rfc9794v1.txt   rfc9794.txt 
skipping to change at line 112

that could make the terms quantum-resistant or quantum-safe
misleading. Similarly, some prefer to refer specifically to Shor's
Algorithm or to the mathematical problem that is being used to
prevent attacks. Post-Quantum Cryptography (PQC) is commonly used
amongst the cryptography community, and so it will be used throughout
this document. Similarly, the term "traditional algorithm" will be
used throughout the document as, at the time of publication, it is
widely used in the community, though other terms, including
classical, pre-quantum, or quantum-vulnerable, are preferred by some.

To mitigate risks, there may be a requirement for protocols that use
both algorithm types, either during the transition from traditional
to post-quantum algorithms or as a general solution. When the risk
of deploying new algorithms is above the accepted threshold for their
use case, a designer may combine a post-quantum algorithm with a
traditional algorithm, with the goal of adding protection against an
attacker with a CRQC to the security properties provided by the
traditional algorithm. They may also implement a post-quantum
algorithm alongside a traditional algorithm for ease of migration
from an ecosystem where only traditional algorithms are implemented
and used, to one that only uses post-quantum algorithms. Examples of
solutions that could use both types of algorithm include, but are not
limited to, [RFC9370], [HYBRID-TLS], [COMPOSITE-KEM], and [RFC9763].

Schemes that combine post-quantum and traditional algorithms for key
establishment or digital signatures are often called "hybrids". For
example:
skipping to change at line 162

This document provides language for constructions that combine
traditional and post-quantum algorithms. Specific solutions for
enabling the use of multiple asymmetric algorithms in cryptographic
schemes may be more general than this, allowing the use of solely
traditional or solely post-quantum algorithms. However, where
relevant, we focus on post-quantum traditional combinations as these
are the motivation for the wider work in the IETF. This document is
intended as a reference terminology guide for other documents, in
order to add clarity and consistency across different protocols,
standards, and organisations. Additionally, this document aims to
reduce misunderstandings about the use of the word "hybrid" and to
define a shared language for different types of post-quantum and
traditional hybrid constructions.

In this document, a "cryptographic algorithm" is defined, as in
[NIST_SP_800-152], to be a "well-defined computational procedure that
takes variable inputs, often including a cryptographic key, and
produces an output". Examples include RSA, Elliptic Curve
Diffie-Hellman (ECDH), Module-Lattice-Based Key-Encapsulation
Mechanism (ML-KEM) (formerly known as Kyber), and Module-Lattice-Based
Digital Signature Algorithm (ML-DSA) (formerly known as Dilithium).
The expression "cryptographic scheme" is used to refer to a
construction

skipping to change at line 189

Encapsulation, and Decapsulation. A cryptographic protocol
incorporates one or more cryptographic schemes. For example, TLS
[RFC8446] is a cryptographic protocol that includes schemes for key
agreement, record layer encryption, and server authentication.
2. Primitives

This section introduces terminology related to cryptographic
algorithms and to hybrid constructions for cryptographic schemes.

Traditional asymmetric cryptographic algorithm:
   An asymmetric cryptographic algorithm based on integer
   factorisation, finite field discrete logarithms, elliptic curve
   discrete logarithms, or related mathematical problems.

   A related mathematical problem is one that can be solved by solving
   the integer factorisation, finite field discrete logarithm, or
   elliptic curve discrete logarithm problem.

   Where there is little risk of confusion, traditional asymmetric
   cryptographic algorithms can also be referred to as "traditional
   algorithms" for brevity. Traditional algorithms can also be called
   "classical" or "conventional" algorithms.

Post-quantum asymmetric cryptographic algorithm:
   An asymmetric cryptographic algorithm that is intended to be secure
   against attacks using quantum computers as well as classical
   computers.

   Where there is little risk of confusion, post-quantum asymmetric
   cryptographic algorithms can also be referred to as "post-quantum
   algorithms" for brevity. Post-quantum algorithms can also be called
   "quantum-resistant" or "quantum-safe" algorithms.

   As with all cryptography, it always remains the case that attacks,
   either quantum or classical, may be found against post-quantum
   algorithms. Therefore, it should not be assumed that an algorithm
   will not be compromised just because it is designed to provide
   post-quantum cryptography. Should an attack be found against a
   post-quantum algorithm, it is commonly still referred to as a
   "post-quantum algorithm", as they were designed to protect against
   an adversary with access to a CRQC, and the labels are referring to
   the designed or desired properties.

There may be asymmetric cryptographic constructions that are neither
post-quantum nor asymmetric traditional algorithms according to the
definitions above. These are out of scope of this document.

Component asymmetric algorithm:
   Each cryptographic algorithm that forms part of a cryptographic
   scheme.

   An asymmetric component algorithm operates on the input of the
   cryptographic operation and produces a cryptographic output that
   can be used by itself or jointly to complete the operation. Where
   there is little risk of confusion, component asymmetric algorithms
   can also be referred to as "component algorithms" for brevity, as
   is done in the following definitions.

Single-algorithm scheme:
   A cryptographic scheme with one component algorithm.

   A single-algorithm scheme could use either a traditional algorithm
   or a post-quantum algorithm.

Multi-algorithm scheme:
   A cryptographic scheme that incorporates more than one component
   algorithm, where the component algorithms have the same
   cryptographic purpose as each other and as the multi-algorithm
   scheme.

   For example, a multi-algorithm signature scheme may include
   multiple signature algorithms, or a multi-algorithm Public Key
   Encryption (PKE) scheme may include multiple PKE algorithms.
   Component algorithms could be all traditional, all post-quantum,
   or a mixture of the two.

Post-Quantum Traditional (PQ/T) hybrid scheme:
   A multi-algorithm scheme where at least one component algorithm is
   a post-quantum algorithm and at least one is a traditional
   algorithm.

   Components of a PQ/T hybrid scheme operate on the same input
   message and their output is used together to complete the
   cryptographic operation either serially or in parallel. PQ/T
   hybrid scheme design is aimed at requiring successful breaking of
   all component algorithms to break the PQ/T hybrid scheme's
   security properties.

PQ/T hybrid Key Encapsulation Mechanism (KEM):
   A multi-algorithm KEM made up of two or more component algorithms
   where at least one is a post-quantum algorithm and at least one is
   a traditional algorithm. The component algorithms could be KEMs or
   other key establishment algorithms.

PQ/T hybrid Public Key Encryption (PKE):
   A multi-algorithm PKE scheme made up of two or more component
   algorithms where at least one is a post-quantum algorithm and at
   least one is a traditional algorithm. The component algorithms
   could be PKE algorithms or other key establishment algorithms.

   The standard security property for a PKE scheme is
   indistinguishability under chosen-plaintext attack (IND-CPA)
   [BDPR]. IND-CPA security is not sufficient for secure
   communication in the presence of an active attacker. Therefore, in
   general, PKE schemes are not appropriate for use on the Internet,
   and KEMs, which provide indistinguishability under
   chosen-ciphertext attack (IND-CCA) [BDPR], are required.

PQ/T hybrid digital signature:
   A multi-algorithm digital signature scheme made up of two or more
   component digital signature algorithms where at least one is a
   post-quantum algorithm and at least one is a traditional
   algorithm.

   Note that there are many possible ways of constructing a PQ/T
   hybrid digital signature. Examples include parallel signatures,
   composite signatures, or nested signatures.

PQ/T hybrid KEMs, PQ/T hybrid PKE, and PQ/T hybrid digital signatures
are all examples of PQ/T hybrid schemes.

Post-Quantum Traditional (PQ/T) hybrid composite scheme:
   A multi-algorithm scheme where at least one component algorithm is
   a post-quantum algorithm and at least one is a traditional
   algorithm, and where the resulting composite scheme is exposed as
   a singular interface of the same type as the component algorithms.

   A PQ/T hybrid composite can be referred to as a "PQ/T composite".
   An example of a PQ/T hybrid composite is a single KEM algorithm
   comprised of a PQ KEM component and a traditional KEM component,
   for which the result presents as a KEM output.

PQ/T hybrid combiner:
   A method that takes two or more component algorithms and combines
   them to form a PQ/T hybrid scheme.

PQ/PQ hybrid scheme:
   A multi-algorithm scheme where all components are post-quantum
   algorithms.

   The definitions for types of PQ/T hybrid schemes can be adapted to
   define types of PQ/PQ hybrid schemes, which are multi-algorithm
   schemes where all component algorithms are post-quantum
   algorithms. These are designed to mitigate risks when the two
   post-quantum algorithms are based on different mathematical
   problems. Some prefer to refer to these as PQ/PQ multi-algorithm
   schemes, and reserve the term "hybrid" for PQ/T hybrids.

In cases where there is little chance of confusion between other
types of hybrid cryptography (e.g., as defined in [RFC4949]) and
where the component algorithms of a multi-algorithm scheme could be
either post-quantum or traditional, it may be appropriate to use the
phrase "hybrid scheme" without PQ/T or PQ/PQ preceding it.

Component scheme:
   Each cryptographic scheme that makes up a PQ/T hybrid scheme or
   PQ/T hybrid protocol.
3. Cryptographic Elements

This section introduces terminology related to cryptographic elements
and their inclusion in hybrid schemes.

Cryptographic element:
   Any data type (private or public) that contains an input or output
   value for a cryptographic algorithm or for a function making up a
   cryptographic algorithm.

   Types of cryptographic elements include public keys, private keys,
   plaintexts, ciphertexts, shared secrets, and signature values.

Component cryptographic element:
   A cryptographic element of a component algorithm in a
   multi-algorithm scheme.

   For example, in [HYBRID-TLS], the client's keyshare contains two
   component public keys: one for a post-quantum algorithm and one
   for a traditional algorithm.

Composite cryptographic element:
   A cryptographic element that incorporates multiple component
   cryptographic elements of the same type for use in a
   multi-algorithm scheme, such that the resulting composite
   cryptographic element is exposed as a singular interface of the
   same type as the component cryptographic elements.

   For example, a composite cryptographic public key is made up of
   two component public keys.

PQ/T hybrid composite cryptographic element:
   A cryptographic element that incorporates multiple component
   cryptographic elements of the same type for use in a
   multi-algorithm scheme, such that the resulting composite
   cryptographic element is exposed as a singular interface of the
   same type as the component cryptographic elements, where at least
   one component cryptographic element is post-quantum and at least
   one is traditional.

Cryptographic element combiner:
   A method that takes two or more component cryptographic elements
   of the same type and combines them to form a composite
   cryptographic element.

   A cryptographic element combiner could be concatenation, such as
   where two component public keys are concatenated to form a
   composite public key as in [HYBRID-TLS], or something more
   involved such as the dualPRF defined in [BINDEL].
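The following is an added worked example and is not text or code from RFC 9794 or from any of the documents it cites. It ties together the Section 2 definitions of a PQ/T hybrid composite scheme and PQ/T hybrid combiner with the Section 3 definitions of composite cryptographic elements and cryptographic element combiners: a composite KEM that exposes the single KeyGen/Encaps/Decaps interface of an ordinary KEM, whose composite public key and ciphertext are the concatenation of the component elements, and whose shared secret is produced by a KDF-based combiner over both component shared secrets. Everything about the component KEMs is an assumption made so the code runs offline with the standard library: they are a toy Diffie-Hellman KEM over a small prime (insecure, demonstration only) standing in for a real post-quantum KEM such as ML-KEM and a real traditional ECDH-based KEM. The combiner is an HKDF-style illustration, not the dualPRF of [BINDEL], and the labels, lengths and sample values are constructed.

```python
import hashlib
import hmac
import secrets

# Toy group: a Mersenne prime, far too small for real use; demo only.
TOY_P = 2**127 - 1


class ToyDhKem:
    """Stand-in component KEM (insecure toy): Diffie-Hellman over TOY_P.
    A real deployment would use ML-KEM in the PQ slot and an ECDH-based
    KEM in the traditional slot; only the interface matters here."""

    def __init__(self, p, g, label):
        self.p, self.g, self.label = p, g, label
        self.pk_len = self.ct_len = (p.bit_length() + 7) // 8

    def _ss(self, shared):
        # Hash the DH value into a fixed-size component shared secret.
        return hashlib.sha256(self.label + shared.to_bytes(self.pk_len, "big")).digest()

    def keygen(self):
        sk = secrets.randbelow(self.p - 2) + 1
        return sk, pow(self.g, sk, self.p).to_bytes(self.pk_len, "big")

    def encaps(self, pk):
        r = secrets.randbelow(self.p - 2) + 1
        ct = pow(self.g, r, self.p).to_bytes(self.ct_len, "big")
        return ct, self._ss(pow(int.from_bytes(pk, "big"), r, self.p))

    def decaps(self, sk, ct):
        return self._ss(pow(int.from_bytes(ct, "big"), sk, self.p))


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine(ss_pq, ss_trad, ct_pq, ct_trad, pk_pq, pk_trad):
    """KDF combiner for the two component shared secrets (an illustration,
    not the dualPRF of [BINDEL]). The output depends on both secrets, so
    learning the hybrid key requires breaking both components; binding the
    component ciphertexts and public keys into the info means a substituted
    component ciphertext cannot reproduce the same key."""
    prk = hkdf_extract(b"PQ/T-hybrid-example", ss_pq + ss_trad)
    return hkdf_expand(prk, ct_pq + ct_trad + pk_pq + pk_trad, 32)


def split_composite(blob, len_a, len_b):
    """Inverse of the concatenation element combiner, with a strict length check."""
    if len(blob) != len_a + len_b:
        raise ValueError("composite element has wrong length")
    return blob[:len_a], blob[len_a:]


class CompositeKem:
    """PQ/T hybrid composite KEM: one KEM interface over two component KEMs."""

    def __init__(self, pq, trad):
        self.pq, self.trad = pq, trad

    def keygen(self):
        sk_pq, pk_pq = self.pq.keygen()
        sk_t, pk_t = self.trad.keygen()
        pk = pk_pq + pk_t  # composite public key: concatenation of component keys
        return (sk_pq, sk_t, pk), pk

    def encaps(self, pk):
        pk_pq, pk_t = split_composite(pk, self.pq.pk_len, self.trad.pk_len)
        ct_pq, ss_pq = self.pq.encaps(pk_pq)
        ct_t, ss_t = self.trad.encaps(pk_t)
        return ct_pq + ct_t, combine(ss_pq, ss_t, ct_pq, ct_t, pk_pq, pk_t)

    def decaps(self, sk, ct):
        sk_pq, sk_t, pk = sk
        pk_pq, pk_t = split_composite(pk, self.pq.pk_len, self.trad.pk_len)
        ct_pq, ct_t = split_composite(ct, self.pq.ct_len, self.trad.ct_len)
        return combine(self.pq.decaps(sk_pq, ct_pq), self.trad.decaps(sk_t, ct_t),
                       ct_pq, ct_t, pk_pq, pk_t)


def demo():
    """One encapsulation plus two checks; returns results for assertions."""
    pq = ToyDhKem(TOY_P, 5, b"pq-stand-in")
    trad = ToyDhKem(TOY_P, 3, b"trad-stand-in")
    kem = CompositeKem(pq, trad)
    sk, pk = kem.keygen()
    ct, ss_sender = kem.encaps(pk)
    ss_receiver = kem.decaps(sk, ct)
    # Replace the traditional component ciphertext with a fresh one: the
    # receiver derives a different key because the combiner binds both parts.
    ct_other, _ = kem.encaps(pk)
    tampered = ct[:pq.ct_len] + ct_other[pq.ct_len:]
    try:
        kem.encaps(pk + b"\x00")  # trailing byte: composite element is malformed
        rejected = False
    except ValueError:
        rejected = True
    return {
        "match": ss_sender == ss_receiver,
        "tampered_differs": kem.decaps(sk, tampered) != ss_receiver,
        "wrong_length_rejected": rejected,
        "pk_len": len(pk),
        "ct_len": len(ct),
    }
```

Two design points are worth noting. First, the composite scheme presents as one KEM: a protocol library sees a single public key, a single ciphertext and a single shared secret, which is exactly why the RFC can say the protocol fields and message flow of a composite construction are the same as for a single-algorithm scheme. Second, the length check in `split_composite` is where a concatenation element combiner is most often implemented carelessly; a receiver that accepts a composite element of the wrong length cannot tell which component each byte belongs to.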
4. Protocols

This section introduces terminology related to the use of
post-quantum and traditional algorithms together in protocols.

PQ/T hybrid protocol:
   A protocol that uses two or more component algorithms providing
   the same cryptographic functionality, where at least one is a
   post-quantum algorithm and at least one is a traditional
   algorithm.

   For example, a PQ/T hybrid protocol providing confidentiality
   could use a PQ/T hybrid KEM such as in [HYBRID-TLS], or it could
   combine the output of a post-quantum KEM and a traditional KEM at
   the protocol level to generate a single shared secret, such as in
   [RFC9370]. Similarly, a PQ/T hybrid protocol providing
   authentication could use a PQ/T hybrid digital signature scheme,
   or it could include both post-quantum and traditional
   single-algorithm digital signature schemes.

   A protocol that can negotiate the use of either a traditional
   algorithm or a post-quantum algorithm, but not the use of both
   types of algorithm, is not a PQ/T hybrid protocol. Protocols that
   use two or more component algorithms but with different
   cryptographic functionalities, for example, a post-quantum KEM and
   a Pre-Shared Key (PSK), are also not PQ/T hybrid protocols.

PQ/T hybrid protocol with composite key establishment:
   A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite
   scheme to achieve key establishment, in such a way that the
   protocol fields and message flow are the same as those in a
   version of the protocol that uses a single-algorithm scheme.

   For example, a PQ/T hybrid protocol with composite key
   establishment could include a single PQ/T hybrid KEM, such as in
   [HYBRID-TLS].

PQ/T hybrid protocol with composite data authentication:
   A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite
   scheme to achieve data authentication, in such a way that the
   protocol fields and message flow are the same as those in a
   version of the protocol that uses a single-algorithm scheme.

   For example, a PQ/T hybrid protocol with composite data
   authentication could include data authentication through the use
   of a PQ/T composite hybrid digital signature, exposed as a single
   interface for PQ signature and traditional signature components.

PQ/T hybrid protocol with composite entity authentication:
   A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite
   scheme to achieve entity authentication, in such a way that the
   protocol fields and message flow are the same as those in a
   version of the protocol that uses a single-algorithm scheme.

   For example, a PQ/T hybrid protocol with composite entity
   authentication could include entity authentication through the use
   of PQ/T Composite Hybrid certificates.

In a PQ/T hybrid protocol with a composite construction, changes are
primarily made to the formats of the cryptographic elements, while
the protocol fields and message flow remain largely unchanged. In
implementations, most changes are likely to be made to the
cryptographic libraries, with minimal changes to the protocol
libraries.

PQ/T hybrid protocol with non-composite key establishment:
   A PQ/T hybrid protocol that incorporates multiple single-algorithm
   schemes to achieve key establishment, where at least one uses a
   post-quantum algorithm and at least one uses a traditional
   algorithm, in such a way that the formats of the component
   cryptographic elements are the same as when they are used as a
   part of a single-algorithm scheme.

   For example, a PQ/T hybrid protocol with non-composite key
   establishment could include a traditional key exchange scheme and
   a post-quantum KEM. A construction like this for the Internet Key
   Exchange Protocol Version 2 (IKEv2) is enabled by [RFC9370].

PQ/T hybrid protocol with non-composite authentication:
   A PQ/T hybrid protocol that incorporates multiple single-algorithm
   schemes to achieve authentication, where at least one uses a
   post-quantum algorithm and at least one uses a traditional
   algorithm, in such a way that the formats of the component
   cryptographic elements are the same as when they are used as part
   of a single-algorithm scheme.

   For example, a PQ/T hybrid protocol with non-composite
   authentication could use a PQ/T parallel PKI with one traditional
   certificate chain and one post-quantum certificate chain.
skipping to change at line 497

   composite key agreement and non-composite authentication. Similarly,
   it is possible for a PQ/T hybrid protocol to achieve certain
   cryptographic outcomes in a non-hybrid manner. For example,
   [HYBRID-TLS] describes a PQ/T hybrid protocol with composite key
   agreement, but with single-algorithm authentication.

   PQ/T hybrid protocols need not specify non-composite aspects, but can
   choose to do so for clarity, in particular, if including both
   composite and non-composite aspects.
PQ/T hybrid composite protocol:
   A PQ/T hybrid protocol that only uses composite constructions can
   be referred to as a "PQ/T hybrid composite protocol".

   An example of this is a protocol that only provides entity
   authentication, and achieves this using PQ/T hybrid composite
   entity authentication. Similarly, another example is a protocol
   that offers both key establishment and data authentication, and
   achieves this using both PQ/T hybrid composite key establishment
   and PQ/T hybrid composite data authentication.

PQ/T hybrid non-composite protocol:
   A PQ/T hybrid protocol that does not use only composite
   constructions can be referred to as a "PQ/T hybrid non-composite
   protocol".

   For example, a PQ/T hybrid protocol that offers both
   confidentiality and authentication and uses composite key
   agreement and non-composite authentication would be referred to as
   a "PQ/T hybrid non-composite protocol".
5. Properties

skipping to change at line 535

   properties.

   It is not possible for one PQ/T hybrid scheme or PQ/T hybrid protocol
   to achieve all of the properties in this section. To understand what
   properties are required, a designer or implementer will think about
   why they are using a PQ/T hybrid scheme. For example, a scheme that
   is designed for implementation security will likely require PQ/T
   hybrid confidentiality or PQ/T hybrid authentication, while a scheme
   for interoperability will require PQ/T hybrid interoperability.
PQ/T hybrid confidentiality:
   The property that confidentiality is achieved by a PQ/T hybrid
   scheme or a PQ/T hybrid protocol as long as at least one component
   algorithm that aims to provide this property remains secure.

PQ/T hybrid authentication:
   The property that authentication is achieved by a PQ/T hybrid
   scheme or a PQ/T hybrid protocol as long as at least one component
   algorithm that aims to provide this property remains secure.
   The security properties of a PQ/T hybrid scheme or protocol depend on
   the security of its component algorithms, the choice of PQ/T hybrid
   combiner, and the capability of an attacker. Changes to the security
   of a component algorithm can impact the security properties of a PQ/T
   hybrid scheme providing hybrid confidentiality or hybrid
   authentication. For example, if the post-quantum component algorithm

skipping to change at line 563

   to an attacker with a CRQC.
   PQ/T hybrid protocols that offer both confidentiality and
   authentication do not necessarily offer both hybrid confidentiality
   and hybrid authentication. For example, [HYBRID-TLS] provides hybrid
   confidentiality but does not address hybrid authentication.
   Therefore, if the design in [HYBRID-TLS] is used with single-
   algorithm X.509 certificates as defined in [RFC5280], only
   authentication with a single algorithm is achieved.
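   The following is an added worked example in Python; it is not code
   from RFC 9794, [HYBRID-TLS] or [RFC9370]. It illustrates two points
   made above: how the component elements of a PQ/T hybrid key
   establishment can be carried either non-composite (each key share in
   its own protocol field, in its single-algorithm format) or composite
   (both packed into one field), and how a KDF combiner derives a single
   session key from both component shared secrets so that the key stays
   unpredictable while either component algorithm remains secure. The
   shared secrets and key shares are constructed byte strings sized like
   X25519 and ML-KEM-768 values, the field names KE and ADDKE1 only
   mirror the shape of IKEv2's additional key exchanges, and the HKDF
   combiner is modelled on the concatenation approach of [HYBRID-TLS];
   none of these is a normative construction.

```python
# Added example, not code from RFC 9794 or any document it cites.
# Component secrets and key shares below are CONSTRUCTED stand-ins
# (sized like X25519: 32-byte share/secret, and ML-KEM-768: 1088-byte
# ciphertext, 32-byte secret). The combiner is an HKDF (RFC 5869)
# construction modelled on the [HYBRID-TLS] concatenation approach;
# it is illustrative, not a normative combiner.
import hashlib
import hmac
import struct

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def combine(ss_trad: bytes, ss_pq: bytes, ct_trad: bytes, ct_pq: bytes,
            label: bytes = b"pq/t hybrid example") -> bytes:
    """Derive one 32-byte session key from both component shared secrets.

    Both secrets form the IKM, so an attacker who recovers ss_trad with a
    CRQC (or ss_pq through a break of the new algorithm) still lacks the
    other input. The public elements are hashed into the salt so the key
    also commits to the key shares that were actually exchanged.
    """
    salt = HASH(ct_trad + ct_pq).digest()
    prk = hkdf_extract(salt, ss_trad + ss_pq)
    return hkdf_expand(prk, label, 32)


# Non-composite: every element keeps its single-algorithm encoding and
# travels in its own protocol field, as RFC 9370's additional key
# exchanges do for IKEv2. The field names are illustrative only.
def non_composite_fields(share_trad: bytes, share_pq: bytes) -> dict:
    return {"KE": share_trad, "ADDKE1": share_pq}


# Composite: both elements packed into one field with explicit 16-bit
# lengths so the receiver can split them without knowing the sizes.
def encode_composite(share_trad: bytes, share_pq: bytes) -> bytes:
    return (struct.pack("!H", len(share_trad)) + share_trad
            + struct.pack("!H", len(share_pq)) + share_pq)


def decode_composite(blob: bytes) -> tuple:
    (n1,) = struct.unpack_from("!H", blob, 0)
    if len(blob) < 4 + n1:
        raise ValueError("malformed composite key share")
    share_trad = blob[2:2 + n1]
    (n2,) = struct.unpack_from("!H", blob, 2 + n1)
    share_pq = blob[4 + n1:4 + n1 + n2]
    if len(share_pq) != n2 or len(blob) != 4 + n1 + n2:
        raise ValueError("malformed composite key share")
    return share_trad, share_pq


# Constructed stand-in values (deterministic so a run is repeatable).
SS_TRAD = HASH(b"constructed x25519 shared secret").digest()
SS_PQ = HASH(b"constructed ml-kem-768 shared secret").digest()
CT_TRAD = HASH(b"constructed x25519 key share").digest()            # 32 bytes
CT_PQ = hkdf_expand(HASH(b"constructed ml-kem ct").digest(), b"ct", 1088)


def demo() -> dict:
    """Return the derived key and what changes when one component changes."""
    key = combine(SS_TRAD, SS_PQ, CT_TRAD, CT_PQ)
    # An attacker who knows SS_TRAD but has to guess SS_PQ (or the other
    # way round) ends up with a different key.
    wrong_pq = combine(SS_TRAD, bytes(32), CT_TRAD, CT_PQ)
    wrong_trad = combine(bytes(32), SS_PQ, CT_TRAD, CT_PQ)
    composite = encode_composite(CT_TRAD, CT_PQ)
    return {
        "key": key,
        "pq_guess_matches": key == wrong_pq,
        "trad_guess_matches": key == wrong_trad,
        "composite_len": len(composite),
        "roundtrip_ok": decode_composite(composite) == (CT_TRAD, CT_PQ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

   Running the block prints the derived key and the checks made by
   demo(); the two "guess" results show that knowing one component
   secret without the other does not yield the session key, which is
   the hybrid confidentiality property in operational terms. The
   composite encoding round-trips and rejects trailing bytes.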
PQ/T hybrid interoperability:
   The property that a PQ/T hybrid scheme or a PQ/T hybrid protocol
   can be completed successfully provided that both parties share
   support for at least one component algorithm.

   For example, a PQ/T hybrid digital signature might achieve hybrid
   interoperability if the signature can be verified by either
   verifying the traditional or the post-quantum component, such as
   the approach defined in Section 7.2.2 of [ITU-T-X509-2019]. In
   this example, a verifier that has migrated to support post-quantum
   algorithms is required to verify only the post-quantum signature,
skipping to change at line 603

   protected using TLS's existing downgrade protection, so it achieves
   PQ/T hybrid confidentiality, but the connection can still be made if
   either the client or server does not support the PQ/T hybrid scheme,
   so PQ/T hybrid interoperability is achieved.

   The same is true for PQ/T hybrid interoperability and PQ/T hybrid
   authentication. It is not possible to achieve both with a PQ/T
   hybrid scheme alone, but it is possible with a PQ/T hybrid protocol
   that has appropriate downgrade protection.
PQ/T hybrid backwards compatibility:
   The property that a PQ/T hybrid scheme or a PQ/T hybrid protocol
   can be completed successfully provided that both parties support
   the traditional component algorithm, while also using both
   algorithms if both are supported by both parties.

PQ/T hybrid forwards compatibility:
   The property that a PQ/T hybrid scheme or a PQ/T hybrid protocol
   can be completed successfully using a post-quantum component
   algorithm provided that both parties support it, while also having
   the option to use both post-quantum and traditional algorithms if
   both are supported by both parties.

   Note that PQ/T hybrid forwards compatibility is a protocol or
   scheme property only.
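   The following is an added example in Python; it is not code from
   RFC 9794 or from [HYBRID-TLS]. It models the negotiation that sits
   behind the properties defined in this section (interoperability,
   backwards compatibility, forwards compatibility) and the point made
   above that a protocol can offer both PQ/T hybrid interoperability
   and PQ/T hybrid confidentiality only with downgrade protection. The
   group names, the per-group shared secrets and the transcript binding
   are assumptions: the secrets are constructed constants standing in
   for a real key exchange, and the binding imitates only the idea that
   the TLS 1.3 key schedule covers a hash of the ClientHello, so an
   offer altered in transit yields mismatched keys on the two sides.

```python
# Added example, not code from RFC 9794 or [HYBRID-TLS]. Group names are
# illustrative, not registered codepoints; SECRETS are CONSTRUCTED values
# standing in for what each group's key exchange would output; the
# transcript binding is a loose model of TLS 1.3's ClientHello coverage.
import hashlib
import hmac

HYBRID = "x25519+mlkem768"   # PQ/T hybrid group (illustrative name)
TRAD = "x25519"              # traditional-only group
PQ = "mlkem768"              # post-quantum-only group

SECRETS = {g: hashlib.sha256(b"constructed secret for " + g.encode()).digest()
           for g in (HYBRID, TRAD, PQ)}


def negotiate(offer, server_support):
    """Server picks the first group in the client's preference order that
    it supports; None means the handshake cannot complete."""
    for group in offer:
        if group in server_support:
            return group
    return None


def transcript(offer, chosen) -> bytes:
    """What one side believes was offered and chosen."""
    return b"offer=" + ",".join(offer).encode() + b";chosen=" + chosen.encode()


def session_key(shared_secret: bytes, transcript_bytes: bytes) -> bytes:
    """Key derivation that binds the shared secret to the transcript."""
    return hmac.new(shared_secret, transcript_bytes, hashlib.sha256).digest()


def handshake(offer, server_support, tamper=None, bind_transcript=True):
    """Run one negotiation. `tamper` rewrites the offer on the wire (an
    active attacker trying to strip the hybrid option). Returns the chosen
    group and whether both sides end up with the same session key."""
    wire_offer = tamper(list(offer)) if tamper else list(offer)
    chosen = negotiate(wire_offer, server_support)
    if chosen is None:
        return None, False
    ss = SECRETS[chosen]
    if not bind_transcript:
        return chosen, True   # key depends on ss only: the downgrade goes unnoticed
    k_client = session_key(ss, transcript(offer, chosen))       # what it sent
    k_server = session_key(ss, transcript(wire_offer, chosen))  # what it saw
    return chosen, hmac.compare_digest(k_client, k_server)


def strip_hybrid(offer):
    """Attacker's rewrite: remove the hybrid group from the offer."""
    return [g for g in offer if g != HYBRID]


def properties() -> dict:
    """One scenario per deployment property discussed in the text."""
    return {
        # both peers support the hybrid: both algorithms get used
        "hybrid_used": handshake([HYBRID, TRAD], {HYBRID, TRAD}),
        # backwards compatibility: legacy server, traditional fallback
        "backwards": handshake([HYBRID, TRAD], {TRAD}),
        # forwards compatibility: peer that has dropped the traditional algorithm
        "forwards": handshake([HYBRID, PQ], {PQ}),
        # offering only the hybrid: confidentiality without interoperability
        "scheme_alone": handshake([HYBRID], {TRAD}),
        # active downgrade against a bound transcript: keys differ, detected
        "downgrade_bound": handshake([HYBRID, TRAD], {HYBRID, TRAD}, strip_hybrid),
        # same attack without binding: silently lands on the traditional group
        "downgrade_unbound": handshake([HYBRID, TRAD], {HYBRID, TRAD},
                                       strip_hybrid, bind_transcript=False),
    }


if __name__ == "__main__":
    for name, outcome in properties().items():
        print(f"{name:18} chosen={outcome[0]} keys_match={outcome[1]}")
```

   properties() runs six scenarios: the hybrid group when both peers
   support it, traditional fallback (backwards compatibility),
   post-quantum-only fallback (forwards compatibility), failure when the
   hybrid is the only group offered to a traditional-only peer, and an
   active attacker stripping the hybrid from the offer, which is
   detected only when the transcript is bound into the session key.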
6. Certificates

   This section introduces terminology related to the use of
   certificates in hybrid schemes.

PQ/T hybrid certificate:
   A digital certificate that contains public keys for two or more
   component algorithms where at least one is a traditional algorithm
   and at least one is a post-quantum algorithm.

   A PQ/T hybrid certificate could be used to facilitate a PQ/T
   hybrid authentication protocol. However, a PQ/T hybrid
   authentication protocol does not need to use a PQ/T hybrid
   certificate; separate certificates could be used for individual
   component algorithms.
skipping to change at line 648

   The use of a PQ/T hybrid certificate does not necessarily achieve
   hybrid authentication of the identity of the sender; this is
   determined by properties of the chain of trust. For example, an
   end-entity certificate that contains a composite public key, but
   which is signed using a single-algorithm digital signature scheme,
   could be used to provide hybrid authentication of the source of a
   message, but would not achieve hybrid authentication of the
   identity of the sender.
Post-quantum certificate:
   A digital certificate that contains a single public key for a
   post-quantum digital signature algorithm.

Traditional certificate:
   A digital certificate that contains a single public key for a
   traditional digital signature algorithm.

   X.509 certificates as defined in [RFC5280] could be either
   traditional or post-quantum certificates depending on the algorithm
   in the Subject Public Key Info. For example, a certificate
   containing an ML-DSA public key, as defined in [ML-DSA], would be a
   post-quantum certificate.
Post-quantum certificate chain:
   A certificate chain where all certificates include a public key
   for a post-quantum algorithm and are signed using a post-quantum
   digital signature scheme.

Traditional certificate chain:
   A certificate chain where all certificates include a public key
   for a traditional algorithm and are signed using a traditional
   digital signature scheme.

PQ/T hybrid certificate chain:
   A certificate chain where all certificates are PQ/T hybrid
   certificates and each certificate is signed with two or more
   component algorithms with at least one being a traditional
   algorithm and at least one being a post-quantum algorithm.

   A PQ/T hybrid certificate chain is one way of achieving hybrid
   authentication of the identity of a sender in a protocol, but it is
   not the only way. An alternative is to use a PQ/T parallel PKI as
   defined below.
PQ/T mixed certificate chain:
   A certificate chain containing at least two of the three
   certificate types defined in this document (PQ/T hybrid
   certificates, post-quantum certificates, and traditional
   certificates).

   For example, a traditional end-entity certificate could be signed
   by a post-quantum intermediate certificate, which in turn could be
   signed by a post-quantum root certificate. This may be desirable
   due to the lifetimes of the certificates, the relative difficulty
   of rotating keys, or for efficiency reasons. The security
   properties of a certificate chain that mixes post-quantum and
   traditional algorithms would need to be analysed on a case-by-case
   basis.
PQ/T parallel PKI:
   Two certificate chains, one that is a post-quantum certificate
   chain and one that is a traditional certificate chain, and that
   are used together in a protocol.

   A PQ/T parallel PKI might be used to achieve hybrid authentication
   or hybrid interoperability depending on the protocol
   implementation.

Multi-certificate authentication:
   Authentication that uses two or more end-entity certificates.

   For example, multi-certificate authentication may be achieved
   using a PQ/T parallel PKI.
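   The following is an added example in Python; it is not code from
   RFC 9794. It applies the certificate and chain terms of this section
   to constructed chains and reports which term fits, whether a chain
   gives hybrid authentication of the sender's identity (every signature
   on the path below the trust anchor uses both a post-quantum and a
   traditional component) as opposed to hybrid authentication of a
   message's source only (the end-entity key alone is hybrid), and
   whether two chains form a PQ/T parallel PKI. Algorithm names are
   labels a verifier might attach to the Subject Public Key Info or
   signature algorithm (ML-DSA parameter set names as in [ML-DSA], the
   traditional names conventional); the chains are built by hand rather
   than parsed from X.509 data; and the root's self-signature is left
   out when judging identity authentication, on the assumption that the
   root is a trust anchor rather than a verified link.

```python
# Added example, not code from RFC 9794. Algorithm names are assumed
# labels, the chains are CONSTRUCTED, and ignoring the root's
# self-signature for identity authentication is this example's choice.
from dataclasses import dataclass

PQ_ALGS = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87"}
TRAD_ALGS = {"ECDSA-P256", "Ed25519", "RSA-PSS"}


@dataclass(frozen=True)
class Cert:
    subject: str
    key_algs: tuple   # algorithm(s) of the public key(s) the cert carries
    sig_algs: tuple   # component algorithm(s) of the signature on the cert


def kind(algs) -> str:
    """post-quantum, traditional, or hybrid (at least one of each)."""
    unknown = set(algs) - PQ_ALGS - TRAD_ALGS
    if unknown or not algs:
        raise ValueError(f"unknown or missing algorithms: {sorted(unknown)}")
    pq = any(a in PQ_ALGS for a in algs)
    trad = any(a in TRAD_ALGS for a in algs)
    return "hybrid" if pq and trad else ("post-quantum" if pq else "traditional")


def cert_type(c: Cert) -> str:
    k = kind(c.key_algs)
    if k == "hybrid":
        return "PQ/T hybrid certificate"
    if len(c.key_algs) != 1:
        raise ValueError("several keys of one type: not a term defined here")
    return f"{k} certificate"


def chain_type(chain) -> str:
    """chain[0] is the end-entity certificate, chain[-1] the root."""
    types = {cert_type(c) for c in chain}
    sigs = {kind(c.sig_algs) for c in chain}
    if types == {"post-quantum certificate"} and sigs == {"post-quantum"}:
        return "post-quantum certificate chain"
    if types == {"traditional certificate"} and sigs == {"traditional"}:
        return "traditional certificate chain"
    if types == {"PQ/T hybrid certificate"} and sigs == {"hybrid"}:
        return "PQ/T hybrid certificate chain"
    if len(types) >= 2:
        return "PQ/T mixed certificate chain"
    # all certificates of one type, but a signature that does not match it
    return "single certificate type with a non-matching signature (no term)"


def hybrid_identity_authentication(chain) -> bool:
    """Every signature below the trust anchor uses both component types."""
    return all(kind(c.sig_algs) == "hybrid" for c in chain[:-1])


def hybrid_source_authentication(chain) -> bool:
    """The end-entity key alone can produce a hybrid signature on a message."""
    return kind(chain[0].key_algs) == "hybrid"


def is_parallel_pki(chain_a, chain_b) -> bool:
    """One post-quantum chain and one traditional chain used together."""
    return {chain_type(chain_a), chain_type(chain_b)} == {
        "post-quantum certificate chain", "traditional certificate chain"}


# Constructed chains, end-entity first.
MIXED_CHAIN = (   # the Section 6 example: traditional EE under a PQ CA
    Cert("ee.example", ("ECDSA-P256",), ("ML-DSA-65",)),
    Cert("Intermediate CA", ("ML-DSA-65",), ("ML-DSA-65",)),
    Cert("Root CA", ("ML-DSA-65",), ("ML-DSA-65",)),
)
HYBRID_CHAIN = tuple(
    Cert(s, ("ML-DSA-65", "ECDSA-P256"), ("ML-DSA-65", "ECDSA-P256"))
    for s in ("ee.example", "Intermediate CA", "Root CA"))
HYBRID_EE_ONLY = (   # composite EE key under a single-algorithm issuer
    Cert("ee.example", ("ML-DSA-65", "ECDSA-P256"), ("ECDSA-P256",)),
    Cert("Intermediate CA", ("ECDSA-P256",), ("ECDSA-P256",)),
    Cert("Root CA", ("ECDSA-P256",), ("ECDSA-P256",)),
)


def report(chain) -> dict:
    return {
        "chain_type": chain_type(chain),
        "hybrid_identity_authentication": hybrid_identity_authentication(chain),
        "hybrid_source_authentication": hybrid_source_authentication(chain),
    }


if __name__ == "__main__":
    for name, chain in (("mixed", MIXED_CHAIN), ("hybrid", HYBRID_CHAIN),
                        ("hybrid EE only", HYBRID_EE_ONLY)):
        print(name, report(chain))
```

   The third chain is the case the text singles out: a composite
   end-entity key gives hybrid authentication of a message's source,
   but the single-algorithm signatures above it mean the sender's
   identity is authenticated with one algorithm only. The tails of the
   first and third chains (intermediate and root) are a post-quantum
   chain and a traditional chain, so together they form a PQ/T parallel
   PKI.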
7. Security Considerations

   This document defines security-relevant terminology to be used in
   documents specifying PQ/T hybrid protocols and schemes. However, the
   document itself does not have a security impact on Internet

skipping to change at line 730

   specification documents. More general guidance about the security
   considerations, timelines, and benefits and drawbacks of the use of
   PQ/T hybrids is also out of scope of this document.
8. IANA Considerations

   This document has no IANA actions.

9. Informative References
   [BINDEL]   Bindel, N., Brendel, J., Fischlin, M., Goncalves, B., and
              D. Stebila, "Hybrid Key Encapsulation Mechanisms and
              Authenticated Key Exchange", Post-Quantum Cryptography,
              PQCrypto 2019, Lecture Notes in Computer Science, vol.
              11505, pp. 206-226, DOI 10.1007/978-3-030-25510-7_12, July
              2019, <https://doi.org/10.1007/978-3-030-25510-7_12>.

   [BINDELHALE]
              Bindel, N. and B. Hale, "A Note on Hybrid Signature
              Schemes", Cryptology ePrint Archive, Paper 2023/423, 23
End of changes. 48 change blocks. 66 lines changed or deleted, 72 lines changed or added.

This html diff was produced by rfcdiff 1.48.