]> UK National Cyber Security Centre

florence.d@ncsc.gov.uk

SEC PQUIP Internet-Draft One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations. About This Document Status information for this document may be found at .

Introduction The mathematical problems of integer factorisation and discrete logarithms over finite fields or elliptic curves underpin most of the asymmetric algorithms used for key establishment and digital signatures on the internet. These problems, and hence the algorithms based on them, will be vulnerable to attacks using Shor's Algorithm on a sufficiently large general-purpose quantum computer, known as a Cryptographically Relevant Quantum Computer (CRQC). It is difficult to predict when, or if, such a device will exist. However, it is necessary to anticipate and prepare to defend against such a development. Data encrypted today (2023) with an algorithm vulnerable to a quantum computer could be stored for decryption by a future attacker with a CRQC. Signing algorithms in products that are expected to be in use for many years are also at risk if a CRQC is developed during the operational lifetime of that product. Preparing for the potential development of a CRQC requires modifying established (standardised) protocols to use asymmetric algorithms that are perceived to be secure against quantum computers as well as today's classical computers. These algorithms are called post-quantum, while algorithms based on integer factorisation, finite-field discrete logarithms or elliptic-curve discrete logarithms are called traditional cryptographic algorithms. In this document "traditional algorithm" is also used to refer to this class of algorithms. During the transition from traditional to post-quantum algorithms, there may be a desire or a requirement for protocols that use both algorithm types. A designer may choose to combine a post-quantum algorithm with a traditional algorithm to add protection against an attacker with a CRQC to the security properties provided by the traditional algorithm. They may also choose to implement a post-quantum algorithm alongside a traditional algorithm for ease of migration from an ecosystem where only traditional algorithms are implemented and used, to one that only uses post-quantum algorithms. Examples of solutions that could use both types of algorithm include, but are not limited to, , , , and . Schemes that combine post-quantum and traditional algorithms for key establishment or digital signatures are often called hybrids. For example:

• NIST defines hybrid key establishment to be a "scheme that is a combination of two or more components that are themselves cryptographic key-establishment schemes" ;
• ETSI defines hybrid key exchanges to be "constructions that combine a traditional key exchange ... with a post-quantum key exchange ... into a single key exchange" .

The word "hybrid" is also used in cryptography to describe encryption schemes that combine asymmetric and symmetric algorithms , so using it in the post-quantum context overloads it and risks misunderstandings. However, this terminology is well-established amongst the post-quantum cryptography (PQC) community. Therefore, an attempt to move away from its use for PQC could lead to multiple definitions for the same concept, resulting in confusion and lack of clarity. This document provides language for constructions that combine traditional and post-quantum algorithms. Specific solutions for enabling use of multiple asymmetric algorithms in cryptographic schemes may be more general than this, allowing the use of solely traditional or solely post-quantum algorithms. However, where relevant, we focus on post-quantum traditional combinations as these are the motivation for the wider work in the IETF. This document is intended as a reference terminology guide for other documents to add clarity and consistency across different protocols, standards, and organisations. Additionally, this document aims to reduce misunderstanding about use of the word "hybrid" as well as defining a shared language for different types of post-quantum traditional hybrid constructions. In this document, a "cryptographic algorithm" is defined, as in , to be a "well-defined computational procedure that takes variable inputs, often including a cryptographic key, and produces an output". Examples include RSA, ECDH, ML-KEM (formerly known as Kyber) and ML-DSA (formerly known as Dilithium). The expression "cryptographic scheme" is used to refer to a construction that uses a cryptographic algorithm or a group of cryptographic algorithms to achieve a particular cryptographic outcome, e.g., key agreement. A cryptographic scheme may be made up of a number of functions. For example, a Key Encapsulation Mechanism (KEM) is a cryptographic scheme consisting of three functions: Key Generation, Encapsulation, and Decapsulation. A cryptographic protocol incorporates one or more cryptographic schemes. For example, TLS is a cryptographic protocol that includes schemes for key agreement, record layer encryption, and server authentication.

Primitives This section introduces terminology related to cryptographic algorithms and to hybrid constructions for cryptographic schemes.

Traditional Cryptographic Algorithm:

An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms or elliptic curve discrete logarithms. Where there is little risk of confusion traditional cryptographic algorithms can also be referred to as traditional algorithms for brevity. Traditional algorithms can also be called classical or convential algorithms.

