Skip to main content

Hybrid key exchange in JOSE and COSE
draft-ra-cose-hybrid-encrypt-00

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Expired".
Authors Tirumaleswar Reddy.K , Aritra Banerjee
Last updated 2023-07-05
RFC stream (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-ra-cose-hybrid-encrypt-00
COSE                                                            T. Reddy
Internet-Draft                                               A. Banerjee
Intended status: Standards Track                                   Nokia
Expires: 6 January 2024                                      5 July 2023

                  Hybrid key exchange in JOSE and COSE
                    draft-ra-cose-hybrid-encrypt-00

Abstract

   Hybrid key exchange refers to using multiple key exchange algorithms
   simultaneously and combining the result with the goal of providing
   security even if all but one of the component algorithms is broken.
   It is motivated by transition to post-quantum cryptography.  This
   document provides a construction for hybrid key exchange in JOSE and
   COSE.  It defines the use of traditional and PQC algorithms, a hybrid
   post-quantum KEM, for JOSE and COSE.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-ra-cose-hybrid/.

   Discussion of this document takes place on the cose Working Group
   mailing list (mailto:cose@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/cose/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/cose/.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 6 January 2024.

Reddy & Banerjee         Expires 6 January 2024                 [Page 1]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
     2.1.  Key Encapsulation Mechanisms  . . . . . . . . . . . . . .   4
   3.  Construction  . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  KEM Combiner  . . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  KEM PQC Algorithms  . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  Kyber . . . . . . . . . . . . . . . . . . . . . . . . . .   7
   6.  Hybrid Key Representation with JOSE . . . . . . . . . . . . .   7
     6.1.  "kem" . . . . . . . . . . . . . . . . . . . . . . . . . .   9
     6.2.  Example Hybrid Key Agreement Computation  . . . . . . . .  10
   7.  Hybrid Key Representation with COSE . . . . . . . . . . . . .  11
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  13
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
     9.1.  JOSE  . . . . . . . . . . . . . . . . . . . . . . . . . .  13
       9.1.1.  JSON PQC KEM Registry . . . . . . . . . . . . . . . .  20
     9.2.  COSE  . . . . . . . . . . . . . . . . . . . . . . . . . .  21
       9.2.1.  COSE PQC KEM Registry . . . . . . . . . . . . . . . .  26
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  28
   References  . . . . . . . . . . . . . . . . . . . . . . . . . . .  28
     Normative References  . . . . . . . . . . . . . . . . . . . . .  28
     Informative References  . . . . . . . . . . . . . . . . . . . .  28
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  30

1.  Introduction

   The migration to PQC is unique in the history of modern digital
   cryptography in that neither the traditional algorithms nor the post-
   quantum algorithms are fully trusted to protect data for the required
   data lifetimes.  The traditional algorithms, such as RSA and elliptic
   curve, will fall to quantum cryptalanysis, while the post-quantum
   algorithms face uncertainty about the underlying mathematics,
   compliance issues, unknown vulnerabilities, hardware and software

Reddy & Banerjee         Expires 6 January 2024                 [Page 2]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   implementations that have not had sufficient maturing time to rule
   out classical cryptanalytic attacks and implementation bugs.

   During the transition from traditional to post-quantum algorithms,
   there is a desire or a requirement for protocols that use both
   algorithm types.  [I-D.ietf-pquip-pqt-hybrid-terminology] defines
   terminology for the Post-Quantum and Traditional Hybrid Schemes.

   This document gives a construction for hybrid key exchange in
   Javascript Object Signing and Encryption (JOSE) and CBOR Object
   Signing and Encryption (COSE).  The overall design approach is a
   simple, "hash and concatenation" based approach to use a “hybrid”
   shared secret.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document makes use of the terms defined in
   [I-D.ietf-pquip-pqt-hybrid-terminology].  For the purposes of this
   document, it is helpful to be able to divide cryptographic algorithms
   into two classes:

   "Traditional Algorithm": An asymmetric cryptographic algorithm based
   on integer factorisation, finite field discrete logarithms or
   elliptic curve discrete logarithms.  In the context of JOSE, examples
   of traditional key exchange algorithms include Elliptic Curve Diffie-
   Hellman Ephemeral Static [RFC6090] [RFC8037].  In the context of
   COSE, examples of traditional key exchange algorithms include
   Ephemeral-Static (ES) DH and Static-Static (SS) DH [RFC9052].

   "Post-Quantum Algorithm": An asymmetric cryptographic algorithm that
   is believed to be secure against attacks using quantum computers as
   well as classical computers.  Examples of PQC key exchange algorithms
   include Kyber.

   "Hybrid" key exchange, in this context, means the use of two key
   exchange algorithms based on different cryptographic assumptions,
   e.g., one traditional algorithm and one Post-Quantum algorithm, with
   the purpose of the final shared secret key being secure as long as at
   least one of the component key exchange algorithms remains unbroken.
   It is referred to as PQ/T Hybrid Scheme in
   [I-D.ietf-pquip-pqt-hybrid-terminology].

Reddy & Banerjee         Expires 6 January 2024                 [Page 3]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   PQ/T Hybrid Key Encapsulation Mechanism: A Key Encapsulation
   mechanism (KEM) made up of two or more component KEM algorithms where
   at least one is a post-quantum algorithm and at least one is a
   traditional algorithm.

