| Internet-Draft | N-PAMP | June 2026 |
| Sammartano | Expires 7 December 2026 | [Page] |
The Native Post-Quantum Agent Messaging Protocol (N-PAMP) is a binary, multi-channel, wire-level protocol for authenticated communication between autonomous software agents. N-PAMP operates beneath application-layer agent protocols and provides a single fixed-size frame format, a registry of multiplexed channels, and three escalating security profiles (Standard, High, and Sovereign) built on standard post-quantum and classical cryptography. The protocol uses a hybrid key-encapsulation mechanism combining X25519 with ML-KEM, authenticated encryption with associated data, and a forward-secure key schedule. N-PAMP runs over QUIC as its primary transport and over TCP with TLS 1.3 as a fallback, negotiated via the Application-Layer Protocol Negotiation (ALPN) identifier "n-pamp/2". This document describes the wire format, channel architecture, profile negotiation, and cryptographic suites of N-PAMP, and reserves code-point ranges for extensions defined in companion specifications.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 December 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
Autonomous software agents increasingly communicate with one another over long-lived associations that carry control traffic, persistent state, capability delegation, identity attestation, and operational telemetry on a single connection. Existing transport-layer protocols such as TLS 1.3 [RFC8446] and QUIC [RFC9000], and application-layer agent protocols layered above them, do not by themselves provide a unified binary frame format with semantic channel multiplexing, profile-negotiated cryptographic strength, and mandatory authenticated encryption tailored to agent-to-agent traffic.¶
N-PAMP addresses this gap. It defines a single fixed-size frame header, a set of multiplexed channels each carrying a distinct class of agent traffic, and three negotiated security profiles that hold the wire format constant while escalating the cryptographic primitives and operational requirements. All three profiles employ a hybrid key-encapsulation mechanism (KEM) combining the classical X25519 key agreement with a NIST-standardized module-lattice KEM (ML-KEM, [FIPS203]), so that the confidentiality of an association is preserved if either the classical or the post-quantum component remains unbroken.¶
N-PAMP is deliberately scoped as a transport substrate. It does not define application-layer semantics for the data carried on its channels; those are the subject of companion specifications. This document specifies the wire format, the channel registry, profile negotiation, and the cryptographic suites, and it reserves code-point ranges so that companion extensions can be defined without colliding with the core protocol.¶
The design goals of N-PAMP are:¶
Cryptographic agility within a stable wire format. The frame format does not change between profiles; the cryptographic primitives, modes, and operational requirements do.¶
Defense in depth through hybrid post-quantum and classical key establishment, authenticated encryption, and a forward-secure key schedule.¶
Channel multiplexing so that a single association can carry several classes of agent traffic with independent sequence spaces and per-channel keying.¶
Interoperability across profiles, so that an endpoint operating at a higher profile MAY interoperate with a lower-profile peer when local policy permits.¶
For the purposes of this document:¶
A long-lived, cryptographically authenticated session between two N-PAMP endpoints, identified by a stable Association ID.¶
A semantic multiplexing lane within an association, identified by a 16-bit Channel ID, carrying one class of agent traffic with its own sequence space.¶
The atomic unit of transmission, consisting of a fixed 36-octet header, optional extension TLVs, and an AEAD-protected payload.¶
One of three negotiated levels of cryptographic strength and operational requirement (Standard, High, Sovereign).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
N-PAMP is a binary protocol. Every unit of communication is a frame consisting of a fixed 36-octet header (Section 4), zero or more extension TLVs, and a payload protected by an authenticated-encryption-with-associated-data (AEAD) construction [RFC5116]. Frames are carried on channels (Section 5), each of which has an independent per-direction sequence space.¶
An N-PAMP association is established by a handshake that:¶
establishes a hybrid X25519 + ML-KEM shared secret;¶
negotiates a security profile, a KEM, a signature algorithm, and one or more AEAD suites;¶
