PQ/T Hybrid KEM: HPKE with JOSE/COSE
draft-reddy-cose-jose-pqc-hybrid-hpke-05
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Active".
|
|
|---|---|---|---|
| Authors | Tirumaleswar Reddy.K , Hannes Tschofenig | ||
| Last updated | 2024-12-09 (Latest revision 2024-12-02) | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-reddy-cose-jose-pqc-hybrid-hpke-05
COSE T. Reddy
Internet-Draft Nokia
Intended status: Standards Track H. Tschofenig
Expires: 12 June 2025 9 December 2024
PQ/T Hybrid KEM: HPKE with JOSE/COSE
draft-reddy-cose-jose-pqc-hybrid-hpke-05
Abstract
This document outlines the construction of a PQ/T Hybrid Key
Encapsulation Mechanism (KEM) in Hybrid Public-Key Encryption (HPKE)
for integration with JOSE and COSE. It specifies the utilization of
both traditional and Post-Quantum Cryptography (PQC) algorithms,
referred to as PQ/T Hybrid KEM, within the context of JOSE and COSE.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-hybrid/.
Discussion of this document takes place on the cose Working Group
mailing list (mailto:cose@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/cose/. Subscribe at
https://www.ietf.org/mailman/listinfo/cose/.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 12 June 2025.
Reddy & Tschofenig Expires 12 June 2025 [Page 1]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Construction . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Ciphersuite Registration . . . . . . . . . . . . . . . . . . 4
5. AKP Key for X-Wing . . . . . . . . . . . . . . . . . . . . . 5
5.1. Required Parameters . . . . . . . . . . . . . . . . . . . 5
5.1.1. Example . . . . . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
6.1. Post-Quantum Security for Multiple Recipients . . . . . . 6
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
7.1. JOSE . . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1.1. JOSE Algorithms Registry . . . . . . . . . . . . . . 6
7.2. COSE . . . . . . . . . . . . . . . . . . . . . . . . . . 7
7.2.1. COSE Algorithms Registry . . . . . . . . . . . . . . 7
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8
References . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Normative References . . . . . . . . . . . . . . . . . . . . . 8
Informative References . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
The migration to Post-Quantum Cryptography (PQC) is unique in the
history of modern digital cryptography in that neither the
traditional algorithms nor the post-quantum algorithms are fully
trusted to protect data for the required data lifetimes. The
traditional algorithms, such as RSA and elliptic curve, will fall to
quantum cryptalanysis, while the post-quantum algorithms face
uncertainty about the underlying mathematics, compliance issues,
unknown vulnerabilities, hardware and software implementations that
have not had sufficient maturing time to rule out classical
cryptanalytic attacks and implementation bugs.
Reddy & Tschofenig Expires 12 June 2025 [Page 2]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024
During the transition from traditional to post-quantum algorithms,
there is a desire or a requirement for protocols that use both
algorithm types. Hybrid key exchange refers to using multiple key
exchange algorithms simultaneously and combining the result with the
goal of providing security even if all but one of the component
algorithms is broken. It is motivated by transition to post-quantum
cryptography.
HPKE offers a variant of public-key encryption of arbitrary-sized
plaintexts for a recipient public key. The specifications for the
use of HPKE with JOSE and COSE are described in
[I-D.ietf-jose-hpke-encrypt] and [I-D.ietf-cose-hpke], respectively.
HPKE can be extended to support PQ/T Hybrid KEM as defined in
[I-D.connolly-cfrg-xwing-kem]. This specification defines PQ/T
Hybrid KEM in HPKE for use with JOSE and COSE.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document makes use of the terms defined in
[I-D.ietf-pquip-pqt-hybrid-terminology]. For the purposes of this
document, it is helpful to be able to divide cryptographic algorithms
into two classes:
"Traditional Algorithm": An asymmetric cryptographic algorithm based
on integer factorisation, finite field discrete logarithms, elliptic
curve discrete logarithms, or related mathematical problems. In the
context of JOSE, examples of traditional key exchange algorithms
include Elliptic Curve Diffie-Hellman Ephemeral Static [RFC6090]
[RFC8037]. In the context of COSE, examples of traditional key
exchange algorithms include Ephemeral-Static (ES) DH and Static-
Static (SS) DH [RFC9052].
"Post-Quantum Algorithm": An asymmetric cryptographic algorithm that
is believed to be secure against attacks using quantum computers as
well as classical computers. Examples of PQC key exchange algorithms
include ML-KEM.
"Post-Quantum Traditional (PQ/T) Hybrid Scheme": A multi-algorithm
scheme where at least one component algorithm is a post-quantum
algorithm and at least one is a traditional algorithm.
Reddy & Tschofenig Expires 12 June 2025 [Page 3]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024
"PQ/T Hybrid Key Encapsulation Mechanism": A multi-algorithm KEM made
up of two or more component KEM algorithms where at least one is a
post-quantum algorithm and at least one is a traditional algorithm.
