rfc9958.original.xml   rfc9958.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [ <!DOCTYPE rfc [
<!ENTITY nbsp "&#160;"> <!ENTITY nbsp "&#160;">
<!ENTITY zwsp "&#8203;"> <!ENTITY zwsp "&#8203;">
<!ENTITY nbhy "&#8209;"> <!ENTITY nbhy "&#8209;">
<!ENTITY wj "&#8288;"> <!ENTITY wj "&#8288;">
]> ]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.29 (Ruby 3.2.
3) -->
<?rfc strict="yes"?> <?rfc strict="yes"?>
<?rfc comments="yes"?> <?rfc comments="yes"?>
<?rfc docmapping="yes"?> <?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
-ietf-pquip-pqc-engineers-14" category="info" consensus="true" submissionType="I -ietf-pquip-pqc-engineers-14" category="info" consensus="true" submissionType="I
ETF" tocInclude="true" sortRefs="true" symRefs="true" version="3"> ETF" xml:lang="en" number="9958" tocInclude="true" sortRefs="true" symRefs="true
<!-- xml2rfc v2v3 conversion 3.30.1 --> " version="3">
<link href="https://datatracker.ietf.org/doc/draft-ietf-pquip-pqc-engineers-14
" rel="prev"/>
<front> <front>
<title abbrev="PQC for Engineers">Post-Quantum Cryptography for Engineers</t itle> <title abbrev="PQC for Engineers">Post-Quantum Cryptography for Engineers</t itle>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-engineers-14"/ > <seriesInfo name="RFC" value="9958"/>
<author fullname="Aritra Banerjee"> <author fullname="Aritra Banerjee">
<organization>Nokia</organization> <organization>Nokia</organization>
<address> <address>
<postal> <postal>
<city>London</city> <city>London</city>
<country>United Kingdom</country> <country>United Kingdom</country>
</postal> </postal>
<email>aritra.banerjee@nokia.com</email> <email>aritra.banerjee@nokia.com</email>
</address> </address>
</author> </author>
<author fullname="Tirumaleswar Reddy"> <author fullname="Tirumaleswar Reddy.K">
<organization>Nokia</organization> <organization>Nokia</organization>
<address> <address>
<postal> <postal>
<city>Bangalore</city> <city>Bangalore</city>
<region>Karnataka</region> <region>Karnataka</region>
<country>India</country> <country>India</country>
</postal> </postal>
<email>k.tirumaleswar_reddy@nokia.com</email> <email>k.tirumaleswar_reddy@nokia.com</email>
</address> </address>
</author> </author>
skipping to change at line 54 skipping to change at line 55
<country>Greece</country> <country>Greece</country>
</postal> </postal>
<email>dimitrios.schoinianakis@nokia-bell-labs.com</email> <email>dimitrios.schoinianakis@nokia-bell-labs.com</email>
</address> </address>
</author> </author>
<author fullname="Timothy Hollebeek"> <author fullname="Timothy Hollebeek">
<organization>DigiCert</organization> <organization>DigiCert</organization>
<address> <address>
<postal> <postal>
<city>Pittsburgh</city> <city>Pittsburgh</city>
<country>USA</country> <region>PA</region>
<country>United States of America</country>
</postal> </postal>
<email>tim.hollebeek@digicert.com</email> <email>tim.hollebeek@digicert.com</email>
</address> </address>
</author> </author>
<author initials="M." surname="Ounsworth" fullname="Mike Ounsworth"> <author initials="M." surname="Ounsworth" fullname="Mike Ounsworth">
<organization abbrev="Entrust">Entrust Limited</organization> <organization abbrev="Entrust">Entrust Limited</organization>
<address> <address>
<postal> <postal>
<street>2500 Solandt Road Suite 100</street> <street>2500 Solandt Road, Suite 100</street>
<city>Ottawa, Ontario</city> <city>Ottawa, Ontario</city>
<code>K2K 3G5</code> <code>K2K 3G5</code>
<country>Canada</country> <country>Canada</country>
</postal> </postal>
<email>mike.ounsworth@entrust.com</email> <email>mike@ounsworth.ca</email>
</address> </address>
</author> </author>
<date year="2025" month="August" day="26"/> <date year="2026" month="May"/>
<area>Security</area> <area>SEC</area>
<workgroup>PQUIP</workgroup> <workgroup>pquip</workgroup>
<keyword>PQC</keyword> <keyword>PQC</keyword>
<abstract> <abstract>
<?line 263?>
<t>The advent of a cryptographically relevant quantum computer (CRQC) would rend <!-- Status of I-Ds in references section:
er state-of-the-art, traditional public key algorithms deployed today obsolete,
as the mathematical assumptions underpinning their security would no longer hold [I-D.bonnell-lamps-chameleon-certs]
. To address this, protocols and infrastructure must transition to post-quantum draft-bonnell-lamps-chameleon-certs-07
algorithms, which are designed to resist both traditional and quantum attacks. T IESG State: I-D Exists as of 11/26/25
his document explains why engineers need to be aware of and understand post-quan
tum cryptography (PQC), detailing the impact of CRQCs on existing systems and th [I-D.connolly-cfrg-xwing-kem]
e challenges involved in transitioning to post-quantum algorithms. Unlike previo draft-connolly-cfrg-xwing-kem-09
us cryptographic updates, this shift may require significant protocol redesign d IESG State: I-D Exists as of 11/26/25
ue to the unique properties of post-quantum algorithms.</t>
[I-D.hale-mls-combiner]
draft-hale-mls-combiner-01
Replaced by draft-ietf-mls-combiner
[I-D.ietf-hpke-pq]
draft-ietf-hpke-pq-03
IESG State: I-D Exists as of 11/26/25
[I-D.ietf-lamps-pq-composite-sigs]
draft-ietf-lamps-pq-composite-sigs-13
IESG state: Publication Requested as of 11/26/25
[I-D.ietf-pquip-hybrid-signature-spectrums]
draft-ietf-pquip-hybrid-signature-spectrums-07
IESG state: RFC Ed Queue as of 11/26/25
[I-D.ietf-pquip-pqc-hsm-constrained]
draft-ietf-pquip-pqc-hsm-constrained-02
IESG State: I-D Exists as of 11/26/25
[I-D.ietf-sshm-ntruprime-ssh]
draft-ietf-sshm-ntruprime-ssh-06
Published as RFC 9941
[I-D.ietf-tls-hybrid-design]
draft-ietf-tls-hybrid-design-16
IESG state: RFC Ed Queue as of 11/26/25
[I-D.irtf-cfrg-bbs-signatures]
draft-irtf-cfrg-bbs-signatures-09
IESG State: I-D Exists as of 11/26/25
[I-D.irtf-cfrg-hybrid-kems]
draft-irtf-cfrg-hybrid-kems-07
IESG State: I-D Exists as of 11/26/25
[I-D.ounsworth-cfrg-kem-combiners]
draft-ounsworth-cfrg-kem-combiners-05
IESG State: Expired as of 11/26/25
-->
<t>The advent of a cryptographically relevant quantum computer (CRQC) would rend
er state-of-the-art, traditional public key algorithms deployed today obsolete,
as the mathematical assumptions underpinning their security would no longer hold
. To address this, protocols and infrastructure must transition to post-quantum
algorithms, which are designed to resist both traditional and quantum attacks. T
his document explains why engineers need to be aware of and understand post-quan
tum cryptography (PQC), and it details the impact of CRQCs on existing systems a
nd the challenges involved in transitioning to post-quantum algorithms. Unlike p
revious cryptographic updates, this shift may require significant protocol redes
ign due to the unique properties of post-quantum algorithms.</t>
</abstract> </abstract>
<note removeInRFC="true">
<name>About This Document</name>
<t>
Status information for this document may be found at <eref target="https
://datatracker.ietf.org/doc/draft-ietf-pquip-pqc-engineers/"/>.
</t>
<t>
Discussion of this document takes place on the
pquip Working Group mailing list (<eref target="mailto:pqc@ietf.org"/>),
which is archived at <eref target="https://mailarchive.ietf.org/arch/bro
wse/pqc/"/>.
Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/pqc/"/>
.
</t>
</note>
</front> </front>
<middle> <middle>
<?line 267?>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>Quantum computing is no longer just a theoretical concept in computatio nal science and physics; it is now an active area of research with practical imp lications. Considerable research efforts and enormous corporate and government f unding for the development of practical quantum computing systems are currently being invested. At the time this document is published, cryptographically releva nt quantum computers (CRQCs) that can break widely used asymmetric algorithms (a lso known as public key algorithms) are not yet available. However, there is ong oing research and development in the field of quantum computing, with the goal o f building more powerful and scalable quantum computers.</t> <t>Quantum computing is no longer just a theoretical concept in computatio nal science and physics; it is now an active area of research with practical imp lications. Considerable research efforts and enormous corporate and government f unding for the development of practical quantum computing systems are currently being invested. At the time this document is published, cryptographically releva nt quantum computers (CRQCs) that can break widely used asymmetric algorithms (a lso known as public key algorithms) are not yet available. However, there is ong oing research and development in the field of quantum computing, with the goal o f building more powerful and scalable quantum computers.</t>
<t>One common myth is that quantum computers are faster than conventional CPUs and GPUs in all areas. This is not the case; much as GPUs outperform genera l-purpose CPUs only on specific types of problems, so will quantum computers, to o, have a niche set of problems on which they excel. Unfortunately for cryptogra phers, integer factorization and discrete logarithms, the mathematical problems underpinning much of classical public key cryptography, happen to fall within th e niche that quantum computers are expected to excel at. As quantum technology a dvances, there is the potential for future quantum computers to have a significa nt impact on current cryptographic systems. Predicting the date of emergence of a CRQC is a challenging task, and there is ongoing uncertainty regarding when th ey will become practically feasible <xref target="CRQCThreat"/>.</t> <t>One common myth is that quantum computers are faster than conventional CPUs and GPUs in all areas. This is not the case; much as GPUs outperform genera l-purpose CPUs only on specific types of problems, quantum computers also have a niche set of problems on which they excel. Unfortunately for cryptographers, in teger factorization and discrete logarithms, the mathematical problems underpinn ing much of classical public key cryptography, happen to fall within the niche i n which quantum computers are expected to excel. As quantum technology advances, there is the potential for future quantum computers to have a significant impac t on current cryptographic systems. Predicting the date of emergence of a CRQC i s a challenging task, and there is ongoing uncertainty regarding when they will become practically feasible <xref target="CRQCThreat"/>.</t>
<t>Extensive research has produced several post-quantum cryptographic algo rithms that offer the potential to ensure cryptography's survival in the quantum computing era. However, transitioning to a post-quantum infrastructure is not a straightforward task, and there are numerous challenges to overcome. It require s a combination of engineering efforts, proactive assessment and evaluation of a vailable technologies, and a careful approach to product development and deploym ent.</t> <t>Extensive research has produced several post-quantum cryptographic algo rithms that offer the potential to ensure cryptography's survival in the quantum computing era. However, transitioning to a post-quantum infrastructure is not a straightforward task, and there are numerous challenges to overcome. It require s a combination of engineering efforts, proactive assessment and evaluation of a vailable technologies, and a careful approach to product development and deploym ent.</t>
<t>PQC is sometimes referred to as "quantum-proof", "quantum-safe", or "qu antum-resistant". It is the development of cryptographic algorithms designed to secure communication and data in a world where quantum computers are powerful en ough to break traditional cryptographic systems, such as RSA (Rivest–Shamir–Adle man) and ECC (Elliptic Curve Cryptography). PQC algorithms are intended to be re sistant to attacks by quantum computers, which use quantum-mechanical phenomena to solve mathematical problems that are infeasible for classical computers.</t> <t>PQC is sometimes referred to as "quantum-proof", "quantum-safe", or "qu antum-resistant". It is the development of cryptographic algorithms designed to secure communication and data in a world where quantum computers are powerful en ough to break traditional cryptographic systems, such as RSA (Rivest-Shamir-Adle man) and ECC (Elliptic Curve Cryptography). PQC algorithms are intended to be re sistant to attacks by quantum computers, which use quantum-mechanical phenomena to solve mathematical problems that are infeasible for classical computers.</t>
<t>As the threat of CRQCs draws nearer, engineers responsible for designin g, maintaining, and securing cryptographic systems must prepare for the signific ant changes that the existence of CRQCs will bring. Engineers need to understand how to implement post-quantum algorithms in applications, how to evaluate the t rade-offs between security and performance, and how to ensure backward compatibi lity with current systems where needed. This is not merely a one-for-one replace ment of algorithms; in many cases, the shift to PQC will involve redesigning pro tocols and infrastructure to accommodate the significant differences in resource utilization and key sizes between traditional and PQC algorithms. Due to the wi de-ranging nature of these impacts, discussions of protocol changes are integrat ed throughout this document rather than being confined to a single section.</t> <t>As the threat of CRQCs draws nearer, engineers responsible for designin g, maintaining, and securing cryptographic systems must prepare for the signific ant changes that the existence of CRQCs will bring. Engineers need to understand how to implement post-quantum algorithms in applications, how to evaluate the t rade-offs between security and performance, and how to ensure backward compatibi lity with current systems where needed. This is not merely a one-for-one replace ment of algorithms; in many cases, the shift to PQC will involve redesigning pro tocols and infrastructure to accommodate the significant differences in resource utilization and key sizes between traditional and PQC algorithms. Due to the wi de-ranging nature of these impacts, discussions of protocol changes are integrat ed throughout this document rather than being confined to a single section.</t>
<t>This document aims to provide general guidance to engineers working on <t>This document aims to provide general guidance to engineers working on
cryptographic libraries, network security, and infrastructure development, where cryptographic libraries, network security, and infrastructure development, where
long-term security planning is crucial. The document covers topics such as sele long-term security planning is crucial. The document covers topics such as sele
cting appropriate PQC algorithms, understanding the differences between PQC key cting appropriate PQC algorithms and understanding the differences between PQC K
encapsulation mechanisms (KEMs) and traditional Diffie-Hellman and RSA style key ey Encapsulation Mechanisms (KEMs) and traditional Diffie-Hellman (DH) and RSA-s
exchanges, and provides insights into expected key, ciphertext, and signature s tyle key exchanges, and it provides insights into expected differences in keys,
izes and processing time differences between PQC and traditional algorithms. Add ciphertext, signature sizes, and processing times between PQC and traditional al
itionally, it discusses the potential threat to symmetric cryptography and hash gorithms. Additionally, it discusses the potential threat to symmetric cryptogra
functions from CRQCs.</t> phy and hash functions from CRQCs.</t>
<t>It is important to remember that asymmetric algorithms (also known as p <t>It is important to remember that asymmetric algorithms (also known as p
ublic key algorithms) are largely used for secure communications between organiz ublic key algorithms) are largely used for secure communications between organiz
ations or endpoints that may not have previously interacted, so a significant am ations or endpoints that may not have previously interacted, so a significant am
ount of coordination between organizations, and within and between ecosystems ne ount of coordination between organizations, and within and between ecosystems, n
eds to be taken into account. Such transitions are some of the most complicated eeds to be taken into account. Such transitions are some of the most complicated
in the tech industry and will require staged migrations in which upgraded agents in the tech industry and will require staged migrations in which upgraded agent
need to co-exist and communicate with non-upgraded agents at a scale never befo s need to coexist and communicate with non-upgraded agents at a scale never befo
re undertaken.</t> re undertaken.</t>
<t>The National Security Agency (NSA) of the United States released an art <t>The National Security Agency (NSA) of the United States released an art
icle on future PQC algorithm requirements for US national security systems <xref icle on future PQC algorithm requirements for US national security systems <xref
target="CNSA2-0"/> based on the need to protect against deployments of CRQCs in target="CNSA2-0"/> based on the need to protect against deployments of CRQCs in
the future. The German Federal Office for Information Security (BSI) has also r the future. The German Federal Office for Information Security (BSI) has also r
eleased a PQC migration and recommendations document <xref target="BSI-PQC"/> wh eleased a PQC migration and recommendations document <xref target="BSI-PQC"/> th
ich largely aligns with United States National Institute of Standards and Techno at largely aligns with United States National Institute of Standards and Technol
logy (NIST) and NSA guidance, but differs in aspects such as specific PQC algori ogy (NIST) and NSA guidance but differs in aspects such as specific PQC algorith
thm profiles.</t> m profiles.</t>
<t>CRQCs pose a threat to both symmetric and asymmetric cryptographic sche <t>CRQCs pose a threat to both symmetric and asymmetric cryptographic sche
mes. However, the threat to asymmetric cryptography is significantly greater due mes. However, the threat to asymmetric cryptography is significantly greater due
to Shor's <xref target="Shors"/> algorithm, which can break widely-used public to Shor's algorithm <xref target="Shors"/>, which can break widely used public
key schemes like RSA and ECC. Symmetric cryptography and hash functions face a l key schemes like RSA and ECC. Symmetric cryptography and hash functions face a l
ower risk from Grover's <xref target="Grovers"/> algorithm, although the impact ower risk from Grover's algorithm <xref target="Grovers"/>, although the impact
is less severe and can typically be mitigated by doubling key and digest lengths is less severe and can typically be mitigated by doubling key and digest lengths
where the risk applies. It is crucial for the reader to understand that when th where the risk applies. It is crucial for the reader to understand that when "P
e word "PQC" is mentioned in the document, it means asymmetric cryptography (or QC" is mentioned in the document, it means asymmetric cryptography (or public ke
public key cryptography), and not any symmetric algorithms based on stream ciphe y cryptography) and not any symmetric algorithms based on stream ciphers, block
rs, block ciphers, hash functions, MACs, etc., which are less vulnerable to quan ciphers, hash functions, Message Authentication Codes (MACs), etc., which are le
tum computers. This document does not cover such topics as when traditional algo ss vulnerable to quantum computers. This document does not cover topics such as
rithms might become vulnerable (for that, see documents such as <xref target="QC when traditional algorithms might become vulnerable (for that, see documents suc
-DNS"/> and others).</t> h as <xref target="QC-DNS"/> and others).</t>
<t>This document does not cover unrelated technologies like quantum key di <t>This document does not cover unrelated technologies like quantum key di
stribution (QKD) or quantum key generation, which use quantum hardware to exploi stribution (QKD) or quantum key generation, which use quantum hardware to exploi
t quantum effects to protect communications and generate keys, respectively. PQC t quantum effects to protect communications and generate keys, respectively. PQC
is based on conventional math (not on quantum mechanics) and software and can b is based on conventional math (not on quantum mechanics) and software, and it c
e run on any general purpose computer.</t> an be run on any general-purpose computer.</t>
<t>This document does not go into the deep mathematics or technical specif <t>This document does not go into the deep mathematics or technical specif
ication of the PQC algorithms, but rather provides an overview to engineers on t ication of the PQC algorithms but rather provides an overview to engineers on th
he current threat landscape and the relevant algorithms designed to help prevent e current threat landscape and the relevant algorithms designed to help prevent