authenticates both peers by signing a transcript that binds the negotiated parameters and both peer identities; and¶
derives a forward-secure key schedule from which per-channel, per-direction traffic keys are obtained.¶
The negotiated profile, the KEM identifier, the signature identifier, the selected AEAD suite(s), and both peer identities are all bound into the handshake transcript and confirmed by a Finished message authentication code (MAC). A man-in-the-middle that alters any negotiated parameter or substitutes an identity invalidates the Finished MAC and aborts the handshake; this is the structural defense against downgrade, unknown-key-share, and identity-substitution attacks (see Section 10).¶
N-PAMP uses QUIC [RFC9000] (secured with TLS 1.3, [RFC9001]) as its primary transport and TCP with TLS 1.3 [RFC8446] as a fallback. In both cases, the application protocol is negotiated using the ALPN extension [RFC7301] with the identifier "n-pamp/2" (Section 9).¶
Every N-PAMP frame has the following structure:¶
+--------+-------------+-------------------+-----------+ | Header | Extension | Payload | AEAD Tag | | 36 B | TLVs (var) | (var, encrypted) | (16 B) | +--------+-------------+-------------------+-----------+
The 36-octet header is fixed-size. Zero or more extension TLVs MAY accompany a frame. The payload is AEAD-sealed, and the associated data covers the 21-octet header prefix (octets 0-20, through the Payload Length field, the same octets protected by the header CRC32C) so that any modification to those header fields is detected on decryption.¶
The fixed header is 36 octets, laid out as follows. Multi-octet integers are encoded in network byte order (big-endian) unless stated otherwise.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 'N' | 'P' | 'A' | 'M' | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ver | Flags | Frame Type | Channel ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Sequence Number (64 bits) + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Payload Length (32 bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CRC32C over octets 0-20 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Reserved + Padding (11 octets, zero) + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The fields are:¶
| Offset | Size | Field | Description |
|---|---|---|---|
| 0-3 | 4 octets | Magic | ASCII "NPAM" (0x4E 0x50 0x41 0x4D). |
| 4 | 4 bits | Ver | Protocol major version, the high nibble of octet 4. The value 0x2 designates the wire format described in this document (wire major version 2). |
| 4 | 4 bits | Flags | The low nibble of octet 4 (see Section 4.3). |
| 5-6 | 2 octets | Frame Type | Frame type within the channel (see Section 4.6). |
| 7-8 | 2 octets | Channel ID | The semantic channel (Section 5). |
| 9-16 | 8 octets | Sequence Number | Per-(channel, direction) monotonic sequence number, starting at 0. |
| 17-20 | 4 octets | Payload Length | Byte count of the payload following the header. |
| 21-24 | 4 octets | CRC32C | CRC32C (Castagnoli polynomial 0x1EDC6F41) computed over header octets 0-20. Receivers MUST validate it before processing any other header field. |
| 25-35 | 11 octets | Reserved | MUST be zero; receivers MUST reject frames whose reserved octets are non-zero. |
All multi-octet integers are big-endian. The Ver field carries the wire major version; the value 0x02 corresponds to the ALPN identifier "n-pamp/2".¶
The low nibble of header octet 4 carries four flag bits:¶
| Bit | Name | Meaning |
|---|---|---|
| 0 (0x01) | URG | Urgent-priority scheduling. |
| 1 (0x02) | ENC | Payload is AEAD-encrypted. |
| 2 (0x04) | COMP | Payload is compressed. |
| 3 (0x08) | FRAG | Frame is a fragment of a larger logical message. |
Zero or more Type-Length-Value (TLV) extensions MAY accompany a frame. Each TLV is encoded as:¶
+---------+---------+-----------+ | Type | Length | Value | | 16 bits | 16 bits | Length B | +---------+---------+-----------+
Type and Length are 16-bit unsigned integers in network byte order; Length is the byte count of Value (0 to 65535). A receiver that encounters an unknown TLV whose Type has the high bit (0x8000) clear MUST ignore that TLV. A receiver that encounters an unknown TLV whose Type has the high bit (0x8000) set MUST treat it as a forward-incompatible extension and reject the frame. The TLV type registry maintained by this specification is given in Section 9.4.¶
The payload carries a frame-type-specific body. The body MAY be encoded in a binary serialization, in deterministic CBOR [RFC8949], or as raw octets. The selected encoding is signaled within the channel-local interpretation of the Frame Type field.¶
