simon@josefsson.org

IRTF CFRG chempat PQ/T hybrid post quantum hybrid kem This document specify Chempat as a generic family of instantiated Post-Quantum/Traditional (PQ/T) Hybrid Key Exchange Methods (KEMs). The goal is to provide a generic combiner construct that can be analysed separately for security assurance, and to offer concrete instantiated algorithms for integration into protocol and implementations. Identified instances are provided based on traditional Diffie-Hellman key agreement using curves P-256, P-384, X25519, X448, brainpoolP256, brainpoolP384 combined with post quantum methods ML-KEM-768, ML-KEM-1024, Streamlined NTRU Prime sntrup761, and Classic McEliece. Status information for this document may be found at . Discussion of this document takes place on the Crypto Forum Research Group (CFRG) Research Group mailing list (), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction To hedge against attacks on a traditional key agreement algorithm such as X25519 and a post-quantum key encapsulation mechanism (KEM) such as ML-KEM-768 , it is possible to combine both algorithms to derive a shared secret and define the combination mechanism as a new KEM. Using the terminology of , this combination forms a PQ/T Hybrid Key Encapsulation Mechanism. Chempat is a generic pattern to create a PQ/T Hybrid Key Encapsulation Mechanism based on at least one post-quantum algorithm and at least one traditional algorithm. The idea is that the Chempat combiner can be analyzed generally and some assurance can be had that it behaves well. For ease of presentation, this document combine one traditional DH-Based KEM algorithm with one post-quantum KEM algorithm. While a natural approach would be to integrate the generic key combiner construct into protocols and have the protocol and implementation negotiate parameters, that leads to complexity detrimental to security. Therefor this document describe specific instances of Chempat applied on selected algorithms.

Motivation There are many choices that can be made when specifying a hybrid KEM: the constituent KEMs; their security levels; the combiner; and the hash within, to name but a few. Having too many similar options are a burden to the ecosystem. The above argues for having carefully selected instantiated hybrid KEMs. Each hybrid KEM should be analysed to meet security targets. If that analysis assume specific behaviour of the combiner, or if the analysis become more complex due to the combiner, that leads to more work to re-use the analysis for other combinations. While it would be preferrable to only specify one hybrid KEM and analyse that, such as , cryptographic history suggests that algorithm preferences varies over time. The argument then is to establish a generic method that can be analysed independent of its component algorithms, such as . Generic methods can lead to parametrized protocols and implementations that is more difficult to analyse, and a lack of instantiated algorithm identifiers. While non-hybrid approaches may eventually be preferrable, there are doubts on what properties protocols demand from cryptographic primitives, and some of the properties are different from what have been expected from traditional algorithms . This suggests that some post-quantum KEM's should be used together with a other algorithms to strengthen the properties. Finally this leads up to our approach to describe a generic method that can be analysed independently of the individual components, with as few parameters as possible in the generic combiner, and to instantiate it with common algorithm choices that make sense for protocols and implementations. That is the essence of Chempat.

Comparison to X-Wing X-Wing is a Hybrid PQ/T KEM based on X25519 and ML-KEM-768. Main differences: Chempat is applicable to other algorithm combinations, X-Wing's combiner does not extend securely to other KEM combinations. Chempat on X25519 with ML-KEM-768 will hash the ML-KEM ciphertext and public key. Chempat on X25519 with ML-KEM-768 can provide a per-protocol key-domain separation context string.

Comparison to HPKE X25519Kyber768Draft00 HPKE's X25519Kyber768Draft00 is similar to X-Wing. Main differences to Chempat: Chempat is applicable to other algorithm combinations, X25519Kyber768Draft00's combiner does not extend securely to other KEM combinations. Chempat hashes the shared secret, to be usable outside of HPKE. Chempat hashes the combined ciphertext and public keys. There is also a different KEM called X25519Kyber768Draft00 which is used in TLS. This one should not be used outside of TLS, as it assumes the presence of the TLS transcript to ensure non malleability.

