "PQK"
   *  Change Controller: IESG
   *  Specification Document(s): Section 2 of this document (TBD)
   *  Parameter Name: "xs"
   *  Parameter Description: The shake256 of the public key
   *  Parameter Information Class: Public
   *  Used with "kty" Value(s): "PQK"
   *  Change Controller: IESG
   *  Specification Document(s): Section 2 of this document (TBD)
   *  Parameter Name: "ds"
   *  Parameter Description: The shake256 of the private key
   *  Parameter Information Class: Private
   *  Used with "kty" Value(s): "PQK"
   *  Change Controller: IESG
   *  Specification Document(s): Section 2 of this document (TBD)
   *  Parameter Name: "d"
   *  Parameter Description: The private key
   *  Parameter Information Class: Private
   *  Used with "kty" Value(s): "PQK"
   *  Change Controller: IESG
   *  Specification Document(s): Section 2 of RFC 8037
   *  Parameter Name: "x"
   *  Parameter Description: The public key
   *  Parameter Information Class: Public
   *  Used with "kty" Value(s): "PQK"
   *  Change Controller: IESG
   *  Specification Document(s): Section 2 of RFC 8037

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "CRYDI3"
   *  Algorithm Description: CRYDI3 signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has been added to the "JSON Web Key Lattice" registry:

   *  Lattice Name: "CRYDI5"
   *  Lattice Description: Dilithium 5 signature algorithm key pairs
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)
   *  Lattice Name: "CRYDI3"
   *  Lattice Description: Dilithium 3 signature algorithm key pairs
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)
   *  Lattice Name: "CRYDI2"
   *  Lattice Description: Dilithium 2 signature algorithm key pairs
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)

8.  Appendix

   *  JSON Web Signature (JWS) - RFC7515
      (https://tools.ietf.org/html/rfc7515)
   *  JSON Web Encryption (JWE) - RFC7516
      (https://tools.ietf.org/html/rfc7516)
   *  JSON Web Key (JWK) - RFC7517 (https://tools.ietf.org/html/rfc7517)
   *  JSON Web Algorithms (JWA) - RFC7518
      (https://tools.ietf.org/html/rfc7518)
   *  JSON Web Token (JWT) - RFC7519
      (https://tools.ietf.org/html/rfc7519)
   *  JSON Web Key Thumbprint - RFC7638
      (https://tools.ietf.org/html/rfc7638)
   *  JWS Unencoded Payload Option - RFC7797
      (https://tools.ietf.org/html/rfc7797)
   *  CFRG Elliptic Curve ECDH and Signatures - RFC8037
      (https://tools.ietf.org/html/rfc8037)
   *  CRYSTALS-Dilithium - Dilithium
      (https://www.pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf)

8.1.  Test Vectors

   //TODO

9.  Normative References

   [CRYSTALS-Dilithium]
              Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V.,
              Schwabe, P., Seiler, G., and D. Stehle,
              "CRYSTALS-Dilithium: A Lattice-Based Digital Signature
              Scheme", 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015.

   [RFC7638]  Jones, M. and N. Sakimura, "JSON Web Key (JWK)
              Thumbprint", RFC 7638, DOI 10.17487/RFC7638, September
              2015.

   [RFC8702]  Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash
              Functions in the Cryptographic Message Syntax (CMS)",
              RFC 8702, DOI 10.17487/RFC8702, January 2020.

   [RFC8812]  Jones, M., "CBOR Object Signing and Encryption (COSE) and
              JSON Object Signing and Encryption (JOSE) Registrations
              for Web Authentication (WebAuthn) Algorithms", RFC 8812,
              DOI 10.17487/RFC8812, August 2020.

10.  Informative References

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011.

Authors' Addresses

   Michael Prorock
   mesur.io
   Email: mprorock@mesur.io

   Orie Steele
   Transmute
   Email: orie@transmute.industries

   Rafael Misoczki
   Google
   Email: rafaelmisoczki@google.com

   Michael Osborne
   IBM
   Email: osb@zurich.ibm.com

   Christine Cloostermans
   NXP
   Email: christine.cloostermans@nxp.com
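
   The JWK checks listed in Section 3.4.3 can be implemented as below;
   this is an added example, not code from the draft or its authors, and
   the function names and the rule that the JWS header "alg" must equal
   the key's "alg" are assumptions of the example.  Run on the header
   segment of the draft's compact-form example, it reports the decoded
   "alg" as "PS384" rather than a CRYDI name.

```python
import base64
import json

# Algorithm names from Table 4 (one per "pset" subtype).
CRYDI_ALGS = {"CRYDI5", "CRYDI3", "CRYDI2"}

# Short fields of the draft's "Example private key using optional fields";
# the long "x" and "d" values are left out because no check reads them.
PAGE_JWK = {"kid": "key-0", "kty": "PQK", "alg": "CRYDI3", "key_ops": ["sign"]}

# Protected-header segment copied from the draft's compact-form example.
PAGE_HEADER_SEGMENT = (
    "eyJhbGciOiJQUzM4NCIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZX"
    "hhbXBsZSJ9"
)


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def constructed_jws(header: dict) -> str:
    """Constructed sample: real header, dummy payload and signature segments."""
    return b64url_encode(json.dumps(header).encode()) + ".cGF5bG9hZA.c2ln"


def check_jwk(jwk: dict, operation: str) -> list:
    """Return Section 3.4.3 violations for operation 'sign' or 'verify'."""
    errors = []
    if jwk.get("kty") != "PQK":
        errors.append('"kty" MUST be present and MUST be "PQK"')
    alg = jwk.get("alg")
    if not isinstance(alg, str) or alg not in CRYDI_ALGS:
        errors.append('"alg" MUST be present and MUST represent the pset subtype')
    if "key_ops" in jwk:
        ops = jwk["key_ops"]
        if not isinstance(ops, list) or operation not in ops:
            errors.append('"key_ops" is present and MUST include "%s"' % operation)
    if "use" in jwk and jwk["use"] != "sig":
        errors.append('"use" is present and MUST be "sig"')
    return errors


def protected_header(compact: str) -> dict:
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    return header


def check_jws(compact: str, jwk: dict, operation: str = "verify") -> list:
    """Key checks plus the assumed header/key "alg" agreement check."""
    errors = check_jwk(jwk, operation)
    try:
        alg = protected_header(compact).get("alg")
    except ValueError as exc:  # also covers bad base64 and bad JSON
        return errors + [str(exc)]
    # Assumption of this example: reject a header that names another
    # algorithm than the key, before any signature bytes are processed.
    if alg != jwk.get("alg"):
        errors.append('header "alg" %r does not match key "alg" %r'
                      % (alg, jwk.get("alg")))
    return errors


if __name__ == "__main__":
    key = {"kty": "PQK", "alg": "CRYDI3", "key_ops": ["verify"]}  # constructed
    print(check_jws(PAGE_HEADER_SEGMENT + ".cGF5bG9hZA.c2ln", key))
    print(check_jws(constructed_jws({"alg": "CRYDI3"}), key))
```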