CBOR Object Signing and Encryption T. Reddy Internet-Draft Nokia Intended status: Standards Track H. Tschofenig Expires: 24 October 2026 UniBw M. F. Skokan Okta 22 April 2026 COSE HPKE PQ & PQ/T Algorithm Registrations draft-reddy-cose-hpke-pq-pqt-00 Abstract This document registers Post-Quantum (PQ) and Post-Quantum/ Traditional (PQ/T) hybrid algorithm identifiers for use with CBOR Object Signing and Encryption (COSE), building on the Hybrid Public Key Encryption (HPKE) framework. About This Document This note is to be removed before publishing as an RFC. The latest revision of this draft can be found at https://tireddy2.github.io/Hybrid-KEM-with-COSE-JOSE/draft-reddy- cose-hpke-pq-pqt.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-reddy-cose-hpke-pq- pqt/. Discussion of this document takes place on the cose Working Group mailing list (mailto:cose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/cose/. Subscribe at https://www.ietf.org/mailman/listinfo/cose/. Source for this draft and an issue tracker can be found at https://github.com/tireddy2/Hybrid-KEM-with-COSE-JOSE. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Reddy, et al. Expires 24 October 2026 [Page 1] Internet-Draft COSE HPKE PQ April 2026 Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 24 October 2026. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. Algorithm Identifiers . . . . . . . . . . . . . . . . . . . . 3 3.1. PQ/T Hybrid Integrated Encryption Algorithms . . . . . . 4 3.2. Pure PQ Integrated Encryption Algorithms . . . . . . . . 4 3.3. PQ/T Hybrid Key Encryption Algorithms . . . . . . . . . . 5 3.4. Pure PQ Key Encryption Algorithms . . . . . . . . . . . . 5 4. COSE_Key Representation . . . . . . . . . . . . . . . . . . . 6 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 5.1. Security Strength . . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 6.1. COSE Algorithms Registry . . . . . . . . . . . . . . . . 8 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 7.1. Normative References . . . . . . . . . . . . . . . . . . 12 7.2. Informative References . . . . . . . . . . . . . . . . . 13 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 14 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 18 Document History . . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 Reddy, et al. Expires 24 October 2026 [Page 2] Internet-Draft COSE HPKE PQ April 2026 1. Introduction [I-D.ietf-cose-hpke] defines how to use Hybrid Public Key Encryption (HPKE) with COSE_Encrypt0 and COSE_Encrypt structures ([RFC9052]) using traditional Key Encapsulation Mechanisms (KEM) based on Elliptic-curve Diffie-Hellman (ECDH). This document extends the set of registered HPKE algorithms to include Post-Quantum (PQ) and Post-Quantum/Traditional (PQ/T) hybrid KEMs, as defined in [I-D.ietf-hpke-pq]. These algorithms provide protection against attacks by cryptographically relevant quantum computers. The term "PQ/T hybrid" is used here consistent with [I-D.ietf-hpke-pq] to denote a combination of post-quantum and traditional algorithms, and should not be confused with HPKE's use of "hybrid" to describe the combination of asymmetric and symmetric encryption. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. This document uses the terms "Traditional Algorithm", "Post-Quantum Algorithm", "PQ/T Hybrid Scheme", and "PQ/T Hybrid KEM" as defined in [RFC9794]. The term "pure post-quantum" is used in this document to refer to a single-algorithm scheme using only a post-quantum algorithm, with no traditional component. 