rfc9794.original.xml   rfc9794.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 3.0. -ietf-pquip-pqt-hybrid-terminology-06" number="9794" category="info" consensus="
2) --> true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" ver
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft sion="3" updates="" obsoletes="" xml:lang="en">
-ietf-pquip-pqt-hybrid-terminology-06" category="info" consensus="true" submissi
onType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
<!-- xml2rfc v2v3 conversion 3.25.0 -->
<front> <front>
<title abbrev="PQ/T Hybrid Terminology">Terminology for Post-Quantum Traditi onal Hybrid Schemes</title> <title abbrev="PQ/T Hybrid Terminology">Terminology for Post-Quantum Traditi onal Hybrid Schemes</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqt-hybrid-termino <seriesInfo name="RFC" value="9794"/>
logy-06"/> <author fullname="Florence Driscoll" initials="F." surname="Driscoll">
<author fullname="Florence Driscoll">
<organization>UK National Cyber Security Centre</organization> <organization>UK National Cyber Security Centre</organization>
<address> <address>
<email>florence.d@ncsc.gov.uk</email> <email>florence.d@ncsc.gov.uk</email>
</address> </address>
</author> </author>
<author fullname="Michael Parsons"> <author fullname="Michael Parsons" initials="M." surname="Parsons">
<organization>UK National Cyber Security Centre</organization> <organization>UK National Cyber Security Centre</organization>
<address> <address>
<email>michael.p1@ncsc.gov.uk</email> <email>michael.p1@ncsc.gov.uk</email>
</address> </address>
</author> </author>
<author fullname="Britta Hale"> <author fullname="Britta Hale" initials="B." surname="Hale">
<organization>Naval Postgraduate School</organization> <organization>Naval Postgraduate School</organization>
<address> <address>
<email>britta.hale@nps.edu</email> <email>britta.hale@nps.edu</email>
</address> </address>
</author> </author>
<date year="2025" month="January" day="10"/> <date year="2025" month="June"/>
<area>SEC</area> <area>SEC</area>
<workgroup>PQUIP</workgroup> <workgroup>pquip</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<?line 120?>
<t>One aspect of the transition to post-quantum algorithms in cryptographic prot <!-- [rfced] Please insert any keywords (beyond those that appear in
ocols is the development of hybrid schemes that incorporate both post-quantum an the title) for use on https://www.rfc-editor.org/search. -->
d traditional asymmetric algorithms. This document defines terminology for such
schemes. It is intended to be used as a reference and, hopefully, to ensure co <keyword>example</keyword>
nsistency and clarity across different protocols, standards, and organisations.<
/t> <abstract>
<t>One aspect of the transition to post-quantum algorithms in
cryptographic protocols is the development of hybrid schemes that
incorporate both post-quantum and traditional asymmetric algorithms.
This document defines terminology for such schemes. It is intended to
be used as a reference and, hopefully, to ensure consistency and clarity
across different protocols, standards, and organisations.</t>
</abstract> </abstract>
<note removeInRFC="true">
<name>About This Document</name>
<t>
Status information for this document may be found at <eref target="https
://datatracker.ietf.org/doc/draft-ietf-pquip-pqt-hybrid-terminology/"/>.
</t>
<t>
</t>
</note>
</front> </front>
<middle> <middle>
<?line 125?>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>The mathematical problems of integer factorisation and discrete logarit
hms over finite fields or elliptic curves underpin most of the asymmetric algori <t>The mathematical problems of integer factorisation and discrete
thms used for key establishment and digital signatures on the internet. These p logarithms over finite fields or elliptic curves underpin most of the
roblems, and hence the algorithms based on them, will be vulnerable to attacks u asymmetric algorithms used for key establishment and digital signatures
sing Shor's Algorithm on a sufficiently large general-purpose quantum computer, on the Internet. These problems, and hence the algorithms based on
known as a Cryptographically Relevant Quantum Computer (CRQC). Current predicti them, will be vulnerable to attacks using Shor's Algorithm on a
ons vary on when, or if, such a device will exist. However, it is necessary to sufficiently large general-purpose quantum computer, known as a
anticipate and prepare to defend against such a development. Data encrypted tod Cryptographically Relevant Quantum Computer (CRQC). Current predictions
ay (2024) with an algorithm vulnerable to a quantum computer can be stored for d vary on when, or if, such a device will exist. However, it is necessary
ecryption by a future attacker with a CRQC. Signing algorithms in products that to anticipate and prepare to defend against such a development. Data
are expected to be in use for many years, and that cannot be updated or replace encrypted today (in 2025) with an algorithm vulnerable to a quantum
d, are also at risk if a CRQC is developed during the operational lifetime of th computer can be stored for decryption by a future attacker with a CRQC.
at product.</t> Signing algorithms in products that are expected to be in use for many
<t>Ongoing responses to the potential development of a CRQC include modify years, and that cannot be updated or replaced, are also at risk if a
ing established (standardised) protocols to use asymmetric algorithms that are d CRQC is developed during the operational lifetime of that product.</t>
esigned to be secure against quantum computers as well as today's classical comp
uters. These algorithms are called post-quantum, while algorithms based on inte <t>Ongoing responses to the potential development of a CRQC include
ger factorisation, finite-field discrete logarithms or elliptic-curve discrete l modifying established (or standardised) protocols to use asymmetric
ogarithms are called traditional cryptographic algorithms. In this document "tra algorithms that are designed to be secure against quantum computers as
ditional algorithm" is also used to refer to this class of algorithms.</t> well as today's classical computers. These algorithms are called
<t>At the time of publication, the term post-quantum is generally used to "post-quantum", while algorithms based on integer factorisation,
describe cryptographic algorithms that are designed to be secure against an adve finite-field discrete logarithms, or elliptic-curve discrete logarithms
rsary with access to a CRQC. Post-quantum algorithms can also be referred to as are called "traditional cryptographic algorithms". In this document,
quantum-resistant or quantum-safe algorithms. There are merits to the different "traditional algorithm" is also used to refer to this class of
terms, for example some prefer to use the terms quantum-resistant or quantum-saf algorithms.</t>
e to explictly indicate that these algorithms are designed to be secure against
quantum computers but others disagree, and prefer to use post-quantum, in case o <t>At the time of publication, the term "post-quantum" is generally used
f compromises against such algorithms which could make the terms quantum-resista to describe cryptographic algorithms that are designed to be secure
nt or quantum-safe misleading. Similarly, some prefer to refer specifically to S against an adversary with access to a CRQC. Post-quantum algorithms can
hor's Algorithm or to the mathematical problem that is being used to prevent att also be referred to as "quantum-resistant" or "quantum-safe"
ack. Post-quantum cryptography is commonly used amongst the cryptography communi algorithms. There are merits to the different terms. For example, some
ty, so will be used throughout this document. Similarly, the term "traditional a prefer to use the terms quantum-resistant or quantum-safe to explicitly
lgorithm" will be used throughout the document as, at the time of publication, i indicate that these algorithms are designed to be secure against quantum
t is widely used in the community, though other terms, including classical, pre- computers. Others disagree and prefer to use the term post-quantum, in cas
quantum or quantum-vulnerable, are preferred by some.</t> e
<t>There may be a requirement for protocols that use both algorithm types, of compromises against such algorithms that could make the terms
for example during the transition from traditional to post-quantum algorithms o quantum-resistant or quantum-safe misleading. Similarly, some prefer to
r as a general solution, to mitigate risks. When the risk of deploying new algor refer specifically to Shor's Algorithm or to the mathematical problem
ithms is above the accepted threshold for their use case, a designer may combine that is being used to prevent attacks. Post-Quantum Cryptography (PQC) is
a post-quantum algorithm with a traditional algorithm with the goal of adding p commonly used amongst the cryptography community, and so it will be used
rotection against an attacker with a CRQC to the security properties provided by throughout this document. Similarly, the term "traditional algorithm"
the traditional algorithm. They may also implement a post-quantum algorithm al will be used throughout the document as, at the time of publication, it
ongside a traditional algorithm for ease of migration from an ecosystem where on is widely used in the community, though other terms, including
ly traditional algorithms are implemented and used, to one that only uses post-q classical, pre-quantum, or quantum-vulnerable, are preferred by some.</t>
uantum algorithms. Examples of solutions that could use both types of algorithm
include, but are not limited to, <xref target="RFC9370"/>, <xref target="I-D.iet <!-- [rfced] May we update this sentence as follows for clarity?
f-tls-hybrid-design"/>, <xref target="I-D.ietf-lamps-pq-composite-kem"/>, and <x
ref target="I-D.ietf-lamps-cert-binding-for-multi-auth"/>.</t> Original:
<t>Schemes that combine post-quantum and traditional algorithms for key es There may be a requirement for protocols that use both algorithm
tablishment or digital signatures are often called hybrids. For example:</t> types, for example during the transition from traditional to post-
quantum algorithms or as a general solution, to mitigate risks.
Perhaps:
To mitigate risks, there may be a requirement for protocols that
use both algorithm types (for example, during the transition from
traditional to post-quantum algorithms or as a general solution).
-->
<t>There may be a requirement for protocols that use both algorithm
types, for example, during the transition from traditional to
post-quantum algorithms or as a general solution, to mitigate
risks. When the risk of deploying new algorithms is above the accepted
threshold for their use case, a designer may combine a post-quantum
algorithm with a traditional algorithm, with the goal of adding
protection against an attacker with a CRQC to the security properties
provided by the traditional algorithm. They may also implement a
post-quantum algorithm alongside a traditional algorithm for ease of
migration from an ecosystem where only traditional algorithms are
implemented and used, to one that only uses post-quantum
algorithms. Examples of solutions that could use both types of algorithm
include, but are not limited to, <xref target="RFC9370"/>, <xref
target="I-D.ietf-tls-hybrid-design"/>, <xref
target="I-D.ietf-lamps-pq-composite-kem"/>, and <xref
target="RFC9763"/>.</t>
<t>Schemes that combine post-quantum and traditional algorithms for key
establishment or digital signatures are often called "hybrids". For
example:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>The National Institute of Standards and Technology (NIST) defines h
ybrid key establishment to be a "scheme that is a combination of two or more com <!-- Quotations from [NIST_PQC_FAQ] and [ETSI_TS103774] are accurate. -->
ponents that are themselves cryptographic key-establishment schemes" <xref targe <t>The National Institute of Standards and Technology (NIST) defines
t="NIST_PQC_FAQ"/>;</t> hybrid key establishment to be a "scheme that is a combination of
two or more components that are themselves cryptographic
key-establishment schemes" <xref target="NIST_PQC_FAQ"/>.</t>
</li> </li>
<li> <li>
<t>The European Telecommunications Standards Institute (ETSI) defines <t>The European Telecommunications Standards Institute (ETSI)
hybrid key exchanges to be "constructions that combine a traditional key exchang defines hybrid key exchanges to be "constructions that combine a
e ... with a post-quantum key exchange ... into a single key exchange" <xref tar traditional key exchange ... with a post-quantum key exchange
get="ETSI_TS103774"/>.</t> ... into a single key exchange" <xref target="ETSI_TS103774"/>.</t>
</li> </li>
</ul> </ul>
<t>The word "hybrid" is also used in cryptography to describe encryption s
chemes that combine asymmetric and symmetric algorithms <xref target="RFC9180"/> <t>The word "hybrid" is also used in cryptography to describe encryption
, so using it in the post-quantum context overloads it and risks misunderstandin schemes that combine asymmetric and symmetric algorithms <xref
gs. However, this terminology is well-established amongst the post-quantum cryp target="RFC9180"/>, so using it in the post-quantum context overloads it
tography (PQC) community. Therefore, an attempt to move away from its use for PQ and risks misunderstandings. However, this terminology is
C could lead to multiple definitions for the same concept, resulting in confusio well-established amongst the Post-Quantum Cryptography (PQC)
n and lack of clarity. community. Therefore, an attempt to move away from its use for PQC could
At the time of publication, hybrid is generally used for schemes that combine po lead to multiple definitions for the same concept, resulting in
st-quantum and traditional algorithms; it will be so used throughout this docume confusion and lack of clarity. At the time of publication, hybrid is
nt, though some have alternative preferences such as double-algorithm or multi-a generally used for schemes that combine post-quantum and traditional
lgorithm.</t> algorithms; it will be so used throughout this document, though some
<t>This document provides language for constructions that combine traditio have alternative preferences such as double-algorithm or
nal and post-quantum algorithms. Specific solutions for enabling use of multiple multi-algorithm.</t>
asymmetric algorithms in cryptographic schemes may be more general than this, a
llowing the use of solely traditional or solely post-quantum algorithms. Howeve <!-- [rfced] May we adjust the text below as follows to make the verbs
r, where relevant, we focus on post-quantum traditional combinations as these ar "reduce" and "defining" parallel?
e the motivation for the wider work in the IETF. This document is intended as a
reference terminology guide for other documents to add clarity and consistency Original:
across different protocols, standards, and organisations. Additionally, this do Additionally, this document aims to reduce
cument aims to reduce misunderstanding about use of the word "hybrid" as well as misunderstanding about use of the word "hybrid" as well as defining a
defining a shared language for different types of post-quantum and traditional shared language for different types of post-quantum and traditional
hybrid constructions.</t> hybrid constructions.