Each channel defines its own frame types in the 0x0000-0xFFFF space. The following frame types are reserved across all channels and have the same meaning on every channel:¶
| Type | Name | Description |
|---|---|---|
| 0x0000 | (reserved) | Reserved; MUST NOT be used as a frame type. |
| 0x0001 | PING | Liveness probe. |
| 0x0002 | PONG | Reply to PING. |
| 0x0003 | CLOSE | Authenticated close; AEAD-protected. |
| 0x0004 | CLOSE_ACK | Reply to CLOSE. |
| 0x0005 | ERROR | Error report; AEAD-protected. |
| 0x0006 | KEY_UPDATE | Initiate key update for this (channel, direction). |
| 0x0007 | KEY_UPDATE_ACK | Acknowledge key update. |
| 0x0008 | PATH_CHALLENGE | Path-migration challenge. |
| 0x0009 | PATH_RESPONSE | Path-migration response. |
| 0x000A | FLOW_UPDATE | Connection-level flow-control credit update. |
Channel-specific frame types begin at 0x0100 within each channel's frame namespace. Frame-type code points at or above 0x0030 that are not reserved here, and in particular the ranges enumerated in Section 8, are reserved for extensions defined in companion specifications.¶
A CLOSE frame is authenticated like any other frame. A receiver MUST verify the AEAD tag before honoring a close. An unauthenticated or forged CLOSE frame MUST be dropped and SHOULD be counted as a security event.¶
N-PAMP multiplexes traffic over channels identified by a 16-bit Channel ID. Each channel carries one class of agent traffic and has an independent per-direction sequence space and independent traffic keys (Section 7). A peer that has not advertised a channel during the handshake MUST NOT receive frames on that channel; frames on an unadvertised channel MUST be dropped.¶
The following channels are defined and maintained by this specification:¶
| ID | Name | Purpose | Min Profile | Direction |
|---|---|---|---|---|
| 0x0000 | Control | Connection control, handshake completion, capability epoch | Standard | Bidirectional |
| 0x0001 | Memory | Persistent-state create/read/update/delete and retrieval | Standard | Multi-stream |
| 0x0002 | Capability | Capability issuance, delegation, revocation, lookup | Standard | Bidirectional |
| 0x0003 | Identity | Identity resolution, attestation, presence | Standard | Bidirectional |
| 0x0004 | Governance | Policy proposals, votes, quorum closure | High | Bidirectional |
| 0x0005 | Immune | Anomaly reports and defensive gossip | Standard | Bidirectional |
| 0x0006 | Federation | Cross-instance synchronization and gossip | High | Multi-stream |
| 0x0007 | Settlement | Agent-to-agent settlement and receipts | Standard | Bidirectional |
| 0x0008 | Compliance | Attestation and regulatory export | High | Bidirectional |
| 0x0009 | Sensory | Bulk telemetry and low-priority observations | High | Multi-stream |
| 0x000A | Telemetry | Operational metrics and health reporting | Standard | Bidirectional |
| 0x000B | Audit | Audit-epoch commitments and transparency-log entries | Sovereign | Bidirectional |
| 0x000C | Stream | Multiplexed full-duplex streaming (tokens, audio, video, file transfer) | Standard | Multi-stream |
| 0x000D | Bridge | Encapsulation of external agent protocols within N-PAMP frames | Standard | Bidirectional |
| 0x000E | Commerce | Multi-party agentic commerce and payment mandates | Standard | Bidirectional |
| 0x000F | Interaction | Agent-to-human user-interface events | Standard | Bidirectional |
| 0x0010 | Discovery | Agent, tool, and service discovery and capability advertisement | Standard | Bidirectional |
| 0x0011 | Workflow | Multi-agent orchestration and task delegation | Standard | Bidirectional |
| 0x0012 | Knowledge | Retrieval queries with ranked results and provenance | Standard | Multi-stream |
| 0x0013 | Spatial | Physical-world state for robotics and IoT (high-frequency) | High | Multi-stream |
The Min Profile column gives the lowest profile at which a channel may be enabled; a channel is available at that profile and at every higher profile (for example, a "High" channel is available at High and Sovereign). The Audit channel is enabled by default only at Sovereign; other profiles MAY enable it. The Control and Immune channels SHOULD be scheduled at higher priority than bulk channels (Memory, Sensory, Telemetry) during congestion.¶
All N-PAMP channels are full-duplex: each peer maintains an independent send and receive sequence space and independent per-direction traffic keys, so both peers MAY transmit on a channel simultaneously. The Direction column classifies each channel as follows:¶
| Direction | Meaning |
|---|---|
