CoRE Working Group M. Tiloca Internet-Draft RISE AB Intended status: Standards Track 6 July 2026 Expires: 7 January 2027 Using Quantum-Resistant Key Encapsulation Mechanisms (KEMs) in the Pairwise Mode of Group Object Security for Constrained RESTful Environments (Group OSCORE) draft-tiloca-core-group-oscore-kem-00 Abstract Group communication for the Constrained Application Protocol (CoAP) can be protected end-to-end by using the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE). The pairwise mode of Group OSCORE provides authenticated encryption of CoAP messages, by means of symmetric keys that two group members establish only among themselves to achieve pairwise secure communication. This document defines the use of quantum-resistant Key Encapsulation Mechanisms (KEMs) as Pairwise Key Agreement Algorithm of Group OSCORE, enabling post-quantum secure derivation of the symmetric keys used in the pairwise mode. The Group Manager facilitates the exchange of KEM public keys and KEM ciphertexts among group members. Discussion Venues This note is to be removed before publishing as an RFC. Discussion of this document takes place on the Constrained RESTful Environments Working Group mailing list (core@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/core/. Source for this draft and an issue tracker can be found at https://gitlab.com/crimson84/draft-tiloca-core-group-oscore-kem. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Tiloca Expires 7 January 2027 [Page 1] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 7 January 2027. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 2. Pairwise Key Agreement Algorithm . . . . . . . . . . . . . . 4 3. Derivation of Pairwise Keys . . . . . . . . . . . . . . . . . 5 3.1. Use of ML-KEM (FIPS 203) . . . . . . . . . . . . . . . . 6 4. Assistance from the Group Manager . . . . . . . . . . . . . . 7 4.1. Uploading a KEM Public Key . . . . . . . . . . . . . . . 7 4.2. Retrieving a KEM Public Key . . . . . . . . . . . . . . . 8 4.3. Uploading a KEM Ciphertext . . . . . . . . . . . . . . . 8 4.4. Retrieving a KEM Ciphertext . . . . . . . . . . . . . . . 9 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . 12 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 13 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13 Tiloca Expires 7 January 2027 [Page 2] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 1. Introduction The Constrained Application Protocol (CoAP) [RFC7252] also supports group communication [I-D.ietf-core-groupcomm-bis], e.g., over IP multicast. Building on Object Security for Constrained RESTful Environments (OSCORE) [RFC8613], the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) [I-D.ietf-core-oscore-groupcomm] provides end-to-end security of CoAP messages when using group communication for CoAP. An OSCORE group is associated with a Group Manager, i.e., an entity responsible for managing identifiers and keying material in the group and for handling the join process to add group members, among other tasks. Group OSCORE provides two ways to protect a CoAP message: * The group mode, which achieves group-level data confidentiality and provides source authentication by means of a digital signature. The message sender computes the signature with its own private key and embeds it in the protected CoAP message. * The pairwise mode, which achieves pairwise data confidentiality and provides source authentication by means of integrity tags. The message sender performs authenticated encryption of the CoAP message by using a symmetric pairwise key that is exclusively shared with another group member as the intended message recipient. Symmetric pairwise keys are derived from a pairwise shared secret, which in turn is computed from the asymmetric keys of the message sender and recipient, ensuring authenticated key agreement. In the event that a Cryptographically Relevant Quantum Computer (CRQC) is constructed, it is relatively simple to adapt the group mode of Group OSCORE to be quantum-resistant. That is, it is sufficient to rely on a quantum-resistant signature algorithm (e.g., ML-DSA [FIPS204][RFC9964]) as the Signature Algorithm used in the group (see Section 2.1.8 of [I-D.ietf-core-oscore-groupcomm]). However, equivalent drop-in replacements are not available for the Pairwise Key Agreement Algorithm (see Section 2.1.10 of [I-D.ietf-core-oscore-groupcomm]), which is used to compute the shared secret from which pairwise keys are derived (see Section 2.5.1 of [I-D.ietf-core-oscore-groupcomm]). In particular, the available Pairwise Key Agreement Algorithms are based on a direct Elliptic Curve Diffie-Hellman Static-Static key agreement [NIST-800-56A]. Tiloca Expires 7 January 2027 [Page 3] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 At the time of writing, there is no standardized Diffie-Hellman/Non- Interactive Key Exchange (DH/NIKE) that can be used for post-quantum secure establishment of the shared secret, which makes the pairwise mode of Group OSCORE vulnerable to quantum attacks. This document defines the use of quantum-resistant Key Encapsulation Mechanisms (KEMs), such as ML-KEM [FIPS203], as Pairwise Key Agreement Algorithm of Group OSCORE. Consequently, it enables the post-quantum secure establishment of the shared secret and thus the post-quantum secure derivation of the symmetric keys used in the pairwise mode of Group OSCORE. The Group Manager facilitates the exchange of KEM public keys and KEM ciphertexts among group members that perform the KEM-based Pairwise Key Agreement Algorithm. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Readers are expected to be familiar with the terms and concepts related to CoAP [RFC7252], OSCORE [RFC8613], Group OSCORE [I-D.ietf-core-oscore-groupcomm], and CBOR Object Signing and Encryption (COSE) [RFC9052]. 2. Pairwise Key Agreement Algorithm In an OSCORE group that uses the pairwise mode and a quantum- resistant KEM as the Pairwise Key Agreement Algorithm, the KEM is identified by the Pairwise Key Agreement Algorithm parameter, within the Common Context of the Group OSCORE Security Context (see Section 2.1.10 of [I-D.ietf-core-oscore-groupcomm]). Like for other algorithms used in Group OSCORE, the KEM used as Pairwise Key Agreement Algorithm MUST be one of those defined for COSE and registered at [COSE.Algorithms]. For example, the COSE algorithms ML-KEM-512, ML-KEM-768, and ML-KEM-1024 are being registered by [I-D.ietf-jose-pqc-kem], consistent with the three corresponding parameter sets of the standard ML-KEM [FIPS203]. For endpoints that support the pairwise mode and use a quantum- resistant KEM as Pairwise Key Agreement Algorithm, the algorithm ML- KEM-512 defined in [I-D.ietf-jose-pqc-kem] is mandatory to implement. Tiloca Expires 7 January 2027 [Page 4] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 3. Derivation of Pairwise Keys This section defines how pairwise keys are derived when the Pairwise Key Agreement Algorithm used is a quantum-resistant KEM. Analogous to the construction used by OSCORE in Section 3.2.1 of [RFC8613], the derivation of pairwise keys is aligned with the one defined in Section 2.5.1 of [I-D.ietf-core-oscore-groupcomm], with the difference that two shared secrets are established through the Pairwise Key Agreement Algorithm, and they are separately used to derive a Pairwise Sender Key and the corresponding Pairwise Recipient Key. For a given endpoint, the derivation of the pairwise keys to use between itself and each other endpoint X in the group is as below: Pairwise Sender Key = HKDF(Sender Key, IKM-Sender, info, L) Pairwise Recipient Key = HKDF(Recipient Key, IKM-Recipient, info, L) with IKM-Sender = Sender Auth Cred | Recipient Auth Cred | Sender Shared Secret IKM-Recipient = Recipient Auth Cred | Sender Auth Cred | Recipient Shared Secret where: * The same as defined in Section 2.5.1 of [I-D.ietf-core-oscore-groupcomm] applies for: - HKDF [RFC5869], info, and L. - The Sender Key and the Recipient Key. - Sender Auth Cred and Recipient Auth Cred. - The Pairwise Sender Key, as the AEAD key for processing outgoing messages addressed to endpoint X. - The Pairwise Recipient Key, as the AEAD key for processing incoming messages from endpoint X. Tiloca Expires 7 January 2027 [Page 5] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 * IKM-Sender is the Input Keying Material (IKM) used in the HKDF for the derivation of the Pairwise Sender