2.1.  Key Encapsulation Mechanisms

   For the purposes of this document, we consider a Key Encapsulation
   Mechanism (KEM) to be any asymmetric cryptographic scheme comprised
   of algorithms satisfying the following interfaces [PQCAPI].

   *  def kemKeyGen() -> (pk, sk)

   *  def kemEncaps(pk) -> (ct, ss)

   *  def kemDecaps(ct, sk) -> ss

   where pk is public key, sk is secret key, ct is the ciphertext
   representing an encapsulated key, and ss is shared secret.

   KEMs are typically used in cases where two parties, hereby refereed
   to as the "encapsulater" and the "decapsulater", wish to establish a
   shared secret via public key cryptography, where the decapsulater has
   an asymmetric key pair and has previously shared the public key with
   the encapsulater.

3.  Construction

   Building a PQ/T hybrid KEM requires a secure function which combines
   the output of both component KEMs to form a single output.  Several
   IETF protocols are adding PQ/T hybrid KEM mechanisms as part of their
   overall post-quantum migration strategies, examples include TLS 1.3
   [I-D.ietf-tls-hybrid-design], IKEv2 [RFC9370].

   The migration to PQ/T Hybrid KEM calls for performing multiple key
   encapsulations in parallel and then combining their outputs to derive
   a single shared secret.  It is compatible with NIST SP 800-56Cr2
   [SP800-56C] when viewed as a key derivation function.  The hybrid
   scheme defined in this document is the combination of Traditional and
   Post-Quantum Algorithms.  The Key agreement Traditional and Post-
   Quantum Algorithms are used in parallel to generate shared secrets.
   The two shared secrets are hashed and concatenated together and used
   as the shared secret in JOSE and COSE.

   The JSON Web Algorithms (JWA) [RFC7518] in Section 4.6 defines two
   ways using the key agreement result.  When Direct Key Agreement is
   employed, the shared secret established through the ECDH algorithm
   will be the content encryption key (CEK).  When Key Agreement with

Reddy & Banerjee         Expires 6 January 2024                 [Page 4]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   Key Wrapping is employed, the shared secret established through the
   ECDH algorithm will wrap the CEK.  Simiarly, COSE in Sections 8.5.4
   and 8.5.5 [RFC9052] define the Direct Key Agreement and Key Agreement
   with Key Wrap classes.  If multiple recipients are needed, then the
   version with key wrap is used.

4.  KEM Combiner

   The specification uses the KEM combiner defined in
   [I-D.ounsworth-cfrg-kem-combiners] that takes in two or more shared
   secrets and returns a combined shared secret.  In case of PQ/T Hybrid
   KEM, the shared secrets are the output of the traditional key
   exchange and PQC KEM.  The KEM combiner function is defined in
   Section 3 of [I-D.ounsworth-cfrg-kem-combiners].  The KDF and Hash
   functions will be KMAC and SHA3 and the counter will be initialized
   with a value of 0x00000001 (Section 4 of
   [I-D.ounsworth-cfrg-kem-combiners]).  The KMAC and Hash functions
   used with the PQ/T hybrid algorithms are specified in the table
   below:

           +==============+=========+=========+==========+
           | PQ/T hybrid algorithm  | KDF     | H        |
           +========================+=========+==========+
           | x25519_kyber512        | KMAC128 | SHA3-256 |
           +------------------------+---------+----------+
           | secp384r1_kyber768     | KMAC256 | SHA3-384 |
           +------------------------+---------+----------+
           | x25519_kyber768        | KMAC256 | SHA3-384 |
           +-----------------------+----------+----------+
           | secp256r1_kyber512     | KMAC128 | SHA3-256 |
           +-----------------------+----------+----------+

                            Table 1

   KMAC is defined in NIST SP 800-185 [SP800-185].  The KMAC(K, X, L, S)
   parameters are instantiated as follows:

   *  K: context-specific string.  In case of JOSE, the context-specific
      string will be set to concat("JOSE", "_", Name of the PQ/T hybrid
      algorithm).  In case of COSE, the context-specific string will be
      set to concat("COSE", "-", Name of the PQ/T hybrid algorithm).
      For example, concat("JOSE", "_","x25519_kyber512") =
      "JOSE_x25519_kyber512".

   *  X: concat(0x00000001, k_1, ... , k_n).

   *  L: length of the output key in bits.

Reddy & Banerjee         Expires 6 January 2024                 [Page 5]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  S: empty string.

   In the case of a traditional key exchange algorithm (e.g., x25519,
   secp384r1) since there is no associated ciphertext present when
   calculating the constant-length input key (k1) defined in Section 3.1
   of [I-D.ounsworth-cfrg-kem-combiners], the key derivation process
   defined in Section 4.6.2 of [RFC7518] for JOSE would be used to
   construct k.  However, in case of COSE, the the HKDF (HMAC based Key
   Derivation Function) defined in Section 5 of [RFC9053] would be used.
   The HKDF algorithm leverages HMAC SHA-256 as the underlying PRF
   (Pseudo-Random function) for secp256r1 and x25519, and HMAC SHA-384
   for secp384r1.  The context structure defined in Section 5.2 of
   [RFC9053], salt and secret from DH key agreement are used as inputs
   to the HKDF.  Note that the result of an ECDH key agreement process
   does not provide a uniformly random secret and it needs to be run
   through a KDF in order to produce a usable key (see Section 6.3.1 of
   [RFC9053]).