3. Algorithm Identifiers This section defines the algorithm identifiers for PQ and PQ/T HPKE- based encryption in COSE. Each algorithm is defined by a combination of an HPKE KEM, a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) algorithm. All algorithms defined in this section follow the same operational model as those in [I-D.ietf-cose-hpke], supporting both integrated encryption as defined in Section 3.2 of [I-D.ietf-cose-hpke] and key encryption as defined in Section 3.3 of [I-D.ietf-cose-hpke]. Test vectors for all algorithms defined in this section are provided in Appendix A. Reddy, et al. Expires 24 October 2026 [Page 3] Internet-Draft COSE HPKE PQ April 2026 3.1. PQ/T Hybrid Integrated Encryption Algorithms The following table lists the algorithm identifiers for PQ/T hybrid integrated encryption, where HPKE directly encrypts the plaintext without a separate Content Encryption Key: +=========+===========+=================+==========+=============+ | Name | Value | HPKE KEM | HPKE KDF | HPKE AEAD | +=========+===========+=================+==========+=============+ | HPKE-8 | TBD | MLKEM768-P256 | SHAKE256 | AES-256-GCM | | | (Assumed: | (0x0050) | (0x0011) | (0x0002) | | | 54) | | | | +---------+-----------+-----------------+----------+-------------+ | HPKE-9 | TBD | MLKEM768-X25519 | SHAKE256 | AES-256-GCM | | | (Assumed: | (0x647a) | (0x0011) | (0x0002) | | | 56) | | | | +---------+-----------+-----------------+----------+-------------+ | HPKE-10 | TBD | MLKEM1024-P384 | SHAKE256 | AES-256-GCM | | | (Assumed: | (0x0051) | (0x0011) | (0x0002) | | | 58) | | | | +---------+-----------+-----------------+----------+-------------+ Table 1: PQ/T Hybrid Integrated Encryption Algorithms These algorithms combine ML-KEM with a traditional elliptic curve algorithm in a PQ/T hybrid KEM, with the goal that compromise of either the post-quantum or the traditional component alone does not undermine the security of the resulting encryption. 3.2. Pure PQ Integrated Encryption Algorithms The following table lists the algorithm identifiers for pure post- quantum integrated encryption: +=========+===============+=============+==========+=============+ | Name | Value | HPKE KEM | HPKE KDF | HPKE AEAD | +=========+===============+=============+==========+=============+ | HPKE-11 | TBD (Assumed: | ML-KEM-512 | SHAKE256 | AES-128-GCM | | | 60) | (0x0040) | (0x0011) | (0x0001) | +---------+---------------+-------------+----------+-------------+ | HPKE-12 | TBD (Assumed: | ML-KEM-768 | SHAKE256 | AES-256-GCM | | | 62) | (0x0041) | (0x0011) | (0x0002) | +---------+---------------+-------------+----------+-------------+ | HPKE-13 | TBD (Assumed: | ML-KEM-1024 | SHAKE256 | AES-256-GCM | | | 64) | (0x0042) | (0x0011) | (0x0002) | +---------+---------------+-------------+----------+-------------+ Table 2: Pure PQ Integrated Encryption Algorithms Reddy, et al. Expires 24 October 2026 [Page 4] Internet-Draft COSE HPKE PQ April 2026 These algorithms provide pure post-quantum security using ML-KEM without a traditional algorithm component. 