]> BubbleFish Technologies, Inc.

npamp-editor@bubblefish.sh

ART post-quantum agents transport ALPN The Native Post-Quantum Agent Messaging Protocol (N-PAMP) is a binary, multi-channel, wire-level protocol for authenticated communication between autonomous software agents. N-PAMP operates beneath application-layer agent protocols and provides a single fixed-size frame format, a registry of multiplexed channels, and three escalating security profiles (Standard, High, and Sovereign) built on standard post-quantum and classical cryptography. The protocol uses a hybrid key-encapsulation mechanism combining X25519 with ML-KEM, authenticated encryption with associated data, and a forward-secure key schedule. N-PAMP runs over QUIC as its primary transport and over TCP with TLS 1.3 as a fallback, negotiated via the Application-Layer Protocol Negotiation (ALPN) identifier "n-pamp/2". This document describes the wire format, channel architecture, profile negotiation, and cryptographic suites of N-PAMP, and reserves code-point ranges for extensions defined in companion specifications.

Introduction Autonomous software agents increasingly communicate with one another over long-lived associations that carry control traffic, persistent state, capability delegation, identity attestation, and operational telemetry on a single connection. Existing transport-layer protocols such as TLS 1.3 and QUIC , and application-layer agent protocols layered above them, do not by themselves provide a unified binary frame format with semantic channel multiplexing, profile-negotiated cryptographic strength, and mandatory authenticated encryption tailored to agent-to-agent traffic. N-PAMP addresses this gap. It defines a single fixed-size frame header, a set of multiplexed channels each carrying a distinct class of agent traffic, and three negotiated security profiles that hold the wire format constant while escalating the cryptographic primitives and operational requirements. All three profiles employ a hybrid key-encapsulation mechanism (KEM) combining the classical X25519 key agreement with a NIST-standardized module-lattice KEM (ML-KEM, ), so that the confidentiality of an association is preserved if either the classical or the post-quantum component remains unbroken. N-PAMP is deliberately scoped as a transport substrate. It does not define application-layer semantics for the data carried on its channels; those are the subject of companion specifications. This document specifies the wire format, the channel registry, profile negotiation, and the cryptographic suites, and it reserves code-point ranges so that companion extensions can be defined without colliding with the core protocol.

Goals The design goals of N-PAMP are:

• Cryptographic agility within a stable wire format. The frame format does not change between profiles; the cryptographic primitives, modes, and operational requirements do.
• Defense in depth through hybrid post-quantum and classical key establishment, authenticated encryption, and a forward-secure key schedule.
• Channel multiplexing so that a single association can carry several classes of agent traffic with independent sequence spaces and per-channel keying.
• Interoperability across profiles, so that an endpoint operating at a higher profile MAY interoperate with a lower-profile peer when local policy permits.

Non-Goals This document does NOT:

• Replace TLS for ordinary web traffic. N-PAMP is purpose-built for autonomous-agent, multi-channel traffic over long-lived associations.
• Define application-layer semantics for the data carried on its channels.
• Define a general-purpose IP-layer tunneling or VPN protocol.

Terminology For the purposes of this document:

Association:

A long-lived, cryptographically authenticated session between two N-PAMP endpoints, identified by a stable Association ID.

Channel:

A semantic multiplexing lane within an association, identified by a 16-bit Channel ID, carrying one class of agent traffic with its own sequence space.

Frame:

The atomic unit of transmission, consisting of a fixed 36-octet header, optional extension TLVs, and an AEAD-protected payload.

Profile:

One of three negotiated levels of cryptographic strength and operational requirement (Standard, High, Sovereign).

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Protocol Overview N-PAMP is a binary protocol. Every unit of communication is a frame consisting of a fixed 36-octet header (), zero or more extension TLVs, and a payload protected by an authenticated-encryption-with-associated-data (AEAD) construction . Frames are carried on channels (), each of which has an independent per-direction sequence space. An N-PAMP association is established by a handshake that:

1. establishes a hybrid X25519 + ML-KEM shared secret;
2. negotiates a security profile, a KEM, a signature algorithm, and one or more AEAD suites;
3. authenticates both peers by signing a transcript that binds the negotiated parameters and both peer identities; and
4. derives a forward-secure key schedule from which per-channel, per-direction traffic keys are obtained.

