Internet-Draft D-CBOR August 2023
Rundgren Expires 9 February 2024 [Page]
Intended Status:
A. Rundgren, Ed.

Deterministically Encoded CBOR (D-CBOR)


This document describes a deterministic encoding scheme for CBOR intended for usage in high-end computing platforms like mobile phones, Web browsers, and Web servers. In addition to enhancing interoperability, deterministic encoding can also support cryptographic operations like signing CBOR data items. Using this specification, the latter can be achieved without wrapping such data in byte strings or depending on non-standard canonicalization procedures.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 9 February 2024.

1. Introduction

This specification introduces a deterministic encoding scheme for data expressed in the CBOR [RFC8949] format. This scheme is subsequently referred to as D‑CBOR.

1.1. Objectives

The primary objective of D‑CBOR is providing an interoperable CBOR profile for high-end computing platforms like mobile phones, Web browsers, and Web servers. However, D‑CBOR also enables performing digital signatures over "raw" (unwrapped) CBOR data items since signatures depend on a unified representation of the data to be signed. In addition, D‑CBOR permits decoded CBOR data to be subjected to simple and secure transformation and reencoding operations.

The deterministic encoding scheme described in this document is bidirectional, even when CBOR is provided in diagnostic notation (Section 8 of [RFC8949]), which makes D‑CBOR comparatively easy to understand, debug, and implement.

See also [I-D.mcnally-deterministic-cbor] which represents an alternative approach to deterministic encoding.

1.2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

2. Specification

The deterministic encoding scheme used by D‑CBOR builds on Section 4.2 of [RFC8949]. However, to achieve a fixed and bidirectional representation of numbers, Rule 2 in Section 4.2.2 MUST also be adhered to. Also see Appendix A.

Occurrences of CBOR data items that do not conform to this specification MUST be flagged as an error.

For applications that depend on reencoding of CBOR data items, compliant decoder implementations MUST be able to recreate such data in its original form. This means for example that the string component of date items (tag 0) MUST be kept "as is" in order to maintain deterministic reencoding.

The optional numerical extensions described in Section 3.4.4 of [RFC8949] MUST be treated as distinct data items and MUST NOT be subjected to any transformations at the encoding level.

A compliant D‑CBOR implementation SHOULD support the following CBOR data items:

Table 1: Supported CBOR Data Items

Data Item         Tag
----------------  ----------------------
integer           Major type 0 and 1
bignum            0xc2 and 0xc3
floating point    0xf9, 0xfa and 0xfb
byte string       Major type 2
text string       Major type 3
false             0xf4
true              0xf5
null              0xf6
array             Major type 4
map               Major type 5
tag               Major type 6

CBOR data items that do not match Table 1 MUST be rejected.

See also Appendix B.

3. IANA Considerations

This document has no IANA actions.

4. Security Considerations

This specification inherits all the security considerations of CBOR [RFC8949].

Applications that exploit the uniqueness of deterministic encoding should verify that the decoder in use actually flags incorrectly formatted CBOR data items.

5. References

5.1. Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119.
[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174.
[RFC8949]  Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949.

5.2. Informative References

[I-D.mcnally-deterministic-cbor]  McNally, W. and C. Allen, "Gordian dCBOR: Deterministic CBOR Implementation Practices", Work in Progress, Internet-Draft, draft-mcnally-deterministic-cbor-01.

Appendix A. Encoding of Numbers

This section is normative.

The following subsections hold examples of numbers and their encoding using D‑CBOR.

Note that the values and encodings are supposed to work in both directions.

A.1. Integer Numbers

The following table holds a set of integers highlighting the selection between integer and bignum data items.

Table 2: Integer Numbers

Value                   Encoding
----------------------  ----------------------
0                       00
-1                      20
23                      17
24                      1818
-24                     37
-25                     3818
255                     18ff
256                     190100
-256                    38ff
-257                    390100
65535                   19ffff
65536                   1a00010000
1099511627775           1b000000ffffffffff
18446744073709551615    1bffffffffffffffff
18446744073709551616    c249010000000000000000
-18446744073709551616   3bffffffffffffffff
-18446744073709551617   c349010000000000000000
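
The rule behind Table 2, as an added Python example (not code from this draft or its reference implementations): integers use major type 0 or 1 with the shortest argument, and only values outside that 64-bit range become bignums. The strict decoder rejects any input the encoder would not emit, which is the behaviour Section 4 asks applications to verify; the function names are assumptions of this example.

```python
# Added example, not from the draft: integers per Appendix A.1 (Table 2).

def _head(major: int, n: int) -> bytes:
    """Encode a major type with the shortest possible argument."""
    if n < 24:
        return bytes([major | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major | info]) + n.to_bytes(size, "big")
    raise OverflowError("argument exceeds 64 bits")

def encode_int(value: int) -> bytes:
    """Major type 0/1 when the value fits, otherwise bignum tag 2/3."""
    major, n = (0x00, value) if value >= 0 else (0x20, -1 - value)
    if n < 1 << 64:
        return _head(major, n)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0xC2 if value >= 0 else 0xC3]) + _head(0x40, len(body)) + body

def _read_head(data: bytes, pos: int):
    """Leniently read (major, argument, next position)."""
    if pos >= len(data):
        raise ValueError("truncated item")
    major, info = data[pos] & 0xE0, data[pos] & 0x1F
    if info < 24:
        return major, info, pos + 1
    if info > 27:
        raise ValueError("unsupported additional information")
    end = pos + 1 + (1 << (info - 24))
    return major, int.from_bytes(data[pos + 1:end], "big"), end

def decode_int(data: bytes) -> int:
    """Decode one integer or bignum, rejecting any non-D-CBOR form."""
    major, n, pos = _read_head(data, 0)
    if major in (0x00, 0x20):
        value = n if major == 0x00 else -1 - n
    elif major == 0xC0 and n in (2, 3):
        inner, length, pos = _read_head(data, pos)
        if inner != 0x40:
            raise ValueError("bignum tag must wrap a byte string")
        magnitude = int.from_bytes(data[pos:pos + length], "big")
        value, pos = (magnitude if n == 2 else -1 - magnitude), pos + length
    else:
        raise ValueError("not an integer or bignum")
    # Bidirectional check: the input must be exactly what the encoder emits.
    if pos != len(data) or encode_int(value) != data:
        raise ValueError("non-deterministic integer encoding")
    return value
```

Inputs such as 1817 (23 with a one-byte argument) or c24101 (1 wrapped as a bignum) decode to valid numbers in a lenient parser but raise ValueError here.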

A.2. Floating Point Numbers

A.2.1. Dedicated Floating Point Numbers

The following table holds the set of dedicated IEEE 754 values. Note that NaN "signaling" MUST be flagged as an error.

Table 3: Dedicated Floating Point Numbers

Value        Encoding
-----------  ----------
0.0          f90000
-0.0         f98000
Infinity     f97c00
-Infinity    f9fc00
NaN          f97e00

A.2.2. Assorted Floating Point Numbers

The following table holds a set of "ordinary" IEEE 754 values including some edge cases. Note that subnormal floating point values MUST be supported.

Table 4: Assorted Floating Point Numbers

Value                      Encoding
-------------------------  ----------------------
-5.960464477539062e-8      fbbe6fffffffffffff
-5.9604644775390625e-8     f98001
-5.960464477539064e-8      fbbe70000000000001
-5.960465188081798e-8      fab3800001
0.00006097555160522461     f903ff
65504.0                    f97bff
65504.00390625             fa477fe001
65536.0                    fa47800000
10.559998512268066         fa4128f5c1
10.559998512268068         fb40251eb820000001
3.4028234663852886e+38     fa7f7fffff
3.402823466385289e+38      fb47efffffe0000001
1.401298464324817e-45      fa00000001
1.1754942106924411e-38     fa007fffff
5.0e-324                   fb0000000000000001
-1.7976931348623157e+308   fbffefffffffffffff
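
How Tables 3 and 4 come about, as an added Python example (not code from this draft or its reference implementations): the encoder picks the shortest of the half, single and double formats that preserves the value exactly, subnormals included. The decoder accepts an item only if re-encoding reproduces the same bytes; treating every NaN bit pattern other than f97e00 as an error is this example's reading of A.2.1, and the function names are assumptions.

```python
# Added example, not from the draft: floats per Appendix A.2 (Tables 3 and 4).
import math
import struct

def encode_float(value: float) -> bytes:
    """Shortest of half/single/double (0xf9/0xfa/0xfb) that keeps the value."""
    if math.isnan(value):
        return bytes.fromhex("f97e00")  # the only NaN form listed in Table 3
    for initial, fmt in ((0xF9, ">e"), (0xFA, ">f")):
        try:
            packed = struct.pack(fmt, value)
        except (OverflowError, struct.error):
            continue  # magnitude too large for this width, try the next one
        # Rounding or underflow shows up as a changed value after unpacking.
        if struct.unpack(fmt, packed)[0] == value:
            return bytes([initial]) + packed
    return b"\xfb" + struct.pack(">d", value)

_FORMATS = {0xF9: ">e", 0xFA: ">f", 0xFB: ">d"}

def decode_float(data: bytes) -> float:
    """Decode one floating point item, rejecting any non-D-CBOR form."""
    if not data or data[0] not in _FORMATS:
        raise ValueError("not a floating point data item")
    fmt = _FORMATS[data[0]]
    if len(data) != 1 + struct.calcsize(fmt):
        raise ValueError("wrong length for floating point data item")
    value = struct.unpack(fmt, data[1:])[0]
    # Bidirectional check: wider-than-needed encodings and NaN variants
    # (signaling NaNs included) do not survive re-encoding unchanged.
    if encode_float(value) != data:
        raise ValueError("non-deterministic floating point encoding")
    return value
```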

Appendix B. Implementation Constraints

This section is informative.

Note that even if an application does not support (or need) bignum or floating point data items, you can still use D-CBOR since a strict subset is upwardly compatible with full-blown implementations. Low-end platforms typically also restrict CBOR map keys to integer and text string data items. Since these issues are application specific, they are out of scope for this specification.

Appendix C. Reference Implementations

This section is informative.

Reference implementations that conform to this specification include:

Appendix D. Online Tools

This section is informative.

The following online tools enable testing D‑CBOR without installing any software:

Document History

[[ This section to be removed by the RFC Editor before publication as an RFC ]]

Version 00:

  • Initial publication.

Version 01:

  • Added Table 1: Supported CBOR Data Types

Version 02:

  • Added bidirectional + reencoding to 2

Version 03:

  • Added ref to 3.4.4. Decimal Fractions and Bigfloats.
  • Type => Data Item (throughout the spec).

Version 04:

  • Document name spelling error.

Author's Address

Anders Rundgren (editor)