GMAC and KMAC for COSE and JOSE

Introduction The base COSE specification defines a container for Message Authentication Code (MAC) parameters and results, and the base JOSE specification defines a similar container for "Signature" data including MAC results. Each type of container is parameterized on an algorithm identifier used to verify the MAC result. This document defines new fully specified algorithm identifiers for the use of Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) to generate a MAC (AES-GMAC) as defined in , as well as the SHA-3-derived Keccak MAC (KMAC) as defined in . Unlike the use of AES-GMAC in CMS and IPsec or KMAC in CMS , the COSE and JOSE algorithm identifiers are "fully specified" meaning they rely on no extra parameters (e.g., tag length) to determine their exact operation.

Scope This document does not define any new algorithms it only defines code points in COSE and JOSE registries so that the AES-GMAC and KMAC can be used in those respective security environments with specific combinations of parameters. To avoid confusion, the AES-GMAC algorithm family specified in this document is unrelated to the "AES-MAC" algorithm family from .

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Algorithm Families Both the AES-GMAC algorithm from and the KMAC algorithm from have a set of parameters associated with their uses. For the sake of adhering to COSE and JOSE best practices about fully specifying what gets assigned an "algorithm" code point in each respective registry, the AES-GMAC and KMAC will be treated as an algorithm family with a single code point referring to the algorithm itself along with a specific set of parameter values.

AES-GMAC Family While the general GMAC algorithm can be used with any underlying authenticated encryption with additional data (AEAD) block cipher, this document focuses on its use with the AES-GCM cipher. The parameters associated with AES-GMAC are: key length and tag length. This document restricts the allocated code points to the commonly used key lengths of 128, 192, and 256-bits, a fixed IV length of 96 bits (the recommended default), and restricts the use of a single tag length of 128 bits, which happens to be the longest possible tag length, as indicated in . Future allocations can define the use of AES-GMAC with shortened tag lengths. One required input for AES-GMAC is an initialization vector (IV) which is already provided by the header parameter "IV" from the "COSE Header Parameters" registry of . The use of the AES-GMAC algorithms in COSE SHALL be combined with the IV header parameter in the same COSE layer. A valid IV for these algorithms SHALL be exactly 96 bits (12 octets) in length. The combination of key and IV SHALL be unique for each created MAC. The IV generation mechanism SHALL be deterministic (not random). The specifics of that mechanism are left to an implementation. These IV and tag lengths are consistent with the COSE use of AES-GCM encryption in . Registered AES-GMAC combinations

COSE Value	JOSE Name	Algorithm	Key Length	IV Length	Tag Length
TBA1	A128GMAC128	AES-GMAC	128	96	128
TBA2	A192GMAC128	AES-GMAC	192	96	128
TBA3	A256GMAC128	AES-GMAC	256	96	128

Implementations creating and validating AES-GMAC values SHALL validate that the key type, key length, and algorithm are correct and appropriate for the entities involved. When using a COSE key for these algorithms, the following checks are made:

The "kty" field MUST be present.
The "kty" field MUST be "Symmetric".
If the "alg" field is present, it MUST match the algorithm being used.
If the "key_ops" field is present, it MUST include "MAC create" when creating an authentication tag.
If the "key_ops" field is present, it MUST include "MAC verify" when verifying an authentication tag.

KMAC Family The KMAC family is actually two different variants, KMAC128 and KMAC256, related to the provided security strength of 128 and 256-bits respectively and expected to be used with identical respective minimum key lengths. The parameters associated with KMAC are: key length and tag length. This document restricts the allowed code points to the commonly used key lengths of 128 and 256-bits and restricts the use of a single "standard" tag length for each variant as indicated in . Future allocations can define the use of KMAC with other tag lengths. An optional input for KMAC is a "customization bit string" used as additional context data. When used with COSE the KMAC customization bit string SHALL be the ASCII text string "COSE" without null termination. When used with JOSE the KMAC customization bit string SHALL be the ASCII text string "JOSE" without null termination. Registered KMAC combinations