The negotiated profile, the KEM identifier, the signature identifier, the selected AEAD suite(s), and both peer identities are all bound into the handshake transcript and confirmed by a Finished message authentication code (MAC). A man-in-the-middle that alters any negotiated parameter or substitutes an identity invalidates the Finished MAC and aborts the handshake; this is the structural defense against downgrade, unknown-key-share, and identity-substitution attacks (see ). N-PAMP uses QUIC (secured with TLS 1.3, ) as its primary transport and TCP with TLS 1.3 as a fallback. In both cases, the application protocol is negotiated using the ALPN extension with the identifier "n-pamp/2" ().

Wire Format

Frame Structure Every N-PAMP frame has the following structure:

N-PAMP frame structure

The 36-octet header is fixed-size. Zero or more extension TLVs MAY accompany a frame. The payload is AEAD-sealed, and the associated data covers the 21-octet header prefix (octets 0-20, through the Payload Length field, the same octets protected by the header CRC32C) so that any modification to those header fields is detected on decryption.

Frame Header The fixed header is 36 octets, laid out as follows. Multi-octet integers are encoded in network byte order (big-endian) unless stated otherwise.

36-octet N-PAMP frame header

The fields are: Frame header fields

Offset	Size	Field	Description
0-3	4 octets	Magic	ASCII "NPAM" (0x4E 0x50 0x41 0x4D).
4	4 bits	Ver	Protocol major version, the high nibble of octet 4. The value 0x2 designates the wire format described in this document (wire major version 2).
4	4 bits	Flags	The low nibble of octet 4 (see ).
5-6	2 octets	Frame Type	Frame type within the channel (see ).
7-8	2 octets	Channel ID	The semantic channel ().
9-16	8 octets	Sequence Number	Per-(channel, direction) monotonic sequence number, starting at 0.
17-20	4 octets	Payload Length	Byte count of the payload following the header.
21-24	4 octets	CRC32C	CRC32C (Castagnoli polynomial 0x1EDC6F41) computed over header octets 0-20. Receivers MUST validate it before processing any other header field.
25-35	11 octets	Reserved	MUST be zero; receivers MUST reject frames whose reserved octets are non-zero.

All multi-octet integers are big-endian. The Ver field carries the wire major version; the value 0x02 corresponds to the ALPN identifier "n-pamp/2".

Frame Flags The low nibble of header octet 4 carries four flag bits: Frame flags

Bit	Name	Meaning
0 (0x01)	URG	Urgent-priority scheduling.
1 (0x02)	ENC	Payload is AEAD-encrypted.
2 (0x04)	COMP	Payload is compressed.
3 (0x08)	FRAG	Frame is a fragment of a larger logical message.

Extension TLVs Zero or more Type-Length-Value (TLV) extensions MAY accompany a frame. Each TLV is encoded as:

Extension TLV encoding

Type and Length are 16-bit unsigned integers in network byte order; Length is the byte count of Value (0 to 65535). A receiver that encounters an unknown TLV whose Type has the high bit (0x8000) clear MUST ignore that TLV. A receiver that encounters an unknown TLV whose Type has the high bit (0x8000) set MUST treat it as a forward-incompatible extension and reject the frame. The TLV type registry maintained by this specification is given in .

Payload Encoding The payload carries a frame-type-specific body. The body MAY be encoded in a binary serialization, in deterministic CBOR , or as raw octets. The selected encoding is signaled within the channel-local interpretation of the Frame Type field.

Reserved Frame Types Each channel defines its own frame types in the 0x0000-0xFFFF space. The following frame types are reserved across all channels and have the same meaning on every channel: Reserved frame types (all channels)

Type	Name	Description
0x0000	(reserved)	Reserved; MUST NOT be used as a frame type.
0x0001	PING	Liveness probe.
0x0002	PONG	Reply to PING.
0x0003	CLOSE	Authenticated close; AEAD-protected.
0x0004	CLOSE_ACK	Reply to CLOSE.
0x0005	ERROR	Error report; AEAD-protected.
0x0006	KEY_UPDATE	Initiate key update for this (channel, direction).
0x0007	KEY_UPDATE_ACK	Acknowledge key update.
0x0008	PATH_CHALLENGE	Path-migration challenge.
0x0009	PATH_RESPONSE	Path-migration response.
0x000A	FLOW_UPDATE	Connection-level flow-control credit update.

Channel-specific frame types begin at 0x0100 within each channel's frame namespace. Frame-type code points at or above 0x0030 that are not reserved here, and in particular the ranges enumerated in , are reserved for extensions defined in companion specifications.

