Terminology for PostQuantum Traditional Hybrid Schemes
draftietfpquippqthybridterminology04
Document  Type  Active InternetDraft (pquip WG)  

Authors  Florence D , Michael P , Britta Hale  
Last updated  20240910  
Replaces  draftdriscollpqthybridterminology  
RFC stream  Internet Engineering Task Force (IETF)  
Intended RFC status  (None)  
Formats  
Additional resources  Mailing list discussion  
Stream  WG state  WG Document  
Associated WG milestone 


Document shepherd  (None)  
IESG  IESG state  ID Exists  
Consensus boilerplate  Unknown  
Telechat date  (None)  
Responsible AD  (None)  
Send notices to  (None) 
draftietfpquippqthybridterminology04
PQUIP F. Driscoll InternetDraft M. Parsons Intended status: Informational UK National Cyber Security Centre Expires: 14 March 2025 B. Hale Naval Postgraduate School 10 September 2024 Terminology for PostQuantum Traditional Hybrid Schemes draftietfpquippqthybridterminology04 Abstract One aspect of the transition to postquantum algorithms in cryptographic protocols is the development of hybrid schemes that incorporate both postquantum and traditional asymmetric algorithms. This document defines terminology for such schemes. It is intended to be used as a reference and, hopefully, to ensure consistency and clarity across different protocols, standards, and organisations. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draftietfpquippqthybrid terminology/. Status of This Memo This InternetDraft is submitted in full conformance with the provisions of BCP 78 and BCP 79. InternetDrafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as InternetDrafts. The list of current Internet Drafts is at https://datatracker.ietf.org/drafts/current/. InternetDrafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use InternetDrafts as reference material or to cite them other than as "work in progress." This InternetDraft will expire on 14 March 2025. Driscoll, et al. Expires 14 March 2025 [Page 1] InternetDraft PQ/T Hybrid Terminology September 2024 Copyright Notice Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ licenseinfo) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Primitives . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Cryptographic Elements . . . . . . . . . . . . . . . . . . . 8 4. Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5. Properties . . . . . . . . . . . . . . . . . . . . . . . . . 12 6. Certificates . . . . . . . . . . . . . . . . . . . . . . . . 14 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 9. Informative References . . . . . . . . . . . . . . . . . . . 16 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 1. Introduction The mathematical problems of integer factorisation and discrete logarithms over finite fields or elliptic curves underpin most of the asymmetric algorithms used for key establishment and digital signatures on the internet. These problems, and hence the algorithms based on them, will be vulnerable to attacks using Shor's Algorithm on a sufficiently large generalpurpose quantum computer, known as a Cryptographically Relevant Quantum Computer (CRQC). Current predictions vary on when, or if, such a device will exist. However, it is necessary to anticipate and prepare to defend against such a development. Data encrypted today (2024) with an algorithm vulnerable to a quantum computer can be stored for decryption by a future attacker with a CRQC. Signing algorithms in products that are expected to be in use for many years, and that cannot be updated or replaced, are also at risk if a CRQC is developed during the operational lifetime of that product. Driscoll, et al. Expires 14 March 2025 [Page 2] InternetDraft PQ/T Hybrid Terminology September 2024 Ongoing responses to the potential development of a CRQC include modifying established (standardised) protocols to use asymmetric algorithms that are designed to be secure against quantum computers as well as today's classical computers. These algorithms are called postquantum, while algorithms based on integer factorisation, finitefield discrete logarithms or ellipticcurve discrete logarithms are called traditional cryptographic algorithms. In this document "traditional algorithm" is also used to refer to this class of algorithms. At the time of publication, the term postquantum is generally used to describe cryptographic algorithms that are designed to be secure against an adversary with access to a CRQC. Postquantum algorithms can also be referred to as quantumresistant or quantumsafe algorithms. There are merits to the different terms, for example some prefer to use the terms quantumrestistant or quantumsafe to explictly indicate that these algorithms are designed to be secure against quantum computers but others disagree, and prefer to use postquantum, in case of compromises against such algorithms which