]> JOSE HPKE PQ & PQ/T Algorithm Registrations Okta
panva.ip@gmail.com
Ping Identity
bcampbell@pingidentity.com
Security Javascript Object Signing and Encryption JOSE HPKE post-quantum hybrid ML-KEM PQ PQ/T JWE CRQC This document registers Post-Quantum (PQ) and Post-Quantum/Traditional (PQ/T) hybrid algorithm identifiers for use with JSON Object Signing and Encryption (JOSE), building on the Hybrid Public Key Encryption (HPKE) framework. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Javascript Object Signing and Encryption Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction defines how to use Hybrid Public Key Encryption (HPKE) with JSON Web Encryption (JWE) using traditional Key Encapsulation Mechanisms (KEM) based on Elliptic-curve Diffie-Hellman (ECDH). This document extends the set of registered HPKE algorithms to include Post-Quantum (PQ) and Post-Quantum/Traditional (PQ/T) hybrid KEMs, as defined in . These algorithms provide protection against attacks by cryptographically relevant quantum computers. The term “PQ/T hybrid” is used here consistent with to denote a combination of post-quantum and traditional algorithms, and should not be confused with HPKE’s use of “hybrid” to describe internal KEM composition.
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Algorithm Identifiers This section defines the algorithm identifiers for PQ and PQ/T HPKE-based encryption in JOSE. Each algorithm is defined by a combination of an HPKE KEM, a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) algorithm. All algorithms defined in this section follow the same operational model as those in , supporting both integrated encryption as defined in and key encryption as defined in .
PQ/T Hybrid Integrated Encryption Algorithms The following table lists the algorithm identifiers for PQ/T hybrid integrated encryption, where HPKE directly encrypts the plaintext without a separate Content Encryption Key: PQ/T Hybrid Integrated Encryption Algorithms
"alg" value HPKE KEM HPKE KDF HPKE AEAD
HPKE-8 MLKEM768-P256 (0x0050) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-9 MLKEM768-P256 (0x0050) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-10 MLKEM768-X25519 (0x647a) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-11 MLKEM768-X25519 (0x647a) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-12 MLKEM1024-P384 (0x0051) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-13 MLKEM1024-P384 (0x0051) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
These algorithms combine ML-KEM with a traditional elliptic curve algorithm in a PQ/T hybrid KEM construction, with the goal that compromise of either the post-quantum or the traditional component alone does not undermine the security of the resulting encryption.
Pure PQ Integrated Encryption Algorithms The following table lists the algorithm identifiers for pure post-quantum integrated encryption: Pure PQ Integrated Encryption Algorithms
"alg" value HPKE KEM HPKE KDF HPKE AEAD
HPKE-14 ML-KEM-768 (0x0041) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-15 ML-KEM-768 (0x0041) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-16 ML-KEM-1024 (0x0042) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-17 ML-KEM-1024 (0x0042) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
These algorithms provide pure post-quantum security using ML-KEM without a traditional algorithm component.
PQ/T Hybrid Key Encryption Algorithms The following table lists the algorithm identifiers for PQ/T hybrid key encryption, where HPKE encrypts the Content Encryption Key: PQ/T Hybrid Key Encryption Algorithms
"alg" value HPKE KEM HPKE KDF HPKE AEAD
HPKE-8-KE MLKEM768-P256 (0x0050) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-9-KE MLKEM768-P256 (0x0050) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-10-KE MLKEM768-X25519 (0x647a) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-11-KE MLKEM768-X25519 (0x647a) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-12-KE MLKEM1024-P384 (0x0051) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-13-KE MLKEM1024-P384 (0x0051) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
Pure PQ Key Encryption Algorithms The following table lists the algorithm identifiers for pure post-quantum key encryption: Pure PQ Key Encryption Algorithms
"alg" value HPKE KEM HPKE KDF HPKE AEAD
HPKE-14-KE ML-KEM-768 (0x0041) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-15-KE ML-KEM-768 (0x0041) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-16-KE ML-KEM-1024 (0x0042) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-17-KE ML-KEM-1024 (0x0042) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
JSON Web Key Representation Keys for the algorithms defined in this document use the "AKP" (Algorithm Key Pair) key type defined in . For the algorithms in this document, the "pub" parameter contains the base64url encoding of HPKE's SerializePublicKey() output for the corresponding KEM, and the "priv" parameter contains the base64url encoding of HPKE's SerializePrivateKey() output.
Examples The following are example JWK representations for each of the KEMs used by the algorithms defined in this document.