<t>In this document, a "cryptographic algorithm" is defined, as in <xref t
arget="NIST_SP_800-152"/>, to be a "well-defined computational procedure that ta Perhaps:
kes variable inputs, often including a cryptographic key, and produces an output Additionally, this document aims to reduce
". Examples include RSA, ECDH, ML-KEM (formerly known as Kyber) and ML-DSA (for misunderstandings about the use of the word "hybrid" and to define a
merly known as Dilithium). The expression "cryptographic scheme" is used to re shared language for different types of post-quantum and traditional
fer to a construction that uses a cryptographic algorithm or a group of cryptogr hybrid constructions.
aphic algorithms to achieve a particular cryptographic outcome, e.g., key agreem -->
ent. A cryptographic scheme may be made up of a number of functions. For exampl
e, a Key Encapsulation Mechanism (KEM) is a cryptographic scheme consisting of t <t>This document provides language for constructions that combine
hree functions: Key Generation, Encapsulation, and Decapsulation. A cryptograph traditional and post-quantum algorithms. Specific solutions for enabling
ic protocol incorporates one or more cryptographic schemes. For example, TLS <x the use of multiple asymmetric algorithms in cryptographic schemes may be
ref target="RFC8446"/> is a cryptographic protocol that includes schemes for key more general than this, allowing the use of solely traditional or solely
agreement, record layer encryption, and server authentication.</t> post-quantum algorithms. However, where relevant, we focus on
post-quantum traditional combinations as these are the motivation for
the wider work in the IETF. This document is intended as a reference
terminology guide for other documents, in order to add clarity and consist
ency
across different protocols, standards, and organisations. Additionally,
this document aims to reduce misunderstanding about use of the word
"hybrid" as well as defining a shared language for different types of
post-quantum and traditional hybrid constructions.</t>
<!-- Quotation from [NIST_SP_800-152] is accurate. -->
<t>In this document, a "cryptographic algorithm" is defined, as in <xref
target="NIST_SP_800-152"/>, to be a "well-defined computational
procedure that takes variable inputs, often including a cryptographic
key, and produces an output". Examples include RSA, Elliptic Curve
Diffie-Hellman (ECDH), Module-Lattice-Based Key-Encapsulation Mechanism
(ML-KEM) (formerly known as Kyber), and Module-Lattice-Based Digital
Signature Algorithm (ML-DSA) (formerly known as Dilithium). The
expression "cryptographic scheme" is used to refer to a construction
that uses a cryptographic algorithm or a group of cryptographic
algorithms to achieve a particular cryptographic outcome, e.g., key
agreement. A cryptographic scheme may be made up of a number of
functions. For example, a Key Encapsulation Mechanism (KEM) is a
cryptographic scheme consisting of three functions: Key Generation,
Encapsulation, and Decapsulation. A cryptographic protocol incorporates
one or more cryptographic schemes. For example, TLS <xref
target="RFC8446"/> is a cryptographic protocol that includes schemes for
key agreement, record layer encryption, and server authentication.</t>
</section> </section>
<section anchor="primitives"> <section anchor="primitives">
<name>Primitives</name> <name>Primitives</name>
<t>This section introduces terminology related to cryptographic algorithms
and to hybrid constructions for cryptographic schemes.</t> <t>This section introduces terminology related to cryptographic
<dl> algorithms and to hybrid constructions for cryptographic schemes.</t>
<dt><strong>Traditional Asymmetric Cryptographic Algorithm</strong>:</dt
> <dl newline="true">
<dt><strong>Traditional asymmetric cryptographic algorithm</strong>:</dt
>
<dd> <dd>
<t>An asymmetric cryptographic algorithm based on integer factorisatio
n, finite field discrete logarithms, elliptic curve discrete logarithms, or rel <t>An asymmetric cryptographic algorithm based on integer
ated mathematical problems. factorisation, finite field discrete logarithms, elliptic curve
</t> discrete logarithms, or related mathematical problems.</t>
<t>A related mathematical problem is one that can be solved by solving
the integer factorisation, finite field discrete logarithm or elliptic curve di <t>A related mathematical problem is one that can be solved by
screte logarithm problem.</t> solving the integer factorisation, finite field discrete logarithm,
<t>Where there is little risk of confusion, traditional asymmetric cry or elliptic curve discrete logarithm problem.</t>
ptographic algorithms can also be referred to as traditional algorithms for brev
ity. Traditional algorithms can also be called classical or conventional algori <t>Where there is little risk of confusion, traditional asymmetric
thms.</t> cryptographic algorithms can also be referred to as "traditional
algorithms" for brevity. Traditional algorithms can also be called
"classical" or "conventional" algorithms.</t>
</dd> </dd>
<dt><strong>Post-Quantum Asymmetric Cryptographic Algorithm</strong>:</d
t> <dt><strong>Post-quantum asymmetric cryptographic algorithm</strong>:</d
t>
<dd> <dd>
<t>An asymmetric cryptographic algorithm that is intended to be secure <t>An asymmetric cryptographic algorithm that is intended to be
against attacks using quantum computers as well as classical computers. secure against attacks using quantum computers as well as classical
</t> computers.</t>
<t>Where there is little risk of confusion, post-quantum asymmetric cr
yptographic algorithms can also be referred to as post-quantum algorithms for br <t>Where there is little risk of confusion, post-quantum asymmetric
evity. Post-quantum algorithms can also be called quantum-resistant or quantum-s cryptographic algorithms can also be referred to as "post-quantum
afe algorithms.</t> algorithms" for brevity. Post-quantum algorithms can also be called
<t>As with all cryptography, it always remains the case that attacks, "quantum-resistant" or "quantum-safe" algorithms.</t>
either quantum or classical, may be found against post-quantum algorithms. There
fore it should not be assumed that just because an algorithm is designed to prov <t>As with all cryptography, it always remains the case that
ide post-quantum security it will not be compromised. Should an attack be found attacks, either quantum or classical, may be found against
against a post-quantum algorithm, it is commonly still referred to as a post-qua post-quantum algorithms. Therefore, it should not be assumed that
ntum algorithm as they were designed to protect against an adversary with access just because an algorithm is designed to provide post-quantum
to a CRQC and the labels are referring to the designed or desired properties.</ security that it will not be compromised. Should an attack be found
t> against a post-quantum algorithm, it is commonly still referred to
as a "post-quantum algorithm", as they were designed to protect agains
t
an adversary with access to a CRQC, and the labels are referring to
the designed or desired properties.</t>
</dd> </dd>
</dl> </dl>
<t>There may be asymmetric cryptographic constructions that are neither po
st-quantum nor asymmetric traditional algorithms according to the definitions ab <t>There may be asymmetric cryptographic constructions that are neither
ove. These are out of scope of this document.</t> post-quantum nor asymmetric traditional algorithms according to the
<dl> definitions above. These are out of scope of this document.</t>
<dt><strong>Component Asymmetric Algorithm</strong>:</dt>
<dl newline="true">
<dt><strong>Component asymmetric algorithm</strong>:</dt>
<dd> <dd>
<t>Each cryptographic algorithm that forms part of a cryptographic sch <t>Each cryptographic algorithm that forms part of a cryptographic
eme. scheme.</t>
</t> <t>An asymmetric component algorithm operates on the input of the
<t>An asymmetric component algorithm operates on the input of the cryp cryptographic operation and produces a cryptographic output that can
tographic operation and produces a cryptographic output that can be used by itse be used by itself or jointly to complete the operation. Where there
lf or jointly to complete the operation. Where there is little risk of confusion is little risk of confusion, component asymmetric algorithms can
, component aysmmetric algorithms can also be referred to as component algorithm also be referred to as "component algorithms" for brevity, as is done
s for brevity, as is done in the following definitions.</t> in the following definitions.</t>
</dd> </dd>
<dt><strong>Single-Algorithm Scheme</strong>:</dt>
<dt><strong>Single-algorithm scheme</strong>:</dt>
<dd> <dd>
<t>A cryptographic scheme with one component algorithm. <t>A cryptographic scheme with one component algorithm.</t>
</t> <t>A single-algorithm scheme could use either a traditional
<t>A single-algorithm scheme could use either a traditional algorithm algorithm or a post-quantum algorithm.</t>
or a post-quantum algorithm.</t>
</dd> </dd>
<dt><strong>Multi-Algorithm Scheme</strong>:</dt>
<dt><strong>Multi-algorithm scheme</strong>:</dt>
<dd> <dd>
<t>A cryptographic scheme that incorporates more than one component al <t>A cryptographic scheme that incorporates more than one component
gorithm, where the component algorithms have the same cryptographic purpose as e algorithm, where the component algorithms have the same
ach other and as the multi-algorithm scheme. cryptographic purpose as each other and as the multi-algorithm
</t> scheme.</t>
<t>For example, a multi-algorithm signature scheme may include multipl <t>For example, a multi-algorithm signature scheme may include
e signature algorithms or a multi-algorithm Public Key Encryption (PKE) scheme m multiple signature algorithms, or a multi-algorithm Public Key
ay include multiple PKE algorithms. Component algorithms could be all traditiona Encryption (PKE) scheme may include multiple PKE
l, all post-quantum, or a mixture of the two.</t> algorithms. Component algorithms could be all traditional, all
post-quantum, or a mixture of the two.</t>
</dd> </dd>
<dt><strong>Post-Quantum Traditional (PQ/T) Hybrid Scheme</strong>:</dt>
<dt><strong>Post-Quantum Traditional (PQ/T) hybrid scheme</strong>:</dt>
<dd> <dd>
<t>A multi-algorithm scheme where at least one component algorithm is <t>A multi-algorithm scheme where at least one component algorithm
a post-quantum algorithm and at least one is a traditional algorithm. is a post-quantum algorithm and at least one is a traditional
</t> algorithm.</t>
<t>Components of a PQ/T hybrid scheme operate on the same input messag <t>Components of a PQ/T hybrid scheme operate on the same input
e and their output is used together to complete the cryptographic operation eith message and their output is used together to complete the
er serially or in parallel. PQ/T hybrid scheme design is aimed at requiring succ cryptographic operation either serially or in parallel. The PQ/T hybri
essful breaking of all component algorithms to break the PQ/T hybrid scheme's se d
curity properties.</t> scheme design is aimed at requiring successful breaking of all
component algorithms to break the PQ/T hybrid scheme's security
properties.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Key Encapsulation Mechanism (KEM)</strong>:</dt>
<dt><strong>PQ/T hybrid Key Encapsulation Mechanism (KEM)</strong>:</dt>
<dd> <dd>
<t>A multi-algorithm KEM made up of two or more component algorithms w <t>A multi-algorithm KEM made up of two or more component algorithms
here at least one is a post-quantum algorithm and at least one is a traditional where at least one is a post-quantum algorithm and at least one is a
algorithm. The component algorithms could be KEMs, or other key establishment a traditional algorithm. The component algorithms could be KEMs or
lgorithms.</t> other key establishment algorithms.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Public Key Encryption (PKE)</strong>:</dt>
<dt><strong>PQ/T hybrid Public Key Encryption (PKE)</strong>:</dt>
<dd> <dd>
<t>A multi-algorithm PKE scheme made up of two or more component algor <t>A multi-algorithm PKE scheme made up of two or more component
ithms where at least one is a post-quantum algorithm and at least one is a tradi algorithms where at least one is a post-quantum algorithm and at
tional algorithm. The component algorithms could be PKE algorithms, or other ke least one is a traditional algorithm. The component algorithms
y establishment algorithms. could be PKE algorithms or other key establishment algorithms.</t>
</t> <t>The standard security property for a PKE scheme is
<t>The standard security property for a PKE scheme is indistinguishabi indistinguishability under chosen-plaintext attack
lity under chosen-plaintext attack, (IND-CPA). IND-CPA security is not sufficien (IND-CPA). IND-CPA security is not sufficient for secure
t for secure communication in the presence of an active attacker. Therefore, in communication in the presence of an active attacker. Therefore, in
general, PKE schemes are not appropriate for use on the internet, and KEMs, whi general, PKE schemes are not appropriate for use on the Internet,
ch provide indistiguishability under chosen-ciphertext attacks (IND-CCA security and KEMs, which provide indistinguishability under chosen-ciphertext
), are required.</t> attack (IND-CCA security), are required.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Digital Signature</strong>:</dt>
<dt><strong>PQ/T hybrid digital signature</strong>:</dt>
<dd> <dd>
<t>A multi-algorithm digital signature scheme made up of two or more c <t>A multi-algorithm digital signature scheme made up of two or more
omponent digital signature algorithms where at least one is a post-quantum algor component digital signature algorithms where at least one is a
ithm and at least one is a traditional algorithm. post-quantum algorithm and at least one is a traditional algorithm.</t
</t> >
<t>Note that there are many possible ways of constructing a PQ/T hybri <t>Note that there are many possible ways of constructing a PQ/T
d digital signatures. Examples include parallel signatures, composite signatures hybrid digital signature. Examples include parallel signatures,
or nested signatures.</t> composite signatures, or nested signatures.</t>
</dd> </dd>
</dl> </dl>
<t>PQ/T hybrid KEMs, PQ/T hybrid PKE, and PQ/T hybrid digital signatures a
re all examples of PQ/T hybrid schemes.</t> <t>PQ/T hybrid KEMs, PQ/T hybrid PKE, and PQ/T hybrid digital signatures
<dl> are all examples of PQ/T hybrid schemes.</t>
<dt><strong>Post-Quantum Traditional (PQ/T) Hybrid Composite Scheme</str
ong>:</dt> <dl newline="true">
<dt><strong>Post-Quantum Traditional (PQ/T) hybrid composite scheme</str
ong>:</dt>
<dd> <dd>
<t>A multi-algorithm scheme where at least one component algorithm is <t>A multi-algorithm scheme where at least one component algorithm
a post-quantum algorithm and at least one is a traditional algorithm and the res is a post-quantum algorithm and at least one is a traditional
ulting composite scheme is exposed as a singular interface of the same type as t algorithm, and where the resulting composite scheme is exposed as a
he component algorithms. singular interface of the same type as the component algorithms.</t>
</t> <t>A PQ/T hybrid composite can be referred to as a "PQ/T
<t>A PQ/T Hybrid Composite can be referred to as a PQ/T Composite. Exa composite". Examples of PQ/T hybrid composites include a single KEM
mples of PQ/T Hybrid Composites include a single KEM algorithm comprised of a PQ algorithm comprised of a PQ KEM component and a traditional KEM
KEM component and a traditional KEM component, for which the result presents as component, for which the result presents as a KEM output.</t>
a KEM output.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Combiner</strong>:</dt> <dt><strong>PQ/T hybrid combiner</strong>:</dt>
<dd> <dd>
<t>A method that takes two or more component algorithms and combines t hem to form a PQ/T hybrid scheme.</t> <t>A method that takes two or more component algorithms and combines t hem to form a PQ/T hybrid scheme.</t>
</dd> </dd>
<dt><strong>PQ/PQ Hybrid Scheme</strong>:</dt>
<dt><strong>PQ/PQ hybrid scheme</strong>:</dt>
<dd> <dd>
<t>A multi-algorithm scheme where all components are post-quantum algo <t>A multi-algorithm scheme where all components are post-quantum
rithms. algorithms.</t>
</t> <t>The definitions for types of PQ/T hybrid schemes can be adapted