those threats. Also, the cryptographic and algorithmic guidance given in this d those threats. Also, the cryptographic and algorithmic guidance given in this do
ocument should be taken as non-authoritative if it conflicts with emerging and e cument should be taken as non-authoritative if it conflicts with emerging and ev
volving guidance from the IRTF's Crypto Forum Research Group (CFRG).</t> olving guidance from the IRTF's Crypto Forum Research Group (CFRG).</t>
</section> </section>
<section anchor="terminology"> <section anchor="terminology">
<name>Terminology</name> <name>Terminology</name>
<t>Quantum computer: A computer that performs computations using quantum-m <dl>
echanical phenomena such as superposition and entanglement.</t> <dt>Quantum computer:</dt>
<t>Physical qubit: The basic physical unit in a quantum computer, which is <dd>
prone to noise and errors.</t> <t>A computer that performs computations using quantum-mechanical phen
<t>Logical qubit: A fault-tolerant qubit constructed from multiple physica omena such as superposition and entanglement.</t>
l qubits using quantum error correction; it is the effective unit for reliable q </dd>
uantum computation.</t> <dt>Physical qubit:</dt>
<t>Post-Quantum Cryptography (PQC): Cryptographic algorithms designed to b <dd>
e secure against quantum and classical attacks.</t> <t>The basic physical unit in a quantum computer, which is prone to no
<t>Cryptographically Relevant Quantum Computer (CRQC): A quantum computer ise and errors.</t>
with sufficient logical qubits to break traditional asymmetric cryptographic alg </dd>
orithms (e.g., RSA or ECC) within a practical timeframe.</t> <dt>Logical qubit:</dt>
<t>Public Key Cryptography (also called Asymmetric Cryptography): A class <dd>
of cryptographic algorithms in which separate keys are used for encryption and d <t>A fault-tolerant qubit constructed from multiple physical qubits us
ecryption, or for signing and verification. Throughout this document, the terms ing quantum error correction; it is the effective unit for reliable quantum comp
Public Key Cryptography and Asymmetric Cryptography are used interchangeably.</t utation.</t>
> </dd>
<t>There is ongoing discussion about whether to use the term "post-quantum <dt>Post-Quantum Cryptography (PQC):</dt>
", "quantum ready", "quantum resistant", or "quantum secure", to describe algori <dd>
thms that resist CRQCs, and a consensus has not yet been reached. NIST has coine <t>Cryptographic algorithms designed to be secure against quantum and
d the term "post-quantum" to refer to the algorithms that participated in its co classical attacks.</t>
mpetition-like selection process; in this context, the term can be interpreted t </dd>
o mean "the set of algorithms that are designed to still be relevant after quan <dt>Cryptographically Relevant Quantum Computer (CRQC):</dt>
tum computers exist", and not a statement about their security. "Quantum resista <dd>
nt" or "quantum secure" is obviously the goal of these algorithms, however some <t>A quantum computer with sufficient logical qubits to break traditio
people have raised concerns that labelling a class of algorithms as "quantum res nal asymmetric cryptographic algorithms (e.g., RSA or ECC) within a practical ti
istant" or "quantum secure" could lead to confusion if one or more of those algo meframe.</t>
rithms are later found to be insecure or to not resist quantum computers as much </dd>
as theory predicted. "Quantum ready" is often used to refer to a solution -- de <dt>Public Key Cryptography (also called Asymmetric Cryptography):</dt>
vice, appliance, or software stack -- that has reached maturity with regards to <dd>
integration of these new cryptographic algorithms. That said, the authors recogn <t>A class of cryptographic algorithms in which separate keys are used
ize that there is great variability in how these terms are used. This document u for encryption and decryption or for signing and verification. Throughout this
ses any of these terms interchangeably to refer to such algorithms.</t> document, the terms Public Key Cryptography and Asymmetric Cryptography are used
<t>The terms "current," "state-of-the-art," and "ongoing," as used in this interchangeably.</t>
document, refer to work, research, investigations, deployments, or developments </dd>
that are applicable at the time of publication.</t> </dl>
<t>There is ongoing discussion about whether to use the term "post-quantum
", "quantum ready", "quantum resistant", or "quantum secure" to describe algorit
hms that resist CRQCs, and a consensus has not yet been reached. NIST has coined
the term "post-quantum" to refer to the algorithms that participated in its com
petition-like selection process; in this context, the term can be interpreted to
mean "the set of algorithms that are designed to still be relevant after quant
um computers exist" and not a statement about their security. "Quantum resistant
" or "quantum secure" is obviously the goal of these algorithms; however, some p
eople have raised concerns that labeling a class of algorithms as "quantum resis
tant" or "quantum secure" could lead to confusion if one or more of those algori
thms are later found to be insecure or to not resist quantum computers as much a
s theory predicted. "Quantum ready" is often used to refer to a solution -- devi
ce, appliance, or software stack -- that has reached maturity with regard to int
egration of these new cryptographic algorithms. That said, the authors recognize
that there is great variability in how these terms are used. This document uses
these terms interchangeably to refer to such algorithms.</t>
<t>In this document, the terms "current", "state-of-the-art", and "ongoing
" refer to work, research, investigations, deployments, or developments that are
applicable at the time of publication.</t>
</section> </section>
<section anchor="threat-of-crqcs-on-cryptography"> <section anchor="threat-of-crqcs-on-cryptography">
<name>Threat of CRQCs on Cryptography</name> <name>Threat of CRQCs on Cryptography</name>
<t>When considering the security risks associated with the ability of a qu antum computer to attack traditional cryptography, it is important to distinguis h between the impact on symmetric algorithms and public key ones. Dr. Peter Shor and Dr. Lov Grover developed two algorithms that changed the way the world thin ks of security under the presence of a CRQC.</t> <t>When considering the security risks associated with the ability of a qu antum computer to attack traditional cryptography, it is important to distinguis h between the impact on symmetric algorithms and public key ones. Dr. Peter Shor and Dr. Lov Grover developed two algorithms that changed the way the world thin ks of security under the presence of a CRQC.</t>
<t>Quantum computers are, by their nature, hybrids of classical and quantu m computational units. For example, Shor's algorithm consists of a combination o f quantum and classical computational steps. Thus, the term "quantum adversary" should be thought of as "quantum-enhanced adversary", meaning they have access t o both classical and quantum computational techniques.</t> <t>Quantum computers are, by their nature, hybrids of classical and quantu m computational units. For example, Shor's algorithm consists of a combination o f quantum and classical computational steps. Thus, the term "quantum adversary" should be thought of as "quantum-enhanced adversary", meaning they have access t o both classical and quantum computational techniques.</t>
<t>Despite that large-scale quantum computers do not yet exist to experime nt on, the theoretical properties of quantum computation are very well understoo d. This allows engineers and researchers to reason about the upper limits of qu antum-enhanced computation, and indeed to design cryptographic algorithms that a re resistant to any conceivable form of quantum cryptanalysis.</t> <t>Although large-scale quantum computers do not yet exist to experiment o n, the theoretical properties of quantum computation are very well understood. This allows engineers and researchers to reason about the upper limits of quantu m-enhanced computation and to design cryptographic algorithms that are resistant to any conceivable form of quantum cryptanalysis.</t>
<section anchor="symmetric"> <section anchor="symmetric">
<name>Symmetric Cryptography</name> <name>Symmetric Cryptography</name>
<t>For unstructured data such as symmetric encrypted data or cryptograph ic hashes, although CRQCs can search for specific solutions across all possible input combinations (e.g., Grover's algorithm), no quantum algorithm is known to break the underlying security properties of these classes of algorithms. Symmetr ic-key cryptography, which includes keyed primitives such as block ciphers (e.g. , AES) and message authentication mechanisms (e.g., HMAC-SHA256), relies on secr et keys shared between the sender and receiver and remains secure even in a post -quantum world. Symmetric cryptography also includes hash functions (e.g., SHA-2 56) that are used for secure message digesting without any shared key material. HMAC is a specific construction that utilizes a cryptographic hash function and a secret key shared between the sender and receiver to produce a message authent ication code.</t> <t>For unstructured data such as symmetric encrypted data or cryptograph ic hashes, although CRQCs can search for specific solutions across all possible input combinations (e.g., Grover's algorithm), no quantum algorithm is known to break the underlying security properties of these classes of algorithms. Symmetr ic-key cryptography, which includes keyed primitives such as block ciphers (e.g. , AES) and message authentication mechanisms (e.g., HMAC-SHA256), relies on secr et keys shared between the sender and receiver and remains secure even in a post -quantum world. Symmetric cryptography also includes hash functions (e.g., SHA-2 56) that are used for secure message digesting without any shared key material. Hashed Message Authentication Code (HMAC) is a specific construction that utiliz es a cryptographic hash function and a secret key shared between the sender and receiver to produce a message authentication code.</t>
<t>Grover's algorithm is a quantum search algorithm that provides a theo retical quadratic speedup for searching an unstructured database, compared to tr aditional search algorithms. <t>Grover's algorithm is a quantum search algorithm that provides a theo retical quadratic speedup for searching an unstructured database, compared to tr aditional search algorithms.
This has led to the common misconception that symmetric key lengths need to be d This has led to the common misconception that symmetric key lengths need to be d
oubled for quantum security. When you consider the mapping of hash values to the oubled for quantum security. When you consider the mapping of hash values to the
ir corresponding hash inputs (also known as pre-image), or of ciphertext blocks ir corresponding hash inputs (also known as pre-image) or of ciphertext blocks t
to the corresponding plaintext blocks, as an unstructured database, then Grover’ o the corresponding plaintext blocks as an unstructured database, then Grover's
s algorithm theoretically requires doubling the key sizes of the symmetric algor algorithm theoretically requires doubling the key sizes of the symmetric algorit
ithms that are currently deployed at the time of publication to counter the quad hms that are currently deployed at the time of publication to counter the quadra
ratic speedup and maintain current security level. This is because Grover’s algo tic speedup and maintain the current security level. This is because Grover's al
rithm reduces the amount of operations to break 128-bit symmetric cryptography t gorithm reduces the amount of operations to break 128-bit symmetric cryptography
o 2^{64} quantum operations, which might sound computationally feasible. However to 2<sup>{64}</sup> quantum operations, which might sound computationally feasi
, quantum operations are fundamentally different from classical ones as 2^{64} c ble. However, quantum operations are fundamentally different from classical ones
lassical operations can be efficiently parallelized, 2^{64} quantum operations m , as 2<sup>{64}</sup> classical operations can be efficiently parallelized but 2
ust be performed serially, making them infeasible on practical quantum computers <sup>{64}</sup> quantum operations must be performed serially, making them infea
.</t> sible on practical quantum computers.</t>
<t>Grover's algorithm is highly non-parallelizable and even if one deplo <t>Grover's algorithm is highly non-parallelizable and even if one deplo
ys 2^c computational units in parallel to brute-force a key using Grover's algor ys 2<sup>c</sup> computational units in parallel to brute-force a key using Grov
ithm, it will complete in time proportional to 2^{(128−c)/2}, or, put simply, us er's algorithm, it will complete in time proportional to 2<sup>{(128-c)/2}</sup>
ing 256 quantum computers will only reduce runtime by a factor of 16, 1024 quant , or, put simply, using 256 quantum computers will only reduce runtime by a fact
um computers will only reduce runtime by a factor of 32 and so forth (see <xref or of 16, 1024 quantum computers will only reduce runtime by a factor of 32, and
target="NIST"/> and <xref target="Cloudflare"/>). Due to this inherent limitatio so forth (see <xref target="NIST"/> and <xref target="Cloudflare"/>). Due to th
n, the general expert consensus is that AES-128 (Advanced Encryption Standard) r is inherent limitation, the general expert consensus is that AES-128 remains sec
emains secure in practice, and key sizes do not necessarily need to be doubled.< ure in practice and key sizes do not necessarily need to be doubled.</t>
/t> <t>It would be natural to ask whether future research will develop a sup
<t>It would be natural to ask whether future research will develop a sup erior algorithm that could outperform Grover's algorithm in the general case. Ho
erior algorithm that could outperform Grover's algorithm in the general case. Ho wever, Christof Zalka has shown that Grover's algorithm achieves the best possib
wever, Christof Zalka has shown that Grover's algorithm achieves the best possib le complexity for this type of search, meaning no significantly faster quantum a
le complexity for this type of search, meaning no significantly faster quantum a pproach is expected <xref target="Grover-Search"/>.</t>
pproach is expected <xref target="Grover-search"/></t> <t>Finally, in their evaluation criteria for PQC, NIST is assessing the
<t>Finally, in their evaluation criteria for PQC, NIST is assessing the security levels of proposed post-quantum algorithms by comparing them against th
security levels of proposed post-quantum algorithms by comparing them against th e equivalent traditional and quantum security of AES-128, AES-192, and AES-256.
e equivalent traditional and quantum security of AES-128, AES-192, and AES-256. This indicates that NIST is confident in the stable security properties of AES,
This indicates that NIST is confident in the stable security properties of AES, even in the presence of both traditional and quantum attacks. As a result, 128-b
even in the presence of both traditional and quantum attacks. As a result, 128-b it algorithms can be considered quantum-safe for the foreseeable future. However
it algorithms can be considered quantum-safe for the foreseeable future. However , for compliance purposes, some organizations, such as the French National Agenc
, for compliance purposes, some organizations, such as the French National Agenc y for the Security of Information Systems (ANSSI) <xref target="ANSSI"/> and the
y for the Security of Information Systems (ANSSI) <xref target="ANSSI"/> and CNS National Security Agency (NSA) (CNSA 2.0) <xref target="CNSA2-0"/>, recommend t
A 2.0 (Commercial National Security Algorithm Suite 2.0) <xref target="CNSA2-0"/ he use of AES-256.</t>
>, recommend the use of AES-256.</t>
</section> </section>
<section anchor="asymmetric-cryptography"> <section anchor="asymmetric-cryptography">
<name>Asymmetric Cryptography</name> <name>Asymmetric Cryptography</name>
<t>“Shor’s algorithm” efficiently solves the integer factorization probl <t>"Shor's algorithm" efficiently solves the integer factorization probl
em (and the related discrete logarithm problem), which underpin the foundations em (and the related discrete logarithm problem), which underpin the foundations
of the vast majority of public key cryptography that the world uses today. This of the vast majority of public key cryptography that the world uses today. This
implies that, if a CRQC is developed, today’s public key algorithms (e.g., RSA, implies that, if a CRQC is developed, today's public key algorithms (e.g., RSA,
Diffie-Hellman and elliptic curve cryptography, as well as less commonly-used va Diffie-Hellman, and ECC, as well as less commonly used variants such as ElGamal
riants such as ElGamal <xref target="RFC6090"/> and Schnorr signatures <xref tar <xref target="RFC6090"/> and Schnorr signatures <xref target="RFC8235"/>) and pr
get="RFC8235"/>) and protocols would need to be replaced by algorithms and proto otocols would need to be replaced by algorithms and protocols that can offer cry
cols that can offer cryptanalytic resistance against CRQCs. Note that Shor’s alg ptanalytic resistance against CRQCs. Note that Shor's algorithm cannot run solel
orithm cannot run solely on a classical computer, it requires a CRQC.</t> y on a classical computer; it requires a CRQC.</t>
<t>For example, studies show that, if a CRQC existed, it could break RSA <t>For example, studies show that, if a CRQC existed, it could break RSA
-2048 in hours or even seconds depending on assumptions about error correction < -2048 in hours or even seconds depending on assumptions about error correction <
xref target="RSAShor"/><xref target="RSA8HRS"/><xref target="RSA10SC"/>. While s xref target="RSAShor"/> <xref target="RSA8HRS"/> <xref target="RSA10SC"/>. While
uch machines are purely theoretical at the time of writing, this illustrates the such machines are purely theoretical at the time of writing, this illustrates t
eventual vulnerability of RSA to CRQCs.</t> he eventual vulnerability of RSA to CRQCs.</t>
<t>For structured data such as public keys and signatures, CRQCs can ful <t>For structured data such as public keys and signatures, CRQCs can ful
ly solve the underlying hard problems used in traditional cryptography (see Shor ly solve the underlying hard problems used in traditional cryptography (see Shor
's algorithm). Because an increase in the size of the key-pair would not provide 's algorithm). Because an increase in the size of the key pair would not provide
a secure solution (short of RSA keys that are many gigabytes in size <xref targ a secure solution (short of RSA keys that are many gigabytes in size <xref targ
et="PQRSA"/>), a complete replacement of the algorithm is needed. Therefore, pos et="PQRSA"/>), a complete replacement of the algorithm is needed. Therefore, pos
t-quantum public key cryptography must rely on problems that are different from t-quantum public key cryptography must rely on problems that are different from
the ones used in traditional public key cryptography (i.e., the integer factoriz the ones used in traditional public key cryptography (i.e., the integer factoriz
ation problem, the finite-field discrete logarithm problem, and the elliptic-cur ation problem, the finite-field discrete logarithm problem, and the elliptic-cur
ve discrete logarithm problem).</t> ve discrete logarithm problem).</t>
</section> </section>
<section anchor="quantum-side-channel-attacks"> <section anchor="quantum-side-channel-attacks">
<name>Quantum Side-channel Attacks</name> <name>Quantum Side-Channel Attacks</name>
<t>Cryptographic side-channel attacks exploit physical implementations, <t>Cryptographic side-channel attacks exploit physical implementations (
such as timing, power consumption, or electromagnetic leakage to recover secret such as timing, power consumption, or electromagnetic leakage) to recover secret
keys.</t> keys.</t>
<t>The field of cryptographic side-channel attacks potentially stands to <t>The field of cryptographic side-channel attacks potentially stands to
gain a boost in attacker power once cryptanalytic techniques can be enhanced wi gain a boost in attacker power once cryptanalytic techniques can be enhanced wi
th quantum computation techniques <xref target="QuantSide"/>. While a full discu th quantum computation techniques <xref target="QuantSide"/>. While a full discu
ssion of quantum side-channel techniques is beyond the scope of this document, i ssion of quantum side-channel techniques is beyond the scope of this document, i
mplementers of cryptographic hardware should be aware that current best-practice mplementers of cryptographic hardware should be aware that current best practice
s for side-channel resistance may not be sufficient against quantum adversaries. s for side-channel resistance may not be sufficient against quantum adversaries.