   The KEM combiner instantiation of the first entry of Table 1 would
   be:

     ss = KMAC128("COSE_x25519_kyber512", "0x00000001 ||
                   HKDF-256(DH-Shared-Secret, salt, context) ||
                   SHA3-256(ss_1 || ct_1)" , 256, "")

   In Direct Key Agreement mode, the output of the KEM combiner MUST be
   a key of the same length as that used by encryption algorithm.  In
   Key Agreement with Key Wrapping mode, the output of the KEM combiner
   MUST be a key of the length needed for the specified key wrap
   algorithm.

5.  KEM PQC Algorithms

   The National Institute of Standards and Technology (NIST) started a
   process to solicit, evaluate, and standardize one or more quantum-
   resistant public-key cryptographic algorithms, as seen here
   (https://csrc.nist.gov/projects/post-quantum-cryptography).  Said
   process has reached its first announcement
   (https://csrc.nist.gov/publications/detail/nistir/8413/final) in July
   5, 2022, which stated which candidates to be standardized for KEM:

   *  Key Encapsulation Mechanisms (KEMs): CRYSTALS-Kyber (https://pq-
      crystals.org/kyber/): Kyber is a module learning with errors
      (MLWE)-based key encapsulation mechanism.

   NIST announced as well that they will be opening a fourth round
   (https://csrc.nist.gov/csrc/media/Projects/post-quantum-
   cryptography/documents/round-4/guidelines-for-submitting-tweaks-

Reddy & Banerjee         Expires 6 January 2024                 [Page 6]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   fourth-round.pdf) to standardize an alternative KEM, and a call
   (https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/
   call-for-proposals-dig-sig-sept-2022.pdf) for new candidates for a
   post-quantum signature algorithm.

5.1.  Kyber

   Kyber offers several parameter sets with varying levels of security
   and performance trade-offs.  This document specifies the use of the
   Kyber algorithm at two security levels: Kyber512 and Kyber768.  Kyber
   key generation, encapsulation and decaspulation functions are defined
   in [I-D.cfrg-schwabe-kyber].

6.  Hybrid Key Representation with JOSE

   A new key type (kty) value "HYBRID" is defined for expressing the
   cryptographic keys for PQ/T Hybrid KEM in JSON Web Key (JWK) form,
   the following rules apply:

*  The parameter "kty" MUST be present and set to "HYBRID".

*  The parameter "alg" MUST be specified, and its value MUST be one
   of the values specified in the table below:

Reddy & Banerjee         Expires 6 January 2024                 [Page 7]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

        +============================+===================================+
        | alg                        | Description                       |
        +============================+===================================+
        | x25519_kyber512            | Curve25519 elliptic curve +       |
        |                            | Kyber512 parameter                |
        |                            | Direct Key Agreement              |
        +============================+===================================+
        | secp384r1_kyber768         | P-384 + Kyber768 parameter        |
        |                            | Direct Key Agreement              |
        +============================+===================================+
        | x25519_kyber768            | Curve25519 elliptic curve +       |
        |                            | Kyber768 parameter                |
        |                            | Direct Key Agreement              |
        +============================+===================================+
        | secp256r1_kyber512         | P-256 +  Kyber512 parameter       |
        |                            | Direct Key Agreement              |
        +============================+===================================+
        | x25519_kyber512+A128KW     | Curve25519 elliptic curve +       |
        |                            | Kyber512 parameter + CEK wrapped  |
        |                            | with "A128KW"                     |
        +========+===================+===================================+
        | secp384r1_kyber768+A128KW  | P-384 + Kyber768 parameter        |
        |                            |  + CEK wrapped with "A128KW"      |
        +========+===================+===================================+
        | x25519_kyber768+A128KW     | Curve25519 elliptic curve +       |
        |                            | Kyber768 parameter + CEK wrapped  |
        |                            | with "A128KW"                     |
        +========+===================+===================================+
        | secp256r1_kyber512+A128KW  | P-256 +  Kyber512 parameter       |
        |                            | + CEK wrapped with "A128KW"       |
        +============================+===================================+
        | x25519_kyber512+A256KW     | Curve25519 elliptic curve +       |
        |                            | Kyber512 parameter + CEK wrapped  |
        |                            | with "A256KW"                     |
        +============================+==================================+
        | secp384r1_kyber768+A256KW  | P-384 + Kyber768 parameter        |
        |                            |  + CEK wrapped  with "A256KW"     |
        +========+===================+===================================+
        | x25519_kyber768+A256KW     | Curve25519 elliptic curve +       |
        |                            | Kyber768 parameter + CEK wrapped  |
        |                            | with "A256KW"                     |
        +========+===================+===================================+
        | secp256r1_kyber512+A256KW  | P-256 +  Kyber512 parameter       |
        |                            | + CEK wrapped with "A256KW"       |
        +============================+===================================+

                           Table 2

Reddy & Banerjee         Expires 6 January 2024                 [Page 8]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

*  The parameter "kem" MUST be present and set to the PQC KEM
   algorithm.

*  The parameter "kem-pk" MUST be present and contains the PQC KEM
   public key encoded using the base64url [RFC4648] encoding.

