Internet Engineering Task Force (IETF)                        F. Driscoll
Request for Comments: 9794                                    M. Parsons
Category: Informational                 UK National Cyber Security Centre
ISSN: 2070-1721                                                  B. Hale
                                               Naval Postgraduate School
                                                               June 2025

         Terminology for Post-Quantum Traditional Hybrid Schemes

Abstract

   One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations.

Status of This Memo

   This document is not an Internet Standards Track specification; it is published for informational purposes.

   This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9794.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Primitives
   3.  Cryptographic Elements
   4.  Protocols
   5.  Properties
   6.  Certificates
   7.  Security Considerations
   8.  IANA Considerations
   9.  Informative References
   Acknowledgments
   Authors' Addresses
1.  Introduction

   The mathematical problems of integer factorisation and discrete logarithms over finite fields or elliptic curves underpin most of the asymmetric algorithms used for key establishment and digital signatures on the Internet. These problems, and hence the algorithms based on them, will be vulnerable to attacks using Shor's Algorithm on a sufficiently large general-purpose quantum computer, known as a Cryptographically Relevant Quantum Computer (CRQC). Current predictions vary on when, or if, such a device will exist. However, it is necessary to anticipate and prepare to defend against such a development. Data encrypted today (in 2025) with an algorithm vulnerable to a quantum computer can be stored for decryption by a future attacker with a CRQC. Signing algorithms in products that are expected to be in use for many years, and that cannot be updated or replaced, are also at risk if a CRQC is developed during the operational lifetime of that product.

   Ongoing responses to the potential development of a CRQC include modifying established (or standardised) protocols to use asymmetric algorithms that are designed to be secure against quantum computers as well as today's classical computers. These algorithms are called "post-quantum", while algorithms based on integer factorisation, finite-field discrete logarithms, or elliptic-curve discrete logarithms are called "traditional cryptographic algorithms". In this document, "traditional algorithm" is also used to refer to this class of algorithms.

   At the time of publication, the term "post-quantum" is generally used to describe cryptographic algorithms that are designed to be secure against an adversary with access to a CRQC. Post-quantum algorithms can also be referred to as "quantum-resistant" or "quantum-safe" algorithms. There are merits to the different terms. For example, some prefer to use the terms quantum-resistant or quantum-safe to explicitly indicate that these algorithms are designed to be secure against quantum computers. Others disagree and prefer to use the term post-quantum, in case of compromises against such algorithms that could make the terms quantum-resistant or quantum-safe misleading. Similarly, some prefer to refer specifically to Shor's Algorithm or to the mathematical problem that is being used to prevent attacks. Post-Quantum Cryptography (PQC) is commonly used amongst the cryptography community, and so it will be used throughout this document. Similarly, the term "traditional algorithm" will be used throughout the document as, at the time of publication, it is widely used in the community, though other terms, including classical, pre-quantum, or quantum-vulnerable, are preferred by some.

   There may be a requirement for protocols that use both algorithm types, for example, during the transition from traditional to post-quantum algorithms or as a general solution, to mitigate risks. When the risk of deploying new algorithms is above the accepted threshold for their use case, a designer may combine a post-quantum algorithm with a traditional algorithm, with the goal of adding protection against an attacker with a CRQC to the security properties provided by the traditional algorithm. They may also implement a post-quantum algorithm alongside a traditional algorithm for ease of migration from an ecosystem where only traditional algorithms are implemented and used, to one that only uses post-quantum algorithms. Examples of solutions that could use both types of algorithm include, but are not limited to, [RFC9370], [HYBRID-TLS], [COMPOSITE-KEM], and [RFC9763].

   Schemes that combine post-quantum and traditional algorithms for key establishment or digital signatures are often called "hybrids". For example:

   *  The National Institute of Standards and Technology (NIST) defines hybrid key establishment to be a "scheme that is a combination of two or more components that are themselves cryptographic key-establishment schemes" [NIST_PQC_FAQ].

   *  The European Telecommunications Standards Institute (ETSI) defines hybrid key exchanges to be "constructions that combine a traditional key exchange ... with a post-quantum key exchange ... into a single key exchange" [ETSI_TS103774].

   The word "hybrid" is also used in cryptography to describe encryption schemes that combine asymmetric and symmetric algorithms [RFC9180], so using it in the post-quantum context overloads it and risks misunderstandings. However, this terminology is well-established amongst the Post-Quantum Cryptography (PQC) community. Therefore, an attempt to move away from its use for PQC could lead to multiple definitions for the same concept, resulting in confusion and lack of clarity. At the time of publication, hybrid is generally used for schemes that combine post-quantum and traditional algorithms; it will be so used throughout this document, though some have alternative preferences such as double-algorithm or multi-algorithm.

   This document provides language for constructions that combine traditional and post-quantum algorithms. Specific solutions for enabling the use of multiple asymmetric algorithms in cryptographic schemes may be more general than this, allowing the use of solely traditional or solely post-quantum algorithms. However, where relevant, we focus on post-quantum traditional combinations as these are the motivation for the wider work in the IETF. This document is intended as a reference terminology guide for other documents, in order to add clarity and consistency across different protocols, standards, and organisations. Additionally, this document aims to reduce misunderstanding about use of the word "hybrid" as well as defining a shared language for different types of post-quantum and traditional hybrid constructions.

   In this document, a "cryptographic algorithm" is defined, as in [NIST_SP_800-152], to be a "well-defined computational procedure that takes variable inputs, often including a cryptographic key, and produces an output". Examples include RSA, Elliptic Curve Diffie-Hellman (ECDH), Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) (formerly known as Kyber), and Module-Lattice-Based Digital Signature Algorithm (ML-DSA) (formerly known as Dilithium). The expression "cryptographic scheme" is used to refer to a construction that uses a cryptographic algorithm or a group of cryptographic algorithms to achieve a particular cryptographic outcome, e.g., key agreement. A cryptographic scheme may be made up of a number of functions. For example, a Key Encapsulation Mechanism (KEM) is a cryptographic scheme consisting of three functions: Key Generation, Encapsulation, and Decapsulation. A cryptographic protocol incorporates one or more cryptographic schemes. For example, TLS [RFC8446] is a cryptographic protocol that includes schemes for key agreement, record layer encryption, and server authentication.
2.  Primitives

   This section introduces terminology related to cryptographic algorithms and to hybrid constructions for cryptographic schemes.

   *Traditional asymmetric cryptographic algorithm*:
      An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms, elliptic curve discrete logarithms, or related mathematical problems.

      A related mathematical problem is one that can be solved by solving the integer factorisation, finite field discrete logarithm, or elliptic curve discrete logarithm problem.

      Where there is little risk of confusion, traditional asymmetric cryptographic algorithms can also be referred to as "traditional algorithms" for brevity. Traditional algorithms can also be called "classical" or "conventional" algorithms.

   *Post-quantum asymmetric cryptographic algorithm*:
      An asymmetric cryptographic algorithm that is intended to be secure against attacks using quantum computers as well as classical computers.

      Where there is little risk of confusion, post-quantum asymmetric cryptographic algorithms can also be referred to as "post-quantum algorithms" for brevity. Post-quantum algorithms can also be called "quantum-resistant" or "quantum-safe" algorithms.

      As with all cryptography, it always remains the case that attacks, either quantum or classical, may be found against post-quantum algorithms. Therefore, it should not be assumed that just because an algorithm is designed to provide post-quantum security that it will not be compromised. Should an attack be found against a post-quantum algorithm, it is commonly still referred to as a "post-quantum algorithm", as they were designed to protect against an adversary with access to a CRQC, and the labels are referring to the designed or desired properties.

   There may be asymmetric cryptographic constructions that are neither post-quantum nor asymmetric traditional algorithms according to the definitions above. These are out of scope of this document.

   *Component asymmetric algorithm*:
      Each cryptographic algorithm that forms part of a cryptographic scheme.

      An asymmetric component algorithm operates on the input of the cryptographic operation and produces a cryptographic output that can be used by itself or jointly to complete the operation. Where there is little risk of confusion, component asymmetric algorithms can also be referred to as "component algorithms" for brevity, as is done in the following definitions.

   *Single-algorithm scheme*:
      A cryptographic scheme with one component algorithm.

      A single-algorithm scheme could use either a traditional algorithm or a post-quantum algorithm.

   *Multi-algorithm scheme*:
      A cryptographic scheme that incorporates more than one component algorithm, where the component algorithms have the same cryptographic purpose as each other and as the multi-algorithm scheme.

      For example, a multi-algorithm signature scheme may include multiple signature algorithms, or a multi-algorithm Public Key Encryption (PKE) scheme may include multiple PKE algorithms. Component algorithms could be all traditional, all post-quantum, or a mixture of the two.

   *Post-Quantum Traditional (PQ/T) hybrid scheme*:
      A multi-algorithm scheme where at least one component algorithm is a post-quantum algorithm and at least one is a traditional algorithm.

      Components of a PQ/T hybrid scheme operate on the same input message and their output is used together to complete the cryptographic operation either serially or in parallel. The PQ/T hybrid scheme design is aimed at requiring successful breaking of all component algorithms to break the PQ/T hybrid scheme's security properties.

   *PQ/T hybrid Key Encapsulation Mechanism (KEM)*:
      A multi-algorithm KEM made up of two or more component algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. The component algorithms could be KEMs or other key establishment algorithms.

   *PQ/T hybrid Public Key Encryption (PKE)*:
      A multi-algorithm PKE scheme made up of two or more component algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. The component algorithms could be PKE algorithms or other key establishment algorithms.

      The standard security property for a PKE scheme is indistinguishability under chosen-plaintext attack (IND-CPA). IND-CPA security is not sufficient for secure communication in the presence of an active attacker. Therefore, in general, PKE schemes are not appropriate for use on the Internet, and KEMs, which provide indistinguishability under chosen-ciphertext attack (IND-CCA security), are required.

   *PQ/T hybrid digital signature*:
      A multi-algorithm digital signature scheme made up of two or more component digital signature algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm.

      Note that there are many possible ways of constructing a PQ/T hybrid digital signature. Examples include parallel signatures, composite signatures, or nested signatures.

   PQ/T hybrid KEMs, PQ/T hybrid PKE, and PQ/T hybrid digital signatures are all examples of PQ/T hybrid schemes.

   *Post-Quantum Traditional (PQ/T) hybrid composite scheme*:
      A multi-algorithm scheme where at least one component algorithm is a post-quantum algorithm and at least one is a traditional algorithm, and where the resulting composite scheme is exposed as a singular interface of the same type as the component algorithms.

      A PQ/T hybrid composite can be referred to as a "PQ/T composite". Examples of PQ/T hybrid composites include a single KEM algorithm comprised of a PQ KEM component and a traditional KEM component, for which the result presents as a KEM output.

   *PQ/T hybrid combiner*:
      A method that takes two or more component algorithms and combines them to form a PQ/T hybrid scheme.

   *PQ/PQ hybrid scheme*:
      A multi-algorithm scheme where all components are post-quantum algorithms.

      The definitions for types of PQ/T hybrid schemes can be adapted to define types of PQ/PQ hybrid schemes, which are multi-algorithm schemes where all component algorithms are post-quantum algorithms. These are designed to mitigate risks when the two post-quantum algorithms are based on different mathematical problems. Some prefer to refer to these as PQ/PQ multi-algorithm schemes, and reserve the term "hybrid" for PQ/T hybrids.

   In cases where there is little chance of confusion between other types of hybrid cryptography (e.g., as defined in [RFC4949]) and where the component algorithms of a multi-algorithm scheme could be either post-quantum or traditional, it may be appropriate to use the phrase "hybrid scheme" without PQ/T or PQ/PQ preceding it.

   *Component scheme*:
      Each cryptographic scheme that makes up a PQ/T hybrid scheme or PQ/T hybrid protocol.
3.  Cryptographic Elements

   This section introduces terminology related to cryptographic elements
   and their inclusion in hybrid schemes.

   *Cryptographic element*:
      Any data type (private or public) that contains an input or output
      value for a cryptographic algorithm or for a function making up a
      cryptographic algorithm.

      Types of cryptographic elements include public keys, private keys,
      plaintexts, ciphertexts, shared secrets, and signature values.

   *Component cryptographic element*:
      A cryptographic element of a component algorithm in a multi-
      algorithm scheme.

      For example, in [HYBRID-TLS], the client's keyshare contains two
      component public keys: one for a post-quantum algorithm and one
      for a traditional algorithm.

   *Composite cryptographic element*:
      A cryptographic element that incorporates multiple component
      cryptographic elements of the same type for use in a multi-
      algorithm scheme, such that the resulting composite cryptographic
      element is exposed as a singular interface of the same type as the
      component cryptographic elements.

      For example, a composite cryptographic public key is made up of
      two component public keys.

   *PQ/T hybrid composite cryptographic element*:
      A cryptographic element that incorporates multiple component
      cryptographic elements of the same type for use in a multi-
      algorithm scheme, such that the resulting composite cryptographic
      element is exposed as a singular interface of the same type as the
      component cryptographic elements, where at least one component
      cryptographic element is post-quantum and at least one is
      traditional.

   *Cryptographic element combiner*:
      A method that takes two or more component cryptographic elements
      of the same type and combines them to form a composite
      cryptographic element.

      A cryptographic element combiner could be concatenation, such as
      where two component public keys are concatenated to form a
      composite public key as in [HYBRID-TLS], or something more
      involved such as the dualPRF defined in [BINDEL].
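   The two kinds of combiner just described, worked through as an added
   example (this is not code from RFC 9794, from [HYBRID-TLS] or from
   any library): a composite KEM that concatenates two component public
   keys and two component ciphertexts, checks lengths when splitting
   them again, and derives a single shared secret from both component
   secrets with a KDF. The two component KEMs are toy Diffie-Hellman
   stand-ins constructed so the example runs offline with the standard
   library; they are insecure and only their KEM interface matters.
   Feeding both ciphertexts into the secret combiner is this example's
   design choice, not something the text mandates.

```python
"""Composite PQ/T hybrid KEM assembled from two component KEMs.

Added example, not code from RFC 9794, [HYBRID-TLS] or any library.
The component KEMs are toy stand-ins constructed so this runs offline
with the standard library; they give no security. What matters is the
single KEM interface and the two cryptographic element combiners.
"""
import hashlib
import hmac
import secrets


class ToyDHKEM:
    """Diffie-Hellman over a 127-bit Mersenne prime, wrapped as a KEM.
    Stand-in for a real component (e.g. X25519 or ML-KEM); insecure."""
    P = (1 << 127) - 1            # prime, but far too small for real use
    PK_LEN = CT_LEN = SS_LEN = 16

    def __init__(self, generator):
        self.g = generator

    def keygen(self):
        sk = secrets.randbelow(self.P - 2) + 1
        return sk, pow(self.g, sk, self.P).to_bytes(self.PK_LEN, "big")

    def encaps(self, pk):
        r = secrets.randbelow(self.P - 2) + 1
        ct = pow(self.g, r, self.P).to_bytes(self.CT_LEN, "big")
        ss = pow(int.from_bytes(pk, "big"), r, self.P).to_bytes(self.SS_LEN, "big")
        return ss, ct

    def decaps(self, sk, ct):
        return pow(int.from_bytes(ct, "big"), sk, self.P).to_bytes(self.SS_LEN, "big")


class CompositeKEM:
    """Two component KEMs behind one keygen/encaps/decaps interface, so a
    protocol sees a single public key, ciphertext and shared secret."""

    def __init__(self, pq_kem, trad_kem):
        self.pq, self.trad = pq_kem, trad_kem

    # Combiner for public keys and ciphertexts: plain concatenation with
    # fixed component lengths, split again with a strict length check so
    # a malformed composite element is rejected, not truncated or padded.
    @staticmethod
    def _join(pq_part, trad_part):
        return pq_part + trad_part

    @staticmethod
    def _split(blob, pq_len, trad_len):
        if len(blob) != pq_len + trad_len:
            raise ValueError("composite element has wrong length")
        return blob[:pq_len], blob[pq_len:]

    # Combiner for shared secrets: a KDF over both component secrets and
    # both component ciphertexts. Including the ciphertexts is this
    # example's choice (assumed, not mandated by RFC 9794): it ties the
    # derived key to exactly the composite ciphertext that was sent.
    @staticmethod
    def _combine_secrets(ss_pq, ss_trad, ct_pq, ct_trad):
        ikm = ss_pq + ss_trad + ct_pq + ct_trad
        return hmac.new(b"composite-kem-example", ikm, hashlib.sha256).digest()

    def keygen(self):
        sk_pq, pk_pq = self.pq.keygen()
        sk_trad, pk_trad = self.trad.keygen()
        return (sk_pq, sk_trad), self._join(pk_pq, pk_trad)

    def encaps(self, composite_pk):
        pk_pq, pk_trad = self._split(composite_pk, self.pq.PK_LEN, self.trad.PK_LEN)
        ss_pq, ct_pq = self.pq.encaps(pk_pq)
        ss_trad, ct_trad = self.trad.encaps(pk_trad)
        ss = self._combine_secrets(ss_pq, ss_trad, ct_pq, ct_trad)
        return ss, self._join(ct_pq, ct_trad)

    def decaps(self, composite_sk, composite_ct):
        sk_pq, sk_trad = composite_sk
        ct_pq, ct_trad = self._split(composite_ct, self.pq.CT_LEN, self.trad.CT_LEN)
        ss_pq = self.pq.decaps(sk_pq, ct_pq)
        ss_trad = self.trad.decaps(sk_trad, ct_trad)
        return self._combine_secrets(ss_pq, ss_trad, ct_pq, ct_trad)


def run_exchange():
    """One composite exchange plus a tampered ciphertext, returned as facts."""
    kem = CompositeKEM(pq_kem=ToyDHKEM(generator=3), trad_kem=ToyDHKEM(generator=5))
    sk, pk = kem.keygen()               # receiver
    ss_sender, ct = kem.encaps(pk)      # sender
    ss_receiver = kem.decaps(sk, ct)    # receiver
    # Flip one byte of the traditional component ciphertext: the receiver
    # now derives a different key because the combiner covers both parts.
    tampered = bytearray(ct)
    tampered[-1] ^= 0x01
    ss_tampered = kem.decaps(sk, bytes(tampered))
    return {"agree": ss_sender == ss_receiver,
            "tamper_changes_key": ss_tampered != ss_sender,
            "composite_pk_len": len(pk), "composite_ct_len": len(ct)}


if __name__ == "__main__":
    print(run_exchange())
```

   Because the composite presents one public key, one ciphertext and one
   shared secret, a protocol built on it keeps the fields and message
   flow of its single-algorithm version, which is what Section 4 calls
   composite key establishment; replacing a component is a change to the
   cryptographic library rather than to the protocol code.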
4.  Protocols

   This section introduces terminology related to the use of post-
   quantum and traditional algorithms together in protocols.

   *PQ/T hybrid protocol*:
      A protocol that uses two or more component algorithms providing
      the same cryptographic functionality, where at least one is a
      post-quantum algorithm and at least one is a traditional
      algorithm.

      For example, a PQ/T hybrid protocol providing confidentiality
      could use a PQ/T hybrid KEM such as in [HYBRID-TLS], or it could
      combine the output of a post-quantum KEM and a traditional KEM at
      the protocol level to generate a single shared secret, such as in
      [RFC9370]. Similarly, a PQ/T hybrid protocol providing
      authentication could use a PQ/T hybrid digital signature scheme,
      or it could include both post-quantum and traditional single-
      algorithm digital signature schemes.

   A protocol that can negotiate the use of either a traditional
   algorithm or a post-quantum algorithm, but not both types of
   algorithm, is not a PQ/T hybrid protocol. Protocols that use two or
   more component algorithms with different cryptographic
   functionalities, for example, a post-quantum KEM and a Pre-Shared Key
   (PSK), are also not PQ/T hybrid protocols.

   *PQ/T hybrid protocol with composite key establishment*:
      A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite
      scheme to achieve key establishment, in such a way that the
      protocol fields and message flow are the same as those in a
      version of the protocol that uses a single-algorithm scheme.

      For example, a PQ/T hybrid protocol with composite key
      establishment could include a single PQ/T hybrid KEM, such as in
      [HYBRID-TLS].

   *PQ/T hybrid protocol with composite data authentication*:
      A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite
      scheme to achieve data authentication, in such a way that the
      protocol fields and message flow are the same as those in a
      version of the protocol that uses a single-algorithm scheme.

      For example, a PQ/T hybrid protocol with composite data
      authentication could include data authentication through the use
      of a PQ/T hybrid composite digital signature, exposed as a single
      interface over the post-quantum and traditional signature
      components.

   *PQ/T hybrid protocol with composite entity authentication*:
      A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite
      scheme to achieve entity authentication, in such a way that the
      protocol fields and message flow are the same as those in a
      version of the protocol that uses a single-algorithm scheme.

      For example, a PQ/T hybrid protocol with composite entity
      authentication could include entity authentication through the use
      of PQ/T hybrid certificates that carry composite public keys.

   In a PQ/T hybrid protocol with a composite construction, changes are
   primarily made to the formats of the cryptographic elements, while
   the protocol fields and message flow remain largely unchanged. In
   implementations, most changes are likely to be made to the
   cryptographic libraries, with minimal changes to the protocol
   libraries.

   *PQ/T hybrid protocol with non-composite key establishment*:
      A PQ/T hybrid protocol that incorporates multiple single-algorithm
      schemes to achieve key establishment, where at least one uses a
      post-quantum algorithm and at least one uses a traditional
      algorithm, in such a way that the formats of the component
      cryptographic elements are the same as when they are used as part
      of a single-algorithm scheme.

      For example, a PQ/T hybrid protocol with non-composite key
      establishment could include a traditional key exchange scheme and
      a post-quantum KEM. A construction like this for the Internet Key
      Exchange Protocol Version 2 (IKEv2) is enabled by [RFC9370].

   *PQ/T hybrid protocol with non-composite authentication*:
      A PQ/T hybrid protocol that incorporates multiple single-algorithm
      schemes to achieve authentication, where at least one uses a post-
      quantum algorithm and at least one uses a traditional algorithm,
      in such a way that the formats of the component cryptographic
      elements are the same as when they are used as part of a single-
      algorithm scheme.

      For example, a PQ/T hybrid protocol with non-composite
      authentication could use a PQ/T parallel PKI with one traditional
      certificate chain and one post-quantum certificate chain.

   In a PQ/T hybrid protocol with a non-composite construction, changes
   are primarily made to the protocol fields, the message flow, or both,
   while changes to cryptographic elements are minimised. In
   implementations, most changes are likely to be made to the protocol
   libraries, with minimal changes to the cryptographic libraries.

   It is possible for a PQ/T hybrid protocol to be designed with both
   composite and non-composite constructions. For example, a protocol
   that offers both confidentiality and authentication could have
   composite key agreement and non-composite authentication. Similarly,
   it is possible for a PQ/T hybrid protocol to achieve certain
   cryptographic outcomes in a non-hybrid manner. For example,
   [HYBRID-TLS] describes a PQ/T hybrid protocol with composite key
   agreement, but with single-algorithm authentication.

   PQ/T hybrid protocols are not required to label their non-composite
   aspects explicitly, but may choose to do so for clarity, in
   particular when both composite and non-composite aspects are present.

   *PQ/T hybrid composite protocol*:
      A PQ/T hybrid protocol that only uses composite constructions can
      be referred to as a "PQ/T hybrid composite protocol".

      An example of this is a protocol that only provides entity
      authentication, and achieves this using PQ/T hybrid composite
      entity authentication. Another example is a protocol that offers
      both key establishment and data authentication, and achieves this
      using both PQ/T hybrid composite key establishment and PQ/T hybrid
      composite data authentication.

   *PQ/T hybrid non-composite protocol*:
      A PQ/T hybrid protocol that uses at least one non-composite
      construction can be referred to as a "PQ/T hybrid non-composite
      protocol".

      For example, a PQ/T hybrid protocol that offers both
      confidentiality and authentication and uses composite key
      agreement and non-composite authentication would be referred to as
      a "PQ/T hybrid non-composite protocol".
5.  Properties

   This section describes some properties that may be desired from or
   achieved by a PQ/T hybrid scheme or a PQ/T hybrid protocol.
   Properties of PQ/T hybrid schemes are still an active area of
   research and development, e.g., in [BINDELHALE]. This section does
   not attempt to be comprehensive, but rather covers a basic set of
   properties.

   It is not possible for one PQ/T hybrid scheme or PQ/T hybrid protocol
   to achieve all of the properties in this section. To understand what
   properties are required, a designer or implementer will think about
   why they are using a PQ/T hybrid scheme. For example, a scheme that
   is designed primarily for security (to hedge against the failure of
   one component algorithm) will likely require PQ/T hybrid
   confidentiality or PQ/T hybrid authentication, while a scheme
   designed for interoperability will require PQ/T hybrid
   interoperability.

   *PQ/T hybrid confidentiality*:
      The property that confidentiality is achieved by a PQ/T hybrid
      scheme or a PQ/T hybrid protocol as long as at least one component
      algorithm that aims to provide this property remains secure.

   *PQ/T hybrid authentication*:
      The property that authentication is achieved by a PQ/T hybrid
      scheme or a PQ/T hybrid protocol as long as at least one component
      algorithm that aims to provide this property remains secure.

   The security properties of a PQ/T hybrid scheme or protocol depend on
   the security of its component algorithms, the choice of PQ/T hybrid
   combiner, and the capability of an attacker. Changes to the security
   of a component algorithm can impact the security properties of a PQ/T
   hybrid scheme providing hybrid confidentiality or hybrid
   authentication. For example, if the post-quantum component algorithm
   of a PQ/T hybrid scheme is broken, the scheme will remain secure
   against an attacker with a classical computer, but will be vulnerable
   to an attacker with a CRQC.

   PQ/T hybrid protocols that offer both confidentiality and
   authentication do not necessarily offer both hybrid confidentiality
   and hybrid authentication. For example, [HYBRID-TLS] provides hybrid
   confidentiality but does not address hybrid authentication.
   Therefore, if the design in [HYBRID-TLS] is used with single-
   algorithm X.509 certificates as defined in [RFC5280], only
   authentication with a single algorithm is achieved.

   *PQ/T hybrid interoperability*:
      The property that a PQ/T hybrid scheme or a PQ/T hybrid protocol
      can be completed successfully provided that both parties share
      support for at least one component algorithm.

      For example, a PQ/T hybrid digital signature might achieve hybrid
      interoperability if the signature can be verified by verifying
      either the traditional or the post-quantum component, such as the
      approach defined in Section 7.2.2 of [ITU-T-X509-2019]. In this
      example, a verifier that has migrated to support post-quantum
      algorithms is required to verify only the post-quantum signature,
      while a verifier that has not migrated will verify only the
      traditional signature.

   In the case of a protocol that aims to achieve both authentication
   and confidentiality, PQ/T hybrid interoperability requires that at
   least one component authentication algorithm and at least one
   component algorithm for confidentiality are supported by both
   parties.

   It is not possible for a PQ/T hybrid scheme to achieve both PQ/T
   hybrid interoperability and PQ/T hybrid confidentiality without
   additional functionality at a protocol level. For PQ/T hybrid
   interoperability, a scheme needs to work whenever one component
   algorithm is supported by both parties, while to achieve PQ/T hybrid
   confidentiality, all component algorithms need to be used. However,
   both properties can be achieved in a PQ/T hybrid protocol by building
   in downgrade protection external to the cryptographic schemes. For
   example, in [HYBRID-TLS], the client uses the TLS supported groups
   extension to advertise support for a PQ/T hybrid scheme, and the
   server can select this group if it supports the scheme. This
   negotiation is protected by TLS's existing downgrade protection, so
   an attacker cannot silently strip the hybrid offer and PQ/T hybrid
   confidentiality is achieved whenever both sides support the scheme;
   the connection can still be made if either the client or server does
   not support the PQ/T hybrid scheme, so PQ/T hybrid interoperability
   is achieved.

   The same is true for PQ/T hybrid interoperability and PQ/T hybrid
   authentication. It is not possible to achieve both with a PQ/T
   hybrid scheme alone, but it is possible with a PQ/T hybrid protocol
   that has appropriate downgrade protection.
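   The negotiation described above, modelled as an added example (this
   is not TLS itself and not code from [HYBRID-TLS] or RFC 9794): the
   client offers a PQ/T hybrid group and a traditional group with key
   shares for each, the server takes the first one it supports, and both
   sides bind the offer as they saw it into the key that protects the
   Finished value. The group names, the toy Diffie-Hellman group that
   stands in for the component algorithms, and the on-path attacker that
   strips the hybrid offer are all constructed for this example; the toy
   group is insecure.

```python
"""Group negotiation with transcript-bound downgrade protection.

Added example modelling the mechanism the text describes, not TLS
itself and not code from [HYBRID-TLS] or RFC 9794. Group names, the
toy DH group and the attacker are constructed; the toy group is
insecure and stands in for real PQ and traditional components.
"""
import hashlib
import hmac
import json
import secrets

P = (1 << 127) - 1    # toy Diffie-Hellman modulus, far too small for real use
G = 3
# Component key exchanges per named group: the PQ/T hybrid group bundles
# two (standing in for one post-quantum and one traditional component),
# the traditional group carries one.
COMPONENTS = {"pqt-hybrid": 2, "traditional": 1}


def keyshare():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(exps, peer_pubs):
    # Component secrets concatenated; a real design would run them
    # through a KDF combiner.
    return b"".join(pow(pub, x, P).to_bytes(16, "big") for x, pub in zip(exps, peer_pubs))


def encode(msg):
    return json.dumps(msg, sort_keys=True).encode()


def transcript(client_hello, server_hello, bind):
    # With downgrade protection the transcript covers the offer as each
    # side saw it; without it only the server's choice is covered.
    data = encode(client_hello) + encode(server_hello) if bind else encode(server_hello)
    return hashlib.sha256(data).digest()


def finished_mac(ss, th):
    key = hmac.new(th, ss, hashlib.sha256).digest()       # handshake key
    return hmac.new(key, b"finished" + th, hashlib.sha256).digest()


def handshake(client_groups, server_groups, tamper=None, bind=True):
    """Returns the negotiated group and whether the client accepts the
    server's Finished value."""
    # Client: offer all supported groups, each with its key share(s).
    exps = {g: [keyshare() for _ in range(COMPONENTS[g])] for g in client_groups}
    client_hello = {"groups": list(client_groups),
                    "key_shares": {g: [pub for _, pub in ks] for g, ks in exps.items()}}
    on_wire = tamper(client_hello) if tamper else client_hello

    # Server: first offered group it supports, in the client's order.
    chosen = next((g for g in on_wire["groups"] if g in server_groups), None)
    if chosen is None:
        return {"group": None, "finished_ok": False}
    s_exps = [keyshare() for _ in range(COMPONENTS[chosen])]
    server_hello = {"group": chosen, "key_share": [pub for _, pub in s_exps]}
    ss_server = shared_secret([x for x, _ in s_exps], on_wire["key_shares"][chosen])
    s_fin = finished_mac(ss_server, transcript(on_wire, server_hello, bind))

    # Client: derive from what it actually sent and verify Finished.
    ss_client = shared_secret([x for x, _ in exps[chosen]], server_hello["key_share"])
    c_fin = finished_mac(ss_client, transcript(client_hello, server_hello, bind))
    return {"group": chosen, "finished_ok": hmac.compare_digest(s_fin, c_fin)}


def strip_hybrid(hello):
    """Constructed on-path attacker: removes the PQ/T hybrid offer so the
    server falls back to the traditional group."""
    return {"groups": [g for g in hello["groups"] if g != "pqt-hybrid"],
            "key_shares": {g: v for g, v in hello["key_shares"].items() if g != "pqt-hybrid"}}


if __name__ == "__main__":
    both = ["pqt-hybrid", "traditional"]
    print("both support hybrid:    ", handshake(both, both))
    print("server traditional-only:", handshake(both, ["traditional"]))
    print("stripped, bound:        ", handshake(both, both, tamper=strip_hybrid))
    print("stripped, unbound:      ", handshake(both, both, tamper=strip_hybrid, bind=False))
```

   Run as written, the four scenarios show the two properties side by
   side: with the transcript bound, a traditional-only server still
   completes the handshake (interoperability), while a stripped offer
   makes the client reject the Finished value instead of silently
   settling for the traditional group (hybrid confidentiality whenever
   both sides support it); with bind=False the stripped handshake
   completes unnoticed, which is the situation a scheme on its own
   cannot prevent.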
   *PQ/T hybrid backwards compatibility*:
      The property that a PQ/T hybrid scheme or a PQ/T hybrid protocol
      can be completed successfully provided that both parties support
      the traditional component algorithm, while also using both
      algorithms if both are supported by both parties.

   *PQ/T hybrid forwards compatibility*:
      The property that a PQ/T hybrid scheme or a PQ/T hybrid protocol
      can be completed successfully using a post-quantum component
      algorithm provided that both parties support it, while also having
      the option to use both post-quantum and traditional algorithms if
      both are supported by both parties.

      Note that PQ/T hybrid forwards compatibility is a protocol or
      scheme property only.
6.  Certificates

   This section introduces terminology related to the use of
   certificates in hybrid schemes.

   *PQ/T hybrid certificate*:
      A digital certificate that contains public keys for two or more
      component algorithms where at least one is a traditional algorithm
      and at least one is a post-quantum algorithm.

      A PQ/T hybrid certificate could be used to facilitate a PQ/T
      hybrid authentication protocol. However, a PQ/T hybrid
      authentication protocol does not need to use a PQ/T hybrid
      certificate; separate certificates could be used for individual
      component algorithms.

      The component public keys in a PQ/T hybrid certificate could be
      included as a composite public key or as individual component
      public keys.

      The use of a PQ/T hybrid certificate does not necessarily achieve
      hybrid authentication of the identity of the sender; this is
      determined by properties of the chain of trust. For example, an
      end-entity certificate that contains a composite public key, but
      which is signed using a single-algorithm digital signature scheme,
      could be used to provide hybrid authentication of the source of a
      message, but would not achieve hybrid authentication of the
      identity of the sender.

   *Post-quantum certificate*:
      A digital certificate that contains a single public key for a
      post-quantum digital signature algorithm.

   *Traditional certificate*:
      A digital certificate that contains a single public key for a
      traditional digital signature algorithm.

   X.509 certificates as defined in [RFC5280] could be either
   traditional or post-quantum certificates depending on the algorithm
   in the Subject Public Key Info. For example, a certificate
   containing an ML-DSA public key, as defined in [ML-DSA], would be a
   post-quantum certificate.

   *Post-quantum certificate chain*:
      A certificate chain where all certificates include a public key
      for a post-quantum algorithm and are signed using a post-quantum
      digital signature scheme.

   *Traditional certificate chain*:
      A certificate chain where all certificates include a public key
      for a traditional algorithm and are signed using a traditional
      digital signature scheme.

   *PQ/T hybrid certificate chain*:
      A certificate chain where all certificates are PQ/T hybrid
      certificates and each certificate is signed with two or more
      component algorithms, with at least one being a traditional
      algorithm and at least one being a post-quantum algorithm.

   A PQ/T hybrid certificate chain is one way of achieving hybrid
   authentication of the identity of a sender in a protocol, but it is
   not the only way. An alternative is to use a PQ/T parallel PKI as
   defined below.

   *PQ/T mixed certificate chain*:
      A certificate chain containing at least two of the three
      certificate types defined in this document (PQ/T hybrid
      certificates, post-quantum certificates, and traditional
      certificates).

      For example, a traditional end-entity certificate could be signed
      by a post-quantum intermediate certificate, which in turn could be
      signed by a post-quantum root certificate. This may be desirable
      due to the lifetimes of the certificates, the relative difficulty
      of rotating keys, or for efficiency reasons. The security
      properties of a certificate chain that mixes post-quantum and
      traditional algorithms would need to be analysed on a case-by-case
      basis.

   *PQ/T parallel PKI*:
      Two certificate chains, one that is a post-quantum certificate
      chain and one that is a traditional certificate chain, that are
      used together in a protocol.

      A PQ/T parallel PKI might be used to achieve hybrid authentication
      or hybrid interoperability depending on the protocol
      implementation.

   *Multi-certificate authentication*:
      Authentication that uses two or more end-entity certificates.
For example, multi-certificate authentication may be achieved For example, multi-certificate authentication may be achieved
using a PQ/T parallel PKI. using a PQ/T parallel PKI.
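   As an added illustration, not code from RFC 9794 or the IETF, the
   following Python classifies a certificate chain against the chain
   terms defined above (post-quantum, traditional, PQ/T hybrid, and
   PQ/T mixed) and checks the PQ/T parallel PKI and multi-certificate
   authentication terms.  The algorithm names, the ALG_FAMILY table,
   the strict reading that a certificate carrying keys of both families
   counts only as a PQ/T hybrid certificate, and the sample chains are
   all assumptions constructed for the example.

```python
"""Classify certificate chains against the RFC 9794 Section 6 chain terms.
Added example, not code from RFC 9794 or the IETF.  Algorithm names, the
ALG_FAMILY table and the sample chains are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Family(Enum):
    TRADITIONAL = "traditional"
    POST_QUANTUM = "post-quantum"


# Assumed mapping from algorithm name to family.  A real verifier would key
# this on the AlgorithmIdentifier OIDs found in the certificates.
ALG_FAMILY = {
    "ecdsa-p256": Family.TRADITIONAL,
    "rsa-pss-sha256": Family.TRADITIONAL,
    "ml-dsa-65": Family.POST_QUANTUM,
    "slh-dsa-sha2-128s": Family.POST_QUANTUM,
}


@dataclass(frozen=True)
class Cert:
    subject: str
    key_algs: tuple  # algorithm(s) of the public key(s) the cert carries
    sig_algs: tuple  # component algorithm(s) of the signature on the cert


def _families(algs):
    return {ALG_FAMILY[a] for a in algs}


def cert_type(cert):
    """'post-quantum', 'traditional' or 'PQ/T hybrid', judged by its keys."""
    # Strict reading (an assumption): keys of both families make the cert a
    # PQ/T hybrid certificate; it is not also counted as post-quantum.
    fams = _families(cert.key_algs)
    if fams == {Family.POST_QUANTUM}:
        return "post-quantum"
    if fams == {Family.TRADITIONAL}:
        return "traditional"
    return "PQ/T hybrid"


def _hybrid_signed(cert):
    """Signature uses both families (hence two or more component algorithms)."""
    return _families(cert.sig_algs) == {Family.TRADITIONAL, Family.POST_QUANTUM}


def chain_type(chain):
    """Return the Section 6 chain term the chain satisfies, or None."""
    if not chain:
        raise ValueError("empty chain")
    types = {cert_type(c) for c in chain}
    if types == {"post-quantum"} and all(
            _families(c.sig_algs) == {Family.POST_QUANTUM} for c in chain):
        return "post-quantum certificate chain"
    if types == {"traditional"} and all(
            _families(c.sig_algs) == {Family.TRADITIONAL} for c in chain):
        return "traditional certificate chain"
    if types == {"PQ/T hybrid"} and all(_hybrid_signed(c) for c in chain):
        return "PQ/T hybrid certificate chain"
    if len(types) >= 2:
        return "PQ/T mixed certificate chain"
    return None  # e.g. hybrid certs where one link has a single-algorithm sig


def is_parallel_pki(chain_a, chain_b):
    """Two chains used together: one post-quantum, one traditional."""
    return {chain_type(chain_a), chain_type(chain_b)} == {
        "post-quantum certificate chain", "traditional certificate chain"}


def is_multi_certificate_auth(end_entity_certs):
    """Authentication presenting two or more end-entity certificates."""
    return len(end_entity_certs) >= 2


# Constructed sample chains, leaf first and self-signed root last.
TRAD_CHAIN = (
    Cert("leaf", ("ecdsa-p256",), ("ecdsa-p256",)),
    Cert("int", ("ecdsa-p256",), ("rsa-pss-sha256",)),
    Cert("root", ("rsa-pss-sha256",), ("rsa-pss-sha256",)),
)
PQ_CHAIN = (
    Cert("leaf", ("ml-dsa-65",), ("ml-dsa-65",)),
    Cert("int", ("ml-dsa-65",), ("slh-dsa-sha2-128s",)),
    Cert("root", ("slh-dsa-sha2-128s",), ("slh-dsa-sha2-128s",)),
)
HYBRID_CHAIN = tuple(
    Cert(n, ("ecdsa-p256", "ml-dsa-65"), ("ecdsa-p256", "ml-dsa-65"))
    for n in ("leaf", "int", "root"))
# The Section 6 example: traditional leaf under post-quantum issuers.
MIXED_CHAIN = (
    Cert("leaf", ("ecdsa-p256",), ("ml-dsa-65",)),
    Cert("int", ("ml-dsa-65",), ("ml-dsa-65",)),
    Cert("root", ("ml-dsa-65",), ("ml-dsa-65",)),
)
# All hybrid certs, but the root is self-signed with one algorithm only, so
# the chain meets none of the four chain definitions.
HALF_HYBRID_CHAIN = HYBRID_CHAIN[:2] + (
    Cert("root", ("ecdsa-p256", "ml-dsa-65"), ("ml-dsa-65",)),)

if __name__ == "__main__":
    for chain in (TRAD_CHAIN, PQ_CHAIN, HYBRID_CHAIN, MIXED_CHAIN, HALF_HYBRID_CHAIN):
        print(chain_type(chain))
    print("parallel PKI:", is_parallel_pki(PQ_CHAIN, TRAD_CHAIN))
```

   The HALF_HYBRID_CHAIN case is the one to watch in practice: a chain
   built entirely from PQ/T hybrid certificates is not a PQ/T hybrid
   certificate chain unless every link, including the self-signed root,
   carries a signature from both families.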
7.  Security Considerations

   This document defines security-relevant terminology to be used in
   documents specifying PQ/T hybrid protocols and schemes.  However, the
   document itself does not have a security impact on Internet
   protocols.  The security considerations for each PQ/T hybrid protocol
   are specific to that protocol and should be discussed in the relevant
   specification documents.  More general guidance about the security
   considerations, timelines, and benefits and drawbacks of the use of
   PQ/T hybrids is also out of scope of this document.
8.  IANA Considerations

   This document has no IANA actions.
9.  Informative References

   [BINDEL]   Bindel, N., Brendel, J., Fischlin, M., Goncalves, B., and
              D. Stebila, "Hybrid Key Encapsulation Mechanisms and
              Authenticated Key Exchange", Post-Quantum Cryptography,
              PQCrypto 2019, Lecture Notes in Computer Science, vol.
              11505, pp. 206-226, DOI 10.1007/978-3-030-25510-7_12, July
              2019, <https://doi.org/10.1007/978-3-030-25510-7_12>.

   [BINDELHALE]
              Bindel, N. and B. Hale, "A Note on Hybrid Signature
              Schemes", Cryptology ePrint Archive, Paper 2023/423, 23
              July 2023, <https://eprint.iacr.org/2023/423.pdf>.

   [COMPOSITE-KEM]
              Ounsworth, M., Gray, J., Pala, M., Klaussner, J., and S.
              Fluhrer, "Composite ML-KEM for use in X.509 Public Key
              Infrastructure and CMS", Work in Progress, Internet-Draft,
              draft-ietf-lamps-pq-composite-kem-06, 18 March 2025,
              <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
              pq-composite-kem-06>.

   [ETSI_TS103774]
              European Telecommunications Standards Institute (ETSI),
              "CYBER; Quantum-safe Hybrid Key Exchanges", ETSI TS 103
              744 v1.1.1, December 2020, <https://www.etsi.org/deliver/
              etsi_ts/103700_103799/103744/01.01.01_60/
              ts_103744v010101p.pdf>.

   [HYBRID-TLS]
              Stebila, D., Fluhrer, S., and S. Gueron, "Hybrid key
              exchange in TLS 1.3", Work in Progress, Internet-Draft,
              draft-ietf-tls-hybrid-design-12, 14 January 2025,
              <https://datatracker.ietf.org/doc/html/draft-ietf-tls-
              hybrid-design-12>.

   [ITU-T-X509-2019]
              ITU-T, "Information Technology - Open Systems
              Interconnection - The Directory: Public-key and attribute
              certificate frameworks", ITU-T Recommendation X.509,
              October 2019,
              <https://www.itu.int/rec/T-REC-X.509-201910-I>.

   [ML-DSA]   Massimo, J., Kampanakis, P., Turner, S., and B. E.
              Westerbaan, "Internet X.509 Public Key Infrastructure -
              Algorithm Identifiers for Module-Lattice-Based Digital
              Signature Algorithm (ML-DSA)", Work in Progress, Internet-
              Draft, draft-ietf-lamps-dilithium-certificates-11, 22 May
              2025, <https://datatracker.ietf.org/doc/html/draft-ietf-
              lamps-dilithium-certificates-11>.

   [NIST_PQC_FAQ]
              NIST, "Post-Quantum Cryptography (PQC) FAQs", 31 January
              2025, <https://csrc.nist.gov/Projects/post-quantum-
              cryptography/faqs>.

   [NIST_SP_800-152]
              Barker, E., Smid, M., and D. Branstad, "A Profile for U.S.
              Federal Cryptographic Key Management Systems", NIST
              SP 800-152, DOI 10.6028/NIST.SP.800-152, October 2015,
              <https://doi.org/10.6028/NIST.SP.800-152>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC9180]  Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid
              Public Key Encryption", RFC 9180, DOI 10.17487/RFC9180,
              February 2022, <https://www.rfc-editor.org/info/rfc9180>.

   [RFC9370]  Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van
              Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple
              Key Exchanges in the Internet Key Exchange Protocol
              Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May
              2023, <https://www.rfc-editor.org/info/rfc9370>.

   [RFC9763]  Becker, A., Guthrie, R., and M. Jenkins, "Related
              Certificates for Use in Multiple Authentications within a
              Protocol", RFC 9763, DOI 10.17487/RFC9763, June 2025,
              <https://www.rfc-editor.org/info/rfc9763>.
Acknowledgments

   This document is the product of numerous fruitful discussions in the
   IETF PQUIP group.  Thank you in particular to Mike Ounsworth, John
   Gray, Tim Hollebeek, Wang Guilin, Rebecca Guthrie, Stephen Farrell,
   Paul Hoffman, and Sofía Celi for their contributions.  This document
   is inspired by many others from the IETF and elsewhere.
Authors' Addresses

   Florence Driscoll
   UK National Cyber Security Centre
   Email: florence.d@ncsc.gov.uk

   Michael Parsons
   UK National Cyber Security Centre
 End of changes. 124 change blocks. 
378 lines changed or deleted 387 lines changed or added

This html diff was produced by rfcdiff 1.48.