Internet-Draft JOSE HPKE PQ February 2026
Skokan & Campbell Expires 11 August 2026 [Page]
Workgroup:
Javascript Object Signing and Encryption
Internet-Draft:
draft-skokan-jose-hpke-pq-pqt-00
Published:
Intended Status:
Standards Track
Expires:
Authors:
F. Skokan
Okta
B. Campbell
Ping Identity

JOSE HPKE PQ & PQ/T Algorithm Registrations

Abstract

This document registers Post-Quantum (PQ) and Post-Quantum/Traditional (PQ/T) hybrid algorithm identifiers for use with JSON Object Signing and Encryption (JOSE), building on the Hybrid Public Key Encryption (HPKE) framework.

About This Document

This note is to be removed before publishing as an RFC.

The latest revision of this draft can be found at https://panva.github.io/jose-hpke-pq-pqt/draft-skokan-jose-hpke-pq-pqt.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-skokan-jose-hpke-pq-pqt/.

Discussion of this document takes place on the Javascript Object Signing and Encryption Working Group mailing list (mailto:jose@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/jose/. Subscribe at https://www.ietf.org/mailman/listinfo/jose/.

Source for this draft and an issue tracker can be found at https://github.com/panva/jose-hpke-pq-pqt.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 11 August 2026.

Table of Contents

1. Introduction

[I-D.ietf-jose-hpke-encrypt] defines how to use Hybrid Public Key Encryption (HPKE) with JSON Web Encryption (JWE) using traditional Key Encapsulation Mechanisms (KEM) based on Elliptic-curve Diffie-Hellman (ECDH).

This document extends the set of registered HPKE algorithms to include Post-Quantum (PQ) and Post-Quantum/Traditional (PQ/T) hybrid KEMs, as defined in [I-D.ietf-hpke-pq]. These algorithms provide protection against attacks by cryptographically relevant quantum computers.

The term “PQ/T hybrid” is used here consistent with [I-D.ietf-hpke-pq] to denote a combination of post-quantum and traditional algorithms, and should not be confused with HPKE’s use of “hybrid” to describe internal KEM composition.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Algorithm Identifiers

This section defines the algorithm identifiers for PQ and PQ/T HPKE-based encryption in JOSE. Each algorithm is defined by a combination of an HPKE KEM, a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) algorithm.

All algorithms defined in this section follow the same operational model as those in [I-D.ietf-jose-hpke-encrypt], supporting both integrated encryption as defined in Section 5 of [I-D.ietf-jose-hpke-encrypt] and key encryption as defined in Section 6 of [I-D.ietf-jose-hpke-encrypt].

3.1. PQ/T Hybrid Integrated Encryption Algorithms

The following table lists the algorithm identifiers for PQ/T hybrid integrated encryption, where HPKE directly encrypts the plaintext without a separate Content Encryption Key:

Table 1: PQ/T Hybrid Integrated Encryption Algorithms
"alg" value HPKE KEM HPKE KDF HPKE AEAD
HPKE-8 MLKEM768-P256 (0x0050) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-9 MLKEM768-P256 (0x0050) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-10 MLKEM768-X25519 (0x647a) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-11 MLKEM768-X25519 (0x647a) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-12 MLKEM1024-P384 (0x0051) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-13 MLKEM1024-P384 (0x0051) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)

These algorithms combine ML-KEM with a traditional elliptic curve algorithm in a PQ/T hybrid KEM construction, with the goal that compromise of either the post-quantum or the traditional component alone does not undermine the security of the resulting encryption.

3.2. Pure PQ Integrated Encryption Algorithms

The following table lists the algorithm identifiers for pure post-quantum integrated encryption:

Table 2: Pure PQ Integrated Encryption Algorithms
"alg" value HPKE KEM HPKE KDF HPKE AEAD
HPKE-14 ML-KEM-768 (0x0041) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-15 ML-KEM-768 (0x0041) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-16 ML-KEM-1024 (0x0042) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-17 ML-KEM-1024 (0x0042) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)

These algorithms provide pure post-quantum security using ML-KEM without a traditional algorithm component.

3.3. PQ/T Hybrid Key Encryption Algorithms

The following table lists the algorithm identifiers for PQ/T hybrid key encryption, where HPKE encrypts the Content Encryption Key:

Table 3: PQ/T Hybrid Key Encryption Algorithms
"alg" value HPKE KEM HPKE KDF HPKE AEAD
HPKE-8-KE MLKEM768-P256 (0x0050) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-9-KE MLKEM768-P256 (0x0050) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-10-KE MLKEM768-X25519 (0x647a) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-11-KE MLKEM768-X25519 (0x647a) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-12-KE MLKEM1024-P384 (0x0051) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-13-KE MLKEM1024-P384 (0x0051) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)

3.4. Pure PQ Key Encryption Algorithms

The following table lists the algorithm identifiers for pure post-quantum key encryption:

Table 4: Pure PQ Key Encryption Algorithms
"alg" value HPKE KEM HPKE KDF HPKE AEAD
HPKE-14-KE ML-KEM-768 (0x0041) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-15-KE ML-KEM-768 (0x0041) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)
HPKE-16-KE ML-KEM-1024 (0x0042) SHAKE256 (0x0011) AES-256-GCM (0x0002)
HPKE-17-KE ML-KEM-1024 (0x0042) SHAKE256 (0x0011) ChaCha20Poly1305 (0x0003)

4. JSON Web Key Representation

Keys for the algorithms defined in this document use the "AKP" (Algorithm Key Pair) key type defined in [I-D.ietf-cose-dilithium].