<t>The definitions for types of PQ/T hybrid schemes can be adapted to to define types of PQ/PQ hybrid schemes, which are multi-algorithm
define types of PQ/PQ hybrid schemes, which are multi-algorithm schemes where al schemes where all component algorithms are post-quantum
l component algorithms are Post-Quantum algorithms. These are designed to mitiga algorithms. These are designed to mitigate risks when the two
te risks when the two post-quantum algorithms are based on different mathematica post-quantum algorithms are based on different mathematical
l problems. Some prefer to refer to these as PQ/PQ multi-algorithm schemes, and problems. Some prefer to refer to these as PQ/PQ multi-algorithm
reserve the term hybrid for PQ/T hybrids.</t> schemes, and reserve the term "hybrid" for PQ/T hybrids.</t>
</dd> </dd>
</dl> </dl>
<t>In cases where there is little chance of confusion between other types
of hybrid cryptography e.g., as defined in <xref target="RFC4949"/>, and where t <t>In cases where there is little chance of confusion between other
he component algorithms of a multi-algorithm scheme could be either post-quantum types of hybrid cryptography (e.g., as defined in <xref
or traditional, it may be appropriate to use the phrase "hybrid scheme" without target="RFC4949"/>) and where the component algorithms of a
PQ/T or PQ/PQ preceding it.</t> multi-algorithm scheme could be either post-quantum or traditional, it
<dl> may be appropriate to use the phrase "hybrid scheme" without PQ/T or
<dt><strong>Component Scheme</strong>:</dt> PQ/PQ preceding it.</t>
<dl newline="true">
<dt><strong>Component scheme</strong>:</dt>
<dd> <dd>
<t>Each cryptographic scheme that makes up a PQ/T hybrid scheme or PQ/ T hybrid protocol.</t> <t>Each cryptographic scheme that makes up a PQ/T hybrid scheme or PQ/ T hybrid protocol.</t>
</dd> </dd>
</dl> </dl>
</section> </section>
<section anchor="cryptographic-elements"> <section anchor="cryptographic-elements">
<name>Cryptographic Elements</name> <name>Cryptographic Elements</name>
<t>This section introduces terminology related to cryptographic elements a <t>This section introduces terminology related to cryptographic elements
nd their inclusion in hybrid schemes.</t> and their inclusion in hybrid schemes.</t>
<dl>
<dt><strong>Cryptographic Element</strong>:</dt> <dl newline="true">
<dt><strong>Cryptographic element</strong>:</dt>
<dd> <dd>
<t>Any data type (private or public) that contains an input or output <t>Any data type (private or public) that contains an input or
value for a cryptographic algorithm or for a function making up a cryptographic output value for a cryptographic algorithm or for a function making
algorithm. up a cryptographic algorithm.</t>
</t> <t>Types of cryptographic elements include public keys, private
<t>Types of cryptographic elements include public keys, private keys, keys, plaintexts, ciphertexts, shared secrets, and signature
plaintexts, ciphertexts, shared secrets, and signature values.</t> values.</t>
</dd> </dd>
<dt><strong>Component Cryptographic Element</strong>:</dt> <dt><strong>Component cryptographic element</strong>:</dt>
<dd> <dd>
<t>A cryptographic element of a component algorithm in a multi-algorit <t>A cryptographic element of a component algorithm in a
hm scheme. multi-algorithm scheme.</t>
</t> <t>For example, in <xref target="I-D.ietf-tls-hybrid-design"/>, the
<t>For example, in <xref target="I-D.ietf-tls-hybrid-design"/>, the cl client's keyshare contains two component public keys: one for a
ient's keyshare contains two component public keys, one for a post-quantum algor post-quantum algorithm and one for a traditional algorithm.</t>
ithm and one for a traditional algorithm.</t>
</dd> </dd>
<dt><strong>Composite Cryptographic Element</strong>:</dt>
<dt><strong>Composite cryptographic element</strong>:</dt>
<dd> <dd>
<t>A cryptographic element that incorporates multiple component crypto <t>A cryptographic element that incorporates multiple component
graphic elements of the same type for use in a multi-algorithm scheme, such that cryptographic elements of the same type for use in a multi-algorithm
the resulting composite cryptographic element is exposed as a singular interfac scheme, such that the resulting composite cryptographic element is
e of the same type as the component cryptographic elements. exposed as a singular interface of the same type as the component
</t> cryptographic elements.</t>
<t>For example, a composite cryptographic public key is made up of two <t>For example, a composite cryptographic public key is made up of
component public keys.</t> two component public keys.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Composite Cryptographic Element</strong>:</dt> <dt><strong>PQ/T hybrid composite cryptographic element</strong>:</dt>
<dd> <dd>
<t>A cryptographic element that incorporates multiple component crypto <t>A cryptographic element that incorporates multiple component
graphic elements of the same type for use in a multi-algorithm scheme, such that cryptographic elements of the same type for use in a multi-algorithm
the resulting composite cryptographic element is exposed as a singular interfac scheme, such that the resulting composite cryptographic element is
e of the same type as the component cryptographic elements, where at least one c exposed as a singular interface of the same type as the component
omponent cryptographic element is post-quantum and at least one is traditional.< cryptographic elements, where at least one component cryptographic
/t> element is post-quantum and at least one is traditional.</t>
</dd> </dd>
<dt><strong>Cryptographic Element Combiner</strong>:</dt>
<dt><strong>Cryptographic element combiner</strong>:</dt>
<dd> <dd>
<t>A method that takes two or more component cryptographic elements of <t>A method that takes two or more component cryptographic elements
the same type and combines them to form a composite cryptographic element. of the same type and combines them to form a composite cryptographic
</t> element.</t>
<t>A cryptographic element combiner could be concatenation, such as wh <t>A cryptographic element combiner could be concatenation, such as
ere two component public keys are concatenated to form a composite public key as where two component public keys are concatenated to form a composite
in <xref target="I-D.ietf-tls-hybrid-design"/>, or something more involved such public key as in <xref target="I-D.ietf-tls-hybrid-design"/>, or
as the dualPRF defined in <xref target="BINDEL"/>.</t> something more involved such as the dualPRF defined in <xref
target="BINDEL"/>.</t>
</dd> </dd>
</dl> </dl>
</section> </section>
<section anchor="protocols"> <section anchor="protocols">
<name>Protocols</name> <name>Protocols</name>
<t>This section introduces terminology related to the use of post-quantum <t>This section introduces terminology related to the use of
and traditional algorithms together in protocols.</t> post-quantum and traditional algorithms together in protocols.</t>
<dl>
<dt><strong>PQ/T Hybrid Protocol</strong>:</dt> <dl newline="true">
<dt><strong>PQ/T hybrid protocol</strong>:</dt>
<dd> <dd>
<t>A protocol that uses two or more component algorithms providing the <t>A protocol that uses two or more component algorithms providing
same cryptographic functionality, where at least one is a post-quantum algorith the same cryptographic functionality, where at least one is a
m and at least one is a traditional algorithm. post-quantum algorithm and at least one is a traditional algorithm.</t
</t> >
<t>For example, a PQ/T hybrid protocol providing confidentiality could <t>For example, a PQ/T hybrid protocol providing confidentiality
use a PQ/T hybrid KEM such as in <xref target="I-D.ietf-tls-hybrid-design"/>, o could use a PQ/T hybrid KEM such as in <xref
r it could combine the output of a post-quantum KEM and a traditional KEM at the target="I-D.ietf-tls-hybrid-design"/>, or it could combine the
protocol level to generate a single shared secret, such as in <xref target="RFC output of a post-quantum KEM and a traditional KEM at the protocol
9370"/>. Similarly, a PQ/T hybrid protocol providing authentication could use a level to generate a single shared secret, such as in <xref
PQ/T hybrid digital signature scheme, or it could include both post-quantum and target="RFC9370"/>. Similarly, a PQ/T hybrid protocol providing
traditional single-algorithm digital signature schemes.</t> authentication could use a PQ/T hybrid digital signature scheme, or
<t>A protocol that can negotiate the use of either a traditional algor it could include both post-quantum and traditional single-algorithm
ithm or a post-quantum algorithm, but not of both types of algorithm, is not a P digital signature schemes.</t>
Q/T hybrid protocol. <t>A protocol that can negotiate the use of either a traditional
Protocols that use two or more component algorithms but with different cryptogra algorithm or a post-quantum algorithm, but not both types of
phic functionality, for example a post-quantum KEM and a pre-shared key (PSK) ar algorithm, is not a PQ/T hybrid protocol. Protocols that use two or
e also not PQ/T hybrid protocols.</t> more component algorithms but with different cryptographic
functionalities, for example, a post-quantum KEM and a Pre-Shared Key
(PSK), are also not PQ/T hybrid protocols.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Protocol with Composite Key Establishment</stron
g>:</dt> <dt><strong>PQ/T hybrid protocol with composite key establishment</stron
g>:</dt>
<dd> <dd>
<t>A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite sc <t>A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite
heme to achieve key establishment, in such a way that the protocol fields and me scheme to achieve key establishment, in such a way that the protocol
ssage flow are the same as those in a version of the protocol that uses a single fields and message flow are the same as those in a version of the
-algorithm scheme. protocol that uses a single-algorithm scheme.</t>
</t> <t>For example, a PQ/T hybrid protocol with composite key
<t>For example, a PQ/T hybrid protocol with composite key establishmen establishment could include a single PQ/T hybrid KEM, such as in
t could include a single PQ/T hybrid KEM, such as in <xref target="I-D.ietf-tls- <xref target="I-D.ietf-tls-hybrid-design"/>.</t>
hybrid-design"/>.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Protocol with Composite Data Authentication</str ong>:</dt> <dt><strong>PQ/T hybrid protocol with composite data authentication</str ong>:</dt>
<dd> <dd>
<t>A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite sc <t>A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite
heme to achieve data authentication, in such a way that the protocol fields and scheme to achieve data authentication, in such a way that the
message flow are the same as those in a version of the protocol that uses a sing protocol fields and message flow are the same as those in a version
le-algorithm scheme. of the protocol that uses a single-algorithm scheme.</t>
</t> <t>For example, a PQ/T hybrid protocol with composite data
<t>For example, a PQ/T hybrid protocol with composite data authenticat authentication could include data authentication through the use of a
ion could include data authentication through use of a PQ/T composite hybrid dig PQ/T composite hybrid digital signature, exposed as a single
ital signature, exposed as a single interface for PQ signature and traditional s interface for PQ signature and traditional signature components.</t>
ignature components. </t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Protocol with Composite Entity Authentication</s
trong>:</dt> <dt><strong>PQ/T hybrid protocol with composite entity authentication</s
trong>:</dt>
<dd> <dd>
<t>A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite sc <t>A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite
heme to achieve entity authentication, in such a way that the protocol fields an scheme to achieve entity authentication, in such a way that the
d message flow are the same as those in a version of the protocol that uses a si protocol fields and message flow are the same as those in a version
ngle-algorithm scheme. of the protocol that uses a single-algorithm scheme.</t>
</t> <t>For example, a PQ/T hybrid protocol with composite entity
<t>For example, a PQ/T hybrid protocol with composite entity authentic authentication could include entity authentication through the use of
ation could include entity authentication through use of PQ/T Composite Hybrid c PQ/T Composite Hybrid certificates.</t>
ertificates.</t>
</dd> </dd>
</dl> </dl>
<t>In a PQ/T hybrid protocol with a composite construction, changes are pr
imarily made to the formats of the cryptographic elements, while the protocol fi <t>In a PQ/T hybrid protocol with a composite construction, changes are
elds and message flow remain largely unchanged. In implementations, most change primarily made to the formats of the cryptographic elements, while the
s are likely to be made to the cryptographic libraries, with minimal changes to protocol fields and message flow remain largely unchanged. In
the protocol libraries.</t> implementations, most changes are likely to be made to the cryptographic
<dl> libraries, with minimal changes to the protocol libraries.</t>
<dt><strong>PQ/T Hybrid Protocol with Non-Composite Key Establishment</s
trong>:</dt> <dl newline="true">
<dt><strong>PQ/T hybrid protocol with non-composite key establishment</s
trong>:</dt>
<dd> <dd>
<t>A PQ/T hybrid protocol that incorporates multiple single-algorithm <t>A PQ/T hybrid protocol that incorporates multiple
schemes to achieve key establishment, where at least one uses a post-quantum alg single-algorithm schemes to achieve key establishment, where at
orithm and at least one uses a traditional algorithm, in such a way that the for least one uses a post-quantum algorithm and at least one uses a
mats of the component cryptographic elements are the same as when they are used traditional algorithm, in such a way that the formats of the
a part of a single-algorithm scheme. component cryptographic elements are the same as when they are used
</t> as a part of a single-algorithm scheme.</t>
<t>For example, a PQ/T hybrid protocol with non-composite key establis <t>For example, a PQ/T hybrid protocol with non-composite key
hment could include a traditional key exchange scheme and a post-quantum KEM. A establishment could include a traditional key exchange scheme and a
construction like this for IKEv2 is enabled by <xref target="RFC9370"/>.</t> post-quantum KEM. A construction like this for the Internet Key
Exchange Protocol Version 2 (IKEv2) is enabled by <xref
target="RFC9370"/>.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Protocol with Non-Composite Authentication</stro
ng>:</dt> <dt><strong>PQ/T hybrid protocol with non-composite authentication</stro
ng>:</dt>
<dd> <dd>
<t>A PQ/T hybrid protocol that incorporates multiple single-algorithm <t>A PQ/T hybrid protocol that incorporates multiple
schemes to achieve authentication, where at least one uses a post-quantum algori single-algorithm schemes to achieve authentication, where at least
thm and at least one uses a traditional algorithm, in such a way that the format one uses a post-quantum algorithm and at least one uses a
s of the component cryptographic elements are the same as when they are used a p traditional algorithm, in such a way that the formats of the
art of a single-algorithm scheme. component cryptographic elements are the same as when they are used
</t> as part of a single-algorithm scheme.</t>
<t>For example, a PQ/T hybrid protocol with non-composite authenticati <t>For example, a PQ/T hybrid protocol with non-composite
on could use a PQ/T parallel PKI with one traditional certificate chain and one authentication could use a PQ/T parallel PKI with one traditional
post-quantum certificate chain.</t> certificate chain and one post-quantum certificate chain.</t>
</dd> </dd>
</dl> </dl>
<t>In a PQ/T hybrid protocol with a non-composite construction, changes ar
e primarily made to the protocol fields, the message flow, or both, while change <t>In a PQ/T hybrid protocol with a non-composite construction, changes
s to cryptographic elements are minimised. In implementations, most changes are are primarily made to the protocol fields, the message flow, or both,
likely to be made to the protocol libraries, with minimal changes to the crypto while changes to cryptographic elements are minimised. In
graphic libraries.</t> implementations, most changes are likely to be made to the protocol
