]> Freedom of the Press Foundation

giulio@freedom.press

Freedom of the Press Foundation

cfm@acm.org

Freedom of the Press Foundation

ro@freedom.press

AKEM authenticated KEM DHKEM HPKE KEM combiner The standards-track supersedes the informational , omitting its authenticated modes mode_auth and mode_auth_psk. This document restores mode_auth_psk mode as a strict extension and illustrates how the restored mode can be used with a post-quantum "shared secret" as the PSK in order to achieve hybrid PQ/T confidentiality while transitioning to quantum-resistant encryption, without deprecating the classical implicit authentication on which many applications still rely. This extension requires only the addition of AuthEncap()/AuthDecap() to the DHKEM, the definition of four setup functions, and a change in VerifyPSKInputs(). The extension does not alter the externally observable behavior of the existing HPKE modes standardized in . Although AuthEncap()/AuthDecap() reintroduce the functionality of mode_auth, the mode itself is not restored, since it cannot provide quantum resistance. This document discusses the transitional nature of the AuthPSK construction and its security properties as a transitional step towards quantum resistance. In particular, this document illustrates how the restored mode_auth_psk can be used to provide ready-made KEM combiner-like functionality () without requiring downstream API users to manage their own encryption context. About This Document Status information for this document may be found at . Source for this draft and an issue tracker can be found at .

Introduction is the standards-track successor to the informational and omits the authenticated modes mode_auth and mode_auth_psk to simplify the standard. However, some applications make use of the type of implicit sender authentication provided by these modes. The normative portion of this document is small. It restores mode_auth_psk as a strict extension to . This requires AuthEncap()/AuthDecap() from the DHKEM construction in , and a modified VerifyPSKInputs(). The externally observable behavior of existing HPKE modes is unchanged. AuthEncap() computes a static-static DH value DH(skS, pkR) alongside the ephemeral-static value and mixes both into the key derivation, binding the output to the sender's key pair. Although the functionality of mode_auth is re-introduced, the mode identifer itself, which relies solely on DHKEM, is not restored, since it cannot provide quantum-resistant encryption. mode_auth is instead treated as a building block to mode_auth_psk, as seen in . describes how the restored mode_auth_psk can be used to achieve hybrid PQ/T confidentiality as defined in during the transition to quantum-resistant encryption. discusses the transitional nature of this construction and reviews the guidance available to application developers looking to begin the transition to quantum-resistant encryption with existing libraries and APIs. To motivate the extension, discusses how the extension can be used as a type of black-box KEM combiner (), similar to the construction proposed in , to allow application developers to begin the transition to quantum-resistant encryption via usable libraries and APIs.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Terms from are used without redefinition; particular reference is made to the DHKEM construction . The following additional term is used herein:

• AKEM: a KEM whose encapsulation additionally takes the sender's static private key and implicitly binds the shared secret to it.

Authenticated Pre-Shared Key Mode Extension to This section specifies the additions to required to restore mode_auth_psk. These extensions are defined so that the externally observable behavior of the existing HPKE modes is unchanged, although this document modifies the VerifyPSKInputs() procedure in .

Mode Identifiers The reserved entry for value 0x03 in Table 1 of is replaced with the following mode identifier, as originally specified in Table 1 of : The value 0x02 remains reserved.

Exclusion of 0x02 mode_auth from Mode Identifiers Although restoring the AuthEncap() and AuthDecap() functions would also allow for restoring mode_auth, this mode cannot offer quantum-resistant encryption, and its identifier is therefore not reintroduced.

DHKEM Extension: AuthEncap() and AuthDecap() The following two functions are added to the DHKEM, extending it to an AKEM (DHAKEM). They are reproduced verbatim from . All helper functions (GenerateKeyPair, DH, SerializePublicKey, DeserializePublicKey, ExtractAndExpand) are as defined in . Note that the AuthEncap() and AuthDecap() functions are vulnerable to key-compromise impersonation (KCI): the assurance that the shared secret was generated by the holder of the private key skS does not hold if the recipient private key skR is compromised. See for further discussion; see for integration of a pre-shared key.

VerifyPSKInputs The VerifyPSKInputs() function defined in and is extended to handle the reintroduced mode_auth_psk. The updated function replaces the original: The only change from the original is that mode_psk is replaced by [mode_psk, mode_auth_psk] in the final guard.

Setup Functions The following four setup functions are reproduced verbatim from Sections and of . KeyScheduleS()/KeyScheduleR() and AuthEncap()/AuthDecap() are as defined in and respectively.

Input Validation and Error Handling In addition to the validation requirements in , the recipient MUST validate the sender's static public key pkS before use in AuthDecap(), applying the same validation rules as for other public key inputs. Validation failure MUST yield a ValidationError.

