<?xml version='1.0' encoding='utf-8'?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" ipr="trust200902" docName="draft-ietf-tls-hybrid-design-16" number="9954" updates="" obsoletes="" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" xml:lang="en" consensus="true" prepTime="2026-07-15T21:59:19" indexInclude="true" scripts="Common,Latin" tocDepth="3">
  <link href="https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design-16" rel="prev"/>
  <link href="https://dx.doi.org/10.17487/rfc9954" rel="alternate"/>
  <link href="urn:issn:2070-1721" rel="alternate"/>
  <front>
    <title abbrev="Hybrid Key Exchange in TLS 1.3">Hybrid Key Exchange in TLS 1.3</title>
    <seriesInfo name="RFC" value="9954" stream="IETF"/>
    <author initials="D." surname="Stebila" fullname="Douglas Stebila">
      <organization showOnFrontPage="true">University of Waterloo</organization>
      <address>
        <email>dstebila@uwaterloo.ca</email>
      </address>
    </author>
    <author initials="S." surname="Fluhrer" fullname="Scott Fluhrer">
      <organization showOnFrontPage="true">Cisco Systems</organization>
      <address>
        <email>sfluhrer@cisco.com</email>
      </address>
    </author>
    <author initials="S." surname="Gueron" fullname="Shay Gueron">
      <organization abbrev="U. Haifa &amp; Meta" showOnFrontPage="true">University of Haifa and Meta</organization>
      <address>
        <email>shay.gueron@gmail.com</email>
      </address>
    </author>
    <date month="07" year="2026"/>
    <area>SEC</area>
    <workgroup>tls</workgroup>
    <keyword>Post-Quantum</keyword>
    <abstract pn="section-abstract">
      <t indent="0" pn="section-abstract-1">Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if a way is found to defeat the encryption for all but one of the component algorithms.  It is motivated by the transition to post-quantum cryptography.  This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3.</t>
    </abstract>
    <boilerplate>
      <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1">
        <name slugifiedName="name-status-of-this-memo">Status of This Memo</name>
        <t indent="0" pn="section-boilerplate.1-1">
            This document is not an Internet Standards Track specification; it is
            published for informational purposes.  
        </t>
        <t indent="0" pn="section-boilerplate.1-2">
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by the
            Internet Engineering Steering Group (IESG).  Not all documents
            approved by the IESG are candidates for any level of Internet
            Standard; see Section 2 of RFC 7841. 
        </t>
        <t indent="0" pn="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <eref target="https://www.rfc-editor.org/info/rfc9954" brackets="none"/>.
        </t>
      </section>
      <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2">
        <name slugifiedName="name-copyright-notice">Copyright Notice</name>
        <t indent="0" pn="section-boilerplate.2-1">
            Copyright (c) 2026 IETF Trust and the persons identified as the
            document authors. All rights reserved.
        </t>
        <t indent="0" pn="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Revised BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Revised BSD License.
        </t>
      </section>
    </boilerplate>
    <toc>
      <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1">
        <name slugifiedName="name-table-of-contents">Table of Contents</name>
        <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1">
          <li pn="section-toc.1-1.1">
            <t indent="0" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.1.2">
              <li pn="section-toc.1-1.1.2.1">
                <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.1.1"><xref derivedContent="1.1" format="counter" sectionFormat="of" target="section-1.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-terminology">Terminology</xref></t>
              </li>
              <li pn="section-toc.1-1.1.2.2">
                <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.2.1"><xref derivedContent="1.2" format="counter" sectionFormat="of" target="section-1.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-motivation-for-use-of-hybri">Motivation for Use of Hybrid Key Exchange</xref></t>
              </li>
              <li pn="section-toc.1-1.1.2.3">
                <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.3.1"><xref derivedContent="1.3" format="counter" sectionFormat="of" target="section-1.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-scope">Scope</xref></t>
              </li>
              <li pn="section-toc.1-1.1.2.4">
                <t indent="0" pn="section-toc.1-1.1.2.4.1"><xref derivedContent="1.4" format="counter" sectionFormat="of" target="section-1.4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-goals">Goals</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.2">
            <t indent="0" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-key-encapsulation-mechanism">Key Encapsulation Mechanisms</xref></t>
          </li>
          <li pn="section-toc.1-1.3">
            <t indent="0" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-construction-for-hybrid-key">Construction for Hybrid Key Exchange</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.3.2">
              <li pn="section-toc.1-1.3.2.1">
                <t indent="0" pn="section-toc.1-1.3.2.1.1"><xref derivedContent="3.1" format="counter" sectionFormat="of" target="section-3.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-negotiation">Negotiation</xref></t>
              </li>
              <li pn="section-toc.1-1.3.2.2">
                <t indent="0" pn="section-toc.1-1.3.2.2.1"><xref derivedContent="3.2" format="counter" sectionFormat="of" target="section-3.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-transmitting-public-keys-an">Transmitting Public Keys and Ciphertexts</xref></t>
              </li>
              <li pn="section-toc.1-1.3.2.3">
                <t indent="0" pn="section-toc.1-1.3.2.3.1"><xref derivedContent="3.3" format="counter" sectionFormat="of" target="section-3.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-shared-secret-calculation">Shared Secret Calculation</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.4">
            <t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-discussion">Discussion</xref></t>
          </li>
          <li pn="section-toc.1-1.5">
            <t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.6">
            <t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="6" format="counter" sectionFormat="of" target="section-6"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.7">
            <t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="7" format="counter" sectionFormat="of" target="section-7"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-references">References</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.7.2">
              <li pn="section-toc.1-1.7.2.1">
                <t indent="0" pn="section-toc.1-1.7.2.1.1"><xref derivedContent="7.1" format="counter" sectionFormat="of" target="section-7.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t>
              </li>
              <li pn="section-toc.1-1.7.2.2">
                <t indent="0" pn="section-toc.1-1.7.2.2.1"><xref derivedContent="7.2" format="counter" sectionFormat="of" target="section-7.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-informative-references">Informative References</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.8">
            <t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="Appendix A" format="default" sectionFormat="of" target="section-appendix.a"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-related-work">Related Work</xref></t>
          </li>
          <li pn="section-toc.1-1.9">
            <t indent="0" pn="section-toc.1-1.9.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgements">Acknowledgements</xref></t>
          </li>
          <li pn="section-toc.1-1.10">
            <t indent="0" pn="section-toc.1-1.10.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.c"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-addresses">Authors' Addresses</xref></t>
          </li>
        </ul>
      </section>
    </toc>
  </front>
  <middle>
    <section anchor="introduction" numbered="true" removeInRFC="false" toc="include" pn="section-1">
      <name slugifiedName="name-introduction">Introduction</name>
      <t indent="0" pn="section-1-1">This document gives a construction for hybrid key exchange in TLS 1.3.  The overall design approach is a simple, "concatenation"-based approach: Each hybrid key exchange combination should be viewed as a single new key exchange method that should be negotiated and transmitted using the existing TLS 1.3 mechanisms.</t>
      <t indent="0" pn="section-1-2">This document does not propose specific post-quantum mechanisms; see <xref target="scope" format="default" sectionFormat="of" derivedContent="Section 1.3"/> for more on the scope of this document.</t>
      <section anchor="terminology" numbered="true" removeInRFC="false" toc="include" pn="section-1.1">
        <name slugifiedName="name-terminology">Terminology</name>
        <t indent="0" pn="section-1.1-1">
    The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
    "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
    "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are
    to be interpreted as described in BCP 14 <xref target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/>
          <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they appear in all capitals,
    as shown here. 
</t>
        <t indent="0" pn="section-1.1-2">For the purposes of this document, it is helpful to divide cryptographic algorithms into two classes:</t>
        <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-1.1-3">
          <li pn="section-1.1-3.1">
            <t indent="0" pn="section-1.1-3.1.1">"Traditional" algorithms: Algorithms that are widely deployed today but may be deprecated in the future.  In the context of TLS 1.3, examples of traditional key exchange algorithms include Elliptic Curve Diffie-Hellman (ECDH) using secp256r1 or x25519 or finite field Diffie-Hellman.</t>
          </li>
          <li pn="section-1.1-3.2">
            <t indent="0" pn="section-1.1-3.2.1">"Next-generation" (or "next-gen") algorithms: Algorithms that are not yet widely deployed but may eventually be widely deployed.  An additional facet of these algorithms is that the cryptographic community may have less confidence in their security due to them being relatively new or less studied.  This includes "post-quantum" algorithms.</t>
          </li>
        </ul>
        <t indent="0" pn="section-1.1-4">In this context, "hybrid" key exchange means the use of two (or more) key exchange algorithms based on different cryptographic assumptions, e.g., one traditional algorithm and one next-generation algorithm, with the purpose of the final session key being secure as long as at least one of the component key exchange algorithms remains unbroken.
When one of the algorithms is traditional and one is post-quantum, this is a Post-Quantum Traditional Hybrid Scheme <xref target="RFC9794" format="default" sectionFormat="of" derivedContent="PQUIP-TERM"/>; while this is the initial use case for this document, the document is not limited to this case.
