| Internet-Draft | cose-sqisign | April 2026 |
| Mott | Expires 25 October 2026 | [Page] |
NOTE: This document describes a signature scheme based on an algorithm currently under evaluation in the NIST Post-Quantum Cryptography standardization process. Be aware that the underlying primitive may change as a result of that process.¶
This document specifies the algorithm encodings and representations for the SQIsign digital signature scheme within the CBOR Object Signing and Encryption (COSE) and JSON Object Signing and Encryption (JOSE) frameworks.¶
SQIsign is an isogeny-based post-quantum signature scheme that provides the most compact signature and public key sizes of any candidate in the NIST Post-Quantum Cryptography (PQC) standardization and on-ramp-to-standardization processes.¶
The standardization of SQIsign is critical to addressing immediate infrastructure bottlenecks, specifically the FIDO2 CTAP2 specification used by an estimated 6.25 billion in-service devices and browser installations. CTAP2 enforces a 1024-byte default limit for external key communication. Most standardized post-quantum signatures exceed this limit, so cannot easily be deployed in these ecosystems without prohibitive protocol renegotiation, complex message fragmentation or hardware replacement. SQIsign-L1 signatures are small enough to enable delivery over highly constrained networks like 802.15.4 with minimal fragmentation.¶
This document clarifies that SQIsign's security relies on the general supersingular isogeny problem and is fundamentally unaffected by the torsion-point attacks that deprecated the SIDH/SIKE key exchange. By establishing stable COSE and JOSE identifiers, this document ensures the interoperability required for the seamless integration of post-quantum security into high-density, bandwidth-constrained, and legacy-compatible hardware environments.¶
This note is to be removed before publishing as an RFC.¶
Status information for this document may be found at https://datatracker.ietf.org/doc/draft-mott-cose-sqisign/.¶
Discussion of this document takes place on the COSE Working Group mailing list (mailto:cose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/cose/. Subscribe at https://www.ietf.org/mailman/listinfo/cose/.¶
Source for this draft and an issue tracker can be found at https://github.com/https://github.com/antonymott/quantum-resistant-rustykey.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 25 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This document registers algorithm identifiers and key type parameters for SQIsign in COSE and JOSE.¶
Post-quantum cryptography readiness is critical for constrained devices. As of 2026, while FIDO2/WebAuthn supports various COSE algorithms, hardware authenticators (like YubiKeys) and platform authenticators (like TPMs) have strict memory/storage constraints, effectively limiting public keys to 1024 bytes or less, hindering the adoption of large-key post-quantum algorithms.¶
FN-DSA (Falcon) and ML-DSA (Dilithium) have larger signatures that may not fit in constrained environments.¶
The fundamental differences between ML-DSA, FN-DSA, and SQIsign lie in their underlying hard mathematical problems, implementation complexity, and performance trade-offs.¶
Falcon (NIST secondary) uses NTRU lattices to achieve very small signatures and fast verification, but requires complex floating-point math. Dilithium (NIST primary) is a balanced, high-efficiency lattice scheme using Module-LWE/SIS, easy to implement.¶
