| Internet-Draft | hybrid-kems | June 2025 |
| Connolly & Barnes | Expires 14 December 2025 | [Page] |
Post-quantum (PQ) algorithms are designed to resist attack by a quantum computer, in contrast to "traditional" algorithms. However, given the novelty of PQ algorithms, there is some concern that PQ algorithms currently believed to be secure will be broken. Hybrid constructions that combine both PQ and traditional algorithms can help moderate this risk while still providing security against quantum attack. In this document, we define constructions for hybrid Key Encapsulation Mechanisms (KEMs) based on combining a traditional KEM and a PQ KEM. Hybrid KEMs using these constructions provide strong security properties as long as the undelying algorithms are secure.¶
This note is to be removed before publishing as an RFC.¶
Discussion of this document takes place on the Crypto Forum Research Group mailing list (cfrg@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/cfrg.¶
Source for this draft and an issue tracker can be found at https://github.com/cfrg/draft-irtf-cfrg-hybrid-kems.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 14 December 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
Post-quantum (PQ) cryptographic schemes offer new constructions based on problems conjectured as resistant to attacks possible on a quantum computer. Key Encapsulation Mechanisms (KEMs), are a standardized class of cryptographic scheme that can be used to build protocols in lieu of traditional, quantum-vulnerable variants such as finite field or elliptic curve Diffie-Hellman (DH) based protocols.¶
Given the novelty of PQ algorithms, however, there is some concern that PQ algorithms currently believed to be secure will be broken. Hybrid constructions that combine both PQ and traditional algorithms can help moderate this risk while still providing security against quantum attack. If construted properly, a hybrid KEM will retain certain security properties even if one of the two constituent KEMs is compromised. If the PQ KEM is broken, then the hybrid KEM should continue to provide security against non-quantum attackers by virtue of its traditional KEM component. If the traditional KEM is broken by a quantum computer, then the hybrid KEM should continue to resist quantum attack by virtue of its PQ KEM component.¶
In addition to guarding against algorithm weaknesses, this property also guards against flaws in implementations, such as timing attacks. Hybrid KEMs can also facilitate faster deployment of PQ security by allowing applications to incorporate PQ algorithms while still meeting compliance requirements based on traditional algorithms.¶
In this document, we define generic schemes for constructing hybrid KEMs from a traditional algorithm and a PQ KEM. The aim of this document is provide a small set of techniques to achieve specific security properties given conforming component algorithms, which should make these techniques suitable for a broad variety of use cases.¶
The remainder of this document is structured as follows: first, in Section 4 and Section 5, we define the abstractions on which the schemes are built, and then the schemes themselves. Then, in Section 6, we lay out the security analyses that support these constructions, including the security requirements for constituent components and the security notions satisfied by hybrid KEMS constructed according to the schemes in the document Section 6.3. Finally, we discuss some "path not taken", related topics that might be of interest to readers, but which are not treated in depth.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document is consistent with all terminology defined in [I-D.ietf-pquip-pqt-hybrid-terminology].¶
The following terms are used throughout this document:¶
random(n): return a pseudorandom byte string of length n bytes produced
by a cryptographically-secure random number generator.¶
