]> UK National Cyber Security Centre

florence.d@ncsc.gov.uk

SEC TBD Internet-Draft One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to ensure consistency and clarity across different protocols, standards, and organisations. About This Document Status information for this document may be found at .

Introduction The mathematical problems of integer factorisation and discrete logarithms over finite fields or elliptic curves underpin most of the asymmetric algorithms used for key establishment and digital signatures on the internet. These problems, and hence the algorithms based on them, will be vulnerable to attacks using Shor's Algorithm on a sufficiently large general-purpose quantum computer, known as a Cryptographically Relevant Quantum Computer (CRQC). It is difficult to predict when, or if, such a device will exist. However, it is necessary to defend against this possibility. Data encrypted today with an algorithm vulnerable to a quantum computer could be stored for decryption by a future attacker with a CRQC. Signing algorithms that are expected to be in use for many years are also at risk if a CRQC is developed during the operational lifetime of the algorithm. Preparing for the potential development of a CRQC requires modifying standardised protocols to use asymmetric algorithms that are believed to be secure against quantum computers as well as today's classical computers. These algorithms are called post-quantum, while algorithms based on integer factorisation, finite-field discrete logarithms or elliptic-curve discrete logarithms are called traditional algorithms. During the transition from traditional to post-quantum algorithms there may be a desire or a requirement for protocols that use both types of algorithm. Most post-quantum algorithms are less well studied than traditional asymmetric algorithms, so a designer may choose to combine a post-quantum algorithm with a traditional algorithm to add protection against an attacker with a CRQC to the security properties provided by the traditional algorithm. A designer may also choose to implement a post-quantum algorithm alongside a traditional algorithm for ease of migration from an ecosystem where only traditional algorithms are implemented and used, to one which uses post-quantum algorithms. Work on solutions that could use both types of algorithm includes , , , . Schemes that combine post-quantum and traditional algorithms for key establishment or digital signatures are often called hybrids. For example, NIST define hybrid key establishment to be a "scheme that is a combination of two or more components that are themselves cryptographic key-establishment schemes" and ETSI define hybrid key exchanges to be "constructions that combine a traditional key exchange...with a post-quantum key exchange...into a single key exchange". The word hybrid is also used in cryptography to describe encryption schemes that combine asymmetric and symmetric algorithms , so using it in the post-quantum context overloads it and risks misunderstandings. However, this terminology is well-established amongst the post-quantum cryptography community so an attempt to move away from its use could lead to multiple definitions for the same concept, resulting in confusion and lack of clarity. This document provides language for constructions that combine traditional and post-quantum algorithms. Specific solutions for enabling use of multiple asymmetric algorithms in cryptographic schemes may in fact be more general than this, allowing the use of solely traditional, or solely post-quantum algorithms. However, where relevant, we focus on post-quantum traditional combinations as these are the motivation for the wider work in the IETF. It is intended as a terminology guide for other documents to add clarity and consistency across different protocols, standards, and organisations. Additionally, it aims to reduce misunderstanding about use of the word "hybrid" as well as defining a shared language for different types of post-quantum traditional hybrid constructions. In this document, a "cryptographic algorithm" is defined, as in , to be a "well-defined computational procedure that takes variable inputs, often including a cryptographic key, and produces an output". Examples include RSA, ECH, CRYSTALS-Kyber and CRYSTALS-Dilithium. The expression "cryptographic scheme" is used to mean a construction that uses an algorithm or a group of algorithms to achieve a particular cryptographic outcome, e.g. key agreement. A cryptographic scheme may be made up of a number of functions. For example, a Key Encapsulation Mechanism (KEM) is a cryptographic scheme consisting of three functions: Key Generation, Encapsulation and Decapsulation. A cryptographic protocol incorporates one or more cryptographic schemes. For example, TLS is a cryptographic protocol which includes schemes for key agreement, record layer encryption, and server authentication.

Primitives This section introduces terminology related to cryptographic algorithms, as well as to hybrid constructions for cryptographic schemes.

Traditional Algorithm:

An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms or elliptic curve discrete logarithms.