Comparison to KEM Generic Combiner Chempat is most similar to the generic combiner in . Main differences: Chempat offers instantiated identified Hybrid KEMs for direct use in protocols and implementations. Chempat offers the possibility of a generic simpler security argument for the combiner, whereas is parametrized with several algorithm choices and any security analysis needs to be parametrized over the numerous options permitted. Chempat has a fixed 32 byte shared secret instead of a variable length shared secret. Chempat hashes the public keys of the component KEM's.

Design Goals While Chempat share a lot with , and the following goals set it apart: Allow generic security analysis independent of combinations. Provide concrete instantiated algorithm identifiers for several anticipated uses of Hybrid KEM combinations. We aim for instantiated algorithms of Chempat to be usable for most applications, including specifically HPKE , TLS , OpenPGP and SSH .

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The following terms are used throughout this document: string - array of bytes func1(), func2(a,b) - denote functions called FUNC1 and FUNC2 that takes no parameters and two parameters a and b, respectively. concat(x0, ..., xN): returns the concatenation of byte strings. concat(0x01, 0x0203, 0x040506) = 0x010203040506. random(n): return a pseudorandom byte string of length n bytes produced by a cryptographically-secure random number generator.

Chempat Chempat is defined as follows:

The hash function SHA3-256 is defined in . The hybrid_pk string is the concatenation of the serialized public-key output from the traditional (receiver_pk_TEM) and post-quantum (receiver_pk_PQKEM) respectively. To reduce memory usage it is possible to hash the public keys to pre-compute H(hybrid_pk) directly when hybrid_pk is received. The hybrid_ct string is the concatenation of the serialized ciphertext output from the traditional (receiver_ct_TEM) and post-quantum (receiver_ct_PQKEM) respectively. To reduce memory usage it is possible to hash the ciphertext to pre-compute H(hybrid_ct) directly when hybrid_ct is received. The hybrid_ss string is the 32-byte output shared secret, formed as the output of the SHA3-256 hash function. The inputs to the hash function is a concatenation of the shared secrets from the traditional (ss_TKEM) and post-quantum (ss_PQKEM) KEMs with the hashes of the ciphertexts (H(hybrid_ct)) and public keys (H(hybrid_pk)) together with a variable-length protocol-specific context string. The context string can be chosen uniquely by the protocol referencing this document. The purpose is to provide protocol domain separation of the generated keys. The content is arbitrary, and in practice the name of the protocol will suffice. Since this results in a new Chempat instance, to reduce combinatorical complexity of parameters, we provide one instance with the context variable set to the name of the Chempat instance, for example "Chempat-X25519-sntrup761".

Naming Protocols wishing to utilize a PQ/T Hybrid KEM described in this document MUST refer to one of the derived instantiated algorithm identifiers and MUST NOT specify a generic construction where the individual algorithms are parameters. The convention for identifiers is "Chempat-TKEM-PQKEM" replacing "TKEM" and "PQKEM" with a brief mnemonic identifying the traditional and post-quantum algorithm respectively.

Use in HPKE Each Chempat instance satisfy the HPKE KEM interface as follows. The SerializePublicKey, DeserializePublicKey, SerializePrivateKey and DeserializePrivateKey are concatenation and splitting of the known-length component strings.

Chempat does not provide authenticeted KEMs and does not support AuthEncap() or AuthDecap() of . Context is a string provided by the protocol referencing this document, or if not provided corresponds to the name of the Chempat instance, such as "Chempat-X25519-sntrup761". Nsecret is 32 for all Chempat instances, and Nenc, Npk, and Nsk depends on the underlying components.

Chempat-X25519-sntrup761 This algorithm is instantiated using the TKEM as DHKEM(X25519, HKDF-SHA256) from and PQKEM as a HPKE variant of sntrup761 from . The DHKEM.Nsecret, DHKEM.Nenc, DHKEM.Npk, DHKEM.Nsk are all 32 for X25519 per . The PQKEM.Nsecret is 32, PQKEM.Nenc is 1039, PQKEM.Npk is 1158 and PQKEM.Nsk is 1763 for sntrup761 per . Thus Nenc is 1071, Npk is 1190 and Nsk is 1795 for Chempat-X25519-sntrup761.