</t> </t>
</section> </section>
</section> </section>
<section anchor="traditional-cryptographic-primitives-that-could-be-replaced -by-pqc"> <section anchor="traditional-cryptographic-primitives-that-could-be-replaced -by-pqc">
<name>Traditional Cryptographic Primitives that Could Be Replaced by PQC</ <name>Traditional Cryptographic Primitives That Could Be Replaced by PQC</
name> name>
<t>Any asymmetric cryptographic algorithm based on integer factorization, <t>Any asymmetric cryptographic algorithm based on integer factorization,
finite field discrete logarithms, or elliptic curve discrete logarithms will be finite field discrete logarithms, or elliptic-curve discrete logarithms will be
vulnerable to attacks using Shor's algorithm on a CRQC. This document focuses on vulnerable to attacks using Shor's algorithm on a CRQC. This document focuses on
the principal functions of asymmetric cryptography:</t> the principal functions of asymmetric cryptography:</t>
<ul spacing="normal"> <dl>
<li> <dt>Key agreement and key transport:</dt>
<t>Key agreement and key transport: Key agreement schemes, typically r <dd>
eferred to as Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH), as we <t>Key agreement schemes, typically referred to as Diffie-Hellman (DH)
ll as key transport, typically using RSA encryption, are used to establish a sha or Elliptic Curve Diffie-Hellman (ECDH), as well as key transport, typically us
red cryptographic key for secure communication. They are one of the mechanisms t ing RSA encryption, are used to establish a shared cryptographic key for secure
hat can be replaced by PQC, as they are based on existing public key cryptograph communication. They are one of the mechanisms that can be replaced by PQC, as th
y and are therefore vulnerable to Shor's algorithm. A CRQC can employ Shor's alg ey are based on existing public key cryptography and are therefore vulnerable to
orithm to efficiently find the prime factors of a large public key (in the case Shor's algorithm. A CRQC can employ Shor's algorithm to efficiently find the pr
of RSA), which in turn can be exploited to derive the private key. In the case o ime factors of a large public key (in the case of RSA), which, in turn, can be e
f Diffie-Hellman, a CRQC has the potential to calculate the discrete logarithm o xploited to derive the private key. In the case of DH, a CRQC has the potential
f the (short or long-term) Diffie-Hellman public key. This, in turn, would revea to calculate the discrete logarithm of the (short- or long-term) DH public key.
l the secret required to derive the symmetric encryption key.</t> This, in turn, would reveal the secret required to derive the symmetric encrypti
</li> on key.</t>
<li> </dd>
<t>Digital signatures: Digital signature schemes are used to authentic <dt>Digital signatures:</dt>
ate the identity of a sender, detect unauthorized modifications to data, and und <dd>
erpin trust in a system. Similar to key agreement, signatures also depend on a p <t>Digital signature schemes are used to authenticate the identity of
ublic-private key pair based on the same mathematics as for key agreement and ke a sender, detect unauthorized modifications to data, and underpin trust in a sys
y transport, and hence a break in existing public key cryptography will also aff tem. Similar to key agreement, signatures also depend on a public-private key pa
ect traditional digital signatures, hence the importance of developing post-quan ir based on the same mathematics as for key agreement and key transport. Because
tum digital signatures.</t> of this, a break in existing public key cryptography will also affect tradition
</li> al digital signatures, hence the importance of developing post-quantum digital s
<li> ignatures.</t>
<t>BBS signatures: BBS (Boneh-Boyen-Shacham) signatures are a privacy- </dd>
preserving signature scheme that offers zero-knowledge proof-like properties by <dt>Boneh-Boyen-Shacham (BBS) signatures:</dt>
allowing selective disclosure of specific signed attributes without revealing th <dd>
e entire set of signed data. The security of BBS signatures relies on the hardne <t>BBS signatures are a privacy-preserving signature scheme that offer
ss of the discrete logarithm problem, making them vulnerable to Shor's algorithm s zero-knowledge proof-like properties by allowing selective disclosure of speci
. A CRQC can break the data authenticity security property of BBS but not the da fic signed attributes without revealing the entire set of signed data. The secur
ta confidentiality (Section 6.9 of <xref target="I-D.irtf-cfrg-bbs-signatures"/> ity of BBS signatures relies on the hardness of the discrete logarithm problem,
).</t> making them vulnerable to Shor's algorithm. A CRQC can break the data authentici
</li> ty security property of BBS but not the data confidentiality (<xref section="6.9
<li> " sectionFormat="of" target="I-D.irtf-cfrg-bbs-signatures"/>).</t>
<t>Content encryption: Content encryption typically refers to the encr </dd>
yption of the data using symmetric key algorithms, such as AES, to ensure confid <dt>Content encryption:</dt>
entiality. The threat to symmetric cryptography is discussed in <xref target="sy <dd>
mmetric"/>.</t> <t>Content encryption typically refers to the encryption of the data u
</li> sing symmetric key algorithms, such as AES, to ensure confidentiality. The threa
</ul> t to symmetric cryptography is discussed in <xref target="symmetric"/>.</t>
</dd>
</dl>
</section> </section>
<section anchor="nist-pqc-algorithms"> <section anchor="nist-pqc-algorithms">
<name>NIST PQC Algorithms</name> <name>NIST PQC Algorithms</name>
<t>At time of writing, NIST have standardized three PQC algorithms, with m ore expected to be standardised in the future (<xref target="NISTFINAL"/>). Thes e algorithms are not necessarily drop-in replacements for traditional asymmetric cryptographic algorithms. For instance, RSA <xref target="RSA"/> and ECC <xref target="RFC6090"/> can be used as both a key encapsulation method (KEM) and as a signature scheme, whereas there is currently no post-quantum algorithm that can perform both functions. When upgrading protocols, it is important to replace th e existing use of traditional algorithms with either a PQC KEM or a PQC signatur e method, depending on how the traditional algorithm was previously being used. Additionally, KEMs, as described in <xref target="KEMs"/>, present a different A PI than either key agreement or key transport primitives. As a result, they may require protocol-level or application-level changes in order to be incorporated. </t> <t>At the time of writing, NIST has standardized three PQC algorithms, wit h more expected to be standardized in the future (see <xref target="NISTFINAL"/> ). These algorithms are not necessarily drop-in replacements for traditional asy mmetric cryptographic algorithms. For instance, RSA <xref target="RSA"/> and ECC <xref target="RFC6090"/> can be used as both a KEM and a signature scheme, wher eas there is currently no post-quantum algorithm that can perform both functions . When upgrading protocols, it is important to replace the existing use of tradi tional algorithms with either a PQC KEM or a PQC signature method, depending on how the traditional algorithm was previously being used. Additionally, KEMs, as described in <xref target="KEMs"/>, present a different API than either key agre ement or key transport primitives. As a result, they may require protocol-level or application-level changes in order to be incorporated.</t>
<section anchor="nist-candidates-selected-for-standardization"> <section anchor="nist-candidates-selected-for-standardization">
<name>NIST Candidates Selected for Standardization</name> <name>NIST Candidates Selected for Standardization</name>
<section anchor="pqc-key-encapsulation-mechanisms-kems"> <section anchor="pqc-key-encapsulation-mechanisms-kems">
<name>PQC Key Encapsulation Mechanisms (KEMs)</name> <name>PQC Key Encapsulation Mechanisms (KEMs)</name>
<ul spacing="normal"> <dl>
<li> <dt>ML-KEM:</dt>
<t><xref target="ML-KEM"/>: Module-Lattice-based Key-Encapsulation <dd>
Mechanism Standard (FIPS-203).</t> <t>Module-Lattice-Based Key-Encapsulation Mechanism. See FIPS 203
</li> <xref target="ML-KEM"/>.</t>
<li> </dd>
<t><xref target="HQC"/>: Hamming Quasi-Cyclic coding algorithm whi <dt>HQC:</dt>
ch is based on the hardness of the syndrome decoding problem for quasi-cyclic co <dd>
ncatenated Reed-Muller and Reed-Solomon (RMRS) codes in the Hamming metric. Reed <t>Hamming Quasi-Cyclic. See <xref target="HQC"/>. The coding algo
-Muller (RM) codes are a class of block error-correcting codes commonly used in rithm based on the hardness of the syndrome decoding problem for quasi-cyclic co
wireless and deep-space communications, while Reed-Solomon (RS) codes are widely ncatenated Reed-Muller and Reed-Solomon (RMRS) codes in the Hamming metric. Reed
used to detect and correct multiple-bit errors. HQC has been selected as part o -Muller (RM) codes are a class of block error-correcting codes commonly used in
f the NIST post-quantum cryptography project but has not yet been standardized.< wireless and deep-space communications, while Reed-Solomon (RS) codes are widely
/t> used to detect and correct multiple-bit errors. HQC has been selected as part o
</li> f the NIST post-quantum cryptography project but has not yet been standardized.<
</ul> /t>
</dd>
</dl>
</section> </section>
<section anchor="pqc-signatures"> <section anchor="pqc-signatures">
<name>PQC Signatures</name> <name>PQC Signatures</name>
<ul spacing="normal"> <dl>
<li> <dt>ML-DSA:</dt>
<t><xref target="ML-DSA"/>: Module-Lattice-Based Digital Signature <dd>
Standard (FIPS-204).</t> <t>Module-Lattice-Based Digital Signature Algorithm. See FIPS 204
</li> <xref target="ML-DSA"/>.</t>
<li> </dd>
<t><xref target="SLH-DSA"/>: Stateless Hash-Based Digital Signatur <dt>SLH-DSA:</dt>
e (FIPS-205).</t> <dd>
</li> <t>Stateless Hash-Based Digital Signature Algorithm. See FIPS 205
<li> <xref target="SLH-DSA"/>.</t>
<t><xref target="FN-DSA"/>: FN-DSA is a lattice signature scheme ( </dd>
FIPS-206) (<xref target="lattice-based"/> and <xref target="sig-scheme"/>).</t> <dt>FN-DSA:</dt>
</li> <dd>
</ul> <t>Fast-Fourier Transform over NTRU-Lattice-Based Digital Signatur
e Algorithm. See <xref target="FN-DSA"/>; note that NIST has named this algorith
m "FN-DSA" and assigned "FIPS 206" for its specification, but at the time of thi
s document's publication, it has not yet been released.</t>
</dd>
</dl>
<t>For more information about these, see Sections <xref target="lattic
e-based" format="counter"/>, <xref target="hash-based" format="counter"/>, and <
xref target="sig-scheme" format="counter"/>.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="iso-candidates-selected-for-standardization"> <section anchor="iso-candidates-selected-for-standardization">
<name>ISO Candidates Selected for Standardization</name> <name>ISO Candidates Selected for Standardization</name>
<t>At the time of writing, ISO has selected three PQC KEM algorithms as ca ndidates for standardization, which are mentioned in the following subsection.</ t> <t>At the time of writing, ISO has selected three PQC KEM algorithms as ca ndidates for standardization; these are mentioned in the following subsection.</ t>
<section anchor="pqc-key-encapsulation-mechanisms-kems-1"> <section anchor="pqc-key-encapsulation-mechanisms-kems-1">
<name>PQC Key Encapsulation Mechanisms (KEMs)</name> <name>PQC Key Encapsulation Mechanisms (KEMs)</name>
<ul spacing="normal"> <dl>
<li> <dt>FrodoKEM:</dt>
<t><xref target="FrodoKEM"/>: Key Encapsulation mechanism based on t <dd>
he hardness of learning with errors in algebraically unstructured lattices.</t> <t>KEM based on the hardness of learning with errors in algebraicall
</li> y unstructured lattices. See <xref target="FrodoKEM"/>.</t>
<li> </dd>
<t><xref target="ClassicMcEliece"/>: Based on the hardness of syndro <dt>ClassicMcEliece:</dt>
me decoding of Goppa codes. Goppa codes are a class of error-correcting codes th <dd>
at can correct a certain number of errors in a transmitted message. The decoding <t>KEM based on the hardness of syndrome decoding of Goppa codes. Go
problem involves recovering the original message from the received noisy codewo ppa codes are a class of error-correcting codes that can correct a certain numbe
rd.</t> r of errors in a transmitted message. The decoding problem involves recovering t
</li> he original message from the received noisy codeword. See <xref target="ClassicM
<li> cEliece"/>.</t>
<t><xref target="NTRU"/>: Key encapsulation mechanism based on the " </dd>
N-th degree Truncated polynomial Ring Units" (NTRU) lattices. Variants include S <dt>NTRU:</dt>
treamlined NTRU Prime (sntrup761), which is leveraged for use in SSH <xref targe <dd>
t="I-D.ietf-sshm-ntruprime-ssh"/>.</t> <t>KEM based on the "N-th degree Truncated polynomial Ring Units" (N
</li> TRU) lattices. Variants include Streamlined NTRU Prime (sntrup761), which is lev
</ul> eraged for use in SSH <xref target="RFC9941"/>. See <xref target="NTRU"/>.</t>
</dd>
</dl>
</section> </section>
</section> </section>
<section anchor="timeline"> <section anchor="timeline">
<name>Timeline for Transition</name> <name>Timeline for Transition</name>
<t>The timeline, and driving motivation for transition differs slightly be tween data confidentiality (e.g., encryption) and data authentication (e.g., sig nature) use-cases.</t> <t>The timeline and driving motivation for transition differ slightly betw een data confidentiality (e.g., encryption) and data authentication (e.g., signa ture) use cases.</t>
<t>For data confidentiality, one is concerned with the so-called "harvest now, decrypt later" (HNDL) attack where a malicious actor with adequate resource s can launch an attack to store sensitive encrypted data today that they hope to decrypt once a CRQC is available. This implies that, every day, sensitive encry pted data is susceptible to the attack by not implementing quantum-safe strategi es, as it corresponds to data possibly being deciphered in the future.</t> <t>For data confidentiality, one is concerned with the so-called "harvest now, decrypt later" (HNDL) attack where a malicious actor with adequate resource s can launch an attack to store sensitive encrypted data today that they hope to decrypt once a CRQC is available. This implies that, every day, sensitive encry pted data is susceptible to the attack by not implementing quantum-safe strategi es, as it corresponds to data possibly being deciphered in the future.</t>
<t>For authentication, it is often the case that signatures have a very sh ort lifetime between signing and verifying (such as during a TLS handshake) but some authentication use-cases do require long lifetimes, such as signing firmwar e or software that will be active for decades, signing legal documents, or signi ng certificates that will be embedded into hardware devices such as smartcards. Even for short-lived signatures use cases, the infrastructure often relies on lo ng-lived root keys which can be difficult to update or replace on in-field devic es.</t> <t>For authentication, it is often the case that signatures have a very sh ort lifetime between signing and verifying (such as during a TLS handshake), but some authentication use cases do require long lifetimes, such as signing firmwa re or software that will be active for decades, signing legal documents, or sign ing certificates that will be embedded into hardware devices such as smart cards . Even for short-lived signature use cases, the infrastructure often relies on l ong-lived root keys, which can be difficult to update or replace on in-field dev ices.</t>
<figure anchor="Mosca"> <figure anchor="Mosca">
<name>Mosca model</name> <name>Mosca Model</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="160" width="448" viewBox="0 0 448 160" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="160" width="448" viewBox="0 0 448 160" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,32 L 8,128" fill="none" stroke="black"/> <path d="M 8,32 L 8,128" fill="none" stroke="black"/>
<path d="M 208,32 L 208,80" fill="none" stroke="black"/> <path d="M 208,32 L 208,80" fill="none" stroke="black"/>
<path d="M 296,80 L 296,128" fill="none" stroke="black"/> <path d="M 296,80 L 296,128" fill="none" stroke="black"/>
<path d="M 440,32 L 440,80" fill="none" stroke="black"/> <path d="M 440,32 L 440,80" fill="none" stroke="black"/>
<path d="M 8,32 L 440,32" fill="none" stroke="black"/> <path d="M 8,32 L 440,32" fill="none" stroke="black"/>
<path d="M 8,80 L 440,80" fill="none" stroke="black"/> <path d="M 8,80 L 440,80" fill="none" stroke="black"/>
<path d="M 312,96 L 440,96" fill="none" stroke="black"/> <path d="M 312,96 L 440,96" fill="none" stroke="black"/>
<path d="M 8,128 L 296,128" fill="none" stroke="black"/> <path d="M 8,128 L 296,128" fill="none" stroke="black"/>
skipping to change at line 255 skipping to change at line 327
| | | | | |
| y | x | | y | x |
+------------------------+----------+-----------------+ +------------------------+----------+-----------------+
| | <---------------> | | <--------------->
| z | Security gap | z | Security gap
+-----------------------------------+ +-----------------------------------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>These challenges are illustrated nicely by the so-called Mosca model di <t>These challenges are illustrated nicely by the so-called Mosca model di
scussed in <xref target="Threat-Report"/>. In <xref target="Mosca"/>, "x" denote scussed in <xref target="Threat-Report"/>. In <xref target="Mosca"/>, "x" denote
s the time that systems and data need to remain secure, "y" the number of years s the time that systems and data need to remain secure, "y" the number of years
to fully migrate to a PQC infrastructure, and "z" the time until a CRQC that can to fully migrate to a PQC infrastructure, and "z" the time until a CRQC that can
break current cryptography is available. The model assumes either that encrypte break current cryptography is available. The model assumes either that encrypte
d data can be intercepted and stored before the migration is completed in "y" ye d data can be intercepted and stored before the migration is completed in "y" ye
ars, or that signatures will still be relied upon for "x" years after their crea ars, or that signatures will still be relied upon for "x" years after their crea
tion. This data remains vulnerable for the complete "x" years of their lifetime, tion. This data remains vulnerable for the complete "x" years of their lifetime;
thus the sum "x+y" gives us an estimate of the full timeframe that data remain thus, the sum "x+y" gives us an estimate of the full timeframe that data remain
insecure. The model essentially asks how one is preparing IT systems during thos s insecure. The model essentially asks how one is preparing IT systems during th
e "y" years (in other words, how one can minimize those "y" years) to minimize t ose "y" years (in other words, how one can minimize those "y" years) to minimize
he transition phase to a PQC infrastructure and hence minimize the risks of data the transition phase to a PQC infrastructure and hence minimize the risks of da
being exposed in the future.</t> ta being exposed in the future.</t>
<t>Finally, other factors that could accelerate the introduction of a CRQC <t>Finally, other factors that could accelerate the introduction of a CRQC
should not be under-estimated, like for example faster-than-expected advances i should not be underestimated, for example, faster-than-expected advances in qua
n quantum computing and more efficient versions of Shor’s algorithm requiring fe ntum computing and more efficient versions of Shor's algorithm requiring fewer q
wer qubits. Innovation often comes in waves, so it is to the industry’s benefit ubits. Innovation often comes in waves, so it is to the industry's benefit to re
to remain vigilant and prepare as early as possible. Bear in mind also that whil main vigilant and prepare as early as possible. Also, bear in mind that while th
e the industry tracks advances from public research institutions such as univers e industry tracks advances from public research institutions such as universitie
ities and companies that publish their results, there is also a great deal of la s and companies that publish their results, there is also a great deal of large-
rge-budget quantum research being conducted privately by various national intere budget quantum research being conducted privately by various national interests.