<t>It is possible for a PQ/T hybrid protocol to be designed with both comp libraries, with minimal changes to the cryptographic libraries.</t>
osite and non-composite constructions. For example, a protocol that offers both <t>It is possible for a PQ/T hybrid protocol to be designed with both
confidentiality and authentication could have composite key agreement and non-c composite and non-composite constructions. For example, a protocol that
omposite authentication. Similarly, it is possible for a PQ/T hybrid protocol t offers both confidentiality and authentication could have composite key
o achieve certain cryptographic outcomes in a non-hybrid manner. For example <x agreement and non-composite authentication. Similarly, it is possible
ref target="I-D.ietf-tls-hybrid-design"/> describes a PQ/T hybrid protocol with for a PQ/T hybrid protocol to achieve certain cryptographic outcomes in
composite key agreement, but with single-algorithm authentication.</t> a non-hybrid manner. For example, <xref
<t>PQ/T hybrid protocols may not specify non-composite aspects, but can ch target="I-D.ietf-tls-hybrid-design"/> describes a PQ/T hybrid protocol
oose to do so for clarity, in particular if including both composite and non-com with composite key agreement, but with single-algorithm
posite aspects.</t> authentication.</t>
<dl> <t>PQ/T hybrid protocols may not specify non-composite aspects, but can
<dt><strong>PQ/T Hybrid Composite Protocol</strong>:</dt> choose to do so for clarity, in particular, if including both composite
and non-composite aspects.</t>
<dl newline="true">
<dt><strong>PQ/T hybrid composite protocol</strong>:</dt>
<dd> <dd>
<t>A PQ/T hybrid protocol that only uses composite constructions can b <t>A PQ/T hybrid protocol that only uses composite constructions can
e referred to as a PQ/T Hybrid Composite Protocol. be referred to as a "PQ/T hybrid composite protocol".</t>
</t> <t>An example of this is a protocol that only provides entity
<t>For example, a protocol that only provides entity authentication, a authentication, and achieves this using PQ/T hybrid composite entity
nd achieves this using PQ/T hybrid composite entity authentication. Similarly, a authentication. Similarly, another example is a protocol that offers b
protocol that offers both key establishment and data authentication, and achiev oth key
es this using both PQ/T hybrid composite key establishment and PQ/T hybrid compo establishment and data authentication, and achieves this using both
site data authentication.</t> PQ/T hybrid composite key establishment and PQ/T hybrid composite
data authentication.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Non-Composite Protocol</strong>:</dt>
<dt><strong>PQ/T hybrid non-composite protocol</strong>:</dt>
<dd> <dd>
<t>A PQ/T hybrid protocol that does not use only composite constructio <t>A PQ/T hybrid protocol that does not use only composite
ns can be referred to as a PQ/T Hybrid Non-Composite Protocol. constructions can be referred to as a "PQ/T hybrid non-composite
</t> protocol".</t>
<t>For example, a PQ/T hybrid protocol that offers both confidentialit <t>For example, a PQ/T hybrid protocol that offers both
y and authentication and uses composite key agreement and non-composite authenti confidentiality and authentication and uses composite key agreement
cation would be referred to as a PQ/T hybrid non-composite protocol.</t> and non-composite authentication would be referred to as a "PQ/T
hybrid non-composite protocol".</t>
</dd> </dd>
</dl> </dl>
</section> </section>
<section anchor="properties"> <section anchor="properties">
<name>Properties</name> <name>Properties</name>
<t>This section describes some properties that may be desired from or achi <t>This section describes some properties that may be desired from or
eved by a PQ/T hybrid scheme or PQ/T hybrid protocol. Properties of PQ/T hybrid achieved by a PQ/T hybrid scheme or a PQ/T hybrid protocol. Properties of
schemes are still an active area of research and development, e.g., <xref targe PQ/T hybrid schemes are still an active area of research and
t="BINDELHALE"/>. This section does not attempt to be comprehensive, but rather development, e.g., in <xref target="BINDELHALE"/>. This section does not
covers a basic set of properties.</t> attempt to be comprehensive, but rather covers a basic set of
<t>It is not possible for one PQ/T hybrid scheme or PQ/T hybrid protocol t properties.</t>
o achieve all of the properties in this section. To understand what properties a <t>It is not possible for one PQ/T hybrid scheme or PQ/T hybrid protocol
re required a designer or implementer will think about why they are using a PQ/T to achieve all of the properties in this section. To understand what
hybrid scheme. For example, a scheme that is designed for implementation securi properties are required, a designer or implementer will think about why
ty will likely require PQ/T hybrid confidentiality or PQ/T hybrid authentication they are using a PQ/T hybrid scheme. For example, a scheme that is
, while a scheme for interoperability will require PQ/T hybrid interoperability. designed for implementation security will likely require PQ/T hybrid
</t> confidentiality or PQ/T hybrid authentication, while a scheme for
<dl> interoperability will require PQ/T hybrid interoperability.</t>
<dt><strong>PQ/T Hybrid Confidentiality</strong>:</dt>
<dl newline="true">
<dt><strong>PQ/T hybrid confidentiality</strong>:</dt>
<dd> <dd>
<t>The property that confidentiality is achieved by a PQ/T hybrid sche <t>The property that confidentiality is achieved by a PQ/T hybrid
me or PQ/T hybrid protocol as long as at least one component algorithm that aims scheme or a PQ/T hybrid protocol as long as at least one component
to provide this property remains secure.</t> algorithm that aims to provide this property remains secure.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Authentication</strong>:</dt> <dt><strong>PQ/T hybrid authentication</strong>:</dt>
<dd> <dd>
<t>The property that authentication is achieved by a PQ/T hybrid schem <t>The property that authentication is achieved by a PQ/T hybrid
e or a PQ/T hybrid protocol as long as at least one component algorithm that aim scheme or a PQ/T hybrid protocol as long as at least one component
s to provide this property remains secure.</t> algorithm that aims to provide this property remains secure.</t>
</dd> </dd>
</dl> </dl>
<t>The security properties of a PQ/T hybrid scheme or protocol depend on t <t>The security properties of a PQ/T hybrid scheme or protocol depend on
he security of its component algorithms, the choice of PQ/T hybrid combiner, and the security of its component algorithms, the choice of PQ/T hybrid
the capability of an attacker. Changes to the security of a component algorithm combiner, and the capability of an attacker. Changes to the security of
can impact the security properties of a PQ/T hybrid scheme providing hybrid con a component algorithm can impact the security properties of a PQ/T
fidentiality or hybrid authentication. For example, if the post-quantum compone hybrid scheme providing hybrid confidentiality or hybrid authentication.
nt algorithm of a PQ/T hybrid scheme is broken, the scheme will remain secure ag For example, if the post-quantum component algorithm of a PQ/T hybrid
ainst an attacker with a classical computer, but will be vulnerable to an attack scheme is broken, the scheme will remain secure against an attacker with
er with a CRQC.</t> a classical computer, but will be vulnerable to an attacker with a
<t>PQ/T hybrid protocols that offer both confidentiality and authenticatio CRQC.</t>
n do not necessarily offer both hybrid confidentiality and hybrid authentication <t>PQ/T hybrid protocols that offer both confidentiality and
. For example, <xref target="I-D.ietf-tls-hybrid-design"/> provides hybrid conf authentication do not necessarily offer both hybrid confidentiality and
identiality but does not address hybrid authentication. Therefore, if the desig hybrid authentication. For example, <xref
n in <xref target="I-D.ietf-tls-hybrid-design"/> is used with single-algorithm X target="I-D.ietf-tls-hybrid-design"/> provides hybrid confidentiality
.509 certificates as defined in <xref target="RFC5280"/> only authentication wit but does not address hybrid authentication. Therefore, if the design in
h a single algorithm is achieved.</t> <xref target="I-D.ietf-tls-hybrid-design"/> is used with
<dl> single-algorithm X.509 certificates as defined in <xref
<dt><strong>PQ/T Hybrid Interoperability</strong>:</dt> target="RFC5280"/>, only authentication with a single algorithm is
achieved.</t>
<dl newline="true">
<dt><strong>PQ/T hybrid interoperability</strong>:</dt>
<dd> <dd>
<t>The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can <t>The property that a PQ/T hybrid scheme or a PQ/T hybrid protocol
be completed successfully provided that both parties share support for at least can be completed successfully provided that both parties share
one component algorithm. support for at least one component algorithm.</t>
</t> <t>For example, a PQ/T hybrid digital signature might achieve hybrid
<t>For example, a PQ/T hybrid digital signature might achieve hybrid i interoperability if the signature can be verified by either
nteroperability if the signature can be verified by either verifying the traditi verifying the traditional or the post-quantum component, such as the
onal or the post-quantum component, such as the approach defined in section 7.2. approach defined in Section 7.2.2 of <xref
2 of <xref target="ITU-T-X509-2019"/>. In this example a verifier that has migr target="ITU-T-X509-2019"/>. In this example, a verifier that has
ated to support post-quantum algorithms is required to verify only the post-quan migrated to support post-quantum algorithms is required to verify
tum signature, while a verifier that has not migrated will verify only the tradi only the post-quantum signature, while a verifier that has not
tional signature.</t> migrated will verify only the traditional signature.</t>
</dd> </dd>
</dl> </dl>
<t>In the case of a protocol that aims to achieve both authentication and <t>In the case of a protocol that aims to achieve both authentication
confidentiality, PQ/T hybrid interoperability requires that at least one compone and confidentiality, PQ/T hybrid interoperability requires that at least
nt authentication algorithm and at least one component algorithm for confidentia one component authentication algorithm and at least one component
lity is supported by both parties.</t> algorithm for confidentiality is supported by both parties.</t>
<t>It is not possible for a PQ/T hybrid scheme to achieve both PQ/T hybrid <t>It is not possible for a PQ/T hybrid scheme to achieve both PQ/T
interoperability and PQ/T hybrid confidentiality without additional functionali hybrid interoperability and PQ/T hybrid confidentiality without
ty at a protocol level. For PQ/T hybrid interoperability a scheme needs to work additional functionality at a protocol level. For PQ/T hybrid
whenever one component algorithm is supported by both parties, while to achieve interoperability, a scheme needs to work whenever one component algorithm
PQ/T hybrid confidentiality all component algorithms need to be used. However, is supported by both parties, while to achieve PQ/T hybrid
both properties can be achieved in a PQ/T hybrid protocol by building in downgr confidentiality, all component algorithms need to be used. However, both
ade protection external to the cryptographic schemes. For example, in <xref tar properties can be achieved in a PQ/T hybrid protocol by building in
get="I-D.ietf-tls-hybrid-design"/>, the client uses the TLS supported groups ext downgrade protection external to the cryptographic schemes. For
ension to advertise support for a PQ/T hybrid scheme and the server can select t example, in <xref target="I-D.ietf-tls-hybrid-design"/>, the client uses
his group if it supports the scheme. This is protected using TLS's existing dow the TLS supported groups extension to advertise support for a PQ/T
ngrade protection, so achieves PQ/T hybrid confidentiality, but the connection c hybrid scheme, and the server can select this group if it supports the
an still be made if either the client or server does not support the PQ/T hybrid scheme. This is protected using TLS's existing downgrade protection, so i
scheme, so PQ/T hybrid interoperability is achieved.</t> t
<t>The same is true for PQ/T hybrid interoperability and PQ/T hybrid authe achieves PQ/T hybrid confidentiality, but the connection can still be
ntication. It is not possible to achieve both with a PQ/T hybrid scheme alone, made if either the client or server does not support the PQ/T hybrid
but it is possible with a PQ/T hybrid protocol that has appropriate downgrade pr scheme, so PQ/T hybrid interoperability is achieved.</t>
otection.</t> <t>The same is true for PQ/T hybrid interoperability and PQ/T hybrid
<dl> authentication. It is not possible to achieve both with a PQ/T hybrid
<dt><strong>PQ/T Hybrid Backwards Compatibility</strong>:</dt> scheme alone, but it is possible with a PQ/T hybrid protocol that has
appropriate downgrade protection.</t>
<dl newline="true">
<dt><strong>PQ/T hybrid backwards compatibility</strong>:</dt>
<dd> <dd>
<t>The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can <t>The property that a PQ/T hybrid scheme or a PQ/T hybrid protocol
be completed successfully provided that both parties support the traditional com can be completed successfully provided that both parties support the
ponent algorithm, while also using both algorithms if both are supported by both traditional component algorithm, while also using both algorithms if
parties.</t> both are supported by both parties.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Forwards Compatibility</strong>:</dt> <dt><strong>PQ/T Hybrid Forwards Compatibility</strong>:</dt>
<dd> <dd>
<t>The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can <t>The property that a PQ/T hybrid scheme or a PQ/T hybrid protocol
be completed successfully using a post-quantum component algorithm provided that can be completed successfully using a post-quantum component
both parties support it, while also having the option to use both post-quantum algorithm provided that both parties support it, while also having
and traditional algorithms if both are supported by both parties. the option to use both post-quantum and traditional algorithms if
</t> both are supported by both parties.</t>
<t>Note that PQ/T hybrid forwards compatability is a protocol or schem <t>Note that PQ/T hybrid forwards compatibility is a protocol or schem
e property only.</t> e property only.</t>
</dd> </dd>
</dl> </dl>
</section> </section>
<section anchor="certificates"> <section anchor="certificates">
<name>Certificates</name> <name>Certificates</name>
<t>This section introduces terminology related to the use of certificates <t>This section introduces terminology related to the use of
in hybrid schemes.</t> certificates in hybrid schemes.</t>
<dl>
<dt><strong>PQ/T Hybrid Certificate</strong>:</dt> <dl newline="true">
<dt><strong>PQ/T hybrid certificate</strong>:</dt>
<dd> <dd>
<t>A digital certificate that contains public keys for two or more com <t>A digital certificate that contains public keys for two or more
ponent algorithms where at least one is a traditional algorithm and at least one component algorithms where at least one is a traditional algorithm
is a post-quantum algorithm. and at least one is a post-quantum algorithm.</t>
</t> <t>A PQ/T hybrid certificate could be used to facilitate a PQ/T
<t>A PQ/T hybrid certificate could be used to facilitate a PQ/T hybrid hybrid authentication protocol. However, a PQ/T hybrid
authentication protocol. However, a PQ/T hybrid authentication protocol does n authentication protocol does not need to use a PQ/T hybrid
ot need to use a PQ/T hybrid certificate; separate certificates could be used fo certificate; separate certificates could be used for individual
r individual component algorithms.</t> component algorithms.</t>
<t>The component public keys in a PQ/T hybrid certificate could be inc <t>The component public keys in a PQ/T hybrid certificate could be
luded as a composite public key or as individual component public keys.</t> included as a composite public key or as individual component public
<t>The use of a PQ/T hybrid certificate does not necessarily achieve h keys.</t>
ybrid authentication of the identity of the sender; this is determined by proper <t>The use of a PQ/T hybrid certificate does not necessarily achieve
