Internet DRAFT - draft-prorock-cose-post-quantum-signatures

draft-prorock-cose-post-quantum-signatures







None                                                          M. Prorock
Internet-Draft                                                  mesur.io
Intended status: Standards Track                               O. Steele
Expires: 12 January 2023                                       Transmute
                                                             R. Misoczki
                                                                  Google
                                                              M. Osborne
                                                                     IBM
                                                         C. Cloostermans
                                                                     NXP
                                                            11 July 2022


               JSON Encoding for Post Quantum Signatures
             draft-prorock-cose-post-quantum-signatures-01

Abstract

   This document describes JSON and CBOR serializations for several post
   quantum cryptography (PQC) based suites including CRYSTALS Dilithium,
   Falcon, and SPHINCS+.

   This document does not define any new cryptography, only
   seralizations of existing cryptographic systems.

   This document registers key types for JOSE and COSE, specifically
   LWE, NTRU, and HASH.

   Key types in this document are specified by the cryptographic
   algorithm family in use by a particular algorithm as discussed in
   RFC7517.

   This document registers signature algorithms types for JOSE and COSE,
   specifically CRYDI3 and others as required for use of various post
   quantum signature schemes.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.






Prorock, et al.          Expires 12 January 2023                [Page 1]

Internet-Draft           post-quantum-signatures               July 2022


   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 12 January 2023.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Notational Conventions  . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  CRYSTALS-Dilithium  . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  Parameters  . . . . . . . . . . . . . . . . . . . . . . .   5
       3.2.1.  Parameter sets  . . . . . . . . . . . . . . . . . . .   5
     3.3.  Core Operations . . . . . . . . . . . . . . . . . . . . .   5
     3.4.  Using CRYDI with JOSE . . . . . . . . . . . . . . . . . .   5
       3.4.1.  CRYDI Key Representations . . . . . . . . . . . . . .   6
       3.4.2.  CRYDI Algorithms  . . . . . . . . . . . . . . . . . .   7
       3.4.3.  CRYDI Signature Representation  . . . . . . . . . . .  16
     3.5.  Using CRYDI with COSE . . . . . . . . . . . . . . . . . .  20
   4.  Falcon  . . . . . . . . . . . . . . . . . . . . . . . . . . .  20
     4.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  20
     4.2.  Core Operations . . . . . . . . . . . . . . . . . . . . .  21
     4.3.  Using FALCON with JOSE  . . . . . . . . . . . . . . . . .  21
       4.3.1.  FALCON Key Representations  . . . . . . . . . . . . .  22
       4.3.2.  FALCON Algorithms . . . . . . . . . . . . . . . . . .  23
     4.4.  Using FALCON with COSE  . . . . . . . . . . . . . . . . .  24
   5.  SPHINCS-PLUS  . . . . . . . . . . . . . . . . . . . . . . . .  24
     5.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  24
     5.2.  Core Operations . . . . . . . . . . . . . . . . . . . . .  26
     5.3.  Using SPHINCS-PLUS with JOSE  . . . . . . . . . . . . . .  26
       5.3.1.  SPHINCS-PLUS Key Representations  . . . . . . . . . .  26
       5.3.2.  SPHINCS-PLUS Algorithms . . . . . . . . . . . . . . .  27



Prorock, et al.          Expires 12 January 2023                [Page 2]

Internet-Draft           post-quantum-signatures               July 2022


       5.3.3.  SPHINCS-PLUS Signature Representation . . . . . . . .  28
     5.4.  Using HASH with COSE  . . . . . . . . . . . . . . . . . .  28
   6.  CRYSTALS-Kyber  . . . . . . . . . . . . . . . . . . . . . . .  29
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  29
     7.1.  Validating public keys  . . . . . . . . . . . . . . . . .  29
     7.2.  Side channel attacks  . . . . . . . . . . . . . . . . . .  30
     7.3.  Randomness considerations . . . . . . . . . . . . . . . .  30
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  30
   9.  Appendix  . . . . . . . . . . . . . . . . . . . . . . . . . .  34
     9.1.  Test Vectors  . . . . . . . . . . . . . . . . . . . . . .  35
   10. Normative References  . . . . . . . . . . . . . . . . . . . .  35
   11. Informative References  . . . . . . . . . . . . . . . . . . .  36
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  36

1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Terminology

   The following terminology is used throughout this document:

   PK  The public key for the signature scheme.
   SK  The secret key for the signature scheme.
   signature  The digital signature output.
   message  The input to be signed by the signature scheme.
   sha256  The SHA-256 hash function defined in [RFC6234].
   shake256  The SHAKE256 hash function defined in [RFC8702].

3.  CRYSTALS-Dilithium

3.1.  Overview

   This section of the document describes the lattice signature scheme
   CRYSTALS-Dilithium (CRYDI).  The scheme is based on "Fiat-Shamir with
   Aborts"[Lyu09, Lyu12] utlizing a matrix of polynomials for key
   material, and a vector of polynomials for signatures.  The parameter
   set is strategically chosen such that the signing algorithm is large
   enough to maintain zero-knowledge properties but small enough to
   prevent forgery of signatures.  An example implementation and test
   vectors are provided.

   CRYSTALS-Dilithium is a Post Quantum approach to digital signatures
   that is an algorithmic apprach that seeks to ensure key pair and
   signing properties that is a strong implementation meeting
   Existential Unforgeability under Chosen Message Attack (EUF-CMA)



Prorock, et al.          Expires 12 January 2023                [Page 3]

Internet-Draft           post-quantum-signatures               July 2022


   properties, while ensuring that the security levels reached meet
   security needs for resistance to both classical and quantum attacks.
   The algoritm itself is based on hard problems over module lattices,
   specifically Ring Learning with Errors (Ring-LWE).  For all security
   levels the only operations required are variants of Keccak and number
   theoretic transforms (NTT) for the ring Zq[X]/(X256+1).  This ensures
   that to increase or decrease the security level invovles only the
   change of parameters rather than re-implementation of a related
   algorithm.

   While based on Ring-LWE, CRYSTALS-Dilithium has less algebraic
   structure than direct Ring-LWE implementations and more closely
   resembles the unstructured lattices used in Learning with Errors
   (LWE).  This brings a theorectical protection against future
   algebraic attacks on Ring-LWE that may be developed.

   CRYSTALS-Dilithium, brings several advantages over other approaches
   to signature suites:

   *  Post Quantum in nature - use of lattices and other approaches that
      should remain hard problems even when under attack utilizing
      quantum approaches
   *  Simple implementation while maintaing security - a danger in many
      possible approaches to cryptography is that it may be possible
      inadvertantly introduce errors in code that lead to weakness or
      decreases in security level
   *  Signature and Public Key Size - compared to other post quantum
      approaches a reasonable key size has been achieved that also
      preserves desired security properties
   *  Conservative parameter space - parameterization is utilized for
      the purposes of defining the sizes of marices in use, and thereby
      the number of polynomials described by the key material.
   *  Parameter set adjustment for greater security - increasing this
      matrix size increases the number of polynomials, and thereby the
      security level
   *  Performance and optimization - the approach makes use of well
      known transforms that can be highly optimized, especially with use
      of hardware optimizations without being so large that it cannot be
      deployed in embedded or IoT environments without some degree of
      optimization.

   The primary known disadvantage to CRYSTALS-Dilithium is the size of
   keys and signatures, especially as compared to classical approaches
   for digital signing.







Prorock, et al.          Expires 12 January 2023                [Page 4]

Internet-Draft           post-quantum-signatures               July 2022


3.2.  Parameters

   Unlike certain other approaches such as Ed25519 that have a large set
   of parameters, CRYSTALS-Dilithium uses distinct numbers of paramters
   to increase or decrease the security level according to the required
   level for a particular scenario.  Under CRYSTALS-Dilithium, the key
   parameter specificiation determines the size of the matrix and
   thereby the number of polynomials that describe he lattice.  For use
   according to this specification we do not recommend a parameter set
   of less than 3, which should be sufficient to maintain 128bits of
   security for all known classical and quantum attacks.  Under a
   parameter set at NIST level 3, a 6x5 matrix is utilized that thereby
   consists of 30 polynomials.

3.2.1.  Parameter sets

   Parameter sets are identified by the corresponding NIST level per the
   table below

   +============+=============+================+
   | NIST Level | Matrix Size | memory in bits |
   +============+=============+================+
   | 2          | 4x4         | 97.8           |
   +------------+-------------+----------------+
   | 3          | 6x5         | 138.7          |
   +------------+-------------+----------------+
   | 5          | 8x7         | 187.4          |
   +------------+-------------+----------------+

                      Table 1

3.3.  Core Operations

   Core operations used by the signature scheme should be implemented
   according to the details in [CRYSTALS-Dilithium].  Core operations
   include key generation, sign, and verify.

3.4.  Using CRYDI with JOSE

   This sections is based on CBOR Object Signing and Encryption (COSE)
   and JSON Object Signing and Encryption (JOSE)
   (https://datatracker.ietf.org/doc/html/rfc8812#section-3)









Prorock, et al.          Expires 12 January 2023                [Page 5]

Internet-Draft           post-quantum-signatures               July 2022


3.4.1.  CRYDI Key Representations

   A new key type (kty) value "LWE" (for keys related to the family of
   algorithms that utilize Learning With Errors approaches to Post
   Quantum lattice based cryptography) is defined for public key
   algorithms that use base 64 encoded strings of the underlying binary
   materia as private and public keys and that support cryptographic
   sponge functions.  It has the following parameters:

   *  The parameter "kty" MUST be "LWE".

   *  The parameter "alg" MUST be specified, and its value MUST be one
      of the values specified in the table below

              +========+===================================+
              | alg    | Description                       |
              +========+===================================+
              | CRYDI5 | CRYSTALS-Dilithium paramter set 5 |
              +--------+-----------------------------------+
              | CRYDI3 | CRYSTALS-Dilithium paramter set 3 |
              +--------+-----------------------------------+
              | CRYDI2 | CRYSTALS-Dilithium paramter set 2 |
              +--------+-----------------------------------+

                                 Table 2

   *  The parameter "pset" MAY be specfied to indicate the not only
      paramter set in use for the algorithm, but SHOULD also reflect the
      targeted NIST level for the algorithm in combination with the
      specified paramter set.  For "alg" "CRYDI" one of the described
      parameter sets "2", "3", or "5" MUST be specified.  Parameter set
      "3" or above SHOULD be used with "CRYDI" for any situation
      requiring at least 128bits of security against both quantum and
      classical attacks

   *  The parameter "x" MUST be present and contain the public key
      encoded using the base64url [RFC4648] encoding.

   *  The parameter "d" MUST be present for private keys and contain the
      private key encoded using the base64url encoding.  This parameter
      MUST NOT be present for public keys.

   Sizes of various key and signature material is as follows (for "pset"
   value "2")







Prorock, et al.          Expires 12 January 2023                [Page 6]

Internet-Draft           post-quantum-signatures               July 2022


    +===========+===============+==============+======+==============+
    | Variable  | Paramter Name | Paramter Set | Size | base64url    |
    |           |               |              |      | encoded size |
    +===========+===============+==============+======+==============+
    | Signature | sig           | 2            | 3293 | 4393         |
    +-----------+---------------+--------------+------+--------------+
    | Public    | x             | 2            | 1952 | 2605         |
    | Key       |               |              |      |              |
    +-----------+---------------+--------------+------+--------------+
    | Private   | d             | 2            | 4000 | 5337         |
    | Key       |               |              |      |              |
    +-----------+---------------+--------------+------+--------------+

                                 Table 3

   When calculating JWK Thumbprints [RFC7638], the four public key
   fields are included in the hash input in lexicographic order: "kty",
   "alg", and "x".

3.4.2.  CRYDI Algorithms

   In order to reduce the complexity of the key representation and
   signature representations we register a unique algorithm name per
   pset.  This allows us to omit registering the pset term, and reduced
   the likelyhood that it will be misused.  These alg values are used in
   both key representations and signatures.

                      +=====+========+==============+
                      | kty | alg    | Paramter Set |
                      +=====+========+==============+
                      | LWE | CRYDI5 | 5            |
                      +-----+--------+--------------+
                      | LWE | CRYDI3 | 3            |
                      +-----+--------+--------------+
                      | LWE | CRYDI2 | 2            |
                      +-----+--------+--------------+

                                  Table 4

3.4.2.1.  Public Key

   Per section 5.1 of [CRYSTALS-Dilithium]:

   |  The public key, containing p and t1, is stored as the
   |  concatenation of the bit-packed representations of p and t1 in
   |  this order.  Therefore, it has a size of 32 + 288 kbytes.





Prorock, et al.          Expires 12 January 2023                [Page 7]

Internet-Draft           post-quantum-signatures               July 2022


   The public key is represented as x and encoded using base64url
   encoding as described in [RFC7517].