sts. Therefore, the true state of quantum computer advancement is likely several Therefore, the true state of quantum computer advancement is likely several yea
years ahead of the publicly available research at the date this is published.</ rs ahead of the publicly available research at the date this document is publish
t> ed.</t>
<t>Organizations should also consider carefully and honestly what their mi <t>Organizations should also carefully and honestly consider what their mi
gration timeline "y" actually is. If you think only of the time between receivin gration timeline "y" actually is. If you only think of the time between receivin
g a patch from your technology vendor, and rolling that patch out, then "y" migh g a patch from your technology vendor and rolling that patch out, then "y" might
t seem as short as a few weeks. However, this represents the minority of migrati seem as short as a few weeks. However, this represents the minority of migratio
on cases; more often, a PQC migration will involve at least some amount of hardw n cases; more often, a PQC migration will involve at least some amount of hardwa
are replacement. For example, performance-sensitive applications will need CPUs re replacement. For example, performance-sensitive applications will need CPUs w
with PQC hardware acceleration. Security-sensitive applications will need PQC TP ith PQC hardware acceleration. Security-sensitive applications will need PQC TPM
Ms, TEEs, Secure Enclaves, and other cryptographic co-processors. Smartcard appl s, Trusted Execution Environments (TEEs), secure enclaves, and other cryptograph
ications will require replacement of the cards as well as of the readers which c ic co-processors. Smart card applications will require replacement of the cards
an come in many form-factors: tap-for-entry door and turnstile readers, PIN pad and readers. The readers can come in many form factors: tap-for-entry door and t
machines, laptops with built-in smartcard readers, and many others.</t> urnstile readers, PIN pad machines, laptops with built-in smart card readers, an
<t>Included in "y" is not only the deployment time, but also preparation t d many others.</t>
ime: integration, testing, auditing, and re-certification of cryptographic envir <t>Included in "y" is not only the deployment time but also the preparatio
onments. Consider also upstream effects that contribute to "y", including lead-t n time: integration, testing, auditing, and recertification of cryptographic env
imes for your vendors to produce PQC-ready products, which may itself include au ironments. Also consider upstream effects that contribute to "y", including lead
diting and certification delays, time for regulating bodies to adopt PQC policie times for vendors to produce PQC-ready products, which may itself include audit
s, time for auditors to become familiar with the new requirements, etc. If you m ing and certification delays, time for regulating bodies to adopt PQC policies,
easure the full migration time "y" from when your vendors begin implementing PQC time for auditors to become familiar with the new requirements, etc. If you meas
functionality, to when you switch off your last non-PQC-capable device, then "y ure the full migration time "y" from when your vendors begin implementing PQC fu
" can be quite long; likely measured in years for even most moderately-sized org nctionality to when you switch off your last non-PQC-capable device, then "y" ca
anizations, this long tail should not discourage early action.</t> n be quite long, likely measured in years for even most moderately sized organiz
<t>Organizations responsible for protecting long-lived sensitive data or o ations. This long tail should not discourage early action.</t>
perating critical infrastructure will need to begin transitioning immediately, p <t>Organizations responsible for protecting long-lived sensitive data or o
articularly in scenarios where data is vulnerable to HNDL attacks. PQ/T <xref ta perating critical infrastructure will need to begin transitioning immediately, p
rget="PQT"/> or PQ key exchange is relatively self-contained, typically requirin articularly in scenarios where data is vulnerable to HNDL attacks. Post-quantum
g changes only to the cryptographic library (e.g., OpenSSL). In contrast, migrat and traditional (PQ/T) <xref target="PQT"/> or PQ key exchange is relatively sel
ing to post-quantum or PQ/T digital signatures involves broader ecosystem change f-contained, typically requiring changes only to the cryptographic library (e.g.
s, including updates to certificates, CAs, Certificate Management Protocols, HSM , OpenSSL). In contrast, migrating to post-quantum or PQ/T digital signatures in
s, and trust anchors. volves broader ecosystem changes, including updates to certificates, certificate
authorities (CAs), Certificate Management Protocols, HSMs, and trust anchors.
Starting early with hybrid key exchange deployments allows organizations to gain operational experience, while prototyping and planning for PQ/T or PQ digital s ignature integration helps identify ecosystem-wide impacts early. This phased ap proach reduces long-term migration risks and ensures readiness for more complex updates.</t> Starting early with hybrid key exchange deployments allows organizations to gain operational experience, while prototyping and planning for PQ/T or PQ digital s ignature integration helps identify ecosystem-wide impacts early. This phased ap proach reduces long-term migration risks and ensures readiness for more complex updates.</t>
</section> </section>
<section anchor="pqc-categories"> <section anchor="pqc-categories">
<name>PQC Categories</name> <name>PQC Categories</name>
<t>The post-quantum cryptographic schemes standardized by NIST can be cate gorized into three main groups: lattice-based, hash-based, and code-based. Other approaches, such as isogeny-based, multivariate-based, and MPC-in-the-Head-base d cryptography, are also being explored in research and standardization efforts. In addition, NIST issued a call for additional digital signature proposals to e xpand the set of post-quantum signatures under evaluation <xref target="AddSig"/ >.</t> <t>The post-quantum cryptographic schemes standardized by NIST can be cate gorized into three main groups: lattice-based, hash-based, and code-based. Other approaches, such as isogeny-based, multivariate-based, and MPC-in-the-Head-base d cryptography, are also being explored in research and standardization efforts. In addition, NIST issued a call for additional digital signature proposals to e xpand the set of post-quantum signatures under evaluation <xref target="AddSig"/ >.</t>
<section anchor="lattice-based"> <section anchor="lattice-based">
<name>Lattice-Based Public Key Cryptography</name> <name>Lattice-Based Public Key Cryptography</name>
<t>Lattice-based public key cryptography leverages the simple constructi on of lattices (i.e., a regular collection of points in a Euclidean space that a re evenly spaced) to create "trapdoor" problems. These problems are efficient to compute if you possess the secret information but challenging to compute otherw ise. Examples of such problems include the shortest vector, closest vector, shor t integer solution, learning with errors, module learning with errors, and learn ing with rounding problems. All of these problems feature strong proofs for wors t-to-average case reduction, effectively relating the hardness of the average ca se to the worst case.</t> <t>Lattice-based public key cryptography leverages the simple constructi on of lattices (i.e., a regular collection of points in a Euclidean space that a re evenly spaced) to create "trapdoor" problems. These problems are efficient to compute if you possess the secret information but challenging to compute otherw ise. Examples of such problems include the shortest vector, closest vector, shor t integer solution, learning with errors, module learning with errors, and learn ing with rounding problems. All of these problems feature strong proofs for wors t-to-average case reduction, effectively relating the hardness of the average ca se to the worst case.</t>
<t>Lattice-based public keys and signatures are larger than those of cla <t>Lattice-based public keys and signatures are larger than those of cla
ssical schemes such as RSA or ECC, but typically by less than an order of magnit ssical schemes such as RSA or ECC, but typically by less than an order of magnit
ude for public keys (about 6–10×) and by roughly one to two orders of magnitude ude for public keys (about 6-10x) and by roughly one to two orders of magnitude
for signatures (about 10–100×), rather than by several orders of magnitude, maki for signatures (about 10-100x) rather than by several orders of magnitude, makin
ng them the best available candidates for general-purpose use such as replacing g them the best available candidates for general-purpose use, such as replacing
the use of RSA in PKIX certificates.</t> the use of RSA in PKIX certificates.</t>
<t>Examples of this class of algorithms include ML-KEM, FN-DSA, ML-DSA a <t>Examples of this class of algorithms include ML-KEM, FN-DSA, ML-DSA,
nd FrodoKEM.</t> and FrodoKEM.</t>
<t>It is noteworthy that lattice-based encryption schemes require a roun <t>It is noteworthy that lattice-based encryption schemes require a roun
ding step during decryption which has a non-zero probability of "rounding the wr ding step during decryption, which has a non-zero probability of "rounding the w
ong way" and leading to a decryption failure, meaning that valid encryptions are rong way" and leading to a decryption failure, meaning that valid encryptions ar
decrypted incorrectly. However, the parameters of NIST PQC candidates are caref e decrypted incorrectly. However, the parameters of NIST PQC candidates are care
ully chosen so that the probability of such a failure is cryptographically negli fully chosen so that the probability of such a failure is cryptographically negl
gible, far lower than the probability of random transmission errors and implemen igible, far lower than the probability of random transmission errors and impleme
tation bugs. In practical terms, these rare decryption failures can be treated t ntation bugs. In practical terms, these rare decryption failures can be treated
he same way as any fatal transport error: both sides simply perform a fresh KEM the same way as any fatal transport error: Both sides simply perform a fresh KEM
operation, generating a new ciphertext and shared secret.</t> operation, generating a new ciphertext and shared secret.</t>
<t>In cryptanalysis, an oracle refers to a system that an attacker can q <t>In cryptanalysis, an oracle refers to a system that an attacker can q
uery to learn whether decryption succeeded or failed. If such an oracle exists, uery to learn whether decryption succeeded or failed. If such an oracle exists,
an attacker could significantly reduce the security of lattice-based schemes tha an attacker could significantly reduce the security of lattice-based schemes tha
t have a relatively high failure rate. However, for most of the NIST PQC proposa t have a relatively high failure rate. However, for most of the NIST PQC proposa
ls, the number of required oracle queries to force a decryption failure is above ls, the number of required oracle queries to force a decryption failure is above
practical limits, as has been shown in <xref target="LattFail1"/>. More recent practical limits, as shown in <xref target="LattFail1"/>. More recent works hav
works have improved upon the results in <xref target="LattFail1"/>, showing that e improved upon the results in <xref target="LattFail1"/>, showing that the cost
the cost of searching for additional failing ciphertexts after one or more have of searching for additional failing ciphertexts after one or more have already
already been found, can be sped up dramatically <xref target="LattFail2"/>. Nev been found can be sped up dramatically <xref target="LattFail2"/>. Nevertheless,
ertheless, at the time this document is published, the PQC candidates by NIST ar at the time this document is published, the PQC candidates by NIST are consider
e considered secure under these attacks and constant monitoring as cryptanalysis ed secure under these attacks, and constant monitoring as cryptanalysis research
research is ongoing.</t> is ongoing.</t>
</section> </section>
<section anchor="hash-based"> <section anchor="hash-based">
<name>Hash-Based Public Key Cryptography</name> <name>Hash-Based Public Key Cryptography</name>
<t>Hash based PKC has been around since the 1970s, when it was developed <t>Hash-based Public Key Cryptography (PKC) has been around since the 19
by Lamport and Merkle. It is used to create digital signature algorithms and it 70s, when it was developed by Lamport and Merkle. It is used to create digital s
s security is based on the security of the underlying cryptographic hash functio ignature algorithms, and its security is based on the security of the underlying
n. Many variants of hash-based signatures (HBS) have been developed since the 70 cryptographic hash function. Many variants of hash-based signatures (HBSs) have
s including the recent XMSS <xref target="RFC8391"/>, HSS/LMS <xref target="RFC8 been developed since the 1970s, including the recent XMSS <xref target="RFC8391
554"/> or BPQS <xref target="BPQS"/> schemes. Unlike many other digital signatur "/>, HSS/LMS <xref target="RFC8554"/>, or BPQS <xref target="BPQS"/> schemes. Un
e techniques, most hash-based signature schemes are stateful, which means that s like many other digital signature techniques, most hash-based signature schemes
igning necessitates the update and careful tracking of the state of the secret k are stateful, which means that signing necessitates the update and careful track
ey. Producing multiple signatures using the same secret key state results in los ing of the state of the secret key. Producing multiple signatures using the same
s of security and may ultimately enable signature forgery attacks against that k secret key state results in loss of security and may ultimately enable signatur
ey.</t> e forgery attacks against that key.</t>
<t>Stateful hash-based signatures with long service lifetimes require ad <t>Stateful hash-based signatures with long service lifetimes require ad
ditional operational complexity compared with other signature types. For example ditional operational complexity compared to other signature types. For example,
, consider a 20-year root key; there is an expectation that 20 years is longer t consider a 20-year root key; there is an expectation that 20 years is longer tha
han the expected lifetime of the hardware that key is stored on, and therefore t n the expected lifetime of the hardware that key is stored on, so the key will n
he key will need to be migrated to new hardware at some point. Disaster-recovery eed to be migrated to new hardware at some point. Disaster-recovery scenarios wh
scenarios where the primary node fails without warning can be similarly tricky. ere the primary node fails without warning can be similarly tricky. This require
This requires careful operational and compliance consideration to ensure that n s careful operational and compliance consideration to ensure that no private key
o private key state can be reused across the migration or disaster recovery even state can be reused across the migration or disaster recovery event. One approa
t. One approach for avoiding these issues is to only use stateful HBS for short- ch for avoiding these issues is to only use stateful HBSs for short-term use cas
term use cases that do not require horizontal scaling, for example signing a bat es that do not require horizontal scaling, for example, signing a batch of firmw
ch of firmware images and then retiring the signing key.</t> are images and then retiring the signing key.</t>
<t>The SLH-DSA algorithm, which was standardized by NIST, leverages the <t>The SLH-DSA algorithm, which was standardized by NIST, leverages the
HORST (hash to obtain random subset with trees) technique and remains the only s HORST (Hash to Obtain Random Subset with Trees) technique and remains the only s
tandardized hash based signature scheme that is stateless, thus avoiding the com tandardized hash based signature scheme that is stateless, thus avoiding the com
plexities associated with state management. SLH-DSA is an advancement on SPHINCS plexities associated with state management. SLH-DSA is an advancement on SPHINCS
which reduces the signature sizes in SPHINCS and makes it more compact.</t> that reduces the signature sizes in SPHINCS and makes it more compact.</t>
</section> </section>
<section anchor="code-based"> <section anchor="code-based">
<name>Code-Based Public Key Cryptography</name> <name>Code-Based Public Key Cryptography</name>
<t>This area of cryptography started in the 1970s and 80s based on the s <t>This area of cryptography started in the 1970s and 1980s and was base
eminal work of McEliece and Niederreiter which focuses on the study of cryptosys d on the seminal work of McEliece and Niederreiter, which focuses on the study o
tems based on error-correcting codes. Some popular error correcting codes includ f cryptosystems based on error-correcting codes. Some popular error-correcting c
e Goppa codes (used in McEliece cryptosystems), encoding and decoding syndrome c odes include Goppa codes (used in McEliece cryptosystems), encoding and decoding
odes used in Hamming quasi-cyclic (HQC), or quasi-cyclic moderate density parity syndrome codes used in HQC, or quasi-cyclic moderate density parity check (QC-M
check (QC-MDPC) codes.</t> DPC) codes.</t>
<t>Examples include all the unbroken NIST Round 4 finalists: Classic McE <t>Examples include all the unbroken NIST Round 4 finalists: Classic McE
liece, HQC (selected by NIST for standardization), and <xref target="BIKE"/>.</t liece, HQC (selected by NIST for standardization), and Bit Flipping Key Encapsul
> ation (BIKE) <xref target="BIKE"/>.</t>
</section> </section>
</section> </section>
<section anchor="KEMs"> <section anchor="KEMs">
<name>KEMs</name> <name>KEMs</name>
<t>A Key Encapsulation Mechanism (KEM) is a cryptographic technique used f or securely exchanging symmetric key material between two parties over an insecu re channel. It is commonly used in hybrid encryption schemes, where a combinatio n of asymmetric (public key) and symmetric encryption is employed. The KEM encap sulation results in a fixed-length symmetric key that can be used with a symmetr ic algorithm, typically a block cipher, in one of two different ways:</t> <t>A Key Encapsulation Mechanism (KEM) is a cryptographic technique used f or securely exchanging symmetric key material between two parties over an insecu re channel. It is commonly used in hybrid encryption schemes where a combination of asymmetric (public key) and symmetric encryption is employed. The encapsulat ion operation of a KEM results in a fixed-length symmetric key that can be used with a symmetric algorithm, typically a block cipher, in one of two different wa ys:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>Derive a data encryption key (DEK) to encrypt the data</t> <t>To derive a data encryption key (DEK) to encrypt the data</t>
</li> </li>
<li> <li>
<t>Derive a key encryption key (KEK) used to wrap a DEK</t> <t>To derive a key encryption key (KEK) used to wrap a DEK</t>
</li> </li>
</ul> </ul>
<t>These techniques are often referred to as "hybrid public key encryption <t>These techniques are often referred to as the Hybrid Public Key Encrypt
(HPKE)" <xref target="RFC9180"/> mechanism.</t> ion (HPKE) <xref target="RFC9180"/> mechanism.</t>
<t>The term "encapsulation" is chosen intentionally to indicate that KEM a <t>The term "encapsulation" is chosen intentionally to indicate that KEM a
lgorithms behave differently at the API level from the key agreement or key enci lgorithms behave differently at the API level from the key agreement or key enci
pherment / key transport mechanisms that are in use today. Key agreement schemes pherment and key transport mechanisms that are in use today. Key agreement schem
imply that both parties contribute a public / private key pair to the exchange, es imply that both parties contribute a public-private key pair to the exchange,
while key encipherment / key transport schemes imply that the symmetric key mat while key encipherment and key transport schemes imply that the symmetric key m
erial is chosen by one party and "encrypted" or "wrapped" for the other party. K aterial is chosen by one party and "encrypted" or "wrapped" for the other party.