concat(x0, ..., xN): Concatenation of byte strings. concat(0x01,
0x0203, 0x040506) = 0x010203040506.¶
split(N1, N2, x): Split a byte string x of length N1 + N2 into its
first N1 bytes and its last N2 bytes. This function is the inverse of
concat(x1, x2) when x1 is N1 bytes long and x2 is N2 bytes
long. It is an error to call this function with a byte string that does not
have length N1 + N2. Since this function operates over secret data x,
it MUST be constant-time for a given N1 and N2.¶
When x is a byte string, we use the notation x[..i] and x[i..] to
denote the slice of bytes in x starting from the beginning of x and
leading up to index i, including the i-th byte, and the slice the bytes
in x starting from index i to the end of x, respectively. For example,
if x = [0, 1, 2, 3, 4], then x[..2] = [0, 1] and x[2..] = [2, 3, 4].¶
The generic hybrid PQ/T KEM constructions we define depend on the the following cryptographic primitives:¶
Key Encapsulation Mechanisms (Section 4.1)¶
Nominal Groups (Section 4.2)¶
Key Derivation Functions (Section 4.3)¶
Pseudorandom Generators (Section 4.4)¶
In the remainder of this section, we describe functional aspects of these mechanisms. The security properties we require in order for the resulting hybrid KEM to be secure are discussed in Section 6.¶
A Key Encapsulation Mechanism (KEMs) comprises the following algorithms:¶
GenerateKeyPair() -> (ek, dk): A randomized algorithm that generates a
public encapsulation key ek and a secret decapsulation key dk, each of
which are byte strings.¶
DeriveKeyPair(seed) -> (ek, dk): A deterministic algorithm that takes as
input a seed seed and generates a public encapsulation key ek and a
secret decapsulation key dk, each of which are byte strings.¶
Encaps(ek) -> (ct, ss): A probabilistic encapsulation
algorithm, which takes as input a public encapsulation key ek and outputs
a ciphertext ct and shared secret ss.¶
Decaps(dk, ct) -> ss: A decapsulation algorithm, which takes
as input a secret decapsulation key dk and ciphertext ct and outputs a
shared secret ss.¶
A KEM may also provide a deterministic version of Encaps (e.g., for
purposes of testing):¶
EncapsDerand(ek, randomness) -> (ct, shared_secret): A deterministic
encapsulation algorithm, which takes as input a public encapsulation key
ek and randomness randomness, and outputs a ciphertext ct and shared
secret shared_secret.¶
We assume that the values produced and consumed by the above functions are all byte strings, with fixed lengths:¶
Nseed: The length in bytes of a key seed (input to DeriveKeyPair)¶
Nek: The length in bytes of a public encapsulation key¶
Ndk: The length in bytes of a secret decapsulation key¶
Nct: The length in bytes of a ciphertext produced by Encaps¶
Nss: The length in bytes of a shared secret produced by Encaps or Decaps¶
Nominal groups are an abstract model of elliptic curve groups, over which we
instantiate Diffie-Hellman key agreement [ABH_21]. A nominal group
comprises a set G together with a distinguished basis element g, an
"exponentiation" map, and some auxiliary functions:¶
Exp(p, x) -> q: An algorithm that produces an element q of G from an
element p and an integer x.¶
RandomScalar(seed) -> k: Produce a uniform pseudo-random scalar from the
byte string seed.¶
ElementToSharedSecret(P) -> ss: Extract a shared secret from an element of
the group (e.g., by taking the X coordinate of an ellpitic curve point).¶
We assume that scalars and group elements are represented by byte strings with fixed lengths:¶
Nseed: The length in bytes of a seed (input to RandomScalar)¶
Nscalar: The length in bytes of a scalar¶
Nelem: The length in bytes of a serialized group element¶
Nss: The length in bytes of a shared secret produced by
ElementToSharedSecret¶
The security requirements for groups used with the schemes in this document are laid out in Section 6.3.2.¶
A Key Derivation Function (KDF) is a function that a function that produces keying material based on an input secret and other information.¶