CLOSE Frame A CLOSE frame is authenticated like any other frame. A receiver MUST verify the AEAD tag before honoring a close. An unauthenticated or forged CLOSE frame MUST be dropped and SHOULD be counted as a security event.

Channel Architecture N-PAMP multiplexes traffic over channels identified by a 16-bit Channel ID. Each channel carries one class of agent traffic and has an independent per-direction sequence space and independent traffic keys (). A peer that has not advertised a channel during the handshake MUST NOT receive frames on that channel; frames on an unadvertised channel MUST be dropped.

Core Channel Registry The following channels are defined and maintained by this specification: Core channel registry

ID	Name	Purpose	Min Profile	Direction
0x0000	Control	Connection control, handshake completion, capability epoch	Standard	Bidirectional
0x0001	Memory	Persistent-state create/read/update/delete and retrieval	Standard	Multi-stream
0x0002	Capability	Capability issuance, delegation, revocation, lookup	Standard	Bidirectional
0x0003	Identity	Identity resolution, attestation, presence	Standard	Bidirectional
0x0004	Governance	Policy proposals, votes, quorum closure	High	Bidirectional
0x0005	Immune	Anomaly reports and defensive gossip	Standard	Bidirectional
0x0006	Federation	Cross-instance synchronization and gossip	High	Multi-stream
0x0007	Settlement	Agent-to-agent settlement and receipts	Standard	Bidirectional
0x0008	Compliance	Attestation and regulatory export	High	Bidirectional
0x0009	Sensory	Bulk telemetry and low-priority observations	High	Multi-stream
0x000A	Telemetry	Operational metrics and health reporting	Standard	Bidirectional
0x000B	Audit	Audit-epoch commitments and transparency-log entries	Sovereign	Bidirectional
0x000C	Stream	Multiplexed full-duplex streaming (tokens, audio, video, file transfer)	Standard	Multi-stream
0x000D	Bridge	Encapsulation of external agent protocols within N-PAMP frames	Standard	Bidirectional
0x000E	Commerce	Multi-party agentic commerce and payment mandates	Standard	Bidirectional
0x000F	Interaction	Agent-to-human user-interface events	Standard	Bidirectional
0x0010	Discovery	Agent, tool, and service discovery and capability advertisement	Standard	Bidirectional
0x0011	Workflow	Multi-agent orchestration and task delegation	Standard	Bidirectional
0x0012	Knowledge	Retrieval queries with ranked results and provenance	Standard	Multi-stream
0x0013	Spatial	Physical-world state for robotics and IoT (high-frequency)	High	Multi-stream

The Min Profile column gives the lowest profile at which a channel may be enabled; a channel is available at that profile and at every higher profile (for example, a "High" channel is available at High and Sovereign). The Audit channel is enabled by default only at Sovereign; other profiles MAY enable it. The Control and Immune channels SHOULD be scheduled at higher priority than bulk channels (Memory, Sensory, Telemetry) during congestion. All N-PAMP channels are full-duplex: each peer maintains an independent send and receive sequence space and independent per-direction traffic keys, so both peers MAY transmit on a channel simultaneously. The Direction column classifies each channel as follows: Channel directionality

Direction	Meaning
Bidirectional	Both peers send and receive frames on a single stream.
Multi-stream	Bidirectional, and the channel MAY open multiple concurrent transport streams within its stream family.

The Stream channel (0x000C) provides general-purpose multiplexed full-duplex streaming, carrying concurrent bidirectional sub-streams (for example token, audio, video, and file-transfer streams), each with independent flow control. Channel IDs not listed in , and in particular the ranges enumerated in , are reserved for extensions defined in companion specifications.

Profile Negotiation N-PAMP defines three security profiles. The profiles share one wire format and differ in the cryptographic primitives and operational requirements they mandate. Each profile is an escalation of the previous one in cryptographic strength. Security profiles

Profile	Code	Summary
Standard	0x01	Baseline hybrid post-quantum security.
High	0x02	Stronger KEM parameters and stronger hash; downgrade refusal to Standard.
Sovereign	0x03	Highest standard-crypto strength; downgrade refusal below Sovereign.