Key. IKM-Sender is the byte string concatenation of Sender Auth Cred, Recipient Auth Cred, and the Sender Shared Secret. The authentication credentials Sender Auth Cred and Recipient Auth Cred are binary encoded as defined in Section 2.4 of [I-D.ietf-core-oscore-groupcomm]. * IKM-Recipient is the Input Keying Material (IKM) used in the HKDF for the derivation of the Pairwise Recipient Key. IKM-Recipient is the byte string concatenation of Recipient Auth Cred, Sender Auth Cred, and the Recipient Shared Secret. The authentication credentials Recipient Auth Cred and Sender Auth Cred are binary encoded as defined in Section 2.4 of [I-D.ietf-core-oscore-groupcomm]. * The Sender Shared Secret is computed by the endpoint using the endpoint X's KEM public key, and it is encapsulated in the KEM ciphertext computed by the endpoint and intended to endpoint X. * The Recipient Shared Secret is computed by the endpoint using the endpoint's own KEM private key to decrypt the KEM ciphertext that endpoint X computed using the endpoint's KEM public key. A KEM public key associated with the endpoint is used by only one other endpoint X in the group, for computing only one shared secret encapsulated in a KEM ciphertext intended to the endpoint. In order to derive its Pairwise Sender Key, the endpoint has to obtain the endpoint X's KEM public key. Conversely, in order to derive its Pairwise Recipient Key, the endpoint has to obtain the KEM ciphertext that endpoint X computed using the endpoint's KEM public key. However, KEM public keys and KEM ciphertexts are not provided within messages that group members directly send to each other. Instead, group members exchange KEM public keys and KEM ciphertexts via the Group Manager responsible for the group, as defined in Section 4. 3.1. Use of ML-KEM (FIPS 203) When using ML-KEM [FIPS203] as Pairwise Key Agreement Algorithm, the following applies. Editor's note: it should be sufficient to: * Point to the guidelines/conventions provided in [I-D.ietf-jose-pqc-kem]. Tiloca Expires 7 January 2027 [Page 6] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 * Point to the COSE algorithms ML-KEM-* registered in [I-D.ietf-jose-pqc-kem]. * State that the initial shared secret SS' in [I-D.ietf-jose-pqc-kem] is used here: - As the Sender Shared Secret, by the endpoint that computes the KEM ciphertext and encapsulates SS' therein. - As the Recipient Shared Secret, by the endpoint that decrypts the KEM ciphertext to compute SS'. 4. Assistance from the Group Manager This section defines the operations that the Group Manager performs to facilitate the exchange of KEM public keys and KEM ciphertexts among group members, when the Pairwise Key Agreement Algorithm used in the group is a quantum-resistant KEM. The following is not relevant for a node that joins the group exclusively as a silent server (see Section 1.1 of [I-D.ietf-core-oscore-groupcomm]), or that does not support or does not intend to use the pairwise mode in the group. There are different ways to perform such supportive operations, depending on the specific realization of Group Manager. For example, it is possible to accordingly extend the interface provided by the realization of Group Manager specified in [I-D.ietf-ace-key-groupcomm-oscore], based on the ACE framework for authentication and authorization in constrained environments [RFC9200]. Given an OSCORE group, the following applies. 4.1. Uploading a KEM Public Key A group member P has to be able to upload its own KEM public keys at the Group Manager. P generates and uploads at the Group Manager a KEM public key to be retrieved and used by any and exactly one other group member. P can upload a KEM public key at the Group Manager already when joining the group, and then upload other KEM public keys later on as a group member. P stores its KEM public key, the corresponding KEM private key, and a SHA-256 hash [SHA-256] of the KEM public key as corresponding identifier. Tiloca Expires 7 January 2027 [Page 7] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 When the Group Manager receives a KEM public key from P, the Group Manager stores the KEM public key as associated with the Sender ID of P in the group. The Group Manager is able