ties of the chain of trust. For example, an end-entity certificate that contains hybrid authentication of the identity of the sender; this is
a composite public key, but which is signed using a single-algorithm digital si determined by properties of the chain of trust. For example, an
gnature scheme could be used to provide hybrid authentication of the source of a end-entity certificate that contains a composite public key, but
message, but would not achieve hybrid authentication of the identity of the sen which is signed using a single-algorithm digital signature scheme,
der.</t> could be used to provide hybrid authentication of the source of a
message, but would not achieve hybrid authentication of the identity
of the sender.</t>
</dd> </dd>
<dt><strong>Post-Quantum Certificate</strong>:</dt> <dt><strong>Post-quantum certificate</strong>:</dt>
<dd> <dd>
<t>A digital certificate that contains a single public key for a post- <t>A digital certificate that contains a single public key for a
quantum digital signature algorithm.</t> post-quantum digital signature algorithm.</t>
</dd> </dd>
<dt><strong>Traditional Certificate</strong>:</dt> <dt><strong>Traditional certificate</strong>:</dt>
<dd> <dd>
<t>A digital certificate that contains a single public key for a tradi <t>A digital certificate that contains a single public key for a
tional digital signature algorithm.</t> traditional digital signature algorithm.</t>
</dd> </dd>
</dl> </dl>
<t>X.509 certificates as defined in <xref target="RFC5280"/> could be eith <t>X.509 certificates as defined in <xref target="RFC5280"/> could be
er traditional or post-quantum certificates depending on the algorithm in the Su either traditional or post-quantum certificates depending on the
bject Public Key Info. For example, a certificate containing a ML-DSA public ke algorithm in the Subject Public Key Info. For example, a certificate
y, as will be defined in <xref target="I-D.ietf-lamps-dilithium-certificates"/>, containing a ML-DSA public key, as defined in <xref
would be a post-quantum certificate.</t> target="I-D.ietf-lamps-dilithium-certificates"/>, would be a
<dl> post-quantum certificate.</t>
<dt><strong>Post-Quantum Certificate Chain</strong>:</dt>
<dl newline="true">
<dt><strong>Post-quantum certificate chain</strong>:</dt>
<dd> <dd>
<t>A certificate chain where all certificates include a public key for <t>A certificate chain where all certificates include a public key
a post-quantum algorithm and are signed using a post-quantum digital signature for a post-quantum algorithm and are signed using a post-quantum
scheme.</t> digital signature scheme.</t>
</dd> </dd>
<dt><strong>Traditional Certificate Chain</strong>:</dt> <dt><strong>Traditional certificate chain</strong>:</dt>
<dd> <dd>
<t>A certificate chain where all certificates include a public key for <t>A certificate chain where all certificates include a public key
a traditional algorithm and are signed using a traditional digital signature sc for a traditional algorithm and are signed using a traditional
heme.</t> digital signature scheme.</t>
</dd> </dd>
<dt><strong>PQ/T Hybrid Certificate Chain</strong>:</dt> <dt><strong>PQ/T hybrid certificate chain</strong>:</dt>
<dd> <dd>
<t>A certificate chain where all certificates are PQ/T hybrid certific <t>A certificate chain where all certificates are PQ/T hybrid
ates and each certificate is signed with two or more component algorithms with a certificates and each certificate is signed with two or more
t least one being a traditional algorithm and at least one being a post-quantum component algorithms with at least one being a traditional algorithm
algorithm.</t> and at least one being a post-quantum algorithm.</t>
</dd> </dd>
</dl> </dl>
<t>A PQ/T hybrid certificate chain is one way of achieving hybrid authenti <t>A PQ/T hybrid certificate chain is one way of achieving hybrid
cation of the identity of a sender in a protocol, but is not the only way. An al authentication of the identity of a sender in a protocol, but it is not th
ternative is to use a PQ/T parallel PKI as defined below.</t> e
<dl> only way. An alternative is to use a PQ/T parallel PKI as defined
<dt><strong>PQ/T Mixed Certificate Chain</strong>:</dt> below.</t>
<dl newline="true">
<dt><strong>PQ/T mixed certificate chain</strong>:</dt>
<dd> <dd>
<t>A certificate chain containing at least two of the three certificat <t>A certificate chain containing at least two of the three
e types defined in this draft (PQ/T hybrid certificates, post-quantum certificat certificate types defined in this document (PQ/T hybrid certificates,
es and traditional certificates) post-quantum certificates, and traditional certificates).</t>
</t> <t>For example, a traditional end-entity certificate could be signed
<t>For example, a traditional end-entity certificate could be signed b by a post-quantum intermediate certificate, which in turn could be
y a post-quantum intermediate certificate, which in turn could be signed by a po signed by a post-quantum root certificate. This may be desirable due
st-quantum root certificate. This may be desirable due to the lifetimes of the c to the lifetimes of the certificates, the relative difficulty of
ertificates, the relative difficulty of rotating keys, or for efficiency reasons rotating keys, or for efficiency reasons. The security properties of
. The security properties of a certificate chain that mixes post-quantum and tra a certificate chain that mixes post-quantum and traditional
ditional algorithms would need to be analysed on a case-by-case basis.</t> algorithms would need to be analysed on a case-by-case basis.</t>
</dd> </dd>
<dt><strong>PQ/T Parallel PKI</strong>:</dt>
<dt><strong>PQ/T parallel PKI</strong>:</dt>
<dd> <dd>
<t>Two certificate chains, one a post-quantum certificate chain and on <t>Two certificate chains, one that is a post-quantum certificate chai
e a traditional certificate chain, that are used together in a protocol. n and
</t> one that is a traditional certificate chain, and that are used togethe
<t>A PQ/T parallel PKI might be used achieve hybrid authentication or r in a
hybrid interoperability depending on the protocol implementation.</t> protocol.</t>
<t>A PQ/T parallel PKI might be used to achieve hybrid authentication
or hybrid interoperability depending on the protocol
implementation.</t>
</dd> </dd>
<dt><strong>Multi-Certificate Authentication</strong>:</dt>
<dt><strong>Multi-certificate authentication</strong>:</dt>
<dd> <dd>
<t>Authentication that uses two or more end-entity certificates. <t>Authentication that uses two or more end-entity certificates.</t>
</t> <t>For example, multi-certificate authentication may be achieved
<t>For example, multi-certificate authentication may be achieved using using a PQ/T parallel PKI.</t>
a PQ/T parallel PKI.</t>
</dd> </dd>
</dl> </dl>
</section> </section>
<section anchor="security-considerations"> <section anchor="security-considerations">
<name>Security Considerations</name> <name>Security Considerations</name>
<t>This document defines security-relevant terminology to be used in docum <t>This document defines security-relevant terminology to be used in
ents specifying PQ/T hybrid protocols and schemes. However, the document itself documents specifying PQ/T hybrid protocols and schemes. However, the
does not have a security impact on Internet protocols. The security considerat document itself does not have a security impact on Internet protocols.
ions for each PQ/T hybrid protocol are specific to that protocol and should be d The security considerations for each PQ/T hybrid protocol are specific
iscussed in the relevant specification documents. More general guidance about th to that protocol and should be discussed in the relevant specification
e security considerations, timelines, and benefits and drawbacks of use of PQ/T documents. More general guidance about the security considerations,
hybrids is also out of scope of this document.</t> timelines, and benefits and drawbacks of the use of PQ/T hybrids is also o
ut
of scope of this document.</t>
</section> </section>
<section anchor="iana-considerations"> <section anchor="iana-considerations">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>This document has no IANA actions.</t> <t>This document has no IANA actions.</t>
</section> </section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.ietf-lamps-dilithium-certificates" to="ML-DSA"/>
<displayreference target="I-D.ietf-tls-hybrid-design" to="HYBRID-TLS"/>
<displayreference target="I-D.ietf-lamps-pq-composite-kem" to="COMPOSITE-KEM"/>
<references anchor="sec-informative-references"> <references anchor="sec-informative-references">
<name>Informative References</name> <name>Informative References</name>
<!-- [BINDEL] -->
<reference anchor="BINDEL" target="https://doi.org/10.1007/978-3-030-25510 -7_12"> <reference anchor="BINDEL" target="https://doi.org/10.1007/978-3-030-25510 -7_12">
<front> <front>
<title>Hybrid Key Encapsulation Mechanisms and Authenticated Key Excha nge</title> <title>Hybrid Key Encapsulation Mechanisms and Authenticated Key Excha nge</title>
<author initials="N." surname="Bindel" fullname="Nina Bindel"> <author initials="N." surname="Bindel" fullname="Nina Bindel">
<organization/> <organization/>
</author> </author>
<author initials="J." surname="Brendel" fullname="Jacqueline Brendel"> <author initials="J." surname="Brendel" fullname="Jacqueline Brendel">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Fischlin" fullname="Marc Fischlin"> <author initials="M." surname="Fischlin" fullname="Marc Fischlin">
skipping to change at line 392 skipping to change at line 853
</author> </author>
<author initials="B." surname="Goncalves" fullname="Brian Goncalves"> <author initials="B." surname="Goncalves" fullname="Brian Goncalves">
<organization/> <organization/>
</author> </author>
<author initials="D." surname="Stebila" fullname="Douglas Stebila"> <author initials="D." surname="Stebila" fullname="Douglas Stebila">
<organization/> <organization/>
</author> </author>
<date year="2019" month="July"/> <date year="2019" month="July"/>
</front> </front>
<seriesInfo name="DOI" value="10.1007/978-3-030-25510-7_12"/> <seriesInfo name="DOI" value="10.1007/978-3-030-25510-7_12"/>
<refcontent>Post-Quantum Cryptography pp.206-226</refcontent> <refcontent>Post-Quantum Cryptography, PQCrypto 2019, Lecture Notes in C omputer Science, vol. 11505, pp. 206-226</refcontent>
</reference> </reference>
<reference anchor="BINDELHALE" target="https://eprint.iacr.org/2023/423.pd f"> <reference anchor="BINDELHALE" target="https://eprint.iacr.org/2023/423.pd f">
<front> <front>
<title>A Note on Hybrid Signature Schemes</title> <title>A Note on Hybrid Signature Schemes</title>
<author initials="N." surname="Bindel" fullname="Nina Bindel"> <author initials="N." surname="Bindel" fullname="Nina Bindel">
<organization/> <organization/>
</author> </author>
<author initials="B." surname="Hale" fullname="Britta Hale"> <author initials="B." surname="Hale" fullname="Britta Hale">
<organization/> <organization/>
</author> </author>
<date year="2023" month="July" day="23"/> <date year="2023" month="July" day="23"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2023/423</refcontent> <refcontent>Cryptology ePrint Archive, Paper 2023/423</refcontent>
</reference> </reference>
<!-- [ETSI_TS103774] -->
<reference anchor="ETSI_TS103774" target="https://www.etsi.org/deliver/ets i_ts/103700_103799/103744/01.01.01_60/ts_103744v010101p.pdf"> <reference anchor="ETSI_TS103774" target="https://www.etsi.org/deliver/ets i_ts/103700_103799/103744/01.01.01_60/ts_103744v010101p.pdf">
<front> <front>
<title>CYBER; Quantum-safe Hybrid Key Exchanges</title> <title>CYBER; Quantum-safe Hybrid Key Exchanges</title>
<author> <author>
<organization>ETSI TS 103 744 V1.1.1</organization> <organization>European Telecommunications Standards Institute (ETSI) </organization>
</author> </author>
<date year="2020" month="December"/> <date year="2020" month="December"/>
</front> </front>
<refcontent>ETSI TS 103 744 v1.1.1</refcontent>
</reference> </reference>
<!-- [ITU-T-X509-2019] Date was changed from January 2019 to October 2019 to mat
ch the information at the URL. -->
<reference anchor="ITU-T-X509-2019" target="https://www.itu.int/rec/T-REC- X.509-201910-I"> <reference anchor="ITU-T-X509-2019" target="https://www.itu.int/rec/T-REC- X.509-201910-I">
<front> <front>
<title>ITU-T X.509 The Directory - Public-key and attribute certificat e frameworks</title> <title>Information Technology - Open Systems Interconnection - The Dir ectory: Public-key and attribute certificate frameworks</title>
<author> <author>
<organization>ITU-T</organization> <organization>ITU-T</organization>
</author> </author>
<date year="2019" month="January"/> <date year="2019" month="October"/>
</front> </front>
<seriesInfo name="ITU-T Recommendation" value="X.509"/>
</reference> </reference>
<!-- [rfced] FYI, this reference has been edited to show the most
recent date it was updated (31 January 2025). Please review and
let us know if you prefer otherwise.
Original:
[NIST_PQC_FAQ]
National Institute of Standards and Technology (NIST),
"Post-Quantum Cryptography FAQs", 5 July 2022,
<https://csrc.nist.gov/Projects/post-quantum-cryptography/
faqs>.
Current:
[NIST_PQC_FAQ]
NIST, "Post-Quantum Cryptography (PQC) FAQs", 31 January
2025, <https://csrc.nist.gov/Projects/post-quantum-
cryptography/faqs>.
-->
<reference anchor="NIST_PQC_FAQ" target="https://csrc.nist.gov/Projects/po st-quantum-cryptography/faqs"> <reference anchor="NIST_PQC_FAQ" target="https://csrc.nist.gov/Projects/po st-quantum-cryptography/faqs">
<front> <front>
<title>Post-Quantum Cryptography FAQs</title> <title>Post-Quantum Cryptography (PQC) FAQs</title>
<author> <author>
<organization>National Institute of Standards and Technology (NIST)< /organization> <organization>NIST</organization>
</author> </author>
<date year="2022" month="July" day="05"/> <date year="2025" month="January" day="31"/>
</front> </front>
</reference> </reference>
<!-- [NIST_SP_800-152] -->
<reference anchor="NIST_SP_800-152" target="https://doi.org/10.6028/NIST.S P.800-152"> <reference anchor="NIST_SP_800-152" target="https://doi.org/10.6028/NIST.S P.800-152">
<front> <front>
<title>NIST SP 800-152 A Profile for U. S. Federal Cryptographic Key M <title>A Profile for U. S. Federal Cryptographic Key Management System
anagement Systems</title> s</title>
<author initials="E. B." surname="Barker" fullname="Elaine B. Barker"> <author initials="E." surname="Barker" fullname="Elaine B. Barker">
<organization>Information Technology Laboratory</organization> <organization>Information Technology Laboratory</organization>
</author> </author>
<author initials="M." surname="Smid" fullname="Miles Smid"> <author initials="M." surname="Smid" fullname="Miles Smid">
<organization>Information Technology Laboratory</organization> <organization>Information Technology Laboratory</organization>
</author> </author>
<author initials="D." surname="Branstad" fullname="Dannis Branstad"> <author initials="D." surname="Branstad" fullname="Dannis Branstad">
<organization>Information Technology Laboratory</organization> <organization>Information Technology Laboratory</organization>
</author> </author>
<author>
<organization>National Institute of Standards and Technology (NIST)<
/organization>
</author>
<date year="2015" month="October"/> <date year="2015" month="October"/>
</front> </front>
<seriesInfo name="NIST SP" value="800-152"/>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-15"/>
</reference> </reference>
<reference anchor="I-D.ietf-lamps-dilithium-certificates">
<front>
<title>Internet X.509 Public Key Infrastructure: Algorithm Identifiers
for ML-DSA</title>
<author fullname="Jake Massimo" initials="J." surname="Massimo">
<organization>AWS</organization>
</author>
<author fullname="Panos Kampanakis" initials="P." surname="Kampanakis"
>
<organization>AWS</organization>
</author>
<author fullname="Sean Turner" initials="S." surname="Turner">
<organization>sn3rd</organization>
</author>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
<organization>Cloudflare</organization>
</author>
<date day="4" month="November" year="2024"/>
<abstract>
<t> Digital signatures are used within X.509 certificates, Certifi
cate
Revocation Lists (CRLs), and to sign messages. This document
describes the conventions for using FIPS 204, the Module-Lattice-
Based Digital Signature Algorithm (ML-DSA) in Internet X.509
certificates and certificate revocation lists. The conventions for
the associated signatures, subject public keys, and private key are
also described.