Chempat with Classic McEliece with X448 and X25519 This is a set of mechanisms implemented the same way but with different component algorithms and parameter lengths. This algorithm is instantiated using the TKEM as DHKEM(X, HKDF-SHA512) from and PQKEM as a HPKE variant of M from , substituting X and M for the particular algorithm from the tables below. Sizes for DHKEM for X25519 and X448 as per , and sizes for PQKEM as per . The f and non-f versions are interoperable. The f versions have faster key generation, while the non-f versions have simpler key generation. For example, a key generated with mceliece6688128f can decapsulate ciphertexts that were encapsulated with mceliece6688128, and vice versa. The secret-key sizes (and formats) are the same, the encapsulation functions are the same, and the decapsulation functions are the same. Implementations of this protocol can chose between f and non-f variants, however the name of the hybrid will use the non-f names. DHKEM variant Nsecret Nenc Npk Nsk X25519 32 32 32 32 X448 64 56 56 56 PQKEM variant Nsecret Nenc Npk Nsk mceliece348864 32 96 261120 6492 mceliece460896 32 156 524160 13608 mceliece6688128 32 208 1044992 13932 mceliece6960119 32 194 1047319 13948 mceliece8192128 32 208 1357824 14120 Names and sizes of the Chempat hybrids are per table below. Variant Nenc Npk Nsk Chempat-X25519-mceliece348864 128 261152 6524 Chempat-X25519-mceliece460896 188 524192 13640 Chempat-X25519-mceliece6688128 240 1045024 13964 Chempat-X25519-mceliece6960119 226 1047351 13980 Chempat-X25519-mceliece8192128 240 1357856 14152 Chempat-X448-mceliece348864 160 261176 6548 Chempat-X448-mceliece460896 220 524216 13664 Chempat-X448-mceliece6688128 272 1045048 13988 Chempat-X448-mceliece6960119 258 1047375 14004 Chempat-X448-mceliece8192128 272 1357880 14176

Chempat-X25519-ML-KEM-768 This algorithm is instantiated using the TKEM as DHKEM(X25519, HKDF-SHA256) from and PQKEM as a HPKE variant of ML-KEM-768 from . Protocols and implementation MAY consider instead of Chempat-X25519-ML-KEM-768, and the definition of Chempat-X25519-ML-KEM-768 is here for situations when some property of X-Wing is not wanted. Informally and non-conclusively, X-Wing offers better performance and Chempat-X25519-ML-KEM-768 offers re-use of the generic security claims on Chempat and a per-protocol key-separation context string. The DHKEM.Nsecret, DHKEM.Nenc, DHKEM.Npk, DHKEM.Nsk are all 32 for X25519 per . The PQKEM.Nsecret is 32, PQKEM.Nenc is 1088, PQKEM.Npk is 1184 and PQKEM.Nsk is 2400 for ML-KEM-768 per . Thus Nenc is 1120, Npk is 1216 and Nsk is 2432 for Chempat-X25519-ML-KEM-768.

Chempat-X448-ML-KEM-1024 This algorithm is instantiated using the TKEM as DHKEM(X448, HKDF-SHA512) from and PQKEM as a HPKE variant of ML-KEM-1024 from . For X448 DHKEM.Nsecret is 64, DHKEM.Nenc is 56, DHKEM.Npk is 56, DHKEM.Nsk is 56 per . The PQKEM.Nsecret is 32, PQKEM.Nenc is 864, PQKEM.Npk is 1568 and PQKEM.Nsk is 2400 for ML-KEM-1024 per . Thus Nenc is 1120, Npk is 1624 and Nsk is 2456 for Chempat-X25519-ML-KEM-1024.