DHAKEM with PSK This section illustrates how the authenticated mode defined in can be used. Any AEAD identifier from may be used; the resulting context supports Seal(), Open(), and Export(). Key generation follows GenerateKeyPair() from . mode_auth_psk may be used via its setup function: the sender calls SetupAuthPSKS() and the receiver calls SetupAuthPSKR(), with a pre-shared key psk and a PSK identifier psk_id, as defined in . As in , both parties are assumped to have been provisioned with the PSK value psk and another byte string psk_id. This mode SHOULD be used with a quantum-resistant PSK value as described below in order to offer hybrid PQ/T confidentiality properties.

PQ/T Hybrid Construction The suite_id in the HPKE key schedule reflects only the ciphersuite (KEM_ID, KDF_ID, AEAD_ID), where KEM_ID is a DHAKEM. Generation and distribution of a quantum-safe PSK value is left to the application. Hybrid confidentiality. KeyScheduleS()/KeyScheduleR() delegate to CombineSecrets, for which defines two variants. In CombineSecrets_TwoStage(), the combination is secret = LabeledExtract(dhkem_shared_secret, "secret", psk), equivalent to HKDF-Extract(salt = dhkem_shared_secret, IKM = psk) . In CombineSecrets_OneStage(), dhkem_shared_secret and psk are length-prefixed and concatenated before a single LabeledDerive() call. In both cases, dhkem_shared_secret and psk enter the combination as independent inputs. The intended design property is that secret remains pseudorandom as long as at least one of the two inputs is---meaning an adversary would need to attack both the classical DH-based component and the PQ-KEM to recover secret, as seen in and subsequently, . Whether this property holds formally for a specific CombineSecrets variant depends on that variant's security analysis, which is outside the scope of this document. Authentication. This mode retains the implicit sender authentication properties of DHAKEM described in . A quantum adversary with access to the PSK can also forge authenticated messages. PSK freshness. The PSK psk MUST satisfy the entropy requirement in (32 bytes of uniform randomness).

AKEM/PQ KEM "Combiner" (Informative) Using mode_auth_psk with the shared secret from a PQ-KEM as the provided "psk" value allows application developers to provide hybrid PQ/T security properties using ready-made libraries and APIs. Although this psk value is not a true pre-shared key, this document adopts the pskAPKE terminology from . The result is a KEM combiner-style construction that provides hybrid PQ/T confidentiality and classical authentication, without requiring developers to manage their own encryption context---a frequent source of developer error and a motivating factor for the API design choices of . In addition to the keypair specified in , the receiver holds an additional post-quantum keypair, (skR_pq, pkR_pq). Prior to setting up an HPKE encryption context (either via Setup or via a single-shot API), the sender uses receiver's PQ public key pkR_pq to generate a shared secret and its encapsulation (ss_pq, enc_pq), and uses ss_pq as the psk and a static identifier as the PSK identifier. The ciphertext encapsulation of ss_pq, enc_pq, is included in info to bind it to the key schedule. An example construction is provided below, with reference to the following terms:

• PQKEM: a post-quantum KEM, e.g., ML-KEM or an algorithm from .
• PQKEM.Encap(pkR_pq): PQ-KEM encapsulation; returns (enc_pq, ss_pq).
• PQKEM.Decap(enc_pq, skR_pq): PQ-KEM decapsulation; returns ss_pq.
• Nenc_pq: the fixed ciphertext length of the chosen PQ-KEM, in bytes.

Classical (implicit) sender authentication: This construction provides only classical sender authentication is provided. In contrast to , this "psk" value provides no sender authentication, as it is constructed rather than pre-shared. This limitation is assessed in . The info parameter will exceed 64 bytes. Implementors must ensure their choice of algorithms and underlying implementation can support parameters of this length. The shared secret ss_pq must satisfy the entropy requirement in . Implementations should verify len(enc) == Nenc + Nenc_pq and reject encapsulations of any other length. A fresh (ss_pq, enc_pq) pair should be generated for each encapsulation; reuse of a prior enc_pq is prohibited. The suite_id in the HPKE key schedule reflects only the ciphersuite (AKEM_ID, KDF_ID, AEAD_ID); the PQ-KEM algorithm identity should be conveyed via application-layer framing when multiple PQ-KEM algorithms are supported. Note that describes a related hybrid construction in which a PQ AKEM (rather than an unauthenticated KEM) is used to generate the PSK, which would additionally provide post-quantum sender authentication; that stronger construction is outside the scope of this document.

