And ideally (at least in my mind), draft-skokan-jose-hpke-pq-pqt can be
expanded to also register the corresponding COSE HPKE algorithm identifiers,
keeping JOSE and COSE HPKE in sync.
Cheers,
-- Mike
From: Filip Skokan <[email protected]>
Sent: Friday, March 6, 2026 11:23 AM
To: John Mattsson <[email protected]>
Cc: Aritra Banerjee (Nokia) <[email protected]>; [email protected]; cose
<[email protected]>; lake <[email protected]>
Subject: [COSE] Re: COSE and LAKE needs draft-ietf-jose-pqc-ke (was Proposal:
Use HPKE for JWE PQ/PQT straight away)
John,
The JOSE WG adoption of PQ & PQ/T HPKE algs was postponed to allow the
completion of draft-ietf-jose-hpke-encrypt. With that out of the way now (it's
been submitted to IESG for publication already) I'm hoping that we'll be
adopting one of the two I-Ds* that we have for this after the meeting in
Shenzhen. Given that all we need are algorithm registrations and JWK key format
definition with the rest referencing draft-ietf-hpke-pq these shouldn't take
too long *fingers crossed*.
*1: draft-reddy-cose-jose-pqc-hybrid-hpke
*2: draft-skokan-jose-hpke-pq-pqt
S pozdravem,
Filip Skokan
On Fri, 6 Mar 2026 at 19:59, John Mattsson
<[email protected]<mailto:[email protected]>> wrote:
>LAKE needs the COSE-specific parts from draft-ietf-jose-pqc-kem, not the >JOSE
>ones, correct?
Correct.
>would you mind elaborating?
As I wrote Mike, the main problem is that LAKE/EDHOC needs KEMs, not PKEs.
Also, I don’t expect HPKE to focus on algorithms for very constrained devices
and systems. A main target for LAKE/EDHOC is very constrained radio networks.
---
Regarding JOSE, 3GPP has specified the use of JWE and are referring to
draft-ietf-jose-pqc-kem and draft-ietf-jose-hpke-encrypt as adopted drafts in
its PQC migration study.
The EU roadmap recommends that all deployments using public-key cryptography
for confidentiality to have completed migration to PQC no later than 2030. 5G
and 6G intends to meet this deadline. 3GPP is likely to start normative work
soon.
With draft-ietf-jose-hpke-encrypt being published without ML-KEM and
draft-ietf-jose-pqc-kem maybe not published for JOSE. When do JOSE WG plan to
ship quantum-resistant JWE?
Is it correct that when draft-ietf-hpke-pq is published, JOSE need to register
new code points for the algorithms before they can be used in JWE?
As discussed in TLS, 3GPP and most other external SDOs relying on JOSE are
likely to want an RFC.
Cheers,
John
From: Filip Skokan <[email protected]<mailto:[email protected]>>
Date: Friday, 6 March 2026 at 18:03
To: John Mattsson
<[email protected]<mailto:[email protected]>>
Cc: Aritra Banerjee (Nokia)
<[email protected]<mailto:[email protected]>>,
[email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>>, cose
<[email protected]<mailto:[email protected]>>, lake
<[email protected]<mailto:[email protected]>>
Subject: Re: [COSE] COSE and LAKE needs draft-ietf-jose-pqc-ke (was Proposal:
Use HPKE for JWE PQ/PQT straight away)
I hear you John, LAKE needs the COSE-specific parts from
draft-ietf-jose-pqc-kem, not the JOSE ones, correct?
Although I don't understand how constraints play a role in the suitability of
draft-ietf-cose-hpke with additional Pure PQ algorithms vs the COSE parts of
the draft-ietf-jose-pqc-kem draft, the underlying ops are the give or take the
same just packaged differently, would you mind elaborating? Or is it purely
timing in that draft-ietf-jose-pqc-kem seems closer than draft-ietf-cose-hpke
with additional Pure PQ algs coming from elsewhere?
S pozdravem,
Filip Skokan
On Fri, 6 Mar 2026 at 17:33, John Mattsson
<[email protected]<mailto:[email protected]>>
wrote:
Adding COSE, LAKE
LAKE WG is counting on draft-ietf-jose-pqc-kem, It is referenced by several
drafts, and has been discussed several times.
draft-ietf-cose-hpke is not suitable for LAKE and many other constrained uses
of COSE.
When I reviewed it last year it looked very much ready for WGLC. I would
suggest to start WGLC.
Cheers,
John Preuß Mattsson
From: Aritra Banerjee (Nokia)
<[email protected]<mailto:[email protected]>>
Date: Wednesday, 11 February 2026 at 18:20
To: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>>
Subject: [jose] Re: Proposal: Use HPKE for JWE PQ/PQT straight away
Hello,
The draft-ietf-jose-pqc-kem establishes a clear, HPKE-independent pathway for
systems aiming to transition to PQC-only Key Encapsulation Mechanisms (KEMs).
It does not depend on the new modes defined in draft-ietf-jose-hpke-encrypt.
Instead, draft-ietf-jose-pqc-kem mirrors the original JWE ECDH-style key
agreement model, making it the natural post-quantum analogue of ECDH-ES.
While HPKE-based JOSE provides valuable capabilities, particularly for PQ/T use
cases, deployments seeking a PQC-only key establishment mechanism should not be
required to rely on the new modes introduced in jose-hpke. This draft supports
a minimal-change transition to PQC-only KEMs while remaining aligned with the
existing JWE model, enabling a straightforward and consistent migration path.
Best,
Aritra.
_______________________________________________
COSE mailing list -- [email protected]<mailto:[email protected]>
To unsubscribe send an email to [email protected]<mailto:[email protected]>
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