*  The parameter "kem-sk" MUST be present for private key and
   contains the PQC KEM private key encoded using the base64url
   encoding.  This parameter MUST NOT be present for public key.

*  The parameter "kem-ct" MUST be present for KEM ciphertext encoded
   using the base64url [RFC4648] encoding.

*  The parameter "crv" MUST be present and contains the Elliptic
   Curve Algorithm used (from the "JSON Web Key Elliptic Curve"
   registry).

*  The parameter "x" MUST be present and contains the x coordinate
   for the Elliptic Curve point encoded using the base64url [RFC4648]
   encoding.

*  The parameter "y" MUST be present and contains the y coordinate
   for the Elliptic Curve point encoded using the base64url [RFC4648]
   encoding.  This parameter is not present for "X25519".

*  The parameter "d" MUST be present for private keys and contains
   the Elliptic Curve Algorithm private key encoded using the
   base64url encoding.  This parameter MUST NOT be present for public
   keys.

   In Table 1, "A128KW" and "A256KW" are AES Key Wrap with 128-bit key
   and 256-bit key respectively.

6.1.  "kem"

   The "kem" (KEM) parameter identifies PQC KEM algorithm used with the
   "kem-pk" key.  KEM values used by this specification are:

     "kem"            PQC KEM Applied
     Kyber512            Kyber512
     Kyber768            Kyber768

   These values are registered in the IANA "JSON PQC KEM" registry
   defined in Section 9.1.1.  Additional "kem" values can be registered
   by other specifications.

Reddy & Banerjee         Expires 6 January 2024                 [Page 9]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

6.2.  Example Hybrid Key Agreement Computation

   This example uses secp256r1_kyber512 Key Agreement and the KEM
   Combiner to derive the CEK in the manner described in Section 4.  In
   this example, the secp256r1_kyber512 Direct Key Agreement mode ("alg"
   value "secp256r1_kyber512") is used to produce an agreed-upon key for
   AES GCM with a 128-bit key ("enc" value "A128GCM").

   In this example, a producer Alice is encrypting content to a consumer
   Bob.  The producer (Alice) generates an ephemeral key for the key
   agreement computation.  Alice's ephemeral key (in JWK format) used
   for the key agreement computation in this example (including the
   private part) is:

    {"kty":"EC",
     "crv":"P-256",
     "x":"alice_eph_public_key_x",
     "y":"alice_eph_public_key_y",
     "d":"alice_eph_private_key"
    }

   The consumer's (Bob's) key (in JWK format) used for the key agreement
   computation in this example (including the private part) is:

    {"kty":"HYBRID",
     "kem": "kyber512",
     "kem-pk":"bob_kyber_public_key",
     "kem-sk":"bob_kyber_private_key"
     "crv":"P-256",
     "x":"bob_public_key_x",
     "y":"bob_public_key_y",
     "d":"bob_private_key"
    }

   Header Parameter values used in this example are as follows.

    {"alg":"secp256r1_kyber512",
     "enc":"A128GCM",
     "apu":"QWxpY2U",  // base64url encoding of the UTF-8 string "Alice"
     "apv":"Qm9i",    // base64url encoding of the UTF-8 string "Bob"
     "epk":
      {"kty":"EC",
       "crv":"P-256",
       "x":"alice_eph_public_key_x",
       "y":"alice_eph_public_key_y",
      }
    }

Reddy & Banerjee         Expires 6 January 2024                [Page 10]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

7.  Hybrid Key Representation with COSE

   The approach taken here matches the work done to support secp256k1 in
   JOSE and COSE in [RFC8812].  The following tables map terms between
   JOSE and COSE for Key Type Parameters.

    +======================+========================================+==+
    | Name                 | Value | Description                       |
    +======================+===========================================+
    | crv                  | -1    | EC used                           |
    +----------------------+-------------------------------------------+
    | d                    | -4    | Private key                       |
    +----------------------+-------------------------------------------+
    | x                    | -2    | x coordinate for the public key   |
    +----------------- ----+-------------------------------------------+
    | y                    | -3    | y coordinate for the public key   |
    +---------------- -----+-------------------------------------------+
    | kem                  | TBD2  | PQC KEM Algorithm                 |
    +----------------------+-------------------------------------------+
    | kem-pk               | TBD3  | PQC KEM Public Key                |
    +----------------------+-------------------------------------------+
    | kem-sk               | TBD4  | PQC KEM Private Key               |
    +----------------------+-------------------------------------------+
    | kem-ct               | TBD5  | PQC KEM ciphertext                |
    +----------------------+-------------------------------------------+

                             Table 3

   The following tables map terms between JOSE and COSE for PQ/T Hybrid
   KEM.