   Example public key using only required fields:















































Prorock, et al.          Expires 12 January 2023                [Page 8]

Internet-Draft           post-quantum-signatures               July 2022


   =============== NOTE: '\' line wrapping per RFC 8792 ================

   {
     "kty": "LWE",
     "alg": "CRYDI3",
     "x": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDdrOO+nfXRVUZVy9q1\
   5zDn77zTgrIskM3WX8bqslc+B1fq12iA/wxD2jc1d6j+YjKCtkGH26OR7vc0YC2ZiMzW\
   zGl7yebt7JkmjRbN1N+u/2fAKFLuziMcLNP6WLoWbMqxoC2XOOVNAWX3QjXrCcGU23Nr\
   imtdmWz5NrP43E592Sctt5M+SVlfgQeYv8pHmtkQknE8/jr7TrgNpuiV7nXmhWHTMJ4I\
   zoGXgq43odFFthboEdKNT/enyu+VvUGoIJ6cN8C/1B6o1WlYHEaL0BEIFFbAiAhZ/vnf\
   cUYMaVPqsDJuETsjetcE32kGCD7Jkume2tO68DlIhB/2Z2JX8mkcbxFI6KrmXiRxXQj9\
   9LVn1fEzdf3Vfpcs/C3omsFGqmTpLDK+AvW/SWVkDi2NKq7hL/AyxlW2u2cqVErQZUTS\
   Z+ic6V8kZfxr3gRMnH0KuF5BtjleZ/yVvqqPjwPOZegCKEl2Gd8duhcUde7CR55pil1o\
   UXy5AwgCcZTdEcJn1OPObGoots9T19gw1x4vnZCQUKVDPZuZ1gIkGqDUYXS0lcNTjCMs\
   miFEmnOZvB88jxULpb1vl9HoQ3ocM2oZu4AZRt9G/L07Mwcui0uFCWtAIau+2gqNAn/Z\
   AS10l0j2N0LLtAaOxoF+Ctzscrt0ZMyGHmoQ9daHkpUvEq0cO8hDtLplnq3lQIIIfROQ\
   jcNs9vNKBu87COBjukZD+L8vV4zy8FNO59MCSb9UCLwz2xvfdI1js9/J7hTGaVec8VPx\
   md42yPFrGw5Na1oefm8vW49EDmevc8AjAtwDirRBDFv9pX3+5S+M6jhteSLYvpKJXQT1\
   zs1379KvIHwkn9VHpA+PiUUw9TgF6xF8xWEGSNlOo1Vn1xtM3givehjYxJ5p5/kBEFZI\
   DCyFzstAirJ2GadNhae+P1JFZzJWnX5jaLwzldquZwF3yTzNho4sgBA+fKqiXcgn2nw1\
   vz0Dkbxr6cMaUool0eFScU1nAz1Z39W64LtT2nEuYsORx/ht2RzJxxFc21X3nLeEDFCe\
   NkNDxQFBSfpZjKKgJtXEx23mp+CbBVMrbagsLnzsAGLYbnroVmATU5Iqr6LgYBpuFs+N\
   Rkq7ZXh6CZPukMGQbcOGuNwO6NBuuMNhir5ayGk1ZBiW82C7Nu0hs2pLcgNqWMtt1+LW\
   8R96KyoSc784ZYAZ40QqvoySwmxQPBRTRJ+wB0sVpGBLTxdY9Gw3pXeXN5nao340d2ZA\
   7YEMlqcTHCAv3F8B9ewl7OfQlmg6bvdMuoVdVE+p0er7IAmWMRgviIzYv9sKEEQrCmua\
   2qL5xPSbD05KRf8ZAZ2B8lSCDR1nzXrQXZbXBKJivsCVQDuzxrwGE0gqRMpbk4f5GYCG\
   4i/O8Knoru+jjf6wVQDYKfyz1QUGRlXHkGUGlXfv03r7UbJugycjVO5kbGxhoZkqOq8z\
   ZEpkefvrrNoxeotw/z4QpjI8JlY97GDb0mGVHbmdHugjMtVTGhVJFBbPIinmR+emt7O+\
   4qOr7ywRxCvt2lziWtpPBwaf/1XDnN5Gesex1gR1YrcTRNmB808b01sxLQmxcTt4eQ0/\
   LUkas7qTJ3AQThOfDdtIpkqsthsBFy+WjSQuoXCYMRcPi6MlpxJndDF32lCnL1ranV6e\
   F2ST0SYT+NwNDesMzTRmNbHUW5KAhu0k9WABTvcM5ba0Uq6iOa1NsFrcLag+KhxN6HPn\
   oobwJ/EsDi5S7TAl8WrjqIhZ8x6h9eRRXerpaOw/FYk+2MpWByp/98VE12/EwOqAIiPp\
   elAvUeMOlRkpG64bJsmyYtHuNWgcv5Qiy7/eGw9ZpvB3J3G3jxvbynExqdFyDc067EKi\
   5WxDFPuZUjkfKpekNvzQuIrqs49BzcRyMt5ndEVE21TPPfZ/R8B7Rxnb2LiK+hQc+cc9\
   pEEaWgwAOiMILcp/1CyY6ImdO6RHsxwflMH7gej+hN41kaoEghIOl9kMGTLZbq5Pc8Pz\
   6F2LKTBMJWg9o/0blvilMH9EPblcLeF/bR1AZTUD6ZFdi2TxN6Epn3QVqeG/qPm1EBTF\
   Gw1V92m6/08Dd6zI1HPqwKbkHx4F567owofKHaM2imin0yVUpwxoRJrulRHMCB3tn8C4\
   ZpFl+sGV3Gip3tKlS7PKQkTqI6DMwxEbdrvtdY1sHZagpclLDisA/yFT4RR2m3VNJR9P\
   6Nx3teqN1eg6RXmD/MlKCdWrlcjZ/6yeIQYwbr9CjItY/tLQX2gtAR1SXOh99UUBVv+Z\
   E03VOZ+Ecsc78lSB9G/6n6CFzlbk/HgAF+cu0yMbGnEM8W3mTUspS4JBACwk5w0XWNNQ\
   DWVEdgzuLGhPq+hYExDjVZrLELhkH8YgZA+7RXXUZHM/joNOGHUhpUG/bFo3ktnaILCu\
   xsOXMUbDC3VcitFFHsGK1svtcERDFxk1HA8pGa59jT0do6n3wEbnBDU1soKNFtpmcVkE\
   Ul3XpvuoW3BgCwJzBUCWvPs47DJRgGxO11bSaEYYlhTVaaShcvzgz46AkqO+Q7TjckDP\
   /8uzsSQk0AbuhxWFQpSiBP8OZ/U="
   }

   Example public key including optional fields:




Prorock, et al.          Expires 12 January 2023                [Page 9]

Internet-Draft           post-quantum-signatures               July 2022


   =============== NOTE: '\' line wrapping per RFC 8792 ================

   {
     "kid": "key-0",
     "kty": "LWE",
     "alg": "CRYDI3",
     "key_ops": ["verify"],
     "x": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDdrOO+nfXRVUZVy9q1\
   5zDn77zTgrIskM3WX8bqslc+B1fq12iA/wxD2jc1d6j+YjKCtkGH26OR7vc0YC2ZiMzW\
   zGl7yebt7JkmjRbN1N+u/2fAKFLuziMcLNP6WLoWbMqxoC2XOOVNAWX3QjXrCcGU23Nr\
   imtdmWz5NrP43E592Sctt5M+SVlfgQeYv8pHmtkQknE8/jr7TrgNpuiV7nXmhWHTMJ4I\
   zoGXgq43odFFthboEdKNT/enyu+VvUGoIJ6cN8C/1B6o1WlYHEaL0BEIFFbAiAhZ/vnf\
   cUYMaVPqsDJuETsjetcE32kGCD7Jkume2tO68DlIhB/2Z2JX8mkcbxFI6KrmXiRxXQj9\
   9LVn1fEzdf3Vfpcs/C3omsFGqmTpLDK+AvW/SWVkDi2NKq7hL/AyxlW2u2cqVErQZUTS\
   Z+ic6V8kZfxr3gRMnH0KuF5BtjleZ/yVvqqPjwPOZegCKEl2Gd8duhcUde7CR55pil1o\
   UXy5AwgCcZTdEcJn1OPObGoots9T19gw1x4vnZCQUKVDPZuZ1gIkGqDUYXS0lcNTjCMs\
   miFEmnOZvB88jxULpb1vl9HoQ3ocM2oZu4AZRt9G/L07Mwcui0uFCWtAIau+2gqNAn/Z\
   AS10l0j2N0LLtAaOxoF+Ctzscrt0ZMyGHmoQ9daHkpUvEq0cO8hDtLplnq3lQIIIfROQ\
   jcNs9vNKBu87COBjukZD+L8vV4zy8FNO59MCSb9UCLwz2xvfdI1js9/J7hTGaVec8VPx\
   md42yPFrGw5Na1oefm8vW49EDmevc8AjAtwDirRBDFv9pX3+5S+M6jhteSLYvpKJXQT1\
   zs1379KvIHwkn9VHpA+PiUUw9TgF6xF8xWEGSNlOo1Vn1xtM3givehjYxJ5p5/kBEFZI\
   DCyFzstAirJ2GadNhae+P1JFZzJWnX5jaLwzldquZwF3yTzNho4sgBA+fKqiXcgn2nw1\
   vz0Dkbxr6cMaUool0eFScU1nAz1Z39W64LtT2nEuYsORx/ht2RzJxxFc21X3nLeEDFCe\
   NkNDxQFBSfpZjKKgJtXEx23mp+CbBVMrbagsLnzsAGLYbnroVmATU5Iqr6LgYBpuFs+N\
   Rkq7ZXh6CZPukMGQbcOGuNwO6NBuuMNhir5ayGk1ZBiW82C7Nu0hs2pLcgNqWMtt1+LW\
   8R96KyoSc784ZYAZ40QqvoySwmxQPBRTRJ+wB0sVpGBLTxdY9Gw3pXeXN5nao340d2ZA\
   7YEMlqcTHCAv3F8B9ewl7OfQlmg6bvdMuoVdVE+p0er7IAmWMRgviIzYv9sKEEQrCmua\
   2qL5xPSbD05KRf8ZAZ2B8lSCDR1nzXrQXZbXBKJivsCVQDuzxrwGE0gqRMpbk4f5GYCG\
   4i/O8Knoru+jjf6wVQDYKfyz1QUGRlXHkGUGlXfv03r7UbJugycjVO5kbGxhoZkqOq8z\
   ZEpkefvrrNoxeotw/z4QpjI8JlY97GDb0mGVHbmdHugjMtVTGhVJFBbPIinmR+emt7O+\
   4qOr7ywRxCvt2lziWtpPBwaf/1XDnN5Gesex1gR1YrcTRNmB808b01sxLQmxcTt4eQ0/\
   LUkas7qTJ3AQThOfDdtIpkqsthsBFy+WjSQuoXCYMRcPi6MlpxJndDF32lCnL1ranV6e\
   F2ST0SYT+NwNDesMzTRmNbHUW5KAhu0k9WABTvcM5ba0Uq6iOa1NsFrcLag+KhxN6HPn\
   oobwJ/EsDi5S7TAl8WrjqIhZ8x6h9eRRXerpaOw/FYk+2MpWByp/98VE12/EwOqAIiPp\
   elAvUeMOlRkpG64bJsmyYtHuNWgcv5Qiy7/eGw9ZpvB3J3G3jxvbynExqdFyDc067EKi\
   5WxDFPuZUjkfKpekNvzQuIrqs49BzcRyMt5ndEVE21TPPfZ/R8B7Rxnb2LiK+hQc+cc9\
   pEEaWgwAOiMILcp/1CyY6ImdO6RHsxwflMH7gej+hN41kaoEghIOl9kMGTLZbq5Pc8Pz\
   6F2LKTBMJWg9o/0blvilMH9EPblcLeF/bR1AZTUD6ZFdi2TxN6Epn3QVqeG/qPm1EBTF\
   Gw1V92m6/08Dd6zI1HPqwKbkHx4F567owofKHaM2imin0yVUpwxoRJrulRHMCB3tn8C4\
   ZpFl+sGV3Gip3tKlS7PKQkTqI6DMwxEbdrvtdY1sHZagpclLDisA/yFT4RR2m3VNJR9P\
   6Nx3teqN1eg6RXmD/MlKCdWrlcjZ/6yeIQYwbr9CjItY/tLQX2gtAR1SXOh99UUBVv+Z\
   E03VOZ+Ecsc78lSB9G/6n6CFzlbk/HgAF+cu0yMbGnEM8W3mTUspS4JBACwk5w0XWNNQ\
   DWVEdgzuLGhPq+hYExDjVZrLELhkH8YgZA+7RXXUZHM/joNOGHUhpUG/bFo3ktnaILCu\
   xsOXMUbDC3VcitFFHsGK1svtcERDFxk1HA8pGa59jT0do6n3wEbnBDU1soKNFtpmcVkE\
   Ul3XpvuoW3BgCwJzBUCWvPs47DJRgGxO11bSaEYYlhTVaaShcvzgz46AkqO+Q7TjckDP\
   /8uzsSQk0AbuhxWFQpSiBP8OZ/U="
   }




Prorock, et al.          Expires 12 January 2023               [Page 10]

Internet-Draft           post-quantum-signatures               July 2022


3.4.2.2.  Private Key

   Per section 5.1 of [CRYSTALS-Dilithium]:

   |  The secret key contains p,K,tr,s1,s2 and t0 and is also stored as
   |  a bit-packed representation of these quantities in the given
   |  order.  Consequently, a secret key requires 64 + 48 + 32((k+l) *
   |  dlog (2n+ 1)e + 14k) bytes.  For the weak, medium and high
   |  security level this is equal to 112 + 576k+ 128l bytes.  With the
   |  very high security parameters one needs 112 + 544k + 96l = 3856
   |  bytes.

   The private key is represented as d and encoded using base64url
   encoding as described in [RFC7517].

