Internet X.509 Public Key Infrastructure - Algorithm Identifiers for FrodoKEM

Internet X.509 Public Key Infrastructure - Algorithm Identifiers for FrodoKEM ELVIS-PLUS

Russian Federation svan@elvis.ru

LAMPS FrodoKEM is an unstructured lattice-based Key Encapsulation Mechanism (KEM). Compared to ML-KEM, FrodoKEM is considered as having more conservative design. This document specifies the conventions for using FrodoKEM in X.509 Public Key Infrastructure. The conventions for the subject public keys and private keys are also specified.

FrodoKEM is an unstructured lattice-based Key Encapsulation Mechanism (KEM). At the time of writing this document, FrodoKEM is being standardized in ISO (International Organization for Standardization) as a quantum-resistant key-encapsulation mechanism. This document specifies the use of FrodoFEM in Public Key Infrastructure X.509 (PKIX) certificates at two security levels: FrodoKEM-976 and FrodoKEM-1344, using object identifiers assigned by ISO. The private key format is also specified.

FrodoKEM certificates are used in protocols where the public key is used to generate and encapsulate a shared secret used to derive a symmetric key used to encrypt a payload, like in CMS. To be used in TLS, FrodoKEM certificates could only be used as end-entity identity certificates and would require significant updates to the protocol; see, for example, .

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The AlgorithmIdentifier type is defined in [RFC5912] as follows:

The fields in AlgorithmIdentifier have the following meanings: algorithm identifies the cryptographic algorithm with an object identifier. parameters, which are optional, are the associated parameters for the algorithm identifier in the algorithm field. The AlgorithmIdentifier for a FrodoKEM public key MUST use one of the object identifiers (OID) from ISO listed below, based on the security level. The parameters field of the AlgorithmIdentifier for the FrodoKEM public key MUST be absent.

In the X.509 certificate, the subjectPublicKeyInfo field has the SubjectPublicKeyInfo type, which has the following ASN.1 syntax:

The fields in SubjectPublicKeyInfo have the following meaning: algorithm is the algorithm identifier and parameters for the public key (see above). subjectPublicKey contains the byte stream of the public key. For each FrodoKEM security level, see , we define a PUBLIC-KEY ASN.1 type as follows.

When a FrodoKEM public key appears outside of a SubjectPublicKeyInfo type in an environment that uses ASN.1 encoding, it can be encoded as an OCTET STRING by using the frodokem976-shake-PublicKey, frodokem1344-shake-PublicKey, efrodokem976-shake-PublicKey, efrodokem1344-shake-PublicKey, frodokem976-aes-PublicKey, frodokem1344-aes-PublicKey, efrodokem976-aes-PublicKey, and efrodokem1344-aes-PublicKey types corresponding to the correct key size. describes the Asymmetric Key Package's OneAsymmetricKey type for encoding asymmetric keypairs. When a FrodoKEM private key or keypair is encoded as a OneAsymmetricKey, it follows the description in .

The intended application for the key is indicated in the keyUsage certificate extension; see Section 4.2.1.3 of . If the keyUsage extension is present in certificates, then keyEncipherement MUST be the only key usage set for certificates that indicate id-kem-frodokem976-shake, id-kem-frodokem1344-shake, id-kem-efrodokem976-shake, id-kem-efrodokem1344-shake, id-kem-frodokem976-aes, id-kem-frodokem1344-aes, id-kem-efrodokem976-aes, id-kem-efrodokem1344-aes in SubjectPublicKeyInfo.

"Asymmetric Key Packages" describes how to encode a private key in a structure that both identifies which algorithm the private key is for and allows for the public key and additional attributes about the key to be included as well. For illustration, the ASN.1 structure OneAsymmetricKey is replicated below.

For FrodoKEM private keys, the privateKey field in OneAsymmetricKey contains the OCTET STRING representation of the FrodoKEM private key. The privateKeyAlgorithm field uses the AlgorithmIdentifier structure with the appropriate OID as defined in . The publicKey field contains the byte stream of the public key. If present, the publicKey field will hold the encoded public key as defined in .