SQIsign [SQIsign-Spec] [SQIsign-Analysis] is a non-lattice, isogeny-based scheme (Short Quaternion and Isogeny Signature) that offers the smallest signature sizes but suffers from significantly slower signature generation where even vI may take seconds to minutes, or longer with WASM implementations for browsers of particular relevance to signatures required for WebAuthn PassKeys [WebAuthn-PQC-Signature-size-constraints]. SQIsign is an isogeny-based digital signature scheme participating in NIST's Round 2 Additional Digital Signature Schemes, not yet a NIST standard [NIST-Finalized-Standards].¶
Speed: SQIsign is significantly slower at signing (roughly 100x to 1000x) compared to ML-DSA, though the math is changing fast and variants improve this.¶
| Algorithm | Public Key Size | Signature Size | PK + Sig Fits < 1024? |
|---|---|---|---|
| ML-DSA-44 | 1,312 bytes | 2,420 bytes | ❌ |
| ML-DSA-65 | 1,952 bytes | 3,293 bytes | ❌ |
| ML-DSA-87 | 2,592 bytes | 4,595 bytes | ❌ |
| FN-DSA-512 | 897 bytes | 666 bytes | ❌ (1,563 total) |
| FN-DSA-1024 | 1,793 bytes | 1,280 bytes | ❌ |
| SQIsign-L1 | 65 bytes | 148 bytes | ✅ (213 total) |
| SQIsign-L3 | 97 bytes | 224 bytes | ✅ (321 total) |
| SQIsign-L5 | 129 bytes | 292 bytes | ✅ (421 total) |
The total addressable market for SQIsign in constrained devices is estimated at ~6.25 billion units.¶
YubiKeys in Service: Based on Yubico’s historical growth and preliminary 2026 financial estimates, there are approximately 80 million legacy YubiKeys in active circulation (Series 5 and older). While firmware 5.7+ introduced some PQC readiness, older keys cannot be updated to increase buffer sizes - Other Vendors: Competitors (Google Titan, Feitian, Thales) contribute another 40–50 million active legacy keys¶
Trusted Platform Modules (TPMs) are integrated into PCs and servers, but their WebAuthn implementation often inherits protocol-level constraints. Estimated ~2.5 billion active chips worldwide. Constrained Subset: We estimate ~1.1 billion of these are in older Windows 10/11 or Linux machines where the OS "virtual authenticator" or TPM driver still enforces the 1024-byte message default to maintain backward compatibility with external CTAP1/2 tools.¶
This category refers to the "User-Agent" layer that mediates between the web and the hardware. Global Browser Agents: There are over 5 billion active browser instances across mobile and desktop (Chrome, Safari, Edge, Firefox). Legacy Protocols: Even on modern hardware, browsers often use the FIDO2 CTAP2 specification which, unless explicitly negotiated for larger messages, maintains a 1024-byte default for external key communication.¶
Industrial/Government: Agencies like the U.S. Department of Defense rely on high-security FIPS-certified keys that are notoriously slow to upgrade. We estimate ~50 million "frozen" government keys. IoT Security: Of the 21.9 billion connected IoT devices in 2026, only a fraction use WebAuthn. However, for those that do (smart locks, secure gateways), approximately 250 million are estimated to use older, non-upgradable secure elements limited to 1024-byte payloads. Recent government-level initiatives highlight the necessity to "...effectively deprecate the use of RSA, Diffie-Hellman (DH), and elliptic curve cryptography (ECDH and ECDSA) when mandated." [CNSA-2], Page 4.¶