EMs, on the other hand, behave according to the following API primitives <xref t KEMs, on the other hand, behave according to the following API primitives <xref
arget="PQCAPI"/>:</t> target="PQCAPI"/>:</t>
<ul spacing="normal"> <ul spacing="normal">
<li> <li>
<t>def kemKeyGen() -&gt; (pk, sk)</t> <t>def kemKeyGen() -&gt; (pk, sk)</t>
</li> </li>
<li> <li>
<t>def kemEncaps(pk) -&gt; (ss, ct)</t> <t>def kemEncaps(pk) -&gt; (ss, ct)</t>
</li> </li>
<li> <li>
<t>def kemDecaps(ct, sk) -&gt; ss</t> <t>def kemDecaps(ct, sk) -&gt; ss</t>
</li> </li>
</ul> </ul>
<t>where <tt>pk</tt> is the public key, <tt>sk</tt> is the secret key, <tt >ct</tt> is the ciphertext representing an encapsulated key, and <tt>ss</tt> is the shared secret. The following figure illustrates a sample flow of a KEM-based key exchange:</t> <t>where <tt>pk</tt> is the public key, <tt>sk</tt> is the secret key, <tt >ct</tt> is the ciphertext representing an encapsulated key, and <tt>ss</tt> is the shared secret. The following figure illustrates a sample flow of a KEM-based key exchange:</t>
<figure anchor="tab-kem-ke"> <figure anchor="tab-kem-ke">
<name>KEM based key exchange</name> <name>KEM-Based Key Exchange</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="336" width="536" viewBox="0 0 536 336" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1 .1" height="336" width="536" viewBox="0 0 536 336" class="diagram" text-anchor=" middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,272 L 8,304" fill="none" stroke="black"/> <path d="M 8,272 L 8,304" fill="none" stroke="black"/>
<path d="M 24,80 L 24,112" fill="none" stroke="black"/> <path d="M 24,80 L 24,112" fill="none" stroke="black"/>
<path d="M 184,32 L 184,64" fill="none" stroke="black"/> <path d="M 184,32 L 184,64" fill="none" stroke="black"/>
<path d="M 208,80 L 208,112" fill="none" stroke="black"/> <path d="M 208,80 L 208,112" fill="none" stroke="black"/>
<path d="M 208,272 L 208,304" fill="none" stroke="black"/> <path d="M 208,272 L 208,304" fill="none" stroke="black"/>
<path d="M 224,72 L 224,320" fill="none" stroke="black"/> <path d="M 224,72 L 224,320" fill="none" stroke="black"/>
<path d="M 264,32 L 264,64" fill="none" stroke="black"/> <path d="M 264,32 L 264,64" fill="none" stroke="black"/>
<path d="M 280,32 L 280,64" fill="none" stroke="black"/> <path d="M 280,32 L 280,64" fill="none" stroke="black"/>
skipping to change at line 388 skipping to change at line 460
|<----------| |<----------|
+------------------------+ | | +------------------------+ | |
| ss = kemDecaps(ct, sk) |-| | | ss = kemDecaps(ct, sk) |-| |
+------------------------+ | | +------------------------+ | |
| | | |
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<section anchor="authenticated-key-exchange"> <section anchor="authenticated-key-exchange">
<name>Authenticated Key Exchange</name> <name>Authenticated Key Exchange</name>
<t>Authenticated Key Exchange (AKE) with KEMs where both parties contrib ute a KEM public key to the overall session key is interactive as described in S ection 9.4 of <xref target="RFC9528"/>. However, single-sided KEM, such as when one peer has a KEM key in a certificate and the other peer wants to encrypt for it (as in S/MIME or OpenPGP email), can be achieved using non-interactive HPKE < xref target="RFC9180"/>. The following figure illustrates the Diffie-Hellman (DH ) Key exchange:</t> <t>Authenticated Key Exchange (AKE) with KEMs where both parties contrib ute a KEM public key to the overall session key is interactive as described in < xref section="9.4" sectionFormat="of" target="RFC9528"/>. However, a single-side d KEM, such as when one peer has a KEM key in a certificate and the other peer w ants to encrypt for it (as in S/MIME or OpenPGP email), can be achieved using no n-interactive HPKE <xref target="RFC9180"/>. The following figure illustrates th e DH Key exchange:</t>
<figure anchor="tab-dh-ake"> <figure anchor="tab-dh-ake">
<name>Diffie-Hellman based AKE</name> <name>DH-Based AKE</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="480" width="552" viewBox="0 0 552 480" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="480" width="552" viewBox="0 0 552 480" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,320 L 8,368" fill="none" stroke="black"/> <path d="M 8,320 L 8,368" fill="none" stroke="black"/>
<path d="M 24,80 L 24,128" fill="none" stroke="black"/> <path d="M 24,80 L 24,128" fill="none" stroke="black"/>
<path d="M 136,336 L 136,344" fill="none" stroke="black"/> <path d="M 136,336 L 136,344" fill="none" stroke="black"/>
<path d="M 184,32 L 184,64" fill="none" stroke="black"/> <path d="M 184,32 L 184,64" fill="none" stroke="black"/>
<path d="M 216,80 L 216,128" fill="none" stroke="black"/> <path d="M 216,80 L 216,128" fill="none" stroke="black"/>
<path d="M 216,320 L 216,368" fill="none" stroke="black"/> <path d="M 216,320 L 216,368" fill="none" stroke="black"/>
<path d="M 232,72 L 232,464" fill="none" stroke="black"/> <path d="M 232,72 L 232,464" fill="none" stroke="black"/>
<path d="M 264,32 L 264,64" fill="none" stroke="black"/> <path d="M 264,32 L 264,64" fill="none" stroke="black"/>
skipping to change at line 491 skipping to change at line 563
+-------------------------+ | | +-------------------------+ | |
| encrypted | | encrypted |
| content | | content |
|---------->| |---------->|
| | +------------------------+ | | +------------------------+
| | | decryptContent(ss) | | | | decryptContent(ss) |
| | +------------------------+ | | +------------------------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>What's important to note about the sample flow above is that the shar ed secret <tt>ss</tt> is derived using key material from both the Client and the Server, which classifies it as an AKE. There is another property of a key excha nge, called Non-Interactive Key Exchange (NIKE) which refers to whether the send er can compute the shared secret <tt>ss</tt> and encrypt content without requiri ng active interaction (an exchange of network messages) with the recipient. <xre f target="tab-dh-ake"/> shows a Diffie-Hellman key exchange which is an AKE, sin ce both parties are using long-term keys which can have established trust (for e xample, via certificates), but it is not a NIKE, since the client needs to wait for the network interaction to receive the receiver's public key <tt>pk2</tt> be fore it can compute the shared secret <tt>ss</tt> and begin content encryption. However, a DH key exchange can be an AKE and a NIKE at the same time if the rece iver's public key is known to the sender in advance, and many Internet protocols rely on this property of DH-based key exchanges.</t> <t>In the sample flow above, it is important to note that the shared sec ret <tt>ss</tt> is derived using key material from both the client and the serve r, which classifies it as an AKE. There is another property of a key exchange, c alled Non-Interactive Key Exchange (NIKE), that refers to whether the sender ca n compute the shared secret <tt>ss</tt> and encrypt content without requiring ac tive interaction (an exchange of network messages) with the recipient. <xref tar get="tab-dh-ake"/> shows a DH key exchange, which is an AKE since both parties a re using long-term keys that can have established trust (for example, via certif icates), but it is not a NIKE since the client needs to wait for the network int eraction to receive the receiver's public key <tt>pk2</tt> before it can compute the shared secret <tt>ss</tt> and begin content encryption. However, a DH key e xchange can be an AKE and a NIKE at the same time if the receiver's public key i s known to the sender in advance (see <xref target="tab-dh-ake-nike"/>), and man y Internet protocols rely on this property of DH-based key exchanges.</t>
<figure anchor="tab-dh-ake-nike"> <figure anchor="tab-dh-ake-nike">
<name>Diffie-Hellman based AKE and NIKE simultaneously</name> <name>Simultaneous DH-Based AKE and NIKE</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="400" width="536" viewBox="0 0 536 400" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= "1.1" height="400" width="536" viewBox="0 0 536 400" class="diagram" text-anchor ="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,80 L 8,192" fill="none" stroke="black"/> <path d="M 8,80 L 8,192" fill="none" stroke="black"/>
<path d="M 136,160 L 136,168" fill="none" stroke="black"/> <path d="M 136,160 L 136,168" fill="none" stroke="black"/>
<path d="M 168,32 L 168,64" fill="none" stroke="black"/> <path d="M 168,32 L 168,64" fill="none" stroke="black"/>
<path d="M 200,80 L 200,192" fill="none" stroke="black"/> <path d="M 200,80 L 200,192" fill="none" stroke="black"/>
<path d="M 216,72 L 216,368" fill="none" stroke="black"/> <path d="M 216,72 L 216,368" fill="none" stroke="black"/>
<path d="M 248,32 L 248,64" fill="none" stroke="black"/> <path d="M 248,32 L 248,64" fill="none" stroke="black"/>
<path d="M 264,32 L 264,64" fill="none" stroke="black"/> <path d="M 264,32 L 264,64" fill="none" stroke="black"/>
<path d="M 312,72 L 312,368" fill="none" stroke="black"/> <path d="M 312,72 L 312,368" fill="none" stroke="black"/>
skipping to change at line 580 skipping to change at line 652
|---------->| |---------->|
| | +------------------------+ | | +------------------------+
| |-| Long-term server key: | | |-| Long-term server key: |
| | | sk2, pk2 | | | | sk2, pk2 |
| | | ss = KeyEx(pk1, sk2) | | | | ss = KeyEx(pk1, sk2) |
| | | decryptContent(ss) | | | | decryptContent(ss) |
| | +------------------------+ | | +------------------------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>The complication with KEMs is that a KEM <tt>Encaps()</tt> is non-det erministic; it involves randomness chosen by the sender of that message. Therefo re, in order to perform an AKE, the client must wait for the server to generate the needed randomness and perform <tt>Encaps()</tt> against the client key, whic h necessarily requires a network round-trip. Therefore, a KEM-based protocol can either be an AKE or a NIKE, but cannot be both at the same time. Consequently, certain Internet protocols will necessitate a redesign to accommodate this disti nction, either by introducing extra network round-trips or by making trade-offs in security properties.</t> <t>The complication with KEMs is that a KEM <tt>Encaps()</tt> is non-det erministic; it involves randomness chosen by the sender of that message. Therefo re, in order to perform an AKE, the client must wait for the server to generate the needed randomness and perform <tt>Encaps()</tt> against the client key, whic h necessarily requires a network round-trip. Therefore, a KEM-based protocol can either be an AKE or a NIKE, but it cannot be both at the same time. Consequentl y, certain Internet protocols will necessitate a redesign to accommodate this di stinction, either by introducing extra network round trips or by making trade-of fs in security properties.</t>
<figure anchor="tab-kem-ake"> <figure anchor="tab-kem-ake">
<name>KEM based AKE</name> <name>KEM-Based AKE</name>
<artset> <artset>
<artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version= <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version=
"1.1" height="480" width="560" viewBox="0 0 560 480" class="diagram" text-anchor "1.1" height="480" width="576" viewBox="0 0 576 480" class="diagram" text-anchor
="middle" font-family="monospace" font-size="13px" stroke-linecap="round"> ="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
<path d="M 8,80 L 8,112" fill="none" stroke="black"/>
<path d="M 8,288 L 8,352" fill="none" stroke="black"/> <path d="M 8,288 L 8,352" fill="none" stroke="black"/>
<path d="M 184,32 L 184,64" fill="none" stroke="black"/> <path d="M 24,80 L 24,112" fill="none" stroke="black"/>
<path d="M 208,80 L 208,112" fill="none" stroke="black"/> <path d="M 200,32 L 200,64" fill="none" stroke="black"/>
<path d="M 208,336 L 208,352" fill="none" stroke="black"/> <path d="M 224,80 L 224,112" fill="none" stroke="black"/>
<path d="M 224,72 L 224,464" fill="none" stroke="black"/> <path d="M 224,288 L 224,352" fill="none" stroke="black"/>
<path d="M 264,32 L 264,64" fill="none" stroke="black"/> <path d="M 240,72 L 240,464" fill="none" stroke="black"/>
<path d="M 280,32 L 280,64" fill="none" stroke="black"/> <path d="M 280,32 L 280,64" fill="none" stroke="black"/>
<path d="M 320,72 L 320,464" fill="none" stroke="black"/> <path d="M 296,32 L 296,64" fill="none" stroke="black"/>
<path d="M 336,176 L 336,224" fill="none" stroke="black"/> <path d="M 336,72 L 336,464" fill="none" stroke="black"/>
<path d="M 336,416 L 336,464" fill="none" stroke="black"/> <path d="M 352,176 L 352,224" fill="none" stroke="black"/>
<path d="M 360,32 L 360,64" fill="none" stroke="black"/> <path d="M 352,416 L 352,464" fill="none" stroke="black"/>
<path d="M 552,176 L 552,224" fill="none" stroke="black"/> <path d="M 376,32 L 376,64" fill="none" stroke="black"/>
<path d="M 552,416 L 552,464" fill="none" stroke="black"/> <path d="M 568,176 L 568,224" fill="none" stroke="black"/>
<path d="M 184,32 L 264,32" fill="none" stroke="black"/> <path d="M 568,416 L 568,464" fill="none" stroke="black"/>
<path d="M 280,32 L 360,32" fill="none" stroke="black"/> <path d="M 200,32 L 280,32" fill="none" stroke="black"/>
<path d="M 184,64 L 264,64" fill="none" stroke="black"/> <path d="M 296,32 L 376,32" fill="none" stroke="black"/>
<path d="M 280,64 L 360,64" fill="none" stroke="black"/> <path d="M 200,64 L 280,64" fill="none" stroke="black"/>
<path d="M 8,80 L 208,80" fill="none" stroke="black"/> <path d="M 296,64 L 376,64" fill="none" stroke="black"/>
<path d="M 8,112 L 208,112" fill="none" stroke="black"/> <path d="M 24,80 L 224,80" fill="none" stroke="black"/>
<path d="M 232,160 L 312,160" fill="none" stroke="black"/> <path d="M 24,112 L 224,112" fill="none" stroke="black"/>
<path d="M 336,176 L 552,176" fill="none" stroke="black"/> <path d="M 248,160 L 328,160" fill="none" stroke="black"/>
<path d="M 336,224 L 552,224" fill="none" stroke="black"/> <path d="M 352,176 L 568,176" fill="none" stroke="black"/>
<path d="M 232,272 L 312,272" fill="none" stroke="black"/> <path d="M 352,224 L 568,224" fill="none" stroke="black"/>
<path d="M 8,288 L 200,288" fill="none" stroke="black"/> <path d="M 248,272 L 328,272" fill="none" stroke="black"/>
<path d="M 8,352 L 208,352" fill="none" stroke="black"/> <path d="M 8,288 L 224,288" fill="none" stroke="black"/>
<path d="M 232,400 L 312,400" fill="none" stroke="black"/> <path d="M 8,352 L 224,352" fill="none" stroke="black"/>
<path d="M 336,416 L 552,416" fill="none" stroke="black"/> <path d="M 248,400 L 328,400" fill="none" stroke="black"/>
<path d="M 336,464 L 552,464" fill="none" stroke="black"/> <path d="M 352,416 L 568,416" fill="none" stroke="black"/>
<polygon class="arrowhead" points="320,400 308,394.4 308,405.6" <path d="M 352,464 L 568,464" fill="none" stroke="black"/>
fill="black" transform="rotate(0,312,400)"/> <polygon class="arrowhead" points="336,400 324,394.4 324,405.6"
<polygon class="arrowhead" points="320,160 308,154.4 308,165.6" fill="black" transform="rotate(0,328,400)"/>
fill="black" transform="rotate(0,312,160)"/> <polygon class="arrowhead" points="336,160 324,154.4 324,165.6"
<polygon class="arrowhead" points="240,272 228,266.4 228,277.6" fill="black" transform="rotate(0,328,160)"/>
fill="black" transform="rotate(180,232,272)"/> <polygon class="arrowhead" points="256,272 244,266.4 244,277.6"
fill="black" transform="rotate(180,248,272)"/>
<g class="text"> <g class="text">
<text x="220" y="52">Client</text> <text x="236" y="52">Client</text>
<text x="316" y="52">Server</text> <text x="332" y="52">Server</text>
<text x="36" y="100">pk1,</text> <text x="52" y="100">pk1,</text>
<text x="72" y="100">sk1</text> <text x="88" y="100">sk1</text>
<text x="96" y="100">=</text> <text x="112" y="100">=</text>
<text x="152" y="100">kemKeyGen()</text> <text x="168" y="100">kemKeyGen()</text>
<text x="216" y="100">-</text> <text x="232" y="100">-</text>
<text x="240" y="148">pk1</text> <text x="256" y="148">pk1</text>
<text x="328" y="196">-</text> <text x="344" y="196">-</text>
<text x="364" y="196">ss1,</text> <text x="380" y="196">ss1,</text>
<text x="400" y="196">ct1</text> <text x="416" y="196">ct1</text>
<text x="424" y="196">=</text> <text x="440" y="196">=</text>
<text x="492" y="196">kemEncaps(pk1)</text> <text x="508" y="196">kemEncaps(pk1)</text>
<text x="364" y="212">pk2,</text> <text x="380" y="212">pk2,</text>
<text x="400" y="212">sk2</text> <text x="416" y="212">sk2</text>
<text x="424" y="212">=</text> <text x="440" y="212">=</text>
<text x="480" y="212">kemKeyGen()</text> <text x="496" y="212">kemKeyGen()</text>
<text x="288" y="260">ct1,pk2</text> <text x="304" y="260">ct1,pk2</text>
<text x="32" y="308">ss1</text> <text x="32" y="308">ss1</text>
<text x="56" y="308">=</text> <text x="56" y="308">=</text>
<text x="124" y="308">kemDecaps(ct1,</text> <text x="124" y="308">kemDecaps(ct1,</text>
<text x="204" y="308">sk1)</text> <text x="204" y="308">sk1)</text>
<text x="236" y="308">-|</text>
<text x="36" y="324">ss2,</text> <text x="36" y="324">ss2,</text>
<text x="72" y="324">ct2</text> <text x="72" y="324">ct2</text>
<text x="96" y="324">=</text> <text x="96" y="324">=</text>
<text x="164" y="324">kemEncaps(pk2)</text> <text x="164" y="324">kemEncaps(pk2)</text>
<text x="232" y="324">-</text>
<text x="28" y="340">ss</text> <text x="28" y="340">ss</text>
<text x="48" y="340">=</text> <text x="48" y="340">=</text>
<text x="112" y="340">Combiner(ss1,</text> <text x="112" y="340">Combiner(ss1,</text>
<text x="188" y="340">ss2)</text> <text x="188" y="340">ss2)</text>
<text x="240" y="388">ct2</text> <text x="256" y="388">ct2</text>
<text x="328" y="436">-</text> <text x="344" y="436">-</text>
<text x="360" y="436">ss2</text> <text x="376" y="436">ss2</text>
<text x="384" y="436">=</text> <text x="400" y="436">=</text>
<text x="452" y="436">kemDecaps(ct2,</text> <text x="468" y="436">kemDecaps(ct2,</text>
<text x="532" y="436">sk2)</text> <text x="548" y="436">sk2)</text>
<text x="356" y="452">ss</text> <text x="372" y="452">ss</text>
<text x="376" y="452">=</text> <text x="392" y="452">=</text>
<text x="440" y="452">Combiner(ss1,</text> <text x="456" y="452">Combiner(ss1,</text>
<text x="516" y="452">ss2)</text> <text x="532" y="452">ss2)</text>
</g> </g>
</svg> </svg>
</artwork> </artwork>
<artwork type="ascii-art"><![CDATA[ <artwork type="ascii-art"><![CDATA[
+---------+ +---------+ +---------+ +---------+
| Client | | Server | | Client | | Server |
+---------+ +---------+ +---------+ +---------+
+------------------------+ | | +------------------------+ | |
| pk1, sk1 = kemKeyGen() |-| | | pk1, sk1 = kemKeyGen() |-| |
+------------------------+ | | +------------------------+ | |
| | | |
|pk1 | |pk1 |
|---------->| |---------->|
| | +--------------------------+ | | +--------------------------+
| |-| ss1, ct1 = kemEncaps(pk1)| | |-| ss1, ct1 = kemEncaps(pk1)|
| | | pk2, sk2 = kemKeyGen() | | | | pk2, sk2 = kemKeyGen() |
| | +--------------------------+ | | +--------------------------+
| | | |
| ct1,pk2| | ct1,pk2|
|<----------| |<----------|
+------------------------+ | | +--------------------------+ | |
| ss1 = kemDecaps(ct1, sk1)|-| | | ss1 = kemDecaps(ct1, sk1)| | |
| ss2, ct2 = kemEncaps(pk2)| | | ss2, ct2 = kemEncaps(pk2)|-| |
| ss = Combiner(ss1, ss2)| | | | ss = Combiner(ss1, ss2) | | |
+------------------------+ | | +--------------------------+ | |
| | | |
|ct2 | |ct2 |
|---------->| |---------->|
| | +--------------------------+ | | +--------------------------+
| |-| ss2 = kemDecaps(ct2, sk2)| | |-| ss2 = kemDecaps(ct2, sk2)|
| | | ss = Combiner(ss1, ss2) | | | | ss = Combiner(ss1, ss2) |
| | +--------------------------+ | | +--------------------------+
]]></artwork> ]]></artwork>
</artset> </artset>
</figure> </figure>