3. Construction
ML-KEM is a one-pass (store-and-forward) cryptographic mechanism for
an originator to securely send keying material to a recipient using
the recipient's ML-KEM public key. Three parameters sets for ML-KEMs
are specified by [FIPS203]. In order of increasing security strength
(and decreasing performance), these parameter sets are ML-KEM-512,
ML-KEM-768, and ML-KEM-1024. X-Wing [I-D.connolly-cfrg-xwing-kem]
uses a multi-algorithm scheme, where one component algorithm is a
post-quantum algorithm and another one is a traditional algorithm.
X-Wing uses the final version of ML-KEM-768 and X25519. The Combiner
function defined in Section 5.3 of [I-D.connolly-cfrg-xwing-kem]
combines the output of a post-quantum KEM and a traditional KEM to
generate a single shared secret.
4. Ciphersuite Registration
This specification registers a number of PQ/T Hybrid KEMs for use
with HPKE. A ciphersuite is thereby a combination of several
algorithm configurations:
* KEM algorithm (PQ KEM + Traditional Algorithm, for example,
MLKEM768 + X25519 defined as "X-Wing" in
[I-D.connolly-cfrg-xwing-kem])
* KDF algorithm
* AEAD algorithm
The "KEM", "KDF", and "AEAD" values are conceptually taken from the
HPKE IANA registry [HPKE-IANA]. Hence, JOSE and COSE cannot use an
algorithm combination that is not already available with HPKE.
For readability the algorithm ciphersuites labels are built according
to the following scheme:
HPKE-<KEM>-<KDF>-<AEAD>
The HPKE PQ/T hybrid ciphersuites for JOSE and COSE are defined in
Section 7. Note that the PQ/T Hybrid KEM in HPKE is not an
authenticated KEM. The HPKE Base mode can only be supported with the
PQ/T Hybrid KEM.
Reddy & Tschofenig Expires 12 June 2025 [Page 4]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024
5. AKP Key for X-Wing
This section describes the required parameters for an "AKP" key type,
as defined in [I-D.ietf-cose-dilithium], and its use with the X-Wing
algorithms, as defined in {#XWING}. An example JWK is also provided
for illustration.
5.1. Required Parameters
A JSON Web Key (JWK) or COSE_Key with a key type ("kty") for use with
the "X-Wing" algorithm includes the following parameters:
* kty (Key Type)
The key type parameter MUST be present and set to "AKP".
* alg (Algorithm)
The algorithm parameter MUST be present and MUST represent the
X-Wing algorithm, as defined in {#XWING}. X-Wing algorithms are
those registered in the "JSON Web Signature and Encryption
Algorithms" and "COSE Algorithms" registries, derived from the KEM
identifier in the HPKE IANA registry.
* pub (Public Key)
The public key parameter MUST be present and MUST contain the
X-Wing encapsulation key (pk) as defined in Section 5.2 of
[I-D.connolly-cfrg-xwing-kem]. When represented as a JWK, this
value MUST be base64url-encoded.
* priv (Private Key)
The private key parameter MUST be present and MUST contain the
X-Wing decapsulation key (sk) as defined in Section 5.2 of
[I-D.connolly-cfrg-xwing-kem]. When represented as a JWK, this
value MUST be base64url-encoded.
5.1.1. Example
The following is an example JWK representation of an "AKP" key for
the "HPKE-XWING-SHA256-AES256GCM" algorithm:
{
"kty" : "AKP",
"alg" : "HPKE-XWING-SHA256-AES256GCM",
"pub" : "4iNrNajCSz...tmrrIzQSQQO9lNA",
"priv" : "f5wrpOiP...rPpm7yY"
}
Reddy & Tschofenig Expires 12 June 2025 [Page 5]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024
6. Security Considerations
The security considerations in [I-D.connolly-cfrg-xwing-kem] and
[I-D.ietf-jose-hpke-encrypt] are to be taken into account.
The shared secrets computed in the hybrid key exchange should be
computed in a way that achieves the "hybrid" property: the resulting
secret is secure as long as at least one of the component key
exchange algorithms is unbroken. PQC KEMs used in the manner
described in this document MUST explicitly be designed to be secure
in the event that the public key is reused, such as achieving IND-
CCA2 security. ML-KEM has such security properties.
6.1. Post-Quantum Security for Multiple Recipients
In HPKE JWE Key Encryption, when encrypting the Content Encryption
Key (CEK) for multiple recipients, it is crucial to consider the
security requirements of the message to safeguard against "Harvest
Now, Decrypt Later" attack. For messages requiring post-quantum
security, all recipients MUST use algorithms supporting post-quantum
cryptographic methods, such as PQC KEMs or Hybrid PQ/T KEMs. Using
traditional algorithms (e.g., ECDH-ES) for any recipient in these
scenarios compromises the overall security of the message.
7. IANA Considerations
7.1. JOSE
This document requests IANA to add new values to the "JSON Web
Signature and Encryption Algorithms" registry.
7.1.1. JOSE Algorithms Registry
* Algorithm Name: HPKE-XWING-SHA256-AES256GCM
* Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode
that uses the XWING Hybrid KEM, the HKDF-SHA256 KDF, and the AES-
256-GCM AEAD.