Adversaries are collecting encrypted data today to decrypt when quantum computers become available. The transition to post-quantum cryptography (PQC) is critical for ensuring long-term security of digital communications against adversaries equipped with large-scale quantum computers. The National Institute of Standards and Technology (NIST) has been leading standardization efforts, having selected initial PQC algorithms and continuing to evaluate additional candidates.¶
CBOR Object Signing and Encryption (COSE) [RFC9052] is specifically designed for constrained node networks and IoT environments where bandwidth, storage, and computational resources are limited. The compact nature of SQIsign makes it an ideal candidate for COSE deployments.¶
This document is published on the Standards track rather than Informational Track for the following reasons:¶
Algorithm Maturity: SQIsign is currently undergoing evaluation in NIST's on-ramp process¶
Continued Cryptanalysis: The algorithm has active ongoing review by the cryptographic research community, including the IRTF CFRG¶
High anticipated demand: This specification enables experimentation and early deployment to gather implementation experience¶
This document does not represent Working Group consensus on algorithm innovation. The COSE and JOSE working groups focus on algorithm integration and encoding, not cryptographic algorithm design. The cryptographic properties of SQIsign are being evaluated through NIST's process and academic peer review.¶
This document follows the precedent established by [I-D.ietf-cose-falcon] and [I-D.ietf-cose-dilithium] for integrating NIST PQC candidate algorithms into COSE and JOSE. The structure and approach are intentionally aligned to provide consistency across post-quantum signature scheme integrations.¶
SQIsign is particularly attractive for:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses the following terms:¶
SQIsign is based on the hardness of finding isogenies between supersingular elliptic curves over finite fields. The security assumption relies on:¶
The difficulty of the Isogeny Path Problem¶
The quaternion-based key generation providing computational hardness equivalent to quantum-resistant assumptions¶
Unlike lattice-based schemes, isogeny-based cryptography offers:¶
SQIsign is defined with three parameter sets corresponding to NIST security levels:¶
| Parameter Set | NIST Level | Public Key | Signature | Classical Sec |
|---|---|---|---|---|
| SQIsign-L1 | I | 65 bytes | 148 bytes | ~128 bits |
| SQIsign-L3 | III | 97 bytes | 224 bytes | ~192 bits |
| SQIsign-L5 | V | 129 bytes | 292 bytes | ~256 bits |
Signing: Computationally intensive (slower than lattice schemes)¶
Verification: Moderate computational cost¶
Key Generation: Intensive computation required¶
Size: Exceptional efficiency (10 - 20x smaller than lattice alternatives)¶
Recommended Use Cases: - Sign-once, verify-many scenarios (firmware, certificates) - Bandwidth-constrained environments - Storage-limited devices - Applications where signature/key size dominates performance considerations¶
This section defines the identifiers for SQIsign in COSE [RFC8152].¶
The algorithms defined in this document are:¶
A new key type is defined for SQIsign with the name "SQIsign".¶
SQIsign keys use the following COSE Key common parameters:¶
| Key Parameter | COSE Label | CBOR Type | Description |
|---|---|---|---|