<t>Here, <tt>Combiner(ss1, ss2)</tt>, often referred to as a KEM Combine r, is a cryptographic construction that takes in two shared secrets and returns a single combined shared secret. The simplest combiner is concatenation <tt>ss1 || ss2</tt>, but combiners can vary in complexity depending on the cryptographic properties required. For example, if the combination should preserve IND-CCA2 < xref target="INDCCA2"/> of either input even if the other is chosen maliciously, then a more complex construct is required. Another consideration for combiner d esign is so-called "binding properties" introduced in <xref target="KEEPINGUP"/> , which may require the ciphertexts and recipient public keys to be included in the combiner. KEM combiner security analysis becomes more complicated in hybrid settings where the two KEMs represent different algorithms, for example, where o ne is ML-KEM and the other is ECDH. For a more thorough discussion of KEM combin ers, see <xref target="KEEPINGUP"/>, <xref target="I-D.draft-ounsworth-cfrg-kem- combiners"/>, and <xref target="I-D.irtf-cfrg-hybrid-kems"/>.</t> <t>In the figure above, <tt>Combiner(ss1, ss2)</tt>, often referred to a s a KEM combiner, is a cryptographic construction that takes in two shared secre ts and returns a single combined shared secret. The simplest combiner is concate nation <tt>ss1 || ss2</tt>, but combiners can vary in complexity depending on th e cryptographic properties required. For example, if the combination should pres erve IND-CCA2 (see <xref target="INDCCA2"/>) of either input, even if the other is chosen maliciously, then a more complex construct is required. Another consid eration for combiner design is the so-called "binding properties" introduced in <xref target="KEEPINGUP"/>, which may require the ciphertexts and recipient publ ic keys to be included in the combiner. KEM combiner security analysis becomes m ore complicated in hybrid settings where the two KEMs represent different algori thms, for example, where one is ML-KEM and the other is ECDH. For a more thoroug h discussion of KEM combiners, see <xref target="KEEPINGUP"/>, <xref target="I-D .ounsworth-cfrg-kem-combiners"/>, and <xref target="I-D.irtf-cfrg-hybrid-kems"/> .</t>
</section> </section>
<section anchor="security-properties-of-kems"> <section anchor="security-properties-of-kems">
<name>Security Properties of KEMs</name> <name>Security Properties of KEMs</name>
<t>The security properties described in this section (IND-CCA2 and bindi ng) are not an exhaustive list of all possible KEM security considerations. They were selected because they are fundamental to evaluating KEM suitability in pro tocol design and are commonly discussed in current PQC work.</t> <t>The security properties described in this section (IND-CCA2 and bindi ng) are not an exhaustive list of all possible KEM security considerations. They were selected because they are fundamental to evaluating KEM suitability in pro tocol design and are commonly discussed in current PQC work.</t>
<section anchor="INDCCA2"> <section anchor="INDCCA2">
<name>IND-CCA2</name> <name>IND-CCA2</name>
<t>IND-CCA2 (INDistinguishability under adaptive Chosen-Ciphertext Att ack) is an advanced security notion for encryption schemes. It ensures the confi dentiality of the plaintext and resistance against chosen-ciphertext attacks. An appropriate definition of IND-CCA2 security for KEMs can be found in <xref targ et="CS01"/> and <xref target="BHK09"/>. ML-KEM <xref target="ML-KEM"/> and Class ic McEliece provide IND-CCA2 security.</t> <t>IND-CCA2 (INDistinguishability under adaptive Chosen-Ciphertext Att ack) is an advanced security notion for encryption schemes. It ensures the confi dentiality of the plaintext and resistance against chosen-ciphertext attacks. An appropriate definition of IND-CCA2 security for KEMs can be found in <xref targ et="CS01"/> and <xref target="BHK09"/>. ML-KEM <xref target="ML-KEM"/> and Class ic McEliece provide IND-CCA2 security.</t>
<t>Understanding IND-CCA2 security is essential for individuals involv ed in designing or implementing cryptographic systems and protocols in order to evaluate the strength of the algorithm, assess its suitability for specific use cases, and ensure that data confidentiality and security requirements are met. U nderstanding IND-CCA2 security is generally not necessary for developers migrati ng to using an IETF-vetted key establishment method (KEM) within a given protoco l or flow. IND-CCA2 is a widely accepted security notion for public key encrypti on mechanisms, making it suitable for a broad range of applications. When an IET F specification defines a new KEM, its security considerations should fully desc ribe the relevant cryptographic properties, including IND-CCA2.</t> <t>Understanding IND-CCA2 security is essential for individuals involv ed in designing or implementing cryptographic systems and protocols in order to evaluate the strength of the algorithm, assess its suitability for specific use cases, and ensure that data confidentiality and security requirements are met. U nderstanding IND-CCA2 security is generally not necessary for developers migrati ng to using an IETF-vetted KEM within a given protocol or flow. IND-CCA2 is a wi dely accepted security notion for public key encryption mechanisms, making it su itable for a broad range of applications. When an IETF specification defines a n ew KEM, its security considerations should fully describe the relevant cryptogra phic properties, including IND-CCA2.</t>
</section> </section>
<section anchor="binding"> <section anchor="binding">
<name>Binding</name> <name>Binding</name>
<t>KEMs also have an orthogonal set of properties to consider when des <t>KEMs also have an orthogonal set of properties to consider when des
igning protocols around them: binding <xref target="KEEPINGUP"/>. This can be "c igning protocols around them: binding <xref target="KEEPINGUP"/>. This can be "c
iphertext binding", "public key binding", "context binding", or any other proper iphertext binding", "public key binding", "context binding", or any other proper
ty that is important to not be substituted between KEM invocations. In general, ty that is important to not be substituted between KEM invocations. In general,
a KEM is considered to bind a certain value if substitution of that value by an a KEM is considered to bind a certain value if substitution of that value by an
attacker will necessarily result in a different shared secret being derived. As attacker will necessarily result in a different shared secret being derived. As
an example, if an attacker can construct two different ciphertexts which will de an example, if an attacker can construct two different ciphertexts that will dec
capsulate to the same shared secret; or can construct a ciphertext which will de apsulate to the same shared secret, can construct a ciphertext that will decapsu
capsulate to the same shared secret under two different public keys, or can subs late to the same shared secret under two different public keys, or can substitut
titute whole KEM exchanges from one session into another, then the construction e whole KEM exchanges from one session into another, then the construction is no
is not ciphertext binding, public key binding, or context binding respectively. t ciphertext binding, public key binding, or context binding, respectively. Simi
Similarly, protocol designers may wish to bind protocol state information such a larly, protocol designers may wish to bind protocol state information such as a
s a transaction ID or nonce so that attempts to replay ciphertexts from one sess transaction ID or nonce so that attempts to replay ciphertexts from one session
ion inside a different session will be blocked at the cryptographic level becaus inside a different session will be blocked at the cryptographic level because th
e the server derives a different shared secret and is thus is unable to decrypt e server derives a different shared secret and is thus is unable to decrypt the
the content.</t> content.</t>
<t>The solution to binding is generally achieved at the protocol desig <t>The solution to binding is generally achieved at the protocol desig
n level: It is recommended to avoid using the KEM output shared secret directly n level: It is recommended to avoid using the KEM output shared secret directly
without integrating it into an appropriate protocol. While KEM algorithms provid without integrating it into an appropriate protocol. While KEM algorithms provid
e key secrecy, they do not inherently ensure source authenticity, protect agains e key secrecy, they do not inherently ensure source authenticity, protect agains
t replay attacks, or guarantee freshness. These security properties should be ad t replay attacks, or guarantee freshness. These security properties should be ad
dressed by incorporating the KEM into a protocol that has been analyzed for such dressed by incorporating the KEM into a protocol that has been analyzed for such
protections. Even though modern KEMs such as ML-KEM produce full-entropy shared protections. Even though modern KEMs such as ML-KEM produce full-entropy shared
secrets, it is still advisable for binding reasons to pass it through a key der secrets, it is still advisable for binding reasons to pass the shared secret th
ivation function (KDF) and also include all values that you wish to bind; then f rough a key derivation function (KDF) and also include all values that you wish
inally you will have a shared secret that is safe to use at the protocol level.< to bind; finally, you will have a shared secret that is safe to use at the proto
/t> col level.</t>
</section> </section>
</section> </section>
<section anchor="hpke"> <section anchor="hpke">
<name>HPKE</name> <name>HPKE</name>
<t>Modern cryptography has long used the notion of "hybrid encryption" w <t>Modern cryptography has long used the notion of "hybrid encryption" w
here an asymmetric algorithm is used to establish a key, and then a symmetric al here an asymmetric algorithm is used to establish a key and then a symmetric alg
gorithm is used for bulk content encryption. The previous sections explained imp orithm is used for bulk content encryption. The previous sections explained impo
ortant security properties of KEMs, such as IND-CCA2 security and binding, and e rtant security properties of KEMs, such as IND-CCA2 security and binding, and em
mphasized that these properties must be supported by proper protocol design. One phasized that these properties must be supported by proper protocol design. One
widely deployed scheme that achieves this is HPKE (Hybrid Public Key Encryption widely deployed scheme that achieves this is Hybrid Public Key Encryption (HPKE)
) <xref target="RFC9180"/>.</t> <xref target="RFC9180"/>.</t>
<t>HPKE (hybrid public key encryption) <xref target="RFC9180"/> works wi <t>HPKE <xref target="RFC9180"/> works with a combination of KEMs, KDFs,
th a combination of KEMs, KDFs and AEAD (authenticated encryption with additiona and Authenticated Encryption with Associated Data (AEAD) schemes. HPKE includes
l data) schemes. HPKE includes three authenticated variants, including one that three authenticated variants, including one that authenticates possession of a
authenticates possession of a pre-shared key and two optional ones that authenti pre-shared key and two optional ones that authenticate possession of a KEM priva
cate possession of a key encapsulation mechanism (KEM) private key. HPKE can be te key. HPKE can be extended to support hybrid post-quantum KEM <xref target="I-
extended to support hybrid post-quantum KEM <xref target="I-D.ietf-hpke-pq"/>. M D.ietf-hpke-pq"/>. ML-KEM does not support the static-ephemeral key exchange tha
L-KEM does not support the static-ephemeral key exchange that allows HPKE based t allows HPKE that is based on DH-based KEMs and its optional authenticated mode
on DH based KEMs and its optional authenticated modes as discussed in section 1. s as discussed in <xref section="1.5" sectionFormat="of" target="I-D.connolly-cf
5 of <xref target="I-D.draft-connolly-cfrg-xwing-kem"/>.</t> rg-xwing-kem"/>.</t>
</section> </section>
</section> </section>
<section anchor="pqc-signatures-1"> <section anchor="pqc-signatures-1">
<name>PQC Signatures</name> <name>PQC Signatures</name>
<t>Any digital signature scheme that provides a construction defining secu rity under a post-quantum setting falls under this category of PQC signatures.</ t> <t>Any digital signature scheme that provides a construction defining secu rity under a post-quantum setting falls under this category of PQC signatures.</ t>
<section anchor="security-properties-of-pqc-signatures"> <section anchor="security-properties-of-pqc-signatures">
<name>Security Properties of PQC Signatures</name> <name>Security Properties of PQC Signatures</name>
<section anchor="euf-cma-and-suf-cma"> <section anchor="euf-cma-and-suf-cma">
<name>EUF-CMA and SUF-CMA</name> <name>EUF-CMA and SUF-CMA</name>
<t>EUF-CMA (existential unforgeability under chosen message attack) <x ref target="GMR88"/> is a security notion for digital signature schemes. It guar antees that an adversary, even with access to a signing oracle, cannot forge a v alid signature for an arbitrary message. EUF-CMA provides strong protection agai nst forgery attacks, ensuring the integrity and authenticity of digital signatur es by preventing unauthorized modifications or fraudulent signatures. ML-DSA, FN -DSA, and SLH-DSA provide EUF-CMA security.</t> <t>EUF-CMA (existential unforgeability under chosen message attack) <x ref target="GMR88"/> is a security notion for digital signature schemes. It guar antees that an adversary, even with access to a signing oracle, cannot forge a v alid signature for an arbitrary message. EUF-CMA provides strong protection agai nst forgery attacks, ensuring the integrity and authenticity of digital signatur es by preventing unauthorized modifications or fraudulent signatures. ML-DSA, FN -DSA, and SLH-DSA provide EUF-CMA security.</t>
<t>SUF-CMA (strong unforgeability under chosen message attack) builds upon EUF-CMA by requiring that an adversary cannot produce a different valid sig nature for a message that has already been signed by the signing oracle. Like EU F-CMA, SUF-CMA provides robust assurances for digital signature schemes, further enhancing their security posture. ML-DSA, FN-DSA, and SLH-DSA also achieve SUF- CMA security.</t> <t>SUF-CMA (strong unforgeability under chosen message attack) builds upon EUF-CMA by requiring that an adversary cannot produce a different valid sig nature for a message that has already been signed by the signing oracle. Like EU F-CMA, SUF-CMA provides robust assurances for digital signature schemes, further enhancing their security posture. ML-DSA, FN-DSA, and SLH-DSA also achieve SUF- CMA security.</t>
<t>Understanding EUF-CMA and SUF-CMA security is essential for designi <t>Understanding EUF-CMA and SUF-CMA security is essential for designi
ng or implementing cryptographic systems in order to ensure the security, reliab ng or implementing cryptographic systems in order to ensure the security, reliab
ility, and robustness of digital signature schemes. These notions allow for info ility, and robustness of digital signature schemes. These notions allow for info
rmed decision-making, vulnerability analysis, compliance with standards, and des rmed decision making, vulnerability analysis, compliance with standards, and des
igning systems that provide strong protection against forgery attacks. For devel igning systems that provide strong protection against forgery attacks. For devel
opers migrating to using an IETF-vetted PQC signature scheme within a given prot opers migrating to an IETF-vetted PQC signature scheme within a given protocol o
ocol or flow, a deep understanding of EUF-CMA and SUF-CMA security may not be ne r flow, a deep understanding of EUF-CMA and SUF-CMA security may not be necessar
cessary, as the schemes vetted by IETF adhere to these stringent security standa y, as the schemes vetted by IETF adhere to these stringent security standards.</
rds.</t> t>
<t>EUF-CMA and SUF-CMA are considered strong security benchmarks for p <t>EUF-CMA and SUF-CMA are considered strong security benchmarks for p
ublic key signature algorithms, making them suitable for most applications. IETF ublic key signature algorithms, making them suitable for most applications. Auth
specification authors should include all security concerns in the "Security Con ors of IETF specifications should include all security concerns in the "Security
siderations" section of the relevant RFC and should not assume that implementers Considerations" section of the relevant RFC and should not assume that implemen
are experts in cryptographic theory.</t> ters are experts in cryptographic theory.</t>
</section> </section>
</section> </section>
<section anchor="sig-scheme"> <section anchor="sig-scheme">
<name>Details of FN-DSA, ML-DSA, and SLH-DSA</name> <name>Details of FN-DSA, ML-DSA, and SLH-DSA</name>
<t>ML-DSA <xref target="ML-DSA"/> is a digital signature algorithm based <t>ML-DSA <xref target="ML-DSA"/> is a digital signature algorithm based
on the hardness of lattice problems over module lattices (i.e., the Module Lear on the hardness of lattice problems over module lattices (i.e., the Module Lear
ning with Errors problem (MLWE)). The design of the algorithm is based on the "F ning with Errors (MLWE) problem). The design of the algorithm is based on the "F
iat-Shamir with Aborts" <xref target="Lyu09"/> framework introduced by Lyubashev iat-Shamir with Aborts" <xref target="Lyu09"/> framework introduced by Lyubashev
sky, that leverages rejection sampling to render lattice-based Fiat-Shamir (FS) sky that leverages rejection sampling to render lattice-based Fiat-Shamir (FS) s
schemes compact and secure. ML-DSA uses uniformly-distributed random number samp chemes compact and secure. ML-DSA uses uniformly distributed random number sampl
ling over small integers to compute coefficients in error vectors, which makes t ing over small integers to compute coefficients in error vectors, which makes th
he scheme easier to implement compared with FN-DSA <xref target="FN-DSA"/> which e scheme easier to implement compared to FN-DSA <xref target="FN-DSA"/>, which
uses Gaussian-distributed numbers, necessitating the need to use floating point uses Gaussian-distributed numbers, necessitating the need to use floating-point
arithmetic during signature generation.</t> arithmetic during signature generation.</t>
<t>ML-DSA offers both deterministic and randomized signing and is instan <t>ML-DSA offers both deterministic and randomized signing and is instan
tiated with 3 parameter sets providing different security levels. Security prope tiated with three parameter sets providing different security levels. Security p
rties of ML-DSA are discussed in Section 9 of <xref target="I-D.ietf-lamps-dilit roperties of ML-DSA are discussed in <xref section="9" sectionFormat="of" target
hium-certificates"/>.</t> ="RFC9881"/>.</t>
<t>FN-DSA <xref target="FN-DSA"/> is based on the GPV hash-and-sign latt ice-based signature framework introduced by Gentry, Peikert, and Vaikuntanathan, which is a framework that requires a certain class of lattices and a trapdoor s ampler technique.</t> <t>FN-DSA <xref target="FN-DSA"/> is based on the GPV hash-and-sign latt ice-based signature framework introduced by Gentry, Peikert, and Vaikuntanathan, which is a framework that requires a certain class of lattices and a trapdoor s ampler technique.</t>
<t>The main design principle of FN-DSA is compactness, i.e., it was desi <t>The main design principle of FN-DSA is compactness, i.e., it was desi
gned in a way that achieves minimal total memory bandwidth requirement (the sum gned in a way that achieves minimal total memory bandwidth requirement (the sum
of the signature size plus the public key size). This is possible due to the com of the signature size plus the public key size). This is possible due to the com
pactness of NTRU lattices. FN-DSA also offers very efficient signing and verific pactness of NTRU lattices. FN-DSA also offers very efficient signing and verific
ation procedures. The main potential downsides of FN-DSA refer to the non-trivia ation procedures. The main potential downsides of FN-DSA refer to the non-trivia
lity of its algorithms and the need for floating point arithmetic support in ord lity of its algorithms and the need for floating-point arithmetic support in ord