could make the terms quantumrestistant or quantumsafe misleading. Similarly, some prefer to refer specifically to Shor's Algorithm or to the mathematical problem that is being used to prevent attack. Postquantum cryptography is commonly used amongst the cryptography community, so will be used throughout this document. Similarly, the term "traditional algorithm" will be used throughout the document as at the time of publication is widely used in the community, though other terms, including classical, prequantum or quantumvulnerable, are preferred by some. There may be a requirement for protocols that use both algorithm types, for example during the transition from traditional to post quantum algorithms or as a general solution, to mitigate risks. When the risk of deploying new algorithms is above the accepted threshold for their use case, a designer may combine a postquantum algorithm with a traditional algorithm with the goal of adding protection against an attacker with a CRQC to the security properties provided by the traditional algorithm. They may also implement a postquantum algorithm alongside a traditional algorithm for ease of migration from an ecosystem where only traditional algorithms are implemented and used, to one that only uses postquantum algorithms. Examples of solutions that could use both types of algorithm include, but are not limited to, [RFC9370], [ID.ietftlshybriddesign], [ID.ietflampspqcompositekem], and [ID.ietflampscertbindingformultiauth]. Schemes that combine postquantum and traditional algorithms for key establishment or digital signatures are often called hybrids. For example: Driscoll, et al. Expires 14 March 2025 [Page 3] InternetDraft PQ/T Hybrid Terminology September 2024 * NIST defines hybrid key establishment to be a "scheme that is a combination of two or more components that are themselves cryptographic keyestablishment schemes" [NIST_PQC_FAQ]; * ETSI defines hybrid key exchanges to be "constructions that combine a traditional key exchange ... with a postquantum key exchange ... into a single key exchange" [ETSI_TS103774]. The word "hybrid" is also used in cryptography to describe encryption schemes that combine asymmetric and symmetric algorithms [RFC9180], so using it in the postquantum context overloads it and risks misunderstandings. However, this terminology is wellestablished amongst the postquantum cryptography (PQC) community. Therefore, an attempt to move away from its use for PQC could lead to multiple definitions for the same concept, resulting in confusion and lack of clarity. At the time of publication, hybrid is generally used for schemes that combine postquantum and traditional algorithms so will be used throughout this document, though some have alternative preferences such as doublealgorithm or multialgorithm. This document provides language for constructions that combine traditional and postquantum algorithms. Specific solutions for enabling use of multiple asymmetric algorithms in cryptographic schemes may be more general than this, allowing the use of solely traditional or solely postquantum algorithms. However, where relevant, we focus on postquantum traditional combinations as these are the motivation for the wider work in the IETF. This document is intended as a reference terminology guide for other documents to add clarity and consistency across different protocols, standards, and organisations. Additionally, this document aims to reduce misunderstanding about use of the word "hybrid" as well as defining a shared language for different types of postquantum and traditional hybrid constructions. Driscoll, et al. Expires 14 March 2025 [Page 4] InternetDraft PQ/T Hybrid Terminology September 2024 In this document, a "cryptographic algorithm" is defined, as in [NIST_SP_800152], to be a "welldefined computational procedure that takes variable inputs, often including a cryptographic key, and produces an output". Examples include RSA, ECDH, MLKEM (formerly known as Kyber) and MLDSA (formerly known as Dilithium). The expression "cryptographic scheme" is used to refer to a construction that uses a cryptographic algorithm or a group of cryptographic algorithms to achieve a particular cryptographic outcome, e.g., key agreement. A cryptographic scheme may be made up of a number of functions. For example, a Key Encapsulation Mechanism (KEM) is a cryptographic scheme consisting of three functions: Key Generation, Encapsulation, and Decapsulation. A cryptographic protocol incorporates one or more cryptographic schemes. For example, TLS [RFC8446] is a cryptographic protocol that includes schemes for key agreement, record layer encryption, and server authentication. 