3.3. PQ/T Hybrid Key Encryption Algorithms The following table lists the algorithm identifiers for PQ/T hybrid key encryption, where HPKE encrypts the Content Encryption Key: +============+===========+=================+========+=============+ | Name | Value | HPKE KEM |HPKE KDF| HPKE AEAD | +============+===========+=================+========+=============+ | HPKE-8-KE | TBD | MLKEM768-P256 |SHAKE256| AES-256-GCM | | | (Assumed: | (0x0050) |(0x0011)| (0x0002) | | | 55) | | | | +------------+-----------+-----------------+--------+-------------+ | HPKE-9-KE | TBD | MLKEM768-X25519 |SHAKE256| AES-256-GCM | | | (Assumed: | (0x647a) |(0x0011)| (0x0002) | | | 57) | | | | +------------+-----------+-----------------+--------+-------------+ | HPKE-10-KE | TBD | MLKEM1024-P384 |SHAKE256| AES-256-GCM | | | (Assumed: | (0x0051) |(0x0011)| (0x0002) | | | 59) | | | | +------------+-----------+-----------------+--------+-------------+ Table 3: PQ/T Hybrid Key Encryption Algorithms These are the key encryption counterparts of the PQ/T hybrid integrated encryption algorithms defined in Table 1. 3.4. Pure PQ Key Encryption Algorithms The following table lists the algorithm identifiers for pure post- quantum key encryption: Reddy, et al. Expires 24 October 2026 [Page 5] Internet-Draft COSE HPKE PQ April 2026 +============+===============+=============+==========+=============+ | Name | Value | HPKE KEM | HPKE KDF | HPKE AEAD | +============+===============+=============+==========+=============+ | HPKE-11-KE | TBD | ML-KEM-512 | SHAKE256 | AES-128-GCM | | | (Assumed: | (0x0040) | (0x0011) | (0x0001) | | | 61) | | | | +------------+---------------+-------------+----------+-------------+ | HPKE-12-KE | TBD | ML-KEM-768 | SHAKE256 | AES-256-GCM | | | (Assumed: | (0x0041) | (0x0011) | (0x0002) | | | 63) | | | | +------------+---------------+-------------+----------+-------------+ | HPKE-13-KE | TBD | ML-KEM-1024 | SHAKE256 | AES-256-GCM | | | (Assumed: | (0x0042) | (0x0011) | (0x0002) | | | 65) | | | | +------------+---------------+-------------+----------+-------------+ Table 4: Pure PQ Key Encryption Algorithms These are the key encryption counterparts of the pure PQ integrated encryption algorithms defined in Table 2. 4. COSE_Key Representation Keys for the algorithms defined in this document use the "AKP" (Algorithm Key Pair) COSE key type defined in Section 3 of [I-D.ietf-cose-dilithium]. The required "alg" (label 3) parameter identifies the HPKE ciphersuite as well as whether the key is used for Integrated Encryption or Key Encryption. The public key parameter (label -1) contains the SerializePublicKey() output for the corresponding KEM, and for private keys the private key parameter (label -2) contains the SerializePrivateKey() output, both as defined in Section 4 of [I-D.ietf-hpke-hpke]. Both values are encoded as CBOR byte strings. Examples of COSE_Keys for each algorithm are provided in Appendix A. 5. Security Considerations The security considerations of [I-D.ietf-cose-hpke] and [I-D.ietf-hpke-pq] apply to this document. [I-D.ietf-pquip-pqc-engineers] provides general background on the threat posed by cryptographically relevant quantum computers (CRQCs), the properties of KEMs, and considerations for PQ/T hybrid schemes. This document registers ciphersuites based on ML-KEM-512. As noted in Section 3 of [I-D.ietf-hpke-pq], given the relative novelty of ML- KEM, there is concern that new cryptanalysis might reduce the Reddy, et al. Expires 24 October 2026 [Page 6] Internet-Draft COSE HPKE PQ April 2026 security level of ML-KEM-512. Use of ML-KEM-768 or ML-KEM-1024 acts as a hedge against such cryptanalysis at a modest performance penalty, and is RECOMMENDED where the additional overhead is acceptable. The PQ/T hybrid ciphersuites registered by this document are motivated by the PQ/T Hybrid Confidentiality property (Section 5 of [RFC9794], Section 13.1 of [I-D.ietf-pquip-pqc-engineers]): confidentiality