<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 4.0.5) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-mls-pq-ciphersuites-05" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="MLS Cipher Suites with ML-KEM">ML-KEM and Hybrid Cipher Suites for Messaging Layer Security</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-mls-pq-ciphersuites-05"/>
    <author initials="R." surname="Mahy" fullname="Rohan Mahy">
      <organization/>
      <address>
        <email>rohan.ietf@gmail.com</email>
      </address>
    </author>
    <author initials="R. L." surname="Barnes" fullname="Richard L. Barnes">
      <organization/>
      <address>
        <email>rlb@ipv.sx</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>sec</area>
    <workgroup>MLS</workgroup>
    <keyword>ML-KEM</keyword>
    <keyword>Kyber</keyword>
    <keyword>post-quantum</keyword>
    <keyword>post quantum KEM</keyword>
    <keyword>KEM</keyword>
    <keyword>PQ/T</keyword>
    <keyword>hybrid</keyword>
    <keyword>hybrid KEM</keyword>
    <keyword>Key Exchange Mechanism</keyword>
    <abstract>
      <?line 53?>

<t>This document registers new cipher suites for Messaging Layer Security (MLS) based on "post-quantum" algorithms, which are intended to be resilient to attack by quantum computers.
These cipher suites are constructed using the new Module-Lattice Key Encapsulation Mechanism (ML-KEM), optionally in combination with traditional elliptic curve KEMs, together with appropriate authenticated encryption, hash, and signature algorithms.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://mlswg.github.io/mls-pq-ciphersuites/#go.draft-ietf-mls-pq-ciphersuites.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-mls-pq-ciphersuites/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        MLS Working Group mailing list (<eref target="mailto:mls@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/mls/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/mls/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/mlswg/mls-pq-ciphersuites/"/>.</t>
    </note>
  </front>
  <middle>
    <?line 58?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The potential availability of a cryptographically-relevant quantum computer has caused concern that well-funded adversaries could overturn long-held assumptions about the security assurances of classical Key Exchange Mechanisms (KEMs) and classical cryptographic signatures, which are fundamental to modern security protocols, including the MLS protocol <xref target="RFC9420"/>.</t>
      <t>Of particular concern are "harvest now, decrypt later" attacks, by which an attacker could collect encrypted traffic now, before a quantum computer exists, and later use a quantum computer to break the confidentiality protections on the collected traffic.</t>
      <t>In response to these concerns, the cryptographic community has defined "post-quantum" algorithms, which are designed to be resilient to attacks by quantum computers.
Symmetric algorithms can be made post-quantum secure simply by using longer keys and hashes.
For asymmetric operations such as KEMs and signatures, entirely new algorithms are needed.</t>
      <t>In this document, we define ciphersuites that use the post-quantum secure Module-Lattice-Based KEM (ML-KEM) <xref target="MLKEM"/> together with appropriate symmetric algorithms, and either traditional or Module-Lattice-Based Digital Signature Algorithm (ML-DSA) <xref target="MLDSA"/> post-quantum signature algorithms.
The traditional signature cipher suites address the risk of "harvest now, decrypt later" attacks, while not taking on the additional cost of post-quantum signatures.