Profile code points 0x00 and 0x04-0xFF are reserved by this specification. The profile is offered by the client and selected by the server during the handshake, and is carried in the handshake transcript. Because the profile is part of the transcript that the Finished MAC covers, an attacker who strips a profile from the offer or forces a lower selection invalidates the MAC and aborts the handshake. The profile invariants are: Profile invariants

Property	Standard	High	Sovereign
Minimum KEM	X25519MLKEM768	X25519MLKEM1024	X25519MLKEM1024
Allowed signatures	Ed25519	Ed25519, ML-DSA-87	ML-DSA-87
KDF hash	SHA-256	SHA-384	SHA-384
Per-frame AEAD diversification	Off	On	On
Downgrade refusal	Off	Refuses Standard	Refuses below Sovereign
Mandatory key update	Yes	Yes (tighter bounds)	Yes (tightest bounds)

The server MUST select a profile from the client's offered set. The selected profile MUST be no lower than the server's configured minimum acceptable peer profile. A Sovereign server with a minimum acceptable peer profile of Sovereign completes a handshake only when the client offers Sovereign and Sovereign is selected. A High or Sovereign endpoint MAY interoperate with a lower-profile peer for read-only or capability-discovery operations when local policy permits, by accepting a lower selected profile; otherwise it refuses the downgrade as shown above.

Cryptographic Suites All cryptographic primitives used by N-PAMP are published standards.

Key Encapsulation Mechanisms KEM code points

Code point	Name	Profiles
0x11ec	X25519MLKEM768	Standard, High
0x11ed	X25519MLKEM1024	High, Sovereign

Both are hybrid KEMs combining X25519 ECDH with ML-KEM (ML-KEM-768 and ML-KEM-1024, respectively). The two shared secrets are concatenated as (X25519 shared secret || ML-KEM shared secret) and supplied as input keying material to HKDF-Extract . The construction follows the established practice for hybrid key establishment . The Sovereign profile MUST NOT accept X25519MLKEM768.

Authenticated Encryption AEAD code points

Code point	Name	Key	Nonce	Tag
0x0001	AES-256-GCM	32	12	16
0x0002	ChaCha20-Poly1305	32	12	16

AES-256-GCM is used as specified for AEAD ciphers in ; ChaCha20-Poly1305 is used as specified in . Endpoints operating at the High and Sovereign profiles MUST support both AEAD suites because per-frame AEAD diversification at those profiles selects between them. Endpoints operating at the Standard profile MUST support at least one of the two.

Signatures Signature code points

Code point	Name	Usage	Profiles
0x0807	Ed25519	Identity, capability tokens	All
0x0905	ML-DSA-87	Identity, audit epoch	High, Sovereign

Ed25519 is used as specified in . ML-DSA-87 is the module-lattice-based digital signature algorithm standardized in . The Sovereign profile uses ML-DSA-87 for identity and audit signatures.

Key Derivation and Hashing All key derivation uses HKDF . The KDF hash is SHA-256 at the Standard profile and SHA-384 at the High and Sovereign profiles. The HKDF-Expand-Label construction follows TLS 1.3 , with a protocol-specific label prefix that provides domain separation from TLS 1.3, from QUIC, and from earlier N-PAMP versions.

Key Schedule and Nonces Traffic secrets are derived per (direction, epoch, AEAD suite, channel) tuple, so that no two distinct contexts share a key. Each traffic secret yields an AEAD key, an AEAD initialization vector, and a header-protection key by HKDF-Expand-Label. The per-frame nonce is the AEAD IV exclusive-ORed with the left-zero-padded sequence number, identical in form to the construction used in TLS 1.3 and QUIC . This namespace partitioning prevents cross-direction, cross-suite, and cross-channel nonce reuse, and supports forward secrecy: on key update, traffic secrets for the new epoch are derived afresh and the prior epoch's secrets are zeroized.

Random Number Generation All randomness that participates in security MUST come from a cryptographically secure random number generator. Implementations MUST NOT use a non-cryptographic source for any field that participates in security.

Extension Points N-PAMP reserves code-point ranges for extensions defined in companion specifications. The core protocol in this document neither defines nor requires any extension; it only reserves the ranges below so that extensions can be specified without colliding with the core wire format. The algorithms and semantics that occupy these ranges are out of scope for this document and are defined in companion specifications.