While KDFs in the literature can typically consume and produce byte strings of arbitrary length, the KDFs used in this document have a simpler form, with a fixed output lengths:¶
Nin - The length in bytes of an input to this KDF.¶
Nout - The length in bytes of an output from this KDF.¶
KDF(input) -> output: Produce a byte string of length Nout from an input
byte string.¶
The fixed sizes are for both security and simplicity.¶
For instances of the Extract()/Expand() KDF paradigm such as HKDF, we fix
the salt and sizes to fit this form.¶
The security requirements for KDFs used with the schemes in this document are laid out in Section 6.3.3.¶
PRG
A pseudorandom generator (PRG) is a deterministic function G whose outputs
are longer than its inputs. When the input to G is chosen uniformly at
random, it induces a certain distribution over the possible output. The
output distribution is pseudorandom if it is indistinguishable from the
uniform distribution.¶
The PRGs used in this document have a simpler form, with a fixed output lengths:¶
Nin - The length in bytes of an input to this PRG.¶
Nout - The length in bytes of an output from this PRG which is longer
than Nin.¶
PRG(seed) -> output: Produce a byte string of length Nout from an input
byte string seed.¶
The fixed sizes are for both security and simplicity.¶
MUST provide the bit-security required to source input randomness for PQ/T components from a seed that is expanded to a output length, of which a subset is passed to the component key generation algorithms.¶
The security requirements for PRGs used with the schemes in this document are laid out in Section 6.3.4.¶
In this section, we define three generic schemes for building for hybrid KEMs:¶
GHP - A generic construction that is suitable for use with any choice of
traditional and PQ KEMs, with minimal security assumptions on the
constituent KEMs¶
PRE - A performance optimization of GHP for the case where
encapsulation keys are large and frequently reused¶
QSF - An optimized generic construction for the case where the
traditional component is a nominal group and the PQ component has strong
binding properties¶
These schemes share a common overall structure, differing mainly in how they compute the final shared secret and the security requirements of their components.¶
GHP
The GHP hybrid KEM depends on the following constituent
components:¶
KEM_T: A traditional KEM¶
KEM_PQ: A post-quantum KEM¶
PRG: A PRG producing byte strings of length KEM_T.Nseed + KEM_PQ.Nseed
(PRG.Nout == KEM_T.Nseed + KEM_PQ.Nseed)¶
KDF: A KDF producing byte strings of length GHP.Nss (KDF.Nout
== GHP.Nss)¶
Label - A byte string used to label the specific combination of the above
constituents being used.¶
The KEMs, groups, KDFs, and PRGs MUST meet the security requirements in Section 6.3.¶
The constants associated with the hybrid KEM are mostly derived from the concatenation of keys and ciphertexts:¶
Nek = KEM_T.Nek + KEM_PQ.Nek Ndk = KEM_T.Ndk + KEM_PQ.Ndk Nct = KEM_T.Nct + KEM_PQ.Nct¶
The Nseed and Nss constants should reflect the overall security level of the
combined KEM, with the following recommended values:¶
Nseed = max(KEM_T.Nseed, KEM_PQ.Nseed) Nss = min(KEM_T.Nss, KEM_PQ.Nss)¶
Given these constituent parts, the GHP hybrid KEM is defined as
follows:¶
def GenerateKeyPair():
seed = random(Nseed)
return DeriveKeyPair(seed)
def DeriveKeyPair(seed):
seed_full = PRG(seed)
(seed_T, seed_PQ) = split(KEM_T.Nseed, KEM_PQ.Nseed, seed)
(ek_T, dk_T) = KEM_T.DeriveKeyPair(seed_T)
(ek_PQ, dk_PQ) = KEM_PQ.DeriveKeyPair(seed_PQ)
ek_H = concat(ek_T, ek_PQ)
dk_H = concat(dk_T, dk_PQ)
return (ek_H, dk_H)
def Encaps(ek):
(ek_T, ek_PQ) = split(KEM_T.Nek, KEM_PQ.Nek, ek)
(ss_T, ct_T) = KEM_T.Encap(pk_T)
(ss_PQ, ct_PQ) = KEM_PQ.Encap(pk_PQ)
ss_H = KDF(concat(ss_PQ, ss_T, ct_PQ, ct_T, ek_PQ, ek_T, label))
ct_H = concat(ct_T, ct_PQ)
return (ss_H, ct_H)
def Decaps(dk, ct):
(dk_T, dk_PQ) = split(KEM_T.Ndk, KEM_PQ.Ndk, dk)