The Security Considerations section of applies to this specification as well. Protection of the private-key information, i.e., the seed, is vital to public-key cryptography. Disclosure of the private-key material to another entity can lead to masquerades. The generation of private keys relies on random numbers. The use of inadequate pseudo-random number generators (PRNGs) to generate these values can result in little or no security. An attacker may find it much easier to reproduce the PRNG environment that produced the keys, searching the resulting small set of possibilities, rather than brute force searching the whole key space. The generation of quality random numbers is difficult. For more detailed FrodoKEM specific security considerations refer to .

For the ASN.1 Module in Appendix A, IANA is requested to assign an object identifier (OID) for the module identifier (TBD) with a Description of "id-mod-frodokem-kem-2026". The OID for the module should be allocated in the "SMI Security for PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).

&I-D.longa-cfrg-frodokem; &RFC2119; &RFC5280; &RFC5912; &RFC5958; &RFC8174; &RFC9629; Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation ITU-T &I-D.celi-wiggers-tls-authkem;

This appendix includes the ASN.1 module for FrodoKEM. Note that as per , certificates use the Distinguished Encoding Rules; see [X690]. This module imports objects from and .

X509-FRODOKEM-2026 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-frodokem-kem-2026(TBD) } DEFINITIONS IMPLICIT TAGS ::= BEGIN EXPORTS ALL; IMPORTS PUBLIC-KEY FROM AlgorithmInformation-2009 -- [RFC 5912] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) } KEM-ALGORITHM FROM KEMAlgorithmInformation-2023 -- [RFC 9629] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-kemAlgorithmInformation-2023(109) }; -- -- FrodoKEM Identifiers -- frodokem OBJECT IDENTIFIER ::= { iso(1) standard(0) encryption-algorithms(18033) part2(2) key-encapsulation-mechanism(2) 7 } id-kem-frodokem976-shake OBJECT IDENTIFIER ::= { frodokem 1 } id-kem-frodokem1344-shake OBJECT IDENTIFIER ::= { frodokem 2 } id-kem-efrodokem976-shake OBJECT IDENTIFIER ::= { frodokem 3 } id-kem-efrodokem1344-shake OBJECT IDENTIFIER ::= { frodokem 4 } id-kem-frodokem976-aes OBJECT IDENTIFIER ::= { frodokem 5 } id-kem-frodokem1344-aes OBJECT IDENTIFIER ::= { frodokem 6 } id-kem-efrodokem976-aes OBJECT IDENTIFIER ::= { frodokem 7 } id-kem-efrodokem1344-aes OBJECT IDENTIFIER ::= { frodokem 8 } -- -- Public Key Algorithms -- PublicKeys PUBLIC-KEY ::= { -- This expands PublicKeys from [RFC 5912] pk-frodokem976-shake | pk-frodokem1344-shake | pk-efrodokem976-shake | pk-efrodokem1344-shake | pk-frodokem976-aes | pk-frodokem1344-aes | pk-efrodokem976-aes | pk-efrodokem1344-aes, ... } -- -- FrodoKEM Public Keys -- pk-frodokem976-shake PUBLIC-KEY ::= { IDENTIFIER id-kem-frodokem976-shake -- KEY no ASN.1 wrapping; 15632 octets -- PARAMS ARE absent CERT-KEY-USAGE { keyEncipherment } PRIVATE-KEY frodokem976-shake-PrivateKey -- defined in Section 6 } pk-frodokem1344-shake PUBLIC-KEY ::= { IDENTIFIER id-kem-frodokem1344-shake -- KEY no ASN.1 wrapping; 21520 octets -- PARAMS ARE absent CERT-KEY-USAGE { keyEncipherment } PRIVATE-KEY frodokem1344-shake-PrivateKey -- defined in Section 6 } pk-efrodokem976-shake PUBLIC-KEY ::= { IDENTIFIER id-kem-efrodokem976-shake -- KEY no ASN.1 wrapping; 15632 octets -- PARAMS ARE absent CERT-KEY-USAGE { keyEncipherment } PRIVATE-KEY efrodokem976-shake-PrivateKey -- defined in Section 6 } pk-efrodokem1344-shake PUBLIC-KEY ::= { IDENTIFIER id-kem-efrodokem1344-shake -- KEY no ASN.1 wrapping; 21520 octets -- PARAMS ARE absent CERT-KEY-USAGE { keyEncipherment } PRIVATE-KEY efrodokem1344-shake-PrivateKey -- defined in Section 6 } pk-frodokem976-aes PUBLIC-KEY ::= { IDENTIFIER id-kem-frodokem976-aes -- KEY no ASN.1 wrapping; 15632 octets -- PARAMS ARE absent CERT-KEY-USAGE { keyEncipherment } PRIVATE-KEY frodokem976-aes-PrivateKey -- defined in Section 6 } pk-frodokem1344-aes PUBLIC-KEY ::= { IDENTIFIER id-kem-frodokem1344-aes -- KEY no ASN.1 wrapping; 21520 octets -- PARAMS ARE absent CERT-KEY-USAGE { keyEncipherment } PRIVATE-KEY frodokem1344-aes-PrivateKey -- defined in Section 6 } pk-efrodokem976-aes PUBLIC-KEY ::= { IDENTIFIER id-kem-efrodokem976-aes -- KEY no ASN.1 wrapping; 15632 octets -- PARAMS ARE absent CERT-KEY-USAGE { keyEncipherment } PRIVATE-KEY efrodokem976-aes-PrivateKey -- defined in Section 6 } pk-efrodokem1344-aes PUBLIC-KEY ::= { IDENTIFIER id-kem-efrodokem1344-aes -- KEY no ASN.1 wrapping; 21520 octets -- PARAMS ARE absent CERT-KEY-USAGE { keyEncipherment } PRIVATE-KEY efrodokem1344-aes-PrivateKey -- defined in Section 6 } frodokem976-shake-PublicKey ::= OCTET STRING (SIZE (15632)) frodokem1344-shake-PublicKey ::= OCTET STRING (SIZE (21520)) efrodokem976-shake-PublicKey ::= OCTET STRING (SIZE (15632)) efrodokem1344-shake-PublicKey ::= OCTET STRING (SIZE (21520)) frodokem976-aes-PublicKey ::= OCTET STRING (SIZE (15632)) frodokem1344-aes-PublicKey ::= OCTET STRING (SIZE (21520)) efrodokem976-aes-PublicKey ::= OCTET STRING (SIZE (15632)) efrodokem1344-aes-PublicKey ::= OCTET STRING (SIZE (21520)) END