Reserved Frame-Type Ranges The following per-channel frame-type code points are reserved for extensions defined in companion specifications: Reserved frame-type ranges (companion specifications)

Range	Reserved for
0x0035 - 0x0036	Memory-channel eviction and revive extension frames
0x0060 - 0x0063	Capability-channel token extension frames
0x0080 - 0x0080	Control-channel flow-extension frames
0x0090 - 0x0090	Audit-channel per-frame integrity-extension frames
0x00A0 - 0x00A3	Settlement/Audit batch-commitment extension frames
0x00B0 - 0x00B4	Governance-channel quorum extension frames
0x00C0 - 0x00C4	Immune-channel propagation extension frames

Reserved TLV Tags The TLV types 0x0010, 0x0013, and 0x0014 are reserved for extension TLVs defined in companion specifications. TLV types in the range 0x8000-0xFFFF remain reserved as forward-incompatible extension points per .

Reserved Channel-ID Range Channel IDs in the range 0x0014-0xFFFF are reserved. Channels 0x0014-0x001F are reserved for future core additions by this specification; 0x0020-0xEFFF are reserved for extension channels defined in companion specifications; 0xF000-0xFFFE are GREASE values that receivers MUST ignore; and 0xFFFF MUST NOT appear on the wire. The specific extension assignments are out of scope for this document. No algorithms, parameters, or semantics for any reserved range are defined in this document.

IANA Considerations

ALPN Protocol Identifier This document requests that IANA register the following value in the "TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs" registry established by : Requested ALPN registration

Protocol	Identification Sequence	Reference
N-PAMP, wire major version 2	0x6E 0x2D 0x70 0x61 0x6D 0x70 0x2F 0x32 ("n-pamp/2")	(this document)

The identification sequence is the 8-octet UTF-8 string "n-pamp/2". The trailing digit "2" equals the N-PAMP wire major version (the value 0x02 carried in the Ver field of the frame header, ). The registration policy for the ALPN registry is Expert Review . The earlier identifier "n-pamp/1" is deprecated. Implementations SHOULD NOT negotiate "n-pamp/1" for new associations. Future wire major versions will use distinct ALPN identifiers (for example, "n-pamp/3").

URI Scheme Registration This document requests provisional registration of the "npamp" URI scheme in the "Uniform Resource Identifier (URI) Schemes" registry, following the template and the provisional-registration procedure (First Come First Served) of . Scheme name: npamp Status: Provisional Applications/protocols that use this scheme: The protocol defined in this document (N-PAMP). An "npamp" URI names an N-PAMP endpoint and an optional resource path within that endpoint. URI scheme syntax: The "npamp" scheme uses the generic URI syntax of : where "authority", "path-abempty", and "query" are as defined in . The "authority" component identifies the N-PAMP endpoint (host and optional port). N-PAMP does not reserve a fixed default port; the underlying transport is negotiated as described in . Encoding considerations: "npamp" URIs are processed as defined in ; non-ASCII characters in the path or query components are percent-encoded UTF-8 octets. Interoperability considerations: None beyond those of . The scheme carries no protocol semantics of its own; all behavior is defined by N-PAMP. Security considerations: See . An "npamp" URI is only an identifier. Connecting to an "npamp" endpoint invokes the N-PAMP handshake and its authentication, confidentiality, and downgrade protections; dereferencing an "npamp" URI MUST NOT bypass the security profile negotiated by N-PAMP. Contact: Shawn Sammartano, BubbleFish Technologies, Inc. Change controller: Shawn Sammartano, BubbleFish Technologies, Inc. Reference: This document.

Registries Maintained by This Specification The N-PAMP channel registry (), the frame-type registry (), and the TLV type registry () are defined and maintained within this specification. Because this document is published through the Independent Submission stream, it does not request the creation of new IANA-hosted registries for these code points; the registries are normative within this document and are extended by companion specifications and by future revisions of this document, not by IANA registration actions.

TLV Type Registry The following TLV tags are defined by this specification. Tags marked "reserved" are described in . TLV type registry

Tag	Name	Length	Description
0x01	ProfileOffer	4	Profiles offered by the client (handshake only).
0x02	ProfileSelect	1	Profile selected by the server (handshake only).
0x03	KEMOffer	var	KEMs offered by the client.
0x04	KEMSelect	2	KEM selected by the server.
0x05	SigOffer	var	Signature algorithms offered.
0x06	SigSelect	2	Signature algorithm selected.
0x07	KEMShare	var	Public KEM share.
0x08	KEMCiphertext	var	KEM encapsulation ciphertext.
0x10	(reserved)	var	Reserved for a companion specification.
0x12	AnomalyCharge	32	Per-frame integrity charge.
0x13	(reserved)	var	Reserved for a companion specification.
0x14	(reserved)	32	Reserved for a companion specification (handshake only).
0x15	PathChallenge	32	Path-migration challenge nonce.
0x16	PathResponse	64	Path-migration response.
0x17	KeyUpdateMarker	8	Key-update epoch marker.
0x18	ProtectionMode	1	Protection-mode selector.
0x8000-0xFFFF	(reserved)	--	Forward-incompatible extension points (Type high bit set).

