Internet-Draft Quantum-Resistant KEMs in Group OSCORE July 2026
Tiloca Expires 7 January 2027 [Page]
Workgroup:
CoRE Working Group
Internet-Draft:
draft-tiloca-core-group-oscore-kem-00
Published:
Intended Status:
Standards Track
Expires:
Author:
M. Tiloca
RISE AB

Using Quantum-Resistant Key Encapsulation Mechanisms (KEMs) in the Pairwise Mode of Group Object Security for Constrained RESTful Environments (Group OSCORE)

Abstract

Group communication for the Constrained Application Protocol (CoAP) can be protected end-to-end by using the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE). The pairwise mode of Group OSCORE provides authenticated encryption of CoAP messages, by means of symmetric keys that two group members establish only among themselves to achieve pairwise secure communication. This document defines the use of quantum-resistant Key Encapsulation Mechanisms (KEMs) as Pairwise Key Agreement Algorithm of Group OSCORE, enabling post-quantum secure derivation of the symmetric keys used in the pairwise mode. The Group Manager facilitates the exchange of KEM public keys and KEM ciphertexts among group members.

Discussion Venues

This note is to be removed before publishing as an RFC.

Discussion of this document takes place on the Constrained RESTful Environments Working Group mailing list (core@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/core/.

Source for this draft and an issue tracker can be found at https://gitlab.com/crimson84/draft-tiloca-core-group-oscore-kem.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 January 2027.

Table of Contents

1. Introduction

The Constrained Application Protocol (CoAP) [RFC7252] also supports group communication [I-D.ietf-core-groupcomm-bis], e.g., over IP multicast. Building on Object Security for Constrained RESTful Environments (OSCORE) [RFC8613], the security protocol Group Object Security for Constrained RESTful Environments (Group OSCORE) [I-D.ietf-core-oscore-groupcomm] provides end-to-end security of CoAP messages when using group communication for CoAP. An OSCORE group is associated with a Group Manager, i.e., an entity responsible for managing identifiers and keying material in the group and for handling the join process to add group members, among other tasks.

Group OSCORE provides two ways to protect a CoAP message:

In the event that a Cryptographically Relevant Quantum Computer (CRQC) is constructed, it is relatively simple to adapt the group mode of Group OSCORE to be quantum-resistant. That is, it is sufficient to rely on a quantum-resistant signature algorithm (e.g., ML-DSA [FIPS204][RFC9964]) as the Signature Algorithm used in the group (see Section 2.1.8 of [I-D.ietf-core-oscore-groupcomm]).

However, equivalent drop-in replacements are not available for the Pairwise Key Agreement Algorithm (see Section 2.1.10 of [I-D.ietf-core-oscore-groupcomm]), which is used to compute the shared secret from which pairwise keys are derived (see Section 2.5.1 of [I-D.ietf-core-oscore-groupcomm]). In particular, the available Pairwise Key Agreement Algorithms are based on a direct Elliptic Curve Diffie-Hellman Static-Static key agreement [NIST-800-56A].

At the time of writing, there is no standardized Diffie-Hellman/Non-Interactive Key Exchange (DH/NIKE) that can be used for post-quantum secure establishment of the shared secret, which makes the pairwise mode of Group OSCORE vulnerable to quantum attacks.

This document defines the use of quantum-resistant Key Encapsulation Mechanisms (KEMs), such as ML-KEM [FIPS203], as Pairwise Key Agreement Algorithm of Group OSCORE. Consequently, it enables the post-quantum secure establishment of the shared secret and thus the post-quantum secure derivation of the symmetric keys used in the pairwise mode of Group OSCORE.

The Group Manager facilitates the exchange of KEM public keys and KEM ciphertexts among group members that perform the KEM-based Pairwise Key Agreement Algorithm.

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Readers are expected to be familiar with the terms and concepts related to CoAP [RFC7252], OSCORE [RFC8613], Group OSCORE [I-D.ietf-core-oscore-groupcomm], and CBOR Object Signing and Encryption (COSE) [RFC9052].

2. Pairwise Key Agreement Algorithm

In an OSCORE group that uses the pairwise mode and a quantum-resistant KEM as the Pairwise Key Agreement Algorithm, the KEM is identified by the Pairwise Key Agreement Algorithm parameter, within the Common Context of the Group OSCORE Security Context (see Section 2.1.10 of [I-D.ietf-core-oscore-groupcomm]).