Motivation (Informative) Application developers are in a bind: though they may be aware of advice to implement quantum-resistant encryption on an accelerated timeline, they may encounter rapidly-evolving guidance on best practices, a lack of direct parity with classical constructions, and a relative paucity of stable libraries and APIs . Developers looking to offer hybrid PQ/T encryption in their own applications, for reasons described for example in , can look to early-stage implementations of , or may refer to the now-expired , but will need to manage their own combiner implementation. On the other hand, production-ready quantum-resistant authentication is still maturing. Standardized schemes offer non-repudiable, signature-based authentication, which is not a direct replacement for the type of DH-based implicit authentication described in the authenticated modes of or this document. Although the strategy of hybrid encryption with classical authentication is not as straightforward to communicate as unauthenticated hybrid encryption that forgoes implict authentication entirely, protocols such as Noise IK, as used in , indicate that this strategy has real-world uses until quantum-resistant authentication methods become more available. Allowing application developers to deploy quantum-resistant encryption as a transitional measure without deprecating the classical authentication properties of their application provides a path towards quantum readiness, similar in concept to and , which also discuss the introduction of quantum-resistent PSK as a transitional measure.

Security Considerations The sender-authentication and key-compromise impersonation (KCI) properties of mode_auth_psk are as described in Sections and of , which apply without change to the functions defined in . Security properties specific to the hybrid PQ/T construction are discussed informatively in . The formal security of the DHKEM authenticated modes under the Gap-DH assumption is established in . The security of mode_auth_psk---termed AuthPSK in ---is analyzed there as the pskAPKE scheme.

IANA Considerations This document requests no IANA actions; all identifiers are drawn from registries defined in .

References Normative References Cisco Inria Inria This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes a variant that authenticates possession of a pre-shared key. HPKE works for any combination of an asymmetric Key Encapsulation Mechanism (KEM), key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. Entrust Limited Proton AG BSI The migration to post-quantum cryptography often calls for performing multiple key encapsulations in parallel and then combining their outputs to derive a single shared secret. This document defines a comprehensible and easy to implement Keccak- based KEM combiner to join an arbitrary number of key shares, that is compatible with NIST SP 800-56Cr2 [SP800-56C] when viewed as a key derivation function. The combiners defined here are practical split- key PRFs and are CCA-secure as long as at least one of the ingredient KEMs is. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References National Institute of Standards and Technology Advances in Cryptology -- EUROCRYPT 2021, LNCS 12696, pp. 396-427 Advances in Cryptology -- ASIACRYPT 2023 SandboxAQ MPI-SP & Radboud University Cloudflare This memo defines X-Wing, a general-purpose post-quantum/traditional hybrid key encapsulation mechanism (PQ/T KEM) built on X25519 and ML- KEM-768. University of Waterloo Cisco Systems University of Haifa and Meta Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if a way is found to defeat the encryption for all but one of the component algorithms. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Post Quantum Cryptography Alliance This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations. This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes. Cisco Selkie Cryptography Updating key exchange and public-key encryption protocols to resist attack by quantum computers is a high priority given the possibility of "harvest now, decrypt later" attacks. Hybrid Public Key Encryption (HPKE) is a widely-used public key encryption scheme based on combining a Key Encapsulation Mechanism (KEM), a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) scheme. In this document, we define KEM algorithms for HPKE based on both post-quantum KEMs and hybrid constructions of post- quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3 that is suitable for use with these KEMs. When used with these algorithms, HPKE is resilient with respect to attacks by a quantum computer. This document describes how to extend the Internet Key Exchange Protocol Version 2 (IKEv2) to allow multiple key exchanges to take place while computing a shared secret during a Security Association (SA) setup. This document utilizes the IKE_INTERMEDIATE exchange, where multiple key exchanges are performed when an IKE SA is being established. It also introduces a new IKEv2 exchange, IKE_FOLLOWUP_KE, which is used for the same purpose when the IKE SA is being rekeyed or is creating additional Child SAs. This document updates RFC 7296 by renaming a Transform Type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method". It also renames an IANA registry for this Transform Type from "Transform Type 4 - Diffie- Hellman Group Transform IDs" to "Transform Type 4 - Key Exchange Method Transform IDs". These changes generalize key exchange algorithms that can be used in IKEv2. This document specifies a TLS 1.3 extension that allows a server to authenticate with a combination of a certificate and an external pre-shared key (PSK). This document provides usage guidance for external Pre-Shared Keys (PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446. It lists TLS security properties provided by PSKs under certain assumptions, then it demonstrates how violations of these assumptions lead to attacks. Advice for applications to help meet these assumptions is provided. This document also discusses PSK use cases and provisioning processes. Finally, it lists the privacy and security properties that are not provided by TLS 1.3 when external PSKs are used.

Acknowledgments TK