Skip to main content

PQ/T Hybrid KEM: HPKE with JOSE/COSE
draft-reddy-cose-jose-pqc-hybrid-hpke-00

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Active".
Authors Tirumaleswar Reddy.K , Hannes Tschofenig
Last updated 2024-03-16
RFC stream (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-reddy-cose-jose-pqc-hybrid-hpke-00
COSE                                                            T. Reddy
Internet-Draft                                                     Nokia
Intended status: Standards Track                           H. Tschofenig
Expires: 18 September 2024                                 17 March 2024

                  PQ/T Hybrid KEM: HPKE with JOSE/COSE
                draft-reddy-cose-jose-pqc-hybrid-hpke-00

Abstract

   This document outlines the construction of a PQ/T Hybrid Key
   Encapsulation Mechanism (KEM) in Hybrid Public-Key Encryption (HPKE)
   for integration with JOSE and COSE.  It specifies the utilization of
   both traditional and Post-Quantum Cryptography (PQC) algorithms,
   referred to as PQ/T Hybrid KEM, within the context of JOSE and COSE.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-hybrid/.

   Discussion of this document takes place on the cose Working Group
   mailing list (mailto:cose@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/cose/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/cose/.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 September 2024.

Reddy & Tschofenig      Expires 18 September 2024               [Page 1]
Internet-Draft    PQ/T Hybrid KEM: HPKE with JOSE/COSE        March 2024

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  Construction  . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Ciphersuite Registration  . . . . . . . . . . . . . . . . . .   4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
     6.1.  JOSE  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     6.2.  JOSE Algorithms Registry  . . . . . . . . . . . . . . . .   5
     6.3.  COSE  . . . . . . . . . . . . . . . . . . . . . . . . . .   5
       6.3.1.  COSE Algorithms Registry  . . . . . . . . . . . . . .   5
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   6
   References  . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
     Normative References  . . . . . . . . . . . . . . . . . . . . .   6
     Informative References  . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   The migration to Post-Quantum Cryptography (PQC) is unique in the
   history of modern digital cryptography in that neither the
   traditional algorithms nor the post-quantum algorithms are fully
   trusted to protect data for the required data lifetimes.  The
   traditional algorithms, such as RSA and elliptic curve, will fall to
   quantum cryptalanysis, while the post-quantum algorithms face
   uncertainty about the underlying mathematics, compliance issues,
   unknown vulnerabilities, hardware and software implementations that
   have not had sufficient maturing time to rule out classical
   cryptanalytic attacks and implementation bugs.

   During the transition from traditional to post-quantum algorithms,
   there is a desire or a requirement for protocols that use both
   algorithm types.  Hybrid key exchange refers to using multiple key

Reddy & Tschofenig      Expires 18 September 2024               [Page 2]
Internet-Draft    PQ/T Hybrid KEM: HPKE with JOSE/COSE        March 2024

   exchange algorithms simultaneously and combining the result with the
   goal of providing security even if all but one of the component
   algorithms is broken.  It is motivated by transition to post-quantum
   cryptography.

   HPKE offers a variant of public-key encryption of arbitrary-sized
   plaintexts for a recipient public key.  The specifications for the
   use of HPKE with JOSE and COSE are described in
   [I-D.rha-jose-hpke-encrypt] and [I-D.ietf-cose-hpke], respectively.
   HPKE can be extended to support PQ/T Hybrid KEM as defined in
   [I-D.connolly-cfrg-xwing-kem].  This specification defines PQ/T
   Hybrid KEM in HPKE for use with JOSE and COSE.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document makes use of the terms defined in
   [I-D.ietf-pquip-pqt-hybrid-terminology].  For the purposes of this
   document, it is helpful to be able to divide cryptographic algorithms
   into two classes:

   "Traditional Algorithm": An asymmetric cryptographic algorithm based
   on integer factorisation, finite field discrete logarithms, elliptic
   curve discrete logarithms, or related mathematical problems.  In the
   context of JOSE, examples of traditional key exchange algorithms
   include Elliptic Curve Diffie-Hellman Ephemeral Static [RFC6090]
   [RFC8037].  In the context of COSE, examples of traditional key
   exchange algorithms include Ephemeral-Static (ES) DH and Static-
   Static (SS) DH [RFC9052].

   "Post-Quantum Algorithm": An asymmetric cryptographic algorithm that
   is believed to be secure against attacks using quantum computers as
   well as classical computers.  Examples of PQC key exchange algorithms
   include ML-KEM.

