HPKE Publication, Kept Efficient (hpke) Internet Drafts


      
 Hybrid Public Key Encryption
 
 draft-ietf-hpke-hpke-00.txt
 Date: 01/06/2025
 Authors: Richard Barnes, Karthikeyan Bhargavan, Benjamin Lipp, Christopher Wood
 Working Group: HPKE Publication, Kept Efficient (hpke)
This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.
 Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE
 
 draft-ietf-hpke-pq-00.txt
 Date: 01/06/2025
 Authors: Richard Barnes
 Working Group: HPKE Publication, Kept Efficient (hpke)
Updating key exchange and public-key encryption protocols to resist attack by quantum computers is a high priority given the possibility of "harvest now, decrypt later" attacks. Hybrid Public Key Encryption (HPKE) is a widely-used public key encryption scheme based on combining a Key Encapsulation Mechanism (KEM), a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) scheme. In this document, we define KEM algorithms for HPKE based on both post-quantum KEMs and hybrid constructions of post-quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3 that is suitable for use with these KEMs. When used with these algorithms, HPKE is resilient with respect to attack by a quantum computer.



HPKE Publication, Kept Efficient (hpke)

WG Name: HPKE Publication, Kept Efficient
Acronym: hpke
Area: Security Area (sec)
State: Active
Charter: charter-ietf-hpke-01 (Approved)
Document dependencies
Additional resources: GitHub Organization
Personnel
  Chairs: Martin Thomson, Yaroslav Rosomakho
  Area Director: Deb Cooley
Mailing list
  Address: hpke@ietf.org
  To subscribe: https://mailman3.ietf.org/mailman3/lists/hpke.ietf.org/
  Archive: https://mailarchive.ietf.org/arch/browse/hpke
Chat
  Room address: https://zulip.ietf.org/#narrow/stream/hpke

Charter for Working Group

Hybrid Public Key Exchange (HPKE) [RFC 9180] defines an authenticated encryption encapsulation format that combines a semi-static asymmetric key exchange with a symmetric cipher. This format is used in several IETF protocols, such as MLS [RFC 9420] and TLS Encrypted ClientHello [draft-ietf-tls-esni]. The fact that HPKE is defined in an Informational document on the IRTF stream, however, has caused some confusion as to its usability, especially with other standards organizations. Also, there are currently no “post-quantum” (PQ) Key Encapsulation Mechanisms (KEMs) defined for HPKE, in the sense of algorithms that are resilient to attack by a quantum computer.

The hpke Working Group is tasked with two responsibilities:

  1. Re-publish the HPKE specification as a Standards Track document of the IETF, with targeted changes based on experience with its use:

    • The working group may decide to apply any validated errata filed on RFC 9180 (Verified or Hold for Document Update).
    • The working group may decide to remove functionality that is not widely used.
    • The working group may define how Key Derivation Functions (KDFs) that are not two-step might be used with HPKE.
  2. Define PQ algorithms for HPKE from among the following:

    • New KEMs based on hybrid combinations of ML-KEM and ECDH (ML-KEM-768 with X25519, ML-KEM-768 with P-256, and ML-KEM-1024 with P-384) and standalone ML-KEM (ML-KEM-768 and ML-KEM-1024).
    • New KDFs incorporating SHA3.

Differences between the Standards Track version of HPKE and the Informational version (RFC 9180) should be minimized, in order to minimize impact on existing deployments. The Standards Track and Informational versions must have identical behavior for any functionality that they both specify.

The group might select a number of cipher suites that address different use cases, security levels, and attacker threat models.

Milestones

Date Milestone Associated documents
Jul 2025 New post-quantum and post-quantum/traditional hybrid cipher suites for HPKE to the IESG as Proposed Standard
Jun 2025 HPKE specification to the IESG as Proposed Standard