Post-Quantum Algorithm:

An asymmetric cryptographic algorithm that is believed to be secure against quantum computers as well as classical computers.

Component Algorithm:

Each cryptographic algorithm that forms part of a cryptographic scheme.

Single-Algorithm Scheme:

A cryptographic scheme with one component algorithm. A single-algorithm scheme could use either a traditional algorithm or a post-quantum algorithm.

Multi-Algorithm Scheme:

A cryptographic scheme with more than one component algorithm.

Post-Quantum Traditional (PQT) Hybrid Scheme:

A cryptographic scheme that uses two or more component algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm.

PQT Hybrid Key Encapsulation Mechanism:

A Key Encapsulation Mechanism (KEM) that uses two or more component algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm.

PQT Hybrid Public Key Encryption:

A Public Key Encryption (PKE) scheme that uses two or more component algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm.

PQT Hybrid Digital Signature:

A digital signature scheme that uses two or more component algorithms where at least one is a post-quantum algorithm and at least one is a traditional algorithm. PQT Hybrid KEMs, PQT Hybrid PKE, and PQT Hybrid Digital Signatures are all examples of PQT Hybrid schemes.

PQT Hybrid Combiner:

A method that takes two or more component algorithms and combines them to form a PQT Hybrid scheme.

Functionality This section describes properties that may be desired from or achieved by a PQT Hybrid scheme.

Hybrid Confidentiality:

The property that confidentiality is achieved provided that at least one component algorithm remains secure.

EDNOTE 1: In the PQT Hybrid case what does this property mean if the attacker has a quantum computer?

Hybrid Authentication:

The property that authentication is achieved provided that at least one component algorithm remains secure.

EDNOTE 2: This may benefit from expanding. Whether this is achieved or not depends on whether the verifier verifies all signatures, which they may not do in all cases, or may not be defined in the protocol. Either the definition of hybrid authentication could be expanded or more definitions could be added to this section. EDNOTE 3: It may be useful to distinguish between source authentication (i.e. authentication of the sender of a particular message) and identity authentication (i.e. authentication of the identity of the sender). EDNOTE 4: Other properties may be desired from a PQT Hybrid scheme e.g. backwards compatibility, crypt agility. Should these be defined here?

Cryptographic Elements This section introduces terminology related to cryptographic elements and their inclusion in hybrid schemes.

Cryptographic Element:

Any data (private or public) that is an input or output value for a cryptographic algorithm or a function making up a cryptographic algorithm. Types of cryptographic elements include public keys, private keys, plaintexts, ciphertexts, shared secrets, and signature values.

Component Cryptographic Element:

A cryptographic element of a component algorithm in a multi-algorithm scheme.

Composite Cryptographic Element:

A cryptographic element that incorporates multiple component cryptographic elements of the same type in a multi-algorithm scheme. For example, a composite cryptographic public key is made up of two component public keys.

Cryptographic Element Combiner:

A method that takes two or more component cryptographic elements of the same type and combines them to form a composite cryptographic element. A cryptographic element combiner could be concatenation, such as where two component public keys are concatenated to form a composite public key as in , or something more involved such as the dualPRF defined in .

Protocols This section introduces terminology related to the use of PQT Hybrid schemes in protocols.

PQT Hybrid Protocol:

A protocol that incorporates one or more PQT Hybrid schemes. A PQT Hybrid protocol that provides hybrid confidentiality may use a PQT Hybrid KEM, PQT Hybrid PKE, or a different combination of primitives. A PQT Hybrid protocol that provides hybrid authentication may use a PQT Hybrid Digital Signature or could alternatively use a PQT Hybrid KEM or PQT Hybrid PKE to prove possession of long-term component private keys. PQT Hybrid protocols that offer both confidentiality and authentication do not necessarily offer both hybrid confidentiality and hybrid authentication. For example, provides hybrid confidentiality but does not address hybrid authentication. Therefore, if the design in is used with X.509 certificates as defined in only authentication with a single algorithm is achieved.

