| Internet-Draft | COSE HPKE PQ | April 2026 |
| Reddy, et al. | Expires 24 October 2026 | [Page] |
This document registers Post-Quantum (PQ) and Post-Quantum/Traditional (PQ/T) hybrid algorithm identifiers for use with CBOR Object Signing and Encryption (COSE), building on the Hybrid Public Key Encryption (HPKE) framework.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://tireddy2.github.io/Hybrid-KEM-with-COSE-JOSE/draft-reddy-cose-hpke-pq-pqt.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-reddy-cose-hpke-pq-pqt/.¶
Discussion of this document takes place on the cose Working Group mailing list (mailto:cose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/cose/. Subscribe at https://www.ietf.org/mailman/listinfo/cose/.¶
Source for this draft and an issue tracker can be found at https://github.com/tireddy2/Hybrid-KEM-with-COSE-JOSE.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 24 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
[I-D.ietf-cose-hpke] defines how to use Hybrid Public Key Encryption (HPKE) with COSE_Encrypt0 and COSE_Encrypt structures ([RFC9052]) using traditional Key Encapsulation Mechanisms (KEM) based on Elliptic-curve Diffie-Hellman (ECDH).¶
This document extends the set of registered HPKE algorithms to include Post-Quantum (PQ) and Post-Quantum/Traditional (PQ/T) hybrid KEMs, as defined in [I-D.ietf-hpke-pq]. These algorithms provide protection against attacks by cryptographically relevant quantum computers.¶
The term "PQ/T hybrid" is used here consistent with [I-D.ietf-hpke-pq] to denote a combination of post-quantum and traditional algorithms, and should not be confused with HPKE's use of "hybrid" to describe the combination of asymmetric and symmetric encryption.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses the terms "Traditional Algorithm", "Post-Quantum Algorithm", "PQ/T Hybrid Scheme", and "PQ/T Hybrid KEM" as defined in [RFC9794]. The term "pure post-quantum" is used in this document to refer to a single-algorithm scheme using only a post-quantum algorithm, with no traditional component.¶
This section defines the algorithm identifiers for PQ and PQ/T HPKE-based encryption in COSE. Each algorithm is defined by a combination of an HPKE KEM, a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) algorithm.¶
All algorithms defined in this section follow the same operational model as those in [I-D.ietf-cose-hpke], supporting both integrated encryption as defined in Section 3.2 of [I-D.ietf-cose-hpke] and key encryption as defined in Section 3.3 of [I-D.ietf-cose-hpke].¶
Test vectors for all algorithms defined in this section are provided in Appendix A.¶
The following table lists the algorithm identifiers for PQ/T hybrid integrated encryption, where HPKE directly encrypts the plaintext without a separate Content Encryption Key:¶
| Name | Value | HPKE KEM | HPKE KDF | HPKE AEAD |
|---|---|---|---|---|
| HPKE-8 | TBD (Assumed: 54) | MLKEM768-P256 (0x0050) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
| HPKE-9 | TBD (Assumed: 56) | MLKEM768-X25519 (0x647a) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
| HPKE-10 | TBD (Assumed: 58) | MLKEM1024-P384 (0x0051) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
These algorithms combine ML-KEM with a traditional elliptic curve algorithm in a PQ/T hybrid KEM, with the goal that compromise of either the post-quantum or the traditional component alone does not undermine the security of the resulting encryption.¶
The following table lists the algorithm identifiers for pure post-quantum integrated encryption:¶
| Name | Value | HPKE KEM | HPKE KDF | HPKE AEAD |
|---|---|---|---|---|
| HPKE-11 | TBD (Assumed: 60) | ML-KEM-512 (0x0040) |
SHAKE256 (0x0011) |
AES-128-GCM (0x0001) |
| HPKE-12 | TBD (Assumed: 62) | ML-KEM-768 (0x0041) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
| HPKE-13 | TBD (Assumed: 64) | ML-KEM-1024 (0x0042) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
These algorithms provide pure post-quantum security using ML-KEM without a traditional algorithm component.¶
The following table lists the algorithm identifiers for PQ/T hybrid key encryption, where HPKE encrypts the Content Encryption Key:¶