Reddy & Banerjee         Expires 6 January 2024                [Page 11]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

    +==============+===================+====================+============================+
    | Name                          | Value  | Description                 | Recommended |
    +===================+===========+========+=============================+=============+
    | x25519_kyber512               | TBD10  | Curve25519 elliptic curve + | No          |
    |                               |        | Kyber512 parameter          |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | secp384r1_kyber768            | TBD11  | P-384 + Kyber768 parameter  | No          |
    |                               |        |                             |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | x25519_kyber768               | TBD12  | Curve25519 elliptic curve   | No          |
    |                               |        | + Kyber768 parameter        |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | secp256r1_kyber512            | TBD13  | P-256 + Kyber512 parameter  | No          |
    |                               |        |                             |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | x25519_kyber512+A128KW        | TBD14  | Curve25519 elliptic curve + | No          |
    |                               |        | Kyber512 parameter +        |             |
    |                               |        | CEK wrapped with "A128KW"   |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | secp384r1_kyber768+A128KW     | TBD15  | P-384 + Kyber768 parameter  | No          |
    |                               |        | + CEK wrapped with "A128KW" |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | x25519_kyber768+A128KW        | TBD16  | Curve25519 elliptic curve   | No          |
    |                               |        | + Kyber768 parameter        |             |
    |                               |        | + CEK wrapped with "A128KW" |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | secp256r1_kyber512+A128KW     | TBD17  | P-256 + Kyber512 parameter  | No          |
    |                               |        | + CEK wrapped with "A128KW" |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | x25519_kyber512+A256KW        | TBD18  | Curve25519 elliptic curve + | No          |
    |                               |        | Kyber512 parameter +        |             |
    |                               |        | CEK wrapped with "A256KW"   |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | secp384r1_kyber768+A256KW     | TBD19  | P-384 + Kyber768 parameter  | No          |
    |                               |        | + CEK wrapped with "A256KW" |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | x25519_kyber768+A256KW        | TBD20  | Curve25519 elliptic curve   | No          |
    |                               |        | + Kyber768 parameter        |             |
    |                               |        | + CEK wrapped with "A256KW" |             |
    +-------------------------------+--------+-----------------------------+-------------+
    | secp256r1_kyber512+A256KW     | TBD21  | P-256 + Kyber512 parameter  | No          |
    |                               |        | + CEK wrapped with "A256KW" |             |
    +-------------------------------+--------+-----------------------------+-------------+

                                   Table 4

   The following tables map terms between JOSE and COSE for key types.

Reddy & Banerjee         Expires 6 January 2024                [Page 12]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

    +==============+=======+====================+===============================+
    | Name                 | Value | Description                 | Recommended  |
    +==============+=======+====================+=============--------==========+
    | HYBRID               | TBD1  | kty for PQ/T Hybrid KEM     | No           |
    |                      |       |                             |              |
    +---------------------+--------+-----------------------------+--------------+

                                   Table 5

   The following tables map terms between JOSE and COSE for PQC KEM
   algorithms.

    +==============+=======+====================+===============================+
    | Name                 | Value | Description                 | Recommended  |
    +==============+=======+====================+=============--------==========+
    | Kyber512             | TBD7  | Kyber512                    | No           |
    |                      |       |                             |              |
    +---------------------+--------+-----------------------------+--------------+
    | Kyber768             | TBD9  | Kyber768                    | No           |
    |                      |       |                             |              |
    +---------------------+--------+-----------------------------+--------------+

                                   Table 6

8.  Security Considerations

   Security considerations from [RFC7748] and
   [I-D.ounsworth-cfrg-kem-combiners] apply here.  The shared secrets
   computed in the hybrid key exchange should be computed in a way that
   achieves the "hybrid" property: the resulting secret is secure as
   long as at least one of the component key exchange algorithms is
   unbroken.

   PQC KEMs used in the manner described in this document MUST
   explicitly be designed to be secure in the event that the public key
   is reused, such as achieving IND-CCA2 security.  Kyber has such
   security properties.

9.  IANA Considerations

9.1.  JOSE

   The following has to be been added to the "JSON Web Key Types"
   registry:

   *  Name: "HYBRID"

   *  Description: Hybrid Key Exchange

Reddy & Banerjee         Expires 6 January 2024                [Page 13]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   The following has to be added to the "JSON Web Key Parameters"
   registry:

   *  Parameter Name: "crv"

   *  Parameter Description: The EC used

   *  Parameter Information Class: Public

   *  Used with "kty" Value(s): "HYBRID"

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Parameter Name: "d"

   *  Parameter Description: The private key

   *  Parameter Information Class: Private

   *  Used with "kty" Value(s): "HYBRID"

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Parameter Name: "x"

   *  Parameter Description: x coordinate for the public key

   *  Parameter Information Class: Public

   *  Used with "kty" Value(s): "HYBRID"

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Parameter Name: "y"

   *  Parameter Description: y coordinate for the public key

Reddy & Banerjee         Expires 6 January 2024                [Page 14]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Parameter Information Class: Public

   *  Used with "kty" Value(s): "HYBRID"

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Parameter Name: "kem"

   *  Parameter Description: PQC KEM Algorithm

   *  Parameter Information Class: Public

   *  Used with "kty" Value(s): "HYBRID"

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Parameter Name: "kem-pk"

   *  Parameter Description: PQC KEM Public Key

   *  Parameter Information Class: Public

   *  Used with "kty" Value(s): "HYBRID"

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Parameter Name: "kem-sk"

   *  Parameter Description: PQC KEM Private Key

   *  Parameter Information Class: Private

   *  Used with "kty" Value(s): "HYBRID"

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Parameter Name: "kem-ct"

   *  Parameter Description: PQC KEM ciphertext

Reddy & Banerjee         Expires 6 January 2024                [Page 15]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Parameter Information Class: Public

   *  Used with "kty" Value(s): "HYBRID"

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   The following has to be added to the "JSON Web Signature and
   Encryption Algorithms" registry:

