wolfCOSE | COSE and CBOR Library with Post-Quantum ML-DSA

What is wolfCOSE?

wolfCOSE is a CBOR Object Signing and Encryption (COSE) library for C that implements RFC 9052, RFC 9053, and RFC 9964. It provides signing, encryption, MAC, and key serialization for CBOR-based applications, including post-quantum ML-DSA support. Built on wolfCrypt, wolfCOSE is designed for embedded systems with deterministic memory usage and zero heap allocation.

Why wolfCOSE?

  • Complete RFC 9052 COSE implementation, including all six COSE message types
  • RFC 9964 support for ML-DSA post-quantum signatures (FIPS 204)
  • Built-in RFC 8949 CBOR encoder and decoder
  • Zero heap allocation and bounded stack usage
  • Designed for embedded, IoT, and security-critical systems
  • FIPS 140-3 deployment path through wolfCrypt

Quick Facts

Item Value
Product wolfCOSE
Vendor wolfSSL
Category COSE and CBOR library for C
Primary Use Signing, encrypting, and authenticating CBOR data
Standards RFC 8949, RFC 9052, RFC 9053, RFC 9964, FIPS 204
Post-Quantum ML-DSA-44, ML-DSA-65, ML-DSA-87
Memory Model Zero heap allocation
Crypto Backend wolfCrypt
FIPS Path wolfCrypt FIPS 140-3 Certificate #4718
License GPLv3 / Commercial

Complete COSE message set with post-quantum ML-DSA (RFC 9964)

wolfCOSE implements all six COSE message types defined in RFC 9052, along with COSE_Key and
COSE_KeySet serialization. It also implements RFC 9964, the IETF standard for using ML-DSA (FIPS 204) with COSE, including support for the AKP (Algorithm Key Pair) key type and seed-based private keys.

Unlike many COSE implementations, wolfCOSE combines a complete RFC 9052 feature set, built-in RFC 8949 CBOR support, RFC 9964 post-quantum signatures, and zero heap allocation in a compact library designed for embedded systems.

Features

  • Complete RFC 9052 message set: all six COSE message types, including multi-signer `COSE_Sign` and multi-recipient `COSE_Encrypt` / `COSE_Mac`.
  • Official post-quantum support: ML-DSA-44/65/87 via RFC 9964 (FIPS 204), not a pre-standard or vendor-proprietary scheme.
  • Post-quantum at near-classical cost: ML-DSA-44 `COSE_Sign1` total flash including wolfCrypt is ~20.8 KB verify-only and ~35.8 KB sign+verify — within ~1 KB of classical ES256.
  • Zero heap allocation, non-recursive: every operation runs on caller-provided buffers within a bounded stack ceiling. No `malloc`/`XMALLOC` on any path; enforced in CI.
  • Standalone CBOR engine: RFC 8949 encoder/decoder, ~1.6–1.7 KB, usable without wolfCrypt.

COSE message types (RFC 9052)

Type Purpose
`COSE_Sign1` Single-signer signature
`COSE_Sign` Multi-signer signature
`COSE_Encrypt0` Single-recipient AEAD
`COSE_Encrypt` Multi-recipient AEAD
`COSE_Mac0` Single-recipient MAC
`COSE_Mac` Multi-recipient MAC
`COSE_Key` / `COSE_KeySet` Key serialization

Supported Algorithms

  • Signatures — post-quantum (FIPS 204 / RFC 9964): ML-DSA-44 (Level 2), ML-DSA-65 (Level 3), ML-DSA-87 (Level 5).
  • Signatures — classical: ES256/384/512 (ECDSA P-256/384/521), Ed25519, Ed448, PS256/384/512 (RSA-PSS).
  • AEAD encryption: A128GCM/A192GCM/A256GCM, ChaCha20-Poly1305, and the full AES-CCM family (AES-CCM-16-64-128 through AES-CCM-64-128-256).
  • MAC: HMAC-SHA256/384/512, AES-MAC (128/64, 256/64, 128/128, 256/128).
  • Key distribution: Direct, AES Key Wrap (A128/192/256KW), ECDH-ES/SS+HKDF-256/512, ECDH-ES+A128/192/256KW.

Standards implemented

  • RFC 8949 — CBOR
  • RFC 9052 — COSE structures (all six message types)
  • RFC 9053 — COSE algorithms
  • RFC 9964 — ML-DSA for COSE (post-quantum, AKP key type)
  • RFC 8230 — RSA COSE key parameters
  • FIPS 204 — ML-DSA (via wolfCrypt)

Dependencies & versions

  • Requires wolfSSL v5.8.0-stable or later (for `wc_ForceZero`).
  • ML-DSA support requires wolfSSL newer than v5.9.1-stable (for the `wc_MlDsaKey` API).