ek_T = KEM_T.ToEncaps(dk_T)
ek_PQ = KEM_PQ.ToEncaps(dk_PQ)
(ct_T, ct_PQ) = split(KEM_T.Nct, KEM_PQ.Nct, ct)
ss_T = KEM_T.Decap(dk_T, ct_T)
ss_PQ = KEM_PQ.Decap(dk_PQ, ct_PQ)
ss_H = KDF(concat(ss_PQ, ss_T, ct_PQ, ct_T, ek_PQ, ek_T, label))
return ss_H
¶
PRE
The PRE hybrid KEM is a performance optimization of the GHP KEM,
optimized for the case where encapsulation keys are large and frequently
reused. In such cases, hashing the entire encapsulation key is expensive, and
the same value is hashed repeatedly. The PRE KEM thus computes an
intermediate hash of the hybrid encapsulation key, so that the hash value can
be computed once and used across many encapsulation or decapsulation
operations.¶
The PRE KEM is identical to the GHP KEM except for the
shared secret computation. One additional KDF is required:¶
KeyHash: A KDF producing byte strings of length GHP.Nss (KeyHash.Nout
== GHP.Nss)¶
The GenerateKeyPair and DeriveKeyPair algorithms for PRE are
identical to those of the GHP KEM. The Encaps and Decaps
method use a modified shared secret computation:¶
def Encaps(ek):
(ek_T, ek_PQ) = split(KEM_T.Nek, KEM_PQ.Nek, ek)
(ss_T, ct_T) = KEM_T.Encap(pk_T)
(ss_PQ, ct_PQ) = KEM_PQ.Encap(pk_PQ)
ekh = KeyHash(concat(ek_T, ek_PQ))
ss_H = KDF(concat(ss_PQ, ss_T, ct_PQ, ct_T, ekh, label))
ct_H = concat(ct_T, ct_PQ)
return (ss_H, ct_H)
def Decaps(dk, ct):
(dk_T, dk_PQ) = split(KEM_T.Ndk, KEM_PQ.Ndk, dk)
ek_T = KEM_T.ToEncaps(dk_T)
ek_PQ = KEM_PQ.ToEncaps(dk_PQ)
(ct_T, ct_PQ) = split(KEM_T.Nct, KEM_PQ.Nct, ct)
ss_T = KEM_T.Decap(dk_T, ct_T)
ss_PQ = KEM_PQ.Decap(dk_PQ, ct_PQ)
ekh = KeyHash(concat(ek_T, ek_PQ))
ss_H = KDF(concat(ss_PQ, ss_T, ct_PQ, ct_T, ekh, label))
return ss_H
¶
QSF
The QSF hybrid KEM (QSF below) depends on the following constituent
components:¶
Group_T: A nominal group¶
KEM_PQ: A post-quantum KEM¶
PRG: A PRG producing byte strings of length Group_T.Nseed +
KEM_PQ.Nseed (Expand.Nout == Group_T.Nseed + KEM_PQ.Nseed)¶
KDF: A KDF producing byte strings of length QSF.Nss (KDF.Nout
== KDF.Nss)¶
Label - A byte string used to label the specific combination of the above
constituents being used.¶
We presume that Group_T, KEM_PQ, and the KDFs meet the interfaces
described in Section 4 and MUST meet the security requirements
described in Section 6.3.¶
The constants associated with the hybrid KEM are mostly derived from the concatenation of keys and ciphertexts:¶
Nek = Group_T.Nelem + KEM_PQ.Nek Ndk = Group_T.Nscalar + KEM_PQ.Ndk Nct = Group_T.Nelem + KEM_PQ.Nct¶
The Nseed and Nss constants should reflect the overall security level of
the combined KEM, with the following recommended values:¶
Nseed = max(Group_T.Nseed, KEM_PQ.Nseed) Nss = min(Group_T.Nss, KEM_PQ.Nss)¶
Given these constituent parts, we define the QSF hybrid KEM as follows:¶
def GenerateKeyPair():
seed = random(Nseed)
return DeriveKeyPair(seed)
def DeriveKeyPair(seed):
seed_full = PRG(seed)
(seed_T, seed_PQ) = split(Group_T.Nseed, KEM_PQ.Nseed, seed)
dk_T = Group_T.RandomScalar(seed_T))
ek_T = Group_T.Exp(Group_T.g, dk_T)
(ek_PQ, dk_PQ) = KEM_PQ.DeriveKeyPair(seed_PQ)
ek_H = concat(ek_T, ek_PQ)
dk_H = concat(dk_T, dk_PQ)
return (ek_H, dk_H)
def Encaps(ek):
(ek_T, ek_PQ) = split(Group_T.Nek, KEM_PQ.Nek, ek)
sk_E = Group_T.RandomScalar(random(GroupT.nseed))
ct_T = Group_T.Exp(GroupT.g, sk_E)
ss_T = Group_T.ElementToSharedSecret(Group_T.Exp(ek_T, sk_E))
(ss_PQ, ct_PQ) = KEM_PQ.Encap(ek_PQ)
ss_H = KDF(concat(ss_PQ, ss_T, ct_T, ek_T, Label))
ct_H = concat(ct_T, ct_PQ)
return (ss_H, ct_H)
def Decaps(dk, ct):
(dk_T, dk_PQ) = split(Group_T.Ndk, KEM_PQ.Ndk, dk)
(ct_T, ct_PQ) = split(Group_T.Nct, KEM_PQ.Nct, ct)
ek_T = Group_T.ToEncaps(dk_T)
ek_PQ = KEM_PQ.ToEncaps(dk_PQ)
ss_T = Group_T.ElementToSharedSecret(Group_T.Exp(ct_T, dk_T))
ss_PQ = KEM_PQ.Decap(dk_PQ, ct_PQ)
ss_H = KDF(concat(ss_PQ, ss_T, ct_T, ek_T, Label))
return ss_H
¶
Hybrid KEM constructions aim to provide security by combining two or more
schemes so that security is preserved if all but one schemes are replaced by