The cipher suites with post-quantum signatures use only post-quantum KEMs.</t>
      <t>Following the pattern of base MLS, we define several variations, to allow for users that prefer to only use NIST-approved cryptography, users that prefer a higher security level, and users that prefer a PQ/traditional hybrid KEM over pure ML-KEM:</t>
      <ul spacing="normal">
        <li>
          <t>ML-KEM-768 + X25519 (128-bit security, Non-NIST, PQ/T hybrid KEM)</t>
        </li>
        <li>
          <t>ML-KEM-768 + P-256 (128-bit security, NIST, PQ/T hybrid KEM)</t>
        </li>
        <li>
          <t>ML-KEM-1024 + P-384 (192-bit security, NIST, PQ/T hybrid KEM)</t>
        </li>
        <li>
          <t>ML-KEM-768 (128-bit security, Non-NIST, pure PQ KEM)</t>
        </li>
        <li>
          <t>ML-KEM-768 (128-bit security, NIST, pure PQ KEM)</t>
        </li>
        <li>
          <t>ML-KEM-1024 (192-bit security, NIST, pure PQ KEM)</t>
        </li>
        <li>
          <t>ML-KEM-768 + X25519 (128-bit security, Non-NIST, PQ/T hybrid KEM + PQ signature)</t>
        </li>
        <li>
          <t>ML-KEM-768 (192-bit security, NIST, pure PQ)</t>
        </li>
        <li>
          <t>ML-KEM-1024 (256-bit security, NIST, pure PQ)</t>
        </li>
      </ul>
      <t>Some parts of the community wish to support the 128-bit security level with the same Authenticated Encryption with Authenticated Data (AEAD) <xref target="RFC5116"/> algorithms and hash function as used in the default cipher suite registered in <xref target="RFC9420"/> (AES128 GCM <xref target="GCM"/> and HMAC <xref target="RFC2104"/> with SHA-256 <xref target="SHS"/>), while other parts of the community would like to follow recent recommendations to transition immediately to AES256 GCM <xref target="GCM"/> and HMAC <xref target="RFC2104"/> with SHA-384 <xref target="SHS"/>.</t>
      <t>For all of the cipher suites defined in this document, we use SHAKE256 (Section 3.2 of <xref target="FIPS202"/>) as the Key Derivation Function (KDF).</t>
      <t>For the cipher suites at the 192-bit or 256-bit security levels, we use AES256 GCM <xref target="GCM"/> as the AEAD algorithm, and HMAC <xref target="RFC2104"/> with SHA-384 <xref target="SHS"/> as the hash function.</t>
      <t>Finally, one of cipher suites at the 128-bit security level, uses the same hybrid KEM as the first cipher suite, the ChaCha20-Poly130 <xref target="RFC8439"/> AEAD algorithm, HMAC with SHA-384, and the pure PQ signature algorithm ML-DSA-44.
The choice of ChaCha20-Poly130 was selected for acceptable performance when implemented entirely in software.</t>
      <t>For the PQ/T hybrid KEMs and the pure ML-KEM HPKE integration, we use the KEMs defined in <xref target="I-D.ietf-hpke-pq"/>.
The signature schemes for ML-DSA-44, ML-DSA-65, and ML-DSA-87 <xref target="MLDSA"/> are defined in <xref target="I-D.ietf-tls-mldsa"/>.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="mls-cipher-suites">
        <name>MLS Cipher Suites</name>
        <t>This document requests that IANA add the following entries to the "MLS Cipher Suites" registry, replacing "XXXX" with the RFC number assigned to this document:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Name</th>
              <th align="left">Rec</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">TBD1</td>
              <td align="left">MLS_128_MLKEM768X25519_AES128GCM_SHA256_Ed25519</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD2</td>
              <td align="left">MLS_128_MLKEM768X25519_AES256GCM_SHA384_Ed25519</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD3</td>
              <td align="left">MLS_128_MLKEM768P256_AES128GCM_SHA256_P256</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD4</td>
              <td align="left">MLS_128_MLKEM768P256_AES256GCM_SHA384_P256</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD5</td>
              <td align="left">MLS_192_MLKEM1024P384_AES256GCM_SHA384_P384</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD6</td>
              <td align="left">MLS_128_MLKEM768_AES256GCM_SHA384_Ed25519</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD7</td>
              <td align="left">MLS_128_MLKEM768_AES256GCM_SHA384_P256</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD8</td>
              <td align="left">MLS_192_MLKEM1024_AES256GCM_SHA384_P384</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD9</td>
              <td align="left">MLS_128_MLKEM768X25519_CHACHA20POLY1305_SHA384_MLDSA44</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD10</td>
              <td align="left">MLS_192_MLKEM768_AES256GCM_SHA384_MLDSA65</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
            <tr>
              <td align="left">TBD11</td>
              <td align="left">MLS_256_MLKEM1024_AES256GCM_SHA384_MLDSA87</td>
