| Internet-Draft | composite-fndsa-lms | July 2026 |
| Gray & Fiset | Expires 7 January 2027 | [Page] |
This document defines a composite signature scheme combining the FN-DSA (Falcon) digital signature algorithm with the Leighton-Micali Signature (LMS) scheme defined in RFC 8554. This construction is designed for use within X.509 Public Key Infrastructure (PKI) and follows the composite signature paradigm defined in [I-D.ietf-lamps-pq-composite-sigs].¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://johngray-dev.github.io/draft-gray-lamps-composite-fndsa-lms/draft-gray-lamps-composite-fndsa-lms.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-gray-lamps-composite-fndsa-lms/.¶
Discussion of this document takes place on the Limited Additional Mechanisms for PKIX and SMIME Working Group mailing list (mailto:spasm@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/spasm/. Subscribe at https://www.ietf.org/mailman/listinfo/spasm/.¶
Source for this draft and an issue tracker can be found at https://github.com/johngray-dev/draft-gray-lamps-composite-fndsa-lms.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document defines a composite signature scheme combining:¶
FN-DSA (Falcon), a lattice-based signature algorithm¶
The reason for this choice of algorithm combination:¶
Both FN-DSA and LMS are believed to be quantum resistant algorithms (PQ/PQ Hybrid).¶
They use completely different hardness problems (lattice based versus stateful hash based).¶
If relevent attacks or implementations bugs are found in either algorithm there is resiliency.¶
FN-DSA can help mitigate the risk of operational errors that lead to state failure in LMS.¶
Combined together they produce a compact PQ/PQ composite signature ideally suited for high value assets in constrained environments.¶
The composite construction presents a single algorithm interface while internally invoking both primitives.¶
This specification follows the composite design framework described in [I-D.ietf-lamps-pq-composite-sigs].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Composite FN-DSA-LMS is a hybrid signature scheme formed by combining FN-DSA and LMS.¶
The construction follows the composite signature combiner approach:¶
M' := Prefix || Label || len(ctx) || ctx || PH(M)
¶
Both component algorithms independently sign M'.¶
Composite FN-DSA-LMS uses a pre-hash function PH:¶
PH(M)¶
This is incorporated into the message representative:¶
M' := Prefix || Label || len(ctx) || ctx || PH(M)
¶
Prefix: Always set to "CompositeAlgorithmSignatures2025" as in [I-D.ietf-lamps-pq-composite-sigs].¶
Label: Unique per algorithm OID (defined in Algorithm Identifier section below)¶
ctx: Application-defined context (0–255 bytes).¶
Composite-FNDSA-LMS.KeyGen() -> (pk, sk) Steps: 1. Generate component keys: (fndsaPK, fndsaSK) = FNDSA.KeyGen() (lmsPK, lmsSK) = LMS.KeyGen() 2. Output: pk = SerializePublicKey(fndsaPK, lmsPK) sk = SerializePrivateKey(fndsaSK, lmsSK)¶
Signing follows a similar procedure as in [I-D.ietf-lamps-pq-composite-sigs].¶
Composite-FNDSA-LMS.Sign(sk, M, ctx) -> s Steps: 1. Check: if len(ctx) > 255: error 2. Compute: M' := Prefix || Label || len(ctx) || ctx || PH(M) 3. Deserialize keys: (fndsaSK, lmsSK) = DeserializePrivateKey(sk) 4. Sign: fndsaSig = FNDSA.Sign(fndsaSK, M') lmsSig = LMS.Sign(lmsSK, M') 5. Output: s = SerializeSignatureValue(fndsaSig, lmsSig)¶
Composite-FNDSA-LMS.Verify(pk, M, s, ctx) -> boolean Steps: 1. Deserialize: (fndsaPK, lmsPK) = DeserializePublicKey(pk) (fndsaSig, lmsSig) = DeserializeSignatureValue(s) 2. Compute: M' := Prefix || Label || len(ctx) || ctx || PH(M) 3. Verify: FNDSA.Verify(fndsaPK, M', fndsaSig) LMS.Verify(lmsPK, M', lmsSig) Both FNDSA.Verify() and LMS.Verify() MUST verify correctly.¶
SerializePublicKey(fndsaPK, lmsPK): return fndsaPK || lmsPK¶
SerializePrivateKey(fndsaSK, lmsSK): return fndsaSK || lmsSK¶
Composite FN-DSA-LMS is used identically to other composite algorithms.¶
LMS private keys are stateful.¶
Each invocation of LMS.Sign MUST use a unique leaf index. Reuse of a leaf index results in catastrophic loss of security.¶
Composite FN-DSA-LMS is EUF-CMA secure if at least one component remains secure.¶
IANA is requested to assign OIDs under:¶
1.3.6.1.5.5.7.6¶
TODO for each combination¶
TODO acknowledge.¶