an arbitrarily bad scheme. Informally, these hybrid KEMs are secure if the
KDF is secure, and either the traditional component is secure, or the post-quantum
KEM is secure: this is the 'hybrid' property.¶
Also known as IND-CCA2 security for general public key encryption, for KEMs that encapsulate a new random 'message' each time.¶
The notion of INDistinguishability against Chosen-Ciphertext Attacks (IND-CCA) [RS92] is now widely accepted as the standard security notion for asymmetric encryption schemes. IND-CCA security requires that no efficient adversary can recognize which of two messages is encrypted in a given ciphertext, even if the two candidate messages are chosen by the adversary himself.¶
Also known in the literature as ciphertext collision resistance (CCR).¶
The notion where, even if a KEM has broken IND-CCA security (either due to
construction, implementation, or other), its internal structure, based on the
Fujisaki-Okamoto transform, guarantees that it is impossible to find a second
ciphertext that decapsulates to the same shared secret K: this notion is
known as ciphertext second preimage resistance (C2SPI) for KEMs
[XWING]. The same notion has also been described as chosen ciphertext
resistance elsewhere [CDM23].¶
It is often useful for a KEM to have certain "binding properties", by which certain parameters determine certain others [CDM23]. These properties are referred to with labels of the form X-BIND-P-Q. For example, LEAK-BIND-K-PK means that for a given shared secret (K), there is a unique encapsulation key (PK) that could have produced it, even if all of the secrets involved are given to the adversary after the encapsulation operation is completed (LEAK).¶
The property LEAK-BIND-K,PK-CT is related to the C2PRI property discussed above. Related to the ciphertext collision-freeness of the underlying PKE scheme of a FO-transform KEM. Also called ciphertext collision resistance.¶
TODO: We need to provide more thorough description, and verify that these requirements align with the requirements of the security proofs in the literature, especially [GHP2018] and [XWING].¶
Component KEMs MUST be IND-CCA-secure [GHP2018] [XWING].¶
For instances of QSF, the component KEM MUST also be ciphertext second
preimage resistant (C2PRI) [XWING]: this allows the component KEM
encapsulation key and ciphertext to be left out from the KDF input.¶
The groups MUST be modelable as nominal groups in which the strong Diffie-Hellman problem holds [ABH_21] [XWING].¶
The Montgomery curves Curve25519 and Curve448 have been shown to be modelable
as nominal groups in [ABH_21] as well as showing the X25519() and
X448() functions respectively pertain to the nominal group exp(X, y)
function, specifically clamping secret keys when they are generated, instead
of clamping secret keys together with exponentiation.¶
KDFs MUST be secure pseudorandom functions (PRFs) when keyed with the shared
secret output from the post-quantum IND-CCA-secure KEM component algorithm in
QSF [XWING] or any of the component IND-CCA-secure KEMs when used in
KitchenSink [GHP2018] or PreHash.¶
KDFs must be secure instances of random oracles in the ROM and QROM [GHP2018] [XWING]. Proofs of indifferentiability from random oracles [MRH03] give good confidence here, as any function proven indifferentiable from a random oracle is resistant against collision, first, and second preimage attacks . An indifferentiability bound guarantees security against specific attacks. Although indifferentiability does not capture all properties of a random oracle [RSS11], indifferentiability still remains the best way to rule out structural attacks.¶
Sponge-based constructions such as SHA-3 have been shown to be indifferentiable against classical [BDP_08] as well as quantum adversaries [ACM_25].¶
HKDF has been shown to be indifferentiable from a random oracle under specific constraints [LBB20]:¶