   "Post-Quantum Traditional (PQ/T) Hybrid Scheme": A multi-algorithm
   scheme where at least one component algorithm is a post-quantum
   algorithm and at least one is a traditional algorithm.

   "PQ/T Hybrid Key Encapsulation Mechanism": A multi-algorithm KEM made
   up of two or more component KEM algorithms where at least one is a
   post-quantum algorithm and at least one is a traditional algorithm.

Reddy & Tschofenig      Expires 18 September 2024               [Page 3]
Internet-Draft    PQ/T Hybrid KEM: HPKE with JOSE/COSE        March 2024

3.  Construction

   ML-KEM is a one-pass (store-and-forward) cryptographic mechanism for
   an originator to securely send keying material to a recipient using
   the recipient's ML-KEM public key.  Three parameters sets for ML-KEMs
   are specified by [FIPS203-ipd].  In order of increasing security
   strength (and decreasing performance), these parameter sets are ML-
   KEM-512, ML-KEM-768, and ML-KEM-1024.  [I-D.connolly-cfrg-xwing-kem]
   uses a multi-algorithm scheme, where one component algorithm is a
   post-quantum algorithm and another one is a traditional algorithm.
   The Combiner function defined in Section 5.3 of
   [I-D.connolly-cfrg-xwing-kem] combines the output of a post-quantum
   KEM and a traditional KEM to generate a single shared secret.

4.  Ciphersuite Registration

   This specification registers a number of PQ/T Hybrid KEMs for use
   with HPKE.  A ciphersuite is thereby a combination of several
   algorithm configurations:

   *  HPKE Mode

   *  KEM algorithm (Traditional Algorithm + PQ KEM, for example,
      X25519Kyber768)

   *  KDF algorithm

   *  AEAD algorithm

   The "KEM", "KDF", and "AEAD" values are conceptually taken from the
   HPKE IANA registry [HPKE-IANA].  Hence, JOSE and COSE cannot use an
   algorithm combination that is not already available with HPKE.

   The HPKE PQ/T hybrid ciphersuites for JOSE and COSE are defined in
   Section 6.

5.  Security Considerations

   The shared secrets computed in the hybrid key exchange should be
   computed in a way that achieves the "hybrid" property: the resulting
   secret is secure as long as at least one of the component key
   exchange algorithms is unbroken.  PQC KEMs used in the manner
   described in this document MUST explicitly be designed to be secure
   in the event that the public key is reused, such as achieving IND-
   CCA2 security.  ML-KEM has such security properties.

6.  IANA Considerations

Reddy & Tschofenig      Expires 18 September 2024               [Page 4]
Internet-Draft    PQ/T Hybrid KEM: HPKE with JOSE/COSE        March 2024

6.1.  JOSE

   This document requests IANA to add new values to the "JSON Web
   Signature and Encryption Algorithms" registry.

6.2.  JOSE Algorithms Registry

   *  Algorithm Name: HPKE-Base-X25519Kyber768-SHA256-AES256GCM

   *  Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode
      that uses the X25519Kyber768Draft00 Hybrid KEM, the HKDF-SHA256
      KDF, and the AES-256-GCM AEAD.

   *  Algorithm Usage Location(s): "alg, enc"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IANA

   *  Specification Document(s): [[TBD: This RFC]]

   *  Algorithm Analysis Documents(s): TODO

   *  Algorithm Name: HPKE-Base-X25519Kyber768-SHA256-ChaCha20Poly1305

   *  Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode
      that uses the X25519Kyber768Draft00 Hybrid
      KEM, the HKDF-SHA256 KDF, and the ChaCha20Poly1305 AEAD.

   *  Algorithm Usage Location(s): "alg, enc"

   *  JOSE Implementation Requirements: Optional

   *  Change Controller: IANA

   *  Specification Document(s): [[TBD: This RFC]]

   *  Algorithm Analysis Documents(s): TODO

6.3.  COSE

   This document requests IANA to add new values to the 'COSE
   Algorithms' registry.

6.3.1.  COSE Algorithms Registry

   *  Name: HPKE-Base-X25519Kyber768-SHA256-AES256GCM

Reddy & Tschofenig      Expires 18 September 2024               [Page 5]
Internet-Draft    PQ/T Hybrid KEM: HPKE with JOSE/COSE        March 2024

   *  Value: TBD1

   *  Description: Cipher suite for COSE-HPKE in Base Mode that uses the
      X25519Kyber768Draft00 Hybrid KEM, the
      HKDF-SHA256 KDF, and the AES-256-GCM AEAD.