Post-Quantum Algorithm:

An asymmetric cryptographic algorithm that is believed to be secure against attacks using quantum computers as well as classical computers. Post-quantum algorithms can also be called quantum-resistant or quantum-safe algorithms.

Component Algorithm:

Each cryptographic algorithm that forms part of a cryptographic scheme.

Single-Algorithm Scheme:

A cryptographic scheme with one component algorithm. A single-algorithm scheme could use either a traditional algorithm or a post-quantum algorithm.

Multi-Algorithm Scheme:

A cryptographic scheme that incorporates more than one component algorithm, where the component algorithms have the same cryptographic purpose. For example, a multi-algorithm scheme may include multiple signature algorithms or multiple Public Key Encryption (PKE) algorithms. Component algorithms could be all traditional, all post-quantum, or a mixture of the two.

Post-Quantum Traditional (PQ/T) Hybrid Scheme:

A multi-algorithm scheme where at least one component algorithm is a post-quantum algorithm and at least one is a traditional algorithm.

PQ/T Hybrid Key Encapsulation Mechanism (KEM):

A multi-algorithm KEM made up of two or more component KEM algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm.

PQ/T Hybrid Public Key Encryption (PKE):

A multi-algorithm PKE scheme made up of two or more component PKE algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm.

PQ/T Hybrid Digital Signature:

A multi-algorithm digital signature scheme made up of two or more component digital signature algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. PQ/T hybrid KEMs, PQ/T hybrid PKE, and PQ/T hybrid digital signatures are all examples of PQ/T hybrid schemes.

PQ/T Hybrid Combiner:

A method that takes two or more component algorithms and combines them to form a PQ/T hybrid scheme.

PQ/PQ Hybrid Scheme:

A multi-algorithm scheme where all components are post-quantum algorithms. The definitions for types of PQ/T hybrid schemes can adapted to define types of PQ/PQ hybrid schemes, which are multi-algorithm schemes where all component algorithms are Post-Quantum algorithms.

In cases where there is little chance of confusion between other types of hybrid cryptography e.g., as defined in , and where the component algorithms of a multi-algorithm scheme could be either post-quantum or traditional, it may be appropriate to use the phrase "hybrid scheme" without PQ/T or PQ/PQ preceding it.

Cryptographic Elements This section introduces terminology related to cryptographic elements and their inclusion in hybrid schemes.

Cryptographic Element:

Any data type (private or public) that contains an input or output value for a cryptographic algorithm or for a function making up a cryptographic algorithm. Types of cryptographic elements include public keys, private keys, plaintexts, ciphertexts, shared secrets, and signature values.

Component Cryptographic Element:

A cryptographic element of a component algorithm in a multi-algorithm scheme. For example, in , the client's keyshare contains two component public keys, one for a post-quantum algorithm and one for a traditional algorithm.

Composite Cryptographic Element:

A cryptographic element that incorporates multiple component cryptographic elements of the same type in a multi-algorithm scheme. For example, a composite cryptographic public key is made up of two component public keys.

Cryptographic Element Combiner:

A method that takes two or more component cryptographic elements of the same type and combines them to form a composite cryptographic element. A cryptographic element combiner could be concatenation, such as where two component public keys are concatenated to form a composite public key as in , or something more involved such as the dualPRF defined in .

Protocols This section introduces terminology related to the use of post-quantum and traditional algorithms together in protocols.

PQ/T Hybrid Protocol:

A protocol that uses two or more component algorithms providing the same cryptographic functionality, where at least one is a post-quantum algorithm and at least one is a traditional algorithm. For example, a PQ/T hybrid protocol providing confidentiality could use a PQ/T hybrid KEM such as in , or it could combine the output of a post-quantum KEM and a traditional KEM at the protocol level to generate a single shared secret, such as in . Similarly, a PQ/T hybrid protocol providing authentication could use a PQ/T hybrid digital signature scheme, or it could include both post-quantum and traditional single-algorithm digital signature schemes.

Composite PQ/T Hybrid Protocol:

A protocol that incorporates one or more PQ/T hybrid schemes in such a way that the protocol fields and message flow are the same as those in a version of the protocol that uses single-algorithm schemes. In a composite PQ/T hybrid protocol, changes are primarily made to the formats of the cryptographic elements, while the protocol fields and message flow remain largely unchanged. In implementations, most changes are likely to be made to the cryptographic libraries, with minimal changes to the protocol libraries.