   *  Algorithm Name: "x25519_kyber768"

   *  Algorithm Description: Curve25519 elliptic curve + Kyber768
      parameter

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "secp384r1_kyber768"

   *  Algorithm Description: P-384 + Kyber768 parameter

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "x25519_kyber512"

   *  Algorithm Description: Curve25519 elliptic curve + Kyber512
      parameter

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

Reddy & Banerjee         Expires 6 January 2024                [Page 16]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "secp256r1_kyber512"

   *  Algorithm Description: P-256 + Kyber512 parameter

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "x25519_kyber768+A128KW"

   *  Algorithm Description: Curve25519 elliptic curve + Kyber768
      parameter and CEK wrapped with "A128KW"

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "secp384r1_kyber768+A128KW"

   *  Algorithm Description: P-384 + Kyber768 parameter and CEK wrapped
      with "A128KW"

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

Reddy & Banerjee         Expires 6 January 2024                [Page 17]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "x25519_kyber512+A128KW"

   *  Algorithm Description: Curve25519 elliptic curve + Kyber512
      parameter and CEK wrapped with "A128KW"

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "secp256r1_kyber512+A128KW"

   *  Algorithm Description: P-256 + Kyber512 parameter and CEK wrapped
      with "A128KW"

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "x25519_kyber768+A256KW"

   *  Algorithm Description: Curve25519 elliptic curve + Kyber768
      parameter and CEK wrapped with "A256KW"

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "secp384r1_kyber768+A256KW"

Reddy & Banerjee         Expires 6 January 2024                [Page 18]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Algorithm Description: P-384 + Kyber768 parameter and CEK wrapped
      with "A256KW"

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): SSection 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "x25519_kyber512+A256KW"

   *  Algorithm Description: Curve25519 elliptic curve + Kyber512
      parameter and CEK wrapped with "A256KW"

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

   *  Algorithm Name: "secp256r1_kyber512+A256KW"

   *  Algorithm Description: P-256 + Kyber512 parameter and CEK wrapped
      with "A256KW"

   *  Algorithm Usage Location(s): "alg"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6 of this document (TBD)

   *  Algorithm Analysis Documents(s): (TBD20)

Reddy & Banerjee         Expires 6 January 2024                [Page 19]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

9.1.1.  JSON PQC KEM Registry

   This section establishes the IANA "JSON PQC KEM" registry for JWK
   "kem" member values.  The registry records the PQC KEM name,
   implementation requirements, and a reference to the specification
   that defines it.  This specification registers the PQC KEM algorithms
   defined in Section 6.1.

   The implementation requirements of a PQC KEM may be changed over time
   as the cryptographic landscape evolves, for instance, to change the
   status of a PQC KEM to Deprecated or to change the status of a PQC
   KEM from Optional to Recommended+ or Required.  Changes of
   implementation requirements are only permitted on a Specification
   Required basis after review by the Designated Experts, with the new
   specification defining the revised implementation requirements level.

9.1.1.1.  Registration Template

   PQC KEM name: The name requested (e.g., "Kyber512").  Because a core
   goal of this specification is for the resulting representations to be
   compact, it is RECOMMENDED that the name be short -- not to exceed 12
   characters without a compelling reason to do so.  This name is case
   sensitive.  Names may not match other registered names in a case-
   insensitive manner unless the Designated Experts state that there is
   a compelling reason to allow an exception.

   PQC KEM Description: Brief description of the PQC KEM (e.g.,
   "Kyber512").

   JOSE Implementation Requirements: The PQC KEM implementation
   requirements for JWE, which must be one the words Required,
   Recommended, Optional, Deprecated, or Prohibited.  Optionally, the
   word can be followed by a "+" or "-".  The use of "+" indicates that
   the requirement strength is likely to be increased in a future
   version of the specification.  The use of "-" indicates that the
   requirement strength is likely to be decreased in a future version of
   the specification.

   Change Controller: For Standards Track RFCs, list "IESG".  For
   others, give the name of the responsible party.  Other details (e.g.,
   postal address, email address, home page URI) may also be included.

   Specification Document(s): Reference to the document or documents
   that specify the parameter, preferably including URIs that can be
   used to retrieve copies of the documents.  An indication of the
   relevant sections may also be included but is not required.

Reddy & Banerjee         Expires 6 January 2024                [Page 20]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

9.1.1.2.  Initial Registry Contents

   *  PQC KEM name: "Kyber512"

   *  PQC KEM Description: Kyber512

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6.1

   *  PQC KEM name: "Kyber768"

   *  PQC KEM Description: Kyber768

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IESG

   *  Specification Document(s): Section 6.1

9.2.  COSE

   The following has to be been added to the "COSE Key Types" registry:

   *  Name: "HYBRID"

   *  Value: TBD1

   *  Description: Hybrid Key Exchange

   *  Reference: This document (TBD)

   The following has to be added to the "COSE Key Type Parameters"
   registry:

   *  Key Type: TBD1

   *  Name: crv

   *  Label : -1

   *  CBOR Type: int / tstr

   *  Description: The EC used

   *  Reference: This document (TBD)

Reddy & Banerjee         Expires 6 January 2024                [Page 21]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Key Type: TBD1

   *  Name: d

   *  Label : -4

   *  CBOR Type: bstr

   *  Description: The Private key

   *  Reference: This document (TBD)