| kty | 1 | int | Key type: IETF (SQIsign) |
| kid | 2 | bstr | Key ID (optional) |
| alg | 3 | int | Algorithm identifier (-61, -62, or -63) |
| key_ops | 4 | array | Key operations (sign, verify) |
| Key Parameter | Label | CBOR Type | Description |
|---|---|---|---|
| pub | -1 | bstr | SQIsign public key |
| priv | -2 | bstr | SQIsign private key (sensitive) |
cbor
{
1: IETF, / kty: SQIsign /
3: -61, / alg: SQIsign-L1 /
-1: h'[PUBLIC_KEY]' / pub: SQIsign public key bytes /
}
¶
cbor
{
1: IETF, / kty: SQIsign /
3: -61, / alg: SQIsign-L1 /
-1: h'[PUBLIC_KEY]', / pub: SQIsign public key bytes /
-2: h'[PRIVATE_KEY]' / priv: SQIsign private key bytes /
}
¶
SQIsign signatures in COSE follow the standard COSE_Sign1 structure [RFC9052]:¶
COSE_Sign1 = [
protected: bstr .cbor header_map,
unprotected: header_map,
payload: bstr / nil,
signature: bstr
]
¶
The signature field contains the raw SQIsign signature bytes.¶
The protected header MUST include:¶
cbor
{
1: -61 / alg: SQIsign-L1, -62 for L3, -63 for L5 /
}
¶
cbor
18( / COSE_Sign1 tag /
[
h'A10139003C', / protected: {"alg": -61} /
{}, / unprotected /
h'546869732069732074686520636F6E74656E742E', / payload /
h'[SQISIGN_SIGNATURE_BYTES]' / signature /
]
)
¶
The following algorithm identifiers are registered for use in the JWS "alg" header parameter for JSON Web Signatures [RFC7515]:¶
| Algorithm Name | Description | Implementation Requirements |
|---|---|---|
| SQIsign-L1 | SQIsign NIST Level I | Optional |
| SQIsign-L3 | SQIsign NIST Level III | Optional |
| SQIsign-L5 | SQIsign NIST Level V | Optional |
SQIsign keys are represented in JWK [RFC7517] format as follows:¶
| Parameter | Type | Description |
|---|---|---|
| kty | string | Key type: "SQIsign" |
| alg | string | Algorithm: "SQIsign-L1", "SQIsign-L3", or "SQIsign-L5" |
| pub | string | Base64url-encoded public key |
| kid | string | Key ID (optional) |
| use | string | Public key use: "sig" (optional) |
| key_ops | array | Key operations: [verify] (optional) |
Private keys include all public key parameters plus:¶
| Parameter | Type | Description |
|---|---|---|
| priv | string | Base64url-encoded private key |
json
{
"kty": "SQIsign",
"alg": "SQIsign-L1",
"pub": "KxtQx8s8RcBEU67wr57K37fdPEztN4M8NUC_\
5xZuqgMwkaeJhM94YHi_-2UsQllbnmm-W4XFSLm2hUwiMylrAh0",
"kid": "2027-01-device-key",
"use": "sig",
"key_ops": ["verify"]
}
¶
json
{
"kty": "SQIsign",
"alg": "SQIsign-L1",
"pub": "KxtQx8s8RcBEU67wr57K37fdPEztN4M8NUC_\
5xZuqgMwkaeJhM94YHi_-2UsQllbnmm-W4XFSLm2hUwiMylrAh0",
"priv": "KxtQx8s8RcBEU67wr57K37fdPEztN4M8NUC_5xZuqgMwkaeJhM94YHi_\
-2UsQllbnmm-W4XFSLm2hUwiMylrAh1VwP9vNkBZH0Bjj2wc-\
p7sUgQAAAAAAAAAAAAAAAAAAN68tviJbcCpQ84fh-4IJB4-\
____________________P38m3fKOhfhMspQU9GmA4CD5___\
_______________________________________________\
___________wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\
AAAAAAA5cP9aha40v-8mFd_bdAgpR93Ug2iPhu4_NxG97C7\
8wBvVMGOrQTCli7NxrR2KlPZR1AC5VddGf4p-ZjCzrWfAJv\
xhEh4uOKXq1MmuS9TwZGuz1YIYMIguu1wqjdmfaQAfOmK2g\
WWO3vcld5s7GR2AcrTv65ocK_pVUWY8eJDcQA",
"kid": "2027-01-device-key",
"use": "sig",
"key_ops": ["sign"]
}
¶
A JWS using SQIsign follows the standard compact serialization:¶
BASE64URL(UTF8(JWS Protected Header)) || '.' ||
BASE64URL(JWS Payload) || '.' ||
BASE64URL(JWS Signature)
¶
json
{
"alg": "SQIsign-L1",
"typ": "JWT"
}
¶
Base64url-encoded: eyJhbGciOiJTUUlzaWduLUwxIiwidHlwIjoiSldUIn0¶
eyJhbGciOiJTUUlzaWduLUwxIiwidHlwIjoiSldUIn0
.
[BASE64URL_PAYLOAD]
.