| Bidirectional | Both peers send and receive frames on a single stream. |
| Multi-stream | Bidirectional, and the channel MAY open multiple concurrent transport streams within its stream family. |
The Stream channel (0x000C) provides general-purpose multiplexed full-duplex streaming, carrying concurrent bidirectional sub-streams (for example token, audio, video, and file-transfer streams), each with independent flow control.¶
Channel IDs not listed in Section 5.1, and in particular the ranges enumerated in Section 8, are reserved for extensions defined in companion specifications.¶
N-PAMP defines three security profiles. The profiles share one wire format and differ in the cryptographic primitives and operational requirements they mandate. Each profile is an escalation of the previous one in cryptographic strength.¶
| Profile | Code | Summary |
|---|---|---|
| Standard | 0x01 | Baseline hybrid post-quantum security. |
| High | 0x02 | Stronger KEM parameters and stronger hash; downgrade refusal to Standard. |
| Sovereign | 0x03 | Highest standard-crypto strength; downgrade refusal below Sovereign. |
Profile code points 0x00 and 0x04-0xFF are reserved by this specification.¶
The profile is offered by the client and selected by the server during the handshake, and is carried in the handshake transcript. Because the profile is part of the transcript that the Finished MAC covers, an attacker who strips a profile from the offer or forces a lower selection invalidates the MAC and aborts the handshake.¶
The profile invariants are:¶
| Property | Standard | High | Sovereign |
|---|---|---|---|
| Minimum KEM | X25519MLKEM768 | X25519MLKEM1024 | X25519MLKEM1024 |
| Allowed signatures | Ed25519 | Ed25519, ML-DSA-87 | ML-DSA-87 |
| KDF hash | SHA-256 | SHA-384 | SHA-384 |
| Per-frame AEAD diversification | Off | On | On |
| Downgrade refusal | Off | Refuses Standard | Refuses below Sovereign |
| Mandatory key update | Yes | Yes (tighter bounds) | Yes (tightest bounds) |
The server MUST select a profile from the client's offered set. The selected profile MUST be no lower than the server's configured minimum acceptable peer profile. A Sovereign server with a minimum acceptable peer profile of Sovereign completes a handshake only when the client offers Sovereign and Sovereign is selected.¶
A High or Sovereign endpoint MAY interoperate with a lower-profile peer for read-only or capability-discovery operations when local policy permits, by accepting a lower selected profile; otherwise it refuses the downgrade as shown above.¶
All cryptographic primitives used by N-PAMP are published standards.¶
| Code point | Name | Profiles |
|---|---|---|
| 0x11ec | X25519MLKEM768 | Standard, High |
| 0x11ed | X25519MLKEM1024 | High, Sovereign |
Both are hybrid KEMs combining X25519 ECDH with ML-KEM [FIPS203] (ML-KEM-768 and ML-KEM-1024, respectively). The two shared secrets are concatenated as (X25519 shared secret || ML-KEM shared secret) and supplied as input keying material to HKDF-Extract [RFC5869]. The construction follows the established practice for hybrid key establishment [I-D.ietf-tls-hybrid-design]. The Sovereign profile MUST NOT accept X25519MLKEM768.¶
| Code point | Name | Key | Nonce | Tag |
|---|---|---|---|---|
| 0x0001 | AES-256-GCM | 32 | 12 | 16 |
| 0x0002 | ChaCha20-Poly1305 | 32 | 12 | 16 |
AES-256-GCM is used as specified for AEAD ciphers in [RFC5116]; ChaCha20-Poly1305 is used as specified in [RFC8439]. Endpoints operating at the High and Sovereign profiles MUST support both AEAD suites because per-frame AEAD diversification at those profiles selects between them. Endpoints operating at the Standard profile MUST support at least one of the two.¶
| Code point | Name | Usage | Profiles |
|---|---|---|---|
| 0x0807 | Ed25519 | Identity, capability tokens | All |
| 0x0905 | ML-DSA-87 | Identity, audit epoch | High, Sovereign |
Ed25519 is used as specified in [RFC8032]. ML-DSA-87 is the module-lattice-based digital signature algorithm standardized in [FIPS204]. The Sovereign profile uses ML-DSA-87 for identity and audit signatures.¶
All key derivation uses HKDF [RFC5869]. The KDF hash is SHA-256 at the Standard profile and SHA-384 at the High and Sovereign profiles. The HKDF-Expand-Label construction follows TLS 1.3 [RFC8446], with a protocol-specific label prefix that provides domain separation from TLS 1.3, from QUIC, and from earlier N-PAMP versions.¶