   *  Key Type: TBD1

   *  Name: x

   *  Label : -2

   *  CBOR Type: bstr

   *  Description: x coordinate for the public key

   *  Reference: This document (TBD)

   *  Key Type: TBD1

   *  Name: y

   *  Label : -3

   *  CBOR Type: bstr / bool

   *  Description: y coordinate for the public key

   *  Reference: This document (TBD)

   *  Key Type: TBD1

   *  Name: kem

   *  Label : TBD2

   *  CBOR Type: int / tstr

   *  Description: PQC KEM Algorithm

   *  Reference: This document (TBD)

Reddy & Banerjee         Expires 6 January 2024                [Page 22]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Key Type: TBD1

   *  Name: kem-pk

   *  Label : TBD3

   *  CBOR Type: bstr

   *  Description: PQC KEM Public Key

   *  Reference: This document (TBD)

   *  Key Type: TBD1

   *  Name: kem-sk

   *  Label : TBD4

   *  CBOR Type: bstr

   *  Description: PQC KEM Private Key

   *  Reference: This document (TBD)

   *  Key Type: TBD1

   *  Name: kem-ct

   *  Label : TBD5

   *  CBOR Type: bstr

   *  Description: PQC KEM ciphertext

   *  Reference: This document (TBD)

   The following has to be added to the "COSE Algorithms" registry:

   *  Name: x25519_kyber768

   *  Value: TBD10

   *  Description: Curve25519 elliptic curve + Kyber768 parameter

   *  Reference: This document (TBD)

   *  Recommended: No

Reddy & Banerjee         Expires 6 January 2024                [Page 23]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Name: secp384r1_kyber768

   *  Value: TBD11

   *  Description: P-384 + Kyber768 parameter

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: x25519_kyber512

   *  Value: TBD12

   *  Description: Curve25519 elliptic curve + Kyber512 parameter

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: secp256r1_kyber512

   *  Value: TBD13

   *  Description: P-256 + Kyber512 parameter

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: x25519_kyber768+A128KW

   *  Value: TBD14

   *  Description: Curve25519 elliptic curve + Kyber768 parameter and
      CEK wrapped with "A128KW"

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: secp384r1_kyber768+A128KW

   *  Value: TBD15

   *  Description: P-384 + Kyber768 parameter and CEK wrapped with
      "A128KW"

Reddy & Banerjee         Expires 6 January 2024                [Page 24]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: x25519_kyber512+A128KW

   *  Value: TBD16

   *  Description: Curve25519 elliptic curve + Kyber512 parameter and
      CEK wrapped with "A128KW"

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: secp256r1_kyber512+A128KW

   *  Value: TBD17

   *  Description: P-256 + Kyber512 parameter and CEK wrapped with
      "A128KW"

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: x25519_kyber768+A256KW

   *  Value: TBD18

   *  Description: Curve25519 elliptic curve + Kyber768 parameter and
      CEK wrapped with "A256KW"

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: secp384r1_kyber768+A256KW

   *  Value: TBD19

   *  Description: P-384 + Kyber768 parameter and CEK wrapped with
      "A256KW"

   *  Reference: This document (TBD)

   *  Recommended: No

Reddy & Banerjee         Expires 6 January 2024                [Page 25]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Name: x25519_kyber512+A256KW

   *  Value: TBD20

   *  Description: Curve25519 elliptic curve + Kyber512 parameter and
      CEK wrapped with "A256KW"

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: secp256r1_kyber512+A256KW

   *  Value: TBD21

   *  Description: P-256 + Kyber512 parameter and CEK wrapped with
      "A256KW"

   *  Reference: This document (TBD)

   *  Recommended: No

9.2.1.  COSE PQC KEM Registry

   This section establishes the IANA "COSE PQC KEM" registry for "kem"
   member values.  The registry records the PQC KEM name, implementation
   requirements, and a reference to the specification that defines it.
   This specification registers the PQC KEM algorithms defined in
   Section 7.

   The implementation requirements of a PQC KEM may be changed over time
   as the cryptographic landscape evolves, for instance, to change the
   status of a PQC KEM to Deprecated or to change the status of a PQC
   KEM from Optional to Recommended+ or Required.  Changes of
   implementation requirements are only permitted on a Specification
   Required basis after review by the Designated Experts, with the new
   specification defining the revised implementation requirements level.

9.2.1.1.  Registration Template

   Name: The name requested (e.g., "Kyber512").  Because a core goal of
   this specification is for the resulting representations to be
   compact, it is RECOMMENDED that the name be short -- not to exceed 12
   characters without a compelling reason to do so.  This name is case
   sensitive.  Names may not match other registered names in a case-
   insensitive manner unless the Designated Experts state that there is
   a compelling reason to allow an exception.

Reddy & Banerjee         Expires 6 January 2024                [Page 26]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   Value: This is the value used for the label.  The label can be either
   an integer or a string.  Registration in the table is based on the
   value of the label requested.  Integer values between 1 and 255 and
   strings of length 1 are designated as "Standards Action".  Integer
   values from 256 to 65535 and strings of length 2 are designated as
   "Specification Required".  Integer values of greater than 65535 and
   strings of length greater than 2 are designated as "Expert Review".
   Integer values in the range -1 to -65536 are "delegated to the COSE
   Header Algorithm Parameters registry".  Integer values less than
   -65536 are marked as private use.

