]> PQ/T Hybrid KEM: HPKE with JOSE/COSE Nokia
Bangalore Karnataka India k.tirumaleswar_reddy@nokia.com
Germany hannes.tschofenig@gmx.net
Security COSE PQC COSE JOSE Hybrid HPKE This document outlines the construction of a PQ/T Hybrid Key Encapsulation Mechanism (KEM) in Hybrid Public-Key Encryption (HPKE) for integration with JOSE and COSE. It specifies the utilization of both traditional and Post-Quantum Cryptography (PQC) algorithms, referred to as PQ/T Hybrid KEM, within the context of JOSE and COSE. About This Document Status information for this document may be found at . Discussion of this document takes place on the cose Working Group mailing list (), which is archived at . Subscribe at .
Introduction The migration to Post-Quantum Cryptography (PQC) is unique in the history of modern digital cryptography in that neither the traditional algorithms nor the post-quantum algorithms are fully trusted to protect data for the required data lifetimes. The traditional algorithms, such as RSA and elliptic curve, will fall to quantum cryptalanysis, while the post-quantum algorithms face uncertainty about the underlying mathematics, compliance issues, unknown vulnerabilities, hardware and software implementations that have not had sufficient maturing time to rule out classical cryptanalytic attacks and implementation bugs. During the transition from traditional to post-quantum algorithms, there is a desire or a requirement for protocols that use both algorithm types. Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography. HPKE offers a variant of public-key encryption of arbitrary-sized plaintexts for a recipient public key. The specifications for the use of HPKE with JOSE and COSE are described in and , respectively. HPKE can be extended to support PQ/T Hybrid KEM as defined in . This specification defines PQ/T Hybrid KEM in HPKE for use with JOSE and COSE.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document makes use of the terms defined in . For the purposes of this document, it is helpful to be able to divide cryptographic algorithms into two classes: "Traditional Algorithm": An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms, elliptic curve discrete logarithms, or related mathematical problems. In the context of JOSE, examples of traditional key exchange algorithms include Elliptic Curve Diffie-Hellman Ephemeral Static . In the context of COSE, examples of traditional key exchange algorithms include Ephemeral-Static (ES) DH and Static-Static (SS) DH . "Post-Quantum Algorithm": An asymmetric cryptographic algorithm that is believed to be secure against attacks using quantum computers as well as classical computers. Examples of PQC key exchange algorithms include ML-KEM. "Post-Quantum Traditional (PQ/T) Hybrid Scheme": A multi-algorithm scheme where at least one component algorithm is a post-quantum algorithm and at least one is a traditional algorithm. "PQ/T Hybrid Key Encapsulation Mechanism": A multi-algorithm KEM made up of two or more component KEM algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm.
Construction ML-KEM is a one-pass (store-and-forward) cryptographic mechanism for an originator to securely send keying material to a recipient using the recipient's ML-KEM public key. Three parameters sets for ML-KEMs are specified by . In order of increasing security strength (and decreasing performance), these parameter sets are ML-KEM-512, ML-KEM-768, and ML-KEM-1024. PQ/T algorithms for HPKE uses a multi-algorithm scheme, where one component algorithm is a post-quantum algorithm and another one is a traditional algorithm. The QSF combiner functions defined in Sections 6.1, 6.2 and 6.3 of combines the output of a post-quantum KEM and a traditional KEM to generate a single shared secret.
Ciphersuite Registration This specification registers a number of PQ/T Hybrid KEMs for use with HPKE. A ciphersuite is thereby a combination of several algorithm configurations:
  • KEM algorithm (PQ KEM + Traditional Algorithm, for example, MLKEM768 + X25519 defined as "X25519-MLKEM768-SHAKE256-SHA3256" in )
  • KDF algorithm
  • AEAD algorithm
The "KEM", "KDF", and "AEAD" values are conceptually taken from the HPKE IANA registry . Hence, JOSE and COSE cannot use an algorithm combination that is not already available with HPKE. The HPKE PQ/T hybrid ciphersuites for JOSE and COSE are defined in . Note that the PQ/T Hybrid KEM in HPKE is not an authenticated KEM. The HPKE Base mode can only be supported with the PQ/T Hybrid KEM.