is preserved as long as at least one of the component algorithms remains secure. The traditional component protects against unforeseen cryptanalysis of ML-KEM, while the post-quantum component protects against Harvest Now, Decrypt Later (HNDL) attacks (Section 7 of [I-D.ietf-pquip-pqc-engineers]) by a future CRQC. PQ/T hybrid ciphersuites are generally preferred for this reason during the transition to post-quantum cryptography. The pure PQ ciphersuites are registered to accommodate deployments with regulatory or compliance mandates that require the exclusive use of post-quantum algorithms, such as those governed by the Commercial National Security Algorithm Suite 2.0 [CNSA2.0], as well as deployments where the size or performance overhead of a traditional component is undesirable. When the Key Encryption algorithms defined in Table 3 or Table 4 are used in a COSE_Encrypt structure with multiple COSE_Recipient entries, all recipients MUST use a quantum-resistant Key Management algorithm. Including a recipient that uses an algorithm that is not quantum-resistant would allow an adversary performing an HNDL attack to recover the Content Encryption Key once a CRQC becomes available; see Section 15.4 of [I-D.ietf-pquip-pqc-engineers]. 5.1. Security Strength Ciphersuites based on ML-KEM-512 target NIST post-quantum security level 1; those based on ML-KEM-768 target security level 3; and those based on ML-KEM-1024 target security level 5 (see Section 11 of [I-D.ietf-pquip-pqc-engineers]). In the PQ/T hybrid ciphersuites, the traditional component provides an additional classical security floor: P-256 and X25519 offer approximately 128-bit classical security, while P-384 offers approximately 192-bit classical security. The -KE variants share the same cryptographic properties as their integrated encryption counterparts. All ciphersuites use SHAKE256 as the KDF, aligning with the hash family used internally by ML-KEM. The AEAD is paired with the KEM security level: ML-KEM-512 ciphersuites use AES-128-GCM, while ML- KEM-768, ML-KEM-1024, and the PQ/T hybrid ciphersuites use AES- 256-GCM. As discussed in Section 3.1 of Reddy, et al. Expires 24 October 2026 [Page 7] Internet-Draft COSE HPKE PQ April 2026 [I-D.ietf-pquip-pqc-engineers], symmetric primitives are only modestly affected by quantum attacks and doubling key sizes is not strictly required; AES-256-GCM is nonetheless selected for the higher-strength ciphersuites to provide a comfortable margin consistent with security level 3 and 5 parameter sets and with contemporary guidance such as [CNSA2.0]. AES-128-GCM is used with ML-KEM-512 since pairing a level-1 KEM with a level-5 AEAD would not improve the overall security level while increasing implementation and bandwidth cost. The widespread hardware acceleration and broad deployment of AES-GCM make it a reasonable choice for all ciphersuites defined in this document. 6. IANA Considerations 6.1. COSE Algorithms Registry This document requests registration of the following values in the IANA "COSE Algorithms" registry established by [RFC9053]: 6.1.1. HPKE-8 * Name: HPKE-8 * Value: TBD (Assumed: 54) * Description: Integrated Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] * Change Controller: IETF * Reference: Table 1 of this document * Recommended: Yes 6.1.2. HPKE-8-KE * Name: HPKE-8-KE * Value: TBD (Assumed: 55) * Description: Key Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] * Change Controller: IETF Reddy, et al. Expires 24 October 2026 [Page 