Chempat-P256-ML-KEM-768 This algorithm is instantiated using the TKEM as DHKEM(P-256, HKDF-SHA256) from and PQKEM as a HPKE variant of ML-KEM-768 from . For P256 DHKEM.Nsecret is 32, DHKEM.Nenc is 65, DHKEM.Npk is 65, DHKEM.Nsk is 32 per . The PQKEM.Nsecret is 32, PQKEM.Nenc is 1088, PQKEM.Npk is 1184 and PQKEM.Nsk is 2400 for ML-KEM-768 per . Thus Nenc is 1153, Npk is 1249 and Nsk is 2432 for Chempat-P256-ML-KEM-768.

Chempat-P384-ML-KEM-1024 This algorithm is instantiated using the TKEM as DHKEM(P-384, HKDF-SHA384) from and PQKEM as a HPKE variant of ML-KEM-1024 from . For P384 DHKEM.Nsecret is 48, DHKEM.Nenc is 97, DHKEM.Npk is 97, DHKEM.Nsk is 48 per . The PQKEM.Nsecret is 32, PQKEM.Nenc is 864, PQKEM.Npk is 1568 and PQKEM.Nsk is 2400 for ML-KEM-1024 per . Thus Nenc is 961, Npk is 1665 and Nsk is 2448 for Chempat-P384-ML-KEM-1024.

Chempat-brainpoolP256-ML-KEM-768 This algorithm is instantiated using the TKEM as DHKEM(brainpoolP256, HKDF-SHA256) from and PQKEM as a HPKE variant of ML-KEM-768 from . For brainpoolP256 DHKEM.Nsecret is 32, DHKEM.Nenc is 65, DHKEM.Npk is 65, DHKEM.Nsk is 32. The PQKEM.Nsecret is 32, PQKEM.Nenc is 1088, PQKEM.Npk is 1184 and PQKEM.Nsk is 2400 for ML-KEM-768 per . Thus Nenc is 1153, Npk is 1249 and Nsk is 2432 for Chempat-brainpoolP256-ML-KEM-768.

Chempat-brainpoolP384-ML-KEM-1024 This algorithm is instantiated using the TKEM as DHKEM(brainpoolP384, HKDF-SHA384) from and PQKEM as a HPKE variant of ML-KEM-1024 from . For brainpoolP384 DHKEM.Nsecret is 48, DHKEM.Nenc is 97, DHKEM.Npk is 97, DHKEM.Nsk is 48. The PQKEM.Nsecret is 32, PQKEM.Nenc is 864, PQKEM.Npk is 1568 and PQKEM.Nsk is 2400 for ML-KEM-1024 per . Thus Nenc is 961, Npk is 1665 and Nsk is 2448 for Chempat-brainpoolP384-ML-KEM-1024.

Security Considerations Chempat is intended to be secure if SHA3 is secure and either the traditional algorithm is secure or the post-quantum algorithm is secure. The security considerations of each component algorithm are inherited. Cryptographic algorithms and parameters will be broken or weakened over time. Blindly implementing supported groups listed here is not advised. Implementers and users need to check that the cryptographic algorithms listed continue to provide the expected level of security.

IANA Considerations Protocols that provide a Context variable will need to register their own key-domain separate identifiers. The registrations below are when Chempat instances are used with their default value of Context. This document requests/registers new entries to the "HPKE KEM Identifiers" registry as follows. Value KEM Nsecret Nenc Npk Nsk Auth Reference TBD Chempat-X25519-sntrup761 32 1071 1190 1795 No THISRFC TBD Chempat-X25519-mceliece348864 32 128 261152 6524 No THISRFC TBD Chempat-X25519-mceliece460896 32 188 524192 13640 No THISRFC TBD Chempat-X25519-mceliece6688128 32 240 1045024 13964 No THISRFC TBD Chempat-X25519-mceliece6960119 32 226 1047351 13980 No THISRFC TBD Chempat-X25519-mceliece8192128 32 240 1357856 14152 No THISRFC TBD Chempat-X448-mceliece348864 32 160 261176 6548 No THISRFC TBD Chempat-X448-mceliece460896 32 220 524216 13664 No THISRFC TBD Chempat-X448-mceliece6688128 32 272 1045048 13988 No THISRFC TBD Chempat-X448-mceliece6960119 32 258 1047375 14004 No THISRFC TBD Chempat-X448-mceliece8192128 32 272 1357880 14176 No THISRFC TBD Chempat-X25519-ML-KEM-768 32 1120 1216 2432 No THISRFC TBD Chempat-X448-ML-KEM-1024 32 1120 1624 2456 No THISRFC TBD Chempat-P256-ML-KEM-768 32 1153 1249 2432 No THISRFC TBD Chempat-P384-ML-KEM-1024 32 961 1665 2448 No THISRFC TBD Chempat-brainpoolP256-ML-KEM-768 32 1153 1249 2432 No THISRFC TBD Chempat-brainpoolP384-ML-KEM-1024 32 961 1665 2448 No THISRFC This document requests/registers a new entry to the TLS Supported Group registry as follows. Value Description DTLS-OK Recommended Reference Comment TBD Chempat-X25519-sntrup761 Y Y THISRFC PQ/T hybrid of X25519 and sntrup761

