HPKE Publication, Kept Efficient (hpke) Working Group Charter

Hybrid Public Key Exchange (HPKE) [RFC 9180] defines an authenticated encryption
encapsulation format that combines a semi-static asymmetric key exchange with a symmetric
cipher. This format is used in several IETF protocols, such as MLS [RFC 9420] and TLS
Encrypted ClientHello [todo]. The fact that HPKE is defined in an Informational document on
the IRTF stream, however, has caused some confusion as to its usability, especially with other
standards organizations.

The hpke Working Group is tasked with two responsibilities:
● Re-publish the HPKE specification as a Standards Track document of the IETF.
● Define new cipher suites for HPKE that use algorithms that are expected to survive the
introduction of a Cryptographically Relevant Quantum Computer (CRQC), including
both pure post-quantum (PQ) algorithms and hybrids of PQ algorithms with traditional
algorithms.

Differences between the Standards Track version of HPKE and the Informational version
(RFC9180) should be minimized, mostly limited to editorial changes and application of errata.
The working group may decide to remove some functionality (e.g., the Auth and AuthPSK
modes), or add some functionality (e.g., support for KDFs that are not two-step). But the
Standards Track and Informational version must have identical behavior for any functionality
that they both specify.

The group might select a number of cipher suites that address different use cases, security
levels, and attacker threat models.

Deliverables:
● HPKE specification to the IESG as Proposed Standard (yesterday)
● New post-quantum and post-quantum/traditional hybrid cipher suites for HPKE to the
IESG as Proposed Standard (the day before that)