Composite ML-DSA Signatures for SSH
draft-sun-ssh-composite-sigs-02
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | Sun Shuzhou , Lucas Prabel | ||
| Last updated | 2026-01-05 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-sun-ssh-composite-sigs-02
sshm S. Sun
Internet-Draft L. Prabel
Intended status: Standards Track Huawei
Expires: 9 July 2026 5 January 2026
Composite ML-DSA Signatures for SSH
draft-sun-ssh-composite-sigs-02
Abstract
This document describes the use of PQ/T composite signatures for the
Secure Shell (SSH) protocol. The composite signatures described
combine ML-DSA as the post-quantum part and the elliptic curve
signature schemes ECDSA, Ed25519 and Ed448 as the traditional part.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://example.com/LATEST. Status information for this document may
be found at https://datatracker.ietf.org/doc/draft-sun-ssh-composite-
sigs/.
Discussion of this document takes place on the Secure Shell
Maintenance (sshm) Working Group mailing list (mailto:ssh@ietf.org),
which is archived at https://mailarchive.ietf.org/arch/browse/ssh/.
Subscribe at https://www.ietf.org/mailman/listinfo/ssh/.
Source for this draft and an issue tracker can be found at
https://github.com/USER/REPO.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Sun & Prabel Expires 9 July 2026 [Page 1]
Internet-Draft SSH Composite Signatures January 2026
This Internet-Draft will expire on 9 July 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Composite Algorithms . . . . . . . . . . . . . . . . . . . . 3
3.1. Composite Key Generation . . . . . . . . . . . . . . . . 3
3.2. Composite Sign . . . . . . . . . . . . . . . . . . . . . 4
3.3. Composite Verify . . . . . . . . . . . . . . . . . . . . 6
4. Public Key Algorithm . . . . . . . . . . . . . . . . . . . . 7
5. Public Key Format . . . . . . . . . . . . . . . . . . . . . . 8
6. Signature Format . . . . . . . . . . . . . . . . . . . . . . 10
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. Normative References . . . . . . . . . . . . . . . . . . 12
9.2. Informative References . . . . . . . . . . . . . . . . . 13
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction
The development of quantum computers has raised concern towards
traditional asymmetric cryptographic algorithms. A Cryptographically
Relevant Quantum Computer (CRQC) will break RSA and elliptic curve
signature schemes. There is a need to migrate to quantum-resistant
signature schemes.
Recently, NIST publised the ML-DSA [FIPS204] algorithm, which is a
post-quantum signature scheme. However, when using relatively new
cryptographic schemes, the lack of maturing time makes people worry.
Many hybrid solutions are thus proposed, which combine a traditional
algorithm with a post-quantum algorithm.
Sun & Prabel Expires 9 July 2026 [Page 2]
Internet-Draft SSH Composite Signatures January 2026
[FIPS204] defines both pure ML-DSA and pre-hash ML-DSA. This
document only uses pure ML-DSA.
This document describes how to combine ML-DSA with the elliptic curve
signature schemes ECDSA, Ed25519 and Ed448 for authentication in the
SSH [RFC4251] protocol.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document is consistent with the terminology for hybrid
signatures defined in [I-D.draft-ietf-pquip-pqt-hybrid-terminology].
The key and signature formats follows the notation introduced in
[RFC4251], Section 3, and the string data type format follows the
notation from [RFC4251], Section 5.
3. Composite Algorithms
A composite algorithm has one post-quantum algorithm, and one
traditional algorithm.
3.1. Composite Key Generation
Composite public and private keys are generated by calling the key
generation functions of the two component algorithms and
concatenating the keys in an order given by the registered composite
algorithm.
For the composite algorithms described in this document, the Key
Generation process is as follows:
Sun & Prabel Expires 9 July 2026 [Page 3]
Internet-Draft SSH Composite Signatures January 2026
1. Generate component keys
(mldsaPK, mldsaSK) = ML-DSA.KeyGen()
(tradPK, tradSK) = ECCSigAlg.KeyGen()
2. Check for component key generation failure
if NOT (mldsaPK, mldsaSK) or NOT (tradPK, tradSK):
output "Key generation error"
3. Serialize keys into composite form
Composite Public Key <- SerializePublicKey(mldsaPK, tradPK)
Composite Private Key <- SerializePrivateKey(mldsaSK, tradSK)
It makes use of the serialization routines from
[I-D.draft-ietf-lamps-pq-composite-sigs] to obtain the byte string
encodings of the composite public and private keys.