to identify P and thereby determine its Sender ID in the group, e.g., by means of the secure communication association shared with P. The Group Manager MUST keep the association between the KEM Public Key and Sender ID of P up-to-date over time, in the event that P changes its Sender ID in the group. The Group Manager is expected to be able to store multiple KEM public keys from the same group member P at any given time. 4.2. Retrieving a KEM Public Key Another group member Q has to be able to retrieve from the Group Manager a KEM public key uploaded by P. When Q retrieves a KEM public key of P from the Group Manager (see below), the Group Manager deletes that KEM public key of P from its local storage. P has to be able to gain knowledge about the number of own KEM public keys that are currently stored at the Group Manager. For example, this can rely on P accessing a dedicated resource hosted by the Group Manager. If such resource is observable [RFC7641], P can use CoAP Observe to subscribe for updates about the resource representation, thereby receiving notifications from the Group Manager. Q retrieves a KEM public key of P from the Group Manager, by specifying to the Group Manager the Sender ID of P in the group. Q is expected to retrieve a KEM public key of P when it wants to send to P a message protected with the pairwise mode and it does not have the Pairwise Sender Key required to process the message. After the Group Manager provides Q with the KEM public key of P, the Group Manager deletes the KEM public key of P from its local storage. 4.3. Uploading a KEM Ciphertext After Q retrieves a KEM public key of P from the Group Manager (see above), Q uses the KEM public key of P to compute a shared secret and encapsulate it in a KEM ciphertext intended to P. Q uses the shared secret as the Sender Shared Secret for deriving its own Pairwise Sender Key to use with P (see Section 3). Tiloca Expires 7 January 2027 [Page 8] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 Q has to be able to upload at the Group Manager the following information: * The KEM ciphertext. * The Sender ID of P, identifying the intended consumer of the KEM ciphertext. * The SHA-256 hash of the KEM public key of P that was used to compute the KEM ciphertext. When the Group Manager receives from Q a KEM ciphertext intended to P, the Group Manager stores the KEM ciphertext as associated with the following information: * The Sender ID of Q, identifying the producer of the KEM ciphertext. The Group Manager is able to identify Q and thereby determine its Sender ID in the group, e.g., by means of the secure communication association shared with Q. * The Sender ID of P received from Q, identifying the intended consumer of the KEM ciphertext. * The SHA-256 hash received from Q, as the identifier of the KEM public key of P that was used to compute the KEM ciphertext. When doing so, the Group Manager overwrites any already stored KEM ciphertext and SHA-256 hash identifier that are associated with the same consumer Sender ID and producer Sender ID. The Group Manager MUST keep up-to-date the association between the KEM ciphertext and the three pieces of information above, in the event that P or Q change their Sender IDs in the group. 4.4. Retrieving a KEM Ciphertext P has to be able to retrieve from the Group Manager the following information: * The KEM ciphertext computed for P by Q. * The SHA-256 hash identifier of its own KEM public key that Q used to compute the KEM ciphertext. In order to retrieve that information, P specifies the Sender ID of Q to the Group Manager. Then, the Group Manager provides the requested information, if it stores a KEM ciphertext associated with both: Tiloca Expires 7 January 2027 [Page 9] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 * The specified Sender ID of Q, identifying the producer of the KEM ciphertext; and * The Sender ID of P, identifying the intended consumer of the KEM ciphertext. The Group Manager is able to identify P and thereby determine its Sender ID in the group, e.g., by means of the secure communication association shared with P. After providing P with the requested KEM ciphertext and SHA-256 hash identifier, the Group Manager