COSE T. Reddy
Internet-Draft Nokia
Intended status: Standards Track H. Tschofenig
Expires: 18 September 2024 17 March 2024
PQ/T Hybrid KEM: HPKE with JOSE/COSE
draft-reddy-cose-jose-pqc-hybrid-hpke-00
Abstract
This document outlines the construction of a PQ/T Hybrid Key
Encapsulation Mechanism (KEM) in Hybrid Public-Key Encryption (HPKE)
for integration with JOSE and COSE. It specifies the utilization of
both traditional and Post-Quantum Cryptography (PQC) algorithms,
referred to as PQ/T Hybrid KEM, within the context of JOSE and COSE.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-hybrid/.
Discussion of this document takes place on the cose Working Group
mailing list (mailto:cose@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/cose/. Subscribe at
https://www.ietf.org/mailman/listinfo/cose/.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 18 September 2024.
Reddy & Tschofenig Expires 18 September 2024 [Page 1]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE March 2024
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Construction . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Ciphersuite Registration . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 4
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6.1. JOSE . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.2. JOSE Algorithms Registry . . . . . . . . . . . . . . . . 5
6.3. COSE . . . . . . . . . . . . . . . . . . . . . . . . . . 5
6.3.1. COSE Algorithms Registry . . . . . . . . . . . . . . 5
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 6
References . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Normative References . . . . . . . . . . . . . . . . . . . . . 6
Informative References . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
The migration to Post-Quantum Cryptography (PQC) is unique in the
history of modern digital cryptography in that neither the
traditional algorithms nor the post-quantum algorithms are fully
trusted to protect data for the required data lifetimes. The
traditional algorithms, such as RSA and elliptic curve, will fall to
quantum cryptalanysis, while the post-quantum algorithms face
uncertainty about the underlying mathematics, compliance issues,
unknown vulnerabilities, hardware and software implementations that
have not had sufficient maturing time to rule out classical
cryptanalytic attacks and implementation bugs.
During the transition from traditional to post-quantum algorithms,
there is a desire or a requirement for protocols that use both
algorithm types. Hybrid key exchange refers to using multiple key
Reddy & Tschofenig Expires 18 September 2024 [Page 2]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE March 2024
exchange algorithms simultaneously and combining the result with the
goal of providing security even if all but one of the component
algorithms is broken. It is motivated by transition to post-quantum
cryptography.
HPKE offers a variant of public-key encryption of arbitrary-sized
plaintexts for a recipient public key. The specifications for the
use of HPKE with JOSE and COSE are described in
[I-D.rha-jose-hpke-encrypt] and [I-D.ietf-cose-hpke], respectively.
HPKE can be extended to support PQ/T Hybrid KEM as defined in
[I-D.connolly-cfrg-xwing-kem]. This specification defines PQ/T
Hybrid KEM in HPKE for use with JOSE and COSE.
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document makes use of the terms defined in
[I-D.ietf-pquip-pqt-hybrid-terminology]. For the purposes of this
document, it is helpful to be able to divide cryptographic algorithms
into two classes:
"Traditional Algorithm": An asymmetric cryptographic algorithm based
on integer factorisation, finite field discrete logarithms, elliptic
curve discrete logarithms, or related mathematical problems. In the
context of JOSE, examples of traditional key exchange algorithms
include Elliptic Curve Diffie-Hellman Ephemeral Static [RFC6090]
[RFC8037]. In the context of COSE, examples of traditional key
exchange algorithms include Ephemeral-Static (ES) DH and Static-
Static (SS) DH [RFC9052].
"Post-Quantum Algorithm": An asymmetric cryptographic algorithm that
is believed to be secure against attacks using quantum computers as
well as classical computers. Examples of PQC key exchange algorithms
include ML-KEM.
"Post-Quantum Traditional (PQ/T) Hybrid Scheme": A multi-algorithm
scheme where at least one component algorithm is a post-quantum
algorithm and at least one is a traditional algorithm.
"PQ/T Hybrid Key Encapsulation Mechanism": A multi-algorithm KEM made
up of two or more component KEM algorithms where at least one is a
post-quantum algorithm and at least one is a traditional algorithm.
Reddy & Tschofenig Expires 18 September 2024 [Page 3]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE March 2024
3. Construction
ML-KEM is a one-pass (store-and-forward) cryptographic mechanism for
an originator to securely send keying material to a recipient using
the recipient's ML-KEM public key. Three parameters sets for ML-KEMs
are specified by [FIPS203-ipd]. In order of increasing security
strength (and decreasing performance), these parameter sets are ML-
KEM-512, ML-KEM-768, and ML-KEM-1024. [I-D.connolly-cfrg-xwing-kem]
uses a multi-algorithm scheme, where one component algorithm is a
post-quantum algorithm and another one is a traditional algorithm.
The Combiner function defined in Section 5.3 of
[I-D.connolly-cfrg-xwing-kem] combines the output of a post-quantum
KEM and a traditional KEM to generate a single shared secret.
4. Ciphersuite Registration
This specification registers a number of PQ/T Hybrid KEMs for use
with HPKE. A ciphersuite is thereby a combination of several
algorithm configurations:
* HPKE Mode
* KEM algorithm (Traditional Algorithm + PQ KEM, for example,
X25519Kyber768)
* KDF algorithm
* AEAD algorithm
The "KEM", "KDF", and "AEAD" values are conceptually taken from the
HPKE IANA registry [HPKE-IANA]. Hence, JOSE and COSE cannot use an
algorithm combination that is not already available with HPKE.