              <td align="left">Y</td>
              <td align="left">RFCXXXX</td>
            </tr>
          </tbody>
        </table>
        <t>The mapping of cipher suites to HPKE primitives <xref target="I-D.ietf-hpke-hpke"/>, HMAC hash functions, and TLS signature schemes <xref target="I-D.ietf-tls-rfc8446bis"/> is as follows:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">KEM</th>
              <th align="left">KDF</th>
              <th align="left">AEAD</th>
              <th align="left">Hash</th>
              <th align="left">Signature</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">TBD1</td>
              <td align="left">0x647a</td>
              <td align="left">0x0011</td>
              <td align="left">0x0001</td>
              <td align="left">SHA256</td>
              <td align="left">ed25519</td>
            </tr>
            <tr>
              <td align="left">TBD2</td>
              <td align="left">0x647a</td>
              <td align="left">0x0011</td>
              <td align="left">0x0002</td>
              <td align="left">SHA384</td>
              <td align="left">ed25519</td>
            </tr>
            <tr>
              <td align="left">TBD3</td>
              <td align="left">0x0050</td>
              <td align="left">0x0011</td>
              <td align="left">0x0001</td>
              <td align="left">SHA256</td>
              <td align="left">ecdsa_secp256r1_sha256</td>
            </tr>
            <tr>
              <td align="left">TBD4</td>
              <td align="left">0x0050</td>
              <td align="left">0x0011</td>
              <td align="left">0x0002</td>
              <td align="left">SHA384</td>
              <td align="left">ecdsa_secp256r1_sha256</td>
            </tr>
            <tr>
              <td align="left">TBD5</td>
              <td align="left">0x0051</td>
              <td align="left">0x0011</td>
              <td align="left">0x0002</td>
              <td align="left">SHA384</td>
              <td align="left">ecdsa_secp384r1_sha384</td>
            </tr>
            <tr>
              <td align="left">TBD6</td>
              <td align="left">0x0041</td>
              <td align="left">0x0011</td>
              <td align="left">0x0002</td>
              <td align="left">SHA384</td>
              <td align="left">ed25519</td>
            </tr>
            <tr>
              <td align="left">TBD7</td>
              <td align="left">0x0041</td>
              <td align="left">0x0011</td>
              <td align="left">0x0002</td>
              <td align="left">SHA384</td>
              <td align="left">ecdsa_secp256r1_sha256</td>
            </tr>
            <tr>
              <td align="left">TBD8</td>
              <td align="left">0x0042</td>
              <td align="left">0x0011</td>
              <td align="left">0x0002</td>
              <td align="left">SHA384</td>
              <td align="left">ecdsa_secp384r1_sha384</td>
            </tr>
            <tr>
              <td align="left">TBD9</td>
              <td align="left">0x647a</td>
              <td align="left">0x0011</td>
              <td align="left">0x0003</td>
              <td align="left">SHA384</td>
              <td align="left">mldsa44</td>
            </tr>
            <tr>
              <td align="left">TBD10</td>
              <td align="left">0x0041</td>
              <td align="left">0x0011</td>
              <td align="left">0x0002</td>
              <td align="left">SHA384</td>
              <td align="left">mldsa65</td>
            </tr>
            <tr>
              <td align="left">TBD11</td>
              <td align="left">0x0042</td>
              <td align="left">0x0011</td>
              <td align="left">0x0002</td>
              <td align="left">SHA384</td>
              <td align="left">mldsa87</td>
            </tr>
          </tbody>
        </table>
        <t>The hash used for the MLS transcript hash is the one referenced in the cipher suite name. "SHA256" and "SHA384" refer to the SHA-256 and SHA-384 functions defined in <xref target="SHS"/>.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The first eight ciphersuites defined in this document combine a post-quantum (or PQ/T hybrid) KEM with a traditional signature algorithm. As such, they are designed to provide confidentiality against quantum and classical attacks, but provide authenticity against classical attacks only.  Thus, these cipher suites do not provide full post-quantum security, only post-quantum confidentiality.</t>
      <t>The last three cipher suites also use post-quantum signature algorithms.</t>
      <t>For security considerations related to the KEMs used in this document, please see the documents that define those KEMs <xref target="I-D.ietf-hpke-pq"/> and <xref target="I-D.irtf-cfrg-hybrid-kems"/>.