Traffic secrets are derived per (direction, epoch, AEAD suite, channel) tuple, so that no two distinct contexts share a key. Each traffic secret yields an AEAD key, an AEAD initialization vector, and a header-protection key by HKDF-Expand-Label. The per-frame nonce is the AEAD IV exclusive-ORed with the left-zero-padded sequence number, identical in form to the construction used in TLS 1.3 [RFC8446] and QUIC [RFC9001]. This namespace partitioning prevents cross-direction, cross-suite, and cross-channel nonce reuse, and supports forward secrecy: on key update, traffic secrets for the new epoch are derived afresh and the prior epoch's secrets are zeroized.¶
All randomness that participates in security MUST come from a cryptographically secure random number generator. Implementations MUST NOT use a non-cryptographic source for any field that participates in security.¶
N-PAMP reserves code-point ranges for extensions defined in companion specifications. The core protocol in this document neither defines nor requires any extension; it only reserves the ranges below so that extensions can be specified without colliding with the core wire format. The algorithms and semantics that occupy these ranges are out of scope for this document and are defined in companion specifications.¶
The following per-channel frame-type code points are reserved for extensions defined in companion specifications:¶
| Range | Reserved for |
|---|---|
| 0x0035 - 0x0036 | Memory-channel eviction and revive extension frames |
| 0x0060 - 0x0063 | Capability-channel token extension frames |
| 0x0080 - 0x0080 | Control-channel flow-extension frames |
| 0x0090 - 0x0090 | Audit-channel per-frame integrity-extension frames |
| 0x00A0 - 0x00A3 | Settlement/Audit batch-commitment extension frames |
| 0x00B0 - 0x00B4 | Governance-channel quorum extension frames |
| 0x00C0 - 0x00C4 | Immune-channel propagation extension frames |
Channel IDs in the range 0x0014-0xFFFF are reserved. Channels 0x0014-0x001F are reserved for future core additions by this specification; 0x0020-0xEFFF are reserved for extension channels defined in companion specifications; 0xF000-0xFFFE are GREASE values that receivers MUST ignore; and 0xFFFF MUST NOT appear on the wire. The specific extension assignments are out of scope for this document.¶
No algorithms, parameters, or semantics for any reserved range are defined in this document.¶
This document requests that IANA register the following value in the "TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs" registry established by [RFC7301]:¶
| Protocol | Identification Sequence | Reference |
|---|---|---|
| N-PAMP, wire major version 2 | 0x6E 0x2D 0x70 0x61 0x6D 0x70 0x2F 0x32 ("n-pamp/2") | (this document) |
The identification sequence is the 8-octet UTF-8 string "n-pamp/2". The trailing digit "2" equals the N-PAMP wire major version (the value 0x02 carried in the Ver field of the frame header, Section 4). The registration policy for the ALPN registry is Expert Review [RFC8126].¶
The earlier identifier "n-pamp/1" is deprecated. Implementations SHOULD NOT negotiate "n-pamp/1" for new associations. Future wire major versions will use distinct ALPN identifiers (for example, "n-pamp/3").¶
This document requests provisional registration of the "npamp" URI scheme in the "Uniform Resource Identifier (URI) Schemes" registry, following the template and the provisional-registration procedure (First Come First Served) of [RFC7595].¶
Scheme name: npamp¶
Status: Provisional¶
Applications/protocols that use this scheme: The protocol defined in this document (N-PAMP). An "npamp" URI names an N-PAMP endpoint and an optional resource path within that endpoint.¶
URI scheme syntax: The "npamp" scheme uses the generic URI syntax of [RFC3986]:¶
npamp-URI = "npamp://" authority path-abempty [ "?" query ]¶
where "authority", "path-abempty", and "query" are as defined in [RFC3986]. The "authority" component identifies the N-PAMP endpoint (host and optional port). N-PAMP does not reserve a fixed default port; the underlying transport is negotiated as described in Section 3.¶
Encoding considerations: "npamp" URIs are processed as defined in [RFC3986]; non-ASCII characters in the path or query components are percent-encoded UTF-8 octets.¶
Interoperability considerations: None beyond those of [RFC3986]. The scheme carries no protocol semantics of its own; all behavior is defined by N-PAMP.¶
Security considerations: See Section 10. An "npamp" URI is only an identifier. Connecting to an "npamp" endpoint invokes the N-PAMP handshake and its authentication, confidentiality, and downgrade protections; dereferencing an "npamp" URI MUST NOT bypass the security profile negotiated by N-PAMP.¶
Contact: Shawn Sammartano, BubbleFish Technologies, Inc.¶
Change controller: Shawn Sammartano, BubbleFish Technologies, Inc.¶
Reference: This document.¶
