On Thu, 19 Feb 2026 at 15:38, Neil Madden <[email protected]> wrote:
> I think it’s mostly fine. Some questions though: > > * Why support non-hybrids at all? > Non-hybrid key-exchange is only for compliance and regulatory purposes (it is discussed in Section 1 of the draft). For instance, CNSA 2.0 defines use of PQC algorithms only. > * Why support ML-KEM-512 at all? Especially non-hybrid. > ML-KEM-512 is primarily intended for constrained devices and bandwidth-sensitive environments. ML-KEM-512 is also supported by other protocols like TLS and IPSec. > * Why support P-256 at all? X25519 is a better choice, and P-384 is there > for anyone still hampered by an irrational government. > P-256 is already added to the JOSE/COSE HPKE drafts. P-256 remains widely deployed across TLS, IPsec, JOSE/COSE, and FIPS-validated modules. > > I’m also raising my eyebrows a bit at the ChaPoly variants. The usual > rationale for ChaPoly over AES is that it’s fast and > timing-channel-resistant on hardware that lacks AES acceleration. But are > people really going to be running PQ hybrids on such low end hardware? > That’s a huge code size to be pulling in at the least, not to mention > memory pressure and energy draw. I’ll defer to the COSE people here on > what’s likely in this space, but it feels a bit like filler rather than > something that meets a genuine need. > HPKE supports both AES-GCM and ChaPoly and both COSE/JOSE HPKE drafts have added both of them. Excluding it here would create a divergence from the base HPKE specifications. > > Re: P-521, I think the main reason no one uses it is because it is > incredibly slow. > Agreed. Cheers, -Tiru > > Neil > > On 19 Feb 2026, at 08:54, tirumal reddy <[email protected]> wrote: > > > A new section has been added to the draft to justify the combination of > PQC-only and PQ/T hybrid KEMs with specific KDF and AEAD algorithms, > https://www.ietf.org/archive/id/draft-reddy-cose-jose-pqc-hybrid-hpke-11.html#section-7. > Please take a look and share any feedback, especially if there are concerns > regarding the justification of particular KEM/KDF/AEAD pairings. > > Cheers, > -Tiru > > On Thu, 12 Feb 2026 at 19:54, tirumal reddy <[email protected]> wrote: > >> Hi, >> >> We have updated the draft "Post-Quantum and Hybrid KEMs for HPKE with >> JOSE and COSE" >> https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-hybrid-hpke/ >> to version 10. As many of you recall, this draft has been presented >> multiple times in both COSE/JOSE WGs. While there was general interest, the >> WG adoption of this draft was previously postponed to allow for the >> completion COSE-HPKE and JOSE-HPKE specifications. >> >> With those base documents now mature, we have updated this draft to >> ensure alignment with, JOSE/COSE HPKE and HPKE PQ specs. >> >> Further, comments and suggestions are welcome. >> >> we also request the Chairs to initiate a second WG adoption call for this >> draft. >> >> Best Regards, >> -Tiru >> >> -----Original Message----- >> From: [email protected] <[email protected]> >> Sent: Wednesday, February 11, 2026 6:04 PM >> To: K Tirumaleswar Reddy (Nokia) <[email protected]>; >> Hannes Tschofenig <[email protected]>; Hannes Tschofenig < >> [email protected]>; K Tirumaleswar Reddy (Nokia) < >> [email protected]> >> Subject: New Version Notification for >> draft-reddy-cose-jose-pqc-hybrid-hpke-10.txt >> >> >> CAUTION: This is an external email. Please be very careful when clicking >> links or opening attachments. See the URL nok.it/ext for additional >> information. >> >> >> >> A new version of Internet-Draft >> draft-reddy-cose-jose-pqc-hybrid-hpke-10.txt >> has been successfully submitted by Tirumaleswar Reddy and posted to the >> IETF repository. >> >> Name: draft-reddy-cose-jose-pqc-hybrid-hpke >> Revision: 10 >> Title: Post-Quantum and Hybrid KEMs for HPKE with JOSE and COSE >> Date: 2026-02-11 >> Group: Individual Submission >> Pages: 21 >> URL: >> https://www.ietf.org/archive/id/draft-reddy-cose-jose-pqc-hybrid-hpke-10.txt >> Status: >> https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-hybrid-hpke/ >> HTML: >> https://www.ietf.org/archive/id/draft-reddy-cose-jose-pqc-hybrid-hpke-10.html >> HTMLized: >> https://datatracker.ietf.org/doc/html/draft-reddy-cose-jose-pqc-hybrid-hpke >> Diff: >> https://author-tools.ietf.org/iddiff?url2=draft-reddy-cose-jose-pqc-hybrid-hpke-10 >> >> Abstract: >> >> This document specifies the use of Post-Quantum (PQ) and Post- >> Quantum/Traditional (PQ/T) Hybrid Key Encapsulation Mechanisms (KEMs) >> within the Hybrid Public Key Encryption (HPKE) for JOSE and COSE. It >> defines algorithm identifiers and key formats to support pure post- >> quantum algorithms (ML-KEM) and their PQ/T hybrid combinations. >> >> >> >> The IETF Secretariat >> >> >> _______________________________________________ > jose mailing list -- [email protected] > To unsubscribe send an email to [email protected] > >
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