	This document uses the term "component" algorithms to refer to the algorithms combined in a hybrid key exchange.</t>
        <t indent="0" pn="section-1.1-5">Some researchers prefer the term "composite" to refer to the use of multiple algorithms to distinguish from "hybrid public key encryption", in which a key encapsulation mechanism and data encapsulation mechanism are combined to create public key encryption.</t>
        <t indent="0" pn="section-1.1-6">It is intended that the component algorithms within a hybrid key exchange are to be performed, that is, negotiated and transmitted, within the TLS 1.3 handshake.  Any out-of-band method of exchanging keying material is considered out-of-scope.</t>
        <t indent="0" pn="section-1.1-7">The primary motivation of this document is preparing for post-quantum algorithms.  However, it is possible that public key cryptography based on alternative mathematical constructions will be desired to mitigate risks independent of the advent of a quantum computer, for example, because of a cryptanalytic breakthrough.  As such, this document opts for the more generic term "next-generation" algorithms rather than exclusively "post-quantum" algorithms.</t>
        <t indent="0" pn="section-1.1-8">Note that TLS 1.3 uses the term "groups" to refer to key exchange algorithms -- for example, the <tt>supported_groups</tt> extension -- since all key exchange algorithms in TLS 1.3 are Diffie-Hellman-based.  As a result, some parts of this document will refer to data structures or messages with the term "group" in them despite using a key exchange algorithm that is neither Diffie-Hellman-based nor a group.</t>
      </section>
      <section anchor="motivation" numbered="true" removeInRFC="false" toc="include" pn="section-1.2">
        <name slugifiedName="name-motivation-for-use-of-hybri">Motivation for Use of Hybrid Key Exchange</name>
        <t indent="0" pn="section-1.2-1">A hybrid key exchange algorithm allows early adopters eager for post-quantum security to have the potential of post-quantum security (possibly from a less-well-studied algorithm) while still retaining at least the security currently offered by traditional algorithms.  They may even need to retain traditional algorithms due to regulatory constraints, for example, US National Institute of Standards and Technology (NIST) FIPS compliance.</t>
        <t indent="0" pn="section-1.2-2">Ideally, one would not use hybrid key exchange: One would have confidence in a single algorithm and parameterization that will stand the test of time.  However, this may not be the case in the face of quantum computers and cryptanalytic advances more generally.</t>
        <t indent="0" pn="section-1.2-3">Many (though not all) post-quantum algorithms currently under consideration are relatively new; they have not been subject to the same depth of study as RSA and finite field or elliptic curve Diffie-Hellman; thus, the security community does not necessarily have as much confidence in their fundamental security or the concrete security level of specific parameterizations.</t>
        <t indent="0" pn="section-1.2-4">Moreover, it is possible that after next-generation algorithms are defined, and for a period of time thereafter, conservative users may not have full confidence in some algorithms.</t>
        <t indent="0" pn="section-1.2-5">Some users may want to accelerate adoption of post-quantum cryptography due to the threat of retroactive decryption (also known as "harvest-now-decrypt-later"): If a cryptographic assumption is broken due to the advent of a quantum computer or some other cryptanalytic breakthrough, confidentiality of information can be broken retroactively by any adversary who has passively recorded handshakes and encrypted communications.  Hybrid key exchange enables potential security against retroactive decryption while not fully abandoning traditional cryptosystems.</t>
        <t indent="0" pn="section-1.2-6">As such, there may be users for whom hybrid key exchange is an appropriate step prior to an eventual transition to next-generation algorithms. Users should consider the confidence they have in each hybrid component to assess that the hybrid system meets the desired motivation.</t>
      </section>
      <section anchor="scope" numbered="true" removeInRFC="false" toc="include" pn="section-1.3">
        <name slugifiedName="name-scope">Scope</name>
        <t indent="0" pn="section-1.3-1">This document focuses on hybrid ephemeral key exchange in TLS 1.3 <xref target="RFC9846" format="default" sectionFormat="of" derivedContent="TLS13"/>.  It intentionally does not address:</t>
        <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-1.3-2">
          <li pn="section-1.3-2.1">
            <t indent="0" pn="section-1.3-2.1.1">Selecting which next-generation algorithms to use in TLS 1.3 or algorithm identifiers or encoding mechanisms for next-generation algorithms.</t>
          </li>
          <li pn="section-1.3-2.2">
            <t indent="0" pn="section-1.3-2.2.1">Authentication using next-generation algorithms.  While quantum computers could retroactively decrypt previous sessions, session authentication cannot be retroactively broken.</t>
          </li>
        </ul>
      </section>
      <section anchor="goals" numbered="true" removeInRFC="false" toc="include" pn="section-1.4">
        <name slugifiedName="name-goals">Goals</name>
        <t indent="0" pn="section-1.4-1">The primary goal of a hybrid key exchange mechanism is to facilitate the establishment of a shared secret that remains secure as long as one of the component key exchange mechanisms remains unbroken.</t>
        <t indent="0" pn="section-1.4-2">In addition to the primary cryptographic goal, there may be several additional goals in the context of TLS 1.3:</t>
        <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-1.4-3">
          <li pn="section-1.4-3.1">
            <t indent="0" pn="section-1.4-3.1.1">Backwards compatibility: Clients and servers who are "hybrid-aware", i.e., compliant with whatever hybrid key exchange standard is developed for TLS, should remain compatible with endpoints and middleboxes that are not hybrid-aware.  The three scenarios to consider are:
            </t>
            <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-1.4-3.1.2"><li pn="section-1.4-3.1.2.1" derivedCounter="1.">
                <t indent="0" pn="section-1.4-3.1.2.1.1">Hybrid-aware client, hybrid-aware server: These parties should establish a hybrid shared secret.</t>
              </li>
              <li pn="section-1.4-3.1.2.2" derivedCounter="2.">
                <t indent="0" pn="section-1.4-3.1.2.2.1">Hybrid-aware client, non-hybrid-aware server:  These parties should establish a non-hybrid shared secret (assuming the hybrid-aware client is willing to downgrade to non-hybrid-only).</t>
              </li>
              <li pn="section-1.4-3.1.2.3" derivedCounter="3.">
                <t indent="0" pn="section-1.4-3.1.2.3.1">Non-hybrid-aware client, hybrid-aware server:  These parties should establish a non-hybrid shared secret (assuming the hybrid-aware server is willing to downgrade to non-hybrid-only).</t>
              </li>
            </ol>
            <t indent="0" pn="section-1.4-3.1.3">
Ideally, backwards compatibility should be achieved without extra round trips and without sending duplicate information; see below.</t>
          </li>
          <li pn="section-1.4-3.2">
            <t indent="0" pn="section-1.4-3.2.1">High performance: Use of hybrid key exchange should not be prohibitively expensive in terms of computational performance.  In general, this will depend on the performance characteristics of the specific cryptographic algorithms used and, as such, is outside the scope of this document.  See <xref target="PST" format="default" sectionFormat="of" derivedContent="PST"/> for preliminary results about performance characteristics.</t>
          </li>
          <li pn="section-1.4-3.3">
            <t indent="0" pn="section-1.4-3.3.1">Low latency: Use of hybrid key exchange should not substantially increase the latency experienced to establish a connection.  Factors affecting this may include the following:
            </t>
            <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-1.4-3.3.2">
              <li pn="section-1.4-3.3.2.1">
                <t indent="0" pn="section-1.4-3.3.2.1.1">The computational performance characteristics of the specific algorithms used.  See above.</t>
              </li>
              <li pn="section-1.4-3.3.2.2">
                <t indent="0" pn="section-1.4-3.3.2.2.1">The size of messages to be transmitted.  Public key and ciphertext sizes for post-quantum algorithms range from hundreds of bytes to over one hundred kilobytes, so this impact can be substantial.  See <xref target="PST" format="default" sectionFormat="of" derivedContent="PST"/> for preliminary results in a laboratory setting and <xref target="LANGLEY" format="default" sectionFormat="of" derivedContent="LANGLEY"/> for preliminary results on more realistic networks.</t>
              </li>
              <li pn="section-1.4-3.3.2.3">
                <t indent="0" pn="section-1.4-3.3.2.3.1">Additional round trips added to the protocol.  See below.</t>
              </li>
            </ul>
          </li>
          <li pn="section-1.4-3.4">
            <t indent="0" pn="section-1.4-3.4.1">No extra round trips: Attempting to negotiate hybrid key exchange should not lead to extra round trips in any of the three hybrid-aware/non-hybrid-aware scenarios listed above.</t>
          </li>
          <li pn="section-1.4-3.5">
            <t indent="0" pn="section-1.4-3.5.1">Minimal duplicate information: Attempting to negotiate hybrid key exchange should not mean having to send multiple public keys of the same type.</t>
          </li>
        </ul>
        <t indent="0" pn="section-1.4-4">The tolerance for lower performance and increased latency due to use of hybrid key exchange will depend on the context and use case of the systems and the network involved.</t>
      </section>
    </section>
    <section anchor="kems" numbered="true" removeInRFC="false" toc="include" pn="section-2">
      <name slugifiedName="name-key-encapsulation-mechanism">Key Encapsulation Mechanisms</name>
      <t indent="0" pn="section-2-1">This document models key agreement as key encapsulation mechanisms (KEMs), which consist of three algorithms:</t>
      <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2-2">
        <li pn="section-2-2.1">
          <t indent="0" pn="section-2-2.1.1"><tt>KeyGen() -&gt; (pk, sk)</tt>: A probabilistic key generation algorithm, which generates a public key <tt>pk</tt> and a secret key <tt>sk</tt>.</t>
        </li>
        <li pn="section-2-2.2">
          <t indent="0" pn="section-2-2.2.1"><tt>Encaps(pk) -&gt; (ct, ss)</tt>: A probabilistic encapsulation algorithm, which takes as input a public key <tt>pk</tt> and outputs a ciphertext <tt>ct</tt> and shared secret <tt>ss</tt>.</t>
        </li>
        <li pn="section-2-2.3">
          <t indent="0" pn="section-2-2.3.1"><tt>Decaps(sk, ct) -&gt; ss</tt>: A decapsulation algorithm, which takes as input a secret key <tt>sk</tt> and ciphertext <tt>ct</tt> and outputs a shared secret <tt>ss</tt> or, in some cases, a distinguished error value.</t>