]]>



	
     Instead of defining the strength of a quantum algorithm in a
   traditional manner using the imprecise notion of bits of security,
   NIST has defined security levels by picking a reference scheme, which
   NIST expects to offer notable levels of resistance to both quantum
   and classical attack.  To wit, a KEM algorithm that achieves NIST PQC
   security must require computational resources to break IND-CCA
   security comparable or greater than that required for key search on
   AES-128, AES-192, and AES-256 for Levels 1, 3, and 5, respectively.
   Levels 2 and 4 use collision search for SHA-256 and SHA-384 as
   reference.


  
    
        Level
        Parameter Set
        Public Key pk
        Secret Key sk
        Ciphertext ct
        Shared Secret ss
    
  
  
    
        3
        FrodoKEM-976
        15,632
        31,296
        15,792
        24
    
    
        3
        eFrodoKEM-976
        15,632
        31,296
        15,744
        24
    
    
        5
        FrodoKEM-1344
        21,520
        43,088
        21,696
        32
    
    
        5
        eFrodoKEM-1344
        21,520
        43,088
        21,632
        32
    
  


	

	
         Most of the text was impudently stolen from draft-ietf-lamps-kyber-certificates.

Level	Parameter Set	Public Key pk	Secret Key sk	Ciphertext ct	Shared Secret ss
3	FrodoKEM-976	15,632	31,296	15,792	24
3	eFrodoKEM-976	15,632	31,296	15,744	24
5	FrodoKEM-1344	21,520	43,088	21,696	32
5	eFrodoKEM-1344	21,520	43,088	21,632	32