Crypto Forum                                                 D. Connolly
Internet-Draft                                                 SandboxAQ
Intended status: Informational                           4 February 2025
Expires: 8 August 2025

                Hybrid PQ/T Key Encapsulation Mechanisms
                     draft-irtf-cfrg-hybrid-kems-01

Abstract

   This document defines generic techniques to achieve hybrid
   post-quantum/traditional (PQ/T) key encapsulation mechanisms (KEMs)
   from post-quantum and traditional component algorithms that meet
   specified security properties. It then uses those generic
   techniques to construct several concrete instances of hybrid KEMs.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Discussion of this document takes place on the Crypto Forum Research
   Group mailing list (cfrg@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/cfrg.

   Source for this draft and an issue tracker can be found at
   https://github.com/cfrg/draft-irtf-cfrg-pq1.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 8 August 2025.

Connolly                  Expires 8 August 2025                 [Page 1]

Internet-Draft                 hybrid-kems                 February 2025

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Table of Contents

   1.  Introduction
   2.  Requirements Notation
   3.  Notation
   4.  Cryptographic Dependencies
     4.1.  Key encapsulation mechanisms
     4.2.  XOF
     4.3.  Key Derivation Function KDF
     4.4.  Nominal Diffie-Hellman Group
   5.  Hybrid KEM Constructions
     5.1.  'Kitchen Sink' construction
       5.1.1.  Security properties
     5.2.  'QSF' construction
   6.  Concrete Hybrid KEM Instances
     6.1.  QSF-SHA3-256-ML-KEM-768-P-256
       6.1.1.  Key generation
       6.1.2.  Encapsulation
       6.1.3.  Derandomized
       6.1.4.  Decapsulation
       6.1.5.  Security properties
     6.2.  KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519
       6.2.1.  Key generation
       6.2.2.  Encapsulation
       6.2.3.  Derandomized
       6.2.4.  Decapsulation
       6.2.5.  Security properties
     6.3.  QSF-SHA3-256-ML-KEM-1024-P-384
       6.3.1.  Key generation
       6.3.2.  Encapsulation
       6.3.3.  Derandomized
       6.3.4.  Decapsulation
       6.3.5.  Security properties
   7.  Random Scalar Generation
     7.1.  Rejection Sampling
     7.2.  Wide Reduction
   8.  Security Considerations
     8.1.  IND-CCA security
     8.2.  Ciphertext second preimage resistant (C2PRI) security /
           ciphertext collision resistance (CCR)
     8.3.  Binding properties
       8.3.1.  X-BIND-K-PK security
       8.3.2.  X-BIND-K-CT security
     8.4.  Domain Separation
     8.5.  Fixed-length
   9.  Out of Scope
     9.1.  More than two component KEMs
     9.2.  Parameterized output length
     9.3.  Protocol-specific labels / info
     9.4.  Other Component Primitives
   10. IANA Considerations
     10.1.  QSF-SHA3-256-ML-KEM-768-P-256 KEM Identifier
     10.2.  KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 KEM Identifier
     10.3.  QSF-SHA3-256-ML-KEM-1024-P-384 KEM Identifier
   11. Test Vectors
     11.1.  QSF-SHA3-256-ML-KEM-768-P-256 Test Vectors
     11.2.  KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 Test Vectors
     11.3.  QSF-SHA3-256-ML-KEM-1024-P-384 Test Vectors
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Acknowledgments
   Author's Address

1.  Introduction

   There are many choices that can be made when specifying a hybrid KEM:
   the constituent KEMs; their security levels; the combiner; and the
   hash within, to name but a few. Having too many similar options is a
   burden to the ecosystem.

   The aim of this document is to provide a small set of techniques for
   constructing hybrid KEMs designed to achieve specific security
   properties given conforming component algorithms, that should be
   suitable for the vast majority of use cases.

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Notation

   This document is consistent with all terminology defined in
   [I-D.driscoll-pqt-hybrid-terminology].

   The following terms are used throughout this document:

   *  random(n): return a pseudorandom byte string of length n bytes
      produced by a cryptographically-secure random number generator.

   *  concat(x0, ..., xN): Concatenation of byte strings.
      concat(0x01, 0x0203, 0x040506) = 0x010203040506.

   *  I2OSP(n, w): Convert non-negative integer n to a w-length,
      big-endian byte string, as described in [RFC8017].

   *  OS2IP(x): Convert byte string x to a non-negative integer, as
      described in [RFC8017], assuming big-endian byte order.

4.  Cryptographic Dependencies

   The generic hybrid PQ/T KEM constructions we define depend on the
   following cryptographic primitives:

   *  Key Encapsulation Mechanism, Section 4.1;

   *  Extendable Output Function (XOF), Section 4.2;

   *  Key Derivation Function (KDF), Section 4.3; and

   *  Nominal Diffie-Hellman Group, Section 4.4.

   These dependencies are defined in the following subsections.

4.1.  Key encapsulation mechanisms

   Key encapsulation mechanisms (KEMs) are cryptographic schemes that
   consist of four algorithms:

   *  KeyGen() -> (pk, sk): A probabilistic key generation algorithm,
      which generates a public encapsulation key pk and a secret
      decapsulation key sk, each of which is a byte string.

   *  DeriveKey(seed) -> (pk, sk): A deterministic algorithm, which
      takes as input a seed seed and generates a public encapsulation
      key pk and a secret decapsulation key sk, each of which is a byte
      string.

   *  Encaps(pk) -> (ct, shared_secret): A probabilistic encapsulation
      algorithm, which takes as input a public encapsulation key pk and
      outputs a ciphertext ct and shared secret shared_secret.

   *  Decaps(sk, ct) -> shared_secret: A decapsulation algorithm, which
      takes as input a secret decapsulation key sk and ciphertext ct and
      outputs a shared secret shared_secret.

   KEMs can also provide a deterministic version of Encaps, denoted
   EncapsDerand, with the following signature:

   *  EncapsDerand(pk, randomness) -> (ct, shared_secret): A
      deterministic encapsulation algorithm, which takes as input a
      public encapsulation key pk and randomness randomness, and outputs
      a ciphertext ct and shared secret shared_secret.

   Finally, KEMs are also parameterized with the following constants:

   *  Nseed, which denotes the number of bytes for a key seed;

   *  Npk, which denotes the number of bytes in a public encapsulation
      key;

   *  Nsk, which denotes the number of bytes in a private decapsulation
      key; and

   *  Nct, which denotes the number of bytes in a ciphertext.

4.2.  XOF

   Extendable-output function (XOF): a function on bit strings in which
   the output can be extended to any desired length. An XOF ought to
   satisfy the following properties as long as the specified output
   length is sufficiently long to prevent trivial attacks:

   1.  (One-way) It is computationally infeasible to find any input that
       maps to any new pre-specified output.

   2.  (Collision-resistant) It is computationally infeasible to find
       any two distinct inputs that map to the same output.

   The XOF MUST provide the bit-security required to source input
   randomness for PQ/T components from a seed that is expanded to an
   output length, of which a subset is passed to the component key
   generation algorithms.

4.3.  Key Derivation Function KDF

   A secure key derivation function (KDF) that is modeled as a secure
   pseudorandom function (PRF) in the standard model [GHP2018] and as
   an independent random oracle in the random oracle model (ROM).

4.4.  Nominal Diffie-Hellman Group

   The traditional DH-KEM construction depends on an abelian group of
   order order. We represent this group as the object G that
   additionally defines helper functions described below. The group
   operation for G is addition + with identity element I. For any
   elements A and B of the group G, A + B = B + A is also a member of G.
   Also, for any A in G, there exists an element -A such that
   A + (-A) = (-A) + A = I. For convenience, we use - to denote
   subtraction, e.g., A - B = A + (-B). Integers, taken modulo the
   group order order, are called scalars; arithmetic operations on
   scalars are implicitly performed modulo order.
   Scalar multiplication is equivalent to the repeated application of
   the group operation on an element A with itself r-1 times, denoted as
   ScalarMult(A, r). We denote the sum, difference, and product of two
   scalars using the +, -, and * operators, respectively. (Note that
   this means + may refer to group element addition or scalar addition,
   depending on the type of the operands.) For any element A,
   ScalarMult(A, order) = I. We denote B as a fixed generator of the
   group. Scalar base multiplication is equivalent to the repeated
   application of the group operation on B with itself r-1 times; this
   is denoted as ScalarBaseMult(r). The set of scalars corresponds to
   GF(order), which we refer to as the scalar field. It is assumed that
   group element addition, negation, and equality comparison can be
   efficiently computed for arbitrary group elements.

   This document uses types Element and Scalar to denote elements of the
   group G and its set of scalars, respectively. We denote Scalar(x) as
   the conversion of integer input x to the corresponding Scalar value
   with the same numeric value. For example, Scalar(1) yields a Scalar
   representing the value 1. We denote equality comparison of these
   types as == and assignment of values by =. When comparing Scalar
   values, e.g., for the purposes of sorting lists of Scalar values, the
   least nonnegative representation mod order is used.

   We now detail a number of member functions that can be invoked on G.

   *  Order(): Outputs the order of G (i.e., order).

   *  Identity(): Outputs the identity Element of the group (i.e., I).

   *  RandomScalar(): Outputs a random Scalar element in GF(order),
      i.e., a random scalar in [0, order - 1].

   *  ScalarMult(A, k): Outputs the scalar multiplication between
      Element A and Scalar k.

   *  ScalarBaseMult(k): Outputs the scalar multiplication between
      Scalar k and the group generator B.

   *  SerializeElementAsSharedSecret(A): Maps an Element A to a
      fixed-length byte array. This function is used to produce a
      shared secret for Diffie-Hellman operations performed on the
      group.

   *  SerializeElement(A): Maps an Element A to a canonical byte array
      buf of fixed length Ne. This function raises an error if A is the
      identity element of the group.

   *  DeserializeElement(buf): Attempts to map a byte array buf to an
      Element A, and fails if the input is not the valid canonical byte
      representation of an element of the group. This function raises
      an error if deserialization fails or if A is the identity element
      of the group.

   *  SerializeScalar(s): Maps a Scalar s to a canonical byte array buf
      of fixed length Ns.

   *  DeserializeScalar(buf): Attempts to map a byte array buf to a
      Scalar s. This function raises an error if deserialization fails.

   *  ScalarFromBytes(buf): Maps a byte array buf to a Scalar by first
      interpreting the contents of buf as an unsigned integer and then
      reducing that integer modulo the group order; this ensures that
      the resulting integer is always an element of the Scalar field.

5.  Hybrid KEM Constructions

   During encapsulation and decapsulation, a hybrid KEM combines its
   component KEM shared secrets and other info, such as the KEM
   ciphertexts and encapsulation keys, to yield a shared secret.

   The interface for this function, often called a 'combiner' in the
   literature, is the SharedSecret function for the constructions in
   this document. SharedSecret accepts the following inputs:

   *  pq_SS: The PQ KEM shared secret.

   *  trad_SS: The traditional KEM shared secret.

   *  pq_CT: The PQ KEM ciphertext.

   *  pq_PK: The PQ KEM public encapsulation key.

   *  trad_CT: The traditional KEM ciphertext.

   *  trad_PK: The traditional KEM public encapsulation key.

   *  label: A domain-separating label; see Section 8.4 for more
      information on the role of the label.
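
   The SharedSecret interface above, instantiated with the two combiners
   this document defines in Sections 5.1 and 5.2, as an added example
   that is not code from the draft. It shows that swapping pq_CT changes
   the KitchenSink output but not the QSF output, and that inputs of the
   wrong length are rejected before concatenation. The function names,
   the ASCII encoding of label and the filler inputs are assumptions of
   this example.

```python
import hashlib
import hmac

# Component lengths in bytes, from the slicing used in Sections 6.1 and 6.2
# (the ML-KEM-768 and DH shared secrets are 32 bytes each).
LENGTHS = {
    b"KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519": {
        "pq_SS": 32, "trad_SS": 32, "pq_CT": 1088, "pq_PK": 1184,
        "trad_CT": 32, "trad_PK": 32},
    b"QSF-SHA3-256-ML-KEM-768-P-256": {
        "pq_SS": 32, "trad_SS": 32, "pq_CT": 1088, "pq_PK": 1184,
        "trad_CT": 33, "trad_PK": 33},
}


def check_lengths(label, **fields):
    """Reject any input whose length differs from the instance's fixed size.

    The combiners concatenate without length prefixes, so the preimage is
    only unambiguous when every field has exactly its fixed length.
    """
    if label not in LENGTHS:
        raise ValueError("unknown label")
    for name, size in LENGTHS[label].items():
        if len(fields[name]) != size:
            raise ValueError(f"{name}: expected {size} bytes, got {len(fields[name])}")


def hkdf_extract(salt, ikm):
    # RFC 5869: an absent salt is replaced by HashLen zero bytes.
    return hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def labeled_hkdf(preimage):
    # LabeledHKDF from Section 6.2: labelled extract, then labelled expand.
    prk = hkdf_extract(b"", b"hybrid_prk" + preimage)
    info = (32).to_bytes(2, "big") + b"shared_secret"  # I2OSP(L, 2) || label || ""
    return hkdf_expand(prk, info, 32)


def kitchen_sink_shared_secret(pq_SS, trad_SS, pq_CT, pq_PK, trad_CT, trad_PK, label):
    check_lengths(label, pq_SS=pq_SS, trad_SS=trad_SS, pq_CT=pq_CT,
                  pq_PK=pq_PK, trad_CT=trad_CT, trad_PK=trad_PK)
    # The whole transcript goes through the KDF.
    return labeled_hkdf(pq_SS + trad_SS + pq_CT + pq_PK + trad_CT + trad_PK + label)


def qsf_shared_secret(pq_SS, trad_SS, pq_CT, pq_PK, trad_CT, trad_PK, label):
    check_lengths(label, pq_SS=pq_SS, trad_SS=trad_SS, pq_CT=pq_CT,
                  pq_PK=pq_PK, trad_CT=trad_CT, trad_PK=trad_PK)
    # pq_CT and pq_PK are length-checked but left out of the preimage.
    return hashlib.sha3_256(pq_SS + trad_SS + trad_CT + trad_PK + label).digest()


def sample_inputs(label):
    """Constructed filler bytes of the right lengths (not real KEM output)."""
    return {name: bytes([i + 1]) * size
            for i, (name, size) in enumerate(LENGTHS[label].items())}


if __name__ == "__main__":
    for label, combiner in ((b"KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519",
                             kitchen_sink_shared_secret),
                            (b"QSF-SHA3-256-ML-KEM-768-P-256", qsf_shared_secret)):
        inputs = sample_inputs(label)
        honest = combiner(label=label, **inputs)
        swapped = combiner(label=label, **dict(inputs, pq_CT=bytes(1088)))
        print(label.decode(), "output changes with pq_CT:", honest != swapped)
```

   With QSF, binding of the output to pq_CT and pq_PK therefore rests
   entirely on the PQ KEM meeting the requirements listed in
   Section 5.2.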

   The output of the SharedSecret function is a 32 byte shared secret
   that is, ultimately, the output of the KEM.

   This section describes two generic constructions for hybrid KEMs: one
   called the KitchenSink, specified in Section 5.1, and another called
   QSF, specified in Section 5.2. The KitchenSink construction is
   maximally conservative in design, opting for the fewest assumptions
   about the component KEMs. The QSF construction is tailored to
   specific component KEMs and is not generally reusable; specific
   requirements for component KEMs to be usable in the QSF combiner are
   detailed in Section 5.2.

   Both make use of the following requirements:

   1.  Both component KEMs have IND-CCA security.

   2.  KDF as a secure PRF. A key derivation function (KDF) that is
       modeled as a secure pseudorandom function (PRF) in the standard
       model [GHP2018] and independent random oracle in the random
       oracle model (ROM).

   3.  Fixed-length values. Every instantiation in concrete parameters
       of the generic constructions is for fixed parameter sizes, KDF
       choice, and label, allowing the lengths to not also be encoded
       into the generic construction. The label/KDF/component algorithm
       parameter sets MUST be disjoint and non-colliding. Moreover, the
       length of each public encapsulation key, ciphertext, and shared
       secret is fixed once the algorithm is assumed to be fixed.

5.1.  'Kitchen Sink' construction

   As indicated by the name, the KitchenSink puts 'the whole transcript'
   through the KDF. This relies on the minimum security properties of
   its component algorithms at the cost of more bytes needing to be
   processed by the KDF.

   def KitchenSink-KEM.SharedSecret(pq_SS, trad_SS, pq_CT, pq_PK,
                                    trad_CT, trad_PK, label):
       input = concat(pq_SS, trad_SS, pq_CT, pq_PK,
                      trad_CT, trad_PK, label)
       return KDF(input)

5.1.1.  Security properties

   Because the entire hybrid KEM ciphertext and encapsulation key
   material are included in the KDF preimage, the KitchenSink
   construction is resilient against implementation errors in the
   component algorithms.

5.2.  'QSF' construction

   This construction is inspired by the generic QSF (Quantum Superiority
   Fighter) framework in [XWING], which leverages the security
   properties of a KEM like ML-KEM and an inlined instance of DH-KEM, to
   elide other public data like the PQ ciphertext and encapsulation key
   from the KDF input:

   def QSF-KEM.SharedSecret(pq_SS, trad_SS, pq_CT, pq_PK,
                            trad_CT, trad_PK, label):
       return KDF(concat(pq_SS, trad_SS, trad_CT, trad_PK, label))

   Note that pq_CT and pq_PK are NOT included in the KDF. This is only
   possible because the component KEMs adhere to the following
   requirements. The QSF combiner MUST NOT be used in concrete KEM
   instances that do not satisfy these requirements.

   1.  Nominal Diffie-Hellman Group with strong Diffie-Hellman security

       A cryptographic group modelable as a nominal group where the
       strong Diffie-Hellman assumption holds [XWING]. Specifically
       regarding a nominal group, this means in particular that the QSF
       construction's security is based on a
       computational-Diffie-Hellman-like problem, but no assumption is
       made about the format of the generated group element: no
       assumption is made that the shared group element is
       indistinguishable from random bytes.

       The concrete instantiations in this document use elliptic curve
       groups that have been modeled as nominal groups in the
       literature.

   2.  Post-quantum IND-CCA KEM with ciphertext second preimage
       resistance

       The QSF relies on the post-quantum KEM component having IND-CCA
       security against a post-quantum attacker, and ciphertext second
       preimage resistance (C2SPI, also known as chosen ciphertext
       resistance, CCR). C2SPI/CCR is equivalent to LEAK-BIND-K,PK-CT
       security [CDM23].

   3.  KDF is a secure (post-quantum) PRF, modelable as a random oracle.

       Indistinguishability of the final shared secret from a random key
       is established by modeling the key-derivation function as a
       random oracle [XWING].

6.  Concrete Hybrid KEM Instances

   This section instantiates three concrete KEMs:

   1.  QSF-SHA3-256-ML-KEM-768-P-256 (Section 6.1): A hybrid KEM using
       the QSF combiner based on ML-KEM-768 and P-256.

   2.  KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 (Section 6.2): A
       hybrid KEM using the KitchenSink combiner based on ML-KEM-768 and
       X25519.

   3.  QSF-SHA3-256-ML-KEM-1024-P-384 (Section 6.3): A hybrid KEM using
       the QSF combiner based on ML-KEM-1024 and P-384.

   Each instance specifies the PQ and traditional KEMs being combined,
   the combiner construction from Section 5, the label to use for domain
   separation in the combiner function, as well as the XOF and KDF
   functions to use throughout.

6.1.  QSF-SHA3-256-ML-KEM-768-P-256

   This hybrid KEM is heavily based on [XWING]. In particular, it has
   the same exact design but uses P-256 instead of X25519 as the
   traditional component of the algorithm. It has the following
   parameters.

   *  label: QSF-SHA3-256-ML-KEM-768-P-256

   *  XOF: SHAKE-256 [FIPS202]

   *  KDF: SHA3-256 [FIPS202]

   *  Combiner: QSF-KEM.SharedSecret

   *  Nseed: 32

   *  Npk: 1217

   *  Nsk: 32

   *  Nct: 1121

   QSF-SHA3-256-ML-KEM-768-P-256 depends on P-256 as a nominal
   prime-order group [FIPS186] (secp256r1) [ANSIX9.62], where Ne = 33
   and Ns = 32, with the following functions:

   *  Order(): Return
      0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551.

   *  Identity(): As defined in [ANSIX9.62].

   *  RandomScalar(): Implemented by returning a uniformly random Scalar
      in the range [0, G.Order() - 1]. Refer to Section 7 for
      implementation guidance.

   *  SerializeElement(A): Implemented using the compressed
      Elliptic-Curve-Point-to-Octet-String method according to [SEC1],
      yielding a 33-byte output.
      Additionally, this function validates that the input element is
      not the group identity element.

   *  DeserializeElement(buf): Implemented by attempting to deserialize
      a 33-byte input string to a public key using the compressed
      Octet-String-to-Elliptic-Curve-Point method according to [SEC1],
      and then performs public-key validation as defined in section
      3.2.2.1 of [SEC1]. This includes checking that the coordinates of
      the resulting point are in the correct range, that the point is on
      the curve, and that the point is not the point at infinity. (As
      noted in the specification, validation of the point order is not
      required since the cofactor is 1.) If any of these checks fail,
      deserialization returns an error.

   *  SerializeElementAsSharedSecret(A): Implemented by encoding the X
      coordinate of the elliptic curve point corresponding to A to a
      little-endian 32-byte string.

   *  SerializeScalar(s): Implemented using the
      Field-Element-to-Octet-String conversion according to [SEC1].

   *  DeserializeScalar(buf): Implemented by attempting to deserialize a
      Scalar from a 32-byte string using Octet-String-to-Field-Element
      from [SEC1]. This function can fail if the input does not
      represent a Scalar in the range [0, G.Order() - 1].

   *  ScalarFromBytes(buf): Implemented by converting buf to an integer
      using OS2IP, and then reducing the resulting integer modulo the
      group order.

   The rest of this section specifies the key generation, encapsulation,
   and decapsulation procedures for this hybrid KEM.

6.1.1.  Key generation

   QSF-SHA3-256-ML-KEM-768-P-256 KeyGen works as follows.

   def expandDecapsulationKey(sk):
       expanded = SHAKE256(sk, 112)
       (pq_PK, pq_SK) = ML-KEM-768.KeyGen_internal(expanded[0:32],
                                                   expanded[32:64])
       # 48 bytes, reduced modulo the group order by ScalarFromBytes
       trad_SK = P-256.ScalarFromBytes(expanded[64:112])
       trad_PK = P-256.SerializeElement(P-256.ScalarBaseMult(trad_SK))
       return (pq_SK, trad_SK, pq_PK, trad_PK)

   def KeyGen():
       sk = random(32)
       (pq_SK, trad_SK, pq_PK, trad_PK) = expandDecapsulationKey(sk)
       return sk, concat(pq_PK, trad_PK)

   Similarly, QSF-SHA3-256-ML-KEM-768-P-256 DeriveKey works as follows:

   def DeriveKey(seed):
       (pq_SK, trad_SK, pq_PK, trad_PK) = expandDecapsulationKey(seed)
       # the seed itself is the decapsulation key
       return seed, concat(pq_PK, trad_PK)

6.1.2.  Encapsulation

   Given an encapsulation key pk, QSF-SHA3-256-ML-KEM-768-P-256 Encaps
   proceeds as follows.

   def Encaps(pk):
       pq_PK = pk[0:1184]
       trad_PK = P-256.DeserializeElement(pk[1184:1217])
       (pq_SS, pq_CT) = ML-KEM-768.Encaps(pq_PK)
       ek = P-256.RandomScalar()
       trad_CT = P-256.SerializeElement(P-256.ScalarBaseMult(ek))
       trad_SS = P-256.SerializeElementAsSharedSecret(
           P-256.ScalarMult(trad_PK, ek))
       # the serialized traditional public key goes into the hash
       ss = SHA3-256(concat(pq_SS, trad_SS, trad_CT,
                            pk[1184:1217], label))
       ct = concat(pq_CT, trad_CT)
       return (ss, ct)

   pk is a 1217-byte encapsulation key resulting from KeyGen().

   Encaps() returns the 32-byte shared secret ss and the 1121-byte
   ciphertext ct.

   Note that Encaps() may raise an error if ML-KEM-768.Encaps fails,
   e.g., if it does not pass the check of [FIPS203] §7.2.

6.1.3.  Derandomized

   For testing, it is convenient to have a deterministic version of
   encapsulation. In such cases, an implementation can provide the
   following derandomized function.

   def EncapsDerand(pk, randomness):
       pq_PK = pk[0:1184]
       trad_PK = P-256.DeserializeElement(pk[1184:1217])
       (pq_SS, pq_CT) = ML-KEM-768.EncapsDerand(pq_PK, randomness[0:32])
       ek = P-256.ScalarFromBytes(randomness[32:80])
       trad_CT = P-256.SerializeElement(P-256.ScalarBaseMult(ek))
       trad_SS = P-256.SerializeElementAsSharedSecret(
           P-256.ScalarMult(trad_PK, ek))
       # hash the serialized public key, as in Encaps
       ss = SHA3-256(concat(pq_SS, trad_SS, trad_CT,
                            pk[1184:1217], label))
       ct = concat(pq_CT, trad_CT)
       return (ss, ct)

   Note that randomness MUST be 80 bytes.

6.1.4.  Decapsulation

   Given a decapsulation key sk and ciphertext ct,
   QSF-SHA3-256-ML-KEM-768-P-256 Decaps proceeds as follows.

   def Decaps(sk, ct):
       (pq_SK, trad_SK, pq_PK, trad_PK) = expandDecapsulationKey(sk)
       pq_CT = ct[0:1088]
       trad_CT = P-256.DeserializeElement(ct[1088:1121])
       pq_SS = ML-KEM-768.Decapsulate(pq_SK, pq_CT)
       trad_SS = P-256.SerializeElementAsSharedSecret(
           P-256.ScalarMult(trad_CT, trad_SK))
       return SHA3-256(concat(pq_SS, trad_SS, ct[1088:1121],
                              trad_PK, label))

   ct is the 1121-byte ciphertext resulting from Encaps() and sk is a
   32-byte decapsulation key resulting from KeyGen().

   Decaps() returns the 32 byte shared secret.

6.1.5.  Security properties

   The inlined DH-KEM is instantiated over the elliptic curve group
   P-256: as shown in [CDM23], this gives the traditional KEM maximum
   binding properties (MAL-BIND-K-CT, MAL-BIND-K-PK).

   ML-KEM-768 as standardized in [FIPS203], when using the 64-byte seed
   key format as is done here, provides MAL-BIND-K-CT security and
   LEAK-BIND-K-PK security, as demonstrated in [SCHMIEG2024].

   Therefore this concrete instance provides MAL-BIND-K-PK and
   MAL-BIND-K-CT security. This implies via [KSMW2024] that this
   instance also satisfies

   *  MAL-BIND-K,CT-PK

   *  MAL-BIND-K,PK-CT

   *  LEAK-BIND-K-PK

   *  LEAK-BIND-K-CT

   *  LEAK-BIND-K,CT-PK

   *  LEAK-BIND-K,PK-CT

   *  HON-BIND-K-PK

   *  HON-BIND-K-CT

   *  HON-BIND-K,CT-PK

   *  HON-BIND-K,PK-CT

6.2.  KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519

   KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 has the following
   parameters.

   *  label: KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519

   *  XOF: SHAKE-256 [FIPS202]

   *  KDF: HKDF-SHA-256 [HKDF]

   *  Combiner: KitchenSink-KEM.SharedSecret

   *  Nseed: 32

   *  Npk: 1216

   *  Nsk: 32

   *  Nct: 1120

   KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 depends on a prime-order
   group implemented using Curve25519 and X25519 [RFC7748].
   Additionally, it uses a modified version of HKDF in the combiner,
   denoted LabeledHKDF, defined below.

   def LabeledExtract(salt, label, ikm):
       labeled_ikm = concat(label, ikm)
       return HKDF-Extract(salt, labeled_ikm)

   def LabeledExpand(prk, label, info, L):
       labeled_info = concat(I2OSP(L, 2), label, info)
       return HKDF-Expand(prk, labeled_info, L)

   def LabeledHKDF(preimage):
       prk = LabeledExtract("", "hybrid_prk", preimage)
       shared_secret = LabeledExpand(prk, "shared_secret", "", 32)
       return shared_secret

   The rest of this section specifies the key generation, encapsulation,
   and decapsulation procedures for this hybrid KEM.

6.2.1.  Key generation

   KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 KeyGen works as follows.

   def expandDecapsulationKey(sk):
       expanded = SHAKE256(sk, 96)
       (pq_PK, pq_SK) = ML-KEM-768.KeyGen_internal(expanded[0:32],
                                                   expanded[32:64])
       trad_SK = expanded[64:96]
       trad_PK = X25519(trad_SK, 9)
       return (pq_SK, trad_SK, pq_PK, trad_PK)

   def KeyGen():
       sk = random(32)
       (pq_SK, trad_SK, pq_PK, trad_PK) = expandDecapsulationKey(sk)
       return sk, concat(pq_PK, trad_PK)

   Similarly, KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 DeriveKey works
   as follows:

   def DeriveKey(seed):
       (pq_SK, trad_SK, pq_PK, trad_PK) = expandDecapsulationKey(seed)
       # the seed itself is the decapsulation key
       return seed, concat(pq_PK, trad_PK)

6.2.2.  Encapsulation

   Given an encapsulation key pk,
   KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 Encaps proceeds as
   follows.

   def Encaps(pk):
       pq_PK = pk[0:1184]
       trad_PK = pk[1184:1216]
       (pq_SS, pq_CT) = ML-KEM-768.Encaps(pq_PK)
       ek = random(32)
       trad_CT = X25519(ek, 9)
       trad_SS = X25519(ek, trad_PK)
       # the whole transcript is the LabeledHKDF preimage
       ss = LabeledHKDF(concat(pq_SS, trad_SS, pq_CT, pq_PK,
                               trad_CT, trad_PK, label))
       ct = concat(pq_CT, trad_CT)
       return (ss, ct)

   pk is a 1216-byte encapsulation key resulting from KeyGen().

   Encaps() returns the 32-byte shared secret ss and the 1120-byte
   ciphertext ct.

   Note that Encaps() may raise an error if ML-KEM-768.Encaps fails,
   e.g., if it does not pass the check of [FIPS203] §7.2.

6.2.3.  Derandomized

   For testing, it is convenient to have a deterministic version of
   encapsulation. In such cases, an implementation can provide the
   following derandomized function.

   def EncapsDerand(pk, randomness):
       pq_PK = pk[0:1184]
       trad_PK = pk[1184:1216]
       (pq_SS, pq_CT) = ML-KEM-768.EncapsDerand(pq_PK, randomness[0:32])
       ek = randomness[32:64]
       trad_CT = X25519(ek, 9)
       trad_SS = X25519(ek, trad_PK)
       ss = LabeledHKDF(concat(pq_SS, trad_SS, pq_CT, pq_PK,
                               trad_CT, trad_PK, label))
       ct = concat(pq_CT, trad_CT)
       return (ss, ct)

   Note that randomness MUST be 64 bytes.

6.2.4.  Decapsulation

   Given a decapsulation key sk and ciphertext ct,
   KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 Decaps proceeds as
   follows.

   def Decaps(sk, ct):
       (pq_SK, trad_SK, pq_PK, trad_PK) = expandDecapsulationKey(sk)
       pq_CT = ct[0:1088]
       trad_CT = ct[1088:1120]
       pq_SS = ML-KEM-768.Decapsulate(pq_SK, pq_CT)
       trad_SS = X25519(trad_SK, trad_CT)
       return LabeledHKDF(concat(pq_SS, trad_SS, pq_CT, pq_PK,
                                 trad_CT, trad_PK, label))

   ct is the 1120-byte ciphertext resulting from Encaps() and sk is a
   32-byte decapsulation key resulting from KeyGen().

   Decaps() returns the 32 byte shared secret.

6.2.5.  Security properties

   The inlined DH-KEM is instantiated over the elliptic curve group
   X25519: as shown in [CDM23], this gives the traditional KEM maximum
   binding properties (MAL-BIND-K-CT, MAL-BIND-K-PK).

   ML-KEM-768 as standardized in [FIPS203], when using the 64-byte seed
   key format as is done here, provides MAL-BIND-K-CT security and
   LEAK-BIND-K-PK security, as demonstrated in [SCHMIEG2024]. Further,
   the ML-KEM ciphertext and encapsulation key are included in the KDF
   preimage, giving straightforward CT and PK binding for the entire
   bytes of the hybrid KEM ciphertext and encapsulation key. Therefore
   this concrete instance provides MAL-BIND-K-PK and MAL-BIND-K-CT
   security.

   This implies via [KSMW2024] that this instance also satisfies

   *  MAL-BIND-K,CT-PK

   *  MAL-BIND-K,PK-CT

   *  LEAK-BIND-K-PK

   *  LEAK-BIND-K-CT

   *  LEAK-BIND-K,CT-PK

   *  LEAK-BIND-K,PK-CT

   *  HON-BIND-K-PK

   *  HON-BIND-K-CT

   *  HON-BIND-K,CT-PK

   *  HON-BIND-K,PK-CT

6.3.  QSF-SHA3-256-ML-KEM-1024-P-384

   QSF-SHA3-256-ML-KEM-1024-P-384 has the following parameters.

   *  label: QSF-SHA3-256-ML-KEM-768-P-256

   *  XOF: SHAKE-256 [FIPS202]

   *  KDF: SHA3-256 [FIPS202]

   *  Combiner: QSF-KEM.SharedSecret

   *  Nseed: 32

   *  Npk: 1629

   *  Nsk: 32

   *  Nct: 1629

   QSF-SHA3-256-ML-KEM-1024-P-384 depends on P-384 as a nominal
   prime-order group [FIPS186] (secp256r1) [ANSIX9.62], where Ne = 61
   and Ns = 48, with the following functions:

   *  Order(): Return
      0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973

   *  Identity(): As defined in [ANSIX9.62].

   *  RandomScalar(): Implemented by returning a uniformly random Scalar
      in the range [0, G.Order() - 1]. Refer to Section 7 for
      implementation guidance.

   *  SerializeElement(A): Implemented using the compressed
      Elliptic-Curve-Point-to-Octet-String method according to [SEC1],
      yielding a 61-byte output. Additionally, this function validates
      that the input element is not the group identity element.
* DeserializeElement(buf): Implemented by attempting to deserialize a 61-byte input string to a public key using the compressed Octet-String-to-Elliptic-Curve-Point method according to [SEC1], and then performing public-key validation as defined in section 3.2.2.1 of [SEC1]. This includes checking that the coordinates of the resulting point are in the correct range, that the point is on the curve, and that the point is not the point at infinity. (As noted in the specification, validation of the point order is not required since the cofactor is 1.) If any of these checks fail, deserialization returns an error.
* SerializeElementAsSharedSecret(A): Implemented by encoding the X coordinate of the elliptic curve point corresponding to A to a little-endian 48-byte string.
* SerializeScalar(s): Implemented using the Field-Element-to-Octet-String conversion according to [SEC1].
* DeserializeScalar(buf): Implemented by attempting to deserialize a Scalar from a 48-byte string using Octet-String-to-Field-Element from [SEC1]. This function can fail if the input does not represent a Scalar in the range [0, G.Order() - 1].
* ScalarFromBytes(buf): Implemented by converting buf to an integer using OS2IP, and then reducing the resulting integer modulo the group order.

The rest of this section specifies the key generation, encapsulation, and decapsulation procedures for this hybrid KEM.

6.3.1. Key generation

QSF-SHA3-256-ML-KEM-1024-P-384 KeyGen works as follows.

    def expandDecapsulationKey(sk):
        # Expand the 32-byte seed: 64 bytes seed ML-KEM-1024, the
        # remaining 72 bytes are reduced to a P-384 scalar.
        expanded = SHAKE256(sk, 136)
        (pq_PK, pq_SK) = ML-KEM-1024.KeyGen_internal(expanded[0:32],
                                                     expanded[32:64])
        trad_SK = P-384.ScalarFromBytes(expanded[64:136])
        trad_PK = P-384.SerializeElement(P-384.ScalarMultBase(trad_SK))
        return (pq_SK, trad_SK, pq_PK, trad_PK)

    def KeyGen():
        sk = random(32)
        (pq_SK, trad_SK, pq_PK, trad_PK) = expandDecapsulationKey(sk)
        return sk, concat(pq_PK, trad_PK)

Similarly, QSF-SHA3-256-ML-KEM-1024-P-384 DeriveKey works as follows:

    def DeriveKey(seed):
        (pq_SK, trad_SK, pq_PK, trad_PK) = expandDecapsulationKey(seed)
        # The seed itself is the decapsulation key.
        return seed, concat(pq_PK, trad_PK)

6.3.2. Encapsulation

Given an encapsulation key pk, QSF-SHA3-256-ML-KEM-1024-P-384 Encaps proceeds as follows.

    def Encaps(pk):
        pq_PK = pk[0:1568]
        # DeserializeElement validates the P-384 public key before use.
        trad_PK = P-384.DeserializeElement(pk[1568:1629])
        (pq_SS, pq_CT) = ML-KEM-1024.Encaps(pq_PK)
        ek = P-384.RandomScalar()
        trad_CT = P-384.SerializeElement(P-384.ScalarBaseMult(ek))
        trad_SS = P-384.SerializeElementAsSharedSecret(
            P-384.ScalarMult(trad_PK, ek))
        ss = SHA3-256(pq_SS, trad_SS, trad_CT, pk[1568:1629], label)
        ct = concat(pq_CT, trad_CT)
        return (ss, ct)

pk is a 1629-byte encapsulation key resulting from KeyGen().

Encaps() returns the 32-byte shared secret ss and the 1629-byte ciphertext ct.

Note that Encaps() may raise an error if ML-KEM-1024.Encaps fails, e.g., if it does not pass the check of [FIPS203] §7.2.

6.3.3. Derandomized

For testing, it is convenient to have a deterministic version of encapsulation. In such cases, an implementation can provide the following derandomized function.

    def EncapsDerand(pk, randomness):
        pq_PK = pk[0:1568]
        trad_PK = P-384.DeserializeElement(pk[1568:1629])
        # First 32 bytes of randomness drive ML-KEM-1024, the last 48
        # bytes are reduced to the ephemeral P-384 scalar.
        (pq_SS, pq_CT) = ML-KEM-1024.EncapsDerand(pq_PK, randomness[0:32])
        ek = P-384.ScalarFromBytes(randomness[32:80])
        trad_CT = P-384.SerializeElement(P-384.ScalarMultBase(ek))
        trad_SS = P-384.SerializeElementAsSharedSecret(
            P-384.ScalarMult(ek, trad_PK))
        ss = SHA3-256(pq_SS, trad_SS, trad_CT, pk[1568:1629], label)
        ct = concat(pq_CT, trad_CT)
        return (ss, ct)

Note that randomness MUST be 80 bytes.

6.3.4. Decapsulation

Given a decapsulation key sk and ciphertext ct, QSF-SHA3-256-ML-KEM-1024-P-384 Decaps proceeds as follows.

    def Decaps(sk, ct):
        (pq_SK, trad_SK, pq_PK, trad_PK) = expandDecapsulationKey(sk)
        pq_CT = ct[0:1568]
        # DeserializeElement validates the received P-384 point.
        trad_CT = P-384.DeserializeElement(ct[1568:1629])
        pq_SS = ML-KEM-1024.Decapsulate(pq_SK, pq_CT)
        trad_SS = P-384.SerializeElementAsSharedSecret(
            P-384.ScalarMult(trad_SK, trad_CT))
        return SHA3-256(pq_SS, trad_SS, ct[1568:1629], trad_PK, label)

ct is the 1629-byte ciphertext resulting from Encaps() and sk is a 32-byte decapsulation key resulting from KeyGen().

Decaps() returns the 32-byte shared secret.

6.3.5. Security properties

The inlined DH-KEM is instantiated over the elliptic curve group P-384: as shown in [CDM23], this gives the traditional KEM maximum binding properties (MAL-BIND-K-CT, MAL-BIND-K-PK).

ML-KEM-1024 as standardized in [FIPS203], when using the 64-byte seed key format as is done here, provides MAL-BIND-K-CT security and LEAK-BIND-K-PK security, as demonstrated in [SCHMIEG2024].

Therefore this concrete instance provides MAL-BIND-K-PK and MAL-BIND-K-CT security.

This implies via [KSMW2024] that this instance also satisfies

* MAL-BIND-K,CT-PK
* MAL-BIND-K,PK-CT
* LEAK-BIND-K-PK
* LEAK-BIND-K-CT
* LEAK-BIND-K,CT-PK
* LEAK-BIND-K,PK-CT
* HON-BIND-K-PK
* HON-BIND-K-CT
* HON-BIND-K,CT-PK
* HON-BIND-K,PK-CT

7. Random Scalar Generation

Two popular algorithms for generating a random integer uniformly distributed in the range [0, G.Order() - 1] are as follows:

7.1. Rejection Sampling

Generate a random byte array with Ns bytes, and attempt to map to a Scalar by calling DeserializeScalar in constant time. If it succeeds, return the result. If it fails, try again with another random byte array, until the procedure succeeds. Failure to implement DeserializeScalar in constant time can leak information about the underlying corresponding Scalar.

As an optimization, if the group order is very close to a power of 2, it is acceptable to omit the rejection test completely. In particular, if the group order is p, and there is an integer b such that |p - 2^b| is less than 2^(b/2), then RandomScalar can simply return a uniformly random integer of at most b bits.

7.2. Wide Reduction

Generate a random byte array with l = ceil(((3 * ceil(log2(G.Order()))) / 2) / 8) bytes, and interpret it as an integer; reduce the integer modulo G.Order() and return the result. See Section 5 of [HASH-TO-CURVE] for the underlying derivation of l.

8. Security Considerations

Hybrid KEM constructions aim to provide security by combining two or more schemes so that security is preserved if all but one of the schemes are replaced by an arbitrarily bad scheme.

Informally, these hybrid KEMs are secure if the KDF is secure, and either the elliptic curve is secure, or the post-quantum KEM is secure: this is the 'hybrid' property.
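
Added example (not part of the draft) for Section 7: both scalar generation methods for the P-384 order given in Section 6.3, plus the power-of-two test from Section 7.1. The function names are illustrative assumptions, and Python integer arithmetic is not constant time, so this shows the logic only.

```python
import secrets

# Order of the P-384 group, as returned by Order() in Section 6.3.
P384_ORDER = int(
    "f" * 48 + "c7634d81f4372ddf581a0db248b0a77aecec196accc52973", 16
)
NS = 48  # Ns: scalar length in bytes for P-384


def deserialize_scalar(buf, order=P384_ORDER, ns=NS):
    """Big-endian octets -> scalar, or None if outside [0, order - 1].

    Python integers are not constant time; a production implementation
    needs a constant-time comparison, as Section 7.1 requires.
    """
    if len(buf) != ns:
        raise ValueError("scalar encoding must be exactly Ns bytes")
    value = int.from_bytes(buf, "big")
    return value if value < order else None


def random_scalar_rejection(rng=secrets.token_bytes, order=P384_ORDER, ns=NS):
    """Section 7.1: draw Ns random bytes until they decode to a scalar."""
    while True:
        scalar = deserialize_scalar(rng(ns), order, ns)
        if scalar is not None:
            return scalar


def wide_reduction_length(order):
    """Section 7.2: l = ceil(((3 * ceil(log2(order))) / 2) / 8) bytes."""
    bits = (order - 1).bit_length()  # ceil(log2(order)) for order >= 2
    return -(-(3 * bits) // 16)      # integer ceiling of 3 * bits / 16


def random_scalar_wide(rng=secrets.token_bytes, order=P384_ORDER):
    """Section 7.2: reduce an l-byte random integer modulo the order."""
    length = wide_reduction_length(order)
    return int.from_bytes(rng(length), "big") % order


def rejection_test_can_be_omitted(order):
    """Section 7.1 optimization: is |order - 2^b| < 2^(b/2) for some b?"""
    for b in (order.bit_length() - 1, order.bit_length()):
        # Compare squares so that an odd b needs no fractional exponent.
        if (order - (1 << b)) ** 2 < (1 << b):
            return True
    return False
```

For P-384 the wide-reduction length is 72 bytes, which is the size of the expanded[64:136] slice that expandDecapsulationKey passes to ScalarFromBytes in Section 6.3.1.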

More precisely, for the concrete instantiations in this document, if SHA3-256, SHA3-512, and SHAKE-256 may be modelled as a random oracle, then the IND-CCA security of QSF constructions is bounded by the IND-CCA security of ML-KEM, and the gap-CDH security of secp256n1, see [XWING].

8.1. IND-CCA security

Also known as IND-CCA2 security for general public key encryption, for KEMs that encapsulate a new random 'message' each time.

The notion of INDistinguishability against Chosen-Ciphertext Attacks (IND-CCA) [RS92] is now widely accepted as the standard security notion for asymmetric encryption schemes. IND-CCA security requires that no efficient adversary can recognize which of two messages is encrypted in a given ciphertext, even if the two candidate messages are chosen by the adversary himself.

8.2. Ciphertext second preimage resistant (C2PRI) security / ciphertext collision resistance (CCR)

The notion where, even if a KEM has broken IND-CCA security (either due to construction, implementation, or other), its internal structure, based on the Fujisaki-Okamoto transform, guarantees that it is impossible to find a second ciphertext that decapsulates to the same shared secret K: this notion is known as ciphertext second preimage resistance (C2PRI) for KEMs [XWING]. The same notion has also been described as chosen ciphertext resistance elsewhere [CDM23].

8.3. Binding properties

TODO

8.3.1. X-BIND-K-PK security

TODO

8.3.2. X-BIND-K-CT security

Ciphertext second preimage resistance for KEMs (C2PRI [XWING]). Related to the ciphertext collision-freeness of the underlying PKE scheme of a FO-transform KEM. Also called ciphertext collision resistance.

8.4. Domain Separation

ASCII-encoded bytes provide oracle cloning [BDG2020] in the security game via domain separation.

The IND-CCA security of hybrid KEMs often relies on the KDF function KDF to behave as an independent random oracle, which the inclusion of the label achieves via domain separation [GHP2018].

By design, the calls to KDF in these constructions and any usage elsewhere in a higher-level protocol use separate input domains, unless the 'label' of a concrete instance with fixed parameters is intentionally duplicated. This justifies modeling them as independent functions even if instantiated by the same KDF. This domain separation is achieved by using prefix-free sets of label values. Recall that a set is prefix-free if no element is a prefix of another within the set.

Length differentiation is sometimes used to achieve domain separation, but as a technique it is brittle and prone to misuse [BDG2020] in practice, so we favor the use of an explicit post-fix label.

8.5. Fixed-length

Variable-length secrets are generally dangerous. In particular, using key material of variable length and processing it using hash functions may result in a timing side channel. In broad terms, when the secret is longer, the hash function may need to process more blocks internally. In some unfortunate circumstances, this has led to timing attacks, e.g. the Lucky Thirteen [LUCKY13] and Raccoon [RACCOON] attacks.

Furthermore, [AVIRAM] identified a risk of using variable-length secrets when the hash function used in the key derivation function is no longer collision-resistant.

If concatenation were to be used with values that are not fixed-length, a length prefix or other unambiguous encoding would need to be used to ensure that the composition of the two values is injective; this would require a mechanism different from that specified in this document.
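
Added example (not part of the draft) for Sections 8.4 and 8.5: a prefix-free check over a label set, and the ambiguity of concatenating variable-length inputs shown next to a fixed-length check and a length-prefixed encoding. The helper names are hypothetical, the labels are the instance names from Section 10 used as sample values, and SHA3-256 over a concatenation with a postfix label is a simplified stand-in for the document's combiners.

```python
import hashlib

# Sample label values (assumption): the three instance names from
# Section 10, ASCII-encoded.
LABELS = [
    b"QSF-SHA3-256-ML-KEM-768-P-256",
    b"KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519",
    b"QSF-SHA3-256-ML-KEM-1024-P-384",
]


def is_prefix_free(labels):
    """True if no label is a prefix of another (duplicates count as prefixes)."""
    ordered = sorted(labels)
    # In sorted order, a label that prefixes any other label also
    # prefixes its immediate successor, so adjacent pairs suffice.
    return all(not b.startswith(a) for a, b in zip(ordered, ordered[1:]))


def kdf_naive(parts, label):
    """Hash the bare concatenation: not injective for variable-length parts."""
    return hashlib.sha3_256(b"".join(parts) + label).digest()


def kdf_fixed_length(parts, lengths, label):
    """Hash the concatenation only after checking every part's fixed length."""
    if len(parts) != len(lengths):
        raise ValueError("wrong number of inputs")
    for part, expected in zip(parts, lengths):
        if len(part) != expected:
            raise ValueError(f"expected {expected} bytes, got {len(part)}")
    return hashlib.sha3_256(b"".join(parts) + label).digest()


def kdf_length_prefixed(parts, label):
    """Variable-length alternative: a 4-byte length precedes each part."""
    encoded = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.sha3_256(encoded + label).digest()


def demo():
    label = LABELS[0]
    # Constructed inputs: two different pairs with the same concatenation.
    pair_a = (b"\x01" * 32, b"\x02" * 32)
    pair_b = (b"\x01" * 32 + b"\x02", b"\x02" * 31)
    results = {
        "labels_prefix_free": is_prefix_free(LABELS),
        "naive_collides": kdf_naive(pair_a, label) == kdf_naive(pair_b, label),
        "prefixed_collides": kdf_length_prefixed(pair_a, label)
        == kdf_length_prefixed(pair_b, label),
    }
    try:
        kdf_fixed_length(pair_b, (32, 32), label)
        results["fixed_rejects_shifted"] = False
    except ValueError:
        results["fixed_rejects_shifted"] = True
    return results


if __name__ == "__main__":
    print(demo())
```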

Therefore, this specification MUST only be used with algorithms which have fixed-length shared secrets (after the variant has been fixed by the algorithm identifier in the NamedGroup negotiation in Section 3.1).

9. Out of Scope

Considerations that were considered and not included in these designs:

9.1. More than two component KEMs

The design team decided to restrict the space to only two components, a traditional and a post-quantum KEM.

9.2. Parameterized output length

Not analyzed as part of any security proofs in the literature, and a complication deemed unnecessary.

9.3. Protocol-specific labels / info

The concrete instantiations have specific labels; protocol-specific information is out of scope.

9.4. Other Component Primitives

There is demand for other hybrid variants that either use different primitives (RSA, NTRU, Classic McEliece, FrodoKEM), parameters, or that use a combiner optimized for a specific use case. Other use cases could be covered in subsequent documents and not included here.

10. IANA Considerations

This document requests three new entries to the "HPKE KEM Identifiers" registry. These entries are defined in the following subsections.

10.1. QSF-SHA3-256-ML-KEM-768-P-256 KEM Identifier

Value: 0xc1fe (please)
KEM: QSF-SHA3-256-ML-KEM-768-P-256
Nsecret: 32
Nenc: 1121
Npk: 1217
Nsk: 32
Auth: no
Reference: This document

10.2. KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 KEM Identifier

Value: 0xbc48 (please)
KEM: KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519
Nsecret: 32
Nenc: 1120
Npk: 1216
Nsk: 32
Auth: no
Reference: This document

10.3. QSF-SHA3-256-ML-KEM-1024-P-384 KEM Identifier

Value: 0x0a25 (please)
KEM: QSF-SHA3-256-ML-KEM-1024-P-384
Nsecret: 32
Nenc: 1617
Npk: 1617
Nsk: 32
Auth: no
Reference: This document

11. Test Vectors

This section describes test vectors for each of the concrete KEMs specified in this document.

11.1. QSF-SHA3-256-ML-KEM-768-P-256 Test Vectors

11.2. KitchenSink-HKDF-SHA-256-ML-KEM-768-X25519 Test Vectors
6e1cc8fc4eb66e12727bcb5a9e0e405cdea21538d6ea885ab169050e6b91e1b69f7ed34b cbb48fd4c562a576549f85b528c953926d96ea8a160b8843f1c89c62 randomness 17cda7cfad765f5623474d368ccca8af0007cd9f5e4c849f167a580b14aabdefaee7eef4 7cb0fca9767be1fda69419dfb927e9df07348b196691abaeb580b32d ct c93beb22326705699bbc3d1d0aa6339be7a405debe61a7c337e1a91453c097a6f77c1306 39d1aaeb193175f1a987aa1fd789a63c9cd487ebd6965f5d8389c8d7c8cfacbba4b44d2f be0ae84de9e96fb11215d9b76acd51887b752329c1a3e0468ccc49392c1e0f1aad61a73c Connolly Expires 8 August 2025 [Page 33] Internet-Draft hybrid-kems February 2025 10831e60a9798cb2e7ec07596b5803db3e243ecbb94166feade0c9197378700f8eb65a43 502bbac4605992e2de2b906ab30ba401d7e1ff3c98f42cfc4b30b974d3316f331461ac05 f43e0db7b41d3da702a4f567b6ee7295199c7be92f6b4a47e7307d34278e03c872fb4864 7c446a64a3937dccd7c6d8de4d34b9dea45a0b065ef15b9e94d1b6df6dca7174d9bc9d14 c6225e3a78a58785c3fe4e2fe6a0706f3365389e4258fbb61ecf1a1957715982b3f18444 24e03acd83da7eee50573f6cd3ff396841e9a00ad679da92274129da277833d0524674fe ea09a98d25b888616f338412d8e65e151e65736c8c6fb448c9260fa20e7b2712148bcd3a 0853865f50c1fc9e4f201aee3757120e034fd509d954b7a749ff776561382c4cb64cebcb b6aa82d04cd5c2b40395ecaf231bde8334ecfd955d09efa8c6e7935b1cb0298fb8b6740b e4593360eed5f129d59d98822a6cea37c57674e919e84d6b90f695fca58e7d29092bd70f 7c97c6dfb021b9f87216a6271d8b144a364d03b6bf084f972dc59800b14a2c008bbd0992 b5b82801020978f2bdddb3ca3367d876cffb3548dab695a29882cae2eb5ba7c847c3c71b d0150fa9c33aac8e6240e0c269b8e295ddb7b77e9c17bd310be65e28c0802136d086777b e5652d6f1ac879d3263e9c712d1af736eac048fe848a577d6afaea1428dc71db8c430edd 7b584ae6e6aeaf7257aff0fd8fe25c30840e30ccfa1d95118ef0f6657367e9070f3d97a2 e9a7bae19957bd707b00e31b6b0ebb9d7df4bd22e44c060830a194b5b8288353255b5295 4ff5905ab2b126d9aa049e44599368c27d6cb033eae5182c2e1504ee4e3745f51488997b 8f958f0209064f6f44a7e4de5226d5594d1ad9b42ac59a2d100a2f190df873a2e141552f 33c923b4c927e8747c6f830c441a8bd3c5b371f6b3ab8103ebcfb18543aefc1beb6f776b 
bfd5344779f4aa23daaf395f69ec31dc046b491f0e5cc9c651dfc306bd8f2105be7bc7a4 f4e21957f87278c771528a8740a92e2daefa76a3525f1fae17ec4362a2700988001d8600 11d6ca3a95f79a0205bcf634cef373a8ea273ff0f4250eb8617d0fb92102a6aa09cf0c3e e2cad1ad96438c8e4dfd6ee0fcc85833c3103dd6c1600cd305bc2df4cda89b55ca237a3f 9c3f82390074ff30825fc750130ebaf13d0cf7556d2c52a98a4bad39ca5d44aaadeaef77 5c695e64d06e966acfcd552a14e2df6c63ae541f0fa88fc48263089685704506a21a0385 6ce65d4f06d54f3157eeabd62491cb4ac7bf029e79f9fbd4c77e2a3588790c710e611da8 b2040c76a61507a8020758dcc30894ad018fef98e401cc54106e20d94bd544a8f0e1fd05 00342d123f618aa8c91bdf6e0e03200693c9651e469aee6f91c98bea4127ae66312f4ae3 ea155b67 ss 81a8ce7d49778780e580267d98573cf1946c9f0d3bb8653010c3120b2fbdd514 seed ef58538b8d23f87732ea63b02b4fa0f4873360e2841928cd60dd4cee8cc0d4c9 sk ef58538b8d23f87732ea63b02b4fa0f4873360e2841928cd60dd4cee8cc0d4c9 pk 36244278824f77c621c660892c1c3886a9560caa52a97c461fd3958a598e749bbc8c7798 ac8870bac7318ac2b863000ca3b0bdcbbc1ccfcb1a30875df9a76976763247083e646ccb 2499a4e4f0c9f4125378ba3da1999538b86f99f2328332c177d1192b849413e655101289 73f679d23253850bb6c347ba7ca81b5e6ac4c574565c731740b3cd8c9756caac39fba7ac 422acc60c6c1a645b94e3b6d21485ebad9c4fe5bb4ea0853670c5246652bff65ce8381cb 473c40c1a0cd06b54dcec11872b351397c0eaf995bebdb6573000cbe2496600ba76c8cb0 23ec260f0571e3ec12a9c82d9db3c57b3a99e8701f78db4fabc1cc58b1bae02745073a81 fc8045439ba3b885581a283a1ba64e103610aabb4ddfe9959e7241011b2638b56ba6a982 ef610c514a57212555db9a98fb6bcf0e91660ec15dfa66a67408596e9ccb97489a09a073 ffd1a0a7ebbe71aa5ff793cb91964160703b4b6c9c5390842c2c905d4a9f88111fed5787 4ba9b03cf611e70486edf539767c7485189d5f1b08e32a274dc24a39c918fd2a4dfa946a 8c897486f2c974031b2804aabc81749db430b85311372a3b8478868200b40e043f7bf4a1 c3a08b0771b431e342ee277410bca034a0c77086c8f702b3aed2b4108bbd3af471633373 a1ac74b128b148d1b9412aa66948cac6dc6614681fda02ca86675d2a756003c49c50f06e Connolly Expires 8 August 2025 [Page 34] Internet-Draft hybrid-kems February 2025 
13c63ce4bc9f321c860b202ee931834930011f485c9af86b9f642f0c353ad305c66996b9 a136b753973929495f0d8048db75529edcb4935904797ac66605490f66329c3bb36b8573 a3e00f817b3082162ff106674d11b261baae0506cde7e69fdce93c6c7b59b9d4c759758a cf287c2e4c4bfab5170a9236daf21bdb6005e92464ee8863f845cf37978ef19969264a51 6fe992c93b5f7ae7cb6718ac69257d630379e4aac6029cb906f98d91c92d118c36a6d161 15d4c8f16066078badd161a65ba51e0252bc358c67cd2c4beab2537e42956e08a39cfccf 0cd875b5499ee952c83a162c68084f6d35cf92f71ec66baec74ab87e2243160b64df54af b5a07f78ec0f5c5759e5a4322bca2643425748a1a97c62108510c44fd9089c5a7c14e57b 1b77532800013027cff91922d7c935b4202bb507aa47598a6a5a030117210d4c49c17470 0550ad6f82ad40e965598b86bc575448eb19d70380d465c1f870824c026d74a2522a799b 7b122d06c83aa64c0974635897261433914fdfb14106c230425a83dc8467ad8234f086c7 2a47418be9cfb582b1dcfa3d9aa45299b79fff265356d8286a1ca2f3c2184b2a70d15289 e5b202d03b64c735a867b1154c55533ff61d6c296277011848143bc85a4b823040ae025a 29293ab77747d85310078682e0ba0ac236548d905a79494324574d417c7a3457bd5fb525 3c4876679034ae844d0d05010fec722db5621e3a67a2d58e2ff33b432269169b51f9dcc0 95b8406dc1864cf0aeb6a2132661a38d641877594b3c51892b9364d25c63d637140a2018 d10931b0daa5a2f2a405017688c991e586b522f94b1132bc7e87a63246475816c8be9c62 b731691ab912eb656ce2619225663364701a014b7d0337212caa2ecc731f34438289e0ca 4590a276802d980056b5d0d316cae2ecfea6d86696a9f161aa90ad47eaad8cadd31ae3cb c1c013747dfee80fb35b5299f555dcc2b787ea4f6f16ffdf66952461 randomness 22a96188d032675c8ac850933c7aff1533b94c834adbb69c6115bad4692d8619f90b0cdf 8a7b9c264029ac185b70b83f2801f2f4b3f70c593ea3aeeb613a7f1b ct 0d2e38cbf17a2e2e4e0c87a94ca1e7701ae1552e02509b3b00f9c82c39e3fd435b05b912 75f47abc9f1021429a26a346598cd6cd9efdc8adc1dbc35036d0290bf89733c835309202 232f9bf652ea82f3d49280d6e8a3bd3135fb883445ab5b074d949c5350c7c7d6ac59905b dbfce6639da8a9d4b390ecc1dd05522d2956f2d37a05593996e5cb3fd8d5a9eb52417732 e1ebf545588713b4760227115aab7ada178dadbca583b26cfedba2888a0c95b950bf07f7 
50d7aa8103798aa3470a042c0105c6a037de2f9ebc396021b2ba2c16aba696fbac3454dc 8e053b8fa55edd45215eeb57a1eab9106fb426b375a9b9e5c3419efc7610977e72640f9f d1b2ec337de33c35e5a7581b2aae4d8ee86d2e0ebf82a1350714de50d2d788687878a196 44ae4e3175e8d59dc90171b3badeff65aeaf600e5e5483a3595fdeb40cbafcbd040c29a2 f6900533ae999d24f54dfcef748c30313ca447cdddfa57ad78eaa890e90f3f7bf8d11696 8a5713cc75fd0408f36364fa265c5617039304eaeac4cbee6fc49b9fe2276768cdbec2d7 3a507b543cc028dc1b154b7c2b0412254c466a94a8d6ea3a47e1743469bd45c08f54cf96 5884be3696e961741ede16e3b1bc4feb93faaef31d911dc0cb3fa90bcda991959a9d2cbc 817a5564c5c01177a59e9577589ea344d60cf5b0aa39f31863febd54603ca87ad2363c76 6642a3f52557bcd9e4c05a87665842ba336b83156a677030f0bad531a8387a1486a599ca a748fcea7bdc1eb63f3cdb97173551ab7c1c36b69acbbdb2ff7a1e7bc70439632ddc67b9 7f3da1f59b3c1588515957cb8a2f86ab635ce0a78b7cdf24eac3445e8fc8b79ba04da9e9 03f49a7d912c197a84b4cfabc779b97d24788419bcf58035db99717edb9fd1c1df8c4005 f700eabba528ddfcbaeda6dd30754f795948a34c9319ab653524b19931c7900c4167988a f52292fe902e746b524d20ceffb4339e8f5535f41cf35f0f8ea8b4a7b949c5d2381116b1 46e9b913a83a3fa1c65ff9468c835fe4114554a6c66a80e1c9a6bb064b380be3c95e5595 ec979bf1c85aa938938e3f10e72b0c87811969e8ab0d83de0b0604c4016ac3a015e19514 089271bdc6ebf2ec56fab6018e44de749b4c36cc235e370da8466dbdc253542a2d704eb3 316fd70d5d238cb7eaaf05966d973f62c7ef43b9a806f4ed213ac8099ea15d61a9024441 Connolly Expires 8 August 2025 [Page 35] Internet-Draft hybrid-kems February 2025 60883f6bf441a3e1469945c9b79489ea18390f1ebc83caca10bdb8f2429877b52bd44c94 a228ef91c392ef5398c5c83982701318ccedab92f7a279c4fddebaa7fe5e986c48b7d813 5b3fe4cd15be2004ce73ff86b1e55f8ecd6ba5b8114315f8e716ef3ab0a64564a4644651 166ebd68b1f783e2e443dbccadfe189368647629f1a12215840b7f1d026de2f665c2eb02 3ff51a6df160912811ee03444ae4227fb941dc9ec4f31b445006fd384de5e60e0a5061b5 0cb1202f863090fc05eb814e2d42a03586c0b56f533847ac7b8184ce9690bc8dece32a88 ca934f541d4cc520fa64de6b6e1c3c8e03db5971a445992227c825590688d203523f5271 61137334 ss 
abcd3d254b08dcc1d174acc399acbe8edb0b3f6d23c4e026829657751c1ca09b 11.3. QSF-SHA3-256-ML-KEM-1024-P-384 Test Vectors seed 7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef26 sk 7f9c2ba4e88f827d616045507605853ed73b8093f6efbc88eb1a6eacfa66ef26 pk e41c6ffcd44a9d23ad5584b131877690e69f2067a33b86b4c917ac71940303a668aa331b a9075deb0511e5536c9a455b1be23ba39280b9a6c2a4bba17830a11e7532c2d425c1218f dffabdc5ba44e70456fce06e14b267db019548ccb9967cac7df908f5f880d67a6aa8383f 70b599448bc240b25651c2a623f644cf480fb205b4a6a2435ed6cd5b4ca3f803c725528d 42d018b0f3c6ed30746dc07b3ccc279ad831c111134073bac741c73c22c79f0927947830 440673b8360b06f3078147b7c767435225aa4119892147a642174e8ae33e8ee8ac3809b4 5f7c64e7244f3c46189f232e48d1368128bddd5b99594b9f3273b1e9a7ab7e2c1eeada5a 0240104bf9c19d19275be3ae073839ff20c0128a2b1a722df8f7636198149cc06c410a14 11dac2c8609714585cf9a9c86b01bb3847c25ee0c281605edf49049a953baed542a6c0cd 9fe67216fab96c142e5a652409f941f85334b1c383dc24a52af2855de301150852d6ca60 9ab060854ba755590dac5371ded9b032c14a9fb68e57da7ae7595cd3d24ee72c7a89d490 8f3aaaf9a9ad43dc63d38186f6c3bbbc2712a1e34903a351dca26ed031aba99867179899 9ee1139b4687f76686adc367c5a098766b9f21585841b3116a4c2e645605fb457850a896 53ac20d063b4d6962363418c2a00ae74fa09955b8d9f1757c0528527303eae9aba1bfa21 73693b44d6279620a0ac27874c5c48b5a7811aea6e5ee112d178b54484bcfdc253fdc286 7f68c700416e6468522798b1482945aaa83dfc98599f4488acc6491e2044c5829abbc696 c7c0562f20b73e8542e32b93fa13b87b1cbdd432660596439a6223c68136ebc0371e1382 e5148a83a5050b611e6d3acf50d6265d7c7a72da88e13895b3386a1b906f520a73c283ba f4d9471577ad6a2618ae85b03090acc1b3301e59601121567491249764a54ab9c52848bb d8c7806c7c05a0f01bb3a9b3407b8a787a4b8dbb2c28e65cf909c8179b27eb0576517316 ab41bceab21922fbc2cda587b66abd0f976f8e5994dcd1a6f5924263818f96c0299aac16 c4f165dcd931096989330184404a62a3c07c35a494dc9922e38a3822f25747a5532c5083 bf180fe144580df494ff68a38cd719e6836577f47ddd4036ee8875a1349cd4f1276bd056 
2c80aca80868fec36df663a357c9c9c9a364abf5212cdc99e3327e52962ab1122e8d736f 99048fd6647006fc4e5c1174c3930b188946f8e6347ca88ee672ab4bfcbd2db9b730031b f72a010084580a144832134461212ba7e5b256da9aa62c9705134da7f38339acc043b826 3d1142a288adccdb6d9176583f59288ec431339c5e7b1b4bd29021b8959e6f8a161af3ae 72da158de77985db11ad810f5706442a0032edd48c143805e69188543931c320afc33236 ee7090165c3daff9cc83f6c69b8b02ce22384cbb6da54c6df76b49925b25bd996cb2cc13 b21c9312227761395f873011de4a37f2182e52e04cbfda9aa8ba777452743b3b9d02282f 78eb167a07b9daf11de0d27f7531aa15ac7464042280c1154c405f00b9147c651e864628 f7c493f7059af51cb4a3d08f29f243b030cf84404aede236fe9aa799531a87645c08f0cd da2a9e2c985f86e7abf9962915f465ed9bafad4080045a6c8cf83bdb8a5075984c3577ad Connolly Expires 8 August 2025 [Page 36] Internet-Draft hybrid-kems February 2025 a1ac687bb3374a645f5678bea23357cc6258d4a47e8d03aff7bb4482d98320f71a9819b0 78166779ab59567a902548977a4c826eb657a5417af550883d943e3f9365449a67cd9450 97824596cc05447805a2f31ca3ab0044739687f077be1c89074744cf6a2d484590a0511d 90d40d557bb9886b5d7eb382784cc113eb8fb63755b055a5e775093dac8640b096e94478 367617745b0c937c0f4dd7aca5a91001a680cc0bc2d6f9597ad1434e5a877d852e0a93cc 38352c848a27eab620215435822145406a7f98f91e5e8b70a150c5e6a718d83000515348 0b403ba20c24e558b344f877dfd98f4b8105ea53310bf75b6f4c08ba30565fc1784563a6 16d1213886504b431ab8750b8ff623d3cc3116a07d31371d33292873670110f48550e777 bef92c05703ac4a3a4d6fa67a660538cf05b5889c80cd5c2e686275f703dd1b604b7c45a b092a9f736ab1a430cacb73b9d7c6e07bcc0776a5656f99f6b526a3eceb6608dff53aa38 6a9fe9d0935d9a65873ff402d9660e9abfd4b8fd039be5a4720770e8194b5fc31fb06cbd 40db8065bd583226fa2eefc75c2e27697b307071d033a68d3c0c42b4fa9213264d randomness 3cb1eea988004b93103cfb0aeefd2a686e01fa4a58e8a3639ca8a1e3f9ae57e235b8cc87 3c23dc62b8d260169afa2f75ab916a58d974918835d25e6a435085b2badfd6dfaac359a5 efbb7bcc4b59d538df9a04302e10c8bc1cbf1a0b3a5120ea17cda7cfad765f56 ct d139c9744f82ef618112c84fa0f6e27c1daf5642261ff68f6714b1892fd48efa91209f27 
70f21f523e3632acf603f1c4e27331cb1fccc112f333821109314c7a905fe461fbe34184 cf4f7280041e2611d2589e5faca10d5621e677683a8ea8981ebbc6f8f1ee864fb602a671 bc95ee93ce9174eafe05b7092f163721b24c39a4d67c80f59e83994bf04ee6df7acc9e96 940d81fccd8e88fad6bbf598bad917d228d46ab0a00f2c48541f64d9aeae1cacd1c7fc94 8fed02002563c4ae256cabc08e5b8d9137501b221cbc1497ee23ed204b611be846fcfc60 c1a6fb2dd1948ba458f45bd41492c78ebf81b9b9b948b446b046a55219dc6168c0b8f4ec e0b565a2dc96d004f5ed20afd28499904e8f987d2f6b72e2a3ad2a852546639fd4de356b cc1ad4bdc21a48086b87e711708b2946de77157da9a6854b3558ade1a77c75d249cae054 cde643894e2d3688f487fc3b71a5713c20abc6e14eddc80d74d53445f5a9b3900ffea522 55e85cb29740cb55d859331bf0fe6b61c01c1f4193afe3300174840ec8a91d8b423530ad 892ef304db95cc43f05a859564ac382c4a0ae091d99afd943f78d32308f90b2695d17626 470aaa70faabf4122f5f5faef5df37c65c1d35850d6c93fa3438f5c349888b867d5c4748 c042348b7d2374ac78aaa24dabd2500de0325e98148ea46ecc4873aae6400aece8e799a7 e256ab93cfd16320b19381e1f89290430f6a334efe58ab8de957bbda3a187bde3375751c 6b9d4f9deaff9eed2e912bf78cbffbaa5f98c6d86ed9686cdd7200db8aae3c982f4de055 7f5219cc7ee84f559155641c9cccc096d47c98b179ce6e947997c81296e6c0a1c77b4f33 e0bb96e085f2b41d14214108fdff4e8f49cd7f8587624999329e8e1dd6522bf9f216dedf d88b29a5ef25babc9e2c0a0a2905ae27d8ae44e87bca70ec7d8cb0c139bffc156ae44761 7df0c9e95dfea1903b147918779a99742eab38b55393cfa7da56568bbace05d02cda7405 99219ff69e60039b9a60bad01efbcf36af7c3e11c8ac695241f5ad229f16521d7e1d0f39 3df64207c3214ebdae12139b39211e60e7339647f15f63e910c68bb661ff372af203ddb2 30836a3ccadba7a6349343e67725900843e5a165bc9e5a9cae481416e52a849d52c197cf 3041d18958b02cd3fa5ddf1c67050f8550cdf52cfe52570dedfa20c164083ce26ceaebe8 e5ce3ca5861a03976e230dbe0ae98ff8c569715aca7eb33fdc4750ffb89572143d5ed347 a14155629ec75f43e1705e885e8e5a8812b10bd2fe85777888bcfa8d363ad3679375ec79 76e5655084bdf1dae11699c384a0dc4cf0c658055e9ede8350bb05459612a20cebab22ed fb8815e1cf5c7e5b1fdd50a441db61fd47a9bb8d2269565db5aaccbc239ce6c47fbb44f0 
ca5441049eed74c3a1db38be13c792c1b5aa0c5658887c44dffec5eeeb22a725b5995711 380d1f80a0f9e04a43d6009403e6f95191f8ec809916e44c3d37740468cdc977e33aaa79 cf73d13db2bfd78b3cd491f507bc8c45bfc7ac1634f1a4306d6ed72fc123317076415c60 Connolly Expires 8 August 2025 [Page 37] Internet-Draft hybrid-kems February 2025 d51cee12f9fc8c11c48cb827952da775112312d3712d79e97167241f08a4a4278b6dd1bd 5c67809451ee43bcfa6f3d64371b8dc9f88ed3afb04f8815b6b5ca739f6c01c11a68282f 4a9489bbb2adbc9134ea411bbd11d40a9ad6a79c21ace163465b302b34d8f45ef60136fd 4910f3b78b68c2f2c23a7eeb57a6daa25122c16836b7c86a6a637f6e9603380a9999d19b 8e5c3f3c9f410bebbdb1e65cb68bffa625aa5b157b70a42eb95a81a5a111ead4d0be0c77 45885c2646a0e587cf08bb943245000f0720fb12a869ed1e012d2660aaa917ca7af84d52 9b7387fd41d92293a45c617c3fde16f82209d1a1aff081c006c982aa4d758902fd28b00b 5d9c10771c6f77e875759f27b998182a0cf753bf7cdeb1cec371261a6af05f2738f96d68 29843d3a19e49e1abf5b8bd0fe604ce13272a330b4f1cfbfdba6b6df7096158eb3ac7adb 952d6a81bb0f4dfbeda3f61cda98c1c06f34ac7cf67d17521f1205942edd8eab6abb60a0 53dc782de23466e7f44df2e8c7bff556ecc542341784d7965e3a5d5695effbda1b8a5fb2 149b442a5b9f3030cf682ade82408a3df715b3a23795afd7d358c75272afa0708a4ae247 b2bb87fc65f7a4157ecf2c7bc5589331ec2c331a03520aaa94d64aba1da116f540bb2df0 5a0dab190395a7226fb292f94cca3054ab2377cee81d9e58a4fbe1f95aa02d05a4 ss 6355d14217900ffc9ef9b8ba6c7500a145c8aede60f85486e93820f5e17d1f25 seed 23474d368ccca8af0007cd9f5e4c849f167a580b14aabdefaee7eef47cb0fca9 sk 23474d368ccca8af0007cd9f5e4c849f167a580b14aabdefaee7eef47cb0fca9 pk fb919074472b8012c870650da1c92b1f885455cc83dbe5b708213a83c401e9e408c63367 f15507c266474c0a7512e08402d0bdf45c0183f42c5a96c6f4d1589784ad32f378bef259 1a27bd43ebb7e847446fe257b0d3a338c26401203c916662880cac68db7f548848c69a61 b0d570867459d0da534d8b858fa40816b48f6890bb06da38fb2c458f218965e2a94ca136 7d8400d0a1271ed65114e636a5266879a51317628f54db15d698376f443b8fc41949560d fe1771bf6a57cf5254ce4597586cb202b9a3c7307d1ae0985eb66e0da38e2e247384349e 
aa0c8d3496250b713a96b01996f5c5bb5444e7e585d5d41297c319d367284708312c98a4 45c77ed5135a3497c04cac330e8459008528679127de41c8ecf544e3a7793602ae29a0ad c47c858c7487f556adb88798441571e520273b469f52048d29e063eda4187e02305b3416 372b8f0850350ac52f7875097e989de356b0d3d4074201c9f044355e58906f2b0e50b28c eb908ab75a22fcea243cd064a3eb051a825cb4e76a14f5504924748dfb5184e6248dba45 fbc5ba109bc0ad5600c59bad7c239d5c538837b595d4b26d27d7a826310de09a99aa0a33 4cc40c3f9099e788724dac165f82b96d704303b851de54a0f7b2ca655966626a711ab28c 35e4aa3dba62e7d777a3008e315b350bc85b797252c16234ac3cc12f1b3ea2bb1b8b942e d07c2754879754b60eb4f39d62d679bde4a50644436964b3fe0b807a8477a4f0ab89aa92 96098925d51b924b86dbdccc963acb3b975cdf02d07c3710b24c248c29275c9821b29a92 9a850eb7a41f5bc2aed447b33d7a3cc0f25f1f4b5feed92528363caa520b06e82b22c39a 4dc6b8ebcc1fe2d76aad319539eb5306d9b8710390a89c01c8890bfcc9716dcbb676645e 42641748db3296ba9079988e6a2a45d2e25ab0d826d073824558272011709fc13a483397 974181a75575a0163047c65daf1945eb731164c177ba379c0fd3b9244642712ba2ef4807 804c4832f753e07496c9c971d2882d41a75b78f3c83130412fd2c6a2a9a4882435c816b4 d2fb9c05c50d2eb347a294685a1a9470494c29a43f1b621762ebc4b4b45ef3d81f4ff083 2cba113d9c0d4d7b437f0623f7b97f31ccbef9c251ac4522f5782dbe7988b77b3d2a3a04 cc9572b159644341cdc8fc2a7b1a9895f3357e26cec3651e9dfa139869ca848ca1fb48b8 5e10318d45bf8526916e13cedebb28cd5c6aaaf06d7001852855279116453d851c55f541 9f678895f46d6e266a6571ba3d54676ee33145b07cd0537e02d8a93ffb5ce2c13093b3c5 3935b49484701cc6994d810a4cc15cc6f50d6d3599f764b15417801430b32cf0acab2cce 59c022ac777ca9f5b86ad1698b136b0e4cab6a145326a96dee693b34a7ad6a9010afec85 8d02c2dcd2ba2f1805f38355f68022bd48c93d7c3b0264211651bf7c838ad4b5bc62998a Connolly Expires 8 August 2025 [Page 38] Internet-Draft hybrid-kems February 2025 6ce993a4f23bca243b73929f00f25c33458a1099c344a8868c635703b64167f25a6b6478 1b0545be70c3fe0080b8c6260ea067d38310e921a929e95e8d6a89e6246525e697bd4702 410b2407c87e882bc4b0b504a1d2498c989d4561a9443c1f3bd202ddc53bd7dc7723e06a 
92f5ca20e2086b0741bd069dfd149ce7497cde756f36a53713c648951054f58327dcf74b 52240ffc6a3763019a103585df850f6fb99774974d589bb0996aaf6bfb78c1218d700810 3bd6262031c9ed61c079b4aa6b615324b88b7c101b32c356874826466187ad62225bcb86 b144896be9393a803380945608a4496c57887c181f430041548581fdbb0357614b981c3c e2514be0095b3f197c455340cdca25bc2acc62b47e50118d7c17b9c1f94edea5c3a9915d f945675ab67d9c840f73f553e5a7ad78e0c596e44fc8ca043df74d1ae253e5d9880bf48a 70760473bbb581c8ae4e36c98ce76dd76334ea129e2b5c936fd2abdcc31aa14411f266c2 53085a5f5714df4078c1d082047bc0046c2160ca39924618b8a97ca66a894a7a946d0159 6111c9fe81892207b9fca949bc4143f58465844371e7cb7dced503dbc4068ed33521c840 b1095af6dc0fde306df3d74785123563d421d696759a2892f5f6812079c28d6175be4020 143b5667daa088cb7094a81267b870834898f6b6020c1aa4bfe13c79e71da495b42ca55a b21b54b0bb5a76d2e6a90872039b0c0f24cf92e50348ea6f9dab53c3b7c50a9ee2d7e6be 97e950f88736ccca78f57434f78221057a061f93b96b0fc7b87aeff35a572fb027 randomness 767be1fda69419dfb927e9df07348b196691abaeb580b32def58538b8d23f87732ea63b0 2b4fa0f4873360e2841928cd60dd4cee8cc0d4c922a96188d032675c8ac850933c7aff15 33b94c834adbb69c6115bad4692d8619f90b0cdf8a7b9c264029ac185b70b83f ct a1509d5821b2decf0a882d513f3aa1624d1c6f774bd33b10c751d02879e60c66bef59fa2 2991bcb6e0d91990ebedad967457308404370b0d9c30d9758e7879e1ec71c4ec18de6546 4a3020b41093bb38145e4b5b253d9ea03bcac191239578a4be812ca7070d87afa341db03 5072610544aca22ed3e01a88c7d717504b32404f95e889caa4cce81e6f9d1227c4e81968 6386c6e9edefe0012cbe4b0c10cc14ee5d87c514431b909be0e33ff21bdf1be0e8e3e01c 7aabcdffbbfce91fc2f4db690d8f743c2e0efcc45484b9c4f64e0072ef32993a574e0146 ad129f7553755e4c81dce8c2afb2b093d0d3047468d39468ffacbdaaa03b5b71644822d9 71cb2af5dfc2d0808950b9f36263707dfe4d5b53efd18b0ea38c4fcb9199fa40558943e5 484e26a9b4b3515ef93d35faa0c98bece01e6dc2ed800ad74e5251bd90a1e66ac3c399be 18884de6f9dc2eb8a7488775abbb07a355d95d4e0fc9b0d0ff65f7680e4ffc1b4bc06eaf cc4fe68032e4c7abb148c8b6632b86f432fe212856a5282248c4a9db3c3bf4aa7739b8ac 
631c6debd2c4df6d430bbba27d4d375922076d29307019f69d467ac30706d68509e009b6 e924832915d385f2b3fcc08e36438bd066b6d72095df65786e203cde5ca4c84333e28249 aecb360c7b42df325821a7abe2b54f8d9d7e6fed9dd18f872fd7270d129a993da5d625e4 c3eb7a6e9ee49c1ef2e536a9572542a99cb21139f926b686aac631ed2fc1f17bab80ad64 52d96990cc2d5d57f14331ed698acc68a50f9365113bb3a975fe1507eba9bbe3069be320 e7733809e1f9fc21ba3a89a6093c4ca96e4eb2e4c9bbd2c191b4b4019c64e729a3fc65dc 161716c5940f4e2d2555a9f79071c760b0574b2891ec2f74829ddae11c676ad4a6575dde f34adbd097ee049ed4a3da4c17361d838cf780659196ec6d817a6408d210f1a796e1cf61 9eab616956304efa7f9f08b5460839e6d4f1220e238672619ede26da3c6516fa9719c65d 5dc41b1a9e7817e60767986e6125aa71509dfcd282ff4adb3093fa32b46f993ff9dd5f6a 2d521b24a86995f01fa746ece7584dad16ff192cc230b2b09226b48ee1ecaeba935f64e8 1f5de2f51dce5234f7d558dd9c1e6ac7761a9c901f1b7cda4b1e3841dd752da03fab4573 6116a409b5034f0e49b890e8d42697c9a88851ef1e9b413e70f936895cb2de4e4649a562 3dbdddcfb9721af5c4991f9336bdde117a32215984b54e5653da7778becb6fe4c876a244 6181062c4a446249abed8e2beae07d96343484fa2f70bfd9dc45845a03c1be75f8b794a9 17fe67904fbcab8736d524032be1bf83d8439a75a8bda37a0c4543502112888654ce351d Connolly Expires 8 August 2025 [Page 39] Internet-Draft hybrid-kems February 2025 9c81bc0844a32927759c205f8c5dcc10e81fc04e7ca7a24c759c455265e266426c092403 d50040fb840992d5afb3b3db4f608f22bcb1539daf30c919ef0507c8e70d1616c3e96ab4 d6630c50d48785db947bc6da11eedf6889f5837112e1452c2b55ef4c0eb7e32346fbb96a 9815aabcd6db97c77bc270517af31a6e3a6c1851e31d4ba115e56e81740ba212cb2af1f9 a2540e6989b2882b44a2039b761c482e43b5d153f05fb01a218eecd32c9c4a6de54e2316 f7b466d306b20ebb120d4d1185a01382934ad66f914d71ed6da0b34e0347d3d5d565d52e bc1ba68bb33d34abc9c8eb91cea27b6cf57db0162ef02e22f92ecf07203775c372cb6257 a2e82a28baae7e9a8e8f32bc20c8a6b9434c6755846ad68113deb043b09f860419b2d6af 2f64b1885db33bc3fe164842ec44b460261a977c44872cb92581f71a20a088a719fc3e46 fae48da16fb79573ab0cf980df9a77b4f73e0f59463c11ee03487cdf7ca0c386050f41f3 
f2255e051bcea12765c8733d25350edabc61da85cc437fe6ad480bd25ce4daef91841236 fb04f19cb8df9d6a6f7e24863076dd5b173da8518f3800a3a615d0a6a6ac4305f731f8a4 945b4eb7c7ad72b63373f9baaac0eeafa45276b436ec760f7512e1e10328a320f7390d6e f5123d20b9b8c21342d94d63bc4bb1d58ad6fb5bc9a07f69201a5aa94ab7dd550389ff15 d1df63c8268c87059c6142855e73c4c65e7d03c0d53f8e888a7f19cfe26f7c2aa3c9bbd6 b020c35e51b8dff46fc2163131dd513693334ed43dd7a8c182bc6f520ecfc8a38a3e4610 c9bfcf782cff1f87ede42bb56681db4542783d40039bbdd642492ef1fa5230eb8a6ee5b1 34305b73f83147912980758b390070b7931117f97833a3d7fc92b7552ecf4765ec ss f62fe1a5ebf713c8d43c0ab6dd37d3e0a0b35781e48e79c3d849833c713fdad1 seed 2801f2f4b3f70c593ea3aeeb613a7f1b1de33fd75081f592305f2e4526edc096 sk 2801f2f4b3f70c593ea3aeeb613a7f1b1de33fd75081f592305f2e4526edc096 pk a10a07c7c72815b5281584a0cfaa22fee7386985592d051750b32443e16f31171bfe2677 df7ba9ddec75c7182ad65ac06cbb614e97b1dca591c1ca3f52f46ce270a8cd7b794a9948 5d4365bc901513d7000148ad30d085a4926be184853f61cc4b216cf3703743d6ac87c003 ba153231a52dc2307f52c0361d9409220c205631952d202e2ce22872fb7b79b484afbb6f 5b979c0c61978dda8a0d32294702270b43b494f9c30d11bdd504a098d662dd943a1b6890 91b579e05897c53a4d61a2bb5ea2c4e975705b914b4be3bdac76b07d454e6d3087081480 43ca4a0ab92f92265d2a757e868a0d7d400ddde468a8649c1e458a13b96aea338a6a242c 1813ab3e3447c7d608e1a5beaf218f633201e096c11f6bbf038c8663c58914e021e8c788 5deab1a95b6cc86692722c0af10092f03810bdd8b4176cb893761a0e740a28a54a1ee362 0188b7e298bb83c95d57514cc0a2ae4cc562d4f61d27d71dead6184688086d964383131f 76d9ba4671627db94c6d57795cc1b2e07c231efa2793c61bedbaa609a583c3c8ad6ac658 faf43b89e78ec980c1dcea2b1ea836859097656accf3f8700a007cfda6859f21387e9467 48c773700b63db1a159296126e782b3595913fa5ca0f13a00de5cdfed083893bbdc7db01 9887738e1768706382af258caa145486622304eb1586f08b597bbb106b9433ac34458aa6 835c72cab5635308233e6ab5c774b51e10339ab98093099da0730346dbcf74cc926ff3bb ef663ba7988ed99b55bd3163846755b1bbb263a675478a0e8bab2d538aae816c186f8b79 
3fd7c56966afe39435593b0603da78cd59b85671a428bacd9f2b80810042cf5ac8368747 aa3565caa633c6976b806c551ab507d0da8dc2a42e226569f5c74b623441e5513d765b7f 21ec5f39a3a78e102d61e86217916d39d5caa1712d106aa45c16b9d9350ceffac702b3aa 74ccb828263082521ffa17807c07bdffa281798a178dda3ea8357fb0040cc9187e8d9259 f719b5a317908916983a191f63c749cc8c1e74b94ee8c15526444e76521484399436ea1a f8a30f88572f1f2cc9c9d08c7f911219808437b89b54dc838867103fa32411e9612330c7 6c87763b7aa3072918a3f69c2db38231419d616a480558c31336b349f18293aa7094f026 d40243f5494fde85c858171c1dc024280a81edc99321d0bbf8253e150032919c58d4277f 62e0cd5d8654cc721ed7b019e47b94898728595bbe929a139da12e8043779a4277528bcd Connolly Expires 8 August 2025 [Page 40] Internet-Draft hybrid-kems February 2025 35c800abe82adc8a0b0ea12c0b13bd2e6597ba2b82490b7c0c336eba761c90966167ca89 29103d94543490dc688a43bb7910b35383705d8caf2d7590dfd75bbaa39f0e6761ad07c9 440691ea527b3aa62194d397a81236538681ad74c201c1656c1a16ed7b1b4fac407bd828 93139acb90b20ed106fd144d05b368f53bb6076a410ca454795679339b43d5d444545b82 d5a0ce273787731109f619a256246a03b97a09c677eaa581a275bf98f505ca759e2fba6f e7a7060b77c7c55aa32d849ce1445449c3a951524ea9652ff24b572ed64e58320293a047 dfe5005ff3131cd6976b139c342c93dacba8bf1b24ec567709186daea1b4f67736073c9c 028451cae14348a380ca13c4be04154a2681dee5712a16c03bc54b6c61a6e0520cd9b464 e8cc31eed3625e829f664a6aa076a70bf50b416c92bbe028adba36bd586280c47db94924 26d0bfe7f81feea4925f2ba294752af024ca2a7bc1cf48b5a3110d9c553fd79b7c699716 09049df265314a639b6b2a5adc895c22d952abbaacde1a1fafe7b00bb67e288546411c91 9e86bae5232ee58002ffec7c92885c004542f79a85af78379d483df1206ce513ab93c681 d5799dc1a3659460c3c17aa50bb306e7eca66c190e1468b1cfe83dbf473f26c003681604 700483c447b0253c47d9d3ccb7d8c5ace9b5f6094310545cabd5cb88e9b09829024dc151 1cd13ebe761e6b055e02a4000a434de6d7737cb8923477c82f2992a4d6918ee84537ea93 e63b05e045a99f0cc8a561a1180c3be8361277bb9640486ee86261e74c205f8537b416c5 b0c3b1d9609d47e3b04072b51d55347f3057ede1cded5716f60556c59a13c2d777e86b39 
Acknowledgments

   TODO acknowledge.

Author's Address

   Deirdre Connolly
   SandboxAQ
   Email: durumcrustulum@gmail.com