COSE Value	JOSE Name	Algorithm	Key Length	Tag Length
TBA4	KMAC128	KMAC128	128	256
TBA5	KMAC256	KMAC256	256	512

Implementations creating and validating KMAC values SHALL validate that the key type, key length, and algorithm are correct and appropriate for the entities involved. When using a COSE key for these algorithms, the following checks are made:

The "kty" field MUST be present.
The "kty" field MUST be "Symmetric".
If the "alg" field is present, it MUST match the algorithm being used.
If the "key_ops" field is present, it MUST include "MAC create" when creating an authentication tag.
If the "key_ops" field is present, it MUST include "MAC verify" when verifying an authentication tag.

Security Considerations This document does not define any new modes of operation for the relevant MAC algorithms, and so does not introduce any new security considerations. All of the applicable considerations from and apply when the algorithm is used in COSE or JOSE. The requirement to use non-random IV generation in is meant to satisfy the critical constraint on GMAC (and nonce-based MACs generally) described in Chapter 10 of to guarantee the uniqueness of the combination of key and IV. Whether the mechanism is a simple counter, a determistic PRF, or something else does not affect the constraint to be non-random.

IANA Considerations This section provides guidance to the Internet Assigned Numbers Authority (IANA) regarding registration of code points in accordance with BCP 26 .

COSE Algorithms A new set of entries have been added to the "COSE Algorithms" registry with the following parameters.

AES-GMAC 128/128

Name:: AES-GMAC 128/128
Value:: TBA1
Description:: AES-GMAC with 128-bit key and 128-bit tag
Capabilities:: [kty]
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes

AES-GMAC 192/128

Name:: AES-GMAC 192/128
Value:: TBA2
Description:: AES-GMAC with 192-bit key and 128-bit tag
Capabilities:: [kty]
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes

AES-GMAC 256/128

Name:: AES-GMAC 256/128
Value:: TBA3
Description:: AES-GMAC with 256-bit key and 128-bit tag
Capabilities:: [kty]
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes

KMAC 128/256

Name:: KMAC 128/256
Value:: TBA4
Description:: KMAC128 with 128-bit key and 256-bit tag
Capabilities:: [kty]
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes

KMAC 256/512

Name:: KMAC 256/512
Value:: TBA5
Description:: KMAC256 with 256-bit key and 512-bit tag
Capabilities:: [kty]
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes

JOSE Algorithms A new set of entries have been added to the "JSON Web Signature and Encryption Algorithms" registry with the following parameters.

A128GMAC128

Algorithm Name:: A128GMAC128
Algorithm Description:: AES-GMAC with 128-bit key and 128-bit tag
Algorithm Usage Location(s):: alg
JOSE Implementation Requirements:: Optional
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes
Algorithm Analysis Document(s):

A192GMAC128

Algorithm Name:: A192GMAC128
Algorithm Description:: AES-GMAC with 192-bit key and 128-bit tag
Algorithm Usage Location(s):: alg
JOSE Implementation Requirements:: Optional
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes
Algorithm Analysis Document(s):

A256GMAC128

Algorithm Name:: A256GMAC128
Algorithm Description:: AES-GMAC with 256-bit key and 128-bit tag
Algorithm Usage Location(s):: alg
JOSE Implementation Requirements:: Optional
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes
Algorithm Analysis Document(s):

KMAC128

Algorithm Name:: KMAC128
Algorithm Description:: KMAC with 128-bit key and 256-bit tag
Algorithm Usage Location(s):: alg
JOSE Implementation Requirements:: Optional
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes
Algorithm Analysis Document(s):

KMAC256

Algorithm Name:: KMAC256
Algorithm Description:: KMAC with 256-bit key and 512-bit tag
Algorithm Usage Location(s):: alg
JOSE Implementation Requirements:: Optional
Change controller:: IESG
Reference:: [This document]
Recommended:: Yes
Algorithm Analysis Document(s):

Others TBD