* Algorithm Usage Location(s): "alg"
* JOSE Implementation Requirements: Optional
* Change Controller: IANA
* Specification Document(s): [[TBD: This RFC]]
* Algorithm Analysis Documents(s): TODO
Reddy & Tschofenig Expires 12 June 2025 [Page 6]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024
* Algorithm Name: HPKE-XWING-SHA256-ChaCha20Poly1305
* Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode
that uses the XWING Hybrid
KEM, the HKDF-SHA256 KDF, and the ChaCha20Poly1305 AEAD.
* Algorithm Usage Location(s): "alg"
* JOSE Implementation Requirements: Optional
* Change Controller: IANA
* Specification Document(s): [[TBD: This RFC]]
* Algorithm Analysis Documents(s): TODO
7.2. COSE
This document requests IANA to add new values to the 'COSE
Algorithms' registry.
7.2.1. COSE Algorithms Registry
* Name: HPKE-Base-XWING-SHA256-AES256GCM
* Value: TBD1
* Description: Cipher suite for COSE-HPKE in Base Mode that uses the
XWING Hybrid KEM, the
HKDF-SHA256 KDF, and the AES-256-GCM AEAD.
* Capabilities: [kty]
* Change Controller: IANA
* Reference: [[TBD: This RFC]]
* Name: HPKE-Base-XWING-SHA256-ChaCha20Poly1305
* Value: TBD2
* Description: Cipher suite for COSE-HPKE in Base Mode that uses the
XWING Hybrid
KEM, the HKDF-SHA256 KDF, and the ChaCha20Poly1305 AEAD.
* Capabilities: [kty]
* Change Controller: IANA
Reddy & Tschofenig Expires 12 June 2025 [Page 7]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024
* Reference: [[TBD: This RFC]]
Acknowledgments
Thanks to Ilari Liusvaara and Orie Steele for the discussion and
comments.
References
Normative References
[I-D.ietf-cose-dilithium]
Prorock, M., Steele, O., Misoczki, R., Osborne, M., and C.
Cloostermans, "ML-DSA for JOSE and COSE", Work in
Progress, Internet-Draft, draft-ietf-cose-dilithium-04, 20
October 2024, <https://datatracker.ietf.org/doc/html/
draft-ietf-cose-dilithium-04>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
Informative References
[FIPS203] "Module-Lattice-based Key-Encapsulation Mechanism
Standard", <https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.203.pdf>.
[HPKE-IANA]
IANA, "Hybrid Public Key Encryption (HPKE) IANA Registry",
<https://www.iana.org/assignments/hpke/hpke.xhtml>.
[I-D.connolly-cfrg-xwing-kem]
Connolly, D., Schwabe, P., and B. Westerbaan, "X-Wing:
general-purpose hybrid post-quantum KEM", Work in
Progress, Internet-Draft, draft-connolly-cfrg-xwing-kem-
06, 21 October 2024,
<https://datatracker.ietf.org/doc/html/draft-connolly-
cfrg-xwing-kem-06>.
[I-D.ietf-cose-hpke]
Tschofenig, H., Steele, O., Daisuke, A., and L. Lundblade,
"Use of Hybrid Public-Key Encryption (HPKE) with CBOR
Reddy & Tschofenig Expires 12 June 2025 [Page 8]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024
Object Signing and Encryption (COSE)", Work in Progress,
Internet-Draft, draft-ietf-cose-hpke-09, 12 July 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-cose-
hpke-09>.
[I-D.ietf-jose-hpke-encrypt]
Reddy.K, T., Tschofenig, H., Banerjee, A., Steele, O., and
M. B. Jones, "Use of Hybrid Public Key Encryption (HPKE)
with JSON Object Signing and Encryption (JOSE)", Work in
Progress, Internet-Draft, draft-ietf-jose-hpke-encrypt-03,
5 December 2024, <https://datatracker.ietf.org/doc/html/
draft-ietf-jose-hpke-encrypt-03>.
[I-D.ietf-pquip-pqt-hybrid-terminology]
D, F., P, M., and B. Hale, "Terminology for Post-Quantum
Traditional Hybrid Schemes", Work in Progress, Internet-
Draft, draft-ietf-pquip-pqt-hybrid-terminology-04, 10
September 2024, <https://datatracker.ietf.org/doc/html/
draft-ietf-pquip-pqt-hybrid-terminology-04>.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090,
DOI 10.17487/RFC6090, February 2011,
<https://www.rfc-editor.org/rfc/rfc6090>.
[RFC8037] Liusvaara, I., "CFRG Elliptic Curve Diffie-Hellman (ECDH)
and Signatures in JSON Object Signing and Encryption
(JOSE)", RFC 8037, DOI 10.17487/RFC8037, January 2017,
<https://www.rfc-editor.org/rfc/rfc8037>.
[RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Structures and Process", STD 96, RFC 9052,
DOI 10.17487/RFC9052, August 2022,
<https://www.rfc-editor.org/rfc/rfc9052>.
Authors' Addresses
Tirumaleswar Reddy
Nokia
Bangalore
Karnataka
India
Email: kondtir@gmail.com
Hannes Tschofenig
Germany
Email: hannes.tschofenig@gmx.net
Reddy & Tschofenig Expires 12 June 2025 [Page 9]