   Example private key using only required fields:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   {
     "kty": "LWE",
     "alg": "CRYDI3",
     "x": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDdrOO+nfXRVUZVy9q1\
   5zDn77zTgrIskM3WX8bqslc+B1fq12iA/wxD2jc1d6j+YjKCtkGH26OR7vc0YC2ZiMzW\
   zGl7yebt7JkmjRbN1N+u/2fAKFLuziMcLNP6WLoWbMqxoC2XOOVNAWX3QjXrCcGU23Nr\
   imtdmWz5NrP43E592Sctt5M+SVlfgQeYv8pHmtkQknE8/jr7TrgNpuiV7nXmhWHTMJ4I\
   zoGXgq43odFFthboEdKNT/enyu+VvUGoIJ6cN8C/1B6o1WlYHEaL0BEIFFbAiAhZ/vnf\
   cUYMaVPqsDJuETsjetcE32kGCD7Jkume2tO68DlIhB/2Z2JX8mkcbxFI6KrmXiRxXQj9\
   9LVn1fEzdf3Vfpcs/C3omsFGqmTpLDK+AvW/SWVkDi2NKq7hL/AyxlW2u2cqVErQZUTS\
   Z+ic6V8kZfxr3gRMnH0KuF5BtjleZ/yVvqqPjwPOZegCKEl2Gd8duhcUde7CR55pil1o\
   UXy5AwgCcZTdEcJn1OPObGoots9T19gw1x4vnZCQUKVDPZuZ1gIkGqDUYXS0lcNTjCMs\
   miFEmnOZvB88jxULpb1vl9HoQ3ocM2oZu4AZRt9G/L07Mwcui0uFCWtAIau+2gqNAn/Z\
   AS10l0j2N0LLtAaOxoF+Ctzscrt0ZMyGHmoQ9daHkpUvEq0cO8hDtLplnq3lQIIIfROQ\
   jcNs9vNKBu87COBjukZD+L8vV4zy8FNO59MCSb9UCLwz2xvfdI1js9/J7hTGaVec8VPx\
   md42yPFrGw5Na1oefm8vW49EDmevc8AjAtwDirRBDFv9pX3+5S+M6jhteSLYvpKJXQT1\
   zs1379KvIHwkn9VHpA+PiUUw9TgF6xF8xWEGSNlOo1Vn1xtM3givehjYxJ5p5/kBEFZI\
   DCyFzstAirJ2GadNhae+P1JFZzJWnX5jaLwzldquZwF3yTzNho4sgBA+fKqiXcgn2nw1\
   vz0Dkbxr6cMaUool0eFScU1nAz1Z39W64LtT2nEuYsORx/ht2RzJxxFc21X3nLeEDFCe\
   NkNDxQFBSfpZjKKgJtXEx23mp+CbBVMrbagsLnzsAGLYbnroVmATU5Iqr6LgYBpuFs+N\
   Rkq7ZXh6CZPukMGQbcOGuNwO6NBuuMNhir5ayGk1ZBiW82C7Nu0hs2pLcgNqWMtt1+LW\
   8R96KyoSc784ZYAZ40QqvoySwmxQPBRTRJ+wB0sVpGBLTxdY9Gw3pXeXN5nao340d2ZA\
   7YEMlqcTHCAv3F8B9ewl7OfQlmg6bvdMuoVdVE+p0er7IAmWMRgviIzYv9sKEEQrCmua\
   2qL5xPSbD05KRf8ZAZ2B8lSCDR1nzXrQXZbXBKJivsCVQDuzxrwGE0gqRMpbk4f5GYCG\
   4i/O8Knoru+jjf6wVQDYKfyz1QUGRlXHkGUGlXfv03r7UbJugycjVO5kbGxhoZkqOq8z\
   ZEpkefvrrNoxeotw/z4QpjI8JlY97GDb0mGVHbmdHugjMtVTGhVJFBbPIinmR+emt7O+\
   4qOr7ywRxCvt2lziWtpPBwaf/1XDnN5Gesex1gR1YrcTRNmB808b01sxLQmxcTt4eQ0/\
   LUkas7qTJ3AQThOfDdtIpkqsthsBFy+WjSQuoXCYMRcPi6MlpxJndDF32lCnL1ranV6e\
   F2ST0SYT+NwNDesMzTRmNbHUW5KAhu0k9WABTvcM5ba0Uq6iOa1NsFrcLag+KhxN6HPn\



Prorock, et al.          Expires 12 January 2023               [Page 11]

Internet-Draft           post-quantum-signatures               July 2022


   oobwJ/EsDi5S7TAl8WrjqIhZ8x6h9eRRXerpaOw/FYk+2MpWByp/98VE12/EwOqAIiPp\
   elAvUeMOlRkpG64bJsmyYtHuNWgcv5Qiy7/eGw9ZpvB3J3G3jxvbynExqdFyDc067EKi\
   5WxDFPuZUjkfKpekNvzQuIrqs49BzcRyMt5ndEVE21TPPfZ/R8B7Rxnb2LiK+hQc+cc9\
   pEEaWgwAOiMILcp/1CyY6ImdO6RHsxwflMH7gej+hN41kaoEghIOl9kMGTLZbq5Pc8Pz\
   6F2LKTBMJWg9o/0blvilMH9EPblcLeF/bR1AZTUD6ZFdi2TxN6Epn3QVqeG/qPm1EBTF\
   Gw1V92m6/08Dd6zI1HPqwKbkHx4F567owofKHaM2imin0yVUpwxoRJrulRHMCB3tn8C4\
   ZpFl+sGV3Gip3tKlS7PKQkTqI6DMwxEbdrvtdY1sHZagpclLDisA/yFT4RR2m3VNJR9P\
   6Nx3teqN1eg6RXmD/MlKCdWrlcjZ/6yeIQYwbr9CjItY/tLQX2gtAR1SXOh99UUBVv+Z\
   E03VOZ+Ecsc78lSB9G/6n6CFzlbk/HgAF+cu0yMbGnEM8W3mTUspS4JBACwk5w0XWNNQ\
   DWVEdgzuLGhPq+hYExDjVZrLELhkH8YgZA+7RXXUZHM/joNOGHUhpUG/bFo3ktnaILCu\
   xsOXMUbDC3VcitFFHsGK1svtcERDFxk1HA8pGa59jT0do6n3wEbnBDU1soKNFtpmcVkE\
   Ul3XpvuoW3BgCwJzBUCWvPs47DJRgGxO11bSaEYYlhTVaaShcvzgz46AkqO+Q7TjckDP\
   /8uzsSQk0AbuhxWFQpSiBP8OZ/U=",
     "d": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDUBgL6FklHURz5btM5\
   yrI5FQdWk+U2srVuSmfDV7EYG897mUFY35Z0WQ0mZ9XvIOKCh+GFFOk56b5FOFq6xnV8\
   UDQnFyY2JREUOHdiUjcUNxA1YxR3QiQ0BkE1AUBmFEOAUHZGBzQAU2dxVIgTQRV3U3g4\
   GGiISEYQhHRSWDIBQ2Z3UIIWdSV1EWhwBTYiWGI3VmJVI1UIU2REdUhHBoJ2gRhFUThy\
   BSQnhBIGI1AoMVB2MCNhUXQiNUGCKHgzUmQxU3dEgBhmQyIQgmFjdxY1dCJgGBSEB4Ij\
   CEJ0MBGIQWRRN3QjRmRSQWQIJgNjcjdnMlJhJIU1MlJRd1NmF4dwhHIIdEYYcAhEclBQ\
   JjESAiBwBQYzYlAIIocBcoZFcGVkA2SDMCVTBjgzCAAzNnQGYHI1VwJzYxQRckBIZBV4\
   VxZmZiVlYXgHFRNjdEFIYVOFIVdhcnIINEhhIURjg0cxJ0SCIWYUUVcHJzdDUTASciAW\
   UiJAglIoQkIwNjMlcwACZxcHZVJAh4EnNnWAZVVoBjNnNEcicTdyEEUHBVFjETETNjd0\
   YUFmFDVXNUcHFVJoE2AlVwFhMzc0dQckMYJUaBJ0JkUBdyd1AnZiJ3hYYkWAgyR1VziD\
   BERVh1NQAFIGWIhUZXCEQxIThyR1FIGGNTKAcwdRNBGDYEd2RVEwUDMzWAAhNQEEMYAS\
   hUSCgTJ3VIdXUlFBFxFkhVCCZEABJjQCAxFGNkhHQzM1YSSHNlEBEmJkgWZCVwZHRSVD\
   GDZzRCQiNhE3IghDhSFoBYCHNFVHMxZAZTSGAVMUQkhBKIFRQEVBB0cHNGEiJVVScQQh\
   hzQiBzKBYRY4Q0R2MVUldwVCIkQYEEgFYEREY2NERyFVdHJzdAZHBmhmdSCFIgh1IwGB\
   AxNzFjEoUWFCF4AhZRJSEROEEThxAGYBJTgUcUdFJBOFRmcVYnZUUFCAY1AnZEZBVThS\
   ECBQYBNGeAdzQ3KGhIE3ZiFxQoVCgQBjEFdFcIV0IAaFcgI0iAgAUVQAhEInQWECY1I4\
   E2U0MkAXQSZkdSRRc2I4BjEiSGd4hgQEEDcTRmhFd3MBMmY2gERxNwiISAVkFVETGCcI\
   gYhzRXByGBgzKGVXJUhoGEY1hgFmZWgmEWYWVoISd4Vlhid4VUMHgSZXhXUSaCgmJ3Eg\
   MQIzIDIThwRSARQhBFB2QQBjEgIoEHN1BhMCiIIBUlZWCHdBMyZFQoQ2UUJXJCFnZyFD\
   RTFUUTQoQmUjB0aHJXJHeDZlJGBCExATEUEDg3BTAChWImN0AWcFB3IUgBEARxVUREdX\
   QzhVBEBBF4UgcRhCg4gUcoRkdYCAIUQBRUJUYjFjEBYUhSBjIyV2cXBYckEiMic1N4ED\
   gDUGVSCHhCYURXcQB1ODg4hDJFJ3Jld2gyYnQYclRjE3VWcQNXJBYnOGhYFoU2dHATAw\
   OEeBUGQjJHcDgUJTRXBXJ3IAEjEXhXeEEmghIAAGdjUVBndnI2FCAVcyV4cxIyZ2dYE1\
   ZEiHcYJYaCcXQXJCaER1coIDRWJkcSNhEVF3JGOCQkYWYkcndRA1QTh0MFgzIyVocYJY\
   cwIAFRNiE1VAUECBI3MzQiZkUhR1cid1NSAXFXN0gUNnRCV0ISNmYnB3NIZyMIQWEVVz\
   ElEohnQyKBNoY1cCdmdjVYiGhVUlA0CHMTZIURBgR4aIJwJQJlIDMYhwNGNwiGcIBUdA\
   NXMBETUgICJyMkMIN1BAIAB4gEMDUwhndFJkQDEgRRMld4EzhRM0ZhGAYHMgZ4NhEEhn\
   U2I2VicBBXZUFUNoczcmBzBnUEBxUWcDg4RHUXZSOEZogABHRAISVEAzdoQhRmBgEWYE\
   Z4U1dgQ2gjgQUjMScgIIFQR3YFczhTYoB1IiVCYGBAVmVAFIdhRmZ1InhwdTRjJjNhVx\
   IzcWgjFlFCaChlIWUySIaDFwAWV3RAIxg2QWYgAYMUjP7wmwOwPp7Ukl3L1KalY/6dN4\
   dBr1AYS8JnkVq6pPeBfO7ccX95SrVfAO7EX7RVEYyhVR9QOQyEpLBUMcfcfnHCZWKM0o\
   OBF7BXiWMR9BQo4ybtpJGKQ+IZyCKUJVRhZ+uae182qYcBKFMdOOzXiO8kAa98eUy6SR\
   pPfKPD6D+xXgtJ0FWtYnp1Jy2aIG3HqMiTHoSdVIvccGkf94gpVWTMeJQsQpgq7dAJiJ\
   5JOMQjk7JIHcIzxb4T8sQHzA55MFfvM7Hus/8FUX7NfIN1JRmc2zHL/7kdfCFSwG67iW\
   U4ob2kTwdKzPvOL+d3e+AOE0PihJ4vVJAOjhWmO2fIFNvFhNqPh0MSiSkatPGbSVdqQ1\



Prorock, et al.          Expires 12 January 2023               [Page 12]