        </li>
      </ul>
      <t indent="0" pn="section-2-3">The main security property for KEMs is indistinguishability under adaptive chosen ciphertext attack (IND-CCA2), which means that shared secret values should be indistinguishable from random strings even given the ability to have other arbitrary ciphertexts decapsulated.  IND-CCA2 corresponds to security against an active attacker, and the public key and secret key pair can be treated as a long-term key or reused. A common design pattern for obtaining security under key reuse is to apply the Fujisaki-Okamoto (FO) transform <xref target="FO" format="default" sectionFormat="of" derivedContent="FO"/> or a variant thereof <xref target="HHK" format="default" sectionFormat="of" derivedContent="HHK"/>.</t>
      <t indent="0" pn="section-2-4">A weaker security notion is indistinguishability under chosen
      plaintext attack (IND-CPA), which means that the shared secret values should be indistinguishable from random strings given a copy of the public key.  IND-CPA roughly corresponds to security against a passive attacker and sometimes corresponds to one-time key exchange.</t>
      <t indent="0" pn="section-2-5">See <xref target="KATZ" format="default" sectionFormat="of" derivedContent="KATZ"/> or <xref target="HHK" format="default" sectionFormat="of" derivedContent="HHK"/> for definitions of IND-CCA2 and IND-CPA security.</t>
      <t indent="0" pn="section-2-6">Key exchange in TLS 1.3 is phrased in terms of Diffie-Hellman key exchange in a group.  DH key exchange can be modeled as a KEM, with (1) <tt>KeyGen</tt> corresponding to selecting an exponent <tt>x</tt> as the secret key and computing the public key <tt>g^x</tt>, (2) encapsulation corresponding to selecting an exponent <tt>y</tt> and computing the ciphertext <tt>g^y</tt> and the shared secret <tt>g^(xy)</tt>, and (3) decapsulation corresponding to computing the shared secret <tt>g^(xy)</tt>. See <xref target="RFC9180" format="default" sectionFormat="of" derivedContent="HPKE"/> for more details of such Diffie-Hellman-based key encapsulation mechanisms. Diffie-Hellman key exchange, when viewed as a KEM, does not formally satisfy IND-CCA2 security but is still safe to use for ephemeral key exchange in TLS 1.3; see, for example, <xref target="DOWLING" format="default" sectionFormat="of" derivedContent="DOWLING"/>.</t>
      <t indent="0" pn="section-2-7">TLS 1.3 does not require that ephemeral public keys be used only in a single key exchange session; some implementations may reuse them, at the cost of limited forward secrecy.  As a result, any KEM used in the manner described in this document <bcp14>MUST</bcp14> explicitly be designed to be secure in the event that the public key is reused.  Finite field and elliptic curve Diffie-Hellman key exchange methods used in TLS 1.3 satisfy this criteria.  For generic KEMs, this means satisfying IND-CCA2 security or having a transform like the Fujisaki-Okamoto transform <xref target="FO" format="default" sectionFormat="of" derivedContent="FO"/> <xref target="HHK" format="default" sectionFormat="of" derivedContent="HHK"/> applied.  While it is recommended that implementations avoid reuse of KEM public keys, implementations that do reuse KEM public keys <bcp14>MUST</bcp14> ensure that the number of reuses of a KEM public key abides by any bounds in the specification of the KEM or subsequent security analyses.  Implementations <bcp14>MUST NOT</bcp14> reuse randomness in the generation of KEM ciphertexts.</t>
    </section>
    <section anchor="construction" numbered="true" removeInRFC="false" toc="include" pn="section-3">
      <name slugifiedName="name-construction-for-hybrid-key">Construction for Hybrid Key Exchange</name>
      <section anchor="construction-negotiation" numbered="true" removeInRFC="false" toc="include" pn="section-3.1">
        <name slugifiedName="name-negotiation">Negotiation</name>
        <t indent="0" pn="section-3.1-1">Each particular combination of algorithms in a hybrid key exchange will be represented as a <tt>NamedGroup</tt> and sent in the <tt>supported_groups</tt> extension.  No internal structure or grammar is implied or required in the value of the identifier; they are simply opaque identifiers.</t>
        <t indent="0" pn="section-3.1-2">Each value representing a hybrid key exchange will correspond to an ordered pair of two or more algorithms.  (Note that this is independent from future documents standardizing solely post-quantum key exchange methods, which would have to be assigned their own identifier.)</t>
      </section>
      <section anchor="construction-transmitting" numbered="true" removeInRFC="false" toc="include" pn="section-3.2">
        <name slugifiedName="name-transmitting-public-keys-an">Transmitting Public Keys and Ciphertexts</name>
        <t indent="0" pn="section-3.2-1">This document takes the relatively simple "concatenation approach": The messages from the two or more algorithms being hybridized will be concatenated together and transmitted as a single value to avoid having to change existing data structures.  The values are directly concatenated, without any additional encoding or length fields; the representation and length of elements <bcp14>MUST</bcp14> be fixed once the algorithm is fixed.</t>
        <t indent="0" pn="section-3.2-2">Recall that, in TLS 1.3 (<xref target="RFC9846" sectionFormat="comma" section="4.2.8" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9846#section-4.2.8" derivedContent="TLS13"/>), a KEM public key or KEM ciphertext is represented as a <tt>KeyShareEntry</tt>:</t>
        <sourcecode type="tls-presentation" markers="false" pn="section-3.2-3">
    struct {
        NamedGroup group;
        opaque key_exchange&lt;1..2^16-1&gt;;
    } KeyShareEntry;</sourcecode>
        <t indent="0" pn="section-3.2-4">These are transmitted in the <tt>extension_data</tt> fields of <tt>KeyShareClientHello</tt> and <tt>KeyShareServerHello</tt> extensions:</t>
        <sourcecode type="tls-presentation" markers="false" pn="section-3.2-5">
    struct {
        KeyShareEntry client_shares&lt;0..2^16-1&gt;;
    } KeyShareClientHello;

    struct {
        KeyShareEntry server_share;
    } KeyShareServerHello;</sourcecode>
        <t indent="0" pn="section-3.2-6">The client's shares are listed in descending order of client preference; the server selects one algorithm and sends its corresponding share.</t>
        <t indent="0" pn="section-3.2-7">For a hybrid key exchange, the <tt>key_exchange</tt> field of a <tt>KeyShareEntry</tt> is the concatenation of the <tt>key_exchange</tt> field for each of the constituent algorithms.  The order of shares in the concatenation <bcp14>MUST</bcp14> be the same as the order of algorithms indicated in the definition of the <tt>NamedGroup</tt>.</t>
        <t indent="0" pn="section-3.2-8">For the client's share, the <tt>key_exchange</tt> value contains the concatenation of the <tt>pk</tt> outputs of the corresponding KEMs' <tt>KeyGen</tt> algorithms if that algorithm corresponds to a KEM or the (EC)DH ephemeral key share if that algorithm corresponds to an (EC)DH group.  For the server's share, the <tt>key_exchange</tt> value contains the concatenation of the <tt>ct</tt> outputs of the corresponding KEMs' <tt>Encaps</tt> algorithms if that algorithm corresponds to a KEM or the (EC)DH ephemeral key share if that algorithm corresponds to an (EC)DH group.</t>
        <t indent="0" pn="section-3.2-9"><xref target="RFC9846" section="4.2.8" format="default" sectionFormat="of" derivedLink="https://rfc-editor.org/rfc/rfc9846#section-4.2.8" derivedContent="TLS13"/> requires that "The key_exchange values for each KeyShareEntry <bcp14>MUST</bcp14> be generated independently."  In the context of this document, the same algorithm may appear in multiple named groups; thus, this document relaxes the above requirement to allow the same key_exchange value for the same algorithm to be reused in multiple KeyShareEntry records sent within the same <tt>ClientHello</tt>.  However, key_exchange values for different algorithms <bcp14>MUST</bcp14> be generated independently. Explicitly, if the <tt>NamedGroup</tt> is the hybrid key exchange <tt>MyECDHMyPQKEM</tt>, the <tt>KeyShareEntry.key_exchange</tt> values <bcp14>MUST</bcp14> be generated in one of the following two ways:</t>
        <t indent="0" pn="section-3.2-10">Fully independently:</t>
        <sourcecode type="pseudocode" markers="false" pn="section-3.2-11">
MyECDHMyPQKEM.KeyGen() = (MyECDH.KeyGen(), MyPQKEM.KeyGen())

KeyShareClientHello {
    KeyShareEntry {
        NamedGroup: 'MyECDH',
        key_exchange: MyECDH.KeyGen()
    },
    KeyShareEntry {
        NamedGroup: 'MyPQKEM',
        key_exchange: MyPQKEM.KeyGen()
    },
    KeyShareEntry {
        NamedGroup: 'MyECDHMyPQKEM',
        key_exchange: MyECDHMyPQKEM.KeyGen()
    },
}</sourcecode>
        <t indent="0" pn="section-3.2-12">Reusing key_exchange values of the same component algorithm within the same <tt>ClientHello</tt>:</t>
        <sourcecode type="pseudocode" markers="false" pn="section-3.2-13">
myecdh_key_share = MyECDH.KeyGen()
mypqkem_key_share = MyPQKEM.KeyGen()
myecdh_mypqkem_key_share = (myecdh_key_share, mypqkem_key_share)

KeyShareClientHello {
    KeyShareEntry {
        NamedGroup: 'MyECDH',
        key_exchange: myecdh_key_share
    },
    KeyShareEntry {
        NamedGroup: 'MyPQKEM',
        key_exchange: mypqkem_key_share
    },
    KeyShareEntry {
        NamedGroup: 'MyECDHMyPQKEM',
        key_exchange: myecdh_mypqkem_key_share
    },
}</sourcecode>
      </section>
      <section anchor="construction-shared-secret" numbered="true" removeInRFC="false" toc="include" pn="section-3.3">
        <name slugifiedName="name-shared-secret-calculation">Shared Secret Calculation</name>
        <t indent="0" pn="section-3.3-1">This document also takes a simple "concatenation approach" for the calculation of shared secrets: The two shared secrets are concatenated together and used as the shared secret in the existing TLS 1.3 key schedule.  Again, this document does not add any additional structure (length fields) in the concatenation procedure; for both the traditional groups and post-quantum KEMs, the shared secret output length is fixed for a specific elliptic curve or parameter set.</t>
        <t indent="0" pn="section-3.3-2">In other words, if the <tt>NamedGroup</tt> is <tt>MyECDHMyPQKEM</tt>, the shared secret is calculated as:</t>
        <artwork align="left" pn="section-3.3-3">
concatenated_shared_secret = MyECDH.shared_secret
                             || MyPQKEM.shared_secret
</artwork>
        <t indent="0" pn="section-3.3-4">and inserted into the TLS 1.3 key schedule in place of the (EC)DHE shared secret, as shown in <xref target="fig-key-schedule" format="default" sectionFormat="of" derivedContent="Figure 1"/>.</t>
        <figure anchor="fig-key-schedule" align="left" suppress-title="false" pn="figure-1">
          <name slugifiedName="name-key-schedule-for-hybrid-key">Key Schedule for Hybrid Key Exchange</name>
          <artwork align="left" pn="section-3.3-5.1">
                                    0
                                    |
                                    v
                      PSK -&gt;  HKDF-Extract = Early Secret
                                    |
                                    +-----&gt; Derive-Secret(...)