Supported Platforms

  • Desktop/server: x86_64 (Linux, macOS), aarch64.
  • MCU / embedded: ARM Cortex-M (validated on STM32H563ZI / NUCLEO-H563ZI, Cortex-M33 @ 250 MHz). Assembly optimizations available for P-256.
  • Bare-metal / RTOS friendly: zero-allocation, non-recursive design suits constrained IoT devices and FIPS-bounded deployments.
  • Compilers: GCC 10–14, Clang 14–18.
  • CI: Ubuntu and macOS.

Footprint & performance highlights

  • RAM: 0 heap; ~6.7 KB peak stack on STM32H563 (~1% of its 640 KB RAM).
  • Flash (total, incl. wolfCrypt): ES256 verify-only ~26.2 KB; ES256 sign+verify ~34.6 KB; ML-DSA-44 verify-only ~20.8 KB; ML-DSA-44 sign+verify ~35.8 KB.
  • Speed (x86_64 w/ asm): ES256 sign ~66.5k ops/s, ES256 verify ~26.4k ops/s, ML-DSA-44 sign ~18.6k ops/s, ML-DSA-44 verify ~51.6k ops/s.

Common Use Cases

  • SUIT manifests
  • CBOR-based attestation tokens
  • Secure IoT device provisioning
  • COSE-signed firmware metadata
  • Embedded software update systems
  • Post-quantum signed CBOR payloads

Frequently Asked Questions

What is COSE?

COSE (CBOR Object Signing and Encryption) is an IETF standard for signing, encrypting, and authenticating CBOR-encoded data. It provides the CBOR equivalent of JOSE/JWT-style cryptographic protection and is commonly used in IoT, firmware update systems, attestation tokens, SUIT manifests, and constrained devices.

What is the difference between COSE and JOSE?

COSE uses CBOR encoding while JOSE uses JSON. COSE is designed for compact, efficient representations and is commonly used in embedded, IoT, attestation, and constrained-device applications.

Does wolfCOSE support post-quantum cryptography?

Yes. It implements ML-DSA-44/65/87 (FIPS 204) for `COSE_Sign1` and `COSE_Sign` following RFC 9964, the official IETF standard for ML-DSA in COSE, using the AKP key type with 32-byte seed-based private keys.

Is the ML-DSA support standards-based or proprietary?

Standards-based. It follows RFC 9964 (ML-DSA for COSE) and FIPS 204, not a pre-standard draft or vendor-specific encoding.

How much does post-quantum cost in code size versus classical ECDSA?

Very little at the COSE layer. ML-DSA-44 `COSE_Sign1` verify-only is ~20.8 KB total flash including wolfCrypt, and ~35.8 KB sign+verify — within about 1 KB of classical ES256.

Does wolfCOSE allocate memory on the heap?

No. It is strictly zero-allocation: every operation uses caller-provided buffers, with no `malloc`/`XMALLOC` on any code path (enforced in CI), no recursion, and a bounded stack ceiling (~6.7 KB peak on Cortex-M33).

Which COSE message types are supported?

All six from RFC 9052 — `COSE_Sign1`, `COSE_Sign`, `COSE_Encrypt0`, `COSE_Encrypt`, `COSE_Mac0`, `COSE_Mac` — plus `COSE_Key` / `COSE_KeySet` serialization.

Do I need a separate CBOR library?

No. wolfCOSE includes its own RFC 8949 CBOR engine (~1.6–1.7 KB). CBOR-only projects can link just the CBOR object without pulling in wolfCrypt.

Is it FIPS certifiable?

The cryptography runs through wolfCrypt, which carries FIPS 140-3 Certificate #4718, giving wolfCOSE deployments a path to FIPS validation. ML-DSA implements FIPS 204.

What does wolfCOSE depend on?

Only wolfSSL/wolfCrypt. Minimum wolfSSL v5.8.0-stable; ML-DSA needs newer than v5.9.1-stable.

Is it suitable for embedded and constrained IoT devices?

Yes — that is its primary target. Zero heap use, deterministic bounded stack, small flash footprint, and validation on STM32H563 (Cortex-M33) make it suited to constrained IoT and FIPS-bounded deployments.

What license is wolfCOSE under?

GPLv3, with commercial licensing available from wolfSSL.