Internet-Draft           post-quantum-signatures               July 2022


   PsG6C+1YqMrTM7KFr4hTQM8a3+tAOsImMjXSSPDkVeuJFq1rw642SJJx8yZTXVe8g75D\
   ZTYghbeX5LLzaVkt9mZS7cW16Zy+C3MwnWDrGQ6hUDxYaYJp7SOGJHepcmVV214oD6nw\
   5QprgpGIxVcdXQUO0fhKwerYDkoOIj+uqk7NYDvOt8zANphYcE3v+6yVFyYh3eg7DYRJ\
   rIzIcbaG91ySv2iRRC+cWaymH6xuqaHRwZu/p962/u8/c3rITJzCoVc+ObnZ5oItZFBe\
   AYFhLBx7PvPdBULXyCqmtkOtnT/jnaCUVxtGeaIeQmmeM4yPq3d5uWBfOvIyuPmfBSKd\
   Y0NETGlsaoQuqFpOkCmQdMVZKh3UZ8AOjw22LlqaZlrUf0akb0fs7le2HT47KV9yOJHC\
   tec9tjHUeBVmma5O4AofGcVXLbkqKv+Soax9GooHVOv+uxa8iwjAdTZKtqwKnKDx4jaR\
   +zotCsYi4BuB2JbkjnHG6NL7ubN+aNKnwnzZnMKQZIh2Q7vSRYKTM8j9OGLq7IP8q2NS\
   oc7iT//eAvb4oF6LaY7qebxQ6ROXCSRrrXgpo+pw3ltfuUCuGzAxD4+wMZU3dlXsivhJ\
   PnTEjI/V6GmkRlfZ9XnYfj8SILETWk03dMFJh3LmUwkbRV+C3mL2GzjgQVTkvP82KDBL\
   DAR9iKyPkJnMnK9Ix/StVyJbGAtGp4jHnp+PSjz9ja4qI9jVRjGgIUQhw0DnI0fnplUn\
   Qhz3F9MQXMPLSPvFw8M0xkUKsAcxQvxZGb5LkYByZ0ZrO/ipphwnE6zQuOva+8uTyBX/\
   B9VR24tUItvlhy7SS6JrULrvTA+D/ZCiqKRx61iF6pU3BoC8fgA9D/AifiQnPz0SI5kx\
   FJfDTz1LWMjUlQKBHFvRFLE9eFD0rnwAGx7Pgpyc/KrLqVmcmj/96TYtoedp/iW4asfY\
   C2vs+GVyxVoumIdFPHJpencWbE/niZnVDaJCih1iqgXzDsI8bENh2B9cutDWX+bsHZSC\
   jSQb9YkGN+MoNiJlXmQHSJDyfPhzWPibdS/lpS90ppPWIY+PpLOfzDSGFFWswQ4q5Phc\
   pLWHx5lw9KSye+T86p6kadnBBTLTyfn0dG7NpO9QKQObMN60MnybkVGx5nH9yLJlFlmV\
   0H+K0VZIKm4UzYV+RYfqqXYtMqTQxeQ1U7L7o0H+6viErxuKj5rS3i+r1rdfECAGgCoq\
   0mixATHISAHi2eSV5fk3r5xMkKSwwPIRuMt50+kklRPUoLohTj7G1CnL6O2xwBdQMTUx\
   4Jq5JBWnfB+U4D9n0si1DwikIhpaUyOoBeaWo4iFQiWVLwjeeQvY6zj66l7OXsPHjZXg\
   uCitsWfp5MYV3cLTkb80uCM/xhp4Y0Edobt6x3k1FD8vbh8g3YAG0Xe/U+Iz3klnpCt2\
   ROQ2lGQa0JMl4nbQr3tqTLoXv4szaErfP/Xw05Cnt9DsBzN5DNrmfF6EDcfVf/hn8v9a\
   wrg6Rfv8Jpys1YFpwLanhb3Wz+x1yaDsa54IdlFOFnyBxv8GppbFrMpVFx/nLAXGIocc\
   WjcRKs0tBJUW/IoXeKOMPUd1wHR4dqUCEXsoexHJiNe5sH+akr6UIDObF70hhupBoiY9\
   AzVXi5zXf2VdafyQrkGfKz4BEUkiqcaajHr1CF9ZJ+Mjdmfr3z0xyCmCAWir5ZLOBXDj\
   T7sYCV3QjCz4a2mGvee9IxC9kSLapCq90UMAxnTLjJGQM/dlpgjDsjsCZX5wKdsnMs79\
   60Z75BGDOC1dDINj4f5kHZmwwcmw/04mi/1RPBUABXse3Up3eJQOX2haZPqmY0+2PZTF\
   exku9pETHtKcfSdRe1oJLmlB34JSogRmNp1eBxakcIL09huiFVtGVZng/pC/ryoJ/T9q\
   9w4aV5H+4u2dHc29Vb77SasxCdRH0sDaLaPpesRXsrdJwjbizOgzRlIx+83oO7NuhE+C\
   kKfO7cZMrFm8r8g1MlzDiFrTf3RTusMtiW6CVlVuTROPZFngqaR5yeYPprpSELtQHSwz\
   U5AaY5Qd8tbky5ec+2/QkXO+cdyWhQUuBRpibwpRpD3x1yTgT4E91cwTFpvSLk54ZHf+\
   D3EsZf0PYMN6d4jVdh9iv+0tCebnfMqP65wY26YBopSLtCXXb1anUlRPlzPzRq99yKnt\
   FM7gK1XnBAZoZBBqCyZw9OHWmttIFWcml4Wd5BxF9uZh2Y8gtcN8UKWHv43tsNBa7j/T\
   ikIBSkIVI/6EQvyPW4YTdyz2V8RKHN5XcdpdWFaVhgSJMC4I6Bm0Lwenhkmal7Sd247q\
   uCtEow8qh+w7Jk4SxrmvJxd5sBnvz15OKEaHPeWNNJW00bWEDT+0ZzzD8vMN1/GkbbB3\
   s7UfcJXZbRu7HtQ+wHIblBKVstX3hMonra+k6wS9KPhcAaC3IjZ7ZApSedKk1sW1SuDg\
   l48YW2/cyS3LvmISQn9KPWK7yEpNQnV0vurn3ZFOGO0eDjSXUjI+xIrRia5GQ1yb31ma\
   nJnf2PdHcMmVr0wu4lMGno7a14nMRdnXkBU8bVOp8wF6Toz59hBJ3a/F+mP4/a19Ixra\
   wiVVeEPgoi9QQ9NcLgQEFCoskA+EpcLK0FxV2rYI9JFNF/nDxP5nmGtnkmlFaLo+pleH\
   CJYS0OTGKQr6X+Y65NOllx5nNwsnWkIUkCodoSt4Givdoe/S9JNIu8tW+jTBae2hNr9c\
   glErCNKDYe1+T+Ldyr9rfOKm9LKNyTBsodgF4KI/hFh9Iv/i55DTWtqjpN0eQnPTB3/6\
   +7KzTfSE9il5UMcP3zKKC2mAQvtyYxF3k0m24ZTwPs2LAPJkr/xtPH3BnGE/UfUDmvDS\
   TBp9m049Nh9oDZvI4HKsY8auiyENk0ys67F9GTHhOYM0FgHyP5qk4/IR5YC3lnq7xx6i\
   owebEJAy63htMytq+xd3cJyZR0lWBUOqvSpd/A=="
   }

   Example private key using optional fields:




Prorock, et al.          Expires 12 January 2023               [Page 13]

Internet-Draft           post-quantum-signatures               July 2022


   =============== NOTE: '\' line wrapping per RFC 8792 ================

   {
     "kid": "key-0",
     "kty": "LWE",
     "alg": "CRYDI3",
     "key_ops": ["sign"],
     "x": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDdrOO+nfXRVUZVy9q1\
   5zDn77zTgrIskM3WX8bqslc+B1fq12iA/wxD2jc1d6j+YjKCtkGH26OR7vc0YC2ZiMzW\
   zGl7yebt7JkmjRbN1N+u/2fAKFLuziMcLNP6WLoWbMqxoC2XOOVNAWX3QjXrCcGU23Nr\
   imtdmWz5NrP43E592Sctt5M+SVlfgQeYv8pHmtkQknE8/jr7TrgNpuiV7nXmhWHTMJ4I\
   zoGXgq43odFFthboEdKNT/enyu+VvUGoIJ6cN8C/1B6o1WlYHEaL0BEIFFbAiAhZ/vnf\
   cUYMaVPqsDJuETsjetcE32kGCD7Jkume2tO68DlIhB/2Z2JX8mkcbxFI6KrmXiRxXQj9\
   9LVn1fEzdf3Vfpcs/C3omsFGqmTpLDK+AvW/SWVkDi2NKq7hL/AyxlW2u2cqVErQZUTS\
   Z+ic6V8kZfxr3gRMnH0KuF5BtjleZ/yVvqqPjwPOZegCKEl2Gd8duhcUde7CR55pil1o\
   UXy5AwgCcZTdEcJn1OPObGoots9T19gw1x4vnZCQUKVDPZuZ1gIkGqDUYXS0lcNTjCMs\
   miFEmnOZvB88jxULpb1vl9HoQ3ocM2oZu4AZRt9G/L07Mwcui0uFCWtAIau+2gqNAn/Z\
   AS10l0j2N0LLtAaOxoF+Ctzscrt0ZMyGHmoQ9daHkpUvEq0cO8hDtLplnq3lQIIIfROQ\
   jcNs9vNKBu87COBjukZD+L8vV4zy8FNO59MCSb9UCLwz2xvfdI1js9/J7hTGaVec8VPx\
   md42yPFrGw5Na1oefm8vW49EDmevc8AjAtwDirRBDFv9pX3+5S+M6jhteSLYvpKJXQT1\
   zs1379KvIHwkn9VHpA+PiUUw9TgF6xF8xWEGSNlOo1Vn1xtM3givehjYxJ5p5/kBEFZI\
   DCyFzstAirJ2GadNhae+P1JFZzJWnX5jaLwzldquZwF3yTzNho4sgBA+fKqiXcgn2nw1\
   vz0Dkbxr6cMaUool0eFScU1nAz1Z39W64LtT2nEuYsORx/ht2RzJxxFc21X3nLeEDFCe\
   NkNDxQFBSfpZjKKgJtXEx23mp+CbBVMrbagsLnzsAGLYbnroVmATU5Iqr6LgYBpuFs+N\
   Rkq7ZXh6CZPukMGQbcOGuNwO6NBuuMNhir5ayGk1ZBiW82C7Nu0hs2pLcgNqWMtt1+LW\
   8R96KyoSc784ZYAZ40QqvoySwmxQPBRTRJ+wB0sVpGBLTxdY9Gw3pXeXN5nao340d2ZA\
   7YEMlqcTHCAv3F8B9ewl7OfQlmg6bvdMuoVdVE+p0er7IAmWMRgviIzYv9sKEEQrCmua\
   2qL5xPSbD05KRf8ZAZ2B8lSCDR1nzXrQXZbXBKJivsCVQDuzxrwGE0gqRMpbk4f5GYCG\
   4i/O8Knoru+jjf6wVQDYKfyz1QUGRlXHkGUGlXfv03r7UbJugycjVO5kbGxhoZkqOq8z\
   ZEpkefvrrNoxeotw/z4QpjI8JlY97GDb0mGVHbmdHugjMtVTGhVJFBbPIinmR+emt7O+\
   4qOr7ywRxCvt2lziWtpPBwaf/1XDnN5Gesex1gR1YrcTRNmB808b01sxLQmxcTt4eQ0/\
   LUkas7qTJ3AQThOfDdtIpkqsthsBFy+WjSQuoXCYMRcPi6MlpxJndDF32lCnL1ranV6e\
   F2ST0SYT+NwNDesMzTRmNbHUW5KAhu0k9WABTvcM5ba0Uq6iOa1NsFrcLag+KhxN6HPn\
   oobwJ/EsDi5S7TAl8WrjqIhZ8x6h9eRRXerpaOw/FYk+2MpWByp/98VE12/EwOqAIiPp\
   elAvUeMOlRkpG64bJsmyYtHuNWgcv5Qiy7/eGw9ZpvB3J3G3jxvbynExqdFyDc067EKi\
   5WxDFPuZUjkfKpekNvzQuIrqs49BzcRyMt5ndEVE21TPPfZ/R8B7Rxnb2LiK+hQc+cc9\
   pEEaWgwAOiMILcp/1CyY6ImdO6RHsxwflMH7gej+hN41kaoEghIOl9kMGTLZbq5Pc8Pz\
   6F2LKTBMJWg9o/0blvilMH9EPblcLeF/bR1AZTUD6ZFdi2TxN6Epn3QVqeG/qPm1EBTF\
   Gw1V92m6/08Dd6zI1HPqwKbkHx4F567owofKHaM2imin0yVUpwxoRJrulRHMCB3tn8C4\
   ZpFl+sGV3Gip3tKlS7PKQkTqI6DMwxEbdrvtdY1sHZagpclLDisA/yFT4RR2m3VNJR9P\
   6Nx3teqN1eg6RXmD/MlKCdWrlcjZ/6yeIQYwbr9CjItY/tLQX2gtAR1SXOh99UUBVv+Z\
   E03VOZ+Ecsc78lSB9G/6n6CFzlbk/HgAF+cu0yMbGnEM8W3mTUspS4JBACwk5w0XWNNQ\
   DWVEdgzuLGhPq+hYExDjVZrLELhkH8YgZA+7RXXUZHM/joNOGHUhpUG/bFo3ktnaILCu\
   xsOXMUbDC3VcitFFHsGK1svtcERDFxk1HA8pGa59jT0do6n3wEbnBDU1soKNFtpmcVkE\
   Ul3XpvuoW3BgCwJzBUCWvPs47DJRgGxO11bSaEYYlhTVaaShcvzgz46AkqO+Q7TjckDP\
   /8uzsSQk0AbuhxWFQpSiBP8OZ/U=",
     "d": "z7u7GwhsjjnfHH3Nkrs2xvvw020Rcw5ymdlTnhRenjDUBgL6FklHURz5btM5\
   yrI5FQdWk+U2srVuSmfDV7EYG897mUFY35Z0WQ0mZ9XvIOKCh+GFFOk56b5FOFq6xnV8\



Prorock, et al.          Expires 12 January 2023               [Page 14]