</t> <!-- [I-D.ietf-lamps-dilithium-certificates] draft-ietf-lamps-dilithium-certific
</abstract> ates
</front> IESG State: IESG Evaluation. Updated to "long way" to match the document's heade
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-dilithium-cert r.-->
ificates-05"/>
</reference>
<reference anchor="I-D.ietf-lamps-cert-binding-for-multi-auth">
<front>
<title>Related Certificates for Use in Multiple Authentications within
a Protocol</title>
<author fullname="Alison Becker" initials="A." surname="Becker">
<organization>National Security Agency</organization>
</author>
<author fullname="Rebecca Guthrie" initials="R." surname="Guthrie">
<organization>National Security Agency</organization>
</author>
<author fullname="Michael J. Jenkins" initials="M. J." surname="Jenkin
s">
<organization>National Security Agency</organization>
</author>
<date day="10" month="December" year="2024"/>
<abstract>
<t> This document defines a new CSR attribute, relatedCertRequest,
and a
new X.509 certificate extension, RelatedCertificate. The use of the
relatedCertRequest attribute in a CSR and the inclusion of the
RelatedCertificate extension in the resulting certificate together
provide additional assurance that two certificates each belong to the
same end entity. This mechanism is particularly useful in the
context of non-composite hybrid authentication, which enables users
to employ the same certificates in hybrid authentication as in
authentication done with only traditional or post-quantum algorithms.
</t> <reference anchor="I-D.ietf-lamps-dilithium-certificates" target="https://datatr
</abstract> acker.ietf.org/doc/html/draft-ietf-lamps-dilithium-certificates-11">
</front> <front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-cert-binding-f <title>Internet X.509 Public Key Infrastructure - Algorithm Identifiers fo
or-multi-auth-06"/> r Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title>
</reference> <author initials="J." surname="Massimo" fullname="Jake Massimo">
<reference anchor="I-D.ietf-tls-hybrid-design"> <organization>AWS</organization>
<front> </author>
<title>Hybrid key exchange in TLS 1.3</title> <author initials="P." surname="Kampanakis" fullname="Panos Kampanakis">
<author fullname="Douglas Stebila" initials="D." surname="Stebila"> <organization>AWS</organization>
<organization>University of Waterloo</organization> </author>
</author> <author initials="S." surname="Turner" fullname="Sean Turner">
<author fullname="Scott Fluhrer" initials="S." surname="Fluhrer"> <organization>sn3rd</organization>
<organization>Cisco Systems</organization> </author>
</author> <author initials="B. E." surname="Westerbaan" fullname="Bas Westerbaan">
<author fullname="Shay Gueron" initials="S." surname="Gueron"> <organization>Cloudflare</organization>
<organization>University of Haifa</organization> </author>
</author> <date month="May" day="22" year="2025" />
<date day="7" month="October" year="2024"/> </front>
<abstract> <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-dilithium-certifica
<t> Hybrid key exchange refers to using multiple key exchange algo tes-11" />
rithms
simultaneously and combining the result with the goal of providing
security even if all but one of the component algorithms is broken.
It is motivated by transition to post-quantum cryptography. This
document provides a construction for hybrid key exchange in the
Transport Layer Security (TLS) protocol version 1.3.
Discussion of this work is encouraged to happen on the TLS IETF </reference>
mailing list tls@ietf.org or on the GitHub repository which contains
the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design.
</t> <!-- [I-D.ietf-lamps-cert-binding-for-multi-auth]
</abstract> in AUTH48 as RFC-to-be 9763 as of 5/29/25.
</front> -->
<seriesInfo name="Internet-Draft" value="draft-ietf-tls-hybrid-design-11 <reference anchor="RFC9763" target="https://www.rfc-editor.org/info/rfc9763">
"/> <front>
</reference> <title>Related Certificates for Use in Multiple Authentications within a P
<reference anchor="I-D.ietf-lamps-pq-composite-kem"> rotocol</title>
<front> <author initials="A." surname="Becker" fullname="Alison Becker">
<title>Composite ML-KEM for use in X.509 Public Key Infrastructure and <organization>National Security Agency</organization>
CMS</title> </author>
<author fullname="Mike Ounsworth" initials="M." surname="Ounsworth"> <author initials="R." surname="Guthrie" fullname="Rebecca Guthrie">
<organization>Entrust Limited</organization> <organization>National Security Agency</organization>
</author> </author>
<author fullname="John Gray" initials="J." surname="Gray"> <author initials="M." surname="Jenkins" fullname="Michael J. Jenkins">
<organization>Entrust Limited</organization> <organization>National Security Agency</organization>
</author> </author>
<author fullname="Massimiliano Pala" initials="M." surname="Pala"> <date month='June' year='2025'/>
<organization>OpenCA Labs</organization> </front>
</author> <seriesInfo name="RFC" value="9763"/>
<author fullname="Jan Klaußner" initials="J." surname="Klaußner"> <seriesInfo name="DOI" value="10.17487/RFC9763"/>
<organization>Bundesdruckerei GmbH</organization> </reference>
</author>
<author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
<organization>Cisco Systems</organization>
</author>
<date day="21" month="October" year="2024"/>
<abstract>
<t> This document defines combinations of ML-KEM [FIPS.203] in hyb
rid
with traditional algorithms RSA-OAEP, ECDH, X25519, and X448. These
combinations are tailored to meet security best practices and
regulatory requirements. Composite ML-KEM is applicable in any
application that uses X.509, PKIX, and CMS data structures and
protocols that accept ML-KEM, but where the operator wants extra
protection against breaks or catastrophic bugs in ML-KEM. For use
within CMS, this document is intended to be coupled with the CMS
KEMRecipientInfo mechanism in [RFC9629].
</t> <!-- [I-D.ietf-tls-hybrid-design] draft-ietf-tls-hybrid-design-12 IESG State: I-
</abstract> D Exists as of 02/12/25. -->
</front> <xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ie
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-pq-composite-k tf-tls-hybrid-design.xml"/>
em-05"/>
</reference> <!-- [I-D.ietf-lamps-pq-composite-kem]
<reference anchor="RFC4949"> Updated to "long way" to match information in the header. -->
<front>
<title>Internet Security Glossary, Version 2</title> <reference anchor="I-D.ietf-lamps-pq-composite-kem" target="https://datatracker.
<author fullname="R. Shirey" initials="R." surname="Shirey"/> ietf.org/doc/html/draft-ietf-lamps-pq-composite-kem-06">
<date month="August" year="2007"/> <front>
<abstract> <title>Composite ML-KEM for use in X.509 Public Key Infrastructure and CMS
<t>This Glossary provides definitions, abbreviations, and explanatio </title>
ns of terminology for information system security. The 334 pages of entries offe <author initials="M." surname="Ounsworth" fullname="Mike Ounsworth">
r recommendations to improve the comprehensibility of written material that is g <organization>Entrust Limited</organization>
enerated in the Internet Standards Process (RFC 2026). The recommendations follo </author>
w the principles that such writing should (a) use the same term or definition wh <author initials="J." surname="Gray" fullname="John Gray">
enever the same concept is mentioned; (b) use terms in their plainest, dictionar <organization>Entrust Limited</organization>
y sense; (c) use terms that are already well-established in open publications; a </author>
nd (d) avoid terms that either favor a particular vendor or favor a particular t <author initials="M." surname="Pala" fullname="Massimiliano Pala">
echnology or mechanism over other, competing techniques that already exist or co <organization>OpenCA Labs</organization>
uld be developed. This memo provides information for the Internet community.</t> </author>
</abstract> <author initials="J." surname="Klaussner" fullname="Jan Klaussner">
</front> <organization>Bundesdruckerei GmbH</organization>
<seriesInfo name="FYI" value="36"/> </author>
<seriesInfo name="RFC" value="4949"/> <author initials="S." surname="Fluhrer" fullname="Scott Fluhrer">
<seriesInfo name="DOI" value="10.17487/RFC4949"/> <organization>Cisco Systems</organization>
</reference> </author>
<reference anchor="RFC5280"> <date month="March" day="18" year="2025" />
<front> </front>
<title>Internet X.509 Public Key Infrastructure Certificate and Certif <seriesInfo name="Internet-Draft" value="draft-ietf-lamps-pq-composite-kem-06
icate Revocation List (CRL) Profile</title> " />
<author fullname="D. Cooper" initials="D." surname="Cooper"/>
<author fullname="S. Santesson" initials="S." surname="Santesson"/> </reference>
<author fullname="S. Farrell" initials="S." surname="Farrell"/>
<author fullname="S. Boeyen" initials="S." surname="Boeyen"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.494
<author fullname="R. Housley" initials="R." surname="Housley"/> 9.xml"/>
<author fullname="W. Polk" initials="W." surname="Polk"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.528
<date month="May" year="2008"/> 0.xml"/>
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.844
<t>This memo profiles the X.509 v3 certificate and X.509 v2 certific 6.xml"/>
ate revocation list (CRL) for use in the Internet. An overview of this approach <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.918
and model is provided as an introduction. The X.509 v3 certificate format is des 0.xml"/>
cribed in detail, with additional information regarding the format and semantics <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.937
of Internet name forms. Standard certificate extensions are described and two I 0.xml"/>
nternet-specific extensions are defined. A set of required certificate extension
s is specified. The X.509 v2 CRL format is described in detail along with standa
rd and Internet-specific extensions. An algorithm for X.509 certification path v
alidation is described. An ASN.1 module and examples are provided in the appendi
ces. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5280"/>
<seriesInfo name="DOI" value="10.17487/RFC5280"/>
</reference>
<reference anchor="RFC8446">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies version 1.3 of the Transport Layer Securi
ty (TLS) protocol. TLS allows client/server applications to communicate over the
Internet in a way that is designed to prevent eavesdropping, tampering, and mes
sage forgery.</t>
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077
, 5246, and 6961. This document also specifies new requirements for TLS 1.2 impl
ementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC9180">
<front>
<title>Hybrid Public Key Encryption</title>
<author fullname="R. Barnes" initials="R." surname="Barnes"/>
<author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
<author fullname="B. Lipp" initials="B." surname="Lipp"/>
<author fullname="C. Wood" initials="C." surname="Wood"/>
<date month="February" year="2022"/>
<abstract>
<t>This document describes a scheme for hybrid public key encryption
(HPKE). This scheme provides a variant of public key encryption of arbitrary-si
zed plaintexts for a recipient public key. It also includes three authenticated
variants, including one that authenticates possession of a pre-shared key and tw
o optional ones that authenticate possession of a key encapsulation mechanism (K
EM) private key. HPKE works for any combination of an asymmetric KEM, key deriva
tion function (KDF), and authenticated encryption with additional data (AEAD) en
cryption function. Some authenticated variants may not be supported by all KEMs.