er to support Gaussian-distributed random number sampling where the other lattic er to support Gaussian-distributed random number sampling where the other lattic
e schemes use the less efficient but easier to support uniformly-distributed ran e schemes use the less efficient but easier to support uniformly distributed ran
dom number sampling.</t> dom number sampling.</t>
<t>Implementers of FN-DSA need to be aware that FN-DSA signing is highly <t>Implementers of FN-DSA need to be aware that FN-DSA signing is highly
susceptible to side-channel attacks, unless constant-time 64-bit floating-point susceptible to side-channel attacks unless constant-time 64-bit floating-point
operations are used. This requirement is extremely platform-dependent, as noted operations are used. This requirement is extremely platform-dependent, as noted
in NIST's report.</t> in NIST's report <xref target="NIST"/>.</t>
<t>The performance characteristics of ML-DSA and FN-DSA may differ based <t>The performance characteristics of ML-DSA and FN-DSA may differ based
on the specific implementation and hardware platform. Generally, ML-DSA is know on the specific implementation and hardware platform. Generally, ML-DSA is know
n for its relatively fast signature generation, while FN-DSA can provide more ef n for its relatively fast signature generation, while FN-DSA can provide more ef
ficient signature verification. The choice may depend on whether the application ficient signature verification. The choice may depend on whether the application
requires more frequent signature generation or signature verification (See <xre requires more frequent signature generation or signature verification (see <xre
f target="LIBOQS"/>). For further clarity on the sizes and security levels, plea f target="LIBOQS"/>). For further clarity on the sizes and security levels, plea
se refer to the tables in <xref target="RecSecurity"/> and <xref target="Compari se refer to the tables in Sections <xref target="RecSecurity" format="counter"/>
sons"/>.</t> and <xref target="Comparisons" format="counter"/>.</t>
<t>SLH-DSA <xref target="SLH-DSA"/> utilizes the concept of stateless ha <t>SLH-DSA <xref target="SLH-DSA"/> utilizes the concept of stateless ha
sh-based signatures, where each signature is unique and unrelated to any previou sh-based signatures, where each signature is unique and unrelated to any previou
s signature (as discussed in <xref target="hash-based"/>). This property elimina s signature (as discussed in <xref target="hash-based"/>). This property elimina
tes the need for maintaining state information during the signing process. SLH-D tes the need for maintaining state information during the signing process. SLH-D
SA was designed to sign up to 2^64 messages under a given key pair, and it offer SA was designed to sign up to 2<sup>64</sup> messages under a given key pair, an
s three security levels. The parameters for each of the security levels were cho d it offers three security levels. The parameters for each of the security level
sen to provide 128 bits of security, 192 bits of security, and 256 bits of secur s were chosen to provide 128 bits of security, 192 bits of security, and 256 bit
ity. SLH-DSA offers smaller public key sizes, larger signature sizes, slower sig s of security. SLH-DSA offers smaller public key sizes, larger signature sizes,
nature generation, and slower verification when compared to ML-DSA and FN-DSA. S slower signature generation, and slower verification when compared to ML-DSA and
LH-DSA does not introduce a new hardness assumption beyond those inherent to the FN-DSA. SLH-DSA does not introduce a new hardness assumption beyond those inher
underlying hash functions. It builds upon established foundations in cryptograp ent to the underlying hash functions. It builds upon established foundations in
hy, making it a reliable and robust digital signature scheme for a post-quantum cryptography, making it a reliable and robust digital signature scheme for a pos
world.</t> t-quantum world.</t>
<t>All of these algorithms, ML-DSA, FN-DSA, and SLH-DSA include two sign <t>All of these algorithms (ML-DSA, FN-DSA, and SLH-DSA) include two sig
ature modes: pure mode, where the entire content is signed directly, and pre-has nature modes: pure mode, where the entire content is signed directly, and pre-ha
h mode, where a digest of the content is signed.</t> sh mode, where a digest of the content is signed.</t>
</section> </section>
<section anchor="details-of-xmss-and-lms"> <section anchor="details-of-xmss-and-lms">
<name>Details of XMSS and LMS</name> <name>Details of XMSS and LMS</name>
<t>The eXtended Merkle Signature Scheme (XMSS) <xref target="RFC8391"/> and Hierarchical Signature Scheme (HSS) / Leighton-Micali Signature (LMS) <xref target="RFC8554"/> are stateful hash-based signature schemes, where the secret k ey state changes over time. In both schemes, reusing a secret key state compromi ses cryptographic security guarantees.</t> <t>The eXtended Merkle Signature Scheme (XMSS) <xref target="RFC8391"/> and Hierarchical Signature Scheme (HSS) / Leighton-Micali Signature (LMS) <xref target="RFC8554"/> are stateful hash-based signature schemes, where the secret k ey state changes over time. In both schemes, reusing a secret key state compromi ses cryptographic security guarantees.</t>
<t>XMSS and LMS can be used for signing a potentially large but fixed nu <t>XMSS and LMS can be used for signing a potentially large but fixed nu
mber of messages and the number of signing operations depends upon the size of t mber of messages, and the number of signing operations depends upon the size of
he tree. XMSS and LMS provide cryptographic digital signatures without relying o the tree. XMSS and LMS provide cryptographic digital signatures without relying
n the conjectured hardness of mathematical problems, instead leveraging the prop on the conjectured hardness of mathematical problems, instead leveraging the pro
erties of cryptographic hash functions. Multi-tree XMSS and LMS (i.e., XMSS-MT a perties of cryptographic hash functions. Multi-tree XMSS and LMS (i.e., XMSS-MT
nd HSS, respectively) use a hyper-tree based hierarchical approach with a Merkle and HSS, respectively) use a hyper-tree-based hierarchical approach with a Merkl
tree at each level of the hierarchy. <xref target="RFC8391"/> describes both si e tree at each level of the hierarchy. <xref target="RFC8391"/> describes both s
ngle-tree and multi-tree variants of XMSS, while <xref target="RFC8554"/> descri ingle-tree and multi-tree variants of XMSS, while <xref target="RFC8554"/> descr
bes the Leighton-Micali One-Time Signature (LM-OTS) system as well as the LMS an ibes the Leighton-Micali One-Time Signature (LM-OTS) system as well as the LMS a
d HSS N-time signature systems. Comparison of XMSS and LMS is discussed in Secti nd HSS N-time signature systems. Comparison of XMSS and LMS is discussed in <xre
on 10 of <xref target="RFC8554"/>.</t> f section="10" sectionFormat="of" target="RFC8554"/>.</t>
<t>The number of tree layers in multi-tree XMSS and HSS provides a trade <t>The number of tree layers in multi-tree XMSS and HSS provides a trade
-off between signature size on the one side and key generation and signing speed -off between signature size on the one side and key generation and signing speed
on the other side. Increasing the number of layers reduces key generation time on the other side. Increasing the number of layers reduces key generation time
exponentially and signing time linearly at the cost of increasing the signature exponentially and signing time linearly at the cost of increasing the signature
size linearly. HSS allows for customization of each subtree whereas XMSS-MT does size linearly. HSS allows for customization of each subtree, whereas XMSS-MT doe
not, electing instead to use the same structure for each subtree.</t> s not, electing instead to use the same structure for each subtree.</t>
<t>Due to the complexities described above, the XMSS and LMS are not a s <t>Due to the complexities described above, XMSS and LMS are not suitabl
uitable replacement for traditional signature schemes like RSA or ECDSA. Applica e replacements for traditional signature schemes like RSA or ECDSA. Applications
tions that expect a long lifetime of a signature, like firmware update or secure that expect a long lifetime of a signature, like firmware update or secure boot
boot, are typical use cases where those schemes can be successfully applied.</t , are typical use cases where those schemes can be successfully applied.</t>
>
<section anchor="lms-key-and-signature-sizes"> <section anchor="lms-key-and-signature-sizes">
<name>LMS Key and Signature Sizes</name> <name>LMS Key and Signature Sizes</name>
<t>The LMS scheme is characterized by four distinct parameter sets: th e underlying hash function (SHA2-256 or SHAKE-256), the length of the digest (24 or 32 bytes), the LMS tree height parameter that controls a maximal number of s ignatures that the private key can produce, and the width of the Winternitz coef ficients (see <xref target="RFC8554"/>, section 4.1) that can be used to trade-o ff signing time for signature size. Parameters can be mixed, providing 80 possib le parameterizations of the scheme.</t> <t>The LMS scheme is characterized by four distinct parameter sets: th e underlying hash function (SHA2-256 or SHAKE-256), the length of the digest (24 or 32 bytes), the LMS tree height parameter that controls a maximal number of s ignatures that the private key can produce, and the width of the Winternitz coef ficients (see <xref section="4.1" sectionFormat="comma" target="RFC8554"/>) that can be used to trade-off signing time for signature size. Parameters can be mix ed, providing 80 possible parameterizations of the scheme.</t>
<t>The public (PK) and private (SK) key size depends on the length of the digest (M). The signature size depends on the digest, the Winternitz paramet er (W), the LMS tree height (H), and the length of the digest. The table below p rovides key and signature sizes for parameterization with the digest size M=32 o f the scheme.</t> <t>The public (PK) and private (SK) key size depends on the length of the digest (M). The signature size depends on the digest, the Winternitz paramet er (W), the LMS tree height (H), and the length of the digest. The table below p rovides key and signature sizes for parameterization with the digest size M=32 o f the scheme.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">PK</th> <th align="left">PK</th>
<th align="left">SK</th> <th align="left">SK</th>
<th align="left">W</th> <th align="left">W</th>
<th align="left">H=5</th> <th align="left">H=5</th>
<th align="left">H=10</th> <th align="left">H=10</th>
<th align="left">H=15</th> <th align="left">H=15</th>
skipping to change at line 810 skipping to change at line 882
<td align="left">1612</td> <td align="left">1612</td>
<td align="left">1772</td> <td align="left">1772</td>
<td align="left">1932</td> <td align="left">1932</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
</section> </section>
<section anchor="hash-then-sign"> <section anchor="hash-then-sign">
<name>Hash-then-Sign</name> <name>Hash-then-Sign</name>
<t>Within the hash-then-sign paradigm, the message is hashed before sign <t>Within the hash-then-sign paradigm, the message is hashed before sign
ing it. By pre-hashing, the onus of resistance to existential forgeries becomes ing it. By pre-hashing, the onus of resistance to existential forgeries becomes
heavily reliant on the collision-resistance of the hash function in use. The has heavily reliant on the collision-resistance of the hash function in use. The has
h-then-sign paradigm has the ability to improve application performance by reduc h-then-sign paradigm has the ability to improve application performance by reduc
ing the size of signed messages that need to be transmitted between application ing the size of signed messages that need to be transmitted between application
and cryptographic module, and making the signature size predictable and manageab and cryptographic module and making the signature size predictable and manageabl
le. As a corollary, hashing remains mandatory even for short messages and assign e. As a corollary, hashing remains mandatory even for short messages and assigns
s a further computational requirement onto the verifier. This makes the performa a further computational requirement onto the verifier. This makes the performan
nce of hash-then-sign schemes more consistent, but not necessarily more efficien ce of hash-then-sign schemes more consistent, but not necessarily more efficient
t.</t> .</t>
<t>Using a hash function to produce a fixed-size digest of a message ens <t>Using a hash function to produce a fixed-size digest of a message ens
ures that the signature is compatible with a wide range of systems and protocols ures that the signature is compatible with a wide range of systems and protocols
, regardless of the specific message size or format. Crucially for hardware secu , regardless of the specific message size or format. Crucially for hardware secu
rity modules, Hash-then-Sign also significantly reduces the amount of data that rity modules, hash-then-sign also significantly reduces the amount of data that
needs to be transmitted and processed by a Hardware Security Module (HSM). Consi needs to be transmitted and processed by a Hardware Security Module (HSM). Consi
der scenarios such as a networked HSM located in a different data center from th der scenarios such as a networked HSM located in a different data center from th
e calling application or a smart card connected over a USB interface. In these c e calling application or a smart card connected over a USB interface. In these c
ases, streaming a message that is megabytes or gigabytes long can result in nota ases, streaming a message that is megabytes or gigabytes long can result in nota
ble network latency, on-device signing delays, or even depletion of available on ble network latency, on-device signing delays, or even depletion of available on
-device memory.</t> -device memory.</t>
<t>Note that the vast majority of Internet protocols that sign large mes <t>Note that the vast majority of Internet protocols that sign large mes
sages already perform some form of content hashing at the protocol level, so thi sages already perform some form of content hashing at the protocol level, so thi
s tends to be more of a concern with proprietary cryptographic protocols, and pr s tends to be more of a concern with proprietary cryptographic protocols and pro
otocols from non-IETF standards bodies. Protocols like TLS 1.3 and DNSSEC use th tocols from non-IETF standards bodies. Protocols like TLS 1.3 and DNSSEC use the
e Hash-then-Sign paradigm. In TLS 1.3 <xref target="RFC8446"/> CertificateVerify hash-then-sign paradigm. In TLS 1.3 <xref target="RFC8446"/> CertificateVerify
messages, the content that is covered under the signature includes the transcri messages, the content that is covered under the signature includes the transcrip
pt hash output (Section 4.4.1 of <xref target="RFC8446"/>), while DNSSEC <xref t t hash output (<xref section="4.4.1" sectionFormat="of" target="RFC8446"/>) whil
arget="RFC4034"/> uses it to provide origin authentication and integrity assuran e DNSSEC <xref target="RFC4034"/> uses it to provide origin authentication and i
ce services for DNS data. Similarly, the Cryptographic Message Syntax (CMS) <xre ntegrity assurance services for DNS data. Similarly, the Cryptographic Message S
f target="RFC5652"/> includes a mandatory message digest step before invoking th yntax (CMS) <xref target="RFC5652"/> includes a mandatory message digest step be
e signature algorithm.</t> fore invoking the signature algorithm.</t>
<t>In the case of ML-DSA, it internally incorporates the necessary hash operations as part of its signing algorithm. ML-DSA directly takes the original message, applies a hash function internally, and then uses the resulting hash va lue for the signature generation process. In the case of SLH-DSA, it internally performs randomized message compression using a keyed hash function that can pro cess arbitrary length messages. In the case of FN-DSA, the SHAKE-256 hash functi on is used as part of the signature process to derive a digest of the message be ing signed.</t> <t>In the case of ML-DSA, it internally incorporates the necessary hash operations as part of its signing algorithm. ML-DSA directly takes the original message, applies a hash function internally, and then uses the resulting hash va lue for the signature generation process. In the case of SLH-DSA, it internally performs randomized message compression using a keyed hash function that can pro cess arbitrary length messages. In the case of FN-DSA, the SHAKE-256 hash functi on is used as part of the signature process to derive a digest of the message be ing signed.</t>
<t>Therefore, ML-DSA, FN-DSA, and SLH-DSA offer enhanced security over t he traditional Hash-then-Sign paradigm because by incorporating dynamic key mate rial into the message digest, a pre-computed hash collision on the message to be signed no longer yields a signature forgery. Applications requiring the perform ance and bandwidth benefits of Hash-then-Sign may still pre-hash at the protocol level prior to invoking ML-DSA, FN-DSA, or SLH-DSA, but protocol designers shou ld be aware that doing so re-introduces the weakness that hash collisions direct ly yield signature forgeries. Signing the full un-digested message is recommende d where applications can tolerate it.</t> <t>Therefore, ML-DSA, FN-DSA, and SLH-DSA offer enhanced security over t he traditional hash-then-sign paradigm because, by incorporating dynamic key mat erial into the message digest, a pre-computed hash collision on the message to b e signed no longer yields a signature forgery. Applications requiring the perfor mance and bandwidth benefits of hash-then-sign may still pre-hash at the protoco l level prior to invoking ML-DSA, FN-DSA, or SLH-DSA, but protocol designers sho uld be aware that doing so reintroduces the weakness that hash collisions direct ly yield signature forgeries. Signing the full un-digested message is recommende d where applications can tolerate it.</t>
</section> </section>
</section> </section>
<section anchor="RecSecurity"> <section anchor="RecSecurity">
<name>NIST Recommendations for Security / Performance Tradeoffs</name> <name>NIST Recommendations for Security and Performance Trade-offs</name>
<t>This information is a re-print of information provided in the NIST PQC <t>This information is a reprint of information provided in the NIST PQC p
project <xref target="NIST"/> as of the time this document is published. The Tab roject <xref target="NIST"/> as of the time this document is published. <xref ta
le 2 denotes the five security levels provided by NIST for PQC algorithms. Neith rget="security-levels-table"/> denotes the five security levels provided by NIST
er NIST nor the IETF make any specific recommendations about which security leve for PQC algorithms. Neither NIST nor the IETF makes any specific recommendation
l to use. In general, protocols will include algorithm choices at multiple level s about which security level to use. In general, protocols will include algorith
s so that users can choose the level appropriate to their policies and data clas m choices at multiple levels so that users can choose the level appropriate to t
sification, similar to how organizations today choose which size of RSA key to u heir policies and data classification, similar to how organizations today choose
se. The security levels are defined as requiring computational resources compara which size of RSA key to use. The security levels are defined as requiring comp
ble to or greater than an attack on AES (128, 192 and 256) and SHA2/SHA3 algorit utational resources comparable to or greater than an attack on AES (128, 192, an
hms, i.e., exhaustive key recovery for AES and optimal collision search for SHA2 d 256) and SHA2/SHA3 algorithms, i.e., exhaustive key recovery for AES and optim
/SHA3.</t> al collision search for SHA2/SHA3.</t>
<table> <table anchor="security-levels-table">
