ML-DSA 65/Ed255192 Composite Signatures in SSH

Introduction The Secure Shell (SSH) protocol is a protocol for secure remote login and other secure network services over an untrusted network. The expected arrival of quantum computing poses a threat to traditional asymmetric cryptography. Post-quantum algorithms such as ML-DSA have been developed to remain secure against a quantum computer-equipped adversary. However, given the relative novelty of the post-quantum algoritms, it is desirable to use composite schemes that combine post-quantum and classical algorithms to protect against quantum attacks while promising to be "no worse" than the chosen classical algorithm should a vulnerability be discovered in the post-quantum algorithm or its implementation. This document specifies a composite signature scheme for SSH, mapping the COMPSIG-MLDSA65-Ed25519-SHA512 scheme defined in to the SSH protocol using the identifier ssh-mldsa65-ed25519@openssh.com.

The ssh-mldsa65-ed25519@openssh.com Algorithm The algorithm name for this composite signature scheme is "ssh-mldsa65-ed25519@openssh.com". The underlying key generation, signing and verification primitives are as specified in , but are also described briefly below.

Key generation Keys are generated using the process specified in . Specifically, ML-DSA and Ed25519 keys are generated separately from seeds and the resultant public for each are combined to form the composite public key. Private keys are combined as seeds and not as expanded keys. ML-DSA key generation uses the ML-DSA.KeyGen_internal algorithm as defined in section 6.1 and not the usual ML-DSA.KeyGen algorithm as the latter emits an expanded private key and not the required seed. Ed25519 key generation is described in . Seeds to both ML-DSA and Ed25519 MUST be sourced from a cryptographically sound source, such as a CSPRNG/RBG.

Composite raw public key The resultant public keys from the respective ML-DSA and Ed25519 key generation algorithms are combined by simple concatenation to form a composite public key. Specifically it consists of the raw ML-DSA-65 public key (1952 bytes) and the Ed25519 public key (32 bytes), for a total of 1984 bytes: byte[1952] mldsa_pk byte[32] ed25519_pk This 1984-byte combination is referred to as "composite_public_key" henceforth in this document.

Composite raw private key The composite private key is also a concatenation, but its elements are the private key seeds for the respective algorithms. Each of these seeds is 32 bytes. byte[32] mldsa_seed byte[32] ed25519_seed This 64-byte combination is referred to as "composite_private_key" henceforth in this document.

SSH Public Key Format The "ssh-mldsa65-ed25519@openssh.com" public key as it appears in the SSH protocol has the following format: string "ssh-mldsa65-ed25519@openssh.com" string composite_public_key Where "composite_public_key" is as described in .

SSH Private Key Format When adding a key to an agent using the SSH_AGENTC_ADD_IDENTITY or SSH_AGENTC_ADD_ID_CONSTRAINED messages, the key data MUST have the following format: string "ssh-mldsa65-ed25519@openssh.com" string composite_public_key string composite_private_key Where "composite_public_key" is as described in and "composite_private_key" is as described in . This private key serialisation may also be used as the basis of on-disk key formats, though these are beyond the scope of this document.

Signatures

Signature Generation To sign a message M, the signer first constructs a message representative M' as follows: M' = Prefix || Label || len(ctx) || ctx || SHA512(M) Where:

Prefix: The ASCII string "CompositeAlgorithmSignatures2025" [43 6F 6D 70 6F 73 69 74 65 41 6C 67 6F 72 69 74 68 6D 53 69 67 6E 61 74 75 72 65 73 32 30 32 35].
Label: The ASCII string "COMPSIG-MLDSA65-Ed25519-SHA512" [43 4F 4D 50 53 49 47 2D 4D 4C 44 53 41 36 35 2D 45 64 32 35 35 31 39 2D 53 48 41 35 31 32].
len(ctx): A single byte representing the length of the context string.
ctx: The context string.
SHA512(M): The SHA-512 hash of the original message M.

The signer then computes:

mldsa_sig = ML-DSA-65.Sign(mldsa_sk, M', ctx=Label)
ed25519_sig = Ed25519.Sign(ed25519_sk, M')

The final composite signature is the concatenation of mldsa_sig and ed25519_sig. byte[3309] mldsa_sig byte[64] ed25519_sig This 3373-byte combination is henceforth referred to as "composite_signature".

Signature Verification To verify a signature, the verifiere reconstructs M' using the same process as defined for generation. The signature is valid if and only if both underlying signature verifications succeed:

ML-DSA-65.Verify(mldsa_pk, M', mldsa_sig, ctx=Label)
Ed25519.Verify(ed25519_pk, M', ed25519_sig)

SSH signature wire encoding Signatures are represented in SSH using the following format: string "ssh-mldsa65-ed25519@openssh.com" string composite_signature Where "composite_signature" is as defined in .

Signture contexts The COMPSIG-MLDSA65-Ed25519-SHA512 signature algorithm, like its underlying ML-DSA component, accepts a Context parameter that may be used to enforce domain separation between signatues. TODO TODO TODO In all cases in the SSH protocol, this context value is the empty string, but if we ever change our minds then this is where we'd describe what contexts are used for each signature/verification operation. TODO TODO TODO.