Like for other algorithms used in Group OSCORE, the KEM used as Pairwise Key Agreement Algorithm MUST be one of those defined for COSE and registered at [COSE.Algorithms]. For example, the COSE algorithms ML-KEM-512, ML-KEM-768, and ML-KEM-1024 are being registered by [I-D.ietf-jose-pqc-kem], consistent with the three corresponding parameter sets of the standard ML-KEM [FIPS203].

For endpoints that support the pairwise mode and use a quantum-resistant KEM as Pairwise Key Agreement Algorithm, the algorithm ML-KEM-512 defined in [I-D.ietf-jose-pqc-kem] is mandatory to implement.

3. Derivation of Pairwise Keys

This section defines how pairwise keys are derived when the Pairwise Key Agreement Algorithm used is a quantum-resistant KEM.

Analogous to the construction used by OSCORE in Section 3.2.1 of [RFC8613], the derivation of pairwise keys is aligned with the one defined in Section 2.5.1 of [I-D.ietf-core-oscore-groupcomm], with the difference that two shared secrets are established through the Pairwise Key Agreement Algorithm, and they are separately used to derive a Pairwise Sender Key and the corresponding Pairwise Recipient Key.

For a given endpoint, the derivation of the pairwise keys to use between itself and each other endpoint X in the group is as below:

Pairwise Sender Key    = HKDF(Sender Key, IKM-Sender, info, L)
Pairwise Recipient Key = HKDF(Recipient Key, IKM-Recipient, info, L)

with

IKM-Sender    = Sender Auth Cred | Recipient Auth Cred |
                Sender Shared Secret
IKM-Recipient = Recipient Auth Cred | Sender Auth Cred |
                Recipient Shared Secret

where:

A KEM public key associated with the endpoint is used by only one other endpoint X in the group, for computing only one shared secret encapsulated in a KEM ciphertext intended to the endpoint.

In order to derive its Pairwise Sender Key, the endpoint has to obtain the endpoint X's KEM public key. Conversely, in order to derive its Pairwise Recipient Key, the endpoint has to obtain the KEM ciphertext that endpoint X computed using the endpoint's KEM public key.

However, KEM public keys and KEM ciphertexts are not provided within messages that group members directly send to each other. Instead, group members exchange KEM public keys and KEM ciphertexts via the Group Manager responsible for the group, as defined in Section 4.

3.1. Use of ML-KEM (FIPS 203)

When using ML-KEM [FIPS203] as Pairwise Key Agreement Algorithm, the following applies.

Editor's note: it should be sufficient to:

  • Point to the guidelines/conventions provided in [I-D.ietf-jose-pqc-kem].

  • Point to the COSE algorithms ML-KEM-* registered in [I-D.ietf-jose-pqc-kem].

  • State that the initial shared secret SS' in [I-D.ietf-jose-pqc-kem] is used here:

    • As the Sender Shared Secret, by the endpoint that computes the KEM ciphertext and encapsulates SS' therein.

    • As the Recipient Shared Secret, by the endpoint that decrypts the KEM ciphertext to compute SS'.

4. Assistance from the Group Manager

This section defines the operations that the Group Manager performs to facilitate the exchange of KEM public keys and KEM ciphertexts among group members, when the Pairwise Key Agreement Algorithm used in the group is a quantum-resistant KEM.

The following is not relevant for a node that joins the group exclusively as a silent server (see Section 1.1 of [I-D.ietf-core-oscore-groupcomm]), or that does not support or does not intend to use the pairwise mode in the group.

There are different ways to perform such supportive operations, depending on the specific realization of Group Manager. For example, it is possible to accordingly extend the interface provided by the realization of Group Manager specified in [I-D.ietf-ace-key-groupcomm-oscore], based on the ACE framework for authentication and authorization in constrained environments [RFC9200].

Given an OSCORE group, the following applies.

4.1. Uploading a KEM Public Key

A group member P has to be able to upload its own KEM public keys at the Group Manager.

P generates and uploads at the Group Manager a KEM public key to be retrieved and used by any and exactly one other group member. P can upload a KEM public key at the Group Manager already when joining the group, and then upload other KEM public keys later on as a group member.

P stores its KEM public key, the corresponding KEM private key, and a SHA-256 hash [SHA-256] of the KEM public key as corresponding identifier.