The N-PAMP channel registry (Section 5.1), the frame-type registry (Section 4.6), and the TLV type registry (Section 9.4) are defined and maintained within this specification. Because this document is published through the Independent Submission stream, it does not request the creation of new IANA-hosted registries for these code points; the registries are normative within this document and are extended by companion specifications and by future revisions of this document, not by IANA registration actions.¶
The following TLV tags are defined by this specification. Tags marked "reserved" are described in Section 8.¶
| Tag | Name | Length | Description |
|---|---|---|---|
| 0x01 | ProfileOffer | 4 | Profiles offered by the client (handshake only). |
| 0x02 | ProfileSelect | 1 | Profile selected by the server (handshake only). |
| 0x03 | KEMOffer | var | KEMs offered by the client. |
| 0x04 | KEMSelect | 2 | KEM selected by the server. |
| 0x05 | SigOffer | var | Signature algorithms offered. |
| 0x06 | SigSelect | 2 | Signature algorithm selected. |
| 0x07 | KEMShare | var | Public KEM share. |
| 0x08 | KEMCiphertext | var | KEM encapsulation ciphertext. |
| 0x10 | (reserved) | var | Reserved for a companion specification. |
| 0x12 | AnomalyCharge | 32 | Per-frame integrity charge. |
| 0x13 | (reserved) | var | Reserved for a companion specification. |
| 0x14 | (reserved) | 32 | Reserved for a companion specification (handshake only). |
| 0x15 | PathChallenge | 32 | Path-migration challenge nonce. |
| 0x16 | PathResponse | 64 | Path-migration response. |
| 0x17 | KeyUpdateMarker | 8 | Key-update epoch marker. |
| 0x18 | ProtectionMode | 1 | Protection-mode selector. |
| 0x8000-0xFFFF | (reserved) | -- | Forward-incompatible extension points (Type high bit set). |
This section follows the spirit of [RFC3552]. N-PAMP inherits the security properties of its underlying transports, TLS 1.3 [RFC8446] and QUIC [RFC9001], and adds the considerations below.¶
Every profile uses a hybrid KEM that concatenates an X25519 shared secret with an ML-KEM shared secret [FIPS203] before key derivation. The confidentiality of an association is preserved as long as at least one of the two components remains unbroken; an adversary must defeat both the classical and the post-quantum component to recover traffic keys. N-PAMP makes no claim of unconditional or "quantum-proof" security; it provides post-quantum hybrid security against the adversaries addressed by its component primitives.¶
All payloads are protected by AEAD [RFC5116]. Traffic keys are partitioned per (direction, epoch, suite, channel), which structurally prevents nonce reuse across directions, AEAD suites, and channels. AEAD tag verification MUST be performed before any payload is processed, and equality comparisons of authentication values MUST be constant-time to avoid timing side channels.¶
Each (channel, direction) pair maintains a sliding replay window over sequence numbers. Frames outside the window or already recorded within it MUST be rejected. Where 0-RTT data is permitted, it MUST be limited to idempotent operations and protected against replay by an anti-replay mechanism scoped to the current epoch; the Sovereign profile disables 0-RTT entirely.¶
Endpoints MUST perform key updates within profile-specific bounds on elapsed time, frames sent, and bytes protected, with the tightest bounds at the Sovereign profile. On key update, the prior epoch's traffic secrets MUST be zeroized so that compromise of the current epoch does not expose previously protected traffic. Rotation of the master secret requires a fresh handshake.¶
When carried over QUIC, an endpoint MUST validate a peer's new path with a challenge-response exchange (PATH_CHALLENGE / PATH_RESPONSE) before accepting an address change, to prevent off-path migration spoofing.¶
CLOSE frames are AEAD-protected and MUST be verified before being honored, so that an off-path attacker cannot tear down an association with a forged CLOSE.¶
The reserved code-point ranges in Section 8 carry no algorithms or semantics in this document. Any security properties of extensions occupying those ranges are the responsibility of the companion specifications that define them and are out of scope here.¶
Where the wire format requires deterministic encoding (for example, deterministic CBOR [RFC8949] or canonical integer encodings), implementations MUST produce byte-identical output for identical inputs, because non-deterministic encodings can invalidate transcript and integrity computations across peers.¶
The author thanks the reviewers of earlier N-PAMP drafts for their feedback.¶