We provide instantiations of the scheme using widely used and efficient primiti
ves, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key
derivation function (HKDF), and SHA2.</t>
<t>This document is a product of the Crypto Forum Research Group (CF
RG) in the IRTF.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9180"/>
<seriesInfo name="DOI" value="10.17487/RFC9180"/>
</reference>
<reference anchor="RFC9370">
<front>
<title>Multiple Key Exchanges in the Internet Key Exchange Protocol Ve
rsion 2 (IKEv2)</title>
<author fullname="CJ. Tjhai" initials="CJ." surname="Tjhai"/>
<author fullname="M. Tomlinson" initials="M." surname="Tomlinson"/>
<author fullname="G. Bartlett" initials="G." surname="Bartlett"/>
<author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
<author fullname="D. Van Geest" initials="D." surname="Van Geest"/>
<author fullname="O. Garcia-Morchon" initials="O." surname="Garcia-Mor
chon"/>
<author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
<date month="May" year="2023"/>
<abstract>
<t>This document describes how to extend the Internet Key Exchange P
rotocol Version 2 (IKEv2) to allow multiple key exchanges to take place while co
mputing a shared secret during a Security Association (SA) setup.</t>
<t>This document utilizes the IKE_INTERMEDIATE exchange, where multi
ple key exchanges are performed when an IKE SA is being established. It also int
roduces a new IKEv2 exchange, IKE_FOLLOWUP_KE, which is used for the same purpos
e when the IKE SA is being rekeyed or is creating additional Child SAs.</t>
<t>This document updates RFC 7296 by renaming a Transform Type 4 fro
m "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a fiel
d in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange M
ethod". It also renames an IANA registry for this Transform Type from "Transform
Type 4 - Diffie- Hellman Group Transform IDs" to "Transform Type 4 - Key Exchan
ge Method Transform IDs". These changes generalize key exchange algorithms that
can be used in IKEv2.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9370"/>
<seriesInfo name="DOI" value="10.17487/RFC9370"/>
</reference>
</references> </references>
<?line 386?>
<section numbered="false" anchor="acknowledgments"> <section numbered="false" anchor="acknowledgments">
<name>Acknowledgments</name> <name>Acknowledgments</name>
<t>This document is the product of numerous fruitful discussions in the IE <t>This document is the product of numerous fruitful discussions in the
TF PQUIP group. Thank you in particular to Mike Ounsworth, John Gray, Tim Holle IETF PQUIP group. Thank you in particular to <contact fullname="Mike
beek, Wang Guilin, Rebecca Guthrie, Stephen Farrell, Paul Hoffman and Sofía Celi Ounsworth"/>, <contact fullname="John Gray"/>, <contact fullname="Tim
for their contributions. This document is inspired by many others from the IET Hollebeek"/>, <contact fullname="Wang Guilin"/>, <contact
F and elsewhere.</t> fullname="Rebecca Guthrie"/>, <contact fullname="Stephen Farrell"/>,
<contact fullname="Paul Hoffman"/>, and <contact fullname="Sofía Celi"/>
for their contributions. This document is inspired by many others from
the IETF and elsewhere.</t>
</section> </section>
</back> </back>
<!-- ##markdown-source:
H4sIAAAAAAAAA+1d63LcNpb+7yq/A0v7Y+xUd0uWnThWaqtGkeREcexRLGUz
+8uFJtHdGLHJNkFK7p3yu+wL7EvsvtieCwACJMiWbGdmd2riJJa6QVwOzuU7
F4DT6fThg1rVuTxK9q5ktVZFmZfLbbIoq+Si1PX0l0YUdbNOriqRqVqVhciT
H7fzSmXJZbqSa6n3Hj4Q83klb6CLi1/2r+zXXnfQJBW1XJbV9ihRxaJ8+ODh
g6xMC7GGgbNKLOqpkvViunnfqA38v56uqJNp3XYyPfjm4QPdzNdKa5hHvd3A
s+dnVy8fPiia9VxWR9AnjAJ/pWWhZaEbfZTUVSMfPoC5PYVpVlIcJZdnJw8f
3JbV9bIqm81RcvHLr+cXDx9cyy18mEGXBQxayHp6ivOCZ2XRYKdJEj6QJDyF
36ArVSyTH/Bb/HgtVH6UrOp6o4/29/E3UaUrdSNnuMZZWS338YP9eVXearm/
eZ/u42P42b0fwz+iqVclrj6ZYj9JsmjynEn7Mi8rWaQyOa2UTss85wbQlyjU
fwjcz6Pk11fJG2G29mQLhEwuZdpUqt4mJ7KoK8kPSV7XwnQ5y/5YpDqdLcub
WXMdG/y1SldC5smFqDRsyOcPveYOZ5snu4b+HrqoRfKjyGVs2DfiBgZE/l4C
WzfANMjMZZkHw82pk9kKOvljsdEzmTVIbuTfag093TBXfH/+5vTs5yN+tBbV
UtbtNmalop17cjB7cnDwfP/F82+nT6cHTw+mh19//eRg+vzdk0PzJEuhEZ5X
cpucFanY6CanSSevJSy+UHqtE1FkyTFsOlBIoVyZ5h+wwdIsuGUK+mdqf0hA
/kAs3syS71WRybz9nCn3RhWi81X32Z/gWWCByMM/ifR9I3NVyG6Lbh+vZ8lL
4MgVtO128hq4vPdl9/nvZ8kPJdAnv5G62wFsvij6X3e7OJ0ll7Wcg5h1Ozgt
m2UudPh1JRegVmqg+VGoGU+q7aYugZE2q22y2cwOD76ZHh5+w09pWSmpkWXc
Vpz+6fwo2c0PpMqSw4MnL6YHz5HvLKf9ePzz2QC3yU2linqmRFoR1x0eHD7d
f3b4dLbJFgGXHSdvSmB6YCury9WyEHVTSavVI1zkCBjnoAH+CZ+CfWuF0tuw
UFp9WjN5ySjJC1xecsxqcQKKZQMawy4yJNshUPX5FD/Fz8+uLs/fXV0+OXj6
/PmzAeLd3t7OZK1ZXmH6MES1jx+8q/U+Pnlw8A7/evGCfnv2bP/gyYz+fffN
wX6t3/GnNwdP8M+mR/OTf//+7O13iWGbqRYLGUi7Ed8Y5YGKqMGOaB3J1SWw
z9MExkr+7ckM/nRWfjBlHjq/+nV6Nf3z1wcvpshGI8tWdTMDyu5XMt2/mr49
O5n+eWYfA6Y8D9ZB3SbUILlagWlR8FgNph0medHMc5VOwZaSkhJ1Xal5A5yW
yqpWC9JWyaKCXUcDPLpUGqYvCrTYN+eXV+8ufjl59/L4l4FlpbpKZ6Aua7QS
+xdV+ReYpN7foOS+N1uQepK7vxDvdbDOYSGHUUen7kzaeaGhM1x/uQBtAiQR
Vcb6+wrUucFaj3A5jzubeIjse/C1XW1yeZF8ewA7+/XhbkvzzcHht/v41Ozy
YmaeCpbW6RHUARBooXJJuO9XUIygnmUmKzTL7cpVSpz6WhRiCToCRPFyq2u5
HiBGV62e5YIsAygOUV3Lqv2eN9zaVdBKHnV+FvOyEshfgx2/hpmDtl6r7It1
eSoKYB7QTAK2UHyJfr8UZzz5evrkgLXa+fSUsOE0F+uNnmYqV/VKIWO30qaP
Ii3x++kclDTg1iksZbpu8lpNcQPD5nWuLRLPwIwti1hvm/fTtFyDZKlaguiv
qc3blyfPXjx7YX/++vDbA/vzt8+efWN/fvGk/fwFqNgjhrTT6TQRc11XIq0T
/uhPwDpCb0CKkWQAfgDaw+aQT5LUZeJLdiJy8DWAGACWVJGkAQtvqrIuAQvD
V5r6yeSNzMsNMTR0zetNNNtBaCFq6CQtqw1urkzmZb3qjAa7Vnv+kdDb9VqC
6ku9icwS0JYwIrg9DQ2VyQWIAwzQcbt0k67s6PDQeY3zVGgNM0B6sNK5TBoN
PwJCEWgqJUN8mMUkWZUbiTB4O8GW6AOBSUd3CDQhtGK1nIJngRAbYEKpYUZq
QX3ULWkmibY8OaFHGD9rYl+Yld0jELkMjfbDB/+CflNVZk2KTR4+QMsAEgKr
EAhSc+x7noOuQBLjapZguhcCDYfplsbJAPdVEqgM5BBmB8sbbKoKhbZDyRzk
BMgk81xtoOsE/AVAeUkD5Kk2sNtr2BrLItGdYOohqdFOSVgpGC29ok3hOSxV
DTPWFhNpBErYnTKuIe2l1NItiom0on2gcdvB5gJH4w7Wk+RW5Tnu4E2TF6Bf
4WncKDCUIr3GmaEneQlq9A86Obad4NMC+GIBIq1glvk2yVH7J0uJfeTTTQPM
CdOxDIniCLqlmiTXRXlbMKcEilwAiyRvZS5v4InEWTnzXPLo5O0vJ49hmSdN
ZThDZoq2Vic3Amw9TOkW1jvBrVCLCXOtQFlSQANapfyA5jdJfixvQcJgMopY
uZCp1Br7wIWjC6M2KFdIQRhmA146fgPiIRFCLMFowIa2/VtZhZ5PBcBGIDqu
jGQjE6A0wXo+ewxTADEFP8BtRZfkPWolKTSHrdHAk4ZBMkl9I3fOQV7AwySM
zNsFT/AgCVILpoMgGvcv1D4blgqjSXB18gOqMSfM0AY4ksZbi2KbbCU4zMxR
9AhMqyhrEvtNRu4etARC5SKVIPLYo8g1MlECsnQN22GmhNQ2BIOHMvCrYXLI
nvB7ZS1RrhayVmvJIiNqO98ZK91liQ+BDGwwpqJxytjDpkR0ruD5jva0Ixdp
3mSgAkrQLlvswskZTOWR1S4KZOOxp5GhdyRFXGwd/dgUOfppDBlIxyndbdXI
/regLvBvYhGQLVCBWpNecs2cUHtD4mgoKzCWr/FBjFeIlmJiHtVtE6O/pqS/
4lquVWlTUmnRVt6EfIsTWjjf6Jyj4vHNzl5gqWzLPeQV4iJSjkBYMiy83crQ
i/a37RsZ5LhmU2wYaEP43yyZvgDjFhpL6MyoLdBAdjDY0RQ8BTm4kLtuPgp8
BsqG9AtLZ4rqhiWe5fRiACmkpC00dUurr3gUYBvrMYAcKOTdGrfrve/J+TQH
NsIpwX9rcP9rJzStoUWygIijyMsPAKKAl3S5RntiqY5iYAl4l/HR2n/YAPHR
OiCyI1eLqFbHuPq+MgReXALAB38EvhTLSsqJVdnelEMpQewFcoGcgT1V5Vqh
Dgl1ejsvECr4IC0bEJG1uL4fAaDrXApEtOC+qDVGTxEFdcjKPyCMJHyMPAif
9g1uZfcshmEMJgSiSNRslolhlBvCEGQdOnzm+5r4KNBjXRZWBAT8vNQsS0FL
bNaA5qCVOPDAI66qslmuyqYOJTxYvpPBIbEf7lK2OkOgORqRdDbstyqTdkGK
AZM3ffANoWvmIcv/bCWQhk4fT5CMjmreJrfWm03exokoWGbc5ZlxtMg3YhFc
AxyAtSFKft+oin1WFDrP4uBWIucSrG/BAsb2OxLqGVDP9VgAVwe6eMQXgc4I
ihkFCNPOG6MrS2DgWi1RaNGIgxb5DeAVDUZGHUiegckvyZYW8jYAGdDnHFAy
Q0/Qd4yGViAsqzJnJANfqYoWihI5IShFGqAiKsFGzdE5FwNzt0gnykX8JQ6+
LOFztBIZ7SqSWaYM7j0FHUFPVty0Df/Doxv0YkFdwI83KuONNsTvz4Gt95YW
Q0pc4Z4x9w6tSeQoddD14MJo+40GW6slgybecliITEtNARCEwhWGU1GdxDpi
neumhBIPqhMlhba+LIyqthpBD7HQLDljbiRjbPnHsDFrTsfMxMKBzbawbELq
HKeEwDIHdcFodJL89a/GEf/4EX8ZDgR0vo9HArARLrTXcCQA8fEjAYtL3/22
3DnudbfEjvt2iOf7rh1SoVwAmrW4ipcJlH7Zyj6FJb6icOcnhXCcs2+CC/3J
sRkWyR57/s7ECLN45jzE6LclrmRdkmMPxC7gcQ8fobnSEhMfHTAFY07DMU2Q
YQ/2x4+ofvz4nV3sWYNiKDDKlUujzFnpa2/JLSUeYYA6vlob3jYr3cOgRF01
acC/Vgn5++o/ncxmM6s2AmboNQIYjogP/WlQ3f7XuNwgH2A4DteLGeBkj6fd
gcRhHGkboFbjguIO6Rjf+v4MsEfUu2HJe/ItSR4NihoULWthPC4fTWB25ENN
oZG8FLAHimMXZDsQC1E4hNws6Eb7XjiBBT/opNg9mvoemg9INoM45hFwzOPW
yBvkC9JH2BAVvVxviLfXaJ7ELShnUp4Iiq3PC30YzYX4jRqjMiCLK8ltIg4x
RizRYk0RLbRyE3RMsTFSqsBPF422oSRwj8lsmmgXBq3GvBXDq333hGJyn6GN
vsO9sTDLOVgD4M3hJMKtK4FUyzHoRPlmA3owzKQNesZHYRlyKnzwatSpM47M
374baIyqBjIVy0YseS9GhDJYXJENG6hLA64960RmtEDmYrhM5tRuctzZ74Vt
7RYYTEf6z+IomCi7ucB2eV7eWphmhoKJyI5lxj3lTwfX0UoMW/fKRMvgdyRW
2lBYMHg8cMlbtU0RCOOFsYaG6cN+GjRhGBvhc4Ua6NqKPBa39MLGfjC4EwH2
hXrZIK7Bvhlx2+fZE868IDAGhP0A8ScHhZPjzK6eXQ9/2kKtNTtgWZPKnoZC
ANvUdsPqnir2QjisFPCRRK8EOgABC3tOtsU/o4Jq5D7gfJKXbuQEMfPeQHxi
j0NtaPUwIkfsy0bVS7OhYndmnjSuecK42RZYAMFToFJl3XfwhCnoqih0qQpo
ChvAmKX1oETf3FsHHeN5iHQAPzQ1PL0He+VgpI3Uvb08niRnJ6c/TpLXP09f
nb1OHmGSC+zLto0iv8IancfULTQ6vTyONTq1eSgMIBOMkB9AcVHVVpeCLNVE
vl7gSQSb4jw13VtqoPoEl2mR5h8MJkHn6UrJG3J4BLgZaQPi0HkAiAUbA6ZM
zpazCWEIinuY4PNxVEE5/SQyjNdySJTr0/DnRVMYFvPhJbLWSMVP8gi247FB
g7ExjfwiG5D0wCTbkY6o6x9IVbKpC4ZhJjmV3keRxVkl4GfCNPktDovGtDX0
FCzz6udLBjqYA/z4MbYkN5JNvCF3aqf+LbR3O4EYIEVdkYutrDwoxgvTssL0
kWjLpXCBnLG6qNDzUVQjREpWG2dVmVRWJzsHFkCYsP0ga5F6KaNahS1slEzk
Xnzl11get1YxzMC7INVXX4FXcpQcF74FHRKMu4Wnk8Hw9CTpJNzijSgxwUSK
Jv9mnLg+Hm2FXOE8YpuTKcGjMaGe/Mba909bTD97GGtkJmNm/BtBgJr+D9MD
BVfnbWTGAc/JUB54kF9Ggs4jzi2W2xKmDepyB7o1fm2b8mCgh7HK7nOGEYPS
ly/Midax7WS0u3H8ICE6mtKJpXLuuWkhQPi8XRuK/QXbdpcUhNm2e6UejHhp
4yPnQWZoS4FakYMXpmHWa6Q0R2mFNtJmyA4mTxFq9OKwXoTWmLhF2XgJ2kEc