Internet-Draft           post-quantum-signatures               July 2022


   UDQnFyY2JREUOHdiUjcUNxA1YxR3QiQ0BkE1AUBmFEOAUHZGBzQAU2dxVIgTQRV3U3g4\
   GGiISEYQhHRSWDIBQ2Z3UIIWdSV1EWhwBTYiWGI3VmJVI1UIU2REdUhHBoJ2gRhFUThy\
   BSQnhBIGI1AoMVB2MCNhUXQiNUGCKHgzUmQxU3dEgBhmQyIQgmFjdxY1dCJgGBSEB4Ij\
   CEJ0MBGIQWRRN3QjRmRSQWQIJgNjcjdnMlJhJIU1MlJRd1NmF4dwhHIIdEYYcAhEclBQ\
   JjESAiBwBQYzYlAIIocBcoZFcGVkA2SDMCVTBjgzCAAzNnQGYHI1VwJzYxQRckBIZBV4\
   VxZmZiVlYXgHFRNjdEFIYVOFIVdhcnIINEhhIURjg0cxJ0SCIWYUUVcHJzdDUTASciAW\
   UiJAglIoQkIwNjMlcwACZxcHZVJAh4EnNnWAZVVoBjNnNEcicTdyEEUHBVFjETETNjd0\
   YUFmFDVXNUcHFVJoE2AlVwFhMzc0dQckMYJUaBJ0JkUBdyd1AnZiJ3hYYkWAgyR1VziD\
   BERVh1NQAFIGWIhUZXCEQxIThyR1FIGGNTKAcwdRNBGDYEd2RVEwUDMzWAAhNQEEMYAS\
   hUSCgTJ3VIdXUlFBFxFkhVCCZEABJjQCAxFGNkhHQzM1YSSHNlEBEmJkgWZCVwZHRSVD\
   GDZzRCQiNhE3IghDhSFoBYCHNFVHMxZAZTSGAVMUQkhBKIFRQEVBB0cHNGEiJVVScQQh\
   hzQiBzKBYRY4Q0R2MVUldwVCIkQYEEgFYEREY2NERyFVdHJzdAZHBmhmdSCFIgh1IwGB\
   AxNzFjEoUWFCF4AhZRJSEROEEThxAGYBJTgUcUdFJBOFRmcVYnZUUFCAY1AnZEZBVThS\
   ECBQYBNGeAdzQ3KGhIE3ZiFxQoVCgQBjEFdFcIV0IAaFcgI0iAgAUVQAhEInQWECY1I4\
   E2U0MkAXQSZkdSRRc2I4BjEiSGd4hgQEEDcTRmhFd3MBMmY2gERxNwiISAVkFVETGCcI\
   gYhzRXByGBgzKGVXJUhoGEY1hgFmZWgmEWYWVoISd4Vlhid4VUMHgSZXhXUSaCgmJ3Eg\
   MQIzIDIThwRSARQhBFB2QQBjEgIoEHN1BhMCiIIBUlZWCHdBMyZFQoQ2UUJXJCFnZyFD\
   RTFUUTQoQmUjB0aHJXJHeDZlJGBCExATEUEDg3BTAChWImN0AWcFB3IUgBEARxVUREdX\
   QzhVBEBBF4UgcRhCg4gUcoRkdYCAIUQBRUJUYjFjEBYUhSBjIyV2cXBYckEiMic1N4ED\
   gDUGVSCHhCYURXcQB1ODg4hDJFJ3Jld2gyYnQYclRjE3VWcQNXJBYnOGhYFoU2dHATAw\
   OEeBUGQjJHcDgUJTRXBXJ3IAEjEXhXeEEmghIAAGdjUVBndnI2FCAVcyV4cxIyZ2dYE1\
   ZEiHcYJYaCcXQXJCaER1coIDRWJkcSNhEVF3JGOCQkYWYkcndRA1QTh0MFgzIyVocYJY\
   cwIAFRNiE1VAUECBI3MzQiZkUhR1cid1NSAXFXN0gUNnRCV0ISNmYnB3NIZyMIQWEVVz\
   ElEohnQyKBNoY1cCdmdjVYiGhVUlA0CHMTZIURBgR4aIJwJQJlIDMYhwNGNwiGcIBUdA\
   NXMBETUgICJyMkMIN1BAIAB4gEMDUwhndFJkQDEgRRMld4EzhRM0ZhGAYHMgZ4NhEEhn\
   U2I2VicBBXZUFUNoczcmBzBnUEBxUWcDg4RHUXZSOEZogABHRAISVEAzdoQhRmBgEWYE\
   Z4U1dgQ2gjgQUjMScgIIFQR3YFczhTYoB1IiVCYGBAVmVAFIdhRmZ1InhwdTRjJjNhVx\
   IzcWgjFlFCaChlIWUySIaDFwAWV3RAIxg2QWYgAYMUjP7wmwOwPp7Ukl3L1KalY/6dN4\
   dBr1AYS8JnkVq6pPeBfO7ccX95SrVfAO7EX7RVEYyhVR9QOQyEpLBUMcfcfnHCZWKM0o\
   OBF7BXiWMR9BQo4ybtpJGKQ+IZyCKUJVRhZ+uae182qYcBKFMdOOzXiO8kAa98eUy6SR\
   pPfKPD6D+xXgtJ0FWtYnp1Jy2aIG3HqMiTHoSdVIvccGkf94gpVWTMeJQsQpgq7dAJiJ\
   5JOMQjk7JIHcIzxb4T8sQHzA55MFfvM7Hus/8FUX7NfIN1JRmc2zHL/7kdfCFSwG67iW\
   U4ob2kTwdKzPvOL+d3e+AOE0PihJ4vVJAOjhWmO2fIFNvFhNqPh0MSiSkatPGbSVdqQ1\
   PsG6C+1YqMrTM7KFr4hTQM8a3+tAOsImMjXSSPDkVeuJFq1rw642SJJx8yZTXVe8g75D\
   ZTYghbeX5LLzaVkt9mZS7cW16Zy+C3MwnWDrGQ6hUDxYaYJp7SOGJHepcmVV214oD6nw\
   5QprgpGIxVcdXQUO0fhKwerYDkoOIj+uqk7NYDvOt8zANphYcE3v+6yVFyYh3eg7DYRJ\
   rIzIcbaG91ySv2iRRC+cWaymH6xuqaHRwZu/p962/u8/c3rITJzCoVc+ObnZ5oItZFBe\
   AYFhLBx7PvPdBULXyCqmtkOtnT/jnaCUVxtGeaIeQmmeM4yPq3d5uWBfOvIyuPmfBSKd\
   Y0NETGlsaoQuqFpOkCmQdMVZKh3UZ8AOjw22LlqaZlrUf0akb0fs7le2HT47KV9yOJHC\
   tec9tjHUeBVmma5O4AofGcVXLbkqKv+Soax9GooHVOv+uxa8iwjAdTZKtqwKnKDx4jaR\
   +zotCsYi4BuB2JbkjnHG6NL7ubN+aNKnwnzZnMKQZIh2Q7vSRYKTM8j9OGLq7IP8q2NS\
   oc7iT//eAvb4oF6LaY7qebxQ6ROXCSRrrXgpo+pw3ltfuUCuGzAxD4+wMZU3dlXsivhJ\
   PnTEjI/V6GmkRlfZ9XnYfj8SILETWk03dMFJh3LmUwkbRV+C3mL2GzjgQVTkvP82KDBL\
   DAR9iKyPkJnMnK9Ix/StVyJbGAtGp4jHnp+PSjz9ja4qI9jVRjGgIUQhw0DnI0fnplUn\
   Qhz3F9MQXMPLSPvFw8M0xkUKsAcxQvxZGb5LkYByZ0ZrO/ipphwnE6zQuOva+8uTyBX/\
   B9VR24tUItvlhy7SS6JrULrvTA+D/ZCiqKRx61iF6pU3BoC8fgA9D/AifiQnPz0SI5kx\
   FJfDTz1LWMjUlQKBHFvRFLE9eFD0rnwAGx7Pgpyc/KrLqVmcmj/96TYtoedp/iW4asfY\
   C2vs+GVyxVoumIdFPHJpencWbE/niZnVDaJCih1iqgXzDsI8bENh2B9cutDWX+bsHZSC\



Prorock, et al.          Expires 12 January 2023               [Page 15]

Internet-Draft           post-quantum-signatures               July 2022


   jSQb9YkGN+MoNiJlXmQHSJDyfPhzWPibdS/lpS90ppPWIY+PpLOfzDSGFFWswQ4q5Phc\
   pLWHx5lw9KSye+T86p6kadnBBTLTyfn0dG7NpO9QKQObMN60MnybkVGx5nH9yLJlFlmV\
   0H+K0VZIKm4UzYV+RYfqqXYtMqTQxeQ1U7L7o0H+6viErxuKj5rS3i+r1rdfECAGgCoq\
   0mixATHISAHi2eSV5fk3r5xMkKSwwPIRuMt50+kklRPUoLohTj7G1CnL6O2xwBdQMTUx\
   4Jq5JBWnfB+U4D9n0si1DwikIhpaUyOoBeaWo4iFQiWVLwjeeQvY6zj66l7OXsPHjZXg\
   uCitsWfp5MYV3cLTkb80uCM/xhp4Y0Edobt6x3k1FD8vbh8g3YAG0Xe/U+Iz3klnpCt2\
   ROQ2lGQa0JMl4nbQr3tqTLoXv4szaErfP/Xw05Cnt9DsBzN5DNrmfF6EDcfVf/hn8v9a\
   wrg6Rfv8Jpys1YFpwLanhb3Wz+x1yaDsa54IdlFOFnyBxv8GppbFrMpVFx/nLAXGIocc\
   WjcRKs0tBJUW/IoXeKOMPUd1wHR4dqUCEXsoexHJiNe5sH+akr6UIDObF70hhupBoiY9\
   AzVXi5zXf2VdafyQrkGfKz4BEUkiqcaajHr1CF9ZJ+Mjdmfr3z0xyCmCAWir5ZLOBXDj\
   T7sYCV3QjCz4a2mGvee9IxC9kSLapCq90UMAxnTLjJGQM/dlpgjDsjsCZX5wKdsnMs79\
   60Z75BGDOC1dDINj4f5kHZmwwcmw/04mi/1RPBUABXse3Up3eJQOX2haZPqmY0+2PZTF\
   exku9pETHtKcfSdRe1oJLmlB34JSogRmNp1eBxakcIL09huiFVtGVZng/pC/ryoJ/T9q\
   9w4aV5H+4u2dHc29Vb77SasxCdRH0sDaLaPpesRXsrdJwjbizOgzRlIx+83oO7NuhE+C\
   kKfO7cZMrFm8r8g1MlzDiFrTf3RTusMtiW6CVlVuTROPZFngqaR5yeYPprpSELtQHSwz\
   U5AaY5Qd8tbky5ec+2/QkXO+cdyWhQUuBRpibwpRpD3x1yTgT4E91cwTFpvSLk54ZHf+\
   D3EsZf0PYMN6d4jVdh9iv+0tCebnfMqP65wY26YBopSLtCXXb1anUlRPlzPzRq99yKnt\
   FM7gK1XnBAZoZBBqCyZw9OHWmttIFWcml4Wd5BxF9uZh2Y8gtcN8UKWHv43tsNBa7j/T\
   ikIBSkIVI/6EQvyPW4YTdyz2V8RKHN5XcdpdWFaVhgSJMC4I6Bm0Lwenhkmal7Sd247q\
   uCtEow8qh+w7Jk4SxrmvJxd5sBnvz15OKEaHPeWNNJW00bWEDT+0ZzzD8vMN1/GkbbB3\
   s7UfcJXZbRu7HtQ+wHIblBKVstX3hMonra+k6wS9KPhcAaC3IjZ7ZApSedKk1sW1SuDg\
   l48YW2/cyS3LvmISQn9KPWK7yEpNQnV0vurn3ZFOGO0eDjSXUjI+xIrRia5GQ1yb31ma\
   nJnf2PdHcMmVr0wu4lMGno7a14nMRdnXkBU8bVOp8wF6Toz59hBJ3a/F+mP4/a19Ixra\
   wiVVeEPgoi9QQ9NcLgQEFCoskA+EpcLK0FxV2rYI9JFNF/nDxP5nmGtnkmlFaLo+pleH\
   CJYS0OTGKQr6X+Y65NOllx5nNwsnWkIUkCodoSt4Givdoe/S9JNIu8tW+jTBae2hNr9c\
   glErCNKDYe1+T+Ldyr9rfOKm9LKNyTBsodgF4KI/hFh9Iv/i55DTWtqjpN0eQnPTB3/6\
   +7KzTfSE9il5UMcP3zKKC2mAQvtyYxF3k0m24ZTwPs2LAPJkr/xtPH3BnGE/UfUDmvDS\
   TBp9m049Nh9oDZvI4HKsY8auiyENk0ys67F9GTHhOYM0FgHyP5qk4/IR5YC3lnq7xx6i\
   owebEJAy63htMytq+xd3cJyZR0lWBUOqvSpd/A=="
   }

3.4.3.  CRYDI Signature Representation

   For the purpose of using the CRYSTALS-Dilithium Signature Algorithm
   (CRYDI) for signing data using "JSON Web Signature (JWS)" [RFC7515],
   algorithm "CRYDI" is defined here, to be applied as the value of the
   "alg" parameter.

   The following key subtypes are defined here for use with CRYDI:












Prorock, et al.          Expires 12 January 2023               [Page 16]

Internet-Draft           post-quantum-signatures               July 2022


                    +============+====================+
                    | "paramter" | CRYDI Paramter Set |
                    +============+====================+
                    | 5          | CRYDI5             |
                    +------------+--------------------+
                    | 3          | CRYDI3             |
                    +------------+--------------------+
                    | 2          | CRYDI2             |
                    +------------+--------------------+

                                  Table 5

   The key type used with these keys is "PQK" and the algorithm used for
   signing is "CRYDI".  These subtypes MUST NOT be used for key
   agreement.

   The CRYDI variant used is determined by the subtype of the key
   (CRYDI3 for "pset 3" and CRYDI2 for "pset 2").

   Implementations need to check that the key type is "PQK" for JOSE and
   that the pset of the key is a valid subtype when creating a
   signature.