For the algorithms in this document, the "pub" parameter contains the base64url encoding of HPKE's SerializePublicKey() output for the corresponding KEM, and the "priv" parameter contains the base64url encoding of HPKE's SerializePrivateKey() output.

5. Security Considerations

The security considerations of [I-D.ietf-jose-hpke-encrypt] and [I-D.ietf-hpke-pq] apply to this document.

6. IANA Considerations

6.1. JSON Web Signature and Encryption Algorithms Registry

This document requests registration of the following values in the IANA "JSON Web Signature and Encryption Algorithms" registry established by [RFC7518]:

6.1.1. HPKE-8

  • Algorithm Name: HPKE-8

  • Algorithm Description: Integrated Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 1 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.2. HPKE-8-KE

  • Algorithm Name: HPKE-8-KE

  • Algorithm Description: Key Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 3 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.3. HPKE-9

  • Algorithm Name: HPKE-9

  • Algorithm Description: Integrated Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 1 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.4. HPKE-9-KE

  • Algorithm Name: HPKE-9-KE

  • Algorithm Description: Key Encryption with HPKE using MLKEM768-P256 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 3 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.5. HPKE-10

  • Algorithm Name: HPKE-10

  • Algorithm Description: Integrated Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 1 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.6. HPKE-10-KE

  • Algorithm Name: HPKE-10-KE

  • Algorithm Description: Key Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 3 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.7. HPKE-11

  • Algorithm Name: HPKE-11

  • Algorithm Description: Integrated Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 1 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.8. HPKE-11-KE

  • Algorithm Name: HPKE-11-KE

  • Algorithm Description: Key Encryption with HPKE using MLKEM768-X25519 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 3 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.9. HPKE-12

  • Algorithm Name: HPKE-12

  • Algorithm Description: Integrated Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 1 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.10. HPKE-12-KE

  • Algorithm Name: HPKE-12-KE

  • Algorithm Description: Key Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 3 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.11. HPKE-13

  • Algorithm Name: HPKE-13

  • Algorithm Description: Integrated Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 1 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.12. HPKE-13-KE

  • Algorithm Name: HPKE-13-KE

  • Algorithm Description: Key Encryption with HPKE using MLKEM1024-P384 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 3 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.13. HPKE-14

  • Algorithm Name: HPKE-14

  • Algorithm Description: Integrated Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 2 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.14. HPKE-14-KE

  • Algorithm Name: HPKE-14-KE

  • Algorithm Description: Key Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 4 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.15. HPKE-15

  • Algorithm Name: HPKE-15

  • Algorithm Description: Integrated Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 2 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.16. HPKE-15-KE

  • Algorithm Name: HPKE-15-KE

  • Algorithm Description: Key Encryption with HPKE using ML-KEM-768 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 4 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.17. HPKE-16

  • Algorithm Name: HPKE-16

  • Algorithm Description: Integrated Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 2 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.18. HPKE-16-KE

  • Algorithm Name: HPKE-16-KE

  • Algorithm Description: Key Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and AES-256-GCM AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 4 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.19. HPKE-17

  • Algorithm Name: HPKE-17

  • Algorithm Description: Integrated Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 2 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

6.1.20. HPKE-17-KE

  • Algorithm Name: HPKE-17-KE

  • Algorithm Description: Key Encryption with HPKE using ML-KEM-1024 KEM, SHAKE256 KDF, and ChaCha20Poly1305 AEAD

  • Algorithm Usage Location(s): "alg"

  • JOSE Implementation Requirements: Optional

  • Change Controller: IETF

  • Specification Document(s): Table 4 of this document

  • Algorithm Analysis Documents(s): [I-D.ietf-hpke-pq]

7. References

7.1. Normative References

[I-D.ietf-cose-dilithium]
Prorock, M. and O. Steele, "ML-DSA for JOSE and COSE", Work in Progress, Internet-Draft, draft-ietf-cose-dilithium-11, , <https://datatracker.ietf.org/doc/html/draft-ietf-cose-dilithium-11>.
[I-D.ietf-hpke-pq]
Barnes, R. and D. Connolly, "Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE", Work in Progress, Internet-Draft, draft-ietf-hpke-pq-03, , <https://datatracker.ietf.org/doc/html/draft-ietf-hpke-pq-03>.
[I-D.ietf-jose-hpke-encrypt]
Reddy.K, T., Tschofenig, H., Banerjee, A., Steele, O., and M. B. Jones, "Use of Hybrid Public Key Encryption (HPKE) with JSON Web Encryption (JWE)", Work in Progress, Internet-Draft, draft-ietf-jose-hpke-encrypt-15, , <https://datatracker.ietf.org/doc/html/draft-ietf-jose-hpke-encrypt-15>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

7.2. Informative References

[RFC7518]
Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI 10.17487/RFC7518, , <https://www.rfc-editor.org/rfc/rfc7518>.

Acknowledgments

TODO acknowledge.

Authors' Addresses

Filip Skokan
Okta
Brian Campbell
Ping Identity