Limited Additional Mechanisms for PKIX and SMIME J. Gray Internet-Draft Entrust Intended status: Standards Track J. P. Fiset Expires: 7 January 2027 Crypto4a 6 July 2026 Composite FN-DSA and LMS Digital Signature Algorithm for use in X.509 Public Key Infrastructure draft-gray-lamps-composite-fndsa-lms-00 Abstract This document defines a composite signature scheme combining the FN- DSA (Falcon) digital signature algorithm with the Leighton-Micali Signature (LMS) scheme defined in RFC 8554. This construction is designed for use within X.509 Public Key Infrastructure (PKI) and follows the composite signature paradigm defined in [I-D.ietf-lamps-pq-composite-sigs]. About This Document This note is to be removed before publishing as an RFC. The latest revision of this draft can be found at https://johngray- dev.github.io/draft-gray-lamps-composite-fndsa-lms/draft-gray-lamps- composite-fndsa-lms.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-gray-lamps- composite-fndsa-lms/. Discussion of this document takes place on the Limited Additional Mechanisms for PKIX and SMIME Working Group mailing list (mailto:spasm@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/spasm/. Subscribe at https://www.ietf.org/mailman/listinfo/spasm/. Source for this draft and an issue tracker can be found at https://github.com/johngray-dev/draft-gray-lamps-composite-fndsa-lms. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Gray & Fiset Expires 7 January 2027 [Page 1] Internet-Draft composite-fndsa-lms July 2026 Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 7 January 2027. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. Overview of the Composite FN-DSA-LMS Scheme . . . . . . . . . 3 3.1. Pre-hashing . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. Prefix, Label, and Context . . . . . . . . . . . . . . . 4 4. Composite Functions . . . . . . . . . . . . . . . . . . . . . 4 4.1. Key Generation . . . . . . . . . . . . . . . . . . . . . 4 4.2. Sign . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.3. Verify . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.4. Serialization of Public and Privates Keys and Sigantures . . . . . . . . . . . . . . . . . . . . . . . 5 4.4.1. Public Key . . . . . . . . . . . . . . . . . . . . . 5 4.4.2. Private Key . . . . . . . . . . . . . . . . . . . . . 5 4.4.3. Signature . . . . . . . . . . . . . . . . . . . . . . 6 5. Use within X.509 and PKIX . . . . . . . . . . . . . . . . . . 6 6. Algorithm Identifiers . . . . . . . . . . . . . . . . . . . . 6 6.1. id-FNDSA512-LMS_M24-SHAKE . . . . . . . . . . . . . . . . 6 6.2. id-FNDSA512-LMS_M32-SHAKE . . . . . . . . . . . . . . . . 6 6.3. id-FNDSA1024-LMS_M32-SHAKE . . . . . . . . . . . . . . . 6 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7.1. LMS Statefulness Requirement . . . . . . . . . . . . . . 7 7.2. Hybrid Security . . . . . . . . . . . . . . . . . . . . . 7 7.3. SUF-CMA . . . . . . . . . . . . . . . . . . . . . . . . . 7 7.4. Key Reuse . . . . . . . . . . . . . . . . . . . . . . . . 7 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 Gray & Fiset Expires 7 January 2027 [Page 2] Internet-Draft composite-fndsa-lms July 2026 9. Normative References . . . . . . . . . . . . . . . . . . . . 7 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction This document defines a composite signature scheme combining: * FN-DSA (Falcon), a lattice-based signature algorithm * LMS, a stateful hash-based signature algorithm [RFC8554] The reason for this choice of algorithm combination: * Both FN-DSA and LMS are believed to be quantum resistant algorithms (PQ/PQ Hybrid). * They use completely different hardness problems (lattice based versus stateful hash based). * If relevent attacks or implementations bugs are found in either algorithm there is resiliency. * FN-DSA can help mitigate the risk of operational errors that lead to state failure in LMS. * Combined together they produce a compact PQ/PQ composite signature ideally suited for high value assets in constrained environments. The composite construction presents a single algorithm interface while internally invoking both primitives. This specification follows the composite design framework described in [I-D.ietf-lamps-pq-composite-sigs]. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3. Overview of the Composite FN-DSA-LMS Scheme Composite FN-DSA-LMS is a hybrid signature scheme formed by combining FN-DSA and LMS. Gray & Fiset Expires 7 January 2027 [Page 3] Internet-Draft composite-fndsa-lms July 2026 The construction follows the composite signature combiner approach: M' := Prefix || Label || len(ctx) || ctx || PH(M) Both component algorithms independently sign M'. 