Security Considerations This section follows the spirit of . N-PAMP inherits the security properties of its underlying transports, TLS 1.3 and QUIC , and adds the considerations below.

Hybrid Key Establishment Every profile uses a hybrid KEM that concatenates an X25519 shared secret with an ML-KEM shared secret before key derivation. The confidentiality of an association is preserved as long as at least one of the two components remains unbroken; an adversary must defeat both the classical and the post-quantum component to recover traffic keys. N-PAMP makes no claim of unconditional or "quantum-proof" security; it provides post-quantum hybrid security against the adversaries addressed by its component primitives.

Downgrade, Unknown-Key-Share, and Identity Substitution The negotiated profile, KEM, signature algorithm, AEAD suite(s), and both peer identities are bound into the handshake transcript and confirmed by the Finished MAC (, ). Altering any negotiated parameter, stripping a profile from the offer, or substituting a peer identity invalidates the Finished MAC and aborts the handshake. The High and Sovereign profiles additionally refuse to complete at a profile below their configured minimum.

Authenticated Encryption and Nonce Management All payloads are protected by AEAD . Traffic keys are partitioned per (direction, epoch, suite, channel), which structurally prevents nonce reuse across directions, AEAD suites, and channels. AEAD tag verification MUST be performed before any payload is processed, and equality comparisons of authentication values MUST be constant-time to avoid timing side channels.

Replay Each (channel, direction) pair maintains a sliding replay window over sequence numbers. Frames outside the window or already recorded within it MUST be rejected. Where 0-RTT data is permitted, it MUST be limited to idempotent operations and protected against replay by an anti-replay mechanism scoped to the current epoch; the Sovereign profile disables 0-RTT entirely.

Forward Secrecy and Key Update Endpoints MUST perform key updates within profile-specific bounds on elapsed time, frames sent, and bytes protected, with the tightest bounds at the Sovereign profile. On key update, the prior epoch's traffic secrets MUST be zeroized so that compromise of the current epoch does not expose previously protected traffic. Rotation of the master secret requires a fresh handshake.

Connection Migration When carried over QUIC, an endpoint MUST validate a peer's new path with a challenge-response exchange (PATH_CHALLENGE / PATH_RESPONSE) before accepting an address change, to prevent off-path migration spoofing.

Authenticated Close CLOSE frames are AEAD-protected and MUST be verified before being honored, so that an off-path attacker cannot tear down an association with a forged CLOSE.

Extension Points The reserved code-point ranges in carry no algorithms or semantics in this document. Any security properties of extensions occupying those ranges are the responsibility of the companion specifications that define them and are out of scope here.

Implementation Considerations Where the wire format requires deterministic encoding (for example, deterministic CBOR or canonical integer encodings), implementations MUST produce byte-identical output for identical inputs, because non-deterministic encodings can invalidate transcript and integrity computations across peers.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK] This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes. This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection. A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK] This document updates the guidelines and recommendations, as well as the IANA registration processes, for the definition of Uniform Resource Identifier (URI) schemes. It obsoletes RFC 4395. This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided. This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm. RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. The Concise Binary Object Representation (CBOR) is a data format whose design goals include the possibility of extremely small code size, fairly small message size, and extensibility without the need for version negotiation. These design goals make it different from earlier binary serializations such as ASN.1 and MessagePack. This document obsoletes RFC 7049, providing editorial improvements, new details, and errata fixes while keeping full compatibility with the interchange format of RFC 7049. It does not create a new version of the format. This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. This document describes how Transport Layer Security (TLS) is used to secure QUIC. National Institute of Standards and Technology (NIST) National Institute of Standards and Technology (NIST) Informative References Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. University of Waterloo Cisco Systems University of Haifa and Meta Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if a way is found to defeat the encryption for all but one of the component algorithms. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3.

Acknowledgments The author thanks the reviewers of earlier N-PAMP drafts for their feedback.