2. Primitives This section introduces terminology related to cryptographic algorithms and to hybrid constructions for cryptographic schemes. *Traditional Asymmetric Cryptographic Algorithm*: An asymmetric cryptographic algorithm based on integer factorisation, finite field discrete logarithms, elliptic curve discrete logarithms, or related mathematical problems. A related mathematical problem is one that can be solved by solving the integer factorisation, finite field discrete logarithm or elliptic curve discrete logarithm problem. Where there is little risk of confusion traditional asymmetric cryptographic algorithms can also be referred to as traditional algorithms for brevity. Traditional algorithms can also be called classical or conventional algorithms. *PostQuantum Asymmetric Algorithm*: An asymmetric cryptographic algorithm that is intended to be secure against attacks using quantum computers as well as classical computers. Where there is little risk of confusion postquantum asymmetric algorithms can also be referred to as postquantum algorithms for brevity. Postquantum algorithms can also be called quantum resistant or quantumsafe algorithms. As with all cryptography, it always remains the case that attacks, either quantum or classical, may be found against postquantum algorithms. Therefore it should not be assumed that just because an algorithm is designed to provide postquantum security it will Driscoll, et al. Expires 14 March 2025 [Page 5] InternetDraft PQ/T Hybrid Terminology September 2024 not be compromised. Should an attack be found against a post quantum algorithm; it is commonly still referred to as a post quantum algorithm as they were designed to protect against an adversary with access to a CRQC and the labels are referring to the designed or desired properties. There may be asymmetric cryptographic constructions that are neither postquantum nor asymmetric traditional algorithms according to the definitions above, but these are out of scope of this document. *Component Asymmetric Algorithm*: Each cryptographic algorithm that forms part of a cryptographic scheme. An asymmetric component algorithm operates on the input of the cryptographic operation and produces a cryptographic output that can be used by itself or jointly to complete the operation. Where there is little risk of confusion, component aysmmetric algorithms can also be referred to as component algorithms for brevity, as is done in the following definitions. *SingleAlgorithm Scheme*: A cryptographic scheme with one component algorithm. A singlealgorithm scheme could use either a traditional algorithm or a postquantum algorithm. *MultiAlgorithm Scheme*: A cryptographic scheme that incorporates more than one component algorithm, where the component algorithms have the same cryptographic purpose as each other and as the multialgorithm scheme. For example, a multialgorithm signature scheme may include multiple signature algorithms or a multialgorithm Public Key Encryption (PKE) scheme may include multiple PKE algorithms. Component algorithms could be all traditional, all postquantum, or a mixture of the two. *PostQuantum Traditional (PQ/T) Hybrid Scheme*: A multialgorithm scheme where at least one component algorithm is a postquantum algorithm and at least one is a traditional algorithm. Components of a PQ/T hybrid scheme operate on the same input message and their output is used together to complete the cryptographic operation either serially or in parallel. PQ/T hybrid scheme design is aimed at requiring successful breaking of all component algorithms to break the PQ/T hybrid scheme's security properties. Driscoll, et al. Expires 14 March 2025 [Page 6] InternetDraft PQ/T Hybrid Terminology September 2024 *PQ/T Hybrid Key Encapsulation Mechanism (KEM)*: A multialgorithm KEM made up of two or more component algorithms where at least one is a postquantum algorithm and at least one is a traditional algorithm. The component algorithms could be KEMs, or other key establishment algorithms. *PQ/T Hybrid Public Key Encryption (PKE)*: A multialgorithm PKE scheme made up of two or more component algorithms where at least one is a postquantum algorithm and at least one is a traditional algorithm. The component algorithms could be PKE algorithms, or other key establishment algorithms. The standard security property for a PKE scheme is indistinguishability under chosenplaintext attack, (INDCPA). INDCPA security is not sufficient for secure communication in the presence of an active attacker. Therefore, in general, PKE schemes are not appropriate for use on the internet, and KEMs, which provide indistiguishability under chosenciphertext attacks (INDCCA security), are required. *PQ/T Hybrid Digital Signature*: A multialgorithm digital signature scheme made up of two or more component digital signature algorithms where at least one is a postquantum algorithm and at least one is a traditional algorithm. Note that there are many possible ways of constructing