Skip to main content

7. Private Key Format

This section preserves the RFC text for X.509 SLH-DSA algorithm identifiers, including ASN.1, OIDs, AlgorithmIdentifier, id-slh-dsa-* and id-hash-slh-dsa-* names, DER examples, certificates, key usage, IANA registrations, and security requirements.

Original RFC Text

7.  Private Key Format

"Asymmetric Key Packages" [RFC5958] describes how to encode a private
key in a structure that both identifies what algorithm the private
key is for and optionally allows for the public key and additional
attributes about the key to be included as well. For illustration,
the ASN.1 structure OneAsymmetricKey is replicated below.

OneAsymmetricKey ::= SEQUENCE {
version Version,
privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
privateKey PrivateKey,
attributes [0] IMPLICIT Attributes OPTIONAL,
...,
[[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
...
}

PrivateKey ::= OCTET STRING

PublicKey ::= BIT STRING

| NOTE: The above syntax is from [RFC5958] and is compatible with
| the 2021 ASN.1 syntax [X680].

Section 9.1 of [FIPS205] defines an SLH-DSA private key as four
n-byte elements: SK.seed, SK.prf, PK.seed, and PK.root. The raw
octet string encoding of an SLH-DSA private key is the concatenation
of these four elements, i.e., SK.seed || SK.prf || PK.seed ||
PK.root. The octet string length is 4*n bytes, where n is 16, 24, or
32, depending on the SLH-DSA parameter set. When used in a
OneAsymmetricKey type, the privateKey OCTET STRING contains the raw
octet string encoding of the private key.

When an SLH-DSA public key is included in a OneAsymmetricKey type, it
is encoded in the same manner as in a SubjectPublicKeyInfo type.
That is, the publicKey BIT STRING contains the raw octet string
encoding of the public key.

Appendix C.2 contains an example of an id-slh-dsa-sha2-128s private
key encoded using the textual encoding defined in [RFC7468].

| NOTE: There exist some private key import functions that have
| not picked up the ASN.1 structure OneAsymmetricKey, which is
| defined in [RFC5958]. This means that they will not accept a
| private key structure that contains the public key field. This
| means a balancing act needs to be done between being able to do
| a consistency check on the key pair and widest ability to
| import the key.