   Description: Brief description of the PQC KEM (e.g., "Kyber512").

   Change Controller: For Standards Track RFCs, list "IESG".  For
   others, give the name of the responsible party.  Other details (e.g.,
   postal address, email address, home page URI) may also be included.

   Reference: Reference to the document or documents that specify the
   parameter, preferably including URIs that can be used to retrieve
   copies of the documents.  An indication of the relevant sections may
   also be included but is not required.

   Recommended:  Does the IETF have a consensus recommendation to use
     the algorithm?  The legal values are 'Yes', 'No', and
     'Deprecated'.

9.2.1.2.  Initial Registry Contents

   *  Name: "Kyber512"

   *  Value: TBD7

   *  Description: Kyber512

   *  Change Controller: IESG

   *  Reference: This document (TBD)

   *  Recommended: No

   *  Name: "Kyber768"

   *  Value: TBD9

   *  Description: Kyber768

   *  Change Controller: IESG

Reddy & Banerjee         Expires 6 January 2024                [Page 27]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   *  Reference: This document (TBD)

   *  Recommended: No

Acknowledgments

   Thanks to Mike Ounsworth for the discussion and comments.

References

Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

Informative References

   [I-D.cfrg-schwabe-kyber]
              Schwabe, P. and B. Westerbaan, "Kyber Post-Quantum KEM",
              Work in Progress, Internet-Draft, draft-cfrg-schwabe-
              kyber-02, 31 March 2023,
              <https://datatracker.ietf.org/doc/html/draft-cfrg-schwabe-
              kyber-02>.

   [I-D.ietf-pquip-pqt-hybrid-terminology]
              D, F., "Terminology for Post-Quantum Traditional Hybrid
              Schemes", Work in Progress, Internet-Draft, draft-ietf-
              pquip-pqt-hybrid-terminology-00, 4 May 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-pquip-
              pqt-hybrid-terminology-00>.

   [I-D.ietf-tls-hybrid-design]
              Stebila, D., Fluhrer, S., and S. Gueron, "Hybrid key
              exchange in TLS 1.3", Work in Progress, Internet-Draft,
              draft-ietf-tls-hybrid-design-06, 27 February 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-tls-
              hybrid-design-06>.

   [I-D.ounsworth-cfrg-kem-combiners]
              Ounsworth, M., Wussler, A., and S. Kousidis, "Combiner
              function for hybrid key encapsulation mechanisms (Hybrid
              KEMs)", Work in Progress, Internet-Draft, draft-ounsworth-

Reddy & Banerjee         Expires 6 January 2024                [Page 28]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

              cfrg-kem-combiners-03, 13 March 2023,
              <https://datatracker.ietf.org/doc/html/draft-ounsworth-
              cfrg-kem-combiners-03>.

   [PQCAPI]   "PQC - API notes",
              <https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-
              Cryptography/documents/example-files/api-notes.pdf>.

   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
              <https://www.rfc-editor.org/rfc/rfc4648>.

   [RFC6090]  McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
              Curve Cryptography Algorithms", RFC 6090,
              DOI 10.17487/RFC6090, February 2011,
              <https://www.rfc-editor.org/rfc/rfc6090>.

   [RFC7518]  Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
              DOI 10.17487/RFC7518, May 2015,
              <https://www.rfc-editor.org/rfc/rfc7518>.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/rfc/rfc7748>.

   [RFC8037]  Liusvaara, I., "CFRG Elliptic Curve Diffie-Hellman (ECDH)
              and Signatures in JSON Object Signing and Encryption
              (JOSE)", RFC 8037, DOI 10.17487/RFC8037, January 2017,
              <https://www.rfc-editor.org/rfc/rfc8037>.

   [RFC8812]  Jones, M., "CBOR Object Signing and Encryption (COSE) and
              JSON Object Signing and Encryption (JOSE) Registrations
              for Web Authentication (WebAuthn) Algorithms", RFC 8812,
              DOI 10.17487/RFC8812, August 2020,
              <https://www.rfc-editor.org/rfc/rfc8812>.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052,
              DOI 10.17487/RFC9052, August 2022,
              <https://www.rfc-editor.org/rfc/rfc9052>.

   [RFC9053]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053,
              August 2022, <https://www.rfc-editor.org/rfc/rfc9053>.

Reddy & Banerjee         Expires 6 January 2024                [Page 29]
Internet-Draft    Hybrid key exchange in JOSE and COSE         July 2023

   [RFC9370]  Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van
              Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple
              Key Exchanges in the Internet Key Exchange Protocol
              Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May
              2023, <https://www.rfc-editor.org/rfc/rfc9370>.

   [SP800-185]
              "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and
              ParallelHash", <https://doi.org/10.6028/NIST.SP.800-185>.

   [SP800-56C]
              "Recommendation for Key-Derivation Methods in Key-
              Establishment Schemes",
              <https://doi.org/10.6028/NIST.SP.800-56Cr2>.

Authors' Addresses

   Tirumaleswar Reddy
   Nokia
   Bangalore
   Karnataka
   India
   Email: kondtir@gmail.com

   Aritra Banerjee
   Nokia
   Munich
   Germany
   Email: aritra.banerjee@nokia.com

Reddy & Banerjee         Expires 6 January 2024                [Page 30]