[BASE64URL_SQISIGN_SIGNATURE]
¶
Implementations MUST follow the SQIsign specification [SQIsign-Spec] for:¶
SQIsign signature generation requires high-quality randomness. Implementations MUST use a cryptographically secure random number generator (CSRNG) compliant with [RFC4086] or equivalent.¶
Implementations SHOULD implement protections against:¶
Particularly for constrained devices deployed in physically accessible environments.¶
Implementers should be aware:¶
The security of SQIsign relies on:¶
The hardness of finding isogenies between supersingular elliptic curves¶
The computational difficulty of solving quaternion-based problems¶
These assumptions are different from lattice-based schemes, providing cryptographic diversity in the post-quantum landscape.¶
SQIsign is designed to resist attacks by large-scale quantum computers. The three parameter sets provide security equivalent to AES-128, AES-192, and AES-256 against both classical and quantum adversaries.¶
As of this writing, SQIsign is undergoing active cryptanalytic review:¶
NIST Round 2 evaluation: [NIST-Finalized-Standards]¶
Academic research: Ongoing analysis of isogeny-based cryptography¶
Known attacks: No practical breaks of the security assumptions¶
Implementers are advised: - Monitor NIST announcements and updates - Follow academic literature on isogeny cryptanalysis - Be prepared to deprecate or update as cryptanalysis evolves¶
Poor randomness can completely compromise SQIsign security. Implementations MUST use robust CSRNGs, especially on constrained devices with limited entropy sources.¶
Constrained devices may be physically accessible to attackers. Implementations SHOULD:¶
Organizations deploying SQIsign SHOULD:¶
IoT devices face unique challenges:¶
Physical access: Devices may be deployed in hostile environments¶
Limited update capability: Firmware updates may be infrequent or impossible¶
Long deployment lifetimes: Devices may operate for 10+ years¶
Design systems with: - Defense in depth (multiple security layers) - Remote update capability when possible - Graceful degradation if algorithm is compromised¶
IANA is requested to add the following entries to the COSE and JOSE registries. The following completed registration actions are provided as described in [RFC9053] and [RFC9054].¶
IANA is requested to register the following entries in the "COSE Algorithms" registry:¶
| Name | Value | Description | Capabilities | Change Cont | Ref | Rec'd |
|---|---|---|---|---|---|---|
| SQIsign-L1 | -61 | SQIsign NIST L I | kty | IETF | THIS-RFC | No |
| SQIsign-L3 | -62 | SQIsign NIST L III | kty | IETF | THIS-RFC | No |
| SQIsign-L5 | -63 | SQIsign NIST L V | kty | IETF | THIS-RFC | No |
IANA is requested to register the following entry in the "COSE Key Types" registry:¶
| Name | Value | Description | Capabilities | Change Cont | Ref |
|---|---|---|---|---|---|
| SQIsign | IETF | SQIsign pub key | sign, verify | IETF | THIS-RFC |
IANA is requested to register the following entries in the "COSE Key Type Parameters" registry:¶
| Key Type | Name | Label | CBOR Type | Desc | Change Cont | Reference |
|---|---|---|---|---|---|---|
| SQIsign | pub | -1 | bstr | Public key | IETF | THIS-RFC |
| SQIsign | priv | -2 | bstr | Private key | IETF | THIS-RFC |
IANA is requested to register the following entries in the "JSON Web Signature and Encryption Algorithms" registry:¶
| Algorithm Name | Desc | Impl Req | Change Cont | Ref | Recommended |
|---|---|---|---|---|---|
| SQIsign-L1 | SQIsign NIST L I | Optional | IETF | THIS-RFC | No |
| SQIsign-L3 | SQIsign NIST L III | Optional | IETF | THIS-RFC | No |
| SQIsign-L5 | SQIsign NIST L V | Optional | IETF | THIS-RFC | No |