When the Group Manager receives a KEM public key from P, the Group Manager stores the KEM public key as associated with the Sender ID of P in the group. The Group Manager is able to identify P and thereby determine its Sender ID in the group, e.g., by means of the secure communication association shared with P.

The Group Manager MUST keep the association between the KEM Public Key and Sender ID of P up-to-date over time, in the event that P changes its Sender ID in the group.

The Group Manager is expected to be able to store multiple KEM public keys from the same group member P at any given time.

4.2. Retrieving a KEM Public Key

Another group member Q has to be able to retrieve from the Group Manager a KEM public key uploaded by P.

When Q retrieves a KEM public key of P from the Group Manager (see below), the Group Manager deletes that KEM public key of P from its local storage.

P has to be able to gain knowledge about the number of own KEM public keys that are currently stored at the Group Manager. For example, this can rely on P accessing a dedicated resource hosted by the Group Manager. If such resource is observable [RFC7641], P can use CoAP Observe to subscribe for updates about the resource representation, thereby receiving notifications from the Group Manager.

Q retrieves a KEM public key of P from the Group Manager, by specifying to the Group Manager the Sender ID of P in the group.

Q is expected to retrieve a KEM public key of P when it wants to send to P a message protected with the pairwise mode and it does not have the Pairwise Sender Key required to process the message.

After the Group Manager provides Q with the KEM public key of P, the Group Manager deletes the KEM public key of P from its local storage.

4.3. Uploading a KEM Ciphertext

After Q retrieves a KEM public key of P from the Group Manager (see above), Q uses the KEM public key of P to compute a shared secret and encapsulate it in a KEM ciphertext intended to P.

Q uses the shared secret as the Sender Shared Secret for deriving its own Pairwise Sender Key to use with P (see Section 3).

Q has to be able to upload at the Group Manager the following information:

  • The KEM ciphertext.

  • The Sender ID of P, identifying the intended consumer of the KEM ciphertext.

  • The SHA-256 hash of the KEM public key of P that was used to compute the KEM ciphertext.

When the Group Manager receives from Q a KEM ciphertext intended to P, the Group Manager stores the KEM ciphertext as associated with the following information:

  • The Sender ID of Q, identifying the producer of the KEM ciphertext. The Group Manager is able to identify Q and thereby determine its Sender ID in the group, e.g., by means of the secure communication association shared with Q.

  • The Sender ID of P received from Q, identifying the intended consumer of the KEM ciphertext.

  • The SHA-256 hash received from Q, as the identifier of the KEM public key of P that was used to compute the KEM ciphertext.

When doing so, the Group Manager overwrites any already stored KEM ciphertext and SHA-256 hash identifier that are associated with the same consumer Sender ID and producer Sender ID.

The Group Manager MUST keep up-to-date the association between the KEM ciphertext and the three pieces of information above, in the event that P or Q change their Sender IDs in the group.

4.4. Retrieving a KEM Ciphertext

P has to be able to retrieve from the Group Manager the following information:

  • The KEM ciphertext computed for P by Q.

  • The SHA-256 hash identifier of its own KEM public key that Q used to compute the KEM ciphertext.

In order to retrieve that information, P specifies the Sender ID of Q to the Group Manager. Then, the Group Manager provides the requested information, if it stores a KEM ciphertext associated with both:

  • The specified Sender ID of Q, identifying the producer of the KEM ciphertext; and

  • The Sender ID of P, identifying the intended consumer of the KEM ciphertext. The Group Manager is able to identify P and thereby determine its Sender ID in the group, e.g., by means of the secure communication association shared with P.

After providing P with the requested KEM ciphertext and SHA-256 hash identifier, the Group Manager deletes those two pieces of information from its local storage, freeing up their association with the consumer Sender ID and producer Sender ID.

P is expected to retrieve the KEM ciphertext computed by Q when it receives from Q a message protected with the pairwise mode and it does not have the Pairwise Recipient Key required to process the message.

P uses the SHA-256 hash identifier to retrieve its own corresponding KEM public key and KEM private key from its local storage.

Then, P computes the shared secret by decrypting the KEM ciphertext using its retrieved KEM private key. After that, P deletes from its local storage the KEM private key just used, as well as the corresponding KEM public key and the corresponding SHA-256 hash identifier.