deletes those two pieces of information from its local storage, freeing up their association with the consumer Sender ID and producer Sender ID. P is expected to retrieve the KEM ciphertext computed by Q when it receives from Q a message protected with the pairwise mode and it does not have the Pairwise Recipient Key required to process the message. P uses the SHA-256 hash identifier to retrieve its own corresponding KEM public key and KEM private key from its local storage. Then, P computes the shared secret by decrypting the KEM ciphertext using its retrieved KEM private key. After that, P deletes from its local storage the KEM private key just used, as well as the corresponding KEM public key and the corresponding SHA-256 hash identifier. P uses the shared secret as the Recipient Shared Secret for deriving its own Pairwise Recipient Key to use with Q (see Section 3). 5. Security Considerations The security considerations from [I-D.ietf-core-oscore-groupcomm] hold for this document too. The security considerations for the specific KEM used as Pairwise Key Agreement Algorithm also apply. Editor's note: add further security considerations. 6. IANA Considerations This document has no actions for IANA. 7. References 7.1. Normative References Tiloca Expires 7 January 2027 [Page 10] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 [COSE.Algorithms] IANA, "COSE Algorithms", . [FIPS203] "Module-Lattice-Based Key-Encapsulation Mechanism Standard", NIST FIPS 203, August 2024, . [I-D.ietf-core-groupcomm-bis] Dijk, E. and M. Tiloca, "Group Communication for the Constrained Application Protocol (CoAP)", Work in Progress, Internet-Draft, draft-ietf-core-groupcomm-bis- 18, 10 February 2026, . [I-D.ietf-core-oscore-groupcomm] Tiloca, M., Selander, G., Palombini, F., Mattsson, J. P., and R. Höglund, "Group Object Security for Constrained RESTful Environments (Group OSCORE)", Work in Progress, Internet-Draft, draft-ietf-core-oscore-groupcomm-28, 23 December 2025, . [I-D.ietf-jose-pqc-kem] Reddy.K, T., Banerjee, A., and H. Tschofenig, "Post- Quantum Key Encapsulation Mechanisms (PQ KEMs) for COSE", Work in Progress, Internet-Draft, draft-ietf-jose-pqc-kem- 06, 6 July 2026, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, . [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, June 2014, . Tiloca Expires 7 January 2027 [Page 11] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 [RFC7641] Hartke, K., "Observing Resources in the Constrained Application Protocol (CoAP)", RFC 7641, DOI 10.17487/RFC7641, September 2015, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8613] Selander, G., Mattsson, J., Palombini, F., and L. Seitz, "Object Security for Constrained RESTful Environments (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, July 2019, . [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, August 2022, . [SHA-256] NIST, "Secure Hash Standard", NIST FIPS PUB 180-4, DOI 10.6028/NIST.FIPS.180-4 , August 2015, . 7.2. Informative References [FIPS204] "Module-Lattice-Based Digital Signature Standard", NIST FIPS 204, August 2024, . [I-D.ietf-ace-key-groupcomm-oscore] Tiloca, M. and F. Palombini, "Key Management for Group Object Security for Constrained RESTful Environments (Group OSCORE) Using Authentication and Authorization for Constrained Environments (ACE)", Work in Progress, Internet-Draft, draft-ietf-ace-key-groupcomm-oscore-21, 14 March 2026, . [NIST-800-56A] Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R. Davis, "Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography - NIST Special Publication 800-56A, Revision 3", April 2018, . Tiloca Expires 7 January 2027 [Page 12] Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026 [RFC9200] Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, August 2022, . [RFC9964] Prorock, M. and O. Steele, "ML-DSA for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)", RFC 9964, DOI 10.17487/RFC9964, May 2026, . Acknowledgments The work on this document has been partly supported by the Sweden's Innovation Agency VINNOVA and the Celtic-Next project CYPRESS. Author's Address Marco Tiloca RISE AB Isafjordsgatan 22 SE-164 40 Kista Sweden Email: marco.tiloca@ri.se Tiloca Expires 7 January 2027 [Page 13]