8] Internet-Draft COSE HPKE PQ April 2026 * Reference: Table 3 of this document * Recommended: Yes 6.1.3. HPKE-9 * Name: HPKE-9 * Value: TBD (Assumed: 56) * Description: Integrated Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] * Change Controller: IETF * Reference: Table 1 of this document * Recommended: Yes 6.1.4. HPKE-9-KE * Name: HPKE-9-KE * Value: TBD (Assumed: 57) * Description: Key Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] * Change Controller: IETF * Reference: Table 3 of this document * Recommended: Yes 6.1.5. HPKE-10 * Name: HPKE-10 * Value: TBD (Assumed: 58) * Description: Integrated Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] Reddy, et al. Expires 24 October 2026 [Page 9] Internet-Draft COSE HPKE PQ April 2026 * Change Controller: IETF * Reference: Table 1 of this document * Recommended: Yes 6.1.6. HPKE-10-KE * Name: HPKE-10-KE * Value: TBD (Assumed: 59) * Description: Key Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] * Change Controller: IETF * Reference: Table 3 of this document * Recommended: Yes 6.1.7. HPKE-11 * Name: HPKE-11 * Value: TBD (Assumed: 60) * Description: Integrated Encryption with HPKE using ML-KEM-512 KEM, SHAKE256 KDF, and AES-128-GCM AEAD * Capabilities: [kty] * Change Controller: IETF * Reference: Table 2 of this document * Recommended: Yes 6.1.8. HPKE-11-KE * Name: HPKE-11-KE * Value: TBD (Assumed: 61) * Description: Key Encryption with HPKE using ML-KEM-512 KEM, SHAKE256 KDF, and AES-128-GCM AEAD Reddy, et al. Expires 24 October 2026 [Page 10] Internet-Draft COSE HPKE PQ April 2026 * Capabilities: [kty] * Change Controller: IETF * Reference: Table 4 of this document * Recommended: Yes 6.1.9. HPKE-12 * Name: HPKE-12 * Value: TBD (Assumed: 62) * Description: Integrated Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] * Change Controller: IETF * Reference: Table 2 of this document * Recommended: Yes 6.1.10. HPKE-12-KE * Name: HPKE-12-KE * Value: TBD (Assumed: 63) * Description: Key Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] * Change Controller: IETF * Reference: Table 4 of this document * Recommended: Yes 6.1.11. HPKE-13 * Name: HPKE-13 * Value: TBD (Assumed: 64) Reddy, et al. Expires 24 October 2026 [Page 11] Internet-Draft COSE HPKE PQ April 2026 * Description: Integrated Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] * Change Controller: IETF * Reference: Table 2 of this document * Recommended: Yes 6.1.12. HPKE-13-KE * Name: HPKE-13-KE * Value: TBD (Assumed: 65) * Description: Key Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and AES-256-GCM AEAD * Capabilities: [kty] * Change Controller: IETF * Reference: Table 4 of this document * Recommended: Yes 7. References 7.1. Normative References [I-D.ietf-cose-dilithium] Prorock, M. and O. Steele, "ML-DSA for JOSE and COSE", Work in Progress, Internet-Draft, draft-ietf-cose- dilithium-11, 15 November 2025, . [I-D.ietf-cose-hpke] Tschofenig, H., Jones, M. B., Steele, O., Daisuke, A., and L. Lundblade, "Use of Hybrid Public-Key Encryption (HPKE) with CBOR Object Signing and Encryption (COSE)", Work in Progress, Internet-Draft, draft-ietf-cose-hpke-25, 7 April 2026, . Reddy, et al. Expires 24 October 2026 [Page 12] Internet-Draft COSE HPKE PQ April 2026 [I-D.ietf-hpke-hpke] Barnes, R., Bhargavan, K., Lipp, B., and C. A. Wood, "Hybrid Public Key Encryption", Work in Progress, Internet-Draft, draft-ietf-hpke-hpke-03, 2 March 2026, . [I-D.ietf-hpke-pq] Barnes, R. and D. Connolly, "Post-Quantum and Post- Quantum/Traditional