that HMAC is indifferentiable from a random oracle, which for HMAC-SHA-256 has been shown in [DRS_13], assuming the compression function underlying SHA-256 is a random oracle, which it is indifferentiably when used prefix-free.¶
the values of HKDF's IKM input do not collide with
values of info || 0x01. This MUST be enforced by the
concrete instantiations that use HKDF as its KDF.¶
The choice of the KDF security level SHOULD be made based on the security level provided by the constituent KEMs. The KDF SHOULD at least have the security level of the strongest constituent KEM.¶
The functions used to expand a key seed to multiple key seeds is closer to a pseudorandom generator (PRG) in its security requirements [AOB_24]. A secure PRG is an algorithm PRG : {0, 1}^n → {0, 1}^m, such that no polynomial-time adversary can distinguish between PRG(r) (for r $← {0, 1}^n) and a random z $← {0, 1}^m [Rosulek]. The uniform string r ∈ {0, 1}^n is called the seed of the PRG.¶
A PRG is not to be confused with a random (or pseudorandom) number generator (RNG): a PRG requires the seed randomness to be chosen uniformly and extend it; an RNG takes sources of noisy data and transforms them into uniform outputs.¶
A PRG is a particular mode of use of a random oracle [BDP_11]. Examples used in such a manner include SHAKE256.¶
All generic constructions in this document produce IND-CCA-secure KEMs when correctly instantiated concretely with cryptographic components that meet the respective security requirements. Any changes to the routines, including key generation/derivation, are not guaranteed to produce secure results.¶
ASCII-encoded bytes provide oracle cloning [BDG2020] in the security game
via domain separation. The IND-CCA security of hybrid KEMs often relies on
the KDF function KDF to behave as an independent random oracle, which the
inclusion of the label achieves via domain separation [GHP2018].¶
By design, the calls to KDF in these constructions and usage anywhere else
in higher level protoocl use separate input domains unless intentionally
duplicating the 'label' per concrete instance with fixed paramters. This
justifies modeling them as independent functions even if instantiated by the
same KDF. This domain separation is achieved by using prefix-free sets of
label values. Recall that a set is prefix-free if no element is a prefix of
another within the set.¶
Length diffentiation is sometimes used to achieve domain separation but as a technique it is brittle and prone to misuse [BDG2020] in practice so we favor the use of an explicit post-fix label.¶
Variable-length secrets are generally dangerous. In particular, using key material of variable length and processing it using hash functions may result in a timing side channel. In broad terms, when the secret is longer, the hash function may need to process more blocks internally. In some unfortunate circumstances, this has led to timing attacks, e.g. the Lucky Thirteen [LUCKY13] and Raccoon [RACCOON] attacks.¶
Furthermore, [AVIRAM] identified a risk of using variable-length secrets when the hash function used in the key derivation function is no longer collision-resistant.¶
If concatenation were to be used with values that are not fixed-length, a length prefix or other unambiguous encoding would need to be used to ensure that the composition of the two values is injective and requires a mechanism different from that specified in this document.¶
Therefore, this specification MUST only be used with algorithms which have fixed-length shared secrets.¶
Considerations that were considered and not included in these designs:¶
Anonymity [GMP22], Deniability, Obfuscation, other forms of key-robustness or binding [GMP22], [CDM23]¶
TODO: deniable KEM cite and Kemeleon paper cite¶
Design team decided to restrict the space to only two components, a traditional and a post-quantum KEM.¶
Not analyzed as part of any security proofs in the literature, and a complicatation deemed unnecessary.¶
TODO acknowledge.¶