Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

Proposed WG HPKE Publication, Kept Efficient (hpke)

WG	Name	HPKE Publication, Kept Efficient
	Acronym	hpke
	Area	Security Area (sec)
	State	Proposed
	Charter	charter-ietf-hpke-00-03 External Review (Message to Community, Selected by Secretariat)
	Document dependencies	Document dependencies Loading... Pan and zoom the dependency graph after the layout settles. Show legend Loading...
	Additional resources	GitHub Organization
Personnel	Chairs	Martin Thomson, Yaroslav Rosomakho
	Area Director	Deb Cooley
Mailing list	Address	hpke@ietf.org
	To subscribe	https://mailman3.ietf.org/mailman3/lists/hpke.ietf.org/
	Archive	https://mailarchive.ietf.org/arch/browse/hpke
Chat	Room address	https://zulip.ietf.org/#narrow/stream/hpke

Charter for proposed Working Group

Hybrid Public Key Exchange (HPKE) [RFC 9180] defines an authenticated encryption encapsulation format that combines a semi-static asymmetric key exchange with a symmetric cipher. This format is used in several IETF protocols, such as MLS [RFC 9420] and TLS Encrypted ClientHello [draft-ietf-tls-esni]. The fact that HPKE is defined in an Informational document on the IRTF stream, however, has caused some confusion as to its usability, especially with other standards organizations. Also, there are currently no “post-quantum” (PQ) Key Encapsulation Mechanisms (KEMs) defined for HPKE, in the sense of algorithms that are resilient to attack by a quantum computer.

The hpke Working Group is tasked with two responsibilities:

Re-publish the HPKE specification as a Standards Track document of the IETF, with targeted changes based on experience with its use:
- The working group may decide to apply any validated errata filed on RFC 9180 (Verified or Hold for Document Update).
- The working group may decide to remove functionality that is not widely used.
- The working group may define how Key Derivation Functions (KDFs) that are not two-step might be used with HPKE.
Define PQ algorithms for HPKE from among the following:
- New KEMs based on hybrid combinations of ML-KEM and ECDH (ML-KEM-768 with X25519, ML-KEM-768 with P-256, and ML-KEM-1024 with P-384) and standalone ML-KEM (ML-KEM-768 and ML-KEM-1024).
- New KDFs incorporating SHA3

Differences between the Standards Track version of HPKE and the Informational version (RFC9180) documents should be minimized, in order to minimize impact on existing deployments. The Standards Track and Informational versions must have identical behavior for any functionality that they both specify.

The group might select a number of cipher suites that address different use cases, security levels, and attacker threat models.

Proposed milestones

Date	Milestone	Associated documents
Jul 2025	New post-quantum and post-quantum/traditional hybrid cipher suites for HPKE to the IESG as Proposed Standard
Jun 2025	HPKE specification to the IESG as Proposed Standard