3.1. Pre-hashing Composite FN-DSA-LMS uses a pre-hash function PH: PH(M) This is incorporated into the message representative: M' := Prefix || Label || len(ctx) || ctx || PH(M) 3.2. Prefix, Label, and Context Prefix: Always set to "CompositeAlgorithmSignatures2025" as in [I-D.ietf-lamps-pq-composite-sigs]. Label: Unique per algorithm OID (defined in Algorithm Identifier section below) ctx: Application-defined context (0–255 bytes). 4. Composite Functions 4.1. Key Generation Composite-FNDSA-LMS.KeyGen() -> (pk, sk) Steps: 1. Generate component keys: (fndsaPK, fndsaSK) = FNDSA.KeyGen() (lmsPK, lmsSK) = LMS.KeyGen() 2. Output: pk = SerializePublicKey(fndsaPK, lmsPK) sk = SerializePrivateKey(fndsaSK, lmsSK) 4.2. Sign Signing follows a similar procedure as in [I-D.ietf-lamps-pq-composite-sigs]. Gray & Fiset Expires 7 January 2027 [Page 4] Internet-Draft composite-fndsa-lms July 2026 Composite-FNDSA-LMS.Sign(sk, M, ctx) -> s Steps: 1. Check: if len(ctx) > 255: error 2. Compute: M' := Prefix || Label || len(ctx) || ctx || PH(M) 3. Deserialize keys: (fndsaSK, lmsSK) = DeserializePrivateKey(sk) 4. Sign: fndsaSig = FNDSA.Sign(fndsaSK, M') lmsSig = LMS.Sign(lmsSK, M') 5. Output: s = SerializeSignatureValue(fndsaSig, lmsSig) 4.3. Verify Composite-FNDSA-LMS.Verify(pk, M, s, ctx) -> boolean Steps: 1. Deserialize: (fndsaPK, lmsPK) = DeserializePublicKey(pk) (fndsaSig, lmsSig) = DeserializeSignatureValue(s) 2. Compute: M' := Prefix || Label || len(ctx) || ctx || PH(M) 3. Verify: FNDSA.Verify(fndsaPK, M', fndsaSig) LMS.Verify(lmsPK, M', lmsSig) Both FNDSA.Verify() and LMS.Verify() MUST verify correctly. 4.4. Serialization of Public and Privates Keys and Sigantures 4.4.1. Public Key SerializePublicKey(fndsaPK, lmsPK): return fndsaPK || lmsPK 4.4.2. Private Key Gray & Fiset Expires 7 January 2027 [Page 5] Internet-Draft composite-fndsa-lms July 2026 SerializePrivateKey(fndsaSK, lmsSK): return fndsaSK || lmsSK 4.4.3. Signature LMS signatures are variable length. Parsing relies on the fixed size of the FN-DSA signature. SerializeSignatureValue(fndsaSig, lmsSig): return fndsaSig || lmsSig 5. Use within X.509 and PKIX Composite FN-DSA-LMS is used identically to other composite algorithms. * Public key encoded as BIT STRING * Signature encoded as BIT STRING * Raw serialized values used without ASN.1 wrapping 6. Algorithm Identifiers 6.1. id-FNDSA512-LMS_M24-SHAKE * Label: COMPSIG-FNDSA512-LMS_M24-SHAKE * PH: SHAKE256 * FN-DSA: FN-DSA-512 * LMS: LMS_SHAKE_M24_H10 6.2. id-FNDSA512-LMS_M32-SHAKE * Label: COMPSIG-FNDSA512-LMS_M32-SHAKE * PH: SHAKE256 * FN-DSA: FN-DSA-512 * LMS: LMS_SHAKE_M32_H10 6.3. id-FNDSA1024-LMS_M32-SHAKE * Label: COMPSIG-FNDSA1024-LMS_M32-SHAKE Gray & Fiset Expires 7 January 2027 [Page 6] Internet-Draft composite-fndsa-lms July 2026 * PH: SHAKE256 * FN-DSA: FN-DSA-1024 * LMS: LMS_SHAKE_M32_H15 TODO: Define other combinations here. We want to keep the list as small as possible. 7. Security Considerations 7.1. LMS Statefulness Requirement LMS private keys are stateful. Each invocation of LMS.Sign MUST use a unique leaf index. Reuse of a leaf index results in catastrophic loss of security. 7.2. Hybrid Security Composite FN-DSA-LMS is EUF-CMA secure if at least one component remains secure. 7.3. SUF-CMA Composite FN-DSA-LMS is NOT SUF-CMA secure. 7.4. Key Reuse Component keys MUST NOT be reused between: * composite vs standalone * multiple composites 8. IANA Considerations IANA is requested to assign OIDs under: 1.3.6.1.5.5.7.6 TODO for each combination 9. Normative References [I-D.ietf-lamps-fn-dsa-certificates] Massimo, J., Kampanakis, P., Turner, S., and B. Westerbaan, "Internet X.509 Public Key Infrastructure -- Gray & Fiset Expires 7 January 2027 [Page 7] Internet-Draft composite-fndsa-lms July 2026 Algorithm Identifiers for the Fast-Fourier Transform over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA)", Work in Progress, Internet-Draft, draft-ietf-lamps-fn-dsa- certificates-00, 20 May 2026, . [I-D.ietf-lamps-pq-composite-sigs] Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S. Fluhrer, "Composite Module-Lattice-Based Digital Signature Algorithm (ML-DSA) for use in X.509 Public Key Infrastructure", Work in Progress, Internet-Draft, draft- ietf-lamps-pq-composite-sigs-19, 21 April 2026, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8554] McGrew, D., Curcio, M., and S. Fluhrer, "Leighton-Micali Hash-Based Signatures", RFC 8554, DOI 10.17487/RFC8554, April 2019, . [RFC9858] Fluhrer, S. and Q. Dang, "Additional Parameter Sets for HSS/LMS Hash-Based Signatures", RFC 9858, DOI 10.17487/RFC9858, October 2025, . Acknowledgments TODO acknowledge. Authors' Addresses John Gray Entrust 2500 Solandt Road – Suite 100 Ottawa, Ontario K2K 3G5 Canada Email: john.gray@entrust.com Gray & Fiset Expires 7 January 2027 [Page 8] Internet-Draft composite-fndsa-lms July 2026 Jean-Pierre Fiset Crypto4a Canada Email: jp@crypto4a.com Gray & Fiset Expires 7 January 2027 [Page 9]