                        ML-DSA for JOSE and COSE


   This document describes JOSE and COSE serializations for ML-DSA,
   which was derived from Dilithium, a Post-Quantum Cryptography (PQC)
   based digital signature scheme.

   This document does not define any new cryptography, only
   serializations of existing cryptographic systems described in

1.  Introduction

   ML-DSA is derived from Version 3.1 of CRYSTALS-DILITHIUM, as noted in

   CRYSTALS-DILITHIUM is one of the post quantum cryptography algorithms
   selected in [NIST-PQC-2022].

   TODO: Add complete examples for ML-DSA-44, ML-DSA-65, ML-DSA-87.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The ML-DSA Algorithm Family

   The ML-DSA Signature Scheme is parameterized to support different
   security levels.

   This document requests the registration of the following algorithms
   in [IANA.jose]:

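   +===========+===========+=========================+
   | Name      | alg       | Description             |
   +===========+===========+=========================+
   | ML-DSA-44 | ML-DSA-44 | JSON Web Signature      |
   |           |           | Algorithm for ML-DSA-44 |
   +-----------+-----------+-------------------------+
   | ML-DSA-65 | ML-DSA-65 | JSON Web Signature      |
   |           |           | Algorithm for ML-DSA-65 |
   +-----------+-----------+-------------------------+
   | ML-DSA-87 | ML-DSA-87 | JSON Web Signature      |
   |           |           | Algorithm for ML-DSA-87 |
   +-----------+-----------+-------------------------+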

           Table 1: JOSE algorithms for ML-DSA

   This document requests the registration of the following algorithms
   in [IANA.cose]:

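   +===========+=================+=========================+
   | Name      | alg             | Description             |
   +===========+=================+=========================+
   | ML-DSA-44 | TBD (requested  | CBOR Object Signing     |
   |           | assignment -48) | Algorithm for ML-DSA-44 |
   +-----------+-----------------+-------------------------+
   | ML-DSA-65 | TBD (requested  | CBOR Object Signing     |
   |           | assignment -49) | Algorithm for ML-DSA-65 |
   +-----------+-----------------+-------------------------+
   | ML-DSA-87 | TBD (requested  | CBOR Object Signing     |
   |           | assignment -50) | Algorithm for ML-DSA-87 |
   +-----------+-----------------+-------------------------+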

              Table 2: COSE algorithms for ML-DSA

4.  The ML-DSA Key Type

   Private and Public Keys are produced to enable the sign and verify
   operations for each of the ML-DSA Algorithms.

   This document requests the registration of the following key types in

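   +========+========+===========================+
   | Name   | kty    | Description               |
   +========+========+===========================+
   | ML-DSA | ML-DSA | JSON Web Key Type for the |
   |        |        | ML-DSA Algorithm Family.  |
   +--------+--------+---------------------------+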

        Table 3: JSON Web Key Type for ML-DSA

   This document requests the registration of the following key types
   in [IANA.cose]:

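   +========+==============================+==========================+
   | Name   | kty                          | Description              |
   +========+==============================+==========================+
   | ML-DSA | TBD (requested assignment 7) | COSE Key Type for the    |
   |        |                              | ML-DSA Algorithm Family. |
   +--------+------------------------------+--------------------------+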

                    Table 4: COSE Key Type for ML-DSA

5.  Security Considerations

   TODO Security

6.  IANA Considerations

6.1.  Additions to Existing Registries

6.1.1.  New COSE Algorithms

   *  Name: ML-DSA-44

   *  Label: TBD (requested assignment -48)

   *  Value type: int

   *  Value registry: [IANA.cose]

   *  Description: CBOR Object Signing Algorithm for ML-DSA-44

   *  Name: ML-DSA-65

   *  Label: TBD (requested assignment -49)

   *  Value type: int

   *  Value registry: [IANA.cose]

   *  Description: CBOR Object Signing Algorithm for ML-DSA-65

   *  Name: ML-DSA-87

   *  Label: TBD (requested assignment -50)

   *  Value type: int

   *  Value registry: [IANA.cose]

   *  Description: CBOR Object Signing Algorithm for ML-DSA-87

6.1.2.  New COSE Key Types

   *  Name: ML-DSA

   *  Label: TBD (requested assignment 7)

   *  Value type: int

   *  Value registry: [IANA.cose]

   *  Description: COSE Key Type for the ML-DSA Algorithm Family

6.1.3.  New JOSE Algorithms

   *  Name: ML-DSA-44

   *  Value registry: [IANA.jose] Algorithms

   *  Description: JSON Web Signature Algorithm for ML-DSA-44

   *  Name: ML-DSA-65

   *  Value registry: [IANA.jose] Algorithms

   *  Description: JSON Web Signature Algorithm for ML-DSA-65

   *  Name: ML-DSA-87

   *  Value registry: [IANA.jose] Algorithms

   *  Description: JSON Web Signature Algorithm for ML-DSA-87

6.1.4.  New JOSE Key Types

   *  Name: ML-DSA

   *  Value registry: [IANA.jose] Algorithms

   *  Description: JSON Web Key Type for the ML-DSA Algorithm Family.

7.  References

7.1.  Normative References

   [IANA.cose]
              IANA, "CBOR Object Signing and Encryption (COSE)".

   [IANA.jose]
              IANA, "JSON Object Signing and Encryption (JOSE)".

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

7.2.  Informative References

   [FIPS-204] "Module-Lattice-Based Digital Signature Standard", n.d.

   [NIST-PQC-2022]
              "Selected Algorithms 2022", n.d.

Appendix A.  Examples

A.1.  JOSE

A.1.1.  Key Pair

   {
     "kty": "ML-DSA",
     "alg": "ML-DSA-44",
     "pub": "V53SIdVF...uvw2nuCQ",
     "priv": "V53SIdVF...cDKLbsBY"
   }

              Figure 1: Example ML-DSA-44 Private JSON Web Key

   {
     "kty": "ML-DSA",
     "alg": "ML-DSA-44",
     "pub": "V53SIdVF...uvw2nuCQ"
   }

              Figure 2: Example ML-DSA-44 Public JSON Web Key

A.1.2.  Thumbprint URI


A.1.3.  JSON Web Signature

   {
     "alg": "ML-DSA-44"
   }

            Figure 3: Example ML-DSA-44 Decoded Protected Header


           Figure 4: Example ML-DSA-44 Compact JSON Web Signature
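
   Added example, not part of the draft: the checks a verifier applies
   to a JWK shaped like Figures 1 and 2 and to a compact JWS before
   handing the signing input to an ML-DSA implementation. It assumes
   "pub" is the base64url of the raw FIPS 204 public key; the function
   names are illustrative and the sample key and signature are
   constructed placeholders.

```python
import base64
import json
import re

# FIPS 204 public key sizes in bytes for each parameter set.
PUB_LEN = {"ML-DSA-44": 1312, "ML-DSA-65": 1952, "ML-DSA-87": 2592}

def b64url_decode(text: str) -> bytes:
    """Strict decode of unpadded base64url text."""
    if not isinstance(text, str) or not re.fullmatch(r"[A-Za-z0-9_-]*", text) \
            or len(text) % 4 == 1:
        raise ValueError("not unpadded base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def check_public_jwk(jwk: dict) -> str:
    """Validate a verification key and return the alg it is pinned to."""
    if jwk.get("kty") != "ML-DSA" or jwk.get("alg") not in PUB_LEN:
        raise ValueError("kty/alg is not an ML-DSA parameter set")
    if "priv" in jwk:
        raise ValueError("private member present in a verification key")
    # Assumption: "pub" is the base64url of the raw FIPS 204 public key.
    if len(b64url_decode(jwk.get("pub"))) != PUB_LEN[jwk["alg"]]:
        raise ValueError("pub length does not match alg")
    return jwk["alg"]

def jws_signing_input(compact: str, jwk: dict):
    """Pin the header alg to the key; return (signing input, signature)."""
    alg = check_public_jwk(jwk)
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict) or header.get("alg") != alg:
        raise ValueError("header alg does not match the key's alg")
    return f"{parts[0]}.{parts[1]}".encode("ascii"), b64url_decode(parts[2])

# Constructed sample input: an all-zero 1312-byte placeholder public key and
# an all-zero 2420-byte placeholder signature; neither is real key material.
SAMPLE_JWK = {"kty": "ML-DSA", "alg": "ML-DSA-44", "pub": b64url_encode(bytes(1312))}
SAMPLE_JWS = ".".join(map(b64url_encode, (b'{"alg":"ML-DSA-44"}', b"fake", bytes(2420))))
```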

A.2.  COSE

A.2.1.  Key Pair

   {                                   / COSE Key                /
     1: 7,                             / ML-DSA Key Type         /
     3: -48,                           / ML-DSA-44 Algorithm     /
     -13: h'7803c0f9...3f6e2c70',      / ML-DSA Private Key      /
     -14: h'7803c0f9...3bba7abd'       / ML-DSA Public Key       /
   }

                Figure 5: Example ML-DSA-44 Private COSE Key

   {                                   / COSE Key                /
     1: 7,                             / ML-DSA Key Type         /
     3: -48,                           / ML-DSA-44 Algorithm     /
     -14: h'7803c0f9...3bba7abd'       / ML-DSA Public Key       /
   }

                Figure 6: Example ML-DSA-44 Public COSE Key

A.2.2.  Thumbprint URI


A.2.3.  COSE Sign 1

   {                               / Protected                 /
     1: -48                        / Algorithm                 /
   }

             Figure 7: Example ML-DSA-44 COSE Protected Header

   18(                                 / COSE Sign 1            /
       [
         h'a10139d902',                / Protected              /
         {},                           / Unprotected            /
         h'66616b65',                  / Payload                /
         h'53e855e8...0f263549'        / Signature              /
       ]
   )

                  Figure 8: Example ML-DSA-44 COSE Sign 1
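
   Added example, not part of the draft: decoding a COSE_Sign1
   protected header and building the RFC 9052 Sig_structure only after
   its alg matches the verification key's alg. The Figure 8 bytes
   h'a10139d902' decode to {1: -55555} rather than the -48 of Figure 7,
   so a verifier pinned to a -48 key rejects them; h'a101382f' is a
   constructed header encoding {1: -48}, and the function names are
   illustrative.

```python
REQUESTED_ALG = {-48: "ML-DSA-44", -49: "ML-DSA-65", -50: "ML-DSA-87"}  # Table 2
FIGURE_8_PROTECTED = bytes.fromhex("a10139d902")   # bytes shown in Figure 8
CONSTRUCTED_PROTECTED = bytes.fromhex("a101382f")  # constructed: encodes {1: -48}

def head(buf: bytes, pos: int):
    """Decode one CBOR head: (major type, argument, next position)."""
    if pos >= len(buf) or (buf[pos] & 0x1F) > 27:
        raise ValueError("truncated, indefinite or reserved CBOR head")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    if info < 24:
        return major, info, pos + 1
    end = pos + 1 + (1 << (info - 24))         # 1, 2, 4 or 8 argument bytes
    if end > len(buf):
        raise ValueError("truncated CBOR argument")
    return major, int.from_bytes(buf[pos + 1:end], "big"), end

def integer(buf: bytes, pos: int):
    major, arg, pos = head(buf, pos)
    if major > 1:
        raise ValueError("expected an integer")
    return (arg if major == 0 else -1 - arg), pos

def protected_alg(protected: bytes) -> int:
    """Decode an int-to-int protected header map and return label 1 (alg)."""
    major, count, pos = head(protected, 0)
    if major != 5:
        raise ValueError("protected header is not a map")
    header = {}
    for _ in range(count):
        label, pos = integer(protected, pos)
        if label in header:
            raise ValueError("duplicate label")
        header[label], pos = integer(protected, pos)
    if pos != len(protected) or 1 not in header:
        raise ValueError("trailing bytes or missing alg")
    return header[1]

def bstr(data: bytes) -> bytes:
    n = len(data)
    if n < 24:
        return bytes([0x40 | n]) + data
    size = 1 if n < 1 << 8 else 2 if n < 1 << 16 else 4
    return bytes([0x57 + size.bit_length()]) + n.to_bytes(size, "big") + data

def to_be_signed(protected: bytes, payload: bytes, key_alg: int, aad: bytes = b"") -> bytes:
    """Pin alg to the key, then build the RFC 9052 Sig_structure (COSE_Sign1)."""
    alg = protected_alg(protected)
    if alg not in REQUESTED_ALG or alg != key_alg:
        raise ValueError(f"protected alg {alg} does not match key alg {key_alg}")
    return b"\x84\x6aSignature1" + bstr(protected) + bstr(aad) + bstr(payload)
```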