IANA is requested to register the following entry in the "JSON Web Key Types" registry:¶
| "kty" Param Value | Key Type Desc | Change Cont | Reference |
|---|---|---|---|
| SQIsign | SQIsign public key | IETF | THIS-RFC |
IANA is requested to register the following entries in the "JSON Web Key Parameters" registry:¶
| Param Name | Desc | Used with "kty" Val | Change Cont | Reference |
|---|---|---|---|---|
| pub | Public key | SQIsign | IETF | THIS-RFC |
| priv | Private key | SQIsign | IETF | THIS-RFC |
The authors would like to thank:¶
The SQIsign design team (De Feo, Kohel, Leroux, Petit, Wesolowski) for their groundbreaking work on isogeny-based signatures¶
The NIST PQC team for managing the standardization process¶
The COSE and JOSE working groups for guidance on integration¶
The IRTF Crypto Forum Research Group for ongoing cryptanalytic review¶
Early implementers who provide valuable feedback¶
This work builds upon the template established by [I-D.ietf-cose-falcon] and similar PQC integration efforts.¶
Populated automatically from metadata¶
Populated automatically from metadata¶
The following test vector exhibits a SQIsign Level I signature over a short message.¶
Message (hex): d81c4d8d734fcbfbeade3d3f8a039faa2a2c9957e835ad55b2 \
2e75bf57bb556ac8
Message (ASCII): MsO=?*,W5U.uWUj¶
Public Key (hex): 07CCD21425136F6E865E497D2D4D208F0054AD81372066E \
817480787AAF7B2029550C89E892D618CE3230F23510BFBE68FCCDDAEA51DB1436 \
B462ADFAF008A010B
Public Key (Base64url): B8zSFCUTb26GXkl9LU0gjwBUrYE3IGboF0gHh6r3s \
gKVUMieiS1hjOMjDyNRC_vmj8zdrqUdsUNrRirfrwCKAQs¶
Signature (hex): 84228651f271b0f39f2f19f2e8718f31ed3365ac9e5cb303 \
afe663d0cfc11f0455d891b0ca6c7e653f9ba2667730bb77befe1b1a3182840428 \
4af8fd7baacc010001d974b5ca671ff65708d8b462a5a84a1443ee9b5fed721876 \
7c9d85ceed04db0a69a2f6ec3be835b3b2624b9a0df68837ad00bcacc27d1ec806 \
a44840267471d86eff3447018adb0a6551ee8322ab30010202
Signature (Base64url): hCKGUfJxsPOfLxny6HGPMe0zZayeXLMDr-Zj0M_BHw \
RV2JGwymx-ZT-bomZ3MLt3vv4bGjGChAQoSvj9e6rMAQAB2XS1ymcf9lcI2LRipahK \
FEPum1_tchh2fJ2Fzu0E2wppovbsO-g1s7JiS5oN9og3rQC8rMJ9HsgGpEhAJnRx2G \
7_NEcBitsKZVHugyKrMAECAg¶
cbor
18(
[
h'a10139003c', / protected: {"alg": -61} /
{}, / unprotected /
h'd81c4d8d734fcbfbeade3d3f8a039faa2a2c9957e835ad55b22e75bf57bb \
556ac8', / payload /
h'84228651f271b0f39f2f19f2e8718f31ed3365ac9e5cb303afe663d0cfc1 \
1f0455d891b0ca6c7e653f9ba2667730bb77befe1b1a31828404284af8fd7b \
aacc010001d974b5ca671ff65708d8b462a5a84a1443ee9b5fed7218767c9d \
85ceed04db0a69a2f6ec3be835b3b2624b9a0df68837ad00bcacc27d1ec806 \
a44840267471d86eff3447018adb0a6551ee8322ab30010202'
]
)
¶
eyJhbGciOiJTUUlzaWduLUwxIiwidHlwIjoiSldUIn0
.
2BxNjXNPy_vq3j0_igOfqiosmVfoNa1Vsi51v1e7VWrI
.
hCKGUfJxsPOfLxny6HGPMe0zZayeXLMDr-Zj0M_BHwRV2JGwymx-ZT-bomZ3MLt3vv \
4bGjGChAQoSvj9e6rMAQAB2XS1ymcf9lcI2LRipahKFEPum1_tchh2fJ2Fzu0E2wpp \
ovbsO-g1s7JiS5oN9og3rQC8rMJ9HsgGpEhAJnRx2G7_NEcBitsKZVHugyKrMAECAg
¶
[PLACEHOLDER FOR L3 TEST VECTORS]
¶
[PLACEHOLDER FOR L5 TEST VECTORS]
¶
[RFC Editor: Please remove this section before publication]¶
This section records the status of known implementations at the time of writing.¶
[RFC EDITOR: To be populated as vendors implement]¶
The requested algorithm identifiers (-61, -62, -63) are:¶
The SQIsign key type is intentionally simple:¶
Only two parameters (pub, priv) following minimalist design¶
Binary encoding (bstr) for efficiency¶
No algorithm-specific encoding—raw bytes from SQIsign spec¶
This approach: - Minimizes CBOR encoding overhead (critical for constrained devices) - Simplifies implementation - Provides future flexibility for parameter set evolution¶
[RFC Editor Note:** Please remove this section before publication]¶