                                    +-----&gt; Derive-Secret(...)
                                    +-----&gt; Derive-Secret(...)
                                    |
                                    v
                              Derive-Secret(., "derived", "")
                                    |
                                    v
concatenated_shared_secret -&gt; HKDF-Extract = Handshake Secret
^^^^^^^^^^^^^^^^^^^^^^^^^^          |
                                    +-----&gt; Derive-Secret(...)
                                    +-----&gt; Derive-Secret(...)
                                    |
                                    v
                              Derive-Secret(., "derived", "")
                                    |
                                    v
                         0 -&gt; HKDF-Extract = Main Secret
                                    |
                                    +-----&gt; Derive-Secret(...)
                                    +-----&gt; Derive-Secret(...)
                                    +-----&gt; Derive-Secret(...)
                                    +-----&gt; Derive-Secret(...)</artwork>
        </figure>
        <t indent="0" pn="section-3.3-6">In regard to FIPS compliance,
the US National Institute of Standards and Technology (NIST) documents <xref target="NIST-SP-800-56C" format="default" sectionFormat="of" derivedContent="NIST-SP-800-56C"/> and <xref target="NIST-SP-800-135" format="default" sectionFormat="of" derivedContent="NIST-SP-800-135"/> give recommendations for key derivation methods in key exchange protocols.  Some hybrid combinations may combine the shared secret from a NIST-approved algorithm (e.g., ECDH using the nistp256/secp256r1 curve) with a shared secret from an unapproved algorithm (e.g., post-quantum).  <xref target="NIST-SP-800-56C" format="default" sectionFormat="of" derivedContent="NIST-SP-800-56C"/> lists simple concatenation as an approved method for generation of a hybrid shared secret in which one of the constituent shared secrets is from an approved method.</t>
      </section>
    </section>
    <section anchor="discussion" numbered="true" removeInRFC="false" toc="include" pn="section-4">
      <name slugifiedName="name-discussion">Discussion</name>
      <dl newline="true" indent="3" spacing="normal" pn="section-4-1">
        <dt pn="section-4-1.1">Larger public keys and/or ciphertexts:</dt>
        <dd pn="section-4-1.2">The <tt>key_exchange</tt> field in the <tt>KeyShareEntry</tt> struct in <xref target="construction-transmitting" format="default" sectionFormat="of" derivedContent="Section 3.2"/> limits public keys and ciphertexts to 2<sup>16</sup>-1 bytes.  Some post-quantum KEMs have larger public keys and/or ciphertexts; for example, Classic McEliece's smallest parameter set has a public key size of 261,120 bytes <xref target="I-D.josefsson-mceliece" format="default" sectionFormat="of" derivedContent="Classic-McEliece"/>.  However, all defined parameter sets for the Module-Lattice-Based Key
Encapsulation Mechanism (ML-KEM) <xref target="NIST-FIPS-203" format="default" sectionFormat="of" derivedContent="NIST-FIPS-203"/> have public keys and ciphertexts that fall within the TLS constraints (although this may result in ClientHello messages larger than a single packet).</dd>
        <dt pn="section-4-1.3">Duplication of key shares:</dt>
        <dd pn="section-4-1.4">Concatenation of public keys in the <tt>key_exchange</tt> field in the <tt>KeyShareEntry</tt> struct as described in <xref target="construction-transmitting" format="default" sectionFormat="of" derivedContent="Section 3.2"/> can result in sending duplicate key shares.  For example, if a client wants to offer support for two combinations, say "SecP256r1MLKEM768" and "X25519MLKEM768" <xref target="I-D.ietf-tls-ecdhe-mlkem" format="default" sectionFormat="of" derivedContent="ECDHE-MLKEM"/>, it would end up sending two ML-KEM-768 public keys, since the <tt>KeyShareEntry</tt> for each combination contains its own copy of an ML-KEM-768 key.  This duplication may be more problematic for post-quantum algorithms that have larger public keys.  On the other hand, if the client wants to offer, for example, "SecP256r1MLKEM768" and "secp256r1" (for backwards compatibility), there is relatively little duplicated data (as the secp256r1 keys are comparatively small).</dd>
      </dl>
    </section>
    <section anchor="iana-considerations" numbered="true" removeInRFC="false" toc="include" pn="section-5">
      <name slugifiedName="name-iana-considerations">IANA Considerations</name>
      <t indent="0" pn="section-5-1">IANA has added this document as a reference for the "TLS Supported Groups" registry <xref target="IANA-TLS" format="default" sectionFormat="of" derivedContent="IANA-TLS"/>.</t>
      <t indent="0" pn="section-5-2">For hybrid combinations defined per this document, IANA will
assign identifiers in a range that is distinct from the Finite Field Groups
range.  In addition, the "Recommended" column
<bcp14>SHOULD</bcp14> be "N", and the "DTLS-OK" column <bcp14>SHOULD</bcp14>
be "Y".</t>
    </section>
    <section anchor="security-considerations" numbered="true" removeInRFC="false" toc="include" pn="section-6">
      <name slugifiedName="name-security-considerations">Security Considerations</name>
      <t indent="0" pn="section-6-1">The shared secrets computed in the hybrid key exchange should be computed in a way that achieves the "hybrid" property: The resulting secret is secure as long as at least one of the component key exchange algorithms is unbroken.  See <xref target="GIACON" format="default" sectionFormat="of" derivedContent="GIACON"/> and <xref target="BINDEL" format="default" sectionFormat="of" derivedContent="BINDEL"/> for an investigation of these issues.  Under the assumption that shared secrets are fixed length once the combination is fixed, the construction in <xref target="construction-shared-secret" format="default" sectionFormat="of" derivedContent="Section 3.3"/> corresponds to the dual-PRF combiner of <xref target="BINDEL" format="default" sectionFormat="of" derivedContent="BINDEL"/>, which is shown to preserve security under the assumption that the hash function is a dual-PRF.</t>
      <t indent="0" pn="section-6-2">As noted in <xref target="kems" format="default" sectionFormat="of" derivedContent="Section 2"/>, KEMs used in the manner described in this document <bcp14>MUST</bcp14> explicitly be designed to be secure in the event that the public key is reused, such as achieving IND-CCA2 security or having a transform like the Fujisaki-Okamoto transform applied.  ML-KEM has such security properties.  However, some other post-quantum KEMs designed to be IND-CPA-secure (i.e., without countermeasures such as the FO transform) are completely insecure under public key reuse; for example, some lattice-based IND-CPA-secure KEMs are vulnerable to attacks that recover the private key after just a few thousand samples <xref target="FLUHRER" format="default" sectionFormat="of" derivedContent="FLUHRER"/>.</t>
      <t indent="0" pn="section-6-3"><strong>Public keys, ciphertexts, and secrets should be constant length.</strong>
This document assumes that the length of each public key, ciphertext, and shared secret is fixed once the algorithm is fixed.  This is the case for ML-KEM.</t>
      <t indent="0" pn="section-6-4">Note that variable-length secrets are, generally speaking, dangerous.  In particular, when using key material of variable length and processing it using hash functions, a timing side channel may arise.  In broad terms, when the secret is longer, the hash function may need to process more blocks internally.  In some unfortunate circumstances, this has led to timing attacks, e.g., the Lucky Thirteen <xref target="LUCKY13" format="default" sectionFormat="of" derivedContent="LUCKY13"/> and Raccoon <xref target="RACCOON" format="default" sectionFormat="of" derivedContent="RACCOON"/> attacks.</t>
      <t indent="0" pn="section-6-5">Furthermore, <xref target="AVIRAM" format="default" sectionFormat="of" derivedContent="AVIRAM"/> identifies a risk of using variable-length secrets when the hash function used in the key derivation function is no longer collision-resistant.</t>
      <t indent="0" pn="section-6-6">If concatenation were to be used with values that are not fixed-length, a length prefix or other unambiguous encoding would need to be used to ensure that the composition of the two values is injective and requires a mechanism different from that specified in this document.</t>
      <t indent="0" pn="section-6-7">Therefore, this specification <bcp14>MUST</bcp14> only be used with algorithms that have fixed-length shared secrets (after the variant has been fixed by the algorithm identifier in the <tt>NamedGroup</tt> negotiation in <xref target="construction-negotiation" format="default" sectionFormat="of" derivedContent="Section 3.1"/>).</t>
    </section>
  </middle>
  <back>
    <displayreference target="RFC9794" to="PQUIP-TERM"/>
    <displayreference target="I-D.campagna-tls-bike-sike-hybrid" to="CAMPAGNA"/>
    <displayreference target="RFC8784" to="IKE-PSK"/>
    <displayreference target="I-D.schanck-tls-additional-keyshare" to="SCHANCK"/>
    <displayreference target="I-D.whyte-qsh-tls13" to="WHYTE13"/>
    <displayreference target="I-D.ietf-tls-ecdhe-mlkem" to="ECDHE-MLKEM"/>
    <displayreference target="I-D.kiefer-tls-ecdhe-sidh" to="KIEFER"/>
    <displayreference target="I-D.whyte-qsh-tls12" to="WHYTE12"/>
    <displayreference target="RFC8773" to="EXTERN-PSK"/>
    <displayreference target="RFC9180" to="HPKE"/>
    <displayreference target="RFC8391" to="XMSS"/>
    <displayreference target="RFC9846" to="TLS13"/>
    <displayreference target="I-D.josefsson-mceliece" to="Classic-McEliece"/>
    <references anchor="sec-combined-references" pn="section-7">
      <name slugifiedName="name-references">References</name>
      <references anchor="sec-normative-references" pn="section-7.1">
        <name slugifiedName="name-normative-references">Normative References</name>
        <reference anchor="FO" quoteTitle="true" target="https://doi.org/10.1007/s00145-011-9114-1" derivedAnchor="FO">
          <front>
            <title>Secure Integration of Asymmetric and Symmetric Encryption Schemes</title>
            <author fullname="Eiichiro Fujisaki" initials="E." surname="Fujisaki">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Tatsuaki Okamoto" initials="T." surname="Okamoto">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="December" year="2011"/>
          </front>
          <refcontent>Journal of Cryptology, vol. 26, no. 1, pp. 80-101</refcontent>
          <seriesInfo name="DOI" value="10.1007/s00145-011-9114-1"/>
        </reference>
        <reference anchor="HHK" quoteTitle="true" target="https://doi.org/10.1007/978-3-319-70500-2_12" derivedAnchor="HHK">
          <front>
            <title>A Modular Analysis of the Fujisaki-Okamoto Transformation</title>