   The CRYDI digital signature is generated as follows:

   1.  Generate a digital signature of the JWS Signing Input using CRYDI
       with the desired private key, as described in Section 3.2 (#name-
       sign).  The signature bit string is the concatenation of a bit
       packed representation of z and encodings of h and c in this
       order.

   2.  The resulting octet sequence is the JWS Signature.

   When using a JWK for this algorithm, the following checks are made:

   *  The "kty" field MUST be present, and it MUST be "LWE" for JOSE.

   *  The "alg" field MUST be present, and it MUST represent the
      algorith and parameter set.

   *  If the "key_ops" field is present, it MUST include "sign" when
      creating an CRYDI signature.

   *  If the "key_ops" field is present, it MUST include "verify" when
      verifying an CRYDI signature.

   *  If the JWK "use" field is present, its value MUST be "sig".




Prorock, et al.          Expires 12 January 2023               [Page 17]

Internet-Draft           post-quantum-signatures               July 2022


   Example signature using only required fields, represented in compact
   form:

   eyJhbGciOiJQUzM4NCIsImtpZCI6ImJpbGJvLmJhZ2dpbnNAaG9iYml0b24uZX
   hhbXBsZSJ9
   .
   SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IH
   lvdXIgZG9vci4gWW91IHN0ZXAgb250byB0aGUgcm9hZCwgYW5kIGlmIHlvdSBk
   b24ndCBrZWVwIHlvdXIgZmVldCwgdGhlcmXigJlzIG5vIGtub3dpbmcgd2hlcm
   UgeW91IG1pZ2h0IGJlIHN3ZXB0IG9mZiB0by4
   .
   cu22eBqkYDKgIlTpzDXGvaFfz6WGoz7fUDcfT0kkOy42miAh2qyBzk1xEsnk2I
   pN6-tPid6VrklHkqsGqDqHCdP6O8TTB5dDDItllVo6_1OLPpcbUrhiUSMxbbXU
   vdvWXzg-UD8biiReQFlfz28zGWVsdiNAUf8ZnyPEgVFn442ZdNqiVJRmBqrYRX
   e8P_ijQ7p8Vdz0TTrxUeT3lm8d9shnr2lfJT8ImUjvAA2Xez2Mlp8cBE5awDzT
   0qI0n6uiP1aCN_2_jLAeQTlqRHtfa64QQSUmFAAjVKPbByi7xho0uTOcbH510a
   6GYmJUAfmWjwZ6oD4ifKo8DYM-X72Eaw

   The same example decoded for readability:

   =============== NOTE: '\\' line wrapping per RFC 8792 ===============

   {
     "header": { "alg": "CRYDI3", "kid": "did:example:123#key-0" },
     "payload": "It's a dangerous business, Frodo, going out your door.\
   \ You step onto the road, and if you don't keep your feet, there's\
   \ no knowing where you might be swept off to.",
     "signature": "2As8T1AHenWzLuTojcAYFDnT05n4bmDGIWenHqoXVizL7311HtVg\
   \7PEJHYmpc1fIvFNrm0xJt0asD5bQk3ZY8WuEQDUjsn4j+zbyob8MPQI5u3p5ZkqlLhG\
   \6Q8p1q0Hd5voY4a78vNxFJpYsETc0bECAft196z5hml2VjuDBqI7W4ju/iDKambJIDz\
   \NLYgYinNyPcHjlfBP7aCfOqGBAOQrWuVgrAkdeM+uH6djaXW25+FeUl4Lg1uOIBPrcj\
   \ZJO4MO7j7BmiuHJDB74QG/ifVqnvr4z2alMWHjjR7nPPr2CIKpuRthSpNWYVTRSN3mM\
   \v0GjVLyaqhJpmUmewhjaQCi3iP7c59yKatGYjLPPEapsbN7ypIo1Bod/R2PZR0zeool\
   \d9k30VmGsVLkJ4OEIFnlA8epv+bJISApZWrGuU6NBP8vr4UB2D9DRd8zwvd/vI0BWdq\
   \nfglX4x18lWe8Tnd+21UC9n4zUb+KQlo9RR14VfXEOt9g5aOIzCWjAN+Oz8vqJ/ZwgH\
   \zZotZNF+nZehtFPcPLM3dpoUkEI391VH3QQ6VTYfbMW9wGJ6UnylxZFEzNCnMFF9Qhs\
   \7Xehy4yEDgJBFYIvbTRCfD+EbZbWQAnLKsm7UXXBR7HdUsJMhTkwdffGziWJBTf1UsG\
   \tqaCF1bvXgbcCSe0XGhc0QkQKwwj3kNWY9/hnhH1bn7kyySqaI+W4Ph3pKwRb38sCS/\
   \Gb3ryptI8zez0JR+lClWnu18noJjGincZq7jCGMiMCRFpzUV6rpY/FiM26IpZ8M9ShF\
   \BHsTN7KGpyIqG6Yc3GzOJ/4ir7V3I3wYguK7iBUiuTM+OKwxtM75carZJPX/2lkn2Hh\
   \TC+JVb2/yaHS2oDrlCwQosNhA/cB/cm+YmYgHc3KQwrZ/3Axr6weUSrWJ8qV+vJ5QKK\
   \a1+CLrkVGJX6vh+ps1NB5EV9yyMhBXAbbJZ3K+dGed3G7Vj/qF2kbnIUlSIeP1f6LsH\
   \XASuVLTU6qG0rTaCMYKwaAc5ROwAgyZmPXuOUwyCtNFb0+S73uX5/N2drrUPdXiURW+\
   \luFKCtaNimU8myoz6YkoY234kz8pedST8eqBZAioe8HeYEKtZSAyYov4YfLgkqHqJG6\
   \ycD2uA33kwnMim+jg/hIrWAIYYP9R90KECTvFR877RtfFgfn3+tZjWlmsxHZ5pNsTIA\
   \dNR+VmNpoUZkQ0dgHuFLztyAnCaumL38LHYHFHj2boa0zYsMGw8WtpEQ3+BNgoanNax\
   \dJ5THRRmhvMS3EDwanERimsZ6ZjdK8uchuVhytNiiKvBwEFWYIyoK9uUMBoEfDje4DX\
   \wIAefXYCqPK8eXhL+9qDLxADlDQbCu+Ey3whX/r4r2Q6l+34HpRrn3g5ok+GtO/3ni9\



Prorock, et al.          Expires 12 January 2023               [Page 18]

Internet-Draft           post-quantum-signatures               July 2022


   \dYiIYpcXYfhMGDoXJLZ3IMkK7L6e5u4/Wye7lot2B5ekSGRrkLkjv+bTIkppxbTU4Pi\
   \n40qbD91sRzw2/GzZmJsfcFaKbj5dhoNWyh5cZr1PqsxMI5EdXSxJ69VWf8e+h4iPoB\
   \YS1JnUjhicVWslpA1rdAvTkAsVY8rC22e09Hxzbkb/E7bt3iLDpekbbQAghZ31AwDv5\
   \KEG72bBbXIYHzPvhJzrlS2LR0XKTJVd8tAxOSdxQDOt8tE2eKpmWZ38MJfRIxt2Rzol\
   \p+bpKrR++pMLRrpViekVpZl/tlEojImNO5rLqxZhLxvZOyDfcT37jc1oqire527/Y9L\
   \3k894eHNYcXxjb0LGGPDeLuTSEX+afHZLNbd93Qa5VTmLwsPxEW/Erua6nXUrAR/87P\
   \0gIyce3h3sl5jzCXsQm/iODgyn7PTEo5ksQCFRPiyXq5xgiXGKGGkqTGg28Ohdby+lN\
   \DPnNHU2J0F6GLTqwK3qGbBLzDGIMR2sePGpxZ/pecoX7yn5bTOf4iY1OCyLo5nEgSeb\
   \JdBJh0ZU+QodLRN0cnenLmP1oNK2yCuT9uIAlWH9C1CLhBiEOfoIs9/r1W1XHPiPsX7\
   \c21w+B1IPfzUX1cVdndnNo4XdHl9CH1tYJDLr8LfeuYnz+bnaFlqEUryTc8zUl4A+qB\
   \SIDDDjefCbmDsTrdqzGT2J89MKViOogy3qJzyt3jo04xq+Q3OGjbOFJikyJEqUm8BmX\
   \d3ctGfzsEr+5w7fDRco40/tDQUSH0qOWOsPkhuelLqKDziJXwhPQI42miVN2A4+OAS4\
   \f2uTgpDNn1gIfH2+dOCkBjlhZeA1Tgrp8FHQxcaO5kut6cTLrL7CSBqINa7Khe1zyXa\
   \PZG/tXUk+iv0BYT92b7CRNmg1qhE0G8V3q3QrB6EePYa1WxRQ7ij4rRcQWcj66A1hZ5\
   \KjDUVJh+02cZTFrv97wM/im3vb3dbiSxAiQExSa2KATfLI2oS+y7RlRNJ+9nF/vTaFc\
   \0HOdKfmuJAUkAcyk/h0Quvdaf9jxEcstj95mva+HkIqPuFifidlvGiafKr4fHZryp1h\
   \g7QUtDRU2a4BRfzcLz6PKOBFV3xVI7qoQbKEqQyldv8mZRd0LBRKprxHW7PdUqutH2V\
   \GEmZ4UuCYXT11UweBx2W9lHrQX+xaKAjTu6oLYIOvmFVCUr4mCrYRcLZnzwORcsqIl4\
   \G88x8r5aeilL4lsQZO3kNotR4n0qzFVRU2+EXO7QJFm+NKxB7aRZ5oH+dSy+Ye6aMeG\
   \Epv491LU0LVnZNMBP2eUhoEoOgimmZGtUobjRdLuYyNiJfJzVkjwF3gYQtY59zb+46N\
   \SzvWUqpFUG80Vswns8GNAQ5hfLoH8OGGohT+UvoqvpTEXhiAAFstT/EQrHLZrYpXHJI\
   \YaICW+6uo9ixL0oWkfI0HlYaXyNkaFKHQ5ZbPaP45dbWq/dqXdrRe2YU8AqdjCxyyzO\
   \lyZR6zH9wHj0k1AIOHvnKZ/B2v4bS8YAtNZ1zgKbOvM4qqSIFETfr8N4yIteumHEznP\
   \prD7Gr6W2VCS/0FXnQt5y0QC8z4ffrnggwPjcZfsCRSknktQB1q6Cx8KUOipf+RhOvs\
   \HnNN3qJZmxz6YCvo2M7fxJtyRvm34UEVaj8QKXrmzX70Y9rDl6wEhhvSThaeq4dcfAC\
   \vczGXWgCLB10gl+Iz6hVDTgCx7bC2BQ2oHtzSDc+v/UuJewvVaIL9tn4CtMZU86f3Zc\
   \fTN2zke5alNpoJP9A+mkbcfy0aD6yFcn3nw2ueFDsssRg1ZcS5CujNeylAwxRYaNSmU\
   \zDzMygHu0CTxfGEG2c63J32HkG4Ds58KSk7HSD58jgScBv+QjBUAGSJozFG9y7yIF5R\
   \kD74aSJMYmuzow2UnGayR9yM5ONbW1brD4wNyJHqDIroCUvrL8zu24ErFWDKy6VaZ0m\
   \ggPvX38IoxIPnE+PmOtRGr+ua9r9zO47TtEoADjIEtwQuNem0S1fqeVx2Fd1TmKc5+v\
   \cxMsmuEKQiewTbviLdIWHTz4snU/dt77cxQEFWkS3pu31kCLyLbpiCKMrn1nELafNBg\
   \RbzwEqGTT0i24Kz/kvC5RYr2USuHKksZxPfgx7Y0OpY3IbemFO11EmnG9odSwnVcww+\
   \9/IIevZHUw1qqTxZu1re/AMfqhKgaD8XiwuKxPZQQo7Z6jj3yOugAVWYOw/88bAXO2k\
   \deVc0mG53sKH9ChLg35LdPrpLgHeFjIHJ27L9ucqUw70Pu58vRJUnYDey997y57k1vh\
   \9RwPkNvIs269v6s/xfg9VM9N4aY4X25EWCxchMWlH9LMamYF6JTP0v7v00cdHycmX5D\
   \EnwqspYYNomVpJlOOxgMAO9oy1E4dhg3IJo+fJgL9rgOxJ4INTJOg/9tUz21LPI3c1c\
   \D5pPs/y0zy0cF9f6ahaYxMDk/nfout2FGmoesMCaTN11JngYYC5H95cDeMwErm6ppSU\
   \woCqut45noJq0VS4V3PKfASIfuUwP3vgFKo+82Wy3dqEr+sBAsve44CKQ8Tq1GLYjet\
   \L3xugCkl0uaGh6TFqj2X/vJlXOW0Ouyvzt62fxeQ4esOrs4LdRxkJbKT2I2p6rQAlBi\
   \GaZLvOuccQh7NSt7BEJBy8QUrPV10vPmCNGQrKS6alC/JNFLaxmsP4CPQqwRQ3fg2ia\
   \qQRol0htD+UFjWUBXrQdrs48b9TdLHmbPHPbG6+ZeuCi87kJ/zJyjHA0SYUP6awkfga\
   \ckiLUppo0oNIc9/qsVr2lFIWIO9+UWnIFR9nNFPzgbqw/cMOC/uWAOOsGS8ADQ/rePO\
   \fTXx0mfkvI2YeTdiIayy+uwUxoLdz90DGhUysP+JGU9kZTqYNJYsjC4OgLXS+qKCYai\
   \oW/leFs1fdP6SH+E24pOOJARU/f/ZajcMMXAwQdIVeOo7jvDhMydne90/18fcwpNVN0\
   \tswhRsnW4uMCSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIEBMZHyE="
   }





Prorock, et al.          Expires 12 January 2023               [Page 19]

Internet-Draft           post-quantum-signatures               July 2022


3.5.  Using CRYDI with COSE

   The approach taken here matches the work done to support secp256k1 in
   JOSE and COSE in [RFC8812].