For security considerations related to the post-quantum signature algorithms used in this document, please see <xref target="I-D.ietf-tls-mldsa"/> and <xref target="RFC9881"/>.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="SHS">
          <front>
            <title>Secure hash standard</title>
            <author>
              <organization/>
            </author>
            <date year="2015"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.180-4"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
        <reference anchor="MLKEM">
          <front>
            <title>Module-lattice-based key-encapsulation mechanism standard</title>
            <author>
              <organization/>
            </author>
            <date month="August" year="2024"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.203"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
        <reference anchor="MLDSA">
          <front>
            <title>Module-lattice-based digital signature standard</title>
            <author>
              <organization/>
            </author>
            <date month="August" year="2024"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.204"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
        <reference anchor="FIPS202">
          <front>
            <title>SHA-3 standard :: permutation-based hash and extendable-output functions</title>
            <author>
              <organization/>
            </author>
            <date year="2015"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.fips.202"/>
          <refcontent>National Institute of Standards and Technology (U.S.)</refcontent>
        </reference>
        <reference anchor="GCM">
          <front>
            <title>Recommendation for block cipher modes of operation :: GaloisCounter Mode (GCM) and GMAC</title>
            <author fullname="M J Dworkin" initials="M." surname="Dworkin">
              <organization/>
            </author>
            <date year="2007"/>
          </front>
          <seriesInfo name="DOI" value="10.6028/nist.sp.800-38d"/>
          <refcontent>National Institute of Standards and Technology</refcontent>
        </reference>
        <reference anchor="RFC9420" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9420.xml">
          <front>
            <title>The Messaging Layer Security (MLS) Protocol</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="B. Beurdouche" initials="B." surname="Beurdouche"/>
            <author fullname="R. Robert" initials="R." surname="Robert"/>
            <author fullname="J. Millican" initials="J." surname="Millican"/>
            <author fullname="E. Omara" initials="E." surname="Omara"/>
            <author fullname="K. Cohn-Gordon" initials="K." surname="Cohn-Gordon"/>
            <date month="July" year="2023"/>
            <abstract>
              <t>Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9420"/>
          <seriesInfo name="DOI" value="10.17487/RFC9420"/>
        </reference>
        <reference anchor="RFC5116" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5116.xml">
          <front>
            <title>An Interface and Algorithms for Authenticated Encryption</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5116"/>
          <seriesInfo name="DOI" value="10.17487/RFC5116"/>
        </reference>
        <reference anchor="RFC2104">
          <front>
            <title>HMAC: Keyed-Hashing for Message Authentication</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="M. Bellare" initials="M." surname="Bellare"/>
            <author fullname="R. Canetti" initials="R." surname="Canetti"/>
            <date month="February" year="1997"/>
            <abstract>
              <t>This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2104"/>
          <seriesInfo name="DOI" value="10.17487/RFC2104"/>
        </reference>
        <reference anchor="RFC8439">
          <front>
            <title>ChaCha20 and Poly1305 for IETF Protocols</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm.</t>
              <t>RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8439"/>
          <seriesInfo name="DOI" value="10.17487/RFC8439"/>
        </reference>
        <reference anchor="I-D.ietf-hpke-pq">
          <front>
            <title>Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE</title>
            <author fullname="Richard Barnes" initials="R." surname="Barnes">
              <organization>Cisco</organization>
            </author>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>Selkie Cryptography</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   Updating key exchange and public-key encryption protocols to resist
   attack by quantum computers is a high priority given the possibility
   of "harvest now, decrypt later" attacks.  Hybrid Public Key
   Encryption (HPKE) is a widely-used public key encryption scheme based
   on combining a Key Encapsulation Mechanism (KEM), a Key Derivation
   Function (KDF), and an Authenticated Encryption with Associated Data
   (AEAD) scheme.  In this document, we define KEM algorithms for HPKE
   based on both post-quantum KEMs and hybrid constructions of post-
   quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3
   that is suitable for use with these KEMs.  When used with these
   algorithms, HPKE is resilient with respect to attacks by a quantum
   computer.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-hpke-pq-04"/>
        </reference>
        <reference anchor="I-D.ietf-tls-mldsa">
          <front>
            <title>Use of ML-DSA in TLS 1.3</title>
            <author fullname="Tim Hollebeek" initials="T." surname="Hollebeek">
              <organization>DigiCert</organization>
            </author>
            <author fullname="Sophie Schmieg" initials="S." surname="Schmieg">
              <organization>Google</organization>
            </author>
            <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
              <organization>Cloudflare</organization>
            </author>
            <date day="18" month="June" year="2026"/>
            <abstract>
              <t>   This memo specifies how the post-quantum signature scheme ML-DSA
   (FIPS 204) is used for authentication in TLS 1.3.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-mldsa-04"/>
        </reference>
        <reference anchor="I-D.ietf-hpke-hpke">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="Richard Barnes" initials="R." surname="Barnes">
              <organization>Cisco</organization>
            </author>
            <author fullname="Karthikeyan Bhargavan" initials="K." surname="Bhargavan">
              <organization>Inria</organization>
            </author>
            <author fullname="Benjamin Lipp" initials="B." surname="Lipp">
              <organization>Inria</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
         </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   This document describes a scheme for hybrid public key encryption
   (HPKE).  This scheme provides a variant of public key encryption of
   arbitrary-sized plaintexts for a recipient public key.  It also
   includes a variant that authenticates possession of a pre-shared key.