Composite PQT Hybrid Protocol:

A protocol that incorporates one or more PQT Hybrid schemes in such a way that the protocol fields and message flow are the same as those in a version of the protocol that uses single-algorithm schemes. In a composite PQT Hybrid protocol, changes are primarily made to the formats of the cryptographic elements, while the protocol fields and message flow remain largely unchanged. In implementations most changes are likely to be made to the cryptographic libraries, with minimal changes to the protocol libraries.

Non-composite PQT Hybrid Protocol:

A protocol that incorporates one or more PQT Hybrid schemes in such a way that the formats of the component cryptographic elements are the same as when they are used as part of single-algorithm schemes. In a non-composite PQT Hybrid protocol, changes are primarily made to the protocol fields, the message flow, or both, while changes to cryptographic elements are minimised. In implementations, most changes are likely to be made to the protocol libraries, with minimal changes to the cryptographic libraries.

NOTE: It is possible for a PQT Hybrid protocol to be designed that is neither entirely composite nor entirely non-composite. For example, in a protocol that offers both confidentiality and authentication the key establishment could be done in a composite manner while the authentication is done in a non-composite manner.

Certificates This section introduces terminology related to the use of certificates in hybrid schemes.

PQT Hybrid Certificate:

A digital certificate that contains public keys for two or more component algorithms where at least one is a traditional algorithm, and at least one is a post-quantum algorithm. A PQT Hybrid certificate could be used to facilitate a PQT Hybrid authentication protocol. However, a PQT Hybrid authentication protocol does not need to use a PQT Hybrid certificate; separate certificates could be used for individual component algorithms. The component public keys in a PQT Hybrid certificate could be included as a composite public key or as individual component public keys. The use of a PQT Hybrid certificate does not necessarily achieve hybrid authentication of the identity of the sender; this is determined by properties of the chain of trust. For example, an end-entity certificate that contains a composite public key as defined in but which is signed using a single-algorithm digital signature scheme could be used to provide hybrid authentication of the source of a message, but would not achieve hybrid authentication of the identity of the sender.

EDNOTE 5: Is it helpful to define composite and non-composite certificates? TODO 1: Terminology for certificate chains and PKI. TODO 2: Terminology for algorithm specification.

Security Considerations This document defines security-relevant terminology to be used in documents specifying PQT Hybrids. However, the document itself does not have a security impact on internet protocols. The security considerations for each PQT Hybrid protocol are specific to that protocol and should be discussed in the relevant documents.

IANA Considerations This document has no IANA actions.

