Merge pull request #51 from lamps-wg/22-24AlgorithmCombos

22 24 algorithm combos

Composite-MLDSA-2024.asn

@@ -228,6 +228,34 @@ sa-MLDSA65-RSA3072-PKCS15-SHA512 SIGNATURE-ALGORITHM ::=
        id-MLDSA65-RSA3072-PKCS15-SHA512,
        pk-MLDSA65-RSA3072-PKCS15-SHA512 }
 
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-RSA4096-PSS-SHA512 OBJECT IDENTIFIER ::= {
+   joint-iso-itu-t(2) country(16) us(840) organization(1)
+   entrust(114027) algorithm(80) composite(8) signature(1) 34 }
+
+pk-MLDSA65-RSA4096-PSS-SHA512 PUBLIC-KEY ::=
+  pk-CompositeSignature{ id-MLDSA65-RSA4096-PSS-SHA512,
+  RsaCompositeSignaturePublicKey}
+
+sa-MLDSA65-RSA4096-PSS-SHA512 SIGNATURE-ALGORITHM ::=
+    sa-CompositeSignature{
+       id-MLDSA65-RSA4096-PSS-SHA512,
+       pk-MLDSA65-RSA4096-PSS-SHA512 }
+
+
+-- TODO: OID to be replaced by IANA
+id-MLDSA65-RSA4096-PKCS15-SHA512 OBJECT IDENTIFIER ::= {
+   joint-iso-itu-t(2) country(16) us(840) organization(1)
+   entrust(114027) algorithm(80) composite(8) signature(1) 35 }
+
+pk-MLDSA65-RSA4096-PKCS15-SHA512 PUBLIC-KEY ::=
+  pk-CompositeSignature{ id-MLDSA65-RSA4096-PKCS15-SHA512,
+  RsaCompositeSignaturePublicKey}
+
+sa-MLDSA65-RSA4096-PKCS15-SHA512 SIGNATURE-ALGORITHM ::=
+    sa-CompositeSignature{
+       id-MLDSA65-RSA4096-PKCS15-SHA512,
+       pk-MLDSA65-RSA4096-PKCS15-SHA512 }
 
 -- TODO: OID to be replaced by IANA
 id-MLDSA65-ECDSA-P256-SHA512 OBJECT IDENTIFIER ::= {
@@ -318,4 +346,4 @@ sa-MLDSA87-Ed448-SHA512 SIGNATURE-ALGORITHM ::=
        id-MLDSA87-Ed448-SHA512,
        pk-MLDSA87-Ed448-SHA512 }
 
-END
+END

draft-ietf-lamps-pq-composite-sigs.md

@@ -632,6 +632,8 @@ Signature public key types:
 | id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 | <CompSig>.25 | id-ML-DSA-44  | ecdsa-with-SHA256 with brainpoolP256r1 | id-sha256 |
 | id-MLDSA65-RSA3072-PSS-SHA512           | <CompSig>.26 | id-ML-DSA-65 | id-RSASA-PSS with id-sha512 | id-sha512 |
 | id-MLDSA65-RSA3072-PKCS15-SHA512        | <CompSig>.27  | id-ML-DSA-65 | sha512WithRSAEncryption | id-sha512 |
+| id-MLDSA65-RSA4096-PSS-SHA512           | <CompSig>.34 | id-ML-DSA-65 | id-RSASA-PSS with id-sha512 | id-sha512 |
+| id-MLDSA65-RSA4096-PKCS15-SHA512        | <CompSig>.35  | id-ML-DSA-65 | sha512WithRSAEncryption | id-sha512 |
 | id-MLDSA65-ECDSA-P256-SHA512            | <CompSig>.28  | id-ML-DSA-65 | ecdsa-with-SHA512 with secp256r1 | id-sha512 |
 | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | <CompSig>.29  | id-ML-DSA-65 | ecdsa-with-SHA512 with brainpoolP256r1 | id-sha512 |
 | id-MLDSA65-Ed25519-SHA512              | <CompSig>.30  | id-ML-DSA-65 | id-Ed25519 | id-sha512 |
@@ -658,6 +660,8 @@ As mentioned above, the OID input value is used as a domain separator for the Co
 | id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 |060B6086480186FA6B50080119|
 | id-MLDSA65-RSA3072-PSS-SHA512 |060B6086480186FA6B5008011A|
 | id-MLDSA65-RSA3072-PKCS15-SHA512 |060B6086480186FA6B5008011B|
+| id-MLDSA65-RSA4096-PSS-SHA512 |060B6086480186FA6B50080122|
+| id-MLDSA65-RSA4096-PKCS15-SHA512 |060B6086480186FA6B50080123|
 | id-MLDSA65-ECDSA-P256-SHA512 |060B6086480186FA6B5008011C|
 | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 |060B6086480186FA6B5008011D|
 | id-MLDSA65-Ed25519-SHA512 |060B6086480186FA6B5008011E|
@@ -708,6 +712,24 @@ where:
 * `Mask Generation Function (mgf1)` is defined in [RFC8017]
 * `SHA-512` is defined in [RFC6234].
 