Acknowledgments The combiner function was suggested by . The document re-use ideas and some text from , , and .

In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. SandboxAQ MPI-SP & Radboud University Cloudflare This memo defines X-Wing, a general-purpose post-quantum/traditional hybrid key encapsulation mechanism (PQ/T KEM) built on X25519 and ML- KEM-768. UK National Cyber Security Centre One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations. Classic McEliece Team This document specifies Classic McEliece, a Key Encapsulation Method (KEM) designed for IND-CCA2 security, even against quantum computers. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-josefsson-mceliece/. Source for this draft and an issue tracker can be found at https://gitlab.com/jas/ietf-mceliece. Entrust Limited Proton AG BSI The migration to post-quantum cryptography often calls for performing multiple key encapsulations in parallel and then combining their outputs to derive a single shared secret. This document defines a comprehensible and easy to implement Keccak- based KEM combiner to join an arbitrary number of key shares, that is compatible with NIST SP 800-56Cr2 [SP800-56C] when viewed as a key derivation function. The combiners defined here are practical split- key PRFs and are CCA-secure as long as at least one of the ingredient KEMs is. National Institute of Standards and Technology Information Technology Laboratory National Institute of Standards and Technology

US Gaithersburg

The Secure Shell (SSH) Protocol is a protocol for secure remote login and other secure network services over an insecure network. This document describes the architecture of the SSH protocol, as well as the notation and terminology used in SSH protocol documents. It also discusses the SSH algorithm naming system that allows local extensions. The SSH protocol consists of three major components: The Transport Layer Protocol provides server authentication, confidentiality, and integrity with perfect forward secrecy. The User Authentication Protocol authenticates the client to the server. The Connection Protocol multiplexes the encrypted tunnel into several logical channels. Details of these protocols are described in separate documents. [STANDARDS-TRACK] This document is maintained in order to publish all necessary information needed to develop interoperable applications based on the OpenPGP format. It is not a step-by-step cookbook for writing an application. It describes only the format and methods needed to read, check, generate, and write conforming packets crossing any network. It does not deal with storage and implementation questions. It does, however, discuss implementation issues necessary to avoid security flaws. OpenPGP software uses a combination of strong public-key and symmetric cryptography to provide security services for electronic communications and data storage. These services include confidentiality, key management, authentication, and digital signatures. This document specifies the message formats used in OpenPGP. [STANDARDS-TRACK] This memo proposes several elliptic curve domain parameters over finite prime fields for use in cryptographic applications. The domain parameters are consistent with the relevant international standards, and can be used in X.509 certificates and certificate revocation lists (CRLs), for Internet Key Exchange (IKE), Transport Layer Security (TLS), XML signatures, and all applications or protocols based on the cryptographic message syntax (CMS). This document is not an Internet Standards Track specification; it is published for informational purposes. This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties. This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Cloudflare Cloudflare This memo defines X25519Kyber768Draft00, a hybrid post-quantum KEM, for HPKE (RFC9180). This KEM does not support the authenticated modes of HPKE. Cloudflare University of Waterloo This memo defines X25519Kyber768Draft00, a hybrid post-quantum key exchange for TLS 1.3.