ML-DSA Public Key Algorithms for the Secure Shell (SSH) Protocol
Sofia 1750 Bulgaria pkixssh@roumenpetrov.info https://roumenpetrov.info/secsh/
sec sshm Module-Lattice-Based Digital Signature Standard ML-DSA Secure Shell SSH Secure remote-login Public Key Algorithm This document describes the use of the ML-DSA digital signature algorithms in the Secure Shell (SSH) protocol. Accordingly, this RFC updates RFC 4253. Document and implementation details The datatracker status page of the draft is draft-rpe-ssh-mldsa. The source of this document is located at I-D ssh-mldsa. Implementation could be found at PKIX-SSHMLDSA-DEMO branch. Discussion of this document takes place on the Secure Shell Maintenance (sshm)" mailing list which is archived here.
Introduction Secure Shell (SSH) is a secure remote-login protocol. It provides for an extensible variety of public key algorithms for identifying servers and users to one another. This document describes the use of ML-DSA algorithms to be implemented by Secure Shells (SSH) and standardize the use of names mldsa-44, mldsa-65, and mldsa-87. These algorithms correspond to the Table 1. "ML-DSA parameter sets" defined in Section 4 "Parameter Sets".
Conventions Used in This Document The descriptions of key and signature formats use the notation introduced in and the string data type from .
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Public Key Algorithm This document describes a public key algorithms for use with SSH, as per . The name of the algorithms are mldsa-44, mldsa-65, and mldsa-87. These algorithms only supports signing and not encryption. Keys are generated according to the procedure described in Algorithm 1 step 5. Standard implementations of SSH SHOULD implement mldsa-65 public Key algorithm. It MAY implement mldsa-44 and mldsa-87 public key algorithms.
Public Key Format
  • The mldsa-44 key format has the following encoding:
    string
    mldsa-44
    string
    key
    Here, 'key' is the 1312-octet public key encoded as is described in Algorithm 22.
  • The mldsa-65 key format has the following encoding:
    string
    mldsa-65
    string
    key
    Here, 'key' is the 1952-octet public key encoded as is described in Algorithm 22.
  • The mldsa-87 key format has the following encoding:
    string
    mldsa-87
    string
    key
    Here, 'key' is the 2592-octet public key encoded as is described in Algorithm 22.
Signature Algorithm Signatures are generated according to the procedure described in . Signature generation should use normal signing process (Pure ML-DSA Signature Generation) with empty string as context parameter. The process is defined in Algorithm 2 step 10(sign) and Algorithm 3 step 5(verify).
Signature Format
  • The mldsa-44 public key algorithm has the following format for encoding the signature:
    string
    mldsa-44
    string
    signature
    Here, 'signature' is the 2420-octet signature produced in accordance with Algorithm 2.
  • The mldsa-65 public key algorithm has the following format for encoding the signature:
    string
    mldsa-65
    string
    signature
    Here, 'signature' is the 3309-octet signature produced in accordance with Algorithm 2.
  • The mldsa-87 public key algorithm has the following format for encoding the signature:
    string
    mldsa-87
    string
    signature
    Here, 'signature' is the 4627-octet signature produced in accordance with Algorithm 2.
Verification Algorithm ML-DSA signatures are verified according to the procedure in Algorithm 3 step 5.
IANA Considerations This document augments the Public Key Algorithm Names in . This document requests new entries to "Public Key Algorithm Names" in the "Secure Shell (SSH) Protocol Parameters" registry according to the procedures in :
Public Key Algorithm Name Reference
mldsa-44 This document.
mldsa-65 This document.
mldsa-87 This document.
Security Considerations The security considerations in apply to all SSH implementations, including those using ML-DSA-44, ML-DSA-65, and ML-DSA-87. Also rules in Section 3.6 "Additional Requirements" apply as well.
References Normative References Module-lattice-based digital signature standard National Institute of Standards and Technology (U.S.) Informative References Secure Shell (SSH) Protocol Parameters IANA
Acknowledgements TBD