   The following tables map terms between JOSE and COSE for signatures.

              +========+=======+=============+=============+
              | Name   | Value | Description | Recommended |
              +========+=======+=============+=============+
              | CRYDI5 | TBD   | TBD         | No          |
              +--------+-------+-------------+-------------+
              | CRYDI3 | TBD   | TBD         | No          |
              +--------+-------+-------------+-------------+
              | CRYDI2 | TBD   | TBD         | No          |
              +--------+-------+-------------+-------------+

                                 Table 6

   The following tables map terms between JOSE and COSE for key types.

               +======+=======+=============+=============+
               | Name | Value | Description | Recommended |
               +======+=======+=============+=============+
               | PQK  | TBD   | TBD         | No          |
               +------+-------+-------------+-------------+

                                 Table 7

4.  Falcon

4.1.  Overview

   This section of the document describes the lattice signature scheme
   [Falcon], the "Fast Fourier lattice-based compact signatures over
   NTRU".  Falcon is based on the GPV hash-and-sign lattice-based
   signature framework introduced by Gentry, Peikert and Vaikuntanathan
   [GPV08], which is a framework that requires a class of lattices and a
   trapdoor sampler technique.  For the class of lattices, Flacon uses
   the well-known NTRU lattices, while for the trapdoor sampler, it uses
   a new fast Fourier sampling technique [DP16].  The underlying hard
   problem is the short integer solution problem (SIS) over NTRU
   lattices, for which no efficient solving algorithm is currently known
   for both classical as well as quantum settings.

   The main design principle of Falcon is compactness, i.e. it was
   designed in a way that achieves minimal total memory bandwidth
   requirement (the sum of the signature size plus the public key size).



Prorock, et al.          Expires 12 January 2023               [Page 20]

Internet-Draft           post-quantum-signatures               July 2022


   This is possible due to the compactness of NTRU lattices.  Falcon
   also offers very efficient signing and verification procedures.  The
   main potential downsides of Falcon refer to the non-triviality of its
   algorithms and the need for floating point arithmetic support.

   The GPV framework, which underpins the Falcon design, is proven to be
   secure in the (quantum) random oracle model as long as the SIS
   problem remains intractable.  Falcon requires an adaption of this
   prove to account for the fact it uses NTRU lattices.

   Falcon brings several advantages over other approaches to signature
   suites:

   *  Post quantum secure as long as the NTRU-SIS problem remains
      intractable.
   *  Compactness: Falcon aims at minimum signature plus public key
      sizes.  This should be contrasted with hash-based signature
      schemes (e.g.  SPHINCS+), which minimizes public key sizes but
      suffer from long signatures, and multivariate quadratic schemes,
      which minimizes signatures sizes but suffers from long public
      keys.  It also offers substantially shorter signatures than other
      lattice schemes while public keys are about the same size.
   *  Efficiency: Falcon can produce thousands of signatures per second
      on a common computer, while verification is up to ten times
      faster.  The operations in Falcon have O(n log n) complexity for
      degree n.
   *  Side-channel resistance: Falcon used to have an important
      limitation regarding side-channel attacks due to the hardness of
      implementing discrete Gaussian sampling over the integers in
      constant-time, a gap that has been recently filled in the
      literature.

4.2.  Core Operations

   Core operations used by the signature scheme should be implemented
   according to the details in [Falcon].  Core operations include key
   generation, sign, and verify.

4.3.  Using FALCON with JOSE

   This sections is based on CBOR Object Signing and Encryption (COSE)
   and JSON Object Signing and Encryption (JOSE)
   (https://datatracker.ietf.org/doc/html/rfc8812#section-3)








Prorock, et al.          Expires 12 January 2023               [Page 21]

Internet-Draft           post-quantum-signatures               July 2022


4.3.1.  FALCON Key Representations

   A new key type (kty) value "NTRU" (for keys related to the family of
   algorithms that utilize NTRU based approaches to Post Quantum lattice
   based cryptography) is defined for public key algorithms that use
   base 64 encoded strings of the underlying binary materia as private
   and public keys and that support cryptographic sponge functions.  It
   has the following parameters:

   *  The parameter "kty" MUST be "NTRU".

   *  The parameter "alg" MUST be specified, and its value MUST be one
      of the values specified the below table

              +============+================================+
              | alg        | Description                    |
              +============+================================+
              | FALCON512  | Falcon with parameter set 512  |
              +------------+--------------------------------+
              | FALCON1024 | Falcon with parameter set 1024 |
              +------------+--------------------------------+

                                  Table 8

   *  The parameter "pset" MAY be specfied to indicate the paramter set
      in use for the algorithm, but SHOULD also reflect the targeted
      NIST level for the algorithm in combination with the specified
      paramter set.  For "alg" "FALCON" one of the described parameter
      sets "512" or "1024" MUST be specified.  Parameter set "512" or
      above SHOULD be used with "FALCON" for any situation requiring at
      least 128bits of security against both quantum and classical
      attacks

   *  The parameter "x" MUST be present and contain the public key
      encoded using the base64url [RFC4648] encoding.

   *  The parameter "d" MUST be present for private keys and contain the
      private key encoded using the base64url encoding.  This parameter
      MUST NOT be present for public keys.

   Sizes of various key and signature material is as follows










Prorock, et al.          Expires 12 January 2023               [Page 22]

Internet-Draft           post-quantum-signatures               July 2022


    +===========+===============+==============+======+==============+
    | Variable  | Paramter Name | Paramter Set | Size | base64url    |
    |           |               |              |      | encoded size |
    +===========+===============+==============+======+==============+
    | Signature | sig           | 512          | 666  |              |
    +-----------+---------------+--------------+------+--------------+
    | Public    | x             | 512          | 897  |              |
    | Key       |               |              |      |              |
    +-----------+---------------+--------------+------+--------------+
    | Private   | d             | 512          | 1281 |              |
    | Key       |               |              |      |              |
    +-----------+---------------+--------------+------+--------------+
    | Signature | sig           | 1024         | 1280 |              |
    +-----------+---------------+--------------+------+--------------+
    | Public    | x             | 1024         | 1793 |              |
    | Key       |               |              |      |              |
    +-----------+---------------+--------------+------+--------------+
    | Private   | d             | 1024         | 2305 |              |
    | Key       |               |              |      |              |
    +-----------+---------------+--------------+------+--------------+

                                 Table 9

   When calculating JWK Thumbprints [RFC7638], the four public key
   fields are included in the hash input in lexicographic order: "kty",
   "alg", and "x".

4.3.2.  FALCON Algorithms

   In order to reduce the complexity of the key representation and
   signature representations we register a unique algorithm name per
   pset.  This allows us to omit registering the pset term, and reduced
   the likelyhood that it will be misused.  These alg values are used in
   both key representations and signatures.

                   +======+============+==============+
                   | kty  | alg        | Paramter Set |
                   +======+============+==============+
                   | NTRU | FALCON512  | 512          |
                   +------+------------+--------------+
                   | NTRU | FALCON1024 | 1024         |
                   +------+------------+--------------+

                                 Table 10







Prorock, et al.          Expires 12 January 2023               [Page 23]

Internet-Draft           post-quantum-signatures               July 2022


4.4.  Using FALCON with COSE

   The approach taken here matches the work done to support secp256k1 in
   JOSE and COSE in [RFC8812].

   The following tables map terms between JOSE and COSE for signatures.

            +============+=======+=============+=============+
            | Name       | Value | Description | Recommended |
            +============+=======+=============+=============+
            | FALCON512  | TBD   | TBD         | No          |
            +------------+-------+-------------+-------------+
            | FALCON1024 | TBD   | TBD         | No          |
            +------------+-------+-------------+-------------+

                                 Table 11

   The following tables map terms between JOSE and COSE for key types.

               +======+=======+=============+=============+
               | Name | Value | Description | Recommended |
               +======+=======+=============+=============+
               | NTRU | TBD   | TBD         | No          |
               +------+-------+-------------+-------------+

                                 Table 12

5.  SPHINCS-PLUS

   This section defines core operations used by the signature scheme, as
   proposed in [SPHINCS-PLUS].

5.1.  Overview

   This section of the document describes the hash-based signature
   scheme SPHINCS+. The scheme is based on the concept of authenticating
   a large number or few-time signatures keypair using a combination of
   Merkle-tree signatures, a so-called hypertree.  For each message to
   be signed a (pseudo-)random FTS keypair is selected with which the
   message can be signed.  Combining this signature along with an
   authentication path through the hyper-tree consisting of hash-based
   many-time signatures then gives the SPHINC+ signature.  The parameter
   set is strategically chosen such that the probability of signing too
   many messages with a specific FTS keypair to impact security is small
   enough to prevent forgery attacks.  A trade-off in parameter set can
   be made on security guarantees, performance and signature size.





Prorock, et al.          Expires 12 January 2023               [Page 24]

Internet-Draft           post-quantum-signatures               July 2022


   SPHINCS+ is a post-quantum approach to digital signatures that is
   promises Post-Quantum Existential Unforgeability under Chosen Message
   Attack (PQ-EU-CMA), while ensuring that the security levels reached
   meet security needs for resistance to both classical and quantum
   attacks.  The algoritm itself is based on the hardness assumptions of
   its underlying hash functions, which can be chosen from the set
   Haraka, SHA-256 or SHAKE256.  For all security levels the only
   operations required are calls to these hash functions on various
   combinations of parameters and internal states.

   Contrary to CRYSTALS-Dilithium and Falcon, SPHINCS+ is not based on
   any algebraic structure.  This reduces the possible attack surface of
   the algorithm.

   SPHINCS+ brings several advantages over other approaches to signature
   suites:

   *  Post Quantum in nature - use of cryptographically secure hash
      functions and other approaches that should remain hard problems
      even when under an attack utilizing quantum approaches
   *  Minimal security assumptions - compared to other schemes does not
      base its security on a new paradigm.  The security is solely based
      on the security of the assumptions of the underlying hash
      function.
   *  Performance and Optimization - based on combining a great many
      hash function calls of SHA-256, SHAKE256 or Haraka means existing
      (secure) SW and HW implementations of those hash functions can be
      re-used for increased performance
   *  Private and Public Key Size - compared to other post quantum
      approaches a very small key size is the form of hash inputs-
      outputs.  This then has the drawback that either a large signature
      or low signing speed has to be accepted
   *  Cryptanalysis assuarance - attacks (both pre-quantum and quantum)
      are easy to relate to existing attacks on hash functions.  This
      allows for precise quantification of the security levels
   *  Overlap with stateful hash-based algorithms - means there are
      possibilities to combine implementions with those of XMSS and LMS
      (TODO refs)
   *  Inherent resistance against side-channel attacks - since its core
      primitive is a hash function, it thereby is hard to attack with
      side-channels.

   The primary known disadvantage to SPHINCS+ is the size signatures, or
   the speed of signing, depending on the chosen parameter set.
   Especially in IoT applications this might pose a problem.
   Additionally hash-based schemes are also vulnerable to differential
   and fault attacks.




Prorock, et al.          Expires 12 January 2023               [Page 25]

Internet-Draft           post-quantum-signatures               July 2022


5.2.  Core Operations

   Core operations used by the signature scheme should be implemented
   according to the details in [SPHINCS-PLUS].  Core operations include
   key generation, sign, and verify.

5.3.  Using SPHINCS-PLUS with JOSE

   This sections is based on CBOR Object Signing and Encryption (COSE)
   and JSON Object Signing and Encryption (JOSE)
   (https://datatracker.ietf.org/doc/html/rfc8812#section-3)

5.3.1.  SPHINCS-PLUS Key Representations

   A new key type (kty) value "HASH" (for keys related to the family of
   algorithms that utilize hash based approaches to Post Quantum
   Cryptography) is defined for public key algorithms that use base 64
   encoded strings of the underlying binary materia as private and
   public keys and that support cryptographic sponge functions.  It has
   the following parameters:

   *  The parameter "kty" MUST be "HASH".

   *  The parameter "alg" MUST be specified, and its value MUST be one
      of the values specified the below table

          +==============+=====================================+
          | alg          | Description                         |
          +==============+=====================================+
          | SPHINCS+128s | SPHINCS+ with parameter set of 128s |
          +--------------+-------------------------------------+
          | SPHINCS+128f | SPHINCS+ with parameter set of 128f |
          +--------------+-------------------------------------+
          | SPHINCS+192s | SPHINCS+ with parameter set of 192s |
          +--------------+-------------------------------------+
          | SPHINCS+192f | SPHINCS+ with parameter set of 192f |
          +--------------+-------------------------------------+
          | SPHINCS+256s | SPHINCS+ with parameter set of 256s |
          +--------------+-------------------------------------+
          | SPHINCS+256f | SPHINCS+ with parameter set of 256f |
          +--------------+-------------------------------------+

                                 Table 13








Prorock, et al.          Expires 12 January 2023               [Page 26]

Internet-Draft           post-quantum-signatures               July 2022


   *  The parameter "pset" MAY be specfied to indicate the paramter set
      in use for the algorithm, but SHOULD also reflect the targeted
      NIST level for the algorithm in combination with the specified
      paramter set.  For "alg" "HAS" one of the described parameter sets
      as listed in the section SPHINCS+ Algorithms MUST be specified.