Hybrid Algorithms for HPKE", Work in Progress, Internet-Draft, draft-ietf-hpke-pq-04, 2 March 2026, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 7.2. Informative References [CNSA2.0] National Security Agency, "Announcing the Commercial National Security Algorithm Suite 2.0", May 2025, . [I-D.ietf-pquip-pqc-engineers] Banerjee, A., Reddy.K, T., Schoinianakis, D., Hollebeek, T., and M. Ounsworth, "Post-Quantum Cryptography for Engineers", Work in Progress, Internet-Draft, draft-ietf- pquip-pqc-engineers-14, 25 August 2025, . [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, . [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, August 2022, . Reddy, et al. Expires 24 October 2026 [Page 13] Internet-Draft COSE HPKE PQ April 2026 [RFC9794] Driscoll, F., Parsons, M., and B. Hale, "Terminology for Post-Quantum Traditional Hybrid Schemes", RFC 9794, DOI 10.17487/RFC9794, June 2025, . Appendix A. Test Vectors This appendix provides test vectors for each algorithm defined in this document. For each algorithm, a private COSE_Key and an example encrypted COSE message (COSE_Encrypt0 for integrated encryption suites, or COSE_Encrypt with a single COSE_Recipient for key encryption suites) are provided, each shown in CBOR diagnostic notation and as hex-encoded CBOR. A.1. HPKE-8 {::include examples/cose-keys/HPKE-8-diag.txt} Figure 1: HPKE-8 COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-8-hex.txt} Figure 2: HPKE-8 COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-8-diag.txt} Figure 3: HPKE-8 COSE_Encrypt0 (Diagnostic Notation) {::include examples/cose/HPKE-8-hex.txt} Figure 4: HPKE-8 COSE_Encrypt0 (Hex-Encoded CBOR) A.2. HPKE-8-KE {::include examples/cose-keys/HPKE-8-KE-diag.txt} Figure 5: HPKE-8-KE COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-8-KE-hex.txt} Figure 6: HPKE-8-KE COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-8-KE-diag.txt} Figure 7: HPKE-8-KE COSE_Encrypt (Diagnostic Notation) {::include examples/cose/HPKE-8-KE-hex.txt} Reddy, et al. Expires 24 October 2026 [Page 14] Internet-Draft COSE HPKE PQ April 2026 Figure 8: HPKE-8-KE COSE_Encrypt (Hex-Encoded CBOR) A.3. HPKE-9 {::include examples/cose-keys/HPKE-9-diag.txt} Figure 9: HPKE-9 COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-9-hex.txt} Figure 10: HPKE-9 COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-9-diag.txt} Figure 11: HPKE-9 COSE_Encrypt0 (Diagnostic Notation) {::include examples/cose/HPKE-9-hex.txt} Figure 12: HPKE-9 COSE_Encrypt0 (Hex-Encoded CBOR) A.4. HPKE-9-KE {::include examples/cose-keys/HPKE-9-KE-diag.txt} Figure 13: HPKE-9-KE COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-9-KE-hex.txt} Figure 14: HPKE-9-KE COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-9-KE-diag.txt} Figure 15: HPKE-9-KE COSE_Encrypt (Diagnostic Notation) {::include examples/cose/HPKE-9-KE-hex.txt} Figure 16: HPKE-9-KE COSE_Encrypt (Hex-Encoded CBOR) A.5. HPKE-10 {::include examples/cose-keys/HPKE-10-diag.txt} Figure 17: HPKE-10 COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-10-hex.txt} Figure 18: HPKE-10 COSE_Key (Hex-Encoded CBOR) Reddy, et al. Expires 24 October 2026 [Page 15] Internet-Draft COSE HPKE PQ April 2026 {::include examples/cose/HPKE-10-diag.txt} Figure 19: HPKE-10 COSE_Encrypt0 (Diagnostic Notation) {::include examples/cose/HPKE-10-hex.txt} Figure 20: HPKE-10 COSE_Encrypt0 (Hex-Encoded CBOR) A.6. HPKE-10-KE {::include examples/cose-keys/HPKE-10-KE-diag.txt} Figure 21: HPKE-10-KE COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-10-KE-hex.txt} Figure 