Internet-Draft composite-fndsa-lms July 2026
Gray & Fiset Expires 7 January 2027 [Page]
Workgroup:
Limited Additional Mechanisms for PKIX and SMIME
Internet-Draft:
draft-gray-lamps-composite-fndsa-lms-latest
Published:
Intended Status:
Standards Track
Expires:
Authors:
J. Gray
Entrust
J. P. Fiset
Crypto4a

Composite FN-DSA and LMS Digital Signature Algorithm for use in X.509 Public Key Infrastructure

Abstract

This document defines a composite signature scheme combining the FN-DSA (Falcon) digital signature algorithm with the Leighton-Micali Signature (LMS) scheme defined in RFC 8554. This construction is designed for use within X.509 Public Key Infrastructure (PKI) and follows the composite signature paradigm defined in [I-D.ietf-lamps-pq-composite-sigs].

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://johngray-dev.github.io/draft-gray-lamps-composite-fndsa-lms/draft-gray-lamps-composite-fndsa-lms.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-gray-lamps-composite-fndsa-lms/.

Discussion of this document takes place on the Limited Additional Mechanisms for PKIX and SMIME Working Group mailing list (mailto:spasm@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/spasm/. Subscribe at https://www.ietf.org/mailman/listinfo/spasm/.

Source for this draft and an issue tracker can be found at https://github.com/johngray-dev/draft-gray-lamps-composite-fndsa-lms.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2027.

Table of Contents

1. Introduction

This document defines a composite signature scheme combining:

The reason for this choice of algorithm combination:

The composite construction presents a single algorithm interface while internally invoking both primitives.

This specification follows the composite design framework described in [I-D.ietf-lamps-pq-composite-sigs].

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Overview of the Composite FN-DSA-LMS Scheme

Composite FN-DSA-LMS is a hybrid signature scheme formed by combining FN-DSA and LMS.

The construction follows the composite signature combiner approach:

M' := Prefix || Label || len(ctx) || ctx || PH(M)

Both component algorithms independently sign M'.

3.1. Pre-hashing

Composite FN-DSA-LMS uses a pre-hash function PH:

PH(M)

This is incorporated into the message representative:

M' := Prefix || Label || len(ctx) || ctx || PH(M)

3.2. Prefix, Label, and Context

Prefix: Always set to "CompositeAlgorithmSignatures2025" as in [I-D.ietf-lamps-pq-composite-sigs].

Label: Unique per algorithm OID (defined in Algorithm Identifier section below)

ctx: Application-defined context (0–255 bytes).

4. Composite Functions

4.1. Key Generation

Composite-FNDSA-LMS.KeyGen() -> (pk, sk)

Steps:

1. Generate component keys:

(fndsaPK, fndsaSK) = FNDSA.KeyGen()
(lmsPK, lmsSK)     = LMS.KeyGen()

2. Output:

pk = SerializePublicKey(fndsaPK, lmsPK)
sk = SerializePrivateKey(fndsaSK, lmsSK)

4.2. Sign

Signing follows a similar procedure as in [I-D.ietf-lamps-pq-composite-sigs].

Composite-FNDSA-LMS.Sign(sk, M, ctx) -> s

Steps:

1. Check:
   if len(ctx) > 255: error

2. Compute:
   M' := Prefix || Label || len(ctx) || ctx || PH(M)

3. Deserialize keys:
  (fndsaSK, lmsSK) = DeserializePrivateKey(sk)

4. Sign:
  fndsaSig = FNDSA.Sign(fndsaSK, M')
  lmsSig   = LMS.Sign(lmsSK, M')

5. Output:
  s = SerializeSignatureValue(fndsaSig, lmsSig)

4.3. Verify

Composite-FNDSA-LMS.Verify(pk, M, s, ctx) -> boolean

Steps:

1. Deserialize:
   (fndsaPK, lmsPK) = DeserializePublicKey(pk)
   (fndsaSig, lmsSig) = DeserializeSignatureValue(s)

2. Compute:
   M' := Prefix || Label || len(ctx) || ctx || PH(M)

3. Verify:
  FNDSA.Verify(fndsaPK, M', fndsaSig)
  LMS.Verify(lmsPK, M', lmsSig)

Both FNDSA.Verify() and LMS.Verify() MUST verify correctly.