a PQ/T hybrid digital signatures. Examples include parallel signatures, composite signatures or nested signatures. PQ/T hybrid KEMs, PQ/T hybrid PKE, and PQ/T hybrid digital signatures are all examples of PQ/T hybrid schemes. *PostQuantum Traditional (PQ/T) Hybrid Composite Scheme*: A multi algorithm scheme where at least one component algorithm is a post quantum algorithm and at least one is a traditional algorithm and the resulting composite scheme is exposed as a singular interface of the same type as the component algorithms. A PQ/T Hybrid Composite can be referred to as a PQ/T Composite. Examples of PQ/T Hybrid Composites include a single KEM algorithm comprised of a PQ KEM component and a traditional KEM component, for which the result presents as a KEM output. *PQ/T Hybrid Combiner*: A method that takes two or more component algorithms and combines them to form a PQ/T hybrid scheme. *PQ/PQ Hybrid Scheme*: A multialgorithm scheme where all components are postquantum algorithms. Driscoll, et al. Expires 14 March 2025 [Page 7] InternetDraft PQ/T Hybrid Terminology September 2024 The definitions for types of PQ/T hybrid schemes can be adapted to define types of PQ/PQ hybrid schemes, which are multialgorithm schemes where all component algorithms are PostQuantum algorithms. These are designed to mitigate risks when the two postquantum algorithms are based on different mathematical problems. Some prefer to refer to these as PQ/PQ multialgorithm schemes, and reserve the term hybrid for PQ/T hybrids. In cases where there is little chance of confusion between other types of hybrid cryptography e.g., as defined in [RFC4949], and where the component algorithms of a multialgorithm scheme could be either postquantum or traditional, it may be appropriate to use the phrase "hybrid scheme" without PQ/T or PQ/PQ preceding it. *Component Scheme*: Each cryptographic scheme that makes up a PQ/T hybrid scheme or PQ/T hybrid protocol. 3. Cryptographic Elements This section introduces terminology related to cryptographic elements and their inclusion in hybrid schemes. *Cryptographic Element*: Any data type (private or public) that contains an input or output value for a cryptographic algorithm or for a function making up a cryptographic algorithm. Types of cryptographic elements include public keys, private keys, plaintexts, ciphertexts, shared secrets, and signature values. *Component Cryptographic Element*: A cryptographic element of a component algorithm in a multialgorithm scheme. For example, in [ID.ietftlshybriddesign], the client's keyshare contains two component public keys, one for a post quantum algorithm and one for a traditional algorithm. *Composite Cryptographic Element*: A cryptographic element that incorporates multiple component cryptographic elements of the same type for use in a multialgorithm scheme, such that the resulting composite cryptographic element is exposed as a singular interface of the same type as the component cryptographic elements. For example, a composite cryptographic public key is made up of two component public keys. *PQ/T Hybrid Composite Cryptographic Element*: A cryptographic Driscoll, et al. Expires 14 March 2025 [Page 8] InternetDraft PQ/T Hybrid Terminology September 2024 element that incorporates multiple component cryptographic elements of the same type for use in a multialgorithm scheme, such that the resulting composite cryptographic element is exposed as a singular interface of the same type as the component cryptographic elements, where at least one component cryptographic element is postquantum and at least one is traditional. *Cryptographic Element Combiner*: A method that takes two or more component cryptographic elements of the same type and combines them to form a composite cryptographic element. A cryptographic element combiner could be concatenation, such as where two component public keys are concatenated to form a composite public key as in [ID.ietftlshybriddesign], or something more involved such as the dualPRF defined in [BINDEL]. 4. Protocols This section introduces terminology related to the use of post quantum and traditional algorithms together in protocols. *PQ/T Hybrid Protocol*: A protocol that uses two or more component algorithms providing the same cryptographic functionality, where at least one is a postquantum algorithm and at least one is a traditional algorithm. For example, a PQ/T hybrid protocol providing confidentiality could use a PQ/T hybrid KEM such as in [ID.ietftlshybriddesign], or it could combine the output of a postquantum KEM and a traditional KEM at the protocol level to generate a single shared secret, such as in [RFC9370]. Similarly, a PQ/T hybrid protocol providing authentication could use a PQ/T hybrid digital signature scheme, or it could include both post quantum and traditional