COSE (CBOR Object Signing and Encryption) is a compact binary format for attaching signatures, encryption, or MACs directly to a piece of data, so that the proof travels with the object no matter how it is stored, cached, or forwarded.
That is the whole idea. If you know JOSE, JWT, JWS, or JWE, COSE is the same concept built on CBOR instead of JSON, defined in RFC 9052 and RFC 9053. The structures look familiar; every object is just smaller.
Why a Smaller Format Exists
JSON is verbose because it is meant to be read by humans. That is a fine trade in a browser. It is the wrong trade on a sensor that talks over LoRaWAN with a 51-byte payload budget, or a microcontroller that does not have the flash for a JSON parser plus a Base64URL decoder plus an X.509 stack.
CBOR encodes the same data model as JSON does (maps, arrays, integers, byte strings, text strings, booleans, and null) in far fewer bytes and with no parsing ambiguity. A small integer is one byte. There are no quotes, commas, or whitespace to skip. COSE then wraps cryptographic operations around that CBOR payload. The result: a signed message that is roughly a third the size of the JSON equivalent, with a parser that fits in single-digit kilobytes.
The Three Things It Does
COSE has six message types, in three pairs: a one-actor variant and a many-actor variant for each operation.
| Operation | One actor | Many actors |
|---|---|---|
| Digital signature | COSE_Sign1 | COSE_Sign |
| Authenticated encryption | COSE_Encrypt0 | COSE_Encrypt |
| Message authentication code | COSE_Mac0 | COSE_Mac |
Sign proves who produced the bytes and that nobody changed them. Encrypt keeps the bytes secret to intended recipients. MAC proves integrity using a shared secret. That is the entire surface.
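The MAC case described above, worked end to end as an added example (not wolfSSL code and not part of the original page): it builds and verifies a COSE_Mac0 with HMAC 256/256 using only the Python standard library. The CBOR codec covers just the subset this one message needs and is not a hardened parser; the function names are chosen for this illustration.

```python
import hashlib, hmac

def head(major, n):  # CBOR head: 3-bit major type + shortest-form argument
    if n < 24:
        return bytes([major << 5 | n])
    size = 1 if n < 256 else 2 if n < 65536 else 4
    return bytes([major << 5 | {1: 24, 2: 25, 4: 26}[size]]) + n.to_bytes(size, "big")

def enc(v):  # encoder for the CBOR subset used here: uint, bstr, tstr, array, map
    if isinstance(v, int):
        return head(0, v)
    if isinstance(v, (bytes, str)):
        raw = v.encode() if isinstance(v, str) else v
        return head(3 if isinstance(v, str) else 2, len(raw)) + raw
    if isinstance(v, list):
        return head(4, len(v)) + b"".join(map(enc, v))
    return head(5, len(v)) + b"".join(enc(k) + enc(x) for k, x in v.items())

def dec(b, i=0):  # matching decoder, returns (value, next_offset); tags are skipped
    major, n, i = b[i] >> 5, b[i] & 31, i + 1
    if n >= 24:
        size = 1 << (n - 24)
        n, i = int.from_bytes(b[i:i + size], "big"), i + size
    if major == 0:
        return n, i
    if major in (2, 3):
        return (b[i:i + n] if major == 2 else b[i:i + n].decode()), i + n
    if major == 6:
        return dec(b, i)
    items = []
    for _ in range(n * (2 if major == 5 else 1)):
        v, i = dec(b, i)
        items.append(v)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i

def mac0_tag(key, protected, payload):
    # MAC_structure (RFC 9052): ["MAC0", protected, external_aad, payload]
    return hmac.new(key, enc(["MAC0", protected, b"", payload]), hashlib.sha256).digest()

def mac0_create(key, payload):
    protected = enc({1: 5})  # header label 1 (alg) = 5 (HMAC 256/256, RFC 9053)
    tag = mac0_tag(key, protected, payload)
    return head(6, 17) + enc([protected, {}, payload, tag])  # CBOR tag 17 = COSE_Mac0

def mac0_verify(key, msg):
    protected, _, payload, tag = dec(msg)[0]
    if msg[:1] != head(6, 17) or dec(protected)[0] != {1: 5}:
        raise ValueError("not a COSE_Mac0 with HMAC 256/256")
    if not hmac.compare_digest(tag, mac0_tag(key, protected, payload)):
        raise ValueError("tag mismatch")
    return payload
```

With a 5-byte payload the whole message is 47 bytes, 32 of which are the HMAC tag.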
Where You Have Already Seen It
You may be using COSE without knowing it. It is the signature format under firmware update manifests (SUIT), device attestation tokens (EAT), CBOR Web Tokens (CWT), FIDO2 passkey credentials, Wi-Fi Easy Connect (DPP) onboarding, and Matter smart-home commissioning.
If a constrained device signs, encrypts, or authenticates a message, there is a good chance a COSE structure is doing the work.