   *  Capabilities: [kty]

   *  Change Controller: IANA

   *  Reference: [[TBD: This RFC]]

   *  Name: HPKE-Base-X25519Kyber768-SHA256-ChaCha20Poly1305

   *  Value: TBD2

   *  Description: Cipher suite for COSE-HPKE in Base Mode that uses the
      X25519Kyber768Draft00 Hybrid
      KEM, the HKDF-SHA256 KDF, and the ChaCha20Poly1305 AEAD.

   *  Capabilities: [kty]

   *  Change Controller: IANA

   *  Reference: [[TBD: This RFC]]

Acknowledgments

   Thanks to Ilari Liusvaara for the discussion and comments.

References

Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

Informative References

Reddy & Tschofenig      Expires 18 September 2024               [Page 6]
Internet-Draft    PQ/T Hybrid KEM: HPKE with JOSE/COSE        March 2024

   [FIPS203-ipd]
              "Module-Lattice-based Key-Encapsulation Mechanism
              Standard", <https://nvlpubs.nist.gov/nistpubs/FIPS/
              NIST.FIPS.203.ipd.pdf>.

   [HPKE-IANA]
              IANA, "Hybrid Public Key Encryption (HPKE) IANA Registry",
              <https://www.iana.org/assignments/hpke/hpke.xhtml>.

   [I-D.connolly-cfrg-xwing-kem]
              Connolly, D., Schwabe, P., and B. Westerbaan, "X-Wing:
              general-purpose hybrid post-quantum KEM", Work in
              Progress, Internet-Draft, draft-connolly-cfrg-xwing-kem-
              01, 23 January 2024,
              <https://datatracker.ietf.org/doc/html/draft-connolly-
              cfrg-xwing-kem-01>.

   [I-D.ietf-cose-hpke]
              Tschofenig, H., Steele, O., Daisuke, A., and L. Lundblade,
              "Use of Hybrid Public-Key Encryption (HPKE) with CBOR
              Object Signing and Encryption (COSE)", Work in Progress,
              Internet-Draft, draft-ietf-cose-hpke-07, 22 October 2023,
              <https://datatracker.ietf.org/doc/html/draft-ietf-cose-
              hpke-07>.

   [I-D.ietf-pquip-pqt-hybrid-terminology]
              D, F., "Terminology for Post-Quantum Traditional Hybrid
              Schemes", Work in Progress, Internet-Draft, draft-ietf-
              pquip-pqt-hybrid-terminology-02, 2 February 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-pquip-
              pqt-hybrid-terminology-02>.

   [I-D.rha-jose-hpke-encrypt]
              Reddy.K, T., Tschofenig, H., Banerjee, A., Steele, O., and
              M. B. Jones, "Use of Hybrid Public-Key Encryption (HPKE)
              with Javascript Object Signing and Encryption (JOSE)",
              Work in Progress, Internet-Draft, draft-rha-jose-hpke-
              encrypt-06, 16 March 2024,
              <https://datatracker.ietf.org/doc/html/draft-rha-jose-
              hpke-encrypt-06>.

   [RFC6090]  McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
              Curve Cryptography Algorithms", RFC 6090,
              DOI 10.17487/RFC6090, February 2011,
              <https://www.rfc-editor.org/rfc/rfc6090>.

Reddy & Tschofenig      Expires 18 September 2024               [Page 7]
Internet-Draft    PQ/T Hybrid KEM: HPKE with JOSE/COSE        March 2024

   [RFC8037]  Liusvaara, I., "CFRG Elliptic Curve Diffie-Hellman (ECDH)
              and Signatures in JSON Object Signing and Encryption
              (JOSE)", RFC 8037, DOI 10.17487/RFC8037, January 2017,
              <https://www.rfc-editor.org/rfc/rfc8037>.

   [RFC9052]  Schaad, J., "CBOR Object Signing and Encryption (COSE):
              Structures and Process", STD 96, RFC 9052,
              DOI 10.17487/RFC9052, August 2022,
              <https://www.rfc-editor.org/rfc/rfc9052>.

Authors' Addresses

   Tirumaleswar Reddy
   Nokia
   Bangalore
   Karnataka
   India
   Email: kondtir@gmail.com

   Hannes Tschofenig
   Germany
   Email: hannes.tschofenig@gmx.net

Reddy & Tschofenig      Expires 18 September 2024               [Page 8]