Summary

Implement the Hybrid Public Key Encryption (HPKE) algorithm in the form of a JCE Cipher, as defined in RFC 9180.

Problem

HPKE was published in 2022 (RFC 9180) and is the current standard for encryption using asymmetric keys. It is used in multiple higher-level protocols (TLS Encrypted ClientHello, Messaging Layer Security (MLS) Protocol, etc). It can also be used directly in applications. OpenSSL, Apple, Rust, Go, and Python have all provided implementations for it. HPKE is designed as a composition of KEM, KDF, and AEAD cipher that supports traditional asymmetric key algorithms like EC and XDH, as well as modern PQC and hybrid algorithms like ML-KEM and X-Wing. Now that Java has support for KEM (JDK 21) and KDF (JDK 25), we are in a good position to support HPKE in the next release of JDK.

Solution

Implement HPKE as a JCE Cipher in the SunJCE security provider.

Specification

Add a new standard algorithm name "HPKE" for Cipher in the Java Security Standard Algorithm Names documentation.

HPKE is a Cipher algorithm that works in either ENCRYPT_MODE or DECRYPT_MODE mode. It is always initialized with an AsymmetricKey and an HPKEParameterSpec object.

HPKEParameterSpec is defined as:

package javax.crypto.spec;

public final class HPKEParameterSpec implements AlgorithmParameterSpec {

    // KEM, KDF, and AEAD algorithm identifiers
    public static final int KEM_DHKEM_P_256_HKDF_SHA256 = 0x10;
    public static final int KEM_DHKEM_P_384_HKDF_SHA384 = 0x11;
    public static final int KEM_DHKEM_P_521_HKDF_SHA512 = 0x12;
    public static final int KEM_DHKEM_X25519_HKDF_SHA256 = 0x20;
    public static final int KEM_DHKEM_X448_HKDF_SHA512 = 0x21;
    public static final int KDF_HKDF_SHA256 = 0x1;
    public static final int KDF_HKDF_SHA384 = 0x2;
    public static final int KDF_HKDF_SHA512 = 0x3;
    public static final int AEAD_AES_128_GCM = 0x1;
    public static final int AEAD_AES_256_GCM = 0x2;
    public static final int AEAD_CHACHA20_POLY1305 = 0x3;
    public static final int EXPORT_ONLY = 0xffff;

    // A factory method to create a new HPKEParameterSpec object with specified KEM, KDF, and AEAD algorithm identifiers.
    public static HPKEParameterSpec of(int kem_id, int kdf_id, int aead_id);

    // Creates a new HPKEParameterSpec object with the specified info value.
    public HPKEParameterSpec withInfo(byte[] info);

    // Creates a new HPKEParameterSpec object with the specified psk and psk_id values.
    public HPKEParameterSpec withPsk(SecretKey psk, byte[] psk_id);

    // Creates a new HPKEParameterSpec object with the specified key encapsulation message value that will be used by the recipient.

    public HPKEParameterSpec withEncapsulation(byte[] encapsulation);

    // Creates a new HPKEParameterSpec object with the specified authentication key value.
    public HPKEParameterSpec withAuthKey(AsymmetricKey kS);

    // {@return the algorithm identifier for KEM }
    public int kem_id();

    // {@return the algorithm identifier for KDF }
    public int kdf_id();

    // {@return the algorithm identifier for AEAD }
    public int aead_id();

    // {@return a copy of the application-supplied information, empty if none}
    public byte[] info();

    // {@return pre-shared key, {@code null} if none}
    public SecretKey psk();

    // {@return a copy of the identifier for PSK, empty if none}
    public byte[] psk_id();

    // {@return the key for authentication, {@code null} if none}
    public AsymmetricKey authKey();

    // {@return a copy of the key encapsulation message, {@code null} if none}
    public byte[] encapsulation();

    @Override public String toString()
}

The full spec can be viewed at https://cr.openjdk.org/~weijun/HPKEParameterSpec.html. A copy has been attached to this CSR.