The HPKE PQ/T hybrid ciphersuites for JOSE and COSE are defined in
Section 6.
5. Security Considerations
The shared secrets computed in the hybrid key exchange should be
computed in a way that achieves the "hybrid" property: the resulting
secret is secure as long as at least one of the component key
exchange algorithms is unbroken. PQC KEMs used in the manner
described in this document MUST explicitly be designed to be secure
in the event that the public key is reused, such as achieving IND-
CCA2 security. ML-KEM has such security properties.
6. IANA Considerations
Reddy & Tschofenig Expires 18 September 2024 [Page 4]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE March 2024
6.1. JOSE
This document requests IANA to add new values to the "JSON Web
Signature and Encryption Algorithms" registry.
6.2. JOSE Algorithms Registry
* Algorithm Name: HPKE-Base-X25519Kyber768-SHA256-AES256GCM
* Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode
that uses the X25519Kyber768Draft00 Hybrid KEM, the HKDF-SHA256
KDF, and the AES-256-GCM AEAD.
* Algorithm Usage Location(s): "alg, enc"
* JOSE Implementation Requirements: Optional
* Change Controller: IANA
* Specification Document(s): [[TBD: This RFC]]
* Algorithm Analysis Documents(s): TODO
* Algorithm Name: HPKE-Base-X25519Kyber768-SHA256-ChaCha20Poly1305
* Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode
that uses the X25519Kyber768Draft00 Hybrid
KEM, the HKDF-SHA256 KDF, and the ChaCha20Poly1305 AEAD.
* Algorithm Usage Location(s): "alg, enc"
* JOSE Implementation Requirements: Optional
* Change Controller: IANA
* Specification Document(s): [[TBD: This RFC]]
* Algorithm Analysis Documents(s): TODO
6.3. COSE
This document requests IANA to add new values to the 'COSE
Algorithms' registry.
6.3.1. COSE Algorithms Registry
* Name: HPKE-Base-X25519Kyber768-SHA256-AES256GCM
Reddy & Tschofenig Expires 18 September 2024 [Page 5]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE March 2024
* Value: TBD1
* Description: Cipher suite for COSE-HPKE in Base Mode that uses the
X25519Kyber768Draft00 Hybrid KEM, the
HKDF-SHA256 KDF, and the AES-256-GCM AEAD.
* Capabilities: [kty]
* Change Controller: IANA
* Reference: [[TBD: This RFC]]
* Name: HPKE-Base-X25519Kyber768-SHA256-ChaCha20Poly1305
* Value: TBD2
* Description: Cipher suite for COSE-HPKE in Base Mode that uses the
X25519Kyber768Draft00 Hybrid
KEM, the HKDF-SHA256 KDF, and the ChaCha20Poly1305 AEAD.
* Capabilities: [kty]
* Change Controller: IANA
* Reference: [[TBD: This RFC]]
Acknowledgments
Thanks to Ilari Liusvaara for the discussion and comments.
References
Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
Informative References
Reddy & Tschofenig Expires 18 September 2024 [Page 6]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE March 2024
[FIPS203-ipd]
"Module-Lattice-based Key-Encapsulation Mechanism
Standard", .
[HPKE-IANA]
IANA, "Hybrid Public Key Encryption (HPKE) IANA Registry",
.
[I-D.connolly-cfrg-xwing-kem]
Connolly, D., Schwabe, P., and B. Westerbaan, "X-Wing:
general-purpose hybrid post-quantum KEM", Work in
Progress, Internet-Draft, draft-connolly-cfrg-xwing-kem-
01, 23 January 2024,
.
[I-D.ietf-cose-hpke]
Tschofenig, H., Steele, O., Daisuke, A., and L. Lundblade,
"Use of Hybrid Public-Key Encryption (HPKE) with CBOR
Object Signing and Encryption (COSE)", Work in Progress,
Internet-Draft, draft-ietf-cose-hpke-07, 22 October 2023,
.
[I-D.ietf-pquip-pqt-hybrid-terminology]
D, F., "Terminology for Post-Quantum Traditional Hybrid
Schemes", Work in Progress, Internet-Draft, draft-ietf-
pquip-pqt-hybrid-terminology-02, 2 February 2024,
.
[I-D.rha-jose-hpke-encrypt]
Reddy.K, T., Tschofenig, H., Banerjee, A., Steele, O., and
M. B. Jones, "Use of Hybrid Public-Key Encryption (HPKE)
with Javascript Object Signing and Encryption (JOSE)",
Work in Progress, Internet-Draft, draft-rha-jose-hpke-
encrypt-06, 16 March 2024,
.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic
Curve Cryptography Algorithms", RFC 6090,
DOI 10.17487/RFC6090, February 2011,
.
Reddy & Tschofenig Expires 18 September 2024 [Page 7]
Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE March 2024
[RFC8037] Liusvaara, I., "CFRG Elliptic Curve Diffie-Hellman (ECDH)
and Signatures in JSON Object Signing and Encryption
(JOSE)", RFC 8037, DOI 10.17487/RFC8037, January 2017,
.
[RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE):
Structures and Process", STD 96, RFC 9052,
DOI 10.17487/RFC9052, August 2022,
.
Authors' Addresses
Tirumaleswar Reddy
Nokia
Bangalore
Karnataka
India
Email: kondtir@gmail.com
Hannes Tschofenig
Germany
Email: hannes.tschofenig@gmx.net
Reddy & Tschofenig Expires 18 September 2024 [Page 8]