            <author fullname="Dennis Hofheinz" initials="D." surname="Hofheinz">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Kathrin Hövelmanns" initials="K." surname="Hövelmanns">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Eike Kiltz" initials="E." surname="Kiltz">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2017"/>
          </front>
          <refcontent>Theory of Cryptography (TCC 2017), Lecture Notes in Computer Science, vol. 10677, pp. 341-371</refcontent>
          <seriesInfo name="DOI" value="10.1007/978-3-319-70500-2_12"/>
        </reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t indent="0">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t indent="0">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9846" target="https://www.rfc-editor.org/info/rfc9846" quoteTitle="true" derivedAnchor="TLS13">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="July" year="2026"/>
            <abstract>
              <t indent="0">This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t indent="0">This document obsoletes RFC 8446, which specified TLS 1.3. This document obsoletes RFC 5246 (specifying TLS 1.2) and RFCs 5077, 6961, 7627, and 8422, all of which pertain to TLS 1.2 or earlier, and updates RFCs 5705 and 6066. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9846"/>
          <seriesInfo name="DOI" value="10.17487/RFC9846"/>
        </reference>
      </references>
      <references anchor="sec-informative-references" pn="section-7.2">
        <name slugifiedName="name-informative-references">Informative References</name>
        <reference anchor="AVIRAM" target="https://mailarchive.ietf.org/arch/msg/tls/F4SVeL2xbGPaPB2GW_GkBbD_a5M/" quoteTitle="true" derivedAnchor="AVIRAM">
          <front>
            <title>[TLS] Combining Secrets in Hybrid Key Exchange in TLS 1.3</title>
            <author initials="" surname="Nimrod Aviram">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="" surname="Benjamin Dowling">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="" surname="Ilan Komargodski">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="" surname="Kenny Paterson">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="" surname="Eyal Ronen">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="" surname="Eylon Yogev">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2021" month="September" day="01"/>
          </front>
        </reference>
        <reference anchor="BCNS15" quoteTitle="true" target="https://doi.org/10.1109/sp.2015.40" derivedAnchor="BCNS15">
          <front>
            <title>Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem</title>
            <author fullname="Joppe W. Bos" initials="J." surname="Bos">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Craig Costello" initials="C." surname="Costello">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Michael Naehrig" initials="M." surname="Naehrig">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="May" year="2015"/>
          </front>
          <refcontent>2015 IEEE Symposium on Security and Privacy, pp. 553-570</refcontent>
          <seriesInfo name="DOI" value="10.1109/sp.2015.40"/>
        </reference>
        <reference anchor="BERNSTEIN" quoteTitle="true" target="https://doi.org/10.1007/978-3-540-88702-7" derivedAnchor="BERNSTEIN">
          <front>
            <title>Post-Quantum Cryptography</title>
            <author fullname="Daniel J. Bernstein" role="editor"/>
            <author fullname="Johannes Buchmann" role="editor"/>
            <author fullname="Erik Dahmen" role="editor"/>
            <date year="2009"/>
          </front>
          <seriesInfo name="DOI" value="10.1007/978-3-540-88702-7"/>
          <refcontent>Springer Berlin</refcontent>
        </reference>
        <reference anchor="BINDEL" quoteTitle="true" target="https://doi.org/10.1007/978-3-030-25510-7_12" derivedAnchor="BINDEL">
          <front>
            <title>Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange</title>
            <author fullname="Nina Bindel" initials="N." surname="Bindel">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Jacqueline Brendel" initials="J." surname="Brendel">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Marc Fischlin" initials="M." surname="Fischlin">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Brian Goncalves" initials="B." surname="Goncalves">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2019"/>
          </front>
          <refcontent>Post-Quantum Cryptography (PQCrypto 2019), Lecture Notes in Computer Science, vol. 11505, pp. 206-226</refcontent>
          <seriesInfo name="DOI" value="10.1007/978-3-030-25510-7_12"/>
        </reference>
        <reference anchor="I-D.campagna-tls-bike-sike-hybrid" target="https://datatracker.ietf.org/doc/html/draft-campagna-tls-bike-sike-hybrid-07" quoteTitle="true" derivedAnchor="CAMPAGNA">
          <front>
            <title>Hybrid Post-Quantum Key Encapsulation Methods (PQ KEM) for Transport Layer Security 1.2 (TLS)</title>
            <author fullname="Matt Campagna" initials="M." surname="Campagna">
              <organization showOnFrontPage="true">AWS</organization>
            </author>
            <author fullname="Eric Crockett" initials="E." surname="Crockett">
              <organization showOnFrontPage="true">AWS</organization>
            </author>
            <date day="2" month="September" year="2021"/>
            <abstract>
              <t indent="0">Hybrid key exchange refers to executing two independent key exchanges and feeding the two resulting shared secrets into a Pseudo Random Function (PRF), with the goal of deriving a secret which is as secure as the stronger of the two key exchanges. This document describes new hybrid key exchange schemes for the Transport Layer Security 1.2 (TLS) protocol. The key exchange schemes are based on combining Elliptic Curve Diffie-Hellman (ECDH) with a post-quantum key encapsulation method (PQ KEM) using the existing TLS PRF.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-campagna-tls-bike-sike-hybrid-07"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="CECPQ1" target="https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html" quoteTitle="true" derivedAnchor="CECPQ1">
          <front>
            <title>Experimenting with Post-Quantum Cryptography</title>
            <author initials="M." surname="Braithwaite">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2016" month="July" day="07"/>
          </front>
          <refcontent>Google Security Blog</refcontent>
        </reference>
        <reference anchor="CECPQ2" target="https://www.imperialviolet.org/2018/12/12/cecpq2.html" quoteTitle="true" derivedAnchor="CECPQ2">
          <front>
            <title>CECPQ2</title>
            <author initials="A." surname="Langley">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2018" month="December" day="12"/>
          </front>
        </reference>
        <reference anchor="I-D.josefsson-mceliece" target="https://datatracker.ietf.org/doc/html/draft-josefsson-mceliece-05" quoteTitle="true" derivedAnchor="Classic-McEliece">
          <front>
            <title>Classic McEliece</title>
            <author fullname="Simon Josefsson" initials="S." surname="Josefsson"/>
            <date day="23" month="June" year="2026"/>
            <abstract>
              <t indent="0">This document specifies Classic McEliece, a Key Encapsulation Method (KEM) designed for IND-CCA2 security, even against quantum computers. This is a transcribed version of the proposed ISO Classic McEliece draft, which ISO standardized in June 2026. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-josefsson-mceliece/. Source for this draft and an issue tracker can be found at https://gitlab.com/jas/ietf-mceliece.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-josefsson-mceliece-05"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="DODIS" quoteTitle="true" target="https://doi.org/10.1007/978-3-540-30576-7_11" derivedAnchor="DODIS">
          <front>
            <title>Chosen-Ciphertext Security of Multiple Encryption</title>
            <author fullname="Yevgeniy Dodis" initials="Y." surname="Dodis">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Jonathan Katz" initials="J." surname="Katz">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2005"/>
          </front>
          <refcontent>Theory of Cryptography (TCC 2005), Lecture Notes in Computer Science, vol. 3378, pp. 188-209</refcontent>
          <seriesInfo name="DOI" value="10.1007/978-3-540-30576-7_11"/>
        </reference>
        <reference anchor="DOWLING" quoteTitle="true" target="https://doi.org/10.1007/s00145-021-09384-1" derivedAnchor="DOWLING">
          <front>
            <title>A Cryptographic Analysis of the TLS 1.3 Handshake Protocol</title>
            <author fullname="Benjamin Dowling" initials="B." surname="Dowling">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Marc Fischlin" initials="M." surname="Fischlin">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="July" year="2021"/>
          </front>
          <refcontent>Journal of Cryptology, vol. 34, article 37</refcontent>
          <seriesInfo name="DOI" value="10.1007/s00145-021-09384-1"/>
        </reference>
        <reference anchor="I-D.ietf-tls-ecdhe-mlkem" target="https://datatracker.ietf.org/doc/html/draft-ietf-tls-ecdhe-mlkem-05" quoteTitle="true" derivedAnchor="ECDHE-MLKEM">
          <front>
            <title>Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3</title>
            <author fullname="Kris Kwiatkowski" initials="K." surname="Kwiatkowski">
              <organization showOnFrontPage="true">PQShield</organization>
            </author>
            <author fullname="Panos Kampanakis" initials="P." surname="Kampanakis">
              <organization showOnFrontPage="true">AWS</organization>
            </author>
            <author fullname="Bas Westerbaan" initials="B." surname="Westerbaan">
              <organization showOnFrontPage="true">Cloudflare</organization>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization showOnFrontPage="true">University of Waterloo</organization>
            </author>
            <date day="26" month="May" year="2026"/>
            <abstract>
              <t indent="0">This draft defines three hybrid key agreement mechanisms for TLS 1.3 - X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 - that combine the post-quantum ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) with an ECDHE (Elliptic Curve Diffie- Hellman) exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-ecdhe-mlkem-05"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="ETSI" target="https://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf" quoteTitle="true" derivedAnchor="ETSI">
          <front>
            <title>Quantum Safe Cryptography and Security: An introduction, benefits, enablers and challenges</title>
            <author>
              <organization showOnFrontPage="true">Campagna, M., Ed., et al.</organization>
            </author>