P uses the shared secret as the Recipient Shared Secret for deriving its own Pairwise Recipient Key to use with Q (see Section 3).

5. Security Considerations

The security considerations from [I-D.ietf-core-oscore-groupcomm] hold for this document too. The security considerations for the specific KEM used as Pairwise Key Agreement Algorithm also apply.

Editor's note: add further security considerations.

6. IANA Considerations

This document has no actions for IANA.

7. References

7.1. Normative References

[COSE.Algorithms]
IANA, "COSE Algorithms", <https://www.iana.org/assignments/cose/cose.xhtml#algorithms>.
[FIPS203]
"Module-Lattice-Based Key-Encapsulation Mechanism Standard", NIST FIPS 203, , <https://doi.org/10.6028/NIST.FIPS.203>.
[I-D.ietf-core-groupcomm-bis]
Dijk, E. and M. Tiloca, "Group Communication for the Constrained Application Protocol (CoAP)", Work in Progress, Internet-Draft, draft-ietf-core-groupcomm-bis-18, , <https://datatracker.ietf.org/doc/html/draft-ietf-core-groupcomm-bis-18>.
[I-D.ietf-core-oscore-groupcomm]
Tiloca, M., Selander, G., Palombini, F., Mattsson, J. P., and R. Höglund, "Group Object Security for Constrained RESTful Environments (Group OSCORE)", Work in Progress, Internet-Draft, draft-ietf-core-oscore-groupcomm-28, , <https://datatracker.ietf.org/doc/html/draft-ietf-core-oscore-groupcomm-28>.
[I-D.ietf-jose-pqc-kem]
Reddy.K, T., Banerjee, A., and H. Tschofenig, "Post-Quantum Key Encapsulation Mechanisms (PQ KEMs) for COSE", Work in Progress, Internet-Draft, draft-ietf-jose-pqc-kem-06, , <https://datatracker.ietf.org/doc/html/draft-ietf-jose-pqc-kem-06>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC5869]
Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, , <https://www.rfc-editor.org/rfc/rfc5869>.
[RFC7252]
Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252, , <https://www.rfc-editor.org/rfc/rfc7252>.
[RFC7641]
Hartke, K., "Observing Resources in the Constrained Application Protocol (CoAP)", RFC 7641, DOI 10.17487/RFC7641, , <https://www.rfc-editor.org/rfc/rfc7641>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8613]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz, "Object Security for Constrained RESTful Environments (OSCORE)", RFC 8613, DOI 10.17487/RFC8613, , <https://www.rfc-editor.org/rfc/rfc8613>.
[RFC9052]
Schaad, J., "CBOR Object Signing and Encryption (COSE): Structures and Process", STD 96, RFC 9052, DOI 10.17487/RFC9052, , <https://www.rfc-editor.org/rfc/rfc9052>.
[SHA-256]
NIST, "Secure Hash Standard", NIST FIPS PUB 180-4, DOI 10.6028/NIST.FIPS.180-4 , , <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf>.

7.2. Informative References

[FIPS204]
"Module-Lattice-Based Digital Signature Standard", NIST FIPS 204, , <https://doi.org/10.6028/NIST.FIPS.204>.
[I-D.ietf-ace-key-groupcomm-oscore]
Tiloca, M. and F. Palombini, "Key Management for Group Object Security for Constrained RESTful Environments (Group OSCORE) Using Authentication and Authorization for Constrained Environments (ACE)", Work in Progress, Internet-Draft, draft-ietf-ace-key-groupcomm-oscore-21, , <https://datatracker.ietf.org/doc/html/draft-ietf-ace-key-groupcomm-oscore-21>.
[NIST-800-56A]
Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R. Davis, "Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography - NIST Special Publication 800-56A, Revision 3", , <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf>.
[RFC9200]
Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)", RFC 9200, DOI 10.17487/RFC9200, , <https://www.rfc-editor.org/rfc/rfc9200>.
[RFC9964]
Prorock, M. and O. Steele, "ML-DSA for JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)", RFC 9964, DOI 10.17487/RFC9964, , <https://www.rfc-editor.org/rfc/rfc9964>.

Acknowledgments

The work on this document has been partly supported by the Sweden's Innovation Agency VINNOVA and the Celtic-Next project CYPRESS.

Author's Address

Marco Tiloca
RISE AB
Isafjordsgatan 22
SE-164 40 Kista
Sweden