{"draft":"draft-irtf-cfrg-hpke-12","doc_id":"RFC9180","title":"Hybrid Public Key Encryption","authors":["R. Barnes","K. Bhargavan","B. Lipp","C. Wood"],"format":["HTML","TEXT","PDF","XML"],"page_count":"107","pub_status":"INFORMATIONAL","status":"INFORMATIONAL","source":"Crypto Forum Research Group","abstract":"This document describes a scheme for hybrid public key encryption\r\n(HPKE). This scheme provides a variant of public key encryption of\r\narbitrary-sized plaintexts for a recipient public key. It also\r\nincludes three authenticated variants, including one that\r\nauthenticates possession of a pre-shared key and two optional ones\r\nthat authenticate possession of a key encapsulation mechanism (KEM)\r\nprivate key. HPKE works for any combination of an asymmetric KEM, key\r\nderivation function (KDF), and authenticated encryption with\r\nadditional data (AEAD) encryption function. Some authenticated\r\nvariants may not be supported by all KEMs. We provide instantiations\r\nof the scheme using widely used and efficient primitives, such as\r\nElliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key\r\nderivation function (HKDF), and SHA2.\r\n\r\nThis document is a product of the Crypto Forum Research Group (CFRG)\r\nin the IRTF.","pub_date":"February 2022","keywords":["public-key encryption","key encapsulation","post-quantum public-key encryption"],"obsoletes":[],"obsoleted_by":[],"updates":[],"updated_by":[],"see_also":[],"doi":"10.17487\/RFC9180","errata_url":"https:\/\/www.rfc-editor.org\/errata\/rfc9180"}