   *  The parameter "x" MUST be present and contain the public key
      encoded using the base64url [RFC4648] encoding.

   *  The parameter "d" MUST be present for private keys and contain the
      private key encoded using the base64url encoding.  This parameter
      MUST NOT be present for public keys.

   Sizes of various key and signature material is as follows (TBD)

    +===========+===============+==============+======+==============+
    | Variable  | Paramter Name | Paramter Set | Size | base64url    |
    |           |               |              |      | encoded size |
    +===========+===============+==============+======+==============+
    | Signature | sig           |              |      |              |
    +-----------+---------------+--------------+------+--------------+
    | Public    | x             |              |      |              |
    | Key       |               |              |      |              |
    +-----------+---------------+--------------+------+--------------+
    | Private   | d             |              |      |              |
    | Key       |               |              |      |              |
    +-----------+---------------+--------------+------+--------------+

                                 Table 14

   When calculating JWK Thumbprints [RFC7638], the four public key
   fields are included in the hash input in lexicographic order: "kty",
   "alg", and "x".

5.3.2.  SPHINCS-PLUS Algorithms

   In order to reduce the complexity of the key representation and
   signature representations we register a unique algorithm name per
   pset.  This allows us to omit registering the pset term, and reduced
   the likelyhood that it will be misused.  These alg values are used in
   both key representations and signatures.










Prorock, et al.          Expires 12 January 2023               [Page 27]

Internet-Draft           post-quantum-signatures               July 2022


                  +======+==============+==============+
                  | kty  | alg          | Paramter Set |
                  +======+==============+==============+
                  | HASH | SPHINCS+128s | 128s         |
                  +------+--------------+--------------+
                  | HASH | SPHINCS+128f | 128f         |
                  +------+--------------+--------------+
                  | HASH | SPHINCS+192s | 192s         |
                  +------+--------------+--------------+
                  | HASH | SPHINCS+192f | 192f         |
                  +------+--------------+--------------+
                  | HASH | SPHINCS+256s | 256s         |
                  +------+--------------+--------------+
                  | HASH | SPHINCS+256f | 256f         |
                  +------+--------------+--------------+

                                 Table 15

5.3.2.1.  Public Key

   TODO

5.3.2.2.  Private Key

   TODO

5.3.3.  SPHINCS-PLUS Signature Representation

   TODO

5.4.  Using HASH with COSE

   The approach taken here matches the work done to support secp256k1 in
   JOSE and COSE in [RFC8812].

   The following tables map terms between JOSE and COSE for signatures.















Prorock, et al.          Expires 12 January 2023               [Page 28]

Internet-Draft           post-quantum-signatures               July 2022


           +==============+=======+=============+=============+
           | Name         | Value | Description | Recommended |
           +==============+=======+=============+=============+
           | SPHINCS+128s | TBD   | TBD         | No          |
           +--------------+-------+-------------+-------------+
           | SPHINCS+128f | TBD   | TBD         | No          |
           +--------------+-------+-------------+-------------+
           | SPHINCS+192s | TBD   | TBD         | No          |
           +--------------+-------+-------------+-------------+
           | SPHINCS+192f | TBD   | TBD         | No          |
           +--------------+-------+-------------+-------------+
           | SPHINCS+256s | TBD   | TBD         | No          |
           +--------------+-------+-------------+-------------+
           | SPHINCS+256f | TBD   | TBD         | No          |
           +--------------+-------+-------------+-------------+

                                 Table 16

   The following tables map terms between JOSE and COSE for key types.

               +======+=======+=============+=============+
               | Name | Value | Description | Recommended |
               +======+=======+=============+=============+
               | HASH | TBD   | TBD         | No          |
               +------+-------+-------------+-------------+

                                 Table 17

6.  CRYSTALS-Kyber

   TBD

7.  Security Considerations

   The following considerations SHOULD apply to all signature schemes
   described in this specification, unless otherwise noted.

7.1.  Validating public keys

   All algorithms in that operate on public keys require first
   validating those keys.  For the sign, verify and proof schemes, the
   use of KeyValidate is REQUIRED.









Prorock, et al.          Expires 12 January 2023               [Page 29]

Internet-Draft           post-quantum-signatures               July 2022


7.2.  Side channel attacks

   Implementations of the signing algorithm SHOULD protect the secret
   key from side-channel attacks.  Multiple best practices exist to
   protect against side-channel attacks.  Any implementation of the the
   CRYSTALS-Dilithium signing algorithm SHOULD utilize the following
   best practices at a minimum:

   *  Constant timing - the implementation should ensure that constant
      time is utilized in operations
   *  Sequence and memory access persistance - the implemention SHOULD
      execute the exact same sequence of instructions (at a machine
      level) with the exact same memory access independent of which
      polynomial is being operated on.
   *  Uniform sampling - uniform sampling is the default in CRYSTALS-
      Dilithium to prevent information leakage, however care should be
      given in implementations to preserve the property of uniform
      sampling in implementation.
   *  Secrecy of S1 - utmost care must be given to protection of S1 and
      to prevent information or power leakage.  As is the case with most
      proposed lattice based approaches to date, fogery and other
      attacks may succeed, for example, with Dilithium through leakage
      of S1 (https://eprint.iacr.org/2018/821.pdf) through side channel
      mechanisms.

7.3.  Randomness considerations

   It is recommended that the all nonces are from a trusted source of
   randomness.

8.  IANA Considerations

   The following has NOT YET been added to the "JSON Web Key Types"
   registry:

   *  Name: "LWE"
   *  Description: LWE family post quantum signature algorithm key pairs
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)

   The following has NOT YET been added to the "JSON Web Key Types"
   registry:

   *  Name: "NTRU"
   *  Description: NTRU family post quantum signature algorithm key
      pairs
   *  JOSE Implementation Requirements: Optional



Prorock, et al.          Expires 12 January 2023               [Page 30]

Internet-Draft           post-quantum-signatures               July 2022


   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)

   The following has NOT YET been added to the "JSON Web Key Types"
   registry:

   *  Name: "HASH"
   *  Description: Hash based post quantum signature algorithm key pairs
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)

   The following has NOT YET been added to the "JSON Web Key Parameters"
   registry:

   *  Parameter Name: "pset"
   *  Parameter Description: The parameter set of the crypto system
   *  Parameter Information Class: Public
   *  Used with "kty" Value(s): "LWE", "NTRU", "HASH"
   *  Change Controller: IESG
   *  Specification Document(s): Section 2 of this document (TBD)

   The following has NOT YET been added to the "JSON Web Key Parameters"
   registry:

   *  Parameter Name: "d"
   *  Parameter Description: The private key
   *  Parameter Information Class: Private
   *  Used with "kty" Value(s): "LWE", "NTRU", "HASH"
   *  Change Controller: IESG
   *  Specification Document(s): Section 2 of RFC 8037

   The following has NOT YET been added to the "JSON Web Key Parameters"
   registry:

   *  Parameter Name: "x"
   *  Parameter Description: The public key
   *  Parameter Information Class: Public
   *  Used with "kty" Value(s): "LWE", "NTRU", "HASH"
   *  Change Controller: IESG
   *  Specification Document(s): Section 2 of RFC 8037

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "CRYDI2"
   *  Algorithm Description: CRYDI2 signature algorithms
   *  Algorithm Usage Location(s): "alg"



Prorock, et al.          Expires 12 January 2023               [Page 31]

Internet-Draft           post-quantum-signatures               July 2022


   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "CRYDI3"
   *  Algorithm Description: CRYDI3 signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "CRYDI5"
   *  Algorithm Description: CRYDI5 signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 3.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "FALCON512"
   *  Algorithm Description: FALCON512 signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 4.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "FALCON1024"
   *  Algorithm Description: FALCON1024 signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 4.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)



Prorock, et al.          Expires 12 January 2023               [Page 32]

Internet-Draft           post-quantum-signatures               July 2022


   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "SPHINCS+128s"
   *  Algorithm Description: SPHINCS+128s signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 5.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "SPHINCS+128f"
   *  Algorithm Description: SPHINCS+128f signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 5.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "SPHINCS+192s"
   *  Algorithm Description: SPHINCS+192s signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 5.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "SPHINCS+192f"
   *  Algorithm Description: SPHINCS+192f signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 5.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "SPHINCS+256s"



Prorock, et al.          Expires 12 January 2023               [Page 33]

Internet-Draft           post-quantum-signatures               July 2022


   *  Algorithm Description: SPHINCS+256s signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 5.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

   The following has NOT YET been added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "SPHINCS+256f"
   *  Algorithm Description: SPHINCS+256f signature algorithms
   *  Algorithm Usage Location(s): "alg"
   *  JOSE Implementation Requirements: Optional
   *  Change Controller: IESG
   *  Specification Document(s): Section 5.1 of this document (TBD)
   *  Algorithm Analysis Documents(s): (TBD)

9.  Appendix

   *  JSON Web Signature (JWS) - RFC7515 (https://tools.ietf.org/html/
      rfc7515)
   *  JSON Web Encryption (JWE) - RFC7516 (https://tools.ietf.org/html/
      rfc7516)
   *  JSON Web Key (JWK) - RFC7517 (https://tools.ietf.org/html/rfc7517)
   *  JSON Web Algorithms (JWA) - RFC7518 (https://tools.ietf.org/html/
      rfc7518)
   *  JSON Web Token (JWT) - RFC7519 (https://tools.ietf.org/html/
      rfc7519)
   *  JSON Web Key Thumbprint - RFC7638 (https://tools.ietf.org/html/
      rfc7638)
   *  JWS Unencoded Payload Option - RFC7797
      (https://tools.ietf.org/html/rfc7797)
   *  CFRG Elliptic Curve ECDH and Signatures - RFC8037
      (https://tools.ietf.org/html/rfc8037)
   *  CRYSTALS-Dilithium - Dilithium (https://www.pq-
      crystals.org/dilithium/data/dilithium-specification-
      round3-20210208.pdf)
   *  SPHINCS+ - SPHINCS-PLUS (https://sphincs.org/data/sphincs+-
      round3-specification.pdf)











Prorock, et al.          Expires 12 January 2023               [Page 34]

Internet-Draft           post-quantum-signatures               July 2022


   [DP16]: Leo Ducas and Thomas Prest.  Fast fourier orthogonalization.
   In Sergei A.  Abramov, Eugene V.  Zima, and Xiao-Shan Gao, editors,
   Proceedings of the ACM on International Symposium on Symbolic and
   Algebraic Computation, ISSAC 2016, Waterloo, ON, Canada, July 19-22,
   2016, pages 191-198.  ACM, 2016.  [GPV08]: Craig Gentry, Chris
   Peikert, and Vinod Vaikuntanathan.  Trapdoors for hard lattices and
   new cryptographic constructions.  In Richard E.  Ladner and Cynthia
   Dwork, editors, 40th ACM STOC, pages 197-206, Victoria, BC, Canada,
   May 17-20, 2008.  ACM Press.

9.1.  Test Vectors

   //TODO

10.  Normative References

   [CRYSTALS-Dilithium]
              Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V.,
              Schwabe, P., Seiler, G., and D. Stehle, "CRYSTALS-
              Dilithium: A Lattice-Based Digital Signature Scheme",
              2018, <https://doi.org/10.13154/tches.v2018.i1.238-268>.

   [Falcon]   Fouque, P., Hoffstein, J., Kirchner, P., Lyubashevsky, V.,
              Pornin, T., Prest, T., Ricosset, T., Seiler, G., Whyte,
              W., and Z. Zhang, "Fast-Fourier Lattice-based Compact
              Signatures over NTRU", 2017, <https://falcon-sign.info/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/info/rfc4648>.

   [RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
              Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
              2015, <https://www.rfc-editor.org/info/rfc7515>.

   [RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
              DOI 10.17487/RFC7517, May 2015,
              <https://www.rfc-editor.org/info/rfc7517>.

   [RFC7638]  Jones, M. and N. Sakimura, "JSON Web Key (JWK)
              Thumbprint", RFC 7638, DOI 10.17487/RFC7638, September
              2015, <https://www.rfc-editor.org/info/rfc7638>.




Prorock, et al.          Expires 12 January 2023               [Page 35]

Internet-Draft           post-quantum-signatures               July 2022


   [RFC8702]  Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash
              Functions in the Cryptographic Message Syntax (CMS)",
              RFC 8702, DOI 10.17487/RFC8702, January 2020,
              <https://www.rfc-editor.org/info/rfc8702>.

   [RFC8812]  Jones, M., "CBOR Object Signing and Encryption (COSE) and
              JSON Object Signing and Encryption (JOSE) Registrations
              for Web Authentication (WebAuthn) Algorithms", RFC 8812,
              DOI 10.17487/RFC8812, August 2020,
              <https://www.rfc-editor.org/info/rfc8812>.

   [SPHINCS-PLUS]
              Hulsing, A., "Sphincs+ Stateless Hash-based Signatures",
              2017, <https://sphincs.org>.

11.  Informative References

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011,
              <https://www.rfc-editor.org/info/rfc6234>.

Authors' Addresses

   Michael Prorock
   mesur.io
   Email: mprorock@mesur.io


   Orie Steele
   Transmute
   Email: orie@transmute.industries


   Rafael Misoczki
   Google
   Email: rafaelmisoczki@google.com


   Michael Osborne
   IBM
   Email: osb@zurich.ibm.com


   Christine Cloostermans
   NXP
   Email: christine.cloostermans@nxp.com




Prorock, et al.          Expires 12 January 2023               [Page 36]