AKP Key for PQ/T Hybrid Algorithms in HPKE This section describes the required parameters for an "AKP" key type, as defined in , and its use with the PQ/T Hybrid Algorithms for HPKE, as defined in {#XWING}. An example JWK is also provided for illustration.
Required Parameters A JSON Web Key (JWK) or COSE_Key with a key type ("kty") for use with the PQ/T Hybrid Algorithm for HPKE includes the following parameters:
  • kty (Key Type)
    The key type parameter MUST be present and set to "AKP".
  • alg (Algorithm)
    The algorithm parameter MUST be present and MUST represent the PQ/T algorithm for HPKE, as defined in {#XWING}. PQ/T algorithms for HPKE are those registered in the "JSON Web Signature and Encryption Algorithms" and "COSE Algorithms" registries, derived from the KEM identifier in the HPKE IANA registry.
  • pub (Public Key)
    The public key parameter MUST be present and MUST contain the public encapsulation key (pk) as defined in Section 5.1 of . When represented as a JWK, this value MUST be base64url-encoded.
  • priv (Private Key)
    When representing an private key, the private key parameter MUST be present and MUST contain the private decapsulation key (sk) as defined in Section 5.1 of . When represented as a JWK, this value MUST be base64url-encoded.
Example The following is an example JWK representation of an "AKP" key for the "QSF-X25519-MLKEM768-SHAKE256-SHA3256" algorithm:
Security Considerations The security considerations in , and are to be taken into account. The shared secrets computed in the hybrid key exchange should be computed in a way that achieves the "hybrid" property: the resulting secret is secure as long as at least one of the component key exchange algorithms is unbroken. PQC KEMs used in the manner described in this document MUST explicitly be designed to be secure in the event that the public key is reused, such as achieving IND-CCA2 security. ML-KEM has such security properties.
Post-Quantum Security for Multiple Recipients In HPKE JWE Key Encryption, when encrypting the Content Encryption Key (CEK) for multiple recipients, it is crucial to consider the security requirements of the message to safeguard against "Harvest Now, Decrypt Later" attack. For messages requiring post-quantum security, all recipients MUST use algorithms supporting post-quantum cryptographic methods, such as PQC KEMs or Hybrid PQ/T KEMs. Using traditional algorithms (e.g., ECDH-ES) for any recipient in these scenarios compromises the overall security of the message.
IANA Considerations
JOSE This document requests IANA to add new values to the "JSON Web Signature and Encryption Algorithms" registry.
JOSE Algorithms Registry
  • Algorithm Name: HPKE-7
  • Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode that uses the P-256 + ML-KEM-768 Hybrid KEM, the SHAKE256 KDF, and the AES-256-GCM AEAD.
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IANA
  • Specification Document(s): [[TBD: This RFC]]
  • Algorithm Analysis Documents(s): TODO
  • Algorithm Name: HPKE-8
  • Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode that uses the P-256 + ML-KEM-768 Hybrid KEM, the SHAKE256 KDF, and the ChaCha20Poly1305 AEAD.
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IANA
  • Specification Document(s): [[TBD: This RFC]]
  • Algorithm Analysis Documents(s): TODO
  • Algorithm Name: HPKE-9
  • Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode that uses the X25519 + ML-KEM-768 Hybrid KEM, the SHAKE256 KDF, and the AES-256-GCM AEAD.
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IANA
  • Specification Document(s): [[TBD: This RFC]]
  • Algorithm Analysis Documents(s): TODO
  • Algorithm Name: HPKE-10
  • Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode that uses the X25519 + ML-KEM-768 Hybrid KEM, the SHAKE256 KDF, and the ChaCha20Poly1305 AEAD.
