PQUIP F. Driscoll
Internet-Draft M. Parsons
Intended status: Informational UK National Cyber Security Centre
Expires: 10 November 2024 9 May 2024
Terminology for Post-Quantum Traditional Hybrid Schemes
draft-ietf-pquip-pqt-hybrid-terminology-03
Abstract
One aspect of the transition to post-quantum algorithms in
cryptographic protocols is the development of hybrid schemes that
incorporate both post-quantum and traditional asymmetric algorithms.
This document defines terminology for such schemes. It is intended
to be used as a reference and, hopefully, to ensure consistency and
clarity across different protocols, standards, and organisations.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-ietf-pquip-pqt-hybrid-terminology/.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 November 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
Driscoll & Parsons Expires 10 November 2024 [Page 1]
Internet-Draft PQ/T Hybrid Terminology May 2024
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Primitives . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Cryptographic Elements . . . . . . . . . . . . . . . . . . . 6
4. Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . 7
5. Properties . . . . . . . . . . . . . . . . . . . . . . . . . 9
6. Certificates . . . . . . . . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
9. Informative References . . . . . . . . . . . . . . . . . . . 13
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction
The mathematical problems of integer factorisation and discrete
logarithms over finite fields or elliptic curves underpin most of the
asymmetric algorithms used for key establishment and digital
signatures on the internet. These problems, and hence the algorithms
based on them, will be vulnerable to attacks using Shor's Algorithm
on a sufficiently large general-purpose quantum computer, known as a
Cryptographically Relevant Quantum Computer (CRQC). It is difficult
to predict when, or if, such a device will exist. However, it is
necessary to anticipate and prepare to defend against such a
development. Data encrypted today (2024) with an algorithm
vulnerable to a quantum computer could be stored for decryption by a
future attacker with a CRQC. Signing algorithms in products that are
expected to be in use for many years, and that cannot be updated or
replaced, are also at risk if a CRQC is developed during the
operational lifetime of that product.
Preparing for the potential development of a CRQC requires modifying
established (standardised) protocols to use asymmetric algorithms
that are perceived to be secure against quantum computers as well as
today's classical computers. These algorithms are called post-
quantum, while algorithms based on integer factorisation, finite-
field discrete logarithms or elliptic-curve discrete logarithms are
called traditional cryptographic algorithms. In this document
"traditional algorithm" is also used to refer to this class of
algorithms.
During the transition from traditional to post-quantum algorithms,
there may be a requirement for protocols that use both algorithm
types. A designer may combine a post-quantum algorithm with a
traditional algorithm to add protection against an attacker with a
CRQC to the security properties provided by the traditional
algorithm. They may also implement a post-quantum algorithm
alongside a traditional algorithm for ease of migration from an
ecosystem where only traditional algorithms are implemented and used,
to one that only uses post-quantum algorithms. Examples of solutions
that could use both types of algorithm include, but are not limited
to, [RFC9370], [I-D.ietf-tls-hybrid-design],
[I-D.ietf-lamps-pq-composite-kem], and
[I-D.ietf-lamps-cert-binding-for-multi-auth]. Schemes that combine
post-quantum and traditional algorithms for key establishment or
digital signatures are often called hybrids. For example:
* NIST defines hybrid key establishment to be a "scheme that is a
combination of two or more components that are themselves
cryptographic key-establishment schemes" [NIST_PQC_FAQ];
* ETSI defines hybrid key exchanges to be "constructions that
combine a traditional key exchange ... with a post-quantum key
exchange ... into a single key exchange" [ETSI_TS103774].
The word "hybrid" is also used in cryptography to describe encryption
schemes that combine asymmetric and symmetric algorithms [RFC9180],
so using it in the post-quantum context overloads it and risks
misunderstandings. However, this terminology is well-established
amongst the post-quantum cryptography (PQC) community. Therefore, an
attempt to move away from its use for PQC could lead to multiple
definitions for the same concept, resulting in confusion and lack of
clarity.
This document provides language for constructions that combine
traditional and post-quantum algorithms. Specific solutions for
enabling use of multiple asymmetric algorithms in cryptographic
schemes may be more general than this, allowing the use of solely
traditional or solely post-quantum algorithms. However, where
relevant, we focus on post-quantum traditional combinations as these
are the motivation for the wider work in the IETF. This document is
intended as a reference terminology guide for other documents to add
clarity and consistency across different protocols, standards, and
organisations. Additionally, this document aims to reduce
misunderstanding about use of the word "hybrid" as well as defining a
shared language for different types of post-quantum traditional
hybrid constructions.
In this document, a "cryptographic algorithm" is defined, as in
[NIST_SP_800-152], to be a "well-defined computational procedure that
takes variable inputs, often including a cryptographic key, and
produces an output". Examples include RSA, ECDH, ML-KEM (formerly
known as Kyber) and ML-DSA (formerly known as Dilithium). The
expression "cryptographic scheme" is used to refer to a construction
that uses a cryptographic algorithm or a group of cryptographic
algorithms to achieve a particular cryptographic outcome, e.g., key
agreement. A cryptographic scheme may be made up of a number of
functions. For example, a Key Encapsulation Mechanism (KEM) is a
cryptographic scheme consisting of three functions: Key Generation,
Encapsulation, and Decapsulation. A cryptographic protocol
incorporates one or more cryptographic schemes. For example, TLS
[RFC8446] is a cryptographic protocol that includes schemes for key
agreement, record layer encryption, and server authentication.
2. Primitives
This section introduces terminology related to cryptographic
algorithms and to hybrid constructions for cryptographic schemes.
*Asymmetric Traditional Cryptographic Algorithm*: An asymmetric
cryptographic algorithm based on integer factorisation, finite
field discrete logarithms, elliptic curve discrete logarithms, or
related mathematical problems.
A related mathematical problem is one that can be solved by
solving the integer factorisation, finite field discrete logarithm
or elliptic curve discrete logarithm problem.
Where there is little risk of confusion asymmetric traditional
cryptographic algorithms can also be referred to as traditional
algorithms for brevity. Traditional algorithms can also be called
classical or conventional algorithms.
*Post-Quantum Algorithm*: An asymmetric cryptographic algorithm that
is intended to be secure against attacks using quantum computers
as well as classical computers.
Post-quantum algorithms can also be called quantum-resistant or
quantum-safe algorithms.
As with all cryptography, it always remains the case that attacks,
either quantum or classical, may be found against post-quantum
algorithms. Therefore it should not be assumed that just because
an algorithm is designed to provide post-quantum security it will
not be compromised.
There may be asymmetric cryptographic constructions that are neither
post-quantum nor asymmetric traditional algorithms according to the
definitions above, but these are out of scope of this document.
*Component Algorithm*: Each cryptographic algorithm that forms part
of a cryptographic scheme.
*Single-Algorithm Scheme*: A cryptographic scheme with one component
algorithm.
A single-algorithm scheme could use either a traditional algorithm
or a post-quantum algorithm.
*Multi-Algorithm Scheme*: A cryptographic scheme that incorporates
more than one component algorithm, where the component algorithms
have the same cryptographic purpose.
For example, a multi-algorithm scheme may include multiple
signature algorithms or multiple Public Key Encryption (PKE)
algorithms. Component algorithms could be all traditional, all
post-quantum, or a mixture of the two.
*Post-Quantum Traditional (PQ/T) Hybrid Scheme*: A multi-algorithm
scheme where at least one component algorithm is a post-quantum
algorithm and at least one is a traditional algorithm.
*PQ/T Hybrid Key Encapsulation Mechanism (KEM)*: A multi-algorithm
KEM made up of two or more component algorithms where at least one
is a post-quantum algorithm and at least one is a traditional
algorithm. The component algorithms could be KEMs, or other key
establishment algorithms.
*PQ/T Hybrid Public Key Encryption (PKE)*: A multi-algorithm PKE
scheme made up of two or more component algorithms where at least
one is a post-quantum algorithm and at least one is a traditional
algorithm. The component algorithms could be PKE algorithms, or
other key establishment algorithms.
The standard security property for a PKE scheme is
indistinguishability under chosen-plaintext attack (IND-CPA).
IND-CPA security is not sufficient for secure communication in the
presence of an active attacker. Therefore, in general, PKE
schemes are not appropriate for use on the internet, and KEMs,
which provide indistinguishability under chosen-ciphertext attacks
(IND-CCA security), are required.
*PQ/T Hybrid Digital Signature*: A multi-algorithm digital signature
scheme made up of two or more component digital signature
algorithms where at least one is a post-quantum algorithm and at
least one is a traditional algorithm.
PQ/T hybrid KEMs, PQ/T hybrid PKE, and PQ/T hybrid digital
signatures are all examples of PQ/T hybrid schemes.
*PQ/T Hybrid Combiner*: A method that takes two or more component
algorithms and combines them to form a PQ/T hybrid scheme.
*PQ/PQ Hybrid Scheme*: A multi-algorithm scheme where all components
are post-quantum algorithms.
The definitions for types of PQ/T hybrid schemes can be adapted to
define types of PQ/PQ hybrid schemes, which are multi-algorithm
schemes where all component algorithms are post-quantum
algorithms.
In cases where there is little chance of confusion with other
types of hybrid cryptography, e.g., as defined in [RFC4949], and where
the component algorithms of a multi-algorithm scheme could be either
post-quantum or traditional, it may be appropriate to use the phrase
"hybrid scheme" without PQ/T or PQ/PQ preceding it.
*Component Scheme*: Each cryptographic scheme that makes up a PQ/T
hybrid scheme or PQ/T hybrid protocol.
Depending on the construction of a PQ/T hybrid scheme or PQ/T
hybrid protocol it may or may not be meaningful to define the
component schemes as well as the component algorithms. For
example, fused hybrids, as defined in
[I-D.hale-pquip-hybrid-signature-spectrums], may sufficiently
entangle the component algorithms that the component schemes are
not relevant.
3. Cryptographic Elements
This section introduces terminology related to cryptographic elements
and their inclusion in hybrid schemes.
*Cryptographic Element*: Any data type (private or public) that
contains an input or output value for a cryptographic algorithm or
for a function making up a cryptographic algorithm.
Types of cryptographic elements include public keys, private keys,
plaintexts, ciphertexts, shared secrets, and signature values.
*Component Cryptographic Element*: A cryptographic element of a
component algorithm in a multi-algorithm scheme.
For example, in [I-D.ietf-tls-hybrid-design], the client's
keyshare contains two component public keys, one for a post-
quantum algorithm and one for a traditional algorithm.
*Composite Cryptographic Element*: A cryptographic element that
incorporates multiple component cryptographic elements of the same
type in a multi-algorithm scheme. Note that, at the cryptographic
element level, the resulting composite cryptographic element is
exposed as a singular interface of the same type as the component
cryptographic elements.
For example, a composite cryptographic public key is made up of
two component public keys.
*Cryptographic Element Combiner*: A method that takes two or more
component cryptographic elements of the same type and combines
them to form a composite cryptographic element.
A cryptographic element combiner could be concatenation, such as
where two component public keys are concatenated to form a
composite public key as in [I-D.ietf-tls-hybrid-design], or
something more involved such as the dualPRF defined in [BINDEL].
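The PQ/T hybrid KEM and PQ/T hybrid combiner of Section 2, together with the composite cryptographic element and cryptographic element combiner of this section, as an added worked example that is not part of this draft or of any specification it cites. The composite public key, private key and ciphertext are length-prefixed concatenations of the component elements, and the shared secret is derived by a KDF over both component shared secrets and both component ciphertexts. The two component KEMs are constructed stand-ins that only model the Key Generation, Encapsulation and Decapsulation interface and provide no security; their names, the KDF construction and the domain-separation label are assumptions made for the example, not anything from the draft.

```python
# Added example (not from the draft): a PQ/T hybrid KEM built from two
# component KEMs; the component KEMs are constructed stand-ins with no security.
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ComponentKEM:
    """A component algorithm exposed through the three KEM functions."""
    name: str
    keygen: Callable[[], Tuple[bytes, bytes]]       # () -> (pk, sk)
    encaps: Callable[[bytes], Tuple[bytes, bytes]]  # pk -> (ct, ss)
    decaps: Callable[[bytes, bytes], bytes]         # (sk, ct) -> ss


def toy_kem(name: str, size: int = 32) -> ComponentKEM:
    """Constructed stand-in: pk = H(name||sk), ss = HMAC(pk, ct). Anyone with
    pk recovers ss, so it is NOT secure; it only lets the composition run."""
    def derive_pk(sk: bytes) -> bytes:
        return hashlib.sha256(name.encode() + sk).digest()[:size]

    def keygen() -> Tuple[bytes, bytes]:
        sk = secrets.token_bytes(size)
        return derive_pk(sk), sk

    def encaps(pk: bytes) -> Tuple[bytes, bytes]:
        ct = secrets.token_bytes(size)
        return ct, hmac.new(pk, ct, hashlib.sha256).digest()

    def decaps(sk: bytes, ct: bytes) -> bytes:
        return hmac.new(derive_pk(sk), ct, hashlib.sha256).digest()

    return ComponentKEM(name, keygen, encaps, decaps)


def concat_elements(*parts: bytes) -> bytes:
    """Element combiner: length-prefixed concatenation into one composite element."""
    return b"".join(struct.pack(">H", len(p)) + p for p in parts)


def split_elements(composite: bytes, count: int) -> List[bytes]:
    """Inverse of concat_elements; truncated or trailing data is an error."""
    parts, off = [], 0
    for _ in range(count):
        if off + 2 > len(composite):
            raise ValueError("truncated composite element")
        (n,) = struct.unpack(">H", composite[off:off + 2])
        off += 2
        if off + n > len(composite):
            raise ValueError("truncated component element")
        parts.append(composite[off:off + n])
        off += n
    if off != len(composite):
        raise ValueError("trailing bytes in composite element")
    return parts


class HybridKEM:
    """PQ/T hybrid KEM: composite pk/sk/ct by concatenation; shared secret by
    a KDF over all component secrets and all component ciphertexts."""
    LABEL = b"example-pqt-hybrid-kem-v0"  # constructed domain-separation label

    def __init__(self, pq: ComponentKEM, trad: ComponentKEM):
        self.components = (pq, trad)

    @classmethod
    def combine(cls, secrets_: List[bytes], cts: List[bytes]) -> bytes:
        # HKDF-style extract (zero salt) then a single expand block, SHA-256.
        ikm = concat_elements(*secrets_, *cts, cls.LABEL)
        prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
        return hmac.new(prk, b"shared secret\x01", hashlib.sha256).digest()

    def keygen(self) -> Tuple[bytes, bytes]:
        pairs = [c.keygen() for c in self.components]
        return (concat_elements(*(pk for pk, _ in pairs)),
                concat_elements(*(sk for _, sk in pairs)))

    def encaps(self, composite_pk: bytes) -> Tuple[bytes, bytes]:
        pks = split_elements(composite_pk, len(self.components))
        outs = [c.encaps(pk) for c, pk in zip(self.components, pks)]
        cts, sss = [ct for ct, _ in outs], [ss for _, ss in outs]
        return concat_elements(*cts), self.combine(sss, cts)

    def decaps(self, composite_sk: bytes, composite_ct: bytes) -> bytes:
        n = len(self.components)
        sks, cts = split_elements(composite_sk, n), split_elements(composite_ct, n)
        sss = [c.decaps(sk, ct) for c, sk, ct in zip(self.components, sks, cts)]
        return self.combine(sss, cts)


PQ_STANDIN = toy_kem("pq-standin")      # where a post-quantum KEM such as ML-KEM would sit
TRAD_STANDIN = toy_kem("trad-standin")  # where an ECDH-based KEM would sit
HYBRID = HybridKEM(PQ_STANDIN, TRAD_STANDIN)


def roundtrip() -> bool:
    pk, sk = HYBRID.keygen()
    ct, ss_sender = HYBRID.encaps(pk)
    return HYBRID.decaps(sk, ct) == ss_sender


def missing_component_secret_changes_output() -> bool:
    """Hybrid confidentiality in miniature: the traditional component secret
    plus both ciphertexts does not reproduce the combined shared secret."""
    pk, sk = HYBRID.keygen()
    ct, ss = HYBRID.encaps(pk)
    sks, cts = split_elements(sk, 2), split_elements(ct, 2)
    trad_only = TRAD_STANDIN.decaps(sks[1], cts[1])
    return HybridKEM.combine([b"\x00" * 32, trad_only], cts) != ss
```

Feeding the component ciphertexts into the KDF alongside the component secrets is what makes the composite element behave as a single KEM interface: the combined secret depends on every component and on exactly what was transmitted, and `split_elements` rejects malformed composite elements rather than silently reading past a component boundary.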
4. Protocols
This section introduces terminology related to the use of post-
quantum and traditional algorithms together in protocols.
*PQ/T Hybrid Protocol*: A protocol that uses two or more component
algorithms providing the same cryptographic functionality, where
at least one is a post-quantum algorithm and at least one is a
traditional algorithm.
For example, a PQ/T hybrid protocol providing confidentiality
could use a PQ/T hybrid KEM such as in
[I-D.ietf-tls-hybrid-design], or it could combine the output of a
post-quantum KEM and a traditional KEM at the protocol level to
generate a single shared secret, such as in [RFC9370]. Similarly,
a PQ/T hybrid protocol providing authentication could use a PQ/T
hybrid digital signature scheme, or it could include both post-
quantum and traditional single-algorithm digital signature
schemes.
A protocol that can negotiate the use of either a traditional
algorithm or a post-quantum algorithm, but not of both types of
algorithm, is not a PQ/T hybrid protocol. Protocols that use two
or more component algorithms but with different cryptographic
functionality, for example a post-quantum KEM and a pre-shared key
(PSK) are also not PQ/T hybrid protocols.
*PQ/T Hybrid Protocol with Composite Key Establishment*: A PQ/T
hybrid protocol that incorporates a PQ/T hybrid scheme to achieve
key establishment, in such a way that the protocol fields and
message flow are the same as those in a version of the protocol
that uses a single-algorithm scheme.
For example, a PQ/T hybrid protocol with composite key
establishment could include a single PQ/T hybrid KEM, such as in
[I-D.ietf-tls-hybrid-design].
*PQ/T Hybrid Protocol with Composite Authentication*: A PQ/T hybrid
protocol that incorporates a PQ/T hybrid scheme to achieve
authentication, in such a way that the protocol fields and message
flow are the same as those in a version of the protocol that uses
a single-algorithm scheme.
For example, a PQ/T hybrid protocol with composite authentication
could include a single PQ/T hybrid digital signature, with
component cryptographic elements being included in a PQ/T hybrid
certificate.
In a PQ/T hybrid protocol with a composite construction, changes are
primarily made to the formats of the cryptographic elements, while
the protocol fields and message flow remain largely unchanged. In
implementations, most changes are likely to be made to the
cryptographic libraries, with minimal changes to the protocol
libraries.
*PQ/T Hybrid Protocol with Non-Composite Key Establishment*: A PQ/T
hybrid protocol that incorporates multiple single-algorithm
schemes to achieve key establishment, where at least one uses a
post-quantum algorithm and at least one uses a traditional
algorithm, in such a way that the formats of the component
cryptographic elements are the same as when they are used as part
of a single-algorithm scheme.
For example, a PQ/T hybrid protocol with non-composite key
establishment could include a traditional key exchange scheme and
a post-quantum KEM. A construction like this for IKEv2 is enabled
by [RFC9370].
*PQ/T Hybrid Protocol with Non-Composite Authentication*: A PQ/T
hybrid protocol that incorporates multiple single-algorithm
schemes to achieve authentication, where at least one uses a post-
quantum algorithm and at least one uses a traditional algorithm,
in such a way that the formats of the component cryptographic
elements are the same as when they are used as part of a single-
algorithm scheme.
For example, a PQ/T hybrid protocol with non-composite
authentication could use a PQ/T parallel PKI with one traditional
certificate chain and one post-quantum certificate chain.
In a PQ/T hybrid protocol with a non-composite construction, changes
are primarily made to the protocol fields, the message flow, or both,
while changes to cryptographic elements are minimised. In
implementations, most changes are likely to be made to the protocol
libraries, with minimal changes to the cryptographic libraries.
It is possible for a PQ/T hybrid protocol to be designed with both
composite and non-composite constructions. For example, a protocol
that offers both confidentiality and authentication could have
composite key agreement and non-composite authentication. Similarly,
it is possible for a PQ/T hybrid protocol to achieve certain
cryptographic outcomes in a non-hybrid manner. For example
[I-D.ietf-tls-hybrid-design] describes a PQ/T hybrid protocol with
composite key agreement, but with single-algorithm authentication.
5. Properties
This section describes some properties that may be desired from or
achieved by a PQ/T hybrid scheme or PQ/T hybrid protocol. Properties
of PQ/T hybrid schemes are still an active area of research and
development, e.g., [BINDELHALE]. This section does not attempt to be
comprehensive, but rather covers a basic set of properties.
It is not possible for one PQ/T hybrid scheme or PQ/T hybrid protocol
to achieve all of the properties in this section. To understand which
properties are required, a designer or implementer should consider
why they are using a PQ/T hybrid scheme. For example, a scheme that
is designed for implementation security will likely require PQ/T
hybrid confidentiality or PQ/T hybrid authentication, while a scheme
for interoperability will require PQ/T hybrid interoperability.
*PQ/T Hybrid Confidentiality*: The property that confidentiality is
achieved by a PQ/T hybrid scheme or PQ/T hybrid protocol as long
as at least one component algorithm that aims to provide this
property remains secure.
*PQ/T Hybrid Authentication*: The property that authentication is
achieved by a PQ/T hybrid scheme or a PQ/T hybrid protocol as long
as at least one component algorithm that aims to provide this
property remains secure.
The security properties of a PQ/T hybrid scheme or protocol depend on
the security of its component algorithms, the choice of PQ/T hybrid
combiner, and the capability of an attacker. Changes to the security
of a component algorithm can impact the security properties of a PQ/T
hybrid scheme providing hybrid confidentiality or hybrid
authentication. For example, if the post-quantum component algorithm
of a PQ/T hybrid scheme is broken, the scheme will remain secure
against an attacker with a classical computer, but will be vulnerable
to an attacker with a CRQC.
PQ/T hybrid protocols that offer both confidentiality and
authentication do not necessarily offer both hybrid confidentiality
and hybrid authentication. For example, [I-D.ietf-tls-hybrid-design]
provides hybrid confidentiality but does not address hybrid
authentication. Therefore, if the design in
[I-D.ietf-tls-hybrid-design] is used with single-algorithm X.509
certificates as defined in [RFC5280] only authentication with a
single algorithm is achieved.
*PQ/T Hybrid Interoperability*: The property that a PQ/T hybrid
scheme or PQ/T hybrid protocol can be completed successfully
provided that both parties share support for at least one
component algorithm.
For example, a PQ/T hybrid digital signature might achieve hybrid
interoperability if the signature can be verified by either
verifying the traditional or the post-quantum component, such as
the approach defined in section 7.2.2 of [ITU-T-X509-2019]. In
this example a verifier that has migrated to support post-quantum
algorithms is required to verify only the post-quantum signature,
while a verifier that has not migrated will verify only the
traditional signature.
In the case of a protocol that aims to achieve both authentication
and confidentiality, PQ/T hybrid interoperability requires that at
least one component authentication algorithm and at least one
component algorithm for confidentiality is supported by both parties.
It is not possible for a PQ/T hybrid scheme to achieve both PQ/T
hybrid interoperability and PQ/T hybrid confidentiality without
additional functionality at a protocol level. For PQ/T hybrid
interoperability a scheme needs to work whenever one component
algorithm is supported by both parties, while to achieve PQ/T hybrid
confidentiality all component algorithms need to be used. However,
both properties can be achieved in a PQ/T hybrid protocol by building
in downgrade protection external to the cryptographic schemes. For
example, in [I-D.ietf-tls-hybrid-design], the client uses the TLS
supported groups extension to advertise support for a PQ/T hybrid
scheme and the server can select this group if it supports the
scheme. This is protected using TLS's existing downgrade protection,
so achieves PQ/T hybrid confidentiality, but the connection can still
be made if either the client or server does not support the PQ/T
hybrid scheme, so PQ/T hybrid interoperability is achieved.
The same is true for PQ/T hybrid interoperability and PQ/T hybrid
authentication. It is not possible to achieve both with a PQ/T
hybrid scheme alone, but it is possible with a PQ/T hybrid protocol
that has appropriate downgrade protection.
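The reasoning above, as an added toy model that is not part of this draft or of [I-D.ietf-tls-hybrid-design]: a client offers groups in preference order, the server selects one, and each party computes a MAC over the negotiation as it saw it on the wire. The group names, message encoding, transcript MAC and fixed handshake secret are all constructed for the illustration and are not TLS wire formats; the point is only that interoperability and hybrid confidentiality are reconciled by the transcript binding, not by the scheme itself.

```python
# Added example (not from the draft): a toy model of group negotiation with
# transcript binding. Group names, messages and the MAC are constructed, not TLS.
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

HYBRID_GROUP = "pqt-hybrid-group-standin"   # assumption: a PQ/T hybrid group
TRAD_GROUP = "traditional-group-standin"    # assumption: a traditional group
HYBRID_GROUPS = {HYBRID_GROUP}


def select_group(client_offer: List[str], server_supported: List[str]) -> Optional[str]:
    """Server picks the first group in the client's preference order it supports."""
    for group in client_offer:
        if group in server_supported:
            return group
    return None


def hybrid_interoperable(client_offer: List[str], server_supported: List[str]) -> bool:
    """PQ/T hybrid interoperability: the handshake completes if any one
    group is shared, whether or not it is the hybrid one."""
    return select_group(client_offer, server_supported) is not None


def hybrid_confidentiality(selected: Optional[str]) -> bool:
    """PQ/T hybrid confidentiality: only if the PQ/T hybrid group was used."""
    return selected in HYBRID_GROUPS


def transcript_hash(offer_seen: List[str], selected: str) -> bytes:
    """Each party hashes the negotiation exactly as it saw it on the wire."""
    h = hashlib.sha256()
    h.update(b"offer=" + ",".join(offer_seen).encode() + b"|selected=" + selected.encode())
    return h.digest()


def finished_mac(shared_secret: bytes, transcript: bytes) -> bytes:
    """Downgrade protection: a MAC over the transcript under the handshake secret."""
    return hmac.new(shared_secret, transcript, hashlib.sha256).digest()


def run_handshake(client_offer: List[str], server_supported: List[str],
                  in_transit: Callable[[List[str]], List[str]] = lambda o: o
                  ) -> Tuple[Optional[str], bool]:
    """Returns (selected group, handshake completed). `in_transit` models what
    the network delivers to the server; by default the offer is unchanged."""
    offer_seen_by_server = in_transit(client_offer)
    selected = select_group(offer_seen_by_server, server_supported)
    if selected is None:
        return None, False
    shared_secret = b"\x42" * 32  # assumption: key establishment succeeded
    client_fin = finished_mac(shared_secret, transcript_hash(client_offer, selected))
    server_fin = finished_mac(shared_secret, transcript_hash(offer_seen_by_server, selected))
    return selected, hmac.compare_digest(client_fin, server_fin)


def scenarios() -> Dict[str, Tuple[Optional[str], bool]]:
    both = [HYBRID_GROUP, TRAD_GROUP]
    return {
        # both support the hybrid group: interoperable and hybrid confidentiality
        "both_hybrid": run_handshake(both, both),
        # legacy server: interoperable, but only traditional confidentiality
        "legacy_server": run_handshake(both, [TRAD_GROUP]),
        # hybrid group missing from the offer the server received: the two
        # transcripts differ, so the handshake fails rather than completing
        # with a traditional-only group that neither party chose
        "offer_modified": run_handshake(
            both, both, in_transit=lambda o: [g for g in o if g not in HYBRID_GROUPS]),
    }
```

The `legacy_server` case is the interoperability property: the connection completes on the traditional group, and `hybrid_confidentiality` correctly reports that the hybrid property was not achieved. The `offer_modified` case is why the two properties need protocol-level downgrade protection: without the transcript MAC, both parties would have finished on the traditional group and neither would know the hybrid option had been lost in transit.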
*PQ/T Hybrid Backwards Compatibility*: The property that a PQ/T
hybrid scheme or PQ/T hybrid protocol can be completed
successfully provided that both parties support the traditional
component algorithm, while also using both algorithms if both are
supported by both parties.
*PQ/T Hybrid Forwards Compatibility*: The property that a PQ/T
hybrid scheme or PQ/T hybrid protocol can be completed
successfully provided that both parties support the post-quantum
component algorithm, while also using both algorithms if both are
supported by both parties.
6. Certificates
This section introduces terminology related to the use of
certificates in hybrid schemes.
*PQ/T Hybrid Certificate*: A digital certificate that contains
public keys for two or more component algorithms where at least
one is a traditional algorithm and at least one is a post-quantum
algorithm.
A PQ/T hybrid certificate could be used to facilitate a PQ/T
hybrid authentication protocol. However, a PQ/T hybrid
authentication protocol does not need to use a PQ/T hybrid
certificate; separate certificates could be used for individual
component algorithms.
The component public keys in a PQ/T hybrid certificate could be
included as a composite public key or as individual component
public keys.
The use of a PQ/T hybrid certificate does not necessarily achieve
hybrid authentication of the identity of the sender; this is
determined by properties of the chain of trust. For example, an
end-entity certificate that contains a composite public key, but
which is signed using a single-algorithm digital signature scheme
could be used to provide hybrid authentication of the source of a
message, but would not achieve hybrid authentication of the
identity of the sender.
*Post-Quantum Certificate*: A digital certificate that contains a
single public key for a post-quantum digital signature algorithm.
*Traditional Certificate*: A digital certificate that contains a
single public key for a traditional digital signature algorithm.
X.509 certificates as defined in [RFC5280] could be either
traditional or post-quantum certificates depending on the algorithm
in the Subject Public Key Info. For example, a certificate
containing an ML-DSA public key, as will be defined in
[I-D.ietf-lamps-dilithium-certificates], would be a post-quantum
certificate.
*Post-Quantum Certificate Chain*: A certificate chain where all
certificates include a public key for a post-quantum algorithm and
are signed using a post-quantum digital signature scheme.
*Traditional Certificate Chain*: A certificate chain where all
certificates include a public key for a traditional algorithm and
are signed using a traditional digital signature scheme.
*PQ/T Hybrid Certificate Chain*: A certificate chain where all
certificates are PQ/T hybrid certificates and each certificate is
signed with two or more component algorithms with at least one
being a traditional algorithm and at least one being a post-
quantum algorithm.
A PQ/T hybrid certificate chain is one way of achieving hybrid
authentication of the identity of a sender in a protocol, but is not
the only way. An alternative is to use a PQ/T parallel PKI as
defined below.
*PQ/T Mixed Certificate Chain*: A certificate chain containing at
least two of the three certificate types defined in this draft
(PQ/T hybrid certificates, post-quantum certificates and
traditional certificates).
For example, a traditional end-entity certificate could be signed
by a post-quantum intermediate certificate, which in turn could be
signed by a post-quantum root certificate. This may be desirable
due to the lifetimes of the certificates, the relative difficulty
of rotating keys, or for efficiency reasons. The security
properties of a certificate chain that mixes post-quantum and
traditional algorithms would need to be analysed on a case-by-case
basis.
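The chain definitions above, and the distinction drawn earlier between hybrid authentication of the source of a message and hybrid authentication of the identity of the sender, as an added classifier that is not part of this draft. Certificates are modelled as records of algorithm names rather than parsed X.509; the sets of traditional and post-quantum algorithm names, the sample subjects and the sample chains are constructed for the illustration (ML-DSA is named in the draft; the parameter set and the traditional algorithm names are an assumption).

```python
# Added example (not from the draft): classify a certificate chain against the
# chain definitions above. Certificates are modelled as algorithm-name records,
# not parsed X.509; the algorithm sets below are an assumption for illustration.
from dataclasses import dataclass
from typing import List

TRADITIONAL_SIG = {"RSA", "ECDSA-P256", "Ed25519"}  # assumption: traditional set
POST_QUANTUM_SIG = {"ML-DSA-65"}                     # assumption: post-quantum set


def is_pq(alg: str) -> bool:
    return alg in POST_QUANTUM_SIG


def is_trad(alg: str) -> bool:
    return alg in TRADITIONAL_SIG


def mixes_pq_and_trad(algs: List[str]) -> bool:
    """True when at least one PQ and at least one traditional algorithm appear."""
    return any(is_pq(a) for a in algs) and any(is_trad(a) for a in algs)


@dataclass
class Cert:
    subject: str
    key_algs: List[str]  # algorithms of the component public keys it carries
    sig_algs: List[str]  # component algorithms used to sign this certificate


def cert_type(cert: Cert) -> str:
    """PQ/T hybrid, post-quantum or traditional certificate, per Section 6."""
    if mixes_pq_and_trad(cert.key_algs):
        return "pqt-hybrid"
    if len(cert.key_algs) == 1 and is_pq(cert.key_algs[0]):
        return "post-quantum"
    if len(cert.key_algs) == 1 and is_trad(cert.key_algs[0]):
        return "traditional"
    return "other"  # e.g. a PQ/PQ composite key, not covered by these definitions


def chain_type(chain: List[Cert]) -> str:
    """chain[0] is the end entity, chain[-1] the self-signed root."""
    types = {cert_type(c) for c in chain}
    if types == {"post-quantum"} and all(all(is_pq(a) for a in c.sig_algs) for c in chain):
        return "post-quantum chain"
    if types == {"traditional"} and all(all(is_trad(a) for a in c.sig_algs) for c in chain):
        return "traditional chain"
    if types == {"pqt-hybrid"} and all(mixes_pq_and_trad(c.sig_algs) for c in chain):
        return "pqt-hybrid chain"
    if len(types - {"other"}) >= 2:
        return "pqt-mixed chain"
    return "unclassified"


def hybrid_source_authentication(chain: List[Cert]) -> bool:
    """The end entity can sign a message with both a PQ and a traditional component."""
    return cert_type(chain[0]) == "pqt-hybrid"


def hybrid_identity_authentication(chain: List[Cert]) -> bool:
    """Every signature in the chain of trust has both a PQ and a traditional
    component, so the identity binding survives a break of either family."""
    return all(mixes_pq_and_trad(c.sig_algs) for c in chain)


# Constructed sample certificates (subjects and algorithm choices are illustrative).
ROOT_T = Cert("Example Root T", ["ECDSA-P256"], ["ECDSA-P256"])
ROOT_PQ = Cert("Example Root PQ", ["ML-DSA-65"], ["ML-DSA-65"])
INT_PQ = Cert("Example Intermediate PQ", ["ML-DSA-65"], ["ML-DSA-65"])
ROOT_H = Cert("Example Root H", ["ML-DSA-65", "ECDSA-P256"], ["ML-DSA-65", "ECDSA-P256"])
EE_T = Cert("ee.example", ["ECDSA-P256"], ["ECDSA-P256"])
EE_T_PQ_SIGNED = Cert("ee.example", ["ECDSA-P256"], ["ML-DSA-65"])
EE_H = Cert("ee.example", ["ML-DSA-65", "ECDSA-P256"], ["ML-DSA-65", "ECDSA-P256"])
EE_COMPOSITE_KEY_SINGLE_SIG = Cert("ee.example", ["ML-DSA-65", "ECDSA-P256"], ["ECDSA-P256"])

TRADITIONAL_CHAIN = [EE_T, ROOT_T]
MIXED_CHAIN = [EE_T_PQ_SIGNED, INT_PQ, ROOT_PQ]  # the mixed-chain example given above
HYBRID_CHAIN = [EE_H, ROOT_H]
COMPOSITE_KEY_SINGLE_SIG_CHAIN = [EE_COMPOSITE_KEY_SINGLE_SIG, ROOT_T]
```

`COMPOSITE_KEY_SINGLE_SIG_CHAIN` is the case called out earlier in this section: the end entity holds a composite public key, so `hybrid_source_authentication` is true, but its certificate is signed by a single traditional algorithm, so `hybrid_identity_authentication` is false and the chain is classified as a PQ/T mixed chain rather than a PQ/T hybrid chain.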
*PQ/T Parallel PKI*: Two certificate chains, one a post-quantum
certificate chain and one a traditional certificate chain, that
are used together in a protocol.
A PQ/T parallel PKI might be used to achieve hybrid authentication or
hybrid interoperability depending on the protocol implementation.
*Multi-Certificate Authentication*: Authentication that uses two or
more end-entity certificates.
For example, multi-certificate authentication may be achieved
using a PQ/T parallel PKI.
7. Security Considerations
This document defines security-relevant terminology to be used in
documents specifying PQ/T hybrid protocols and schemes. However, the
document itself does not have a security impact on Internet
protocols. The security considerations for each PQ/T hybrid protocol
are specific to that protocol and should be discussed in the relevant
specification documents.
8. IANA Considerations
This document has no IANA actions.
9. Informative References
[BINDEL] Bindel, N., Brendel, J., Fischlin, M., Goncalves, B., and
D. Stebila, "Hybrid Key Encapsulation Mechanisms and
Authenticated Key Exchange", Post-Quantum Cryptography,
pp. 206-226, DOI 10.1007/978-3-030-25510-7_12, July 2019.
[BINDELHALE]
Bindel, N. and B. Hale, "A Note on Hybrid Signature
Schemes", Cryptology ePrint Archive, Paper 2023/423, 23
July 2023.
[ETSI_TS103774]
ETSI TS 103 744 V1.1.1, "CYBER; Quantum-safe Hybrid Key
Exchanges", December 2020.
[I-D.hale-pquip-hybrid-signature-spectrums]
Bindel, N., Hale, B., Connolly, D., and F. D, "Hybrid
signature spectrums", Work in Progress, Internet-Draft,
draft-hale-pquip-hybrid-signature-spectrums-04, 21 March
2024.
[I-D.ietf-lamps-cert-binding-for-multi-auth]
Becker, A., Guthrie, R., and M. J. Jenkins, "Related
Certificates for Use in Multiple Authentications within a
Protocol", Work in Progress, Internet-Draft,
draft-ietf-lamps-cert-binding-for-multi-auth-05, 29 April 2024.
[I-D.ietf-lamps-dilithium-certificates]
Massimo, J., Kampanakis, P., Turner, S., and B.
Westerbaan, "Internet X.509 Public Key Infrastructure:
Algorithm Identifiers for ML-DSA", Work in Progress,
Internet-Draft, draft-ietf-lamps-dilithium-certificates-03,
5 February 2024.
[I-D.ietf-lamps-pq-composite-kem]
Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S.
Fluhrer, "Composite ML-KEM for Use in the Internet X.509
Public Key Infrastructure and CMS", Work in Progress,
Internet-Draft, draft-ietf-lamps-pq-composite-kem-03, 2
March 2024.
[I-D.ietf-tls-hybrid-design]
Stebila, D., Fluhrer, S., and S. Gueron, "Hybrid key
exchange in TLS 1.3", Work in Progress, Internet-Draft,
draft-ietf-tls-hybrid-design-10, 5 April 2024.
[ITU-T-X509-2019]
ITU-T, "ITU-T X.509 The Directory - Public-key and
attribute certificate frameworks", January 2019.
[NIST_PQC_FAQ]
National Institute of Standards and Technology (NIST),
"Post-Quantum Cryptography FAQs", 5 July 2022.
[NIST_SP_800-152]
Barker, E. B., Smid, M., Branstad, D., and National
Institute of Standards and Technology (NIST), "NIST SP
800-152 A Profile for U. S. Federal Cryptographic Key
Management Systems", October 2015.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.
[RFC9180] Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid
Public Key Encryption", RFC 9180, DOI 10.17487/RFC9180,
February 2022.
[RFC9370] Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van
Geest, D., Garcia-Morchon, O., and V. Smyslov, "Multiple
Key Exchanges in the Internet Key Exchange Protocol
Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May
2023.
Acknowledgments
This document is the product of numerous fruitful discussions in the
IETF PQUIP group. Thank you in particular to Mike Ounsworth, John
Gray, Tim Hollebeek, Wang Guilin, Britta Hale, Rebecca Guthrie,
Stephen Farrell, Paul Hoffman and Sofía Celi for their contributions.
This document is inspired by many others from the IETF and elsewhere.
Authors' Addresses
Florence Driscoll
UK National Cyber Security Centre
Email: florence.d@ncsc.gov.uk
Michael Parsons
UK National Cyber Security Centre
Email: michael.p1@ncsc.gov.uk