Informative References Post-Quantum Cryptography pp.206-226 ETSI TS 103 744 V1.1.1 National Institute of Standards and Technology (NIST) Information Technology Laboratory Information Technology Laboratory Information Technology Laboratory National Institute of Standards and Technology (NIST) National Security Agency National Security Agency National Security Agency The advent of cryptographically relevant quantum computers (CRQC) will threaten the public key cryptography that is currently in use in today's secure internet protocol infrastructure. To address this, organizations such as the National Institute of Standards and Technology (NIST) will standardize new post-quantum cryptography (PQC) that is resistant to attacks by both classical and quantum computers. After PQC algorithms are standardized, the widespread implementation of this cryptography will be contingent upon adapting current protocols to accommodate PQC. Hybrid solutions are one way to facilitate the transition between traditional and PQ algorithms: they use both a traditional and a PQ algorithm in order to perform encryption or authentication, with the guarantee that the given security property will still hold in the case that one algorithm fails. Hybrid solutions can be constructed in many ways, and the cryptographic community has already begun to explore this space. This document introduces non-composite hybrid authentication, which requires updates at the protocol level and limits impact to the certificate-issuing infrastructure. University of Waterloo Cisco Systems University of Haifa and Amazon Web Services Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Discussion of this work is encouraged to happen on the TLS IETF mailing list tls@ietf.org or on the GitHub repository which contains the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design. Post-Quantum Post-Quantum Quantum Secret Cisco Systems ISARA Corporation Philips ELVIS-PLUS This document describes how to extend the Internet Key Exchange Protocol Version 2 (IKEv2) to allow multiple key exchanges to take place while computing a shared secret during a Security Association (SA) setup. The primary application of this feature in IKEv2 is the ability to perform one or more post-quantum key exchanges in conjunction with the classical (Elliptic Curve) Diffie-Hellman key exchange, so that the resulting shared key is resistant against quantum computer attacks. Another possible application is the ability to combine several key exchanges in situations when no single key exchange algorithm is trusted by both initiator and responder. This document updates RFC7296 by renaming a transform type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method". It also renames an IANA registry for this transform type from "Transform Type 4 - Diffie- Hellman Group Transform IDs" to "Transform Type 4 - Key Exchange Method Transform IDs". These changes generalize key exchange algorithms that can be used in IKEv2. Entrust Limited CableLabs D-Trust GmbH The migration to post-quantum cryptography is unique in the history of modern digital cryptography in that neither the old outgoing nor the new incoming algorithms are fully trusted to protect data for the required data lifetimes. The outgoing algorithms, such as RSA and elliptic curve, may fall to quantum cryptalanysis, while the incoming post-quantum algorithms face uncertainty about both the underlying mathematics as well as hardware and software implementations that have not had sufficient maturing time to rule out classical cryptanalytic attacks and implementation bugs. Cautious implementors may wish to layer cryptographic algorithms such that an attacker would need to break all of them in order to compromise the data being protected. For digital signatures, this is referred to as "dual", and for encryption key establishment this as reffered to as "hybrid". This document, and its companions, defines a specific instantiation of the dual and hybrid paradigm called "composite" where multiple cryptographic algorithms are combined to form a single key, signature, or key encapsulation mechanism (KEM) such that they can be treated as a single atomic object at the protocol level. EDNOTE: the terms "dual" and "hybrid" are currently in flux. We anticipate an Informational draft to normalize terminology, and will update this draft accordingly. This document defines the structures CompositePublicKey and CompositePrivateKey, which are sequences of the respective structure for each component algorithm. The generic composite variant is defined which allows arbitrary combinations of key types to be placed in the CompositePublicKey and CompositePrivateKey structures without needing the combination to be pre-registered or pre-agreed. The explicit variant is also defined which allows for a set of algorithm identifier OIDs to be registered together as an explicit composite algorithm and assigned an OID. This document is intended to be coupled with corresponding documents that define the structure and semantics of composite signatures and encryption, such as [draft-ounsworth-pq-composite-sigs-05] and draft- ounsworth-pq-composite-kem (yet to be published). Entrust Limited CableLabs The migration to post-quantum cryptography is unique in the history of modern digital cryptography in that neither the old outgoing nor the new incoming algorithms are fully trusted to protect data for the required data lifetimes. The outgoing algorithms, such as RSA and elliptic curve, may fall to quantum cryptanalysis, while the incoming post-quantum algorithms face uncertainty about both the underlying mathematics as well as hardware and software implementations that have not had sufficient maturing time to rule out classical cryptanalytic attacks and implementation bugs. Cautious implementer may wish to layer cryptographic algorithms such that an attacker would need to break all of them in order to compromise the data being protected. For digital signatures, this is referred to as "dual", and for encryption key establishment this as referred to as "hybrid". This document, and its companions, defines a specific instantiation of the dual and hybrid paradigm called "composite" where multiple cryptographic algorithms are combined to form a single key, signature, or key encapsulation mechanism (KEM) such that they can be treated as a single atomic object at the protocol level. EDNOTE: the terms "dual" and "hybrid" are currently in flux. We anticipate an Informational draft to normalize terminology, and will update this draft accordingly. This document defines the structures CompositeSignatureValue, and CompositeParams, which are sequences of the respective structure for each component algorithm. The generic composite variant is defined which allows arbitrary combinations of signature algorithms to be used in the CompositeSignatureValue and CompositeParams structures without needing the combination to be pre-registered or pre-agreed. The explicit variant is also defined which allows for a set of signature algorithm identifier OIDs to be registered together as an explicit composite signature algorithm and assigned an OID. This document is intended to be coupled with corresponding documents that define the structure and semantics of composite public and private keys and encryption [I-D.draft-ounsworth-pq-composite-keys- 01], however may also be used with non-composite keys, such as when a protocol combines multiple certificates into a single cryptographic operation. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.

Acknowledgments TODO acknowledge.