ECCSigAlg is an elliptic curve signature scheme, i.e., ECDSA, Ed25519
or Ed448.
3.2. Composite Sign
A composite signature's value MUST include two signature components
and MUST be in the same order as the components from the
corresponding signing key.
For the composite algorithms described in this document, the
signature process of a message M follows Section 4.2 of
[I-D.draft-ietf-lamps-pq-composite-sigs], with an empty application
context string:
Sun & Prabel Expires 9 July 2026 [Page 4]
Internet-Draft SSH Composite Signatures January 2026
1. Compute the Message representative M'
M' <- Prefix || Label || 0x00 || PH(M)
2. Get the component keys
(mldsaSK, tradSK) = DeserializePrivateKey(sk)
3. Generate the two component signatures
sig_1 <- ML-DSA.Sign(mldsaSK, M', ctx=Label)
sig_2 <- ECCSigAlg.Sign(tradSK, M')
4. If either ML-DSA.Sign() or ECCSigAlg.Sign() return an error, then this process MUST return an error.
if NOT sig_1 or NOT sig_2:
output "Signature generation error"
5. Output the encoded composite signature value.
CompositeSignature <- SerializeSignatureValue(sig_1, sig_2)
return CompositeSignature
It makes use of the serialization routines from
[I-D.draft-ietf-lamps-pq-composite-sigs] to obtain the byte string
encodings of the composite signature.
The prefix "Prefix" string is defined as in
[I-D.draft-ietf-lamps-pq-composite-sigs] as the byte encoding of the
string "CompositeAlgorithmSignatures2025", which in hex is
436F6D706F73697465416C676F726974686D5369676E61747572657332303235. It
can be used by a traditional verifier to detect if the composite
signature has been stripped apart.
The label "Label" is defined in the same way as
[I-D.draft-ietf-lamps-pq-composite-sigs] and is passed as a context
argument into the underlying ML-DSA component algorithm. The label
values, specific to each composite algorithm, can be found in
Table 1.
Sun & Prabel Expires 9 July 2026 [Page 5]
Internet-Draft SSH Composite Signatures January 2026
+===============+======================+==================================================================+
|Key Format |Label (in ASCII) |Label (in Hex encoding) |
|identifier | | |
+===============+======================+==================================================================+
|ssh- |COMPSIG-MLDSA44-ECDSA-|434F4D505349472D4D4C44534134342D45434453412D503235362D534841323536|
|mldsa44-es256 |P256-SHA256 | |
+---------------+----------------------+------------------------------------------------------------------+
|ssh- |COMPSIG-MLDSA65-ECDSA-|434F4D505349472D4D4C44534136352D45434453412D503235362D534841353132|
|mldsa65-es256 |P256-SHA512 | |
+---------------+----------------------+------------------------------------------------------------------+
|ssh- |COMPSIG-MLDSA87-ECDSA-|434F4D505349472D4D4C44534138372D45434453412D503338342D534841353132|
|mldsa87-es384 |P384-SHA512 | |
+---------------+----------------------+------------------------------------------------------------------+
|ssh- |COMPSIG- |434F4D505349472D4D4C44534134342D456432353531392D534841353132 |
|mldsa44-ed25519|MLDSA44-Ed25519-SHA512| |
+---------------+----------------------+------------------------------------------------------------------+
|ssh- |COMPSIG- |434F4D505349472D4D4C44534136352D456432353531392D534841353132 |
|mldsa65-ed25519|MLDSA65-Ed25519-SHA512| |
+---------------+----------------------+------------------------------------------------------------------+
|ssh- |COMPSIG- |434F4D505349472D4D4C44534138372D45643434382D5348414B45323536 |
|mldsa87-ed448 |MLDSA87-Ed448-SHAKE256| |
+---------------+----------------------+------------------------------------------------------------------+
Table 1: Composite Label Values
3.3. Composite Verify
The Verify algorithm MUST validate a signature only if all component
signatures are successfully validated.