4.4. Serialization of Public and Privates Keys and Sigantures

4.4.1. Public Key

SerializePublicKey(fndsaPK, lmsPK):
return fndsaPK || lmsPK

4.4.2. Private Key

SerializePrivateKey(fndsaSK, lmsSK):
return fndsaSK || lmsSK

4.4.3. Signature

LMS signatures are variable length. Parsing relies on the fixed size of the FN-DSA signature.

SerializeSignatureValue(fndsaSig, lmsSig):
return fndsaSig || lmsSig

5. Use within X.509 and PKIX

Composite FN-DSA-LMS is used identically to other composite algorithms.

6. Algorithm Identifiers

6.1. id-FNDSA512-LMS_M24-SHAKE

  • Label: COMPSIG-FNDSA512-LMS_M24-SHAKE

  • PH: SHAKE256

  • FN-DSA: FN-DSA-512

  • LMS: LMS_SHAKE_M24_H10

6.2. id-FNDSA512-LMS_M32-SHAKE

  • Label: COMPSIG-FNDSA512-LMS_M32-SHAKE

  • PH: SHAKE256

  • FN-DSA: FN-DSA-512

  • LMS: LMS_SHAKE_M32_H10

6.3. id-FNDSA1024-LMS_M32-SHAKE

  • Label: COMPSIG-FNDSA1024-LMS_M32-SHAKE

  • PH: SHAKE256

  • FN-DSA: FN-DSA-1024

  • LMS: LMS_SHAKE_M32_H15

TODO: Define other combinations here. We want to keep the list as small as possible.

7. Security Considerations

7.1. LMS Statefulness Requirement

LMS private keys are stateful.

Each invocation of LMS.Sign MUST use a unique leaf index. Reuse of a leaf index results in catastrophic loss of security.

7.2. Hybrid Security

Composite FN-DSA-LMS is EUF-CMA secure if at least one component remains secure.

7.3. SUF-CMA

Composite FN-DSA-LMS is NOT SUF-CMA secure.

7.4. Key Reuse

Component keys MUST NOT be reused between:

  • composite vs standalone

  • multiple composites

8. IANA Considerations

IANA is requested to assign OIDs under:

1.3.6.1.5.5.7.6

TODO for each combination

9. Normative References

[I-D.ietf-lamps-fn-dsa-certificates]
Massimo, J., Kampanakis, P., Turner, S., and B. Westerbaan, "Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for the Fast-Fourier Transform over NTRU-Lattice-Based Digital Signature Algorithm (FN-DSA)", Work in Progress, Internet-Draft, draft-ietf-lamps-fn-dsa-certificates-00, , <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-fn-dsa-certificates-00>.
[I-D.ietf-lamps-pq-composite-sigs]
Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S. Fluhrer, "Composite Module-Lattice-Based Digital Signature Algorithm (ML-DSA) for use in X.509 Public Key Infrastructure", Work in Progress, Internet-Draft, draft-ietf-lamps-pq-composite-sigs-19, , <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-pq-composite-sigs-19>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8554]
McGrew, D., Curcio, M., and S. Fluhrer, "Leighton-Micali Hash-Based Signatures", RFC 8554, DOI 10.17487/RFC8554, , <https://www.rfc-editor.org/rfc/rfc8554>.
[RFC9858]
Fluhrer, S. and Q. Dang, "Additional Parameter Sets for HSS/LMS Hash-Based Signatures", RFC 9858, DOI 10.17487/RFC9858, , <https://www.rfc-editor.org/rfc/rfc9858>.

Acknowledgments

TODO acknowledge.

Authors' Addresses

John Gray
Entrust
2500 Solandt Road – Suite 100
Ottawa, Ontario K2K 3G5
Canada
Jean-Pierre Fiset
Crypto4a
Canada