            <date year="2015" month="June"/>
          </front>
          <refcontent>ETSI White Paper No. 8</refcontent>
        </reference>
        <reference anchor="EVEN" quoteTitle="true" target="https://doi.org/10.1007/978-1-4684-4730-9_4" derivedAnchor="EVEN">
          <front>
            <title>On the Power of Cascade Ciphers</title>
            <author fullname="S. Even" initials="S." surname="Even">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="O. Goldreich" initials="O." surname="Goldreich">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="1984"/>
          </front>
          <refcontent>Advances in Cryptology, pp. 43-50</refcontent>
          <seriesInfo name="DOI" value="10.1007/978-1-4684-4730-9_4"/>
        </reference>
        <reference anchor="RFC8773" target="https://www.rfc-editor.org/info/rfc8773" quoteTitle="true" derivedAnchor="EXTERN-PSK">
          <front>
            <title>TLS 1.3 Extension for Certificate-Based Authentication with an External Pre-Shared Key</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <date month="March" year="2020"/>
            <abstract>
              <t indent="0">This document specifies a TLS 1.3 extension that allows a server to authenticate with a combination of a certificate and an external pre-shared key (PSK).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8773"/>
          <seriesInfo name="DOI" value="10.17487/RFC8773"/>
        </reference>
        <reference anchor="FLUHRER" target="https://eprint.iacr.org/2016/085" quoteTitle="true" derivedAnchor="FLUHRER">
          <front>
            <title>Cryptanalysis of ring-LWE based key exchange with key share reuse</title>
            <author initials="S." surname="Fluhrer">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2016"/>
          </front>
          <refcontent>Cryptology ePrint Archive, Paper 2016/085</refcontent>
        </reference>
        <reference anchor="FRODO" quoteTitle="true" target="https://doi.org/10.1145/2976749.2978425" derivedAnchor="FRODO">
          <front>
            <title>Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE</title>
            <author fullname="Joppe Bos" initials="J." surname="Bos">
              <organization showOnFrontPage="true">NXP Semiconductors, Eindhoven, Netherlands</organization>
            </author>
            <author fullname="Craig Costello" initials="C." surname="Costello">
              <organization showOnFrontPage="true">Microsoft Research, Redmond, WA, USA</organization>
            </author>
            <author fullname="Leo Ducas" initials="L." surname="Ducas">
              <organization showOnFrontPage="true">CWI, Amsterdam, Netherlands</organization>
            </author>
            <author fullname="Ilya Mironov" initials="I." surname="Mironov">
              <organization showOnFrontPage="true">Google, Mountain View, CA, USA</organization>
            </author>
            <author fullname="Michael Naehrig" initials="M." surname="Naehrig">
              <organization showOnFrontPage="true">Microsoft Research, Redmond, WA, USA</organization>
            </author>
            <author fullname="Valeria Nikolaenko" initials="V." surname="Nikolaenko">
              <organization showOnFrontPage="true">Stanford University, Stanford, CA, USA</organization>
            </author>
            <author fullname="Ananth Raghunathan" initials="A." surname="Raghunathan">
              <organization showOnFrontPage="true">Google, Mountain View, CA, USA</organization>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization showOnFrontPage="true">McMaster University, Hamilton, ON, Canada</organization>
            </author>
            <date month="October" year="2016"/>
          </front>
          <refcontent>Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1006-1018</refcontent>
          <seriesInfo name="DOI" value="10.1145/2976749.2978425"/>
        </reference>
        <reference anchor="GIACON" quoteTitle="true" target="https://doi.org/10.1007/978-3-319-76578-5_7" derivedAnchor="GIACON">
          <front>
            <title>KEM Combiners</title>
            <author fullname="Federico Giacon" initials="F." surname="Giacon">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Felix Heuer" initials="F." surname="Heuer">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Bertram Poettering" initials="B." surname="Poettering">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2018"/>
          </front>
          <refcontent>Public-Key Cryptography (PKC 2018), Lecture Notes in Computer Science, vol. 10769, pp. 190-218</refcontent>
          <seriesInfo name="DOI" value="10.1007/978-3-319-76578-5_7"/>
        </reference>
        <reference anchor="HARNIK" quoteTitle="true" target="https://doi.org/10.1007/11426639_6" derivedAnchor="HARNIK">
          <front>
            <title>On Robust Combiners for Oblivious Transfer and Other Primitives</title>
            <author fullname="Danny Harnik" initials="D." surname="Harnik">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Joe Kilian" initials="J." surname="Kilian">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Moni Naor" initials="M." surname="Naor">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Omer Reingold" initials="O." surname="Reingold">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Alon Rosen" initials="A." surname="Rosen">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2005"/>
          </front>
          <refcontent>Advances in Cryptology (EUROCRYPT 2005), Lecture Notes in Computer Science, vol. 3494, pp. 96-113</refcontent>
          <seriesInfo name="DOI" value="10.1007/11426639_6"/>
        </reference>
        <reference anchor="RFC9180" target="https://www.rfc-editor.org/info/rfc9180" quoteTitle="true" derivedAnchor="HPKE">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t indent="0">This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t indent="0">This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="IANA-TLS" target="https://www.iana.org/assignments/tls-parameters" quoteTitle="true" derivedAnchor="IANA-TLS">
          <front>
            <title>TLS Supported Groups</title>
            <author>
              <organization showOnFrontPage="true">IANA</organization>
            </author>
          </front>
        </reference>
        <reference anchor="RFC8784" target="https://www.rfc-editor.org/info/rfc8784" quoteTitle="true" derivedAnchor="IKE-PSK">
          <front>
            <title>Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security</title>
            <author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
            <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
            <date month="June" year="2020"/>
            <abstract>
              <t indent="0">The possibility of quantum computers poses a serious challenge to cryptographic algorithms deployed widely today. The Internet Key Exchange Protocol Version 2 (IKEv2) is one example of a cryptosystem that could be broken; someone storing VPN communications today could decrypt them at a later time when a quantum computer is available. It is anticipated that IKEv2 will be extended to support quantum-secure key exchange algorithms; however, that is not likely to happen in the near term. To address this problem before then, this document describes an extension of IKEv2 to allow it to be resistant to a quantum computer by using preshared keys.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8784"/>
          <seriesInfo name="DOI" value="10.17487/RFC8784"/>
        </reference>
        <reference anchor="KATZ" quoteTitle="true" derivedAnchor="KATZ">
          <front>
            <title>Introduction to Modern Cryptography</title>
            <author initials="J." surname="Katz">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="Y." surname="Lindell">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2021"/>
          </front>
          <refcontent>Third Edition</refcontent>
          <refcontent>CRC Press</refcontent>
        </reference>
        <reference anchor="I-D.kiefer-tls-ecdhe-sidh" target="https://datatracker.ietf.org/doc/html/draft-kiefer-tls-ecdhe-sidh-00" quoteTitle="true" derivedAnchor="KIEFER">
          <front>
            <title>Hybrid ECDHE-SIDH Key Exchange for TLS</title>
            <author fullname="Franziskus Kiefer" initials="F." surname="Kiefer">
              <organization showOnFrontPage="true">Mozilla</organization>
            </author>
            <author fullname="Kris Kwiatkowski" initials="K." surname="Kwiatkowski">
              <organization showOnFrontPage="true">Cloudflare</organization>
            </author>
            <date day="5" month="November" year="2018"/>
            <abstract>
              <t indent="0">This draft specifies a TLS key exchange that combines the post- quantum key exchange, Supersingular elliptic curve isogenie diffie- hellman (SIDH), with elliptic curve Diffie-Hellman (ECDHE) key exchange.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-kiefer-tls-ecdhe-sidh-00"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="LANGLEY" target="https://www.imperialviolet.org/2018/04/11/pqconftls.html" quoteTitle="true" derivedAnchor="LANGLEY">
          <front>
            <title>Post-quantum confidentiality for TLS</title>
            <author initials="A." surname="Langley">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2018" month="April" day="11"/>
          </front>
        </reference>
        <reference anchor="LUCKY13" quoteTitle="true" target="https://doi.org/10.1109/sp.2013.42" derivedAnchor="LUCKY13">
          <front>
            <title>Lucky Thirteen: Breaking the TLS and DTLS Record Protocols</title>
            <author fullname="N. J. Al Fardan" initials="N." surname="Al Fardan">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="K. G. Paterson" initials="K." surname="Paterson">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="May" year="2013"/>
          </front>
          <refcontent>2013 IEEE Symposium on Security and Privacy, pp. 526-540</refcontent>
          <seriesInfo name="DOI" value="10.1109/sp.2013.42"/>
        </reference>
        <reference anchor="NIELSEN" quoteTitle="true" derivedAnchor="NIELSEN">
          <front>
            <title>Quantum Computation and Quantum Information</title>
            <author initials="M. A." surname="Nielsen">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="I. L." surname="Chuang">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2000"/>
          </front>
          <refcontent>Cambridge University Press</refcontent>
        </reference>
        <reference anchor="NIST" target="https://www.nist.gov/pqcrypto" quoteTitle="true" derivedAnchor="NIST">
          <front>
            <title>Post-Quantum Cryptography</title>
            <author>
              <organization showOnFrontPage="true">NIST</organization>
            </author>
          </front>
        </reference>
        <reference anchor="NIST-FIPS-203" target="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf" quoteTitle="true" derivedAnchor="NIST-FIPS-203">