22: HPKE-10-KE COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-10-KE-diag.txt} Figure 23: HPKE-10-KE COSE_Encrypt (Diagnostic Notation) {::include examples/cose/HPKE-10-KE-hex.txt} Figure 24: HPKE-10-KE COSE_Encrypt (Hex-Encoded CBOR) A.7. HPKE-11 {::include examples/cose-keys/HPKE-11-diag.txt} Figure 25: HPKE-11 COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-11-hex.txt} Figure 26: HPKE-11 COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-11-diag.txt} Figure 27: HPKE-11 COSE_Encrypt0 (Diagnostic Notation) {::include examples/cose/HPKE-11-hex.txt} Figure 28: HPKE-11 COSE_Encrypt0 (Hex-Encoded CBOR) A.8. HPKE-11-KE {::include examples/cose-keys/HPKE-11-KE-diag.txt} Reddy, et al. Expires 24 October 2026 [Page 16] Internet-Draft COSE HPKE PQ April 2026 Figure 29: HPKE-11-KE COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-11-KE-hex.txt} Figure 30: HPKE-11-KE COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-11-KE-diag.txt} Figure 31: HPKE-11-KE COSE_Encrypt (Diagnostic Notation) {::include examples/cose/HPKE-11-KE-hex.txt} Figure 32: HPKE-11-KE COSE_Encrypt (Hex-Encoded CBOR) A.9. HPKE-12 {::include examples/cose-keys/HPKE-12-diag.txt} Figure 33: HPKE-12 COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-12-hex.txt} Figure 34: HPKE-12 COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-12-diag.txt} Figure 35: HPKE-12 COSE_Encrypt0 (Diagnostic Notation) {::include examples/cose/HPKE-12-hex.txt} Figure 36: HPKE-12 COSE_Encrypt0 (Hex-Encoded CBOR) A.10. HPKE-12-KE {::include examples/cose-keys/HPKE-12-KE-diag.txt} Figure 37: HPKE-12-KE COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-12-KE-hex.txt} Figure 38: HPKE-12-KE COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-12-KE-diag.txt} Figure 39: HPKE-12-KE COSE_Encrypt (Diagnostic Notation) {::include examples/cose/HPKE-12-KE-hex.txt} Reddy, et al. Expires 24 October 2026 [Page 17] Internet-Draft COSE HPKE PQ April 2026 Figure 40: HPKE-12-KE COSE_Encrypt (Hex-Encoded CBOR) A.11. HPKE-13 {::include examples/cose-keys/HPKE-13-diag.txt} Figure 41: HPKE-13 COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-13-hex.txt} Figure 42: HPKE-13 COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-13-diag.txt} Figure 43: HPKE-13 COSE_Encrypt0 (Diagnostic Notation) {::include examples/cose/HPKE-13-hex.txt} Figure 44: HPKE-13 COSE_Encrypt0 (Hex-Encoded CBOR) A.12. HPKE-13-KE {::include examples/cose-keys/HPKE-13-KE-diag.txt} Figure 45: HPKE-13-KE COSE_Key (Diagnostic Notation) {::include examples/cose-keys/HPKE-13-KE-hex.txt} Figure 46: HPKE-13-KE COSE_Key (Hex-Encoded CBOR) {::include examples/cose/HPKE-13-KE-diag.txt} Figure 47: HPKE-13-KE COSE_Encrypt (Diagnostic Notation) {::include examples/cose/HPKE-13-KE-hex.txt} Figure 48: HPKE-13-KE COSE_Encrypt (Hex-Encoded CBOR) Acknowledgments Thanks to Ilari Liusvaara and Orie Steele for the discussion and comments. Document History draft-reddy-cose-hpke-pq-pqt-00 * Replaces draft-reddy-cose-jose-pqc-hybrid-hpke Reddy, et al. Expires 24 October 2026 [Page 18] Internet-Draft COSE HPKE PQ April 2026 * Removed ChaCha20Poly1305 AEAD ciphersuites * Adapted source from draft-skokan-jose-hpke-pq-pqt-04 for COSE * Added Filip Skokan as author Authors' Addresses Tirumaleswar Reddy Nokia Email: k.tirumaleswar_reddy@nokia.com Hannes Tschofenig University of the Bundeswehr Munich Email: hannes.tschofenig@gmx.net Filip Skokan Okta Email: panva.ip@gmail.com Reddy, et al. Expires 24 October 2026 [Page 19]