Non-composite PQ/T Hybrid Protocol:

A protocol that incorporates multiple single-algorithm schemes of the same type, where at least one uses a post-quantum algorithm and at least one uses a traditional algorithm, in such a way that the formats of the component cryptographic elements are the same as when they are used as part of single-algorithm schemes. In a non-composite PQ/T hybrid protocol, changes are primarily made to the protocol fields, the message flow, or both, while changes to cryptographic elements are minimised. In implementations, most changes are likely to be made to the protocol libraries, with minimal changes to the cryptographic libraries.

It is possible for a PQ/T hybrid protocol to be designed that is neither entirely composite nor entirely non-composite. For example, in a protocol that offers both confidentiality and authentication, the key establishment could be done in a composite manner while the authentication is done in a non-composite manner.

Properties This section describes properties that may be desired from or achieved by a PQ/T hybrid scheme or PQ/T hybrid protocol.

PQ/T Hybrid Confidentiality:

The property that confidentiality is achieved by a PQ/T hybrid scheme or PQ/T hybrid protocol as long as at least one component algorithm that aims to provide this property remains secure.

PQ/T Hybrid Authentication:

The property that authentication is achieved by a PQ/T hybrid scheme or a PQ/T hybrid protocol as long as at least one component algorithm that aims to provide this property remains secure.

The security properties of a PQ/T hybrid scheme or protocol depend on the security of its component algorithms, the choice of PQ/T hybrid combiner, and the capability of an attacker. Changes to the security of a component algorithm can impact the security properties of a PQ/T hybrid scheme providing hybrid confidentiality or hybrid authentication. For example, if the post-quantum component algorithm of a PQ/T hybrid scheme is broken, the scheme will remain secure against an attacker with a classical computer, but will be vulnerable to an attacker with a CRQC. PQ/T hybrid protocols that offer both confidentiality and authentication do not necessarily offer both hybrid confidentiality and hybrid authentication. For example, provides hybrid confidentiality but does not address hybrid authentication. Therefore, if the design in is used with X.509 certificates as defined in only authentication with a single algorithm is achieved.

PQ/T Hybrid Interoperability:

The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can be completed successfully provided that both parties share support for at least one component algorithm. For example, a PQ/T hybrid digital signature might achieve hybrid interoperability if the signature can be verified by either verifying the traditional or the post-quantum component, such as the approach defined in section 7.2.2 of . In this example a verifier that has migrated to support post-quantum algorithms is required to verify only the post-quantum signature, while a verifier that has not migrated will verify only the traditional signature.

In the case of a protocol that aims to achieve both authentication and confidentiality, PQ/T hybrid interoperability requires that at least one component authentication algorithm and at least one component algorithm for confidentiality is supported by both parties. It is not possible for a PQ/T hybrid scheme to achieve both PQ/T hybrid interoperability and PQ/T hybrid confidentiality without additional functionality at a protocol level. For PQ/T hybrid interoperability a scheme needs to work whenever one component algorithm is supported by both parties, while to achieve PQ/T hybrid confidentiality all component algorithms need to be used. However, both properties can be achieved in a PQ/T hybrid protocol by building in downgrade protection external to the cryptographic schemes. For example, in , the client uses the TLS supported groups extension to advertise support for a PQ/T hybrid scheme and the server can select this group if it supports the scheme. This is protected using TLS's existing downgrade protection, so achieves PQ/T hybrid confidentiality, but the connection can still be made if either the client or server does not support the PQ/T hybrid scheme, so PQ/T hybrid interoperability is achieved. The same is true for PQ/T hybrid interoperability and PQ/T hybrid authentication. It is not possible to achieve both with a PQ/T hybrid scheme alone, but it is possible with a PQ/T hybrid protocol that has appropriate downgrade protection.

PQ/T Hybrid Backwards Compatibility:

The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can be completed successfully provided that both parties support the traditional component algorithm.

PQ/T Hybrid Forwards Compatibility:

The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can be completed successfully provided that both parties support the post-quantum component algorithm.