          <front>
            <title>Module-Lattice-Based Key-Encapsulation Mechanism Standard</title>
            <author>
              <organization abbrev="NIST" showOnFrontPage="true">National Institute of Standards and Technology</organization>
            </author>
            <date month="August" year="2024"/>
          </front>
          <seriesInfo name="NIST FIPS" value="203"/>
          <seriesInfo name="DOI" value="10.6028/NIST.FIPS.203"/>
        </reference>
        <reference anchor="NIST-SP-800-56C" quoteTitle="true" target="https://doi.org/10.6028/nist.sp.800-56cr2" derivedAnchor="NIST-SP-800-56C">
          <front>
            <title>Recommendation for Key-Derivation Methods in Key-Establishment Schemes</title>
            <author fullname="Elaine Barker" initials="E." surname="Barker">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Lily Chen" initials="L." surname="Chen">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Richard Davis" initials="R." surname="Davis">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="August" year="2020"/>
          </front>
          <seriesInfo name="NIST SP" value="800-56Cr2"/>
          <seriesInfo name="DOI" value="10.6028/nist.sp.800-56cr2"/>
        </reference>
        <reference anchor="NIST-SP-800-135" quoteTitle="true" target="https://doi.org/10.6028/nist.sp.800-135r1" derivedAnchor="NIST-SP-800-135">
          <front>
            <title>Recommendation for Existing Application-Specific Key Derivation Functions</title>
            <author fullname="Quynh Dang" initials="Q." surname="Dang">
              <organization showOnFrontPage="true"/>
            </author>
            <date month="December" year="2011"/>
          </front>
          <seriesInfo name="NIST SP" value="800-135r1"/>
          <seriesInfo name="DOI" value="10.6028/nist.sp.800-135r1"/>
        </reference>
        <reference anchor="OQS-102" target="https://github.com/open-quantum-safe/openssl/tree/OQS-OpenSSL_1_0_2-stable" quoteTitle="true" derivedAnchor="OQS-102">
          <front>
            <title>OQS-OpenSSL-1-0-2_stable</title>
            <author/>
            <date day="31" year="2020" month="January"/>
          </front>
          <refcontent>commit 537b2f9</refcontent>
        </reference>
        <reference anchor="OQS-111" target="https://github.com/open-quantum-safe/openssl/tree/OQS-OpenSSL_1_1_1-stable" quoteTitle="true" derivedAnchor="OQS-111">
          <front>
            <title>OQS-OpenSSL-1-1-1_stable</title>
            <author/>
            <date day="8" year="2025" month="January"/>
          </front>
          <refcontent>commit 5f49b7a</refcontent>
        </reference>
        <reference anchor="OQS-PROV" target="https://github.com/open-quantum-safe/oqs-provider/" quoteTitle="true" derivedAnchor="OQS-PROV">
          <front>
            <title>OQS Provider for OpenSSL 3</title>
            <author/>
            <date day="8" year="2026" month="January"/>
          </front>
          <refcontent>commit 573fb25</refcontent>
        </reference>
        <reference anchor="RFC9794" target="https://www.rfc-editor.org/info/rfc9794" quoteTitle="true" derivedAnchor="PQUIP-TERM">
          <front>
            <title>Terminology for Post-Quantum Traditional Hybrid Schemes</title>
            <author fullname="F. Driscoll" initials="F." surname="Driscoll"/>
            <author fullname="M. Parsons" initials="M." surname="Parsons"/>
            <author fullname="B. Hale" initials="B." surname="Hale"/>
            <date month="June" year="2025"/>
            <abstract>
              <t indent="0">One aspect of the transition to post-quantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both post-quantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9794"/>
          <seriesInfo name="DOI" value="10.17487/RFC9794"/>
        </reference>
        <reference anchor="PST" quoteTitle="true" target="https://doi.org/10.1007/978-3-030-44223-1_5" derivedAnchor="PST">
          <front>
            <title>Benchmarking Post-quantum Cryptography in TLS</title>
            <author fullname="Christian Paquin" initials="C." surname="Paquin">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Goutam Tamvada" initials="G." surname="Tamvada">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2020"/>
          </front>
          <refcontent>Post-Quantum Cryptography (PQCrypto 2020), Lecture Notes in Computer Science, vol. 12100, pp. 72-91</refcontent>
          <seriesInfo name="DOI" value="10.1007/978-3-030-44223-1_5"/>
        </reference>
        <reference anchor="RACCOON" target="https://raccoon-attack.com/" quoteTitle="true" derivedAnchor="RACCOON">
          <front>
            <title>Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)</title>
            <author initials="R." surname="Merget">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="M." surname="Brinkmann">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="N." surname="Aviram">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Somorovsky">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Mittmann">
              <organization showOnFrontPage="true"/>
            </author>
            <author initials="J." surname="Schwenk">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2020" month="September"/>
          </front>
        </reference>
        <reference anchor="RFC9370" target="https://www.rfc-editor.org/info/rfc9370" quoteTitle="true" derivedAnchor="RFC9370">
          <front>
            <title>Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2)</title>
            <author fullname="CJ. Tjhai" initials="CJ." surname="Tjhai"/>
            <author fullname="M. Tomlinson" initials="M." surname="Tomlinson"/>
            <author fullname="G. Bartlett" initials="G." surname="Bartlett"/>
            <author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
            <author fullname="D. Van Geest" initials="D." surname="Van Geest"/>
            <author fullname="O. Garcia-Morchon" initials="O." surname="Garcia-Morchon"/>
            <author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
            <date month="May" year="2023"/>
            <abstract>
              <t indent="0">This document describes how to extend the Internet Key Exchange Protocol Version 2 (IKEv2) to allow multiple key exchanges to take place while computing a shared secret during a Security Association (SA) setup.</t>
              <t indent="0">This document utilizes the IKE_INTERMEDIATE exchange, where multiple key exchanges are performed when an IKE SA is being established. It also introduces a new IKEv2 exchange, IKE_FOLLOWUP_KE, which is used for the same purpose when the IKE SA is being rekeyed or is creating additional Child SAs.</t>
              <t indent="0">This document updates RFC 7296 by renaming a Transform Type 4 from "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a field in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange Method". It also renames an IANA registry for this Transform Type from "Transform Type 4 - Diffie- Hellman Group Transform IDs" to "Transform Type 4 - Key Exchange Method Transform IDs". These changes generalize key exchange algorithms that can be used in IKEv2.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9370"/>
          <seriesInfo name="DOI" value="10.17487/RFC9370"/>
        </reference>
        <reference anchor="S2N" target="https://aws.amazon.com/blogs/security/post-quantum-tls-now-supported-in-aws-kms/" quoteTitle="true" derivedAnchor="S2N">
          <front>
            <title>Post-quantum TLS now supported in AWS KMS</title>
            <author fullname="Andrew Hopkins"/>
            <author fullname="Matthew Campagna"/>
            <date year="2019" month="November" day="04"/>
          </front>
          <refcontent>AWS Security Blog</refcontent>
        </reference>
        <reference anchor="I-D.schanck-tls-additional-keyshare" target="https://datatracker.ietf.org/doc/html/draft-schanck-tls-additional-keyshare-00" quoteTitle="true" derivedAnchor="SCHANCK">
          <front>
            <title>A Transport Layer Security (TLS) Extension For Establishing An Additional Shared Secret</title>
            <author fullname="John M. Schanck" initials="J. M." surname="Schanck">
              <organization showOnFrontPage="true">University of Waterloo</organization>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization showOnFrontPage="true">McMaster University</organization>
            </author>
            <date day="17" month="April" year="2017"/>
            <abstract>
              <t indent="0">This document defines a Transport Layer Security (TLS) extension that allows parties to establish an additional shared secret using a second key exchange algorithm and incorporates this shared secret into the TLS key schedule.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-schanck-tls-additional-keyshare-00"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="I-D.whyte-qsh-tls12" target="https://datatracker.ietf.org/doc/html/draft-whyte-qsh-tls12-02" quoteTitle="true" derivedAnchor="WHYTE12">
          <front>
            <title>Quantum-Safe Hybrid (QSH) Ciphersuite for Transport Layer Security (TLS) version 1.2</title>
            <author fullname="John M. Schanck" initials="J. M." surname="Schanck"/>
            <author fullname="William Whyte" initials="W." surname="Whyte">
              <organization showOnFrontPage="true">Security Innovation</organization>
            </author>
            <author fullname="Zhenfei Zhang" initials="Z." surname="Zhang">
              <organization showOnFrontPage="true">Security Innovation</organization>
            </author>
            <date day="22" month="July" year="2016"/>
            <abstract>
              <t indent="0">This document describes the Quantum-Safe Hybrid ciphersuite, a new cipher suite providing modular design for quantum-safe cryptography to be adopted in the handshake for the Transport Layer Security (TLS) protocol version 1.2. In particular, it specifies the use of the NTRUEncrypt encryption scheme in a TLS handshake.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-whyte-qsh-tls12-02"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="I-D.whyte-qsh-tls13" target="https://datatracker.ietf.org/doc/html/draft-whyte-qsh-tls13-06" quoteTitle="true" derivedAnchor="WHYTE13">
          <front>
            <title>Quantum-Safe Hybrid (QSH) Key Exchange for Transport Layer Security (TLS) version 1.3</title>
            <author fullname="William Whyte" initials="W." surname="Whyte">
              <organization showOnFrontPage="true">Onboard Security</organization>
            </author>
            <author fullname="Zhenfei Zhang" initials="Z." surname="Zhang">
              <organization showOnFrontPage="true">Onboard Security</organization>
            </author>
            <author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
              <organization showOnFrontPage="true">Cisco Systems</organization>