7XxCHF2vyNMz+UzoEaCVSXP+pdH4YSooA+gnbglbtekK47qEI7rAoXW2zBBt
3iGbYZwfR3cxyP4qhmKFNsbtwvZgbWGQzt4PRxqJ0Fvg2U7qxURI75G/Mnlh
UFViLnOOX/E0SCuaTJMdgnLYWuEU24gq12+EIfIhpo94hBQ3NAwSrLeg+Lbr
aCgSmqK5DibbevkUx57ZRCyG5hpKK+sUJs/gxk91sLo6sWEwX1d1tdOZwNzS
mFJCJKsJDjJqi5lqJl3S1XVuAh4UpRy7XzuyaVxdSgdo2nR8B6/38eiG4gWt
WSTMPEem1zJf4G7/pVRUIIIYpUTQVcsw5T+7u1r0lrXVER99RAtGKBKoQHaS
cCcLad3dRWl9d48jzBZfUhxv2mboOD5sLU8cFpP84ACR2TgkwhFCL3ziMLUN
phtWH8oRkM8Rl3sz+dcUjbnf3LtlZ5pRNkU6BpZkAxUm8danP4WT2hhaCLtN
CRFsi0RJ4agBFfGykeiElJw8GIHoeDO91q6+3HOTXJGIDQW1rTpJs15/XGhs
nSYbfH108ers8egI0CAwTicxOvHWo1YEFe9tOkWXOilunp36QLO2hYm3JeuJ
DpLysdojPCr1ODxK5TgiTmuzvcAXuRRY4xZnA3aqhgwRVWV7HVDjeEaNN/ak
zTGQVqQjXkGNpFV1VtMRd7G6W2Ol11Jam6Uqq8Raf38pOSPc0VdDGtIII56r
oBAtlp8VqLQRLeWz2PTYGNJKFaINrJOifDCqGt2QfV00OaomcW18aIJOMd5A
tIrtaJL9wf6gYylMC6u903E73f1BZsDQjBddiOaDwqqKHtd8KQ7h6E50VCdD
MF12DFmjREoue96HR6YROR8kEMq40wH/b+gUaqb7UIx7t7HZHv9xVbHwyULu
V8YRowZ6FXMM2W25hjZJV2AIiukGy/Upy8RgeZI8On9zOj25OH48S8xPHuzW
hLjbIlXOm7BXF2QOXUILPBoKW6O4AZBIKcNhiwOYZjaZBI+YWP/EW4d2KWyx
wcWCSqg5CExx5LBml8NBzI1caGT9CEOKYUqkagNT8UihDSlOWgI8nhgkToUm
WYSVT03u2R21GmTgXpb6zuzcf/Jvw+DMhnSmzJac2Qo4rGiFEbTC4DW5ngwy
jVdBkWtfj/ZT9LN+sNrqe6+VgatYehBUblfgq2gMNXkd4mQfPvBHZb7wPwE2
Y5YZn5wpv80t+KHl9e1CNLIyjAdO3FL+LyID54K22VeP9k7FyA+IKE2WCmE2
xdhJHhcidWiJ4ALmaizSjOlJB9d9iWqpZNyhnjtOrV2zsHgm2lPLYq52AO1t
u3SKJygKpjIaou+9KSMZA7IF33NFGeufloJGF9aaZ41PME5yMDKcKyZkq5Yn
AEGVmZ8s2mnrOOlH/RDN10gx9H+jAK9VZrDcT0GsPphiiRmKFrX2rJf7t9m8
iHDZ/ReZMAcBTDIueAomHz5mDQHpqegCdGwF3bKuQKY7kS8TxfBDPmGdH52i
sF7DYPAQ+3Ah/DbDGY+xJ5exmlcOtrCHx8QYWDJrPWTI6qYtwbWk44oNtwMu
VYoxRN06oEFoAXFtKoPgAuxWfSth5aYe1G6TzZv4VSacfhMuwcrJVXPAzJaY
7XB9SVgHmNRBsFhMCznP9wBV7UJmHubwCrY3qwrDqXsBq+1RLAJjWUQ7piFs
AWxSKjMu9OkFswIRi4Sv/EjBmuQeoEHcQQv2zKXYTBosjOqfcYni56bEpOnG
c/1Is2qDAKPWMToTl13Y4hlIwabiERD+hnzOypTxPLblKkVNgW1R2JCbczpv
RN5Ig4ZHMsjcwOZPkbRUtrIZfsqqLcvFA6Rw6IWdGgD2GsudeSHmNwu6Ec84
2ImlF1zqANtRydrIaIvyaGW6x0Gj9IzP0oQ+Y+ChGBShWSQGREI6Xj9K0pqj
swBuM65/Jfi0Iu8gKsR2IgHREJ8sRgJvXJ7iGg2DVkMtAhGfQq1ImM6Gmtqp
D7BDD/9Yz2WE0uagnQXZUQQWn+kXAWTxlQwFAYem1G4lzqrj1ER3POJO/XPf
PnvfJuN+w+B8evVUXb/Bk7cxzf7pUPauOzOGc3cQ3nkccTKYXqsWPWBNKnBS
YYoQbHmmASZDnJ0YlWceZVPam6EnMba4bFy1Un0jUhNZjIinihuuobATo9Rb
I/KLty9DZMXXzJiqaKySMfV/90YEXgnmXSv3XTyYD87ywLG4oPnOcU5YNkRl
Yju9IA4A2WKSSFLEYgCRU8rqdw+gdPRnDLN5k0YwrTI+hosxqzZjFT6K7qTd
9LuxjrJnSVzx70paEEX4IFgxOchRt9coOzf3HM8KI2dwMK/2vOwA30zC+boj
KXTG2p1t20mgsOhrkD5D4baQFBa87b7+oZdRHBqgjWqE3IvebCGXZc2+RStF
n56J5BM/GCqFbgZOB01sEDdOWIxFJK02aE/O7ZQzHJpysa3nOipn/qG7QV7D
Y4KGaVAtPrq4fPW4PQuPy4gtQsciKnZNPMkWWFDWwY+8O20TZbw+pggJ2YuR
eWWovSA/AWhz6QEem3DIwQ1nrsJAatg02yIvb12JOekz0vOlxSZYWGKPEfld
+aW1A/nwe2goomK72H7+IhQopwI6OqujBEYupUmMrbrbrtKlEceBavj99pU8
1lAP/ePsbGRxnb2NtTBHX6xOM0O1vQ5p5UkfB+fSQ8EcmfJTHz29bL9pg5Gz
//7Pu3POGSwC7OzfinckD/ePyj3R5XX4J96mw0FhkN9uon8Hlg1Sjk0scAi8
ordJYg8u8qlztRaVyrfsthqQy7eBOf9j2NvCS0PutFlcnsnX/OBBtIInkeGF
UEV7kJiP3kz4ziN/nrm6llwFZs8imKmGc8vVvBJ4Q+WEiQAoHtaXJ95ZzRDA
2fY79e2bsph+QUvqlQhF2VDvMKYR6G74+q7g3TSPIq9Boewyxi4HtiujNjmw
pW/4qgivQvELyWQBe3Ufez14OtfoMAPQOrhthr60f6AHeZTrOVF1n786uzmk
aAceFOSyRrD6BvvfxcSHLPd5Wvpe/NbV0P9ktjsz2y4XzSX6L16dt/WcwTlL
72ZRYENVuNhveG6524wdgZ1GIZzufQ1DR89zyNtX9ORjoj9mrYOneUe2jfQ0
17R/pj3oq/ZxUzBgP9jC2uggF3uYsqOowNE8XFaUBiSv1OOMIhshfu9kmehI
c4mepradhoESErcY41GBbKgJ3TmzyIQ6h8qC4IS6Dy2sIkEmFb2Tz+Ycomas
hlMwXaxFUVCllEeJnZ6Su7WgC0XH/DfvtJ1z5nv6IHLGLuqCUwKVisXopPi2
S1W65FPzSBgKwZvZNd8JWOIB+gWfRqkoVsDFn/YAp1p4J2J3MpQZaWYuDRrK
L3ixxmSXEWkvcBng2/FSlcGxZ/EMS2Rwd7B/wH0g5md+02x9+YxV3CuJdjIL
o3DDgjdwv2bMJx6aFvUTn1u893jbyJgRPBEiiPvse1ZKjp1x5WG+/az9j8/j
Hpb2U1SguZFIf7ICTG5tKiS+ODPJsIs2ushCSPkGUzbdSTi0istc6uZuiDIl
EFtrVOj6TrxnBLUuM1XGF3jeozgi8WYyVHeEppVPgnkVrJUU2B4raPCFHczz
7S2Z9jw5KOr2Qn/Et0m4WstR3i0q9jybBKprugIfdWQlKCqc4mUwSOy50Fgd
Igm3dYrQ2URjt4FpQrh0d9IE2DfPvbCBJZcydyeYxcDSyqS97wGgDt8zapv7
lbOJdzMZxt/dnVkVn+vDlNa1uS7idrX1AWu/mNQeUunITOeOJYdDFv6AzNOu
wJkGNzDKzLWja0IJ69Cu7yPQBaJ2KjQyLpJOOpgi5Fs+Ytgfq9symh4PpmP8
n6t2m7auXiaYNuaoPlFiUNTxRjUS+V2lqHyS0FwKYiuxiWfc/OwRVS4ij6wx
6uL1l9jRUndc4YBm/f3XeDVwDd7g6Zv2OkO8IlAWmTuIY3vBK7fr+KE8U4Wz
KlUqu1rO5rjtXcRYZ7uxzGmq9l25/knoJ/hjx+uJ0BCCsOEN7/U9l9ym+IaF
Lyp3Xa9BGc0V3q0VOcw5MBG8A7Qqr6W57dadOyS5pQhe5H7azvWH/fPrFmRH
bwqP3584grZbLHBnKJBxAs3e1I1erdfBAM3pBvS7EH08Ad0C2IFxkDatccwy
vFlmcGD/DAnvtT0NtisR7o6oxZ0dfv+JH2SOVajiaw+gKwKEXbDEm2fSGGGN
vlFPEZV33tH8FptGtN59NLcBpfYEXuYdi2tdClOXwwlwwRLKJXu62WzKio/8
7NKKu1FsP12+VstV7SDHgBG0G+yleXhVAItgj1jbmww6fbT1bnP1LwYb1giT
oHiGCoCxLNfbdYvens8OZ4eoNoDJwtfwUBWDvVuqzXKbSVZM45XQ5r5RBtGW
wIMvudAtfoLmvDxzH2l3NV5CzYKQ/uAoW24CpIm6fUYzay6oVttrJbhcJPBL
rEW0+8k37/adkY7gT0YhkF2/vaNggAs7owxHYGNWwNyQ18VLZnOYwXzpGEPc
UfHsEmV0wX1nN5yZrTgX7la2sM4iISUR1uYYVT0+rp1tIWVGG0l31mH0GK/L
Gzt8NEgplxtrCTC2tMHjGDgl7xUp/iV+PFyLLeyREQsF1WAkGOfaqDwzt0xm
5W2Brw2U/vXG8gNd0pjHw6QDt2Hdq0Ta1LTB73iJVktJuu1M0wQKSuLS/X43
uErd0cwxlrPIztyThVTReNeruZeS71LDsFpt+9Ie1LG3EzKkrfmtFuyIwSz/
oPkdIHSlQ4RqdM+pC/qMbDgDIk5qFIUhOU21NiCJQtrKVUh5ZKNTqLQ2Bxos
UeroEW6a1agEdE30lTv0rul9o91DMrtlt4dbIlqjqxwMgIjtKXgoJjbQCUNH
ngl1M+p+/2BLbNsisOR7AKS3dBcwhq1gEQ6d/F3BibfPnas5Y3dn8Bs93NW7
4YXwGrmLP2oBz4DKD2kDIv93Io2NiOx0b+5AQ1UHJFoJdwlbyWfyzRGoO7wd
61NI6h8u9imxsMRNibi+hLZUchf4tqRGGGOPP3kY/nNKnANfYOiEUxCiaR9w
6WmLff10ZXiuya8dp3ORn3qvwfDR3rtWOIeHcq3q9hOtNiBs7/ZciBQ3iCt/
hxWgH4R1BvxOD7RK3kKBfr2vN8PvYKsxxRy+oVJ3Js7BuUyBjDRx9eEfXI2X
+ffgRZROpsbClLhF6//5HRLR6XQPzPB8wjq7yOgeyVp/v+NsdchtIr5sojnI
wyACY7zfMXSgwCqLDQt1GNjhsBOGSPCXqsFXhYVOIaCqIpuaEYYFIk4nE0Oh
870o0RzgtRrxziXafRa2cbxRwuiyqczNFjbdbybkrr/7DALH7hL4NGXi4g8e
g0XO1Y1cKxG5uvRLT8VXVLtmcq+wTPfgbycOMFQ/ok2Yla4KYlc3OCWJH1w2
c3zhrH9/Db40tF+1EKoBogWzqLlf2edorNExeDdY0d1eBJqgP+FSdF1U0Dbc
wV0Y6FVtPVW//MY7MR9aRFs+Ns5rHVNUya7s7uDM4MqCAbb8HdYwYk37Sxjn
6O6lCzHA8KkrEN2sVfAlzJYuf/O7a5Unv+VnJ9wgF8NHEPyWrDsDDtt8BHOM
IA5avLlAGKvjUAWTpvWyBbt1rTCals22BRfGpWJjSdAXg2Ewyozug/Te06B0
B3oEdWyeRprLvLz1t/q1+iDvt9O+1rB0pF0yl9HRbeCB3qWTP54G4Ts1K7Go
+RqaGHNMRtRhF+H7Xz5mINJVe37zASvvtLNhP8rVBZMgt3otM9XBb/ZeD1xa
UxV36KkqYUd9HchhDb+kgBIwWeMK5+x7M1swE1CrpkO+ObMDnnvCCiVmLuAm
QTERc5adbxyQ5uKsFP0LoanEbTQV2OcELoMABooc0R3wwAweacNmAhpszUUj
gkK40/l2SqFcrCsI/JgLj6mtP4vnXLsTMwf2h01Op3BTjBd4ThJ3DW14h2Ag
rAYBW+8kEEDOJ7j3KI8jsWowitODAe0t+UERQXANqC/a8Rrl7mGH2HnWuMxY
2B9KG59I98nYWaK90MSGQoNKCp9wxmO+tCx5gu8dyMzVjLr7ihn7FijLwVP7
BpXAmfZeaE3BVfuaElMc2C1Na/OadAOGC6x6rzfyXlxo7sV1Hg6/UMe7tY7z
z0CDc3NNnH9SMJS/NFiseTVcuooHZsjo2xfhkMYQtfctTn1ltRJePt9o762J
jk7uPZUmK2toM0te+2+/wVe90AU7XBRTD096Qq8+ynFXOKc/hy4WytzSAhbg
dk6324F+8c/W8OK0ex/W+J3Mto7r/PjN8Q4O4UwTtxTeq1fw1eI4E+7oOMVX
i+QyW5qLaf56xC/UkNm/7i1gRnLvY7dn82p3vkuZZguPgPQ2sHFVo2q879PQ
nXbTe+MOrPnX8wuOfBMPiOI62ZZNp9QUNvU1HmD4U1Po27LCCu6fylWR/FAJ
gOpXag0sCXIzl/J6kvwmgI1/aEBtgPZ6Cx+mqYDfwTYrENDLWm6w9v6lqGDr
8YpDAdP7sVws1oK14mW5+J//EgALcuW9zREtf6XmjS2IjrwoSG+UeUUmXcRn
3uDK76y06yXYB1QkyDh78L/r+6TyFIwAAA==
<!-- [rfced] Abbreviations:
a) Regarding IND-CPA and IND-CCA in Section 2:
Current:
The standard security property for a PKE scheme is
indistinguishability under chosen-plaintext attack (IND-CPA).
IND-CPA security is not sufficient for secure communication in the
presence of an active attacker. Therefore, in general, PKE
schemes are not appropriate for use on the Internet, and KEMs,
which provide indistiguishability under chosen-ciphertext attack
(IND-CCA security), are required.
- Is the word 'security' needed in 'IND-CCA security'?
- We note that RFC 9771 includes references for IND-CCA and IND-CCA2. Would
you like to add references to this document, or will this be sufficiently
clear to the reader? (See https://www.rfc-editor.org/rfc/rfc9771#section-4.2.1)
b) FYI, we added expansions for abbreviations upon first use for the
items below. Please review each expansion in the document carefully to
ensure correctness.
Elliptic Curve Diffie-Hellman (ECDH)
Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) (per FIPS 203)
Module-Lattice-Based Digital Signature Algorithm (ML-DSA)
Internet Key Exchange Protocol Version 2 (IKEv2)
-->
<!-- [rfced] For readability we have formatted the lists in this
document with a line break between each term and its definition.
We suggest removing the <strong> element (which yields bold font
in the HTML and PDF, and yields asterisks in the TXT); please let
us know if removing <strong> is acceptable.
-->
<!-- [rfced] Please review the "Inclusive Language" portion of the online
Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
and let us know if any changes are needed. Updates of this nature typically
result in more precise language, which is helpful for readers.
In addition, please consider whether "traditional" should be updated throughout
this document for clarity. While the NIST website
<https://web.archive.org/web/20250214092458/https://www.nist.gov/nist-research-l
ibrary/nist-technical-series-publications-author-instructions#table1>
indicates that this term is potentially biased, it is also ambiguous.
--> -->
</rfc> </rfc>
 End of changes. 126 change blocks. 
1050 lines changed or deleted 878 lines changed or added

This html diff was produced by rfcdiff 1.48.