Weak Non-Separability:

A property of a hybrid digital signature that guarantees that an adversary cannot remove either component signature without leaving some evidence behind. Weak non-separability does not necessarily prevent an attacker from creating a valid traditional-only or post-quantum-only signature from a PQ/T hybrid signature, rather it means that a verifier would be able to identify that the resulting signature had been derived from a PQ/T hybrid signature.

Strong Non-Separability:

A property of a hybrid digital signature that guarantees that an adversary cannot create a valid single-algorithm signature from a hybrid signature. In the context of PQ/T hybrid signatures this means that an attacker cannot take a PQ/T hybrid digital signature and generate a post-quantum or traditional signature that will verify correctly.

Simultaneous Verification:

A property of a hybrid digital signature where all component algorithms must be verified before the verifier returns a result and finishes the verification process. In the context of PQ/T hybrid signatures this means that both the post-quantum and traditional component signatures much be verified before the verifier returns a result.

Weak non-separability, strong non-separability and simultaneous verification are related concepts, with strong non-separability being a stronger property than weak non-separability and simultaneous verification being a stronger property still. These concepts are introduced, explored in more detail and examples provided in .

Certificates This section introduces terminology related to the use of certificates in hybrid schemes.

PQ/T Hybrid Certificate:

A digital certificate that contains public keys for two or more component algorithms where at least one is a traditional algorithm and at least one is a post-quantum algorithm. A PQ/T hybrid certificate could be used to facilitate a PQ/T hybrid authentication protocol. However, a PQ/T hybrid authentication protocol does not need to use a PQ/T hybrid certificate; separate certificates could be used for individual component algorithms. The component public keys in a PQ/T hybrid certificate could be included as a composite public key or as individual component public keys.

The use of a PQ/T hybrid certificate does not necessarily achieve hybrid authentication of the identity of the sender; this is determined by properties of the chain of trust. For example, an end-entity certificate that contains a composite public key, but which is signed using a single-algorithm digital signature scheme could be used to provide hybrid authentication of the source of a message, but would not achieve hybrid authentication of the identity of the sender.

Post-Quantum Certificate:

A digital certificate that contains a single public key for a post-quantum digital signature algorithm.

Traditional Certificate:

A digital certificate that contains a single public key for a traditional digital signature algorithm. X.509 certificates as defined in could be either traditional or post-quantum certificates depending on the algorithm in the Subject Public Key Info. For example, a certificate containing a ML-DSA public key, as defined in , would be a post-quantum certificate.

Post-Quantum Certificate Chain:

A certificate chain where each certificate includes a public key for a post-quantum algorithm and is signed using a post-quantum digital signature scheme.

Traditional Certificate Chain:

A certificate chain where all certificates includes a public key for a traditional algorithm and is signed using a traditional digital signature scheme.

PQ/T Hybrid Certificate Chain:

A certificate chain where all certificates are PQ/T hybrid certificates and each certificate is signed with two or more component algorithms where at least one is a traditional algorithm and at least one is a post-quantum algorithm.

A PQ/T hybrid certificate chain is one way of achieving hybrid authentication of the identity of a sender in a protocol, but is not the only way. An alternative is to incorporate both a post-quantum certificate chain and a traditional certificate chain in a protocol. It would be possible to construct a certificate chain containing a mixture of post-quantum certificates, traditional certificates and PQ/T hybrid certificates. For example, a post-quantum end-entity certificate could be signed by a traditional intermediate certificate, which in turn could be signed by a traditional root. The security properties of a certificate chain that mixes post-quantum and traditional algorithms would need to be analysed on a case-by-case basis.

Algorithm Specification This section introduces terminology for specifying the component algorithms used in PQ/T hybrid schemes or PQ/T hybrid protocols.

PQ/T Hybrid Scheme Identifier:

A single code point that specifies all component algorithms used in a PQ/T hybrid scheme.

Security Considerations This document defines security-relevant terminology to be used in documents specifying PQ/T hybrid protocols and schemes. However, the document itself does not have a security impact on Internet protocols. The security considerations for each PQ/T hybrid protocol are specific to that protocol and should be discussed in the relevant specification documents.

IANA Considerations This document has no IANA actions.