singlealgorithm digital signature schemes. A protocol that can negotiate the use of either a traditional algorithm or a postquantum algorithm, but not of both types of algorithm, is not a PQ/T hybrid protocol. Protocols that use two or more component algorithms but with different cryptographic functionality, for example a postquantum KEM and a preshared key (PSK) are also not PQ/T hybrid protocols. *PQ/T Hybrid Protocol with Composite Key Establishment*: A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite scheme to achieve key establishment, in such a way that the protocol fields and message flow are the same as those in a version of the protocol that uses a singlealgorithm scheme. Driscoll, et al. Expires 14 March 2025 [Page 9] InternetDraft PQ/T Hybrid Terminology September 2024 For example, a PQ/T hybrid protocol with composite key establishment could include a single PQ/T hybrid KEM, such as in [ID.ietftlshybriddesign]. *PQ/T Hybrid Protocol with Composite Data Authentication*: A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite scheme to achieve data authentication, in such a way that the protocol fields and message flow are the same as those in a version of the protocol that uses a singlealgorithm scheme. For example, a PQ/T hybrid protocol with composite data authentication could include data authentication through use of a PQ/T composite hybrid digital signature, exposed as a single interface for PQ signature and traditional signature components. *PQ/T Hybrid Protocol with Composite Entity Authentication*: A PQ/T hybrid protocol that incorporates a PQ/T hybrid composite scheme to achieve entity authentication, in such a way that the protocol fields and message flow are the same as those in a version of the protocol that uses a singlealgorithm scheme. For example, a PQ/T hybrid protocol with composite entity authentication could include entity authentication through use of PQ/T Composite Hybrid certificates. In a PQ/T hybrid protocol with a composite construction, changes are primarily made to the formats of the cryptographic elements, while the protocol fields and message flow remain largely unchanged. In implementations, most changes are likely to be made to the cryptographic libraries, with minimal changes to the protocol libraries. *PQ/T Hybrid Protocol with NonComposite Key Establishment*: A PQ/T hybrid protocol that incorporates multiple singlealgorithm schemes to achieve key establishment, where at least one uses a postquantum algorithm and at least one uses a traditional algorithm, in such a way that the formats of the component cryptographic elements are the same as when they are used a part of a singlealgorithm scheme. For example, a PQ/T hybrid protocol with noncomposite key establishment could include a traditional key exchange scheme and a postquantum KEM. A construction like this for IKEv2 is enabled by [RFC9370]. *PQ/T Hybrid Protocol with NonComposite Authentication*: A PQ/T Driscoll, et al. Expires 14 March 2025 [Page 10] InternetDraft PQ/T Hybrid Terminology September 2024 hybrid protocol that incorporates multiple singlealgorithm schemes to achieve authentication, where at least one uses a post quantum algorithm and at least one uses a traditional algorithm, in such a way that the formats of the component cryptographic elements are the same as when they are used a part of a single algorithm scheme. For example, a PQ/T hybrid protocol with noncomposite authentication could use a PQ/T parallel PKI with one traditional certificate chain and one postquantum certificate chain. In a PQ/T hybrid protocol with a noncomposite construction, changes are primarily made to the protocol fields, the message flow, or both, while changes to cryptographic elements are minimised. In implementations, most changes are likely to be made to the protocol libraries, with minimal changes to the cryptographic libraries. It is possible for a PQ/T hybrid protocol to be designed with both composite and noncomposite constructions. For example, a protocol that offers both confidentiality and authentication could have composite key agreement and noncomposite authentication. Similarly, it is possible for a PQ/T hybrid protocol to achieve certain cryptographic outcomes in a nonhybrid manner. For example [ID.ietftlshybriddesign] describes a PQ/T hybrid protocol with composite key agreement, but with singlealgorithm authentication. PQ/T hybrid protocols may not specify noncomposite aspects, but can chose to do so for clarity, in particular if including both composite and noncomposite aspects. *PQ/T Hybrid Composite Protocol*: A PQ/T hybrid protocol that only uses composite constructions can be referred to as a PQ/T Hybrid Composite Protocol. For example, a protocol that only provides entity authentication, and achieves this using PQ/T hybrid composite entity authentication. Similarly, a protocol that offers both key establishment and data authentication, and achieves this using both PQ/T hybrid composite key establishment and PQ/T hybrid composite data authentication. *PQ/T Hybrid NonComposite Protocol*: A PQ/T hybrid protocol that does not use only composite constructions can be referred to as a PQ/T Hybrid NonComposite Protocol. Driscoll, et al. Expires 14 March 2025 [Page 11] InternetDraft PQ/T Hybrid Terminology September 2024 For example, a PQ/T hybrid protocol that offers both confidentiality and authentication and uses composite key agreement and noncomposite authentication would be referred to as a PQ/T hybrid noncomposite protocol. 