| Name | Value | HPKE KEM | HPKE KDF | HPKE AEAD |
|---|---|---|---|---|
| HPKE-8-KE | TBD (Assumed: 55) | MLKEM768-P256 (0x0050) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
| HPKE-9-KE | TBD (Assumed: 57) | MLKEM768-X25519 (0x647a) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
| HPKE-10-KE | TBD (Assumed: 59) | MLKEM1024-P384 (0x0051) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
These are the key encryption counterparts of the PQ/T hybrid integrated encryption algorithms defined in Table 1.¶
The following table lists the algorithm identifiers for pure post-quantum key encryption:¶
| Name | Value | HPKE KEM | HPKE KDF | HPKE AEAD |
|---|---|---|---|---|
| HPKE-11-KE | TBD (Assumed: 61) | ML-KEM-512 (0x0040) |
SHAKE256 (0x0011) |
AES-128-GCM (0x0001) |
| HPKE-12-KE | TBD (Assumed: 63) | ML-KEM-768 (0x0041) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
| HPKE-13-KE | TBD (Assumed: 65) | ML-KEM-1024 (0x0042) |
SHAKE256 (0x0011) |
AES-256-GCM (0x0002) |
These are the key encryption counterparts of the pure PQ integrated encryption algorithms defined in Table 2.¶
Keys for the algorithms defined in this document use the "AKP" (Algorithm Key Pair) COSE key type defined in Section 3 of [I-D.ietf-cose-dilithium]. The required "alg" (label 3) parameter identifies the HPKE ciphersuite as well as whether the key is used for Integrated Encryption or Key Encryption.¶
The public key parameter (label -1) contains the SerializePublicKey() output for the corresponding KEM, and for private keys the private key parameter (label -2) contains the SerializePrivateKey() output, both as defined in Section 4 of [I-D.ietf-hpke-hpke]. Both values are encoded as CBOR byte strings.¶
Examples of COSE_Keys for each algorithm are provided in Appendix A.¶
The security considerations of [I-D.ietf-cose-hpke] and [I-D.ietf-hpke-pq] apply to this document. [I-D.ietf-pquip-pqc-engineers] provides general background on the threat posed by cryptographically relevant quantum computers (CRQCs), the properties of KEMs, and considerations for PQ/T hybrid schemes.¶
This document registers ciphersuites based on ML-KEM-512. As noted in Section 3 of [I-D.ietf-hpke-pq], given the relative novelty of ML-KEM, there is concern that new cryptanalysis might reduce the security level of ML-KEM-512. Use of ML-KEM-768 or ML-KEM-1024 acts as a hedge against such cryptanalysis at a modest performance penalty, and is RECOMMENDED where the additional overhead is acceptable.¶
The PQ/T hybrid ciphersuites registered by this document are motivated by the PQ/T Hybrid Confidentiality property (Section 5 of [RFC9794], Section 13.1 of [I-D.ietf-pquip-pqc-engineers]): confidentiality is preserved as long as at least one of the component algorithms remains secure. The traditional component protects against unforeseen cryptanalysis of ML-KEM, while the post-quantum component protects against Harvest Now, Decrypt Later (HNDL) attacks (Section 7 of [I-D.ietf-pquip-pqc-engineers]) by a future CRQC. PQ/T hybrid ciphersuites are generally preferred for this reason during the transition to post-quantum cryptography.¶
The pure PQ ciphersuites are registered to accommodate deployments with regulatory or compliance mandates that require the exclusive use of post-quantum algorithms, such as those governed by the Commercial National Security Algorithm Suite 2.0 [CNSA2.0], as well as deployments where the size or performance overhead of a traditional component is undesirable.¶
When the Key Encryption algorithms defined in Table 3 or Table 4 are used in a COSE_Encrypt structure with multiple COSE_Recipient entries, all recipients MUST use a quantum-resistant Key Management algorithm. Including a recipient that uses an algorithm that is not quantum-resistant would allow an adversary performing an HNDL attack to recover the Content Encryption Key once a CRQC becomes available; see Section 15.4 of [I-D.ietf-pquip-pqc-engineers].¶
