RFC 9794: Terminology for Post-Quantum Traditional Hybrid Schemes

Executive Summary

RFC 9794 establishes standardized terminology for hybrid cryptographic schemes that combine post-quantum and traditional algorithms. As organizations prepare for the quantum computing threat, this reference document ensures consistent communication across protocols, standards, and security teams. It defines key concepts including PQ/T hybrid schemes, composite constructions, security properties (hybrid confidentiality, hybrid authentication), and certificate structures. Understanding this terminology is essential for effective risk assessment and migration planning in the post-quantum transition.

Background and Stakes

The threat of Cryptographically Relevant Quantum Computers (CRQC) makes current asymmetric algorithms based on integer factorization and discrete logarithms vulnerable. Data encrypted today can be stored for future decryption by an attacker with a CRQC.

The response to this threat includes migration to post-quantum algorithms, but the transition carries risks related to deploying new, unproven algorithms. Hybrid schemes, combining traditional and post-quantum algorithms, provide a mitigation approach during this transition period.

RFC Objective

This document establishes standardized terminology for hybrid constructions combining post-quantum and traditional algorithms. It aims to ensure consistency and clarity across different protocols, standards, and organizations.

Key Definitions

Algorithms

Traditional asymmetric algorithm: Algorithm whose security rests on integer factorization or on discrete logarithms over finite fields or elliptic curves (e.g., RSA, ECDH).

Post-quantum algorithm: Algorithm designed to resist attacks by both quantum and classical computers (e.g., ML-KEM, formerly Kyber; ML-DSA, formerly Dilithium).

Hybrid Schemes

Multi-algorithm scheme: Construction incorporating multiple algorithms with the same cryptographic purpose.

PQ/T hybrid scheme (Post-Quantum/Traditional): Multi-algorithm scheme with at least one post-quantum algorithm and one traditional algorithm. Its security rests on the requirement that an attacker break every component algorithm, not just one.

PQ/T hybrid composite scheme: Hybrid scheme exposed as a single interface of the same type as the component algorithms (e.g., a single KEM composed of a PQ KEM and a traditional KEM).

Types of Hybrid Schemes

  • PQ/T hybrid KEM: Key Encapsulation Mechanism combining PQ and traditional components
  • PQ/T hybrid PKE: Hybrid public key encryption (caution: IND-CPA security is insufficient for Internet use; prefer a KEM with IND-CCA security)
  • PQ/T hybrid digital signature: Parallel, composite, or nested signatures

Hybrid Protocols

PQ/T hybrid protocol: Protocol using at least one PQ algorithm and one traditional algorithm for the same cryptographic function.

Composite construction: Changes are made primarily at the level of cryptographic element formats (keys, ciphertexts, signatures); the protocol and message flow remain largely unchanged.

Non-composite construction: Changes are made primarily at the level of protocol fields and message flow.

Properties of Hybrid Schemes

Security Properties

PQ/T hybrid confidentiality: Confidentiality is achieved as long as at least one component algorithm remains secure.

PQ/T hybrid authentication: Authentication is achieved as long as at least one component algorithm remains secure.

Important limitation: If the PQ component is broken, security rests on the traditional component alone; the scheme then remains secure against a classical attacker but is vulnerable to a CRQC.
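The composite PQ/T KEM defined above, and the hybrid-confidentiality property it targets, as an added Python illustration (this is not code from RFC 9794 or any implementation it cites). The two component KEMs are constructed placeholders with no security of their own; the point is the composite interface and the combiner, which binds both shared secrets and both ciphertexts so the output stays unpredictable while at least one component secret is unknown. The domain label and the fixed 32-byte field lengths are assumptions for the placeholders.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Callable

# Minimal KEM interface shared by each component and by the composite itself.
@dataclass
class KEM:
    keygen: Callable[[], tuple[bytes, bytes]]        # -> (pk, sk)
    encaps: Callable[[bytes], tuple[bytes, bytes]]   # pk -> (ct, ss)
    decaps: Callable[[bytes, bytes], bytes]          # (sk, ct) -> ss

def placeholder_kem(tag: bytes) -> KEM:
    """Constructed stand-in with NO security (ss is computable from pk and ct).
    It only supplies the keygen/encaps/decaps shape; a deployment would plug in
    a real PQ KEM (e.g. ML-KEM) and a real traditional KEM (e.g. ECDH)."""
    def keygen() -> tuple[bytes, bytes]:
        sk = os.urandom(32)
        return hashlib.sha256(tag + sk).digest(), sk
    def encaps(pk: bytes) -> tuple[bytes, bytes]:
        ct = os.urandom(32)
        return ct, hashlib.sha256(tag + pk + ct).digest()
    def decaps(sk: bytes, ct: bytes) -> bytes:
        pk = hashlib.sha256(tag + sk).digest()
        return hashlib.sha256(tag + pk + ct).digest()
    return KEM(keygen, encaps, decaps)

def combine(ss_pq: bytes, ss_t: bytes, ct_pq: bytes, ct_t: bytes) -> bytes:
    """Combiner: hash both shared secrets and both ciphertexts under a domain label.
    Anyone lacking either component secret cannot predict the output, which is
    what gives the composite its PQ/T hybrid confidentiality."""
    label = b"PQ/T-composite-KEM-example"   # constructed label, not a registered value
    return hashlib.sha256(label + ss_pq + ss_t + ct_pq + ct_t).digest()

def composite_kem(pq: KEM, trad: KEM, pq_len: int = 32) -> KEM:
    """Composite PQ/T KEM: one KEM interface; keys and ciphertexts are the
    concatenation of the components' values (pq_len = PQ pk/sk/ct length here)."""
    def keygen() -> tuple[bytes, bytes]:
        (pk1, sk1), (pk2, sk2) = pq.keygen(), trad.keygen()
        return pk1 + pk2, sk1 + sk2
    def encaps(pk: bytes) -> tuple[bytes, bytes]:
        ct1, ss1 = pq.encaps(pk[:pq_len])
        ct2, ss2 = trad.encaps(pk[pq_len:])
        return ct1 + ct2, combine(ss1, ss2, ct1, ct2)
    def decaps(sk: bytes, ct: bytes) -> bytes:
        ss1 = pq.decaps(sk[:pq_len], ct[:pq_len])
        ss2 = trad.decaps(sk[pq_len:], ct[pq_len:])
        return combine(ss1, ss2, ct[:pq_len], ct[pq_len:])
    return KEM(keygen, encaps, decaps)

def roundtrip() -> bool:
    """Both parties must derive the same composite shared secret."""
    kem = composite_kem(placeholder_kem(b"pq"), placeholder_kem(b"trad"))
    pk, sk = kem.keygen()
    ct, ss_sender = kem.encaps(pk)
    return ss_sender == kem.decaps(sk, ct)
```

Note that `combine` also hashes in the ciphertexts: a combiner that hashed only the two shared secrets would leave the composite's binding to the transcript weaker than the components' own.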

Interoperability Properties

PQ/T hybrid interoperability: The scheme/protocol works if both parties support at least one component algorithm.

Backwards compatibility: Guaranteed operation if both parties support the traditional algorithm.

PQ/T forwards compatibility: The PQ algorithm is used whenever both parties support it, with the option of using both algorithms.

Interoperability/confidentiality conflict: Hybrid interoperability and hybrid confidentiality cannot both be achieved at once without additional protocol-level downgrade protection, since a peer that accepts a single component algorithm can be steered onto that algorithm alone.

Certificates and PKI

PQ/T hybrid certificate: Certificate containing public keys for at least one PQ algorithm and one traditional algorithm (can be in composite form or separate).

PQ/T hybrid certificate chain: All certificates are PQ/T hybrid and signed with both algorithm types.

PQ/T parallel PKI: Two separate certificate chains (one PQ, one traditional) used together in a protocol.

Important: Using a hybrid certificate does not automatically guarantee hybrid authentication of identity; that depends on the properties of the whole trust chain.

Implications for Operational Security

For Security Teams

  1. Risk assessment: Understand that hybrid schemes offer enhanced protection but with trade-offs (performance, complexity)
  2. Migration planning: Hybrid schemes facilitate a gradual transition to post-quantum algorithms
  3. Implementation validation: Verify that deployed hybrid protocols actually provide expected security properties (hybrid confidentiality, hybrid authentication)
  4. Downgrade protection: Ensure protocols include protection mechanisms to prevent negotiation to weaker algorithms

Key Considerations

  • A protocol offering confidentiality and authentication does not necessarily offer both in hybrid mode
  • PQ/PQ schemes (two post-quantum algorithms based on different mathematical problems) also exist, to mitigate the risk that one of those problems is broken
  • The security of a hybrid scheme depends on component algorithms, the chosen hybrid combiner, and attacker capabilities

Normative References

  • Implementation examples: RFC 9370 (IKEv2), RFC 9763, Hybrid TLS
  • Standards: NIST PQC, ETSI TS 103 774
  • Protocols: TLS (RFC 8446), X.509 (RFC 5280)

Conclusion

This RFC provides the essential reference vocabulary for understanding and implementing post-quantum/traditional hybrid schemes. It does not prescribe specific solutions but establishes a common language for the security community facing the post-quantum transition.