COSE T. Reddy Internet-Draft Nokia Intended status: Standards Track H. Tschofenig Expires: 13 June 2025 10 December 2024 PQ/T Hybrid KEM: HPKE with JOSE/COSE draft-reddy-cose-jose-pqc-hybrid-hpke-06 Abstract This document outlines the construction of a PQ/T Hybrid Key Encapsulation Mechanism (KEM) in Hybrid Public-Key Encryption (HPKE) for integration with JOSE and COSE. It specifies the utilization of both traditional and Post-Quantum Cryptography (PQC) algorithms, referred to as PQ/T Hybrid KEM, within the context of JOSE and COSE. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-hybrid/. Discussion of this document takes place on the cose Working Group mailing list (mailto:cose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/cose/. Subscribe at https://www.ietf.org/mailman/listinfo/cose/. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 13 June 2025. Reddy & Tschofenig Expires 13 June 2025 [Page 1] Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024 Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3 3. Construction . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Ciphersuite Registration . . . . . . . . . . . . . . . . . . 4 5. AKP Key for X-Wing . . . . . . . . . . . . . . . . . . . . . 5 5.1. Required Parameters . . . . . . . . . . . . . . . . . . . 5 5.1.1. Example . . . . . . . . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 6.1. Post-Quantum Security for Multiple Recipients . . . . . . 6 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 7.1. JOSE . . . . . . . . . . . . . . . . . . . . . . . . . . 6 7.1.1. JOSE Algorithms Registry . . . . . . . . . . . . . . 6 7.2. COSE . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7.2.1. COSE Algorithms Registry . . . . . . . . . . . . . . 7 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Normative References . . . . . . . . . . . . . . . . . . . . . 8 Informative References . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction The migration to Post-Quantum Cryptography (PQC) is unique in the history of modern digital cryptography in that neither the traditional algorithms nor the post-quantum algorithms are fully trusted to protect data for the required data lifetimes. The traditional algorithms, such as RSA and elliptic curve, will fall to quantum cryptalanysis, while the post-quantum algorithms face uncertainty about the underlying mathematics, compliance issues, unknown vulnerabilities, hardware and software implementations that have not had sufficient maturing time to rule out classical cryptanalytic attacks and implementation bugs. Reddy & Tschofenig Expires 13 June 2025 [Page 2] Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024 During the transition from traditional to post-quantum algorithms, there is a desire or a requirement for protocols that use both algorithm types. Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography. HPKE offers a variant of public-key encryption of arbitrary-sized plaintexts for a recipient public key. The specifications for the use of HPKE with JOSE and COSE are described in [I-D.ietf-jose-hpke-encrypt] and [I-D.ietf-cose-hpke], respectively. HPKE can be extended to support PQ/T Hybrid KEM as defined in [I-D.connolly-cfrg-xwing-kem]. This specification defines PQ/T Hybrid KEM in HPKE for use with JOSE and COSE. 2. Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. This document makes use of the terms defined in [I-D.ietf-pquip-pqt-hybrid-terminology]. For the purposes of this document, it is helpful to be able to divide cryptographic algorithms into two classes: "Traditional Algorithm": An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms, elliptic curve discrete logarithms, or related mathematical problems. In the context of JOSE, examples of traditional key exchange algorithms include Elliptic Curve Diffie-Hellman Ephemeral Static [RFC6090] [RFC8037]. In the context of COSE, examples of traditional key exchange algorithms include Ephemeral-Static (ES) DH and Static- Static (SS) DH [RFC9052]. "Post-Quantum Algorithm": An asymmetric cryptographic algorithm that is believed to be secure against attacks using quantum computers as well as classical computers. Examples of PQC key exchange algorithms include ML-KEM. "Post-Quantum Traditional (PQ/T) Hybrid Scheme": A multi-algorithm scheme where at least one component algorithm is a post-quantum algorithm and at least one is a traditional algorithm. Reddy & Tschofenig Expires 13 June 2025 [Page 3] Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024 "PQ/T Hybrid Key Encapsulation Mechanism": A multi-algorithm KEM made up of two or more component KEM algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. 