multiple types of keying material in TLS is the use of pre-shared keys, especially the recent TLS working group document on including an external pre-shared key [EXTERN-PSK]. Considering other IETF standards, there is work on post-quantum preshared keys in IKEv2 [IKE-PSK] and a framework for hybrid key exchange in IKEv2 [IKE-HYBRID].
Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography.
It is intended as a terminology guide for other documents to add clarity and consistency across different protocols, standards, and organisations. Additionally, it aims to reduce misunderstanding about use of the word "hybrid" as well as defining a shared language for different types of post-quantum traditional hybrid constructions.
Internet-Draft ietf-tls-hybrid-design July 2021
This is the approach used in [SCHANCK]. [BINDEL] analyzes the security of this approach as abstracted in their nested dual-PRF "N" combiner, showing a similar result as for the dual-PRF combiner that it preserves IND-CPA (or IND-CCA) security.
Section 4.2.7 of [RFC8446]. Then the TLS client's 'key_exchange' value of the 'key_share' extension is the concatenation of the curveSM2 ephemeral share and ML-KEM768 encapsulation key. The ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of [RFC8446]. The
document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Discussion of this work is encouraged to happen on the TLS IETF mailing list tls@ietf.org or on the GitHub repository which contains the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design. Status of This Memo
This approach is not taken in any of the known post-quantum/hybrid TLS drafts. However, it bears some similarities to the approach for using external PSKs in [EXTERN-PSK].
B.4.7. Benefits and Drawbacks
*New logic.* While (Comb-Concat) (Appendix B.4.1), (Comb-KDF-1) (Appendix B.4.2), and (Comb-KDF-2) (Appendix B.4.3) require new logic
Appendix A. Change log
* draft-kwiatkowski-tls-ecdhe-mlkem-03:
  - Adds P-384 combined with ML-KEM-1024
  - Adds text that describes error-handling and outlines how the client and server must ensure the integrity of the key exchange process.
  - Adds note on the incompatibility of the codepoint name X25519MLKEM768 with [hybrid].