+## Notes on id-MLDSA65-RSA4096-PSS-SHA512
+
+The RSA component keys MUST be generated at the 4096-bit security level in order to match with ML-DSA-65.
+
+As with the other composite signature algorithms, when `id-MLDSA65-RSA4096-PSS-SHA512`  is used in an AlgorithmIdentifier, the parameters MUST be absent. `id-MLDSA65-RSA4096-PSS-SHA512` SHALL instantiate RSA-PSS with the following parameters:
+
+| RSA-PSS Parameter          | Value                      |
+| -------------------------- | -------------------------- |
+| Mask Generation Function   | mgf1 |
+| Mask Generation params     | SHA-512                |
+| Message Digest Algorithm   | SHA-512                |
+| Salt Length in bits        | 512                    |
+{: #rsa-pss-params4096 title="RSA-PSS 4096 Parameters"}
+
+where:
+
+* `Mask Generation Function (mgf1)` is defined in [RFC8017]
+* `SHA-512` is defined in [RFC6234].
 
 <!-- End of Composite Signature Algorithm section -->
 
@@ -733,6 +755,8 @@ The following table lists the MANDATORY HASH algorithms to preserve security and
 | id-MLDSA44-ECDSA-brainpoolP256r1-SHA256 | SHA256 |
 | id-MLDSA65-RSA3072-PSS-SHA512           | SHA512 |
 | id-MLDSA65-RSA3072-PKCS15-SHA512        | SHA512 |
+| id-MLDSA65-RSA4096-PSS-SHA512           | SHA512 |
+| id-MLDSA65-RSA4096-PKCS15-SHA512        | SHA512 |
 | id-MLDSA65-ECDSA-P256-SHA512            | SHA512 |
 | id-MLDSA65-ECDSA-brainpoolP256r1-SHA512 | SHA512 |
 | id-MLDSA65-Ed25519-SHA512              | SHA512 |
@@ -860,6 +884,16 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{
   - Description:  id-MLDSA65-RSA3072-PKCS15-SHA512
   - References: This Document
 
+-  id-MLDSA65-RSA4096-PSS-SHA512
+  - Decimal: IANA Assigned
+  - Description:  id-MLDSA65-RSA4096-PSS-SHA512
+  - References: This Document
+
+-  id-MLDSA65-RSA4096-PKCS15-SHA512
+  - Decimal: IANA Assigned
+  - Description:  id-MLDSA65-RSA4096-PKCS15-SHA512
+  - References: This Document
+
 -  id-MLDSA65-ECDSA-P256-SHA512
   - Decimal: IANA Assigned
   - Description:  id-MLDSA65-ECDSA-P256-SHA512
@@ -899,7 +933,7 @@ EDNOTE to IANA: OIDs will need to be replaced in both the ASN.1 module and in {{
 
 The composite algorithm combinations defined in this document were chosen according to the following guidelines:
 
-1. A single RSA combination is provided at a key size of 3072 bits, matched with NIST PQC Level 3 algorithms.
+1. RSA combinations are provided at a key size of 2048, 3072, and 4096 bits matched with NIST PQC Level 2 and 3 algorithms.
 1. Elliptic curve algorithms are provided with combinations on each of the NIST [RFC6090], Brainpool [RFC5639], and Edwards [RFC7748] curves. NIST PQC Levels 1 - 3 algorithms are matched with 256-bit curves, while NIST levels 4 - 5 are matched with 384-bit elliptic curves. This provides a balance between matching classical security levels of post-quantum and traditional algorithms, and also selecting elliptic curves which already have wide adoption.
 1. NIST level 1 candidates are provided, matched with 256-bit elliptic curves, intended for constrained use cases.