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IANA
  • Specification Document(s): [[TBD: This RFC]]
  • Algorithm Analysis Documents(s): TODO
  • Algorithm Name: HPKE-11
  • Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode that uses the P-384 + ML-KEM-1024 Hybrid KEM, the SHAKE256 KDF, and the AES-256-GCM AEAD.
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IANA
  • Specification Document(s): [[TBD: This RFC]]
  • Algorithm Analysis Documents(s): TODO
  • Algorithm Name: HPKE-12
  • Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode that uses the P-384 + ML-KEM-1024 Hybrid KEM, the SHAKE256 KDF, and the ChaCha20Poly1305 AEAD.
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IANA
  • Specification Document(s): [[TBD: This RFC]]
  • Algorithm Analysis Documents(s): TODO
COSE This document requests IANA to add new values to the 'COSE Algorithms' registry.
COSE Algorithms Registry
  • Name: QSF-P256-MLKEM768-SHAKE256-SHA3256-AES-256-GCM
  • Value: TBD1
  • Description: Cipher suite for COSE-HPKE in Base Mode that uses the P-256 + ML-KEM-768 Hybrid KEM, the SHAKE256 KDF, and the AES-256-GCM AEAD.
  • Capabilities: [kty]
  • Change Controller: IANA
  • Reference: [[TBD: This RFC]]
  • Name: QSF-P256-MLKEM768-SHAKE256-SHA3256-ChaCha20Poly1305
  • Value: TBD2
  • Description: Cipher suite for COSE-HPKE in Base Mode that uses the P-256 + ML-KEM-768 Hybrid KEM, the SHAKE256 KDF, and the ChaCha20Poly1305 AEAD.
  • Capabilities: [kty]
  • Change Controller: IANA
  • Reference: [[TBD: This RFC]]
  • Name: QSF-X25519-MLKEM768-SHAKE256-SHA3256-AES-256-GCM
  • Value: TBD3
  • Description: Cipher suite for COSE-HPKE in Base Mode that uses the X25519 + ML-KEM-768 Hybrid KEM, the SHAKE256 KDF, and the AES-256-GCM AEAD.
  • Capabilities: [kty]
  • Change Controller: IANA
  • Reference: [[TBD: This RFC]]
  • Name: QSF-X25519-MLKEM768-SHAKE256-SHA3256-ChaCha20Poly1305
  • Value: TBD4
  • Description: Cipher suite for COSE-HPKE in Base Mode that uses the X25519 + ML-KEM-768 Hybrid KEM, the SHAKE256 KDF, and the ChaCha20Poly1305 AEAD.
  • Capabilities: [kty]
  • Change Controller: IANA
  • Reference: [[TBD: This RFC]]
  • Name: QSF-P384-MLKEM1024-SHAKE256-SHA3256-AES-256-GCM
  • Value: TBD5
  • Description: Cipher suite for COSE-HPKE in Base Mode that uses the P-384 + ML-KEM-1024 Hybrid KEM, the SHAKE256 KDF, and the AES-256-GCM AEAD.
  • Capabilities: [kty]
  • Change Controller: IANA
  • Reference: [[TBD: This RFC]]
  • Name: QSF-P384-MLKEM1024-SHAKE256-SHA3256-ChaCha20Poly1305
  • Value: TBD6
  • Description: Cipher suite for COSE-HPKE in Base Mode that uses the P-384 + ML-KEM-1024 Hybrid KEM, the SHAKE256 KDF, and the ChaCha20Poly1305 AEAD.
  • Capabilities: [kty]
  • Change Controller: IANA
  • Reference: [[TBD: This RFC]]
Acknowledgments Thanks to Ilari Liusvaara and Orie Steele for the discussion and comments.