3. Construction ML-KEM is a one-pass (store-and-forward) cryptographic mechanism for an originator to securely send keying material to a recipient using the recipient's ML-KEM public key. Three parameters sets for ML-KEMs are specified by [FIPS203]. In order of increasing security strength (and decreasing performance), these parameter sets are ML-KEM-512, ML-KEM-768, and ML-KEM-1024. X-Wing [I-D.connolly-cfrg-xwing-kem] uses a multi-algorithm scheme, where one component algorithm is a post-quantum algorithm and another one is a traditional algorithm. X-Wing uses the final version of ML-KEM-768 and X25519. The Combiner function defined in Section 5.3 of [I-D.connolly-cfrg-xwing-kem] combines the output of a post-quantum KEM and a traditional KEM to generate a single shared secret. 4. Ciphersuite Registration This specification registers a number of PQ/T Hybrid KEMs for use with HPKE. A ciphersuite is thereby a combination of several algorithm configurations: * KEM algorithm (PQ KEM + Traditional Algorithm, for example, MLKEM768 + X25519 defined as "X-Wing" in [I-D.connolly-cfrg-xwing-kem]) * KDF algorithm * AEAD algorithm The "KEM", "KDF", and "AEAD" values are conceptually taken from the HPKE IANA registry [HPKE-IANA]. Hence, JOSE and COSE cannot use an algorithm combination that is not already available with HPKE. For readability the algorithm ciphersuites labels are built according to the following scheme: HPKE--- The HPKE PQ/T hybrid ciphersuites for JOSE and COSE are defined in Section 7. Note that the PQ/T Hybrid KEM in HPKE is not an authenticated KEM. The HPKE Base mode can only be supported with the PQ/T Hybrid KEM. Reddy & Tschofenig Expires 13 June 2025 [Page 4] Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024 5. AKP Key for X-Wing This section describes the required parameters for an "AKP" key type, as defined in [I-D.ietf-cose-dilithium], and its use with the X-Wing algorithms, as defined in {#XWING}. An example JWK is also provided for illustration. 5.1. Required Parameters A JSON Web Key (JWK) or COSE_Key with a key type ("kty") for use with the "X-Wing" algorithm includes the following parameters: * kty (Key Type) The key type parameter MUST be present and set to "AKP". * alg (Algorithm) The algorithm parameter MUST be present and MUST represent the X-Wing algorithm, as defined in {#XWING}. X-Wing algorithms are those registered in the "JSON Web Signature and Encryption Algorithms" and "COSE Algorithms" registries, derived from the KEM identifier in the HPKE IANA registry. * pub (Public Key) The public key parameter MUST be present and MUST contain the X-Wing encapsulation key (pk) as defined in Section 5.2 of [I-D.connolly-cfrg-xwing-kem]. When represented as a JWK, this value MUST be base64url-encoded. * priv (Private Key) When representing an X-Wing private key, the private key parameter MUST be present and MUST contain the X-Wing decapsulation key (sk) as defined in Section 5.2 of [I-D.connolly-cfrg-xwing-kem]. When represented as a JWK, this value MUST be base64url-encoded. 5.1.1. Example The following is an example JWK representation of an "AKP" private key for the "HPKE-XWING-SHA256-AES256GCM" algorithm: { "kty" : "AKP", "alg" : "HPKE-XWING-SHA256-AES256GCM", "pub" : "4iNrNajCSz...tmrrIzQSQQO9lNA", "priv" : "f5wrpOiP...rPpm7yY" } Reddy & Tschofenig Expires 13 June 2025 [Page 5] Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024 6. Security Considerations The security considerations in [I-D.connolly-cfrg-xwing-kem] and [I-D.ietf-jose-hpke-encrypt] are to be taken into account. The shared secrets computed in the hybrid key exchange should be computed in a way that achieves the "hybrid" property: the resulting secret is secure as long as at least one of the component key exchange algorithms is unbroken. PQC KEMs used in the manner described in this document MUST explicitly be designed to be secure in the event that the public key is reused, such as achieving IND- CCA2 security. ML-KEM has such security properties. 