Informative References Post-Quantum Cryptography pp.206-226 Cryptology ePrint Archive, Paper 2023/423 ETSI TS 103 744 V1.1.1 ITU-T National Institute of Standards and Technology (NIST) Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory National Institute of Standards and Technology (NIST) AWS AWS sn3rd Cloudflare Digital signatures are used within X.509 certificates, Certificate Revocation Lists (CRLs), and to sign messages. This document describes the conventions for using Dilithium quantum-resistant signatures in Internet X.509 certificates and certificate revocation lists. The conventions for the associated post-quantum signatures, subject public keys, and private key are also described. National Security Agency National Security Agency National Security Agency This document defines a new CSR attribute, relatedCertRequest, and a new X.509 certificate extension, RelatedCertificate. The use of the relatedCertRequest attribute in a CSR and the inclusion of the RelatedCertificate extension in the resulting certificate together provide additional assurance that two certificates each belong to the same end entity. This mechanism is particularly useful in the context of non-composite hybrid authentication, which enables users to employ the same certificates in hybrid authentication as in authentication done with only traditional or post-quantum algorithms. University of Waterloo Cisco Systems University of Haifa Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Discussion of this work is encouraged to happen on the TLS IETF mailing list tls@ietf.org or on the GitHub repository which contains the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design. Entrust Limited Entrust Limited The migration to post-quantum cryptography is unique in the history of modern digital cryptography in that neither the old outgoing nor the new incoming algorithms are fully trusted to protect data for the required data lifetimes. The outgoing algorithms, such as RSA and elliptic curve, may fall to quantum cryptalanysis, while the incoming post-quantum algorithms face uncertainty about both the underlying mathematics as well as hardware and software implementations that have not had sufficient maturing time to rule out classical cryptanalytic attacks and implementation bugs. Cautious implementers may wish to layer cryptographic algorithms such that an attacker would need to break all of them in order to compromise the data being protected using either a Post-Quantum / Traditional Hybrid, Post-Quantum / Post-Quantum Hybrid, or combinations thereof. This document, and its companions, defines a specific instantiation of hybrid paradigm called "composite" where multiple cryptographic algorithms are combined to form a single key, signature, or key encapsulation mechanism (KEM) such that they can be treated as a single atomic object at the protocol level. This document defines the structure CompositeCiphertextValue which is a sequence of the respective ciphertexts for each component algorithm. Explicit pairings of algorithms are defined which should meet most Internet needs. For the purpose of combining KEMs, the combiner function from [I-D.ounsworth-cfrg-kem-combiners] is used. This document is intended to be coupled with the composite keys structure define in [I-D.ounsworth-pq-composite-keys] and the CMS KEMRecipientInfo mechanism in [I-D.housley-lamps-cms-kemri]. This Glossary provides definitions, abbreviations, and explanations of terminology for information system security. The 334 pages of entries offer recommendations to improve the comprehensibility of written material that is generated in the Internet Standards Process (RFC 2026). The recommendations follow the principles that such writing should (a) use the same term or definition whenever the same concept is mentioned; (b) use terms in their plainest, dictionary sense; (c) use terms that are already well-established in open publications; and (d) avoid terms that either favor a particular vendor or favor a particular technology or mechanism over other, competing techniques that already exist or could be developed. This memo provides information for the Internet community. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. This document describes how to extend the Internet Key Exchange Protocol Version 2 (IKEv2) to allow multiple key exchanges to take place while computing a shared secret during a Security Association (SA) setup. This document utilizes the IKE_INTERMEDIATE exchange, where multiple key exchanges are performed when an IKE SA is being established. It also introduces a new IKEv2 exchange, IKE_FOLLOWUP_KE, which is used for the same purpose when the IKE SA is being rekeyed or is creating additional Child SAs. This document updates RFC 7296 by renaming a Transform Type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method". It also renames an IANA registry for this Transform Type from "Transform Type 4 - Diffie- Hellman Group Transform IDs" to "Transform Type 4 - Key Exchange Method Transform IDs". These changes generalize key exchange algorithms that can be used in IKEv2.

Acknowledgments This document is the product of numerous fruitful discussions in the IETF PQUIP group. Thank you in particular to Mike Ounsworth, John Gray, Tim Hollebeek, Wang Guilin, Paul Hoffman and Sofía Celi for their contributions. This document is inspired by many others from the IETF and elsewhere. In particular, many of the definitions in the Properties section are drawn from .