1. Get the component keys and signatures
(mldsaPK, tradPK) <- DeserializePublicKey(pk)
(sig_1, sig_2) <- DeserializeSignatureValue(sig)
2. Compute the message representative M'
M' <- Prefix || Label || 0x00 || PH(M)
3. Check each component signature individually, according to its algorithm specification.
if NOT ML-DSA.Verify(mldsaPK, M', ctx=Label)
output "Invalid signature"
if NOT ECCSigAlg.Verify(tradPK, M')
output "Invalid signature"
if all succeeded, then
output "Valid signature"
Sun & Prabel Expires 9 July 2026 [Page 6]
Internet-Draft SSH Composite Signatures January 2026
It makes use of the serialization routines from
[I-D.draft-ietf-lamps-pq-composite-sigs] to obtain the component
public keys and the component signatures.
4. Public Key Algorithm
This section gives the concrete composite signature algorithms and
their component algorithms. Their usage within SSH follows
Section 6.6 of [RFC4253].
The following table defines a list of algorithms associated with
specific PQ/T combinations.
+=================+===========+===========+==========+=============+
| Key Format | First | Second | Pre-Hash | Description |
| Identifier | Algorithm | Algorithm | | |
+=================+===========+===========+==========+=============+
| ssh- | ML-DSA-44 | ecdsa- | SHA256 | Composite |
| mldsa44-es256 | | with- | | Signature |
| | | SHA256 | | with ML- |
| | | with | | DSA-44 and |
| | | secp256r1 | | ECDSA using |
| | | | | P-256 curve |
| | | | | and SHA-256 |
+-----------------+-----------+-----------+----------+-------------+
| ssh- | ML-DSA-65 | ecdsa- | SHA512 | Composite |
| mldsa65-es256 | | with- | | Signature |
| | | SHA256 | | with ML- |
| | | with | | DSA-65 and |
| | | secp256r1 | | ECDSA using |
| | | | | P-256 curve |
| | | | | and SHA-256 |
+-----------------+-----------+-----------+----------+-------------+
| ssh- | ML-DSA-87 | ecdsa- | SHA512 | Composite |
| mldsa87-es384 | | with- | | Signature |
| | | SHA384 | | with ML- |
| | | with | | DSA-87 and |
| | | secp384r1 | | ECDSA using |
| | | | | P-384 curve |
| | | | | and SHA-384 |
+-----------------+-----------+-----------+----------+-------------+
| ssh- | ML-DSA-44 | Ed25519 | SHA512 | Composite |
| mldsa44-ed25519 | | | | Signature |
| | | | | with ML- |
| | | | | DSA-44 and |
| | | | | Ed25519 |
+-----------------+-----------+-----------+----------+-------------+
| ssh- | ML-DSA-65 | Ed25519 | SHA512 | Composite |
Sun & Prabel Expires 9 July 2026 [Page 7]
Internet-Draft SSH Composite Signatures January 2026
| mldsa65-ed25519 | | | | Signature |
| | | | | with ML- |
| | | | | DSA-65 and |
| | | | | Ed25519 |
+-----------------+-----------+-----------+----------+-------------+
| ssh- | ML-DSA-87 | Ed448 | SHAKE256 | Composite |
| mldsa87-ed448 | | | | Signature |
| | | | | with ML- |
| | | | | DSA-87 and |
| | | | | Ed448 |
+-----------------+-----------+-----------+----------+-------------+
Table 2: Composite ML-DSA Signature Algorithms for SSH
5. Public Key Format
The key format for all parameter sets defined in this document
follows the encoding pattern from [RFC4253], Section 6.6.
*string* identifier
*string* key
The 'identifier' is the key format identifier given in Table 2.
The 'key' is the composite public key generated as defined in
Section 3.1. It is the concatenation of the public keys of the
component schemes.
For ML-DSA, the public keys are defined in [FIPS204].
For ECDSA with curves secp256r1 or secp384r1, the public keys are
defined in [RFC5656], Section 3.1. The public key is encoded from an
elliptic curve point into an octet string as defined in Section 2.3.3
of [SEC1]; point compression MAY be used.
For Ed25519 and Ed448, the public keys are defined in [RFC8709],
Section 6.
The "ssh-mldsa44-es256" key format has the following encoding:
*string* ssh-mldsa44-es256
*string* key
Here, 'key' is the concatenation of the 1312-octet ML-DSA-44 public
key and the ECDSA public key using the secp256r1 curve.