   HPKE works for any combination of an asymmetric Key Encapsulation
   Mechanism (KEM), key derivation function (KDF), and authenticated
   encryption with additional data (AEAD) encryption function.  We
   provide instantiations of the scheme using widely used and efficient
   primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key
   agreement, HMAC-based key derivation function (HKDF), and SHA2.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-hpke-hpke-03"/>
        </reference>
        <reference anchor="I-D.ietf-tls-rfc8446bis">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.irtf-cfrg-hybrid-kems">
          <front>
            <title>Hybrid PQ/T Key Encapsulation Mechanisms</title>
            <author fullname="Deirdre Connolly" initials="D." surname="Connolly">
              <organization>SandboxAQ</organization>
            </author>
            <author fullname="Richard Barnes" initials="R." surname="Barnes">
              <organization>Cisco</organization>
            </author>
            <author fullname="Paul Grubbs" initials="P." surname="Grubbs">
              <organization>University of Michigan</organization>
            </author>
            <date day="7" month="May" year="2026"/>
            <abstract>
              <t>   This document defines generic constructions for hybrid Key
   Encapsulation Mechanisms (KEMs) based on combining a post-quantum
   (PQ) KEM with a traditional cryptographic component.  Hybrid KEMs
   built using these constructions provide strong security properties as
   long as either of the underlying algorithms are secure.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-hybrid-kems-11"/>
        </reference>
        <reference anchor="RFC9881">
          <front>
            <title>Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title>
            <author fullname="J. Massimo" initials="J." surname="Massimo"/>
            <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <author fullname="B. E. Westerbaan" initials="B. E." surname="Westerbaan"/>
            <date month="October" year="2025"/>
            <abstract>
              <t>Digital signatures are used within X.509 certificates and Certificate Revocation Lists (CRLs), and to sign messages. This document specifies the conventions for using FIPS 204, the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) in Internet X.509 certificates and CRLs. The conventions for the associated signatures, subject public keys, and private key are also described.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9881"/>