Ciphersuites based on ML-KEM-512 target NIST post-quantum security level 1; those based on ML-KEM-768 target security level 3; and those based on ML-KEM-1024 target security level 5 (see Section 11 of [I-D.ietf-pquip-pqc-engineers]). In the PQ/T hybrid ciphersuites, the traditional component provides an additional classical security floor: P-256 and X25519 offer approximately 128-bit classical security, while P-384 offers approximately 192-bit classical security. The -KE variants share the same cryptographic properties as their integrated encryption counterparts.¶
All ciphersuites use SHAKE256 as the KDF, aligning with the hash family used internally by ML-KEM. The AEAD is paired with the KEM security level: ML-KEM-512 ciphersuites use AES-128-GCM, while ML-KEM-768, ML-KEM-1024, and the PQ/T hybrid ciphersuites use AES-256-GCM. As discussed in Section 3.1 of [I-D.ietf-pquip-pqc-engineers], symmetric primitives are only modestly affected by quantum attacks and doubling key sizes is not strictly required; AES-256-GCM is nonetheless selected for the higher-strength ciphersuites to provide a comfortable margin consistent with security level 3 and 5 parameter sets and with contemporary guidance such as [CNSA2.0]. AES-128-GCM is used with ML-KEM-512 since pairing a level-1 KEM with a level-5 AEAD would not improve the overall security level while increasing implementation and bandwidth cost. The widespread hardware acceleration and broad deployment of AES-GCM make it a reasonable choice for all ciphersuites defined in this document.¶
This document requests registration of the following values in the IANA "COSE Algorithms" registry established by [RFC9053]:¶
This appendix provides test vectors for each algorithm defined in this document. For each algorithm, a private COSE_Key and an example encrypted COSE message (COSE_Encrypt0 for integrated encryption suites, or COSE_Encrypt with a single COSE_Recipient for key encryption suites) are provided, each shown in CBOR diagnostic notation and as hex-encoded CBOR.¶
{::include examples/cose-keys/HPKE-8-diag.txt}
{::include examples/cose-keys/HPKE-8-hex.txt}
{::include examples/cose/HPKE-8-diag.txt}
{::include examples/cose/HPKE-8-hex.txt}
{::include examples/cose-keys/HPKE-8-KE-diag.txt}
{::include examples/cose-keys/HPKE-8-KE-hex.txt}
{::include examples/cose/HPKE-8-KE-diag.txt}
{::include examples/cose/HPKE-8-KE-hex.txt}
{::include examples/cose-keys/HPKE-9-diag.txt}
{::include examples/cose-keys/HPKE-9-hex.txt}
{::include examples/cose/HPKE-9-diag.txt}
{::include examples/cose/HPKE-9-hex.txt}
{::include examples/cose-keys/HPKE-9-KE-diag.txt}
{::include examples/cose-keys/HPKE-9-KE-hex.txt}
{::include examples/cose/HPKE-9-KE-diag.txt}
{::include examples/cose/HPKE-9-KE-hex.txt}
{::include examples/cose-keys/HPKE-10-diag.txt}
{::include examples/cose-keys/HPKE-10-hex.txt}
{::include examples/cose/HPKE-10-diag.txt}
{::include examples/cose/HPKE-10-hex.txt}
{::include examples/cose-keys/HPKE-10-KE-diag.txt}
{::include examples/cose-keys/HPKE-10-KE-hex.txt}
{::include examples/cose/HPKE-10-KE-diag.txt}
{::include examples/cose/HPKE-10-KE-hex.txt}
{::include examples/cose-keys/HPKE-11-diag.txt}
{::include examples/cose-keys/HPKE-11-hex.txt}
{::include examples/cose/HPKE-11-diag.txt}
{::include examples/cose/HPKE-11-hex.txt}
{::include examples/cose-keys/HPKE-11-KE-diag.txt}
{::include examples/cose-keys/HPKE-11-KE-hex.txt}
{::include examples/cose/HPKE-11-KE-diag.txt}
{::include examples/cose/HPKE-11-KE-hex.txt}
{::include examples/cose-keys/HPKE-12-diag.txt}
{::include examples/cose-keys/HPKE-12-hex.txt}
{::include examples/cose/HPKE-12-diag.txt}
{::include examples/cose/HPKE-12-hex.txt}
{::include examples/cose-keys/HPKE-12-KE-diag.txt}
{::include examples/cose-keys/HPKE-12-KE-hex.txt}
{::include examples/cose/HPKE-12-KE-diag.txt}
{::include examples/cose/HPKE-12-KE-hex.txt}
{::include examples/cose-keys/HPKE-13-diag.txt}
{::include examples/cose-keys/HPKE-13-hex.txt}
{::include examples/cose/HPKE-13-diag.txt}
{::include examples/cose/HPKE-13-hex.txt}
{::include examples/cose-keys/HPKE-13-KE-diag.txt}
{::include examples/cose-keys/HPKE-13-KE-hex.txt}
{::include examples/cose/HPKE-13-KE-diag.txt}
{::include examples/cose/HPKE-13-KE-hex.txt}
Thanks to Ilari Liusvaara and Orie Steele for the discussion and comments.¶