            </author>
            <author fullname="Oscar Garcia-Morchon" initials="O." surname="Garcia-Morchon">
              <organization showOnFrontPage="true">Philips</organization>
            </author>
            <date day="3" month="October" year="2017"/>
            <abstract>
              <t indent="0">This document describes the Quantum-Safe Hybrid Key Exchange, a mechanism for providing modular design for quantum-safe cryptography to be adopted in the handshake for the Transport Layer Security (TLS) protocol version 1.3.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-whyte-qsh-tls13-06"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="RFC8391" target="https://www.rfc-editor.org/info/rfc8391" quoteTitle="true" derivedAnchor="XMSS">
          <front>
            <title>XMSS: eXtended Merkle Signature Scheme</title>
            <author fullname="A. Huelsing" initials="A." surname="Huelsing"/>
            <author fullname="D. Butin" initials="D." surname="Butin"/>
            <author fullname="S. Gazdag" initials="S." surname="Gazdag"/>
            <author fullname="J. Rijneveld" initials="J." surname="Rijneveld"/>
            <author fullname="A. Mohaisen" initials="A." surname="Mohaisen"/>
            <date month="May" year="2018"/>
            <abstract>
              <t indent="0">This note describes the eXtended Merkle Signature Scheme (XMSS), a hash-based digital signature system that is based on existing descriptions in scientific literature. This note specifies Winternitz One-Time Signature Plus (WOTS+), a one-time signature scheme; XMSS, a single-tree scheme; and XMSS^MT, a multi-tree variant of XMSS. Both XMSS and XMSS^MT use WOTS+ as a main building block. XMSS provides cryptographic digital signatures without relying on the conjectured hardness of mathematical problems. Instead, it is proven that it only relies on the properties of cryptographic hash functions. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. It is suitable for compact implementations, is relatively simple to implement, and naturally resists side-channel attacks. Unlike most other signature systems, hash-based signatures can so far withstand known attacks using quantum computers.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8391"/>
          <seriesInfo name="DOI" value="10.17487/RFC8391"/>
        </reference>
        <reference anchor="ZHANG" quoteTitle="true" target="https://doi.org/10.1007/978-3-540-24632-9_26" derivedAnchor="ZHANG">
          <front>
            <title>On the Security of Multiple Encryption or CCA-security+CCA-security=CCA-security?</title>
            <author fullname="Rui Zhang" initials="R." surname="Zhang">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Goichiro Hanaoka" initials="G." surname="Hanaoka">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Junji Shikata" initials="J." surname="Shikata">
              <organization showOnFrontPage="true"/>
            </author>
            <author fullname="Hideki Imai" initials="H." surname="Imai">
              <organization showOnFrontPage="true"/>
            </author>
            <date year="2004"/>
          </front>
          <refcontent>Public Key Cryptography (PKC 2004), Lecture Notes in Computer Science, vol. 2947, pp. 360-374</refcontent>
          <seriesInfo name="DOI" value="10.1007/978-3-540-24632-9_26"/>
        </reference>
      </references>
    </references>
    <section anchor="related-work" numbered="true" removeInRFC="false" toc="include" pn="section-appendix.a">
      <name slugifiedName="name-related-work">Related Work</name>
      <t indent="0" pn="section-appendix.a-1">Quantum computing and post-quantum cryptography in general are outside the scope of this document.  For a general introduction to quantum computing, see a standard textbook such as <xref target="NIELSEN" format="default" sectionFormat="of" derivedContent="NIELSEN"/>.  For an overview of post-quantum cryptography as of 2009, see <xref target="BERNSTEIN" format="default" sectionFormat="of" derivedContent="BERNSTEIN"/>; while not containing more recent advances, it still provides a helpful introduction.  For the current status of the NIST Post-Quantum Cryptography Standardization Project, see <xref target="NIST" format="default" sectionFormat="of" derivedContent="NIST"/>.  For additional perspectives on the general transition from traditional to post-quantum cryptography, see for example <xref target="ETSI" format="default" sectionFormat="of" derivedContent="ETSI"/>, among others.</t>
      <t indent="0" pn="section-appendix.a-2">There have been several Internet-Drafts describing mechanisms for embedding post-quantum and/or hybrid key exchange in TLS:</t>
      <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-appendix.a-3">
        <li pn="section-appendix.a-3.1">
          <t indent="0" pn="section-appendix.a-3.1.1">TLS 1.2: <xref target="I-D.whyte-qsh-tls12" format="default" sectionFormat="of" derivedContent="WHYTE12"/>, <xref target="I-D.campagna-tls-bike-sike-hybrid" format="default" sectionFormat="of" derivedContent="CAMPAGNA"/></t>
        </li>
        <li pn="section-appendix.a-3.2">
          <t indent="0" pn="section-appendix.a-3.2.1">TLS 1.3: <xref target="I-D.kiefer-tls-ecdhe-sidh" format="default" sectionFormat="of" derivedContent="KIEFER"/>, <xref target="I-D.schanck-tls-additional-keyshare" format="default" sectionFormat="of" derivedContent="SCHANCK"/>, <xref target="I-D.whyte-qsh-tls13" format="default" sectionFormat="of" derivedContent="WHYTE13"/></t>
        </li>
      </ul>
      <t indent="0" pn="section-appendix.a-4">There have been several prototype implementations for post-quantum and/or hybrid key exchange in TLS:</t>
      <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-appendix.a-5">
        <li pn="section-appendix.a-5.1">
          <t indent="0" pn="section-appendix.a-5.1.1">TLS 1.2: <xref target="BCNS15" format="default" sectionFormat="of" derivedContent="BCNS15"/>, <xref target="CECPQ1" format="default" sectionFormat="of" derivedContent="CECPQ1"/>, <xref target="FRODO" format="default" sectionFormat="of" derivedContent="FRODO"/>, <xref target="OQS-102" format="default" sectionFormat="of" derivedContent="OQS-102"/>, <xref target="S2N" format="default" sectionFormat="of" derivedContent="S2N"/></t>
        </li>
        <li pn="section-appendix.a-5.2">
          <t indent="0" pn="section-appendix.a-5.2.1">TLS 1.3: <xref target="CECPQ2" format="default" sectionFormat="of" derivedContent="CECPQ2"/>, <xref target="OQS-111" format="default" sectionFormat="of" derivedContent="OQS-111"/>, <xref target="OQS-PROV" format="default" sectionFormat="of" derivedContent="OQS-PROV"/>, <xref target="PST" format="default" sectionFormat="of" derivedContent="PST"/></t>
        </li>
      </ul>
      <t indent="0" pn="section-appendix.a-6">These experimental implementations have taken an ad hoc approach and not attempted to implement one of the Internet-Drafts listed above.</t>
      <t indent="0" pn="section-appendix.a-7">Unrelated to post-quantum but still related to the issue of combining multiple types of keying material in TLS is the use of pre-shared keys, especially the recent TLS Working Group document on including an external pre-shared key <xref target="RFC8773" format="default" sectionFormat="of" derivedContent="EXTERN-PSK"/>.</t>
      <t indent="0" pn="section-appendix.a-8"><xref target="RFC9370" format="default" sectionFormat="of" derivedContent="RFC9370"/> on the multiple key exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2) has been published as a Proposed Standard, and other IETF work includes post-quantum preshared keys in IKEv2 <xref target="RFC8784" format="default" sectionFormat="of" derivedContent="IKE-PSK"/>.  The eXtended Merkle Signature Scheme (XMSS) hash-based signature scheme has been published as an Informational RFC by the IRTF <xref target="RFC8391" format="default" sectionFormat="of" derivedContent="XMSS"/>.</t>
      <t indent="0" pn="section-appendix.a-9">In the academic literature, <xref target="EVEN" format="default" sectionFormat="of" derivedContent="EVEN"/> initiated the study of combining multiple symmetric encryption schemes; <xref target="ZHANG" format="default" sectionFormat="of" derivedContent="ZHANG"/>, <xref target="DODIS" format="default" sectionFormat="of" derivedContent="DODIS"/>, and <xref target="HARNIK" format="default" sectionFormat="of" derivedContent="HARNIK"/> examined combining multiple public key encryption schemes; and <xref target="HARNIK" format="default" sectionFormat="of" derivedContent="HARNIK"/> coined the term "robust combiner" to refer to a compiler that constructs a hybrid scheme from individual schemes while preserving security properties.  <xref target="GIACON" format="default" sectionFormat="of" derivedContent="GIACON"/> and <xref target="BINDEL" format="default" sectionFormat="of" derivedContent="BINDEL"/> examined combining multiple key encapsulation mechanisms.</t>
    </section>
    <section anchor="acknowledgements" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.b">
      <name slugifiedName="name-acknowledgements">Acknowledgements</name>
      <t indent="0" pn="section-appendix.b-1">The ideas in this document have grown from discussions with many colleagues, including <contact fullname="Christopher Wood"/>, <contact fullname="Matt Campagna"/>, <contact fullname="Eric Crockett"/>, <contact fullname="Deirdre Connolly"/>, authors of the various hybrid documents and implementations cited in this document, and members of the TLS Working Group.  The immediate impetus for this document came from discussions with attendees at the Workshop on Post-Quantum Software in Mountain View, California in January 2019.  <contact fullname="Daniel J. Bernstein"/> and <contact fullname="Tanja Lange"/> commented on the risks of reuse of ephemeral public keys.  <contact fullname="Matt Campagna"/> and the team at Amazon Web Services provided additional suggestions.  <contact fullname="Nimrod Aviram"/> proposed restricting to fixed-length secrets.</t>
    </section>
    <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.c">
      <name slugifiedName="name-authors-addresses">Authors' Addresses</name>
      <author initials="D." surname="Stebila" fullname="Douglas Stebila">
        <organization showOnFrontPage="true">University of Waterloo</organization>
        <address>
          <email>dstebila@uwaterloo.ca</email>
        </address>
      </author>
      <author initials="S." surname="Fluhrer" fullname="Scott Fluhrer">
        <organization showOnFrontPage="true">Cisco Systems</organization>
        <address>
          <email>sfluhrer@cisco.com</email>
        </address>
      </author>
      <author initials="S." surname="Gueron" fullname="Shay Gueron">
        <organization abbrev="U. Haifa &amp; Meta" showOnFrontPage="true">University of Haifa and Meta</organization>
        <address>
          <email>shay.gueron@gmail.com</email>
        </address>
      </author>
    </section>
  </back>
</rfc>