          <seriesInfo name="DOI" value="10.17487/RFC9881"/>
        </reference>
      </references>
    </references>
    <?line 146?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>This work would not be possible without the hard work of the CFRG Hybrid KEM design team: Aron Wussler, Bas Westerbaan, Deirdre Connolly, Mike Ounsworth, Nick Sullivan, and Stephen Farrell.
Thanks also to Joël Alwen, Marta Mularczyk, and Britta Hale.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA6Va63LbuhH+z6dAlT9xa8qSLDu2Zjo9ii/HbuLEJ/b0nDOd
jgciIQljimQAUI6O4yfqY/TF+u2ClETrYqf1ZGyIXCz2+u0ulDAMA6ddonri
6mP44exKyDQWF7OB0bE40flYGXFTaKesGGZGXClr5UinI/FRzuiVigqj3SyQ
g4FRU2Jy82zbg3bjkncQZ1EqJzgrNnLoQq3cMJwkNsy/hhFvsrwnbB0EOjc9
4UxhXafVOm51AlsMJtpanaVuloPF5dntuRBvhExs1hMNncYqV/iVusauaFz2
3+MPJG5cfrk9bwTSKNkT0rjgITP3I5MVOQtbvrAqCiLp1Cgzs57Q6TAL7tUM
pHEvEGElPlYfZgNlaJFn1oVfC5m6YlJ9FuVnURH7P9e/7N3S3zFbdbGak6mZ
OPsWjWU6UrAwLbSdBIF18MWdTLIU6s6UDXLdE/90WbQrbGacUUOL1WxCi38F
wVSlhYK4Ykk7IbyxfoXS5LWf6RWeTqROegKm/4l80MzMCA+licY9MXYut729
PSKhJ3qqmhXRHj3YG5jswao97N6j0+DfYsDMHkZ7a7xJRAlsa90ScyJu+q1N
na3d9maUNbfHSXPsJkkQyMKNM8OOgutsT3xpiis5nuFcIXy8fclg1MVDqAIb
/yEdoqnHT5S3iCE6VvenET1pRtlkme/HpngvTQpfLPHW8JiJRf3d5iOSwU86
nzbttyAI0sxMQDJlv91c3PTE6efLZrvVPGx1jvY+Xd7cNs8vr2+a7aNW2AXJ
1UfEzCaiTmufSU5v+ptJiAstO63OZqIOiH4+WXfQzXXzqNUK949Og4DSZC5+
EIahkAPrjIxcENyOtRVI92KChBRGjbR1cJtI1YPwLhT2ZVgRbxHEO2IgrYpF
lorGctY1kPrIV8TQBHnwMIYbEMIKrnKEA7FwmRgonG11okkKfJbOyeheDGbz
VIWD84JEa0JmZdUz6YhhlKVQq4gceBaWpHRjxZpcZXGRqPAj2OpI+UROI5nb
ImHHL7KZNCEM2QEo5fRKJskMotL5A516aoZKGDDWnkKoJNGgjgTMMVWEF9DU
ZSPlSEQml3lustxoJJigRICimpAsFiqNzIzP2hVjace7DO1Wj3BaAbUW1mt6
7010HCcqCN6Iy9QZqBbRZvKlArw54gyZ5JSAYQCbwj/ZUEjBx2QjI3P4gPQK
jUrUFPZdsTIJIiJZkD9h1kiZFMaUTjxA1XBYsN9kPIU/pNGwf5QVCVyPB5A5
FcDCUThWeCStLSasHZw0yArHTrFV4NBrI3GAJRmjBJ9Jtg1Ya8Vbsu0OW2hB
XFNsYblatJHMkoIc9AiwSRaTTnM54BwAdpZgj06jpIir8KFCWb0Uj49/+nJ+
ctzttJ6e4IzPQ5GjVOkIYWTmdqLTGkCaKZBUpNnDrogVS8joahplcOMkhHcp
YFo+VKa0JE5LVOSq4KAsAcQOoR5zHCikI0Jj1XHqGzLY+hji85AKawkp61BT
71lLyD7UsY+cyhwq8l7L0pKEJVpIAgNcppS2OagU8XM+Mb0dKANoW803OH1S
pHQCBVishjoFw1fBRazIsdvgwm7Ai5vZZKKcwfELzgjulNhMZKxqPYIPCUSo
nuTIfHD0UEIRDauh27BsW8pUVLbgHLAo7fyELFdGervZgiS3jAb1lIZeZGpk
34zhaUks0jRVCunlzeuW8RnmUKXRxHJ99alJfnbj9drUATB8z0BNXWQFdwht
rllPT1twy64xpI80pXnHMiZSuVh36qlGO4H3N3OA61fMWBpURS8NFpCmrs1a