6.1. Post-Quantum Security for Multiple Recipients In HPKE JWE Key Encryption, when encrypting the Content Encryption Key (CEK) for multiple recipients, it is crucial to consider the security requirements of the message to safeguard against "Harvest Now, Decrypt Later" attack. For messages requiring post-quantum security, all recipients MUST use algorithms supporting post-quantum cryptographic methods, such as PQC KEMs or Hybrid PQ/T KEMs. Using traditional algorithms (e.g., ECDH-ES) for any recipient in these scenarios compromises the overall security of the message. 7. IANA Considerations 7.1. JOSE This document requests IANA to add new values to the "JSON Web Signature and Encryption Algorithms" registry. 7.1.1. JOSE Algorithms Registry * Algorithm Name: HPKE-XWING-SHA256-AES256GCM * Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode that uses the XWING Hybrid KEM, the HKDF-SHA256 KDF, and the AES- 256-GCM AEAD. * Algorithm Usage Location(s): "alg" * JOSE Implementation Requirements: Optional * Change Controller: IANA * Specification Document(s): [[TBD: This RFC]] * Algorithm Analysis Documents(s): TODO Reddy & Tschofenig Expires 13 June 2025 [Page 6] Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024 * Algorithm Name: HPKE-XWING-SHA256-ChaCha20Poly1305 * Algorithm Description: Cipher suite for JOSE-HPKE in Base Mode that uses the XWING Hybrid KEM, the HKDF-SHA256 KDF, and the ChaCha20Poly1305 AEAD. * Algorithm Usage Location(s): "alg" * JOSE Implementation Requirements: Optional * Change Controller: IANA * Specification Document(s): [[TBD: This RFC]] * Algorithm Analysis Documents(s): TODO 7.2. COSE This document requests IANA to add new values to the 'COSE Algorithms' registry. 7.2.1. COSE Algorithms Registry * Name: HPKE-Base-XWING-SHA256-AES256GCM * Value: TBD1 * Description: Cipher suite for COSE-HPKE in Base Mode that uses the XWING Hybrid KEM, the HKDF-SHA256 KDF, and the AES-256-GCM AEAD. * Capabilities: [kty] * Change Controller: IANA * Reference: [[TBD: This RFC]] * Name: HPKE-Base-XWING-SHA256-ChaCha20Poly1305 * Value: TBD2 * Description: Cipher suite for COSE-HPKE in Base Mode that uses the XWING Hybrid KEM, the HKDF-SHA256 KDF, and the ChaCha20Poly1305 AEAD. * Capabilities: [kty] * Change Controller: IANA Reddy & Tschofenig Expires 13 June 2025 [Page 7] Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024 * Reference: [[TBD: This RFC]] Acknowledgments Thanks to Ilari Liusvaara and Orie Steele for the discussion and comments. References Normative References [I-D.ietf-cose-dilithium] Prorock, M., Steele, O., Misoczki, R., Osborne, M., and C. Cloostermans, "ML-DSA for JOSE and COSE", Work in Progress, Internet-Draft, draft-ietf-cose-dilithium-04, 20 October 2024, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . Informative References [FIPS203] "Module-Lattice-based Key-Encapsulation Mechanism Standard", . [HPKE-IANA] IANA, "Hybrid Public Key Encryption (HPKE) IANA Registry", . [I-D.connolly-cfrg-xwing-kem] Connolly, D., Schwabe, P., and B. Westerbaan, "X-Wing: general-purpose hybrid post-quantum KEM", Work in Progress, Internet-Draft, draft-connolly-cfrg-xwing-kem- 06, 21 October 2024, . [I-D.ietf-cose-hpke] Tschofenig, H., Steele, O., Daisuke, A., and L. Lundblade, "Use of Hybrid Public-Key Encryption (HPKE) with CBOR Reddy & Tschofenig Expires 13 June 2025 [Page 8] Internet-Draft PQ/T Hybrid KEM: HPKE with JOSE/COSE December 2024 Object Signing and Encryption (COSE)", Work in Progress, Internet-Draft, draft-ietf-cose-hpke-09, 12 July 2024, . [I-D.ietf-jose-hpke-encrypt] Reddy.K, T., Tschofenig, H., Banerjee, A., Steele, O., and M. B. Jones, "Use of Hybrid Public Key Encryption (HPKE) with JSON Object Signing and Encryption (JOSE)", Work in Progress, Internet-Draft, draft-ietf-jose-hpke-encrypt-03, 5 December 2024, . [I-D.ietf-pquip-pqt-hybrid-terminology] D, F., P, M., and B. Hale, "Terminology for Post-Quantum Traditional Hybrid Schemes", Work in Progress, Internet- Draft, draft-ietf-pquip-pqt-hybrid-terminology-04, 10 September 2024, . [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/RFC6090, February 2011, . [RFC8037] Liusvaara, I., "CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)", RFC 8037, DOI 10.17487/RFC8037, January 2017, . [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, . Authors' Addresses Tirumaleswar Reddy Nokia Bangalore Karnataka India Email: kondtir@gmail.com Hannes Tschofenig Germany Email: hannes.tschofenig@gmx.net Reddy & Tschofenig Expires 13 June 2025 [Page 9]