Skip to main content

Combiner function for hybrid key encapsulation mechanisms (Hybrid KEMs)

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Active".
Expired & archived
Authors Mike Ounsworth , Aron Wussler , Stavros Kousidis
Last updated 2024-01-09 (Latest revision 2023-07-08)
RFC stream (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


The migration to post-quantum cryptography often calls for performing multiple key encapsulations in parallel and then combining their outputs to derive a single shared secret. This document defines a comprehensible and easy to implement Keccak- based KEM combiner to join an arbitrary number of key shares, that is compatible with NIST SP 800-56Cr2 [SP800-56C] when viewed as a key derivation function. The combiners defined here are practical split- key PRFs and are CCA-secure as long as at least one of the ingredient KEMs is.


Mike Ounsworth
Aron Wussler
Stavros Kousidis

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)