UCTcWz55QfWsRsQxbG/ZSEbbe0Kc1yUqojCBXzIEm+T+rMwJcKwOjaivBMP1
8pZS1uVh+26gZ29mKQKkRkCxhMA4Ry5mDxVE5ZCTgAenUwUmyFqOFKuAypBw
KsmLFJq7nDPEgqs6jjJlDOXoUT028NkkBLUTIUfBlIrBIp1nu2t2SjHWI9ax
QlZUGJX4KFlHjqZ72XeLjpuLicg5ejlG0bv8uVyG7w6PxF/Eb52Dg/axeNvu
HIUD7eZn7opPWRqS4Lvc1C9x3XnO4zrsHByuZfHC9nar0+X9+0dd7D/u/OB+
On6r5Kz69S+v3LZlC0u6UcLNx/xPBiaT/LII5BXJt0uxIjWcs50+uMkmissw
dxC+UlVF5kHbMQWzLfIckxi/fa6LD9Cyp6PWBF2C6Nc6tLN5h+bJ6m9PpZPi
bf+sf7pTNggH7fYhoGsZ1suKQW0Il1UqDNxdaY8kyFVZJK6GEPN23JMtNx90
3g00oe4fL/CbzqMbgav+SUnZabe6eMoS31z0Oc4fHzG8PD3tVJCWMWxvsh53
Iom+5+I+ZMyBTJGfFIgO/XtZ7Kj6o4+znMdC41VMJQMYgjeQlQ7/AVkpp0pZ
Ge4MwdVcwhqKVk2EXlcsCcDA78MZJ/mNb2nEfrNDvB4fywELBiF/EG/qO0+V
0VPf6Z9X7nr74fR8pxRlVQZZhlYZ3KB5Hrc+yuxcqHUm8RJQIC1CZ/cHLFVx
qAUayax5isFEg2pAXfZa2demBUO8XeTFUp6Xhw21sfWw9X3fyVjiX6cVXmfJ
rL3fKsU/6u4fQ9LnSrKCyzp5vbm6lfi0pvYL3y6E3W5ZXscZjXdQceX0B4hr
VdnAUtGTUaRyJwdIArRsPCCjbUVaKArfPFEUQzydlY0a4stmQ/eADm0pDp6h
n62LXV7VXVx/OONxd+R7w3kUcMTRrqUghp0uw1O+2wjH+b0K86+UBKTfwgQ2
GkPAciivjLBbLQ8PvPnKj0fvlvop30qvPc0lNpwksZWcdJgu+5/64gTZjcmg
bGrx+M3q3eHqNcLXAj1VWeqZDTolHy7zzgWEPDn6uUE0Vrg2SvwziFyj8kRG
tK3xG34aC7hGTIm0mAyombCLCaEGBegcvot/yKRQ4rv4RHH8Az/fxRcV8W80
LIpi5HvwvfdX/qn+vv7H71jsAy9x+/60TefAAndIwztuxFEtffW980gPjLhD
bgA07s5iX5a/C/E7y3d+QkYRJa/Odl7gUPJCmr3Ea38dr2sSYkUqelpZbC2v
7jZedale5HUw53Xc8byoXbimvavMCCK38DpcJ9dmS22V693reC3028LraK2O
W/Tbwut4S0ycXPTxr9O6/vzxd0DlQcWXEaPbxcbfVxm2W8+FW6so8zg82C5c
u13yoljYoigzA5ht4OUvwCYYVXhCe17nAAqMw5hlJ5ruQu0q1NKvp6eyHNXK
aDnn3gKkVlH4OYiaYXTU7R4OtAXgAoekLXHP1pCISoNXBc2FX3BdpMUFHU6L
xZhcR6U1GDRfbVms4NES/rS+HXbfSb9qtdgrtGjRwic5FqqWBsvyzLFnE5+O
50Ph+hKf/Wr3QesleSIUrDt0LTk+m/adRdmnF0uYs4lPXZ6tfA7mfNqv5oPP
ng+/WMIa2tR9kc9W+7x7PZ+teh3N+XT+L72Ot/l9f5kPNxjd7ga9GFZepRfz
mSPLCp/2a/ViPhWoLPNhNGEM4DltWDZ81KbwpBMZnTtPoH0rTO21qbqE+WRX
m+jom6imaPjobTCkNLwoDTG/eqFd1cBGFFWbP8eiegNXTUlvFl/HPG/abueN
utKjsatfHm4aoMqvPOjyuHYH9RaWWGp7dxjH/F3hhmu4ecPeFH1/L8ozwmzl
XpcumSD3ynW0HEmdLn1vW7/+X9ynF27OYv4dy/L+lT18zdUU4nZc+PvqlS+W
4ozv/Sq2wwJz6OoNK99MrF7XPdOj6T0BIWjmMmpljExsxnPBKy49eQKZD2tR
zeEIpYSvJspg4hFjcdtQG5Ix6dCdoVV+GqlelL17eYXoxpkt2awdT9ghj49/
4zcGb6KhGYU+PsJ7NbEUoD8g8Iv6v0KbDZNNJSpdpRwdtTlz6Eu1AcKBcqgf
3afZQ6LiEZsheOz56ULFf20M4SDVeCrHHfoPCuUdCUXIgMW2miZKyobqqy7+
zplpy+uLk/MvP1f/c4NSxyeAcEpOeqJvslT8WlibKLMr3qNz+FXRFdBASoyN
p0qbGIZAfqcZj/RXdDvzuUgtTnBIq086usf8lCR6ShsYPpzKaao9lwZmTmiU
lOl9GW0w+N+z//w7Ef3kQWHDlTROiiv6Qiv6Y3bvObyH0fH0QiYYff8Lr4SX
n4oiAAA=

-->

</rfc>