5. Properties This section describes some properties that may be desired from or achieved by a PQ/T hybrid scheme or PQ/T hybrid protocol. Properties of PQ/T hybrid schemes are still an active area of research and development, e.g., [BINDELHALE]. This section does not attempt to be comprehensive, but rather covers a basic set of properties. It is not possible for one PQ/T hybrid scheme or PQ/T hybrid protocol to achieve all of the properties in this section. To understand what properties are required a designer or implementer will think about why they are using a PQ/T hybrid scheme. For example, a scheme that is designed for implementation security will likely require PQ/T hybrid confidentiality or PQ/T hybrid authentication, while a scheme for interoperability will require PQ/T hybrid interoperability. *PQ/T Hybrid Confidentiality*: The property that confidentiality is achieved by a PQ/T hybrid scheme or PQ/T hybrid protocol as long as at least one component algorithm that aims to provide this property remains secure. *PQ/T Hybrid Authentication*: The property that authentication is achieved by a PQ/T hybrid scheme or a PQ/T hybrid protocol as long as at least one component algorithm that aims to provide this property remains secure. The security properties of a PQ/T hybrid scheme or protocol depend on the security of its component algorithms, the choice of PQ/T hybrid combiner, and the capability of an attacker. Changes to the security of a component algorithm can impact the security properties of a PQ/T hybrid scheme providing hybrid confidentiality or hybrid authentication. For example, if the postquantum component algorithm of a PQ/T hybrid scheme is broken, the scheme will remain secure against an attacker with a classical computer, but will be vulnerable to an attacker with a CRQC. Driscoll, et al. Expires 14 March 2025 [Page 12] InternetDraft PQ/T Hybrid Terminology September 2024 PQ/T hybrid protocols that offer both confidentiality and authentication do not necessarily offer both hybrid confidentiality and hybrid authentication. For example, [ID.ietftlshybriddesign] provides hybrid confidentiality but does not address hybrid authentication. Therefore, if the design in [ID.ietftlshybriddesign] is used with singlealgorithm X.509 certificates as defined in [RFC5280] only authentication with a single algorithm is achieved. *PQ/T Hybrid Interoperability*: The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can be completed successfully provided that both parties share support for at least one component algorithm. For example, a PQ/T hybrid digital signature might achieve hybrid interoperability if the signature can be verified by either verifying the traditional or the postquantum component, such as the approach defined in section 7.2.2 of [ITUTX5092019]. In this example a verifier that has migrated to support postquantum algorithms is required to verify only the postquantum signature, while a verifier that has not migrated will verify only the traditional signature. In the case of a protocol that aims to achieve both authentication and confidentiality, PQ/T hybrid interoperability requires that at least one component authentication algorithm and at least one component algorithm for confidentiality is supported by both parties. It is not possible for a PQ/T hybrid scheme to achieve both PQ/T hybrid interoperability and PQ/T hybrid confidentiality without additional functionality at a protocol level. For PQ/T hybrid interoperability a scheme needs to work whenever one component algorithm is supported by both parties, while to achieve PQ/T hybrid confidentiality all component algorithms need to be used. However, both properties can be achieved in a PQ/T hybrid protocol by building in downgrade protection external to the cryptographic schemes. For example, in [ID.ietftlshybriddesign], the client uses the TLS supported groups extension to advertise support for a PQ/T hybrid scheme and the server can select this group if it supports the scheme. This is protected using TLS's existing downgrade protection, so achieves PQ/T hybrid confidentiality, but the connection can still