Hybrid Public Key Encryption (HPKE) was standardized by RFC 9180 in February 2022. It is “hybrid” in the sense that it combines public key cryptographic operations to establish a symmetric key with symmetric cryptographic algorithms using the established key to do the content encryption. It has its own set of registries where Key Encapsulation Mechanisms (KEMs), Key Derivation Functions (KDFs), and Authenticated Encryption with Associated Data (AEAD) algorithms used with HPKE are registered. The KEMs registered include post-quantum KEMs.
There’s been a multi-year effort to bring HPKE encryption to applications using JSON Web Encryption (JWE) and COSE encryption. As has been done by other protocols using HPKE, such as MLS, both the JOSE and COSE HPKE specifications made choices about which cryptographic operations make sense together in the specification’s context, as well as which HPKE features to use. Making those choices within the working groups is part of what made these specifications take a while. There’s also been a deliberate effort to keep the specifications aligned where it made sense.
The good news is that both the JOSE and COSE HPKE specifications have matured to the point where Working Group Last Call (WGLC) has started for them. The two WGLCs are intentionally running concurrently because the drafts are closely related and their functionality is intended to be aligned. They run until Friday, June 20, 2025.
Please participate in the WGLCs on either the jose@ietf.org or cose@ietf.org mailing lists, respectively. The messages to reply to are:
The specifications entering WGLC together are:
Finally, I’ll note that a new IETF HPKE working group has recently been formed to make updates to the HPKE specification. Among the chartered updates are adding post-quantum KEMs and hybrid combined KEMs.
Thanks to all in both working groups who helped us reach this point!
Leave a Reply
You must be logged in to post a comment.