Example HPKE-8 Private JWK (uses MLKEM768-P256)
Example HPKE-11 Private JWK (uses MLKEM768-X25519)
Example HPKE-13 Private JWK (uses MLKEM1024-P384)
Example HPKE-14 Private JWK (uses ML-KEM-768)
Example HPKE-17 Private JWK (uses ML-KEM-1024)
Security Considerations The security considerations of and apply to this document.
IANA Considerations
JSON Web Signature and Encryption Algorithms Registry This document requests registration of the following values in the IANA "JSON Web Signature and Encryption Algorithms" registry established by :
HPKE-8
  • Algorithm Name: HPKE-8
  • Algorithm Description: Integrated Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-8-KE
  • Algorithm Name: HPKE-8-KE
  • Algorithm Description: Key Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-9
  • Algorithm Name: HPKE-9
  • Algorithm Description: Integrated Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-9-KE
  • Algorithm Name: HPKE-9-KE
  • Algorithm Description: Key Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-10
  • Algorithm Name: HPKE-10
  • Algorithm Description: Integrated Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-10-KE
  • Algorithm Name: HPKE-10-KE
  • Algorithm Description: Key Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-11
  • Algorithm Name: HPKE-11
  • Algorithm Description: Integrated Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-11-KE
  • Algorithm Name: HPKE-11-KE
  • Algorithm Description: Key Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-12
  • Algorithm Name: HPKE-12
  • Algorithm Description: Integrated Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-12-KE
  • Algorithm Name: HPKE-12-KE
  • Algorithm Description: Key Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-13
  • Algorithm Name: HPKE-13
  • Algorithm Description: Integrated Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-13-KE
  • Algorithm Name: HPKE-13-KE
  • Algorithm Description: Key Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-14
  • Algorithm Name: HPKE-14
  • Algorithm Description: Integrated Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-14-KE
  • Algorithm Name: HPKE-14-KE
  • Algorithm Description: Key Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-15
  • Algorithm Name: HPKE-15
  • Algorithm Description: Integrated Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-15-KE
  • Algorithm Name: HPKE-15-KE
  • Algorithm Description: Key Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-16
  • Algorithm Name: HPKE-16
  • Algorithm Description: Integrated Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-16-KE
  • Algorithm Name: HPKE-16-KE
  • Algorithm Description: Key Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and AES-256-GCM AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-17
  • Algorithm Name: HPKE-17
  • Algorithm Description: Integrated Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
HPKE-17-KE
  • Algorithm Name: HPKE-17-KE
  • Algorithm Description: Key Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD
  • Algorithm Usage Location(s): "alg"
  • JOSE Implementation Requirements: Optional
  • Change Controller: IETF
  • Specification Document(s): of this document
  • Algorithm Analysis Documents(s):
References Normative References Use of Hybrid Public Key Encryption (HPKE) with JSON Web Encryption (JWE) Nokia University of Applied Sciences Bonn-Rhein-Sieg Nokia Tradeverifyd Self-Issued Consulting This specification defines how to use Hybrid Public Key Encryption (HPKE) with JSON Web Encryption (JWE). HPKE enables public key encryption of arbitrary-sized plaintexts to a recipient's public key, and provides security against adaptive chosen ciphertext attacks. This specification chooses a specific subset of the HPKE features to use with JWE. This specification updates RFC 7516 (JWE) to enable use of the Integrated Encryption Key Establishment Mode. Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE Cisco Selkie Cryptography Updating key exchange and public-key encryption protocols to resist attack by quantum computers is a high priority given the possibility of "harvest now, decrypt later" attacks. Hybrid Public Key Encryption (HPKE) is a widely-used public key encryption scheme based on combining a Key Encapsulation Mechanism (KEM), a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) scheme. In this document, we define KEM algorithms for HPKE based on both post-quantum KEMs and hybrid constructions of post- quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3 that is suitable for use with these KEMs. When used with these algorithms, HPKE is resilient with respect to attacks by a quantum computer. ML-DSA for JOSE and COSE Tradeverifyd Tradeverifyd This document specifies JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) serializations for Module- Lattice-Based Digital Signature Standard (ML-DSA), a Post-Quantum Cryptography (PQC) digital signature scheme defined in US NIST FIPS 204. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References JSON Web Algorithms (JWA) This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.
Acknowledgments TODO acknowledge.
Document History draft-skokan-jose-hpke-pq-pqt-01
  • Added example JWK representations
draft-skokan-jose-hpke-pq-pqt-00
  • Initial draft