be made if either the client or server does not support the PQ/T hybrid scheme, so PQ/T hybrid interoperability is achieved. The same is true for PQ/T hybrid interoperability and PQ/T hybrid authentication. It is not possible to achieve both with a PQ/T hybrid scheme alone, but it is possible with a PQ/T hybrid protocol that has appropriate downgrade protection. Driscoll, et al. Expires 14 March 2025 [Page 13] InternetDraft PQ/T Hybrid Terminology September 2024 *PQ/T Hybrid Backwards Compatibility*: The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can be completed successfully provided that both parties support the traditional component algorithm, while also using both algorithms if both are supported by both parties. *PQ/T Hybrid Forwards Compatibility*: The property that a PQ/T hybrid scheme or PQ/T hybrid protocol can be completed successfully using a postquantum component algorithm provided that both parties support it, while also having the option to use both postquantum and traditional algorithms if both are supported by both parties. Note that PQ/T hybrid forwards compatability is a protocol or scheme property only. 6. Certificates This section introduces terminology related to the use of certificates in hybrid schemes. *PQ/T Hybrid Certificate*: A digital certificate that contains public keys for two or more component algorithms where at least one is a traditional algorithm and at least one is a postquantum algorithm. A PQ/T hybrid certificate could be used to facilitate a PQ/T hybrid authentication protocol. However, a PQ/T hybrid authentication protocol does not need to use a PQ/T hybrid certificate; separate certificates could be used for individual component algorithms. The component public keys in a PQ/T hybrid certificate could be included as a composite public key or as individual component public keys. The use of a PQ/T hybrid certificate does not necessarily achieve hybrid authentication of the identity of the sender; this is determined by properties of the chain of trust. For example, an endentity certificate that contains a composite public key, but which is signed using a singlealgorithm digital signature scheme could be used to provide hybrid authentication of the source of a message, but would not achieve hybrid authentication of the identity of the sender. *PostQuantum Certificate*: A digital certificate that contains a single public key for a postquantum digital signature algorithm. Driscoll, et al. Expires 14 March 2025 [Page 14] InternetDraft PQ/T Hybrid Terminology September 2024 *Traditional Certificate*: A digital certificate that contains a single public key for a traditional digital signature algorithm. X.509 certificates as defined in [RFC5280] could be either traditional or postquantum certificates depending on the algorithm in the Subject Public Key Info. For example, a certificate containing a MLDSA public key, as will be defined in [ID.ietflampsdilithiumcertificates], would be a postquantum certificate. *PostQuantum Certificate Chain*: A certificate chain where all certificate include a public key for a postquantum algorithm and are signed using a postquantum digital signature scheme. *Traditional Certificate Chain*: A certificate chain where all certificates include a public key for a traditional algorithm and are signed using a traditional digital signature scheme. *PQ/T Hybrid Certificate Chain*: A certificate chain where all certificates are PQ/T hybrid certificates and each certificate is signed with two or more component algorithms with at least one being a traditional algorithm and at least one being a post quantum algorithm. A PQ/T hybrid certificate chain is one way of achieving hybrid authentication of the identity of a sender in a protocol, but is not the only way. An alternative is to use a PQ/T parallel PKI as defined below. *PQ/T Mixed Certificate Chain*: A certificate chain containing at least two of the three certificate types defined in this draft (PQ/T hybrid certificates, postquantum certificates and traditional certificates) For example, a traditional endentity certificate could be signed by a postquantum intermediate certificate, which in turn could be signed by a postquantum root certificate. This may be desirable due to the lifetimes of the certificates, the relative difficulty of rotating keys, or for efficiency reasons. The security properties of a certificate chain that mixes postquantum and traditional algorithms would need to be analysed on a casebycase basis. *PQ/T Parallel PKI*: Two certificate chains, one a postquantum certificate chain and one a traditional certificate chain, that are used together in a protocol. Driscoll, et al. Expires 14 March 2025 [Page 15] InternetDraft PQ/T Hybrid Terminology September 2024 A PQ/T parallel PKI might be used achieve hybrid authentication or hybrid