References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. ML-DSA for JOSE and COSE mesur.io Transmute Google IBM NXP This document describes JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for Module- Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum Cryptography (PQC) digital signature scheme defined in FIPS 204. Informative References Module-Lattice-based Key-Encapsulation Mechanism Standard Hybrid Public Key Encryption (HPKE) IANA Registry IANA Use of Hybrid Public Key Encryption (HPKE) with JSON Object Signing and Encryption (JOSE) Nokia University of Applied Sciences Bonn-Rhein-Sieg Nokia Tradeverifyd Self-Issued Consulting This specification defines Hybrid Public Key Encryption (HPKE) for use with JSON Object Signing and Encryption (JOSE). HPKE offers a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. HPKE is a general encryption framework utilizing an asymmetric key encapsulation mechanism (KEM), a key derivation function (KDF), and an authenticated encryption with additional data (AEAD) algorithm. This document defines the use of HPKE with JOSE. The specification chooses a specific subset of the HPKE features to use with JOSE. Use of Hybrid Public-Key Encryption (HPKE) with CBOR Object Signing and Encryption (COSE) University of Applied Sciences Bonn-Rhein-Sieg Transmute bibital Security Theory LLC This specification defines hybrid public-key encryption (HPKE) for use with CBOR Object Signing and Encryption (COSE). HPKE offers a variant of public-key encryption of arbitrary-sized plaintexts for a recipient public key. HPKE works for any combination of an asymmetric key encapsulation mechanism (KEM), key derivation function (KDF), and authenticated encryption with additional data (AEAD) function. Authentication for HPKE in COSE is provided by COSE-native security mechanisms or by the pre-shared key authenticated variant of HPKE. This document defines the use of the HPKE with COSE. Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE Cisco Updating key exchange and public-key encryption protocols to resist attack by quantum computers is a high priority given the possibility of "harvest now, decrypt later" attacks. Hybrid Public Key Encryption (HPKE) is a widely-used public key encryption scheme based on combining a Key Encapsulation Mechanism (KEM), a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) scheme. In this document, we define KEM algorithms for HPKE based on both post-quantum KEMs and hybrid constructions of post- quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3 that is suitable for use with these KEMs. When used with these algorithms, HPKE is resilient with respect to attacks by a quantum computer. Terminology for Post-Quantum Traditional Hybrid Schemes UK National Cyber Security Centre UK National Cyber Security Centre Naval Postgraduate School One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations. Fundamental Elliptic Curve Cryptography Algorithms This note describes the fundamental algorithms of Elliptic Curve Cryptography (ECC) as they were defined in some seminal references from 1994 and earlier. These descriptions may be useful for implementing the fundamental algorithms without using any of the specialized methods that were developed in following years. Only elliptic curves defined over fields of characteristic greater than three are in scope; these curves are those used in Suite B. This document is not an Internet Standards Track specification; it is published for informational purposes. CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE) This document defines how to use the Diffie-Hellman algorithms "X25519" and "X448" as well as the signature algorithms "Ed25519" and "Ed448" from the IRTF CFRG elliptic curves work in JSON Object Signing and Encryption (JOSE). CBOR Object Signing and Encryption (COSE): Structures and Process Concise Binary Object Representation (CBOR) is a data format designed for small code size and small message size. There is a need to be able to define basic security services for this data format. This document defines the CBOR Object Signing and Encryption (COSE) protocol. This specification describes how to create and process signatures, message authentication codes, and encryption using CBOR for serialization. This specification additionally describes how to represent cryptographic keys using CBOR. This document, along with RFC 9053, obsoletes RFC 8152. Hybrid PQ/T Key Encapsulation Mechanisms SandboxAQ This document defines generic techniques to achive hybrid post- quantum/traditional (PQ/T) key encapsulation mechanisms (KEMs) from post-quantum and traditional component algorithms that meet specified security properties. It then uses those generic techniques to construct several concrete instances of hybrid KEMs.