Sun & Prabel Expires 9 July 2026 [Page 8]
Internet-Draft SSH Composite Signatures January 2026
The "ssh-mldsa65-es256" key format has the following encoding:
*string* ssh-mldsa65-es256
*string* key
Here, 'key' is the concatenation of the 1952-octet ML-DSA-65 public
key and the ECDSA public key using the secp256r1 curve.
The "ssh-mldsa87-es384" key format has the following encoding:
*string* ssh-mldsa87-es384
*string* key
Here, 'key' is the concatenation of the 2592-octet ML-DSA-87 public
key and the ECDSA public key using the secp384r1 curve.
The "ssh-mldsa44-ed25519" key format has the following encoding:
*string* ssh-mldsa44-ed25519
*string* key
Here, 'key' is the concatenation of the 1312-octet ML-DSA-44 public
key and the 32-octet Ed25519 public key.
The "ssh-mldsa65-ed25519" key format has the following encoding:
*string* ssh-mldsa65-ed25519
*string* key
Here, 'key' is the concatenation of the 1952-octet ML-DSA-65 public
key and the 32-octet Ed25519 public key.
The "ssh-mldsa87-ed448" key format has the following encoding:
*string* ssh-mldsa87-ed448
*string* key
Here, 'key' is the concatenation of the 2592-octet ML-DSA-87 public
key and the 57-octet Ed448 public key.
Sun & Prabel Expires 9 July 2026 [Page 9]
Internet-Draft SSH Composite Signatures January 2026
6. Signature Format
The signature format for all parameter sets defined in this document
follows the encoding pattern defined in Section 6.6 of [RFC4253].
*string* identifier
*string* signature
The 'identifier' is the key format identifier given in Section 4.
The 'signature' is the composite signature generated as defined in
Section 3.1. It is the concatenation of the signatures of the
component schemes.
For ML-DSA, the signatures are defined in [FIPS204].
For ECDSA with curves secp256r1 and secp384r1, the signatures and
their encodings are defined in [RFC5656], Section 3.1.2.
For Ed25519 and Ed448, the signature are defined in [RFC8709],
Section 6.
The "ssh-mldsa44-es256" signature format has the following encoding:
*string* ssh-mldsa44-es256
*string* signature
Here, 'signature' is the concatenation of the 2420-octet ML-DSA-44
signature and the ECDSA signature using the secp256r1 curve.
The "ssh-mldsa65-es256" signature format has the following encoding:
*string* ssh-mldsa65-es256
*string* signature
Here, 'signature' is the concatenation of the 3309-octet ML-DSA-65
signature and the ECDSA signature using the secp256r1 curve.
The "ssh-mldsa87-es384" signature format has the following encoding:
*string* ssh-mldsa87-es384
*string* signature
Sun & Prabel Expires 9 July 2026 [Page 10]
Internet-Draft SSH Composite Signatures January 2026
Here, 'signature' is the concatenation of the 4627-octet ML-DSA-44
signature and the ECDSA signature using the secp384r1 curve.
The "ssh-mldsa44-ed25519" signature format has the following
encoding:
*string* ssh-mldsa44-ed25519
*string* signature
Here, 'signature' is the concatenation of the 2420-octet ML-DSA-44
signature and the 64-octet Ed25519 signature.
The "ssh-mldsa65-ed25519" signature format has the following
encoding:
*string* ssh-mldsa65-ed25519
*string* signature
Here, 'signature' is the concatenation of the 3309-octet ML-DSA-44
signature and the 64-octet Ed25519 signature.
The "ssh-mldsa87-ed448" signature format has the following encoding:
*string* ssh-mldsa87-ed448
*string* signature
Here, 'signature' is the concatenation of the 4627-octet ML-DSA-44
signature and the 114-octet Ed448 signature.
7. Security Considerations
The Security Considerations section of [RFC4251] also applies to this
document.
The user can refer to [FIPS204] for security issues related to the
ML-DSA post-quantum component of the composite algorithm and to the
Security Considerations sections of [RFC5656] and [RFC8709] for the
traditional component.
For the specific security issues raising from the use of a hybrid
composite signature scheme, the user can refer to
[I-D.draft-ietf-pquip-hybrid-signature-spectrums].
Sun & Prabel Expires 9 July 2026 [Page 11]
Internet-Draft SSH Composite Signatures January 2026
For more information about hybrid composite signature schemes and the
different hybrid combinations that appear in this document, the user
can read [I-D.draft-ietf-lamps-pq-composite-sigs].