interoperability depending on the protocol implementation. *MultiCertificate Authentication*: Authentication that uses two or more endentity certificates. For example, multicertificate authentication may be achieved using a PQ/T parallel PKI. 7. Security Considerations This document defines securityrelevant terminology to be used in documents specifying PQ/T hybrid protocols and schemes. However, the document itself does not have a security impact on Internet protocols. The security considerations for each PQ/T hybrid protocol are specific to that protocol and should be discussed in the relevant specification documents. More general guidance about the security considerations, timelines, and benefits and drawbacks of use of PQ/T hybrids is also out of scope of this document. 8. IANA Considerations This document has no IANA actions. 9. Informative References [BINDEL] Bindel, N., Brendel, J., Fischlin, M., Goncalves, B., and D. Stebila, "Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange", PostQuantum Cryptography pp.206226, DOI 10.1007/9783030255107_12, July 2019, <https://doi.org/10.1007/9783030255107_12>. [BINDELHALE] Bindel, N. and B. Hale, "A Note on Hybrid Signature Schemes", Cryptology ePrint Archive, Paper 2023/423, 23 July 2023, <https://eprint.iacr.org/2023/423.pdf>. [ETSI_TS103774] ETSI TS 103 744 V1.1.1, "CYBER; Quantumsafe Hybrid Key Exchanges", December 2020, <https://www.etsi.org/deliver/ etsi_ts/103700_103799/103744/01.01.01_60/ ts_103744v010101p.pdf>. Driscoll, et al. Expires 14 March 2025 [Page 16] InternetDraft PQ/T Hybrid Terminology September 2024 [ID.ietflampscertbindingformultiauth] Becker, A., Guthrie, R., and M. J. Jenkins, "Related Certificates for Use in Multiple Authentications within a Protocol", Work in Progress, InternetDraft, draftietf lampscertbindingformultiauth05, 29 April 2024, <https://datatracker.ietf.org/doc/html/draftietflamps certbindingformultiauth05>. [ID.ietflampsdilithiumcertificates] Massimo, J., Kampanakis, P., Turner, S., and B. Westerbaan, "Internet X.509 Public Key Infrastructure: Algorithm Identifiers for MLDSA", Work in Progress, InternetDraft, draftietflampsdilithiumcertificates 04, 22 July 2024, <https://datatracker.ietf.org/doc/html/ draftietflampsdilithiumcertificates04>. [ID.ietflampspqcompositekem] Ounsworth, M., Gray, J., Pala, M., Klaußner, J., and S. Fluhrer, "Composite MLKEM for Use in the Internet X.509 Public Key Infrastructure and CMS", Work in Progress, InternetDraft, draftietflampspqcompositekem04, 8 July 2024, <https://datatracker.ietf.org/doc/html/draft ietflampspqcompositekem04>. [ID.ietftlshybriddesign] Stebila, D., Fluhrer, S., and S. Gueron, "Hybrid key exchange in TLS 1.3", Work in Progress, InternetDraft, draftietftlshybriddesign10, 5 April 2024, <https://datatracker.ietf.org/doc/html/draftietftls hybriddesign10>. [ITUTX5092019] ITUT, "ITUT X.509 The Directory  Publickey and attribute certificate frameworks", January 2019, <https://www.itu.int/rec/TRECX.509201910I>. [NIST_PQC_FAQ] National Institute of Standards and Technology (NIST), "PostQuantum Cryptography FAQs", 5 July 2022, <https://csrc.nist.gov/Projects/postquantumcryptography/ faqs>. [NIST_SP_800152] Barker, E. B., Smid, M., Branstad, D., and National Institute of Standards and Technology (NIST), "NIST SP 800152 A Profile for U. S. Federal Cryptographic Key Management Systems", October 2015, <https://doi.org/10.6028/NIST.SP.800152>. Driscoll, et al. Expires 14 March 2025 [Page 17] InternetDraft PQ/T Hybrid Terminology September 2024 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, <https://www.rfceditor.org/rfc/rfc4949>. [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfceditor.org/rfc/rfc5280>. [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfceditor.org/rfc/rfc8446>. [RFC9180] Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid Public Key Encryption", RFC 9180, DOI 10.17487/RFC9180, February 2022, <https://www.rfceditor.org/rfc/rfc9180>. [RFC9370] Tjhai, CJ., Tomlinson, M., Bartlett, G., Fluhrer, S., Van Geest, D., GarciaMorchon, O., and V. Smyslov, "Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 9370, DOI 10.17487/RFC9370, May 2023, <https://www.rfceditor.org/rfc/rfc9370>. Acknowledgments This document is the product of numerous fruitful discussions in the IETF PQUIP group. Thank you in particular to Mike Ounsworth, John Gray, Tim Hollebeek, Wang Guilin, Rebecca Guthrie, Stephen Farrell, Paul Hoffman and Sofía Celi for their contributions. This document is inspired by many others from the IETF and elsewhere. Authors' Addresses Florence Driscoll UK National Cyber Security Centre Email: florence.d@ncsc.gov.uk Michael Parsons UK National Cyber Security Centre Email: michael.p1@ncsc.gov.uk Britta Hale Naval Postgraduate School Email: britta.hale@nps.edu Driscoll, et al. Expires 14 March 2025 [Page 18]