5. Subject Public Key Fields
This section preserves the RFC text for X.509 SLH-DSA algorithm identifiers, including ASN.1, OIDs, AlgorithmIdentifier, id-slh-dsa-* and id-hash-slh-dsa-* names, DER examples, certificates, key usage, IANA registrations, and security requirements.
Original RFC Text
5. Subject Public Key Fields
In the X.509 certificate, the subjectPublicKeyInfo field has the
SubjectPublicKeyInfo type, which has the following ASN.1 syntax:
SubjectPublicKeyInfo {PUBLIC-KEY: IOSet} ::= SEQUENCE {
algorithm AlgorithmIdentifier {PUBLIC-KEY, {IOSet}},
subjectPublicKey BIT STRING }
| NOTE: The above syntax is from [RFC5912] and is compatible with
| the 2021 ASN.1 syntax [X680]. See [RFC5280] for the 1988 ASN.1
| syntax.
The fields in SubjectPublicKeyInfo have the following meanings:
* algorithm is the algorithm identifier and parameters for the
public key (see above).
* subjectPublicKey contains the byte stream of the public key.
[RFC9814] defines the following public key identifiers for Pure SLH-
DSA:
pk-slh-dsa-sha2-128s PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-sha2-128s
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-sha2-128f PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-sha2-128f
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-sha2-192s PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-sha2-192s
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-sha2-192f PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-sha2-192f
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-sha2-256s PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-sha2-256s
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-sha2-256f PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-sha2-256f
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-shake-128s PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-shake-128s
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-shake-128f PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-shake-128f
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-shake-192s PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-shake-192s
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-shake-192f PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-shake-192f
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-shake-256s PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-shake-256s
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-slh-dsa-shake-256f PUBLIC-KEY ::= {
IDENTIFIER id-slh-dsa-shake-256f
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
SLH-DSA-PublicKey ::= OCTET STRING
SLH-DSA-PrivateKey ::= OCTET STRING
The public key identifiers for HashSLH-DSA are defined here:
pk-hash-slh-dsa-sha2-128s-with-sha256 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-sha2-128s-with-sha256
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-sha2-128f-with-sha256 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-sha2-128f-with-sha256
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-sha2-192s-with-sha512 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-sha2-192s-with-sha512
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-sha2-192f-with-sha512 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-sha2-192f-with-sha512
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-sha2-256s-with-sha512 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-sha2-256s-with-sha512
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-sha2-256f-with-sha512 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-sha2-256f-with-sha512
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-shake-128s-with-shake128 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-shake-128s-with-shake128
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-shake-128f-with-shake128 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-shake-128f-with-shake128
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-shake-192s-with-shake256 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-shake-192s-with-shake256
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-shake-192f-with-shake256 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-shake-192f-with-shake256
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-shake-256s-with-shake256 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-shake-256s-with-shake256
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
pk-hash-slh-dsa-shake-256f-with-shake256 PUBLIC-KEY ::= {
IDENTIFIER id-hash-slh-dsa-shake-256f-with-shake256
-- KEY no ASN.1 wrapping --
CERT-KEY-USAGE
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign }
-- PRIVATE-KEY no ASN.1 wrapping -- }
Section 9.1 of [FIPS205] defines an SLH-DSA public key as two n-byte
elements: PK.seed and PK.root. The raw octet string encoding of an
SLH-DSA public key is the concatenation of these two elements, i.e.,
PK.seed || PK.root. The octet string length is 2*n bytes, where n is
16, 24, or 32, depending on the SLH-DSA parameter set. When used in
a SubjectPublicKeyInfo type, the subjectPublicKey BIT STRING contains
the raw octet string encoding of the public key.
[RFC9814] defines the SLH-DSA-PublicKey and SLH-DSA-PrivateKey ASN.1
OCTET STRING types to provide an option for encoding a Pure SLH-DSA
public or private key in an environment that uses ASN.1 encoding but
doesn't define its own mapping of an SLH-DSA raw octet string to
ASN.1. HashSLH-DSA public and private keys can use SLH-DSA-PublicKey
and SLH-DSA-PrivateKey in the same way. To map an SLH-DSA-PublicKey
OCTET STRING to a SubjectPublicKeyInfo, the OCTET STRING is mapped to
the subjectPublicKey field (a value of type BIT STRING) as follows:
The most significant bit of the OCTET STRING value becomes the most
significant bit of the BIT STRING value, and so on; the least
significant bit of the OCTET STRING becomes the least significant bit
of the BIT STRING.
The AlgorithmIdentifier for an SLH-DSA public key MUST use one of the
id-slh-dsa-* or id-hash-slh-dsa-* object identifiers from Section 3.
The parameters field of the AlgorithmIdentifier for the SLH-DSA
public key MUST be absent.
Appendix C.1 contains an example of an id-slh-dsa-sha2-128s public
key encoded using the textual encoding defined in [RFC7468].