8. IANA Considerations
IANA is requested to add the following entries to "Public Key
Algorithm Names" in the "Secure Shell (SSH) Protocol Parameters"
registry [IANA.SSH]:
+===========================+=====================+===========+
| Public Key Algorithm Name | Key Format | Reference |
+===========================+=====================+===========+
| ssh-mldsa44-es256 | ssh-mldsa44-es256 | THIS-RFC |
+---------------------------+---------------------+-----------+
| ssh-mldsa65-es256 | ssh-mldsa65-es256 | THIS-RFC |
+---------------------------+---------------------+-----------+
| ssh-mldsa87-es384 | ssh-mldsa87-es384 | THIS-RFC |
+---------------------------+---------------------+-----------+
| ssh-mldsa44-ed25519 | ssh-mldsa44-ed25519 | THIS-RFC |
+---------------------------+---------------------+-----------+
| ssh-mldsa65-ed25519 | ssh-mldsa65-ed25519 | THIS-RFC |
+---------------------------+---------------------+-----------+
| ssh-mldsa87-ed448 | ssh-mldsa87-ed448 | THIS-RFC |
+---------------------------+---------------------+-----------+
Table 3: SSH Public Key Code Points
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC4251] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Protocol Architecture", RFC 4251, DOI 10.17487/RFC4251,
January 2006, <https://www.rfc-editor.org/rfc/rfc4251>.
[RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253,
January 2006, <https://www.rfc-editor.org/rfc/rfc4253>.
Sun & Prabel Expires 9 July 2026 [Page 12]
Internet-Draft SSH Composite Signatures January 2026
[RFC5656] Stebila, D. and J. Green, "Elliptic Curve Algorithm
Integration in the Secure Shell Transport Layer",
RFC 5656, DOI 10.17487/RFC5656, December 2009,
<https://www.rfc-editor.org/rfc/rfc5656>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8709] Harris, B. and L. Velvindron, "Ed25519 and Ed448 Public
Key Algorithms for the Secure Shell (SSH) Protocol",
RFC 8709, DOI 10.17487/RFC8709, February 2020,
<https://www.rfc-editor.org/rfc/rfc8709>.
9.2. Informative References
[FIPS204] National Institute of Standards and Technology (NIST),
"Module-Lattice-Based Digital Signature Standard", August
2024,
<https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS204.pdf>.
[I-D.draft-ietf-lamps-pq-composite-sigs]
Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S.
Fluhrer, "Composite ML-DSA for use in X.509 Public Key
Infrastructure", Work in Progress, Internet-Draft, draft-
ietf-lamps-pq-composite-sigs-13, 31 October 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
pq-composite-sigs-13>.
[I-D.draft-ietf-pquip-hybrid-signature-spectrums]
Bindel, N., Hale, B., Connolly, D., and F. D, "Hybrid
signature spectrums", Work in Progress, Internet-Draft,
draft-ietf-pquip-hybrid-signature-spectrums-07, 20 June
2025, <https://datatracker.ietf.org/doc/html/draft-ietf-
pquip-hybrid-signature-spectrums-07>.
[I-D.draft-ietf-pquip-pqt-hybrid-terminology]
D, F., P, M., and B. Hale, "Terminology for Post-Quantum
Traditional Hybrid Schemes", Work in Progress, Internet-
Draft, draft-ietf-pquip-pqt-hybrid-terminology-06, 10
January 2025, <https://datatracker.ietf.org/doc/html/
draft-ietf-pquip-pqt-hybrid-terminology-06>.
[IANA.SSH] "Secure Shell (SSH) Protocol Parameters", n.d.,
<https://www.iana.org/assignments/ssh-parameters/ssh-
parameters.xhtml>.
Sun & Prabel Expires 9 July 2026 [Page 13]
Internet-Draft SSH Composite Signatures January 2026
[SEC1] Standards for Efficient Cryptography Group, "Elliptic
Curve Cryptography", May 2009,
<http://www.secg.org/download/aid-780/sec1-v2.pdf>.
Acknowledgments
TODO acknowledge.
Authors' Addresses
Sun Shuzhou
Huawei
Email: sunshuzhou@huawei.com
Lucas Prabel
Huawei
Email: lucas.prabel@huawei.com
Sun & Prabel Expires 9 July 2026 [Page 14]