<thead> <thead>
<tr> <tr>
<th align="left">PQ Security Level</th> <th align="left">PQ Security Level</th>
<th align="left">AES/SHA(2/3) hardness</th> <th align="left">AES/SHA(2/3) hardness</th>
<th align="left">PQC Algorithm</th> <th align="left">PQC Algorithm</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td align="left">1</td> <td align="left">1</td>
skipping to change at line 856 skipping to change at line 928
<td align="left">SHA-384/SHA3-384 (collision search)</td> <td align="left">SHA-384/SHA3-384 (collision search)</td>
<td align="left">No algorithm tested at this level</td> <td align="left">No algorithm tested at this level</td>
</tr> </tr>
<tr> <tr>
<td align="left">5</td> <td align="left">5</td>
<td align="left">AES-256 (exhaustive key recovery)</td> <td align="left">AES-256 (exhaustive key recovery)</td>
<td align="left">ML-KEM-1024, FN-DSA-1024, ML-DSA-87, SLH-DSA-SHA2/S HAKE-256f/s</td> <td align="left">ML-KEM-1024, FN-DSA-1024, ML-DSA-87, SLH-DSA-SHA2/S HAKE-256f/s</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>The SLH-DSA-x-yf/s "f/s" in the above table denotes whether SLH-DSA is <t>The SLH-DSA-x-yf/s "f/s" in the above table denotes whether SLH-DSA is
using SHAKE or SHA-2 as an underlying hash function "x" and whether it is the fa using SHAKE or SHA-2 as an underlying hash function "x" and whether it is the fa
st (f) or small (s) version for "y" bit AES security level. Refer to <xref targe st (f) or small (s) version for "y" bit AES security level. Refer to <xref targe
t="I-D.ietf-lamps-cms-sphincs-plus"/> for further details on SLH-DSA algorithms. t="RFC9814"/> for further details on SLH-DSA algorithms.</t>
</t> <t>The following table compares the signature sizes for different SLH-DSA
<t>The following table compares the signature sizes for different SLH-DSA algorithm categories at equivalent security levels using the "simple" version. T
algorithm categories at equivalent security levels, using the "simple" version. he categories include "f" for fast signature generation and "s" for smaller sign
The categories include "(f)" for fast signature generation, and "(s)" for smalle ature size and faster verification, although with slower signature generation. B
r signature size and faster verification, although with slower signature generat oth SHA-256 and SHAKE-256 parameterizations produce the same signature sizes and
ion. Both SHA-256 and SHAKE-256 parameterizations produce the same signature siz are therefore included together in the table.</t>
es and are therefore included together in the table.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">PQ Security Level</th> <th align="left">PQ Security Level</th>
<th align="left">Algorithm</th> <th align="left">Algorithm</th>
<th align="left">Public key size (in bytes)</th> <th align="left">Public key size (in bytes)</th>
<th align="left">Private key size (in bytes)</th> <th align="left">Private key size (in bytes)</th>
<th align="left">Signature size (in bytes)</th> <th align="left">Signature size (in bytes)</th>
</tr> </tr>
</thead> </thead>
skipping to change at line 985 skipping to change at line 1057
<td align="left">5</td> <td align="left">5</td>
<td align="left">ML-DSA-87</td> <td align="left">ML-DSA-87</td>
<td align="left">2592</td> <td align="left">2592</td>
<td align="left">4896</td> <td align="left">4896</td>
<td align="left">4627</td> <td align="left">4627</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<section anchor="Comparisons"> <section anchor="Comparisons">
<name>Comparing PQC KEMs/Signatures vs. Traditional KEMs (KEXs)/Signatures <name>Comparing PQC KEMs/Signatures and Traditional KEMs/Signatures</name>
</name> <t>This section provides two tables for comparison of different KEMs and s
<t>This section provides two tables for comparison of different KEMs and s ignatures, respectively, in the traditional and post-quantum scenarios. These ta
ignatures respectively, in the traditional and post-quantum scenarios. These tab bles focus on the secret key sizes, public key sizes, and ciphertext/signature s
les focus on the secret key sizes, public key sizes, and ciphertext/signature si izes for the PQC algorithms and their traditional counterparts of similar securi
zes for the PQC algorithms and their traditional counterparts of similar securit ty levels.</t>
y levels.</t> <t>The first table compares traditional and PQC KEMs in terms of security,
<t>The first table compares traditional vs. PQC KEMs in terms of security, public and private key sizes, and ciphertext sizes.</t>
public and private key sizes, and ciphertext sizes.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">PQ Security Level</th> <th align="left">PQ Security Level</th>
<th align="left">Algorithm</th> <th align="left">Algorithm</th>
<th align="left">Public key size (in bytes)</th> <th align="left">Public key size (in bytes)</th>
<th align="left">Private key size (in bytes)</th> <th align="left">Private key size (in bytes)</th>
<th align="left">Ciphertext size (in bytes)</th> <th align="left">Ciphertext size (in bytes)</th>
</tr> </tr>
</thead> </thead>
skipping to change at line 1043 skipping to change at line 1115
</tr> </tr>
<tr> <tr>
<td align="left">5</td> <td align="left">5</td>
<td align="left">ML-KEM-1024</td> <td align="left">ML-KEM-1024</td>
<td align="left">1568</td> <td align="left">1568</td>
<td align="left">3168</td> <td align="left">3168</td>
<td align="left">1568</td> <td align="left">1568</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>The next table compares traditional vs. PQC signature schemes in terms of security, public, private key sizes, and signature sizes.</t> <t>The next table compares traditional and PQC signature schemes in terms of security, public, private key sizes, and signature sizes.</t>
<table> <table>
<thead> <thead>
<tr> <tr>
<th align="left">PQ Security Level</th> <th align="left">PQ Security Level</th>
<th align="left">Algorithm</th> <th align="left">Algorithm</th>
<th align="left">Public key size (in bytes)</th> <th align="left">Public key size (in bytes)</th>
<th align="left">Private key size (in bytes)</th> <th align="left">Private key size (in bytes)</th>
<th align="left">Signature size (in bytes)</th> <th align="left">Signature size (in bytes)</th>
</tr> </tr>
</thead> </thead>
skipping to change at line 1106 skipping to change at line 1178
</tr> </tr>
<tr> <tr>
<td align="left">5</td> <td align="left">5</td>
<td align="left">ML-DSA-87</td> <td align="left">ML-DSA-87</td>
<td align="left">2592</td> <td align="left">2592</td>
<td align="left">4896</td> <td align="left">4896</td>
<td align="left">4627</td> <td align="left">4627</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t>As is clear from the above table, PQC KEMs and signature schemes typica lly have significantly larger keys and ciphertexts/signatures than their traditi onal counterparts. These increased key and signatures sizes could introduce prob lems in protocols. As an example, IKEv2 uses UDP as the transport for its messag es. One challenge with integrating a PQC KEM into IKEv2 is that IKE fragmentatio n cannot be utilized in the initial IKE_SA_INIT exchange. To address this issue, <xref target="RFC9242"/> introduces a solution by defining a new exchange calle d the "Intermediate Exchange" which can be fragmented using the IKE fragmentatio n mechanism. <xref target="RFC9370"/> then uses this Intermediate Exchange to ca rry out the PQC key exchange after the initial IKEv2 exchange and before the IKE _AUTH exchange. Another example from <xref target="SP-1800-38C"/> section 6.3.3 shows that increased key and signature sizes cause protocol key exchange message s to span more network packets, therefore it results in a higher total loss prob ability per packet. In lossy network conditions, this may increase the latency o f the key exchange.</t> <t>As is clear from the above table, PQC KEMs and signature schemes typica lly have significantly larger keys and ciphertexts/signatures than their traditi onal counterparts. These increased key and signatures sizes could introduce prob lems in protocols. As an example, the Internet Key Exchange Protocol Version 2 ( IKEv2) uses UDP as the transport protocol for its messages. One challenge with i ntegrating a PQC KEM into IKEv2 is that IKE fragmentation cannot be utilized in the initial IKE_SA_INIT exchange. To address this issue, <xref target="RFC9242"/ > introduces a solution by defining a new exchange called the "Intermediate Exch ange", which can be fragmented using the IKE fragmentation mechanism. <xref targ et="RFC9370"/> then uses this Intermediate Exchange to carry out the PQC key exc hange after the initial IKEv2 exchange and before the IKE_AUTH exchange. Another example from Section 6.3.3 of <xref target="SP-1800-38C"/> shows that increased key and signature sizes cause protocol key exchange messages to span more netwo rk packets, which results in a higher total loss probability per packet. In loss y network conditions, this may increase the latency of the key exchange.</t>
</section> </section>
<section anchor="PQT"> <section anchor="PQT">
<name>Post-Quantum and Traditional Hybrid Schemes</name> <name>Post-Quantum and Traditional (PQ/T) Hybrid Schemes</name>
<t>The migration to PQC is unique in the history of modern digital cryptog raphy in that neither the traditional algorithms nor the post-quantum algorithms are fully trusted to protect data for the required lifetimes. The traditional a lgorithms, such as RSA and ECDH, will fall to quantum cryptanalysis, while the p ost-quantum algorithms face uncertainty about the underlying mathematics, compli ance issues, unknown vulnerabilities, and hardware and software implementations that have not had sufficient maturing time to rule out traditional cryptanalytic attacks and implementation bugs.</t> <t>The migration to PQC is unique in the history of modern digital cryptog raphy in that neither the traditional algorithms nor the post-quantum algorithms are fully trusted to protect data for the required lifetimes. The traditional a lgorithms, such as RSA and ECDH, will fall to quantum cryptanalysis, while the p ost-quantum algorithms face uncertainty about the underlying mathematics, compli ance issues, unknown vulnerabilities, and hardware and software implementations that have not had sufficient maturing time to rule out traditional cryptanalytic attacks and implementation bugs.</t>
<t>During the transition from traditional to post-quantum algorithms, ther e may be a desire or a requirement for protocols that use both algorithm types. <xref target="I-D.ietf-pquip-pqt-hybrid-terminology"/> defines the terminology f or the post-quantum and traditional (PQ/T) hybrid schemes.</t> <t>During the transition from traditional to post-quantum algorithms, ther e may be a desire or a requirement for protocols that use both algorithm types. <xref target="RFC9794"/> defines the terminology for PQ/T hybrid schemes.</t>
<section anchor="pqt-hybrid-confidentiality"> <section anchor="pqt-hybrid-confidentiality">
<name>PQ/T Hybrid Confidentiality</name> <name>PQ/T Hybrid Confidentiality</name>
<t>The PQ/T Hybrid Confidentiality property can be used to mitigate both <t>The PQ/T Hybrid Confidentiality property can be used to mitigate both
"harvest now, decrypt now" and HNDL attacks described in <xref target="timeline "harvest now, decrypt now" and HNDL attacks described in <xref target="timeline
"/>. If the PQ portion were to have a flaw, the traditional (T) algorithm, which "/>. If the PQ portion were to have a flaw, the traditional (T) algorithm, which
is secure against today’s attackers, prevents immediate decryption ("harvest no is secure against today's attackers, prevents immediate decryption ("harvest no
w, decrypt now"). If the T algorithm is broken in the future by CRQCs, the PQ po w, decrypt now"). If the T algorithm is broken in the future by CRQCs, the PQ po
rtion, assuming it remains secure, prevents later decryption ("harvest now, decr rtion, assuming it remains secure, prevents later decryption (i.e., HNDL). A hyb
ypt later"). A hybrid construction therefore provides confidentiality as long as rid construction therefore provides confidentiality as long as at least one comp
at least one component remains secure. Two types of hybrid key agreement scheme onent remains secure. Two types of hybrid key agreement schemes are discussed be
s are discussed below.</t> low.</t>
<ul spacing="normal"> <dl>
<li> <dt>Concatenated hybrid key agreement scheme:</dt>
<t>Concatenated hybrid key agreement scheme: The final shared secret <dd>
that will be used as an input of the key derivation function is the result of t <t>The final shared secret that will be used as an input of the key
he concatenation of the secrets established with each key agreement scheme. For derivation function is the result of the concatenation of the secrets establishe
example, in <xref target="I-D.ietf-tls-hybrid-design"/>, the client uses the TLS d with each key agreement scheme. For example, in <xref target="I-D.ietf-tls-hyb
supported groups extension to advertise support for a PQ/T hybrid scheme, and t rid-design"/>, the client uses the TLS supported groups extension to advertise s
he server can select this group if it supports the scheme. The hybrid-aware clie upport for a PQ/T hybrid scheme, and the server can select this group if it supp
nt and server establish a hybrid secret by concatenating the two shared secrets, orts the scheme. The hybrid-aware client and server establish a hybrid secret by
which is used as the shared secret in the existing TLS 1.3 key schedule.</t> concatenating the two shared secrets, which is used as the shared secret in the
</li> existing TLS 1.3 key schedule.</t>
<li> </dd>
<t>Cascaded hybrid key agreement scheme: The final shared secret is <dt>Cascaded hybrid key agreement scheme:</dt>
computed by applying as many iterations of the key derivation function as the nu <dd>
mber of key agreement schemes composing the hybrid key agreement scheme. For exa <t>The final shared secret is computed by applying as many iteration
mple, <xref target="RFC9370"/> extends the Internet Key Exchange Protocol Versio s of the key derivation function as the number of key agreement schemes composin
n 2 (IKEv2) to allow one or more PQC algorithms in addition to the traditional a g the hybrid key agreement scheme. For example, <xref target="RFC9370"/> extends
lgorithm to derive the final IKE SA keys using the cascade method as explained i IKEv2 to allow one or more PQC algorithms in addition to the traditional algori
n Section 2.2.2 of <xref target="RFC9370"/>.</t> thm to derive the final IKE Security Association (SA) keys using the cascade met
</li> hod as explained in <xref section="2.2.2" sectionFormat="of" target="RFC9370"/>.
</ul> </t>
</dd>
</dl>
<t>Various instantiations of these two types of hybrid key agreement sch emes have been explored. One must be careful when selecting which hybrid scheme to use. The chosen scheme for protocols like TLS 1.3 <xref target="I-D.ietf-tls- hybrid-design"/> has IND-CCA2 robustness. That is, IND-CCA2 security is guarante ed for the scheme as long as at least one of the component algorithms is IND-CCA 2 secure.</t> <t>Various instantiations of these two types of hybrid key agreement sch emes have been explored. One must be careful when selecting which hybrid scheme to use. The chosen scheme for protocols like TLS 1.3 <xref target="I-D.ietf-tls- hybrid-design"/> has IND-CCA2 robustness. That is, IND-CCA2 security is guarante ed for the scheme as long as at least one of the component algorithms is IND-CCA 2 secure.</t>
</section> </section>
<section anchor="pqt-hybrid-authentication"> <section anchor="pqt-hybrid-authentication">
<name>PQ/T Hybrid Authentication</name> <name>PQ/T Hybrid Authentication</name>
<t>The PQ/T hybrid authentication property provides resilience against c atastrophic breaks or unforeseen vulnerabilities in PQC algorithms, allowing sys tems additional time to stabilize before migrating fully to pure PQ deployments. </t> <t>The PQ/T hybrid authentication property provides resilience against c atastrophic breaks or unforeseen vulnerabilities in PQC algorithms, allowing sys tems additional time to stabilize before migrating fully to pure PQ deployments. </t>
<t>This property ensures authentication using a PQ/T hybrid scheme, as l ong as at least one component algorithm remains secure. For example, a PQ/T hybr id certificate <xref target="I-D.ietf-lamps-pq-composite-sigs"/> can be employed to facilitate a PQ/T hybrid authentication protocol. However, a PQ/T hybrid aut hentication protocol does not need to use a PQ/T hybrid certificate; separate ce rtificates could be used for individual component algorithms <xref target="I-D.i etf-lamps-cert-binding-for-multi-auth"/>. When separate certificates are used, i t may be possible for attackers to take them apart or put them together in unexp ected ways, including enabling cross-protocol attacks. The exact risks this pres ents are highly dependent on the protocol and use case, so a full security analy sis is needed. Best practices for ensuring that pairs of certificates are only u sed as intended are discussed in more detail in <xref target="COMPOSITE"/> and < xref target="REUSE"/> of this document.</t> <t>This property ensures authentication using a PQ/T hybrid scheme as lo ng as at least one component algorithm remains secure. For example, a PQ/T hybri d certificate <xref target="I-D.ietf-lamps-pq-composite-sigs"/> can be employed to facilitate a PQ/T hybrid authentication protocol. However, a PQ/T hybrid auth entication protocol does not need to use a PQ/T hybrid certificate; separate cer tificates could be used for individual component algorithms <xref target="RFC976 3"/>. When separate certificates are used, it may be possible for attackers to t ake them apart or put them together in unexpected ways, including enabling cross -protocol attacks. The exact risks this presents are highly dependent on the pro tocol and use case, so a full security analysis is needed. Best practices for en suring that pairs of certificates are only used as intended are discussed in mor e detail in Sections <xref target="COMPOSITE" format="counter"/> and <xref targe t="REUSE" format="counter"/> of this document.</t>
<t>The frequency and duration of system upgrades and the time when CRQCs will become widely available need to be weighed to determine whether and when t o support the PQ/T Hybrid Authentication property.</t> <t>The frequency and duration of system upgrades and the time when CRQCs will become widely available need to be weighed to determine whether and when t o support the PQ/T Hybrid Authentication property.</t>
</section> </section>
<section anchor="hybrid-cryptographic-algorithm-combinations-consideration s-and-approaches"> <section anchor="hybrid-cryptographic-algorithm-combinations-consideration s-and-approaches">
<name>Hybrid Cryptographic Algorithm Combinations: Considerations and Ap proaches</name> <name>Hybrid Cryptographic Algorithm Combinations: Considerations and Ap proaches</name>
<section anchor="hybrid-cryptographic-combinations"> <section anchor="hybrid-cryptographic-combinations">
<name>Hybrid Cryptographic Combinations</name> <name>Hybrid Cryptographic Combinations</name>
<t>It is also possible to use more than two algorithms together in a h ybrid scheme, with various methods for combining them. For post-quantum transiti on purposes, the combination of a post-quantum algorithm with a traditional algo rithm is the most straightforward and recommended. The use of multiple post-quan tum algorithms with different mathematical bases has also been considered. Combi ning algorithms in a way that requires both to be used together ensures stronger security, while combinations that do not require both will sacrifice security b ut offer other benefits like backwards compatibility and crypto agility. Includi ng a traditional key alongside a post-quantum key often has minimal bandwidth im pact.</t> <t>It is also possible to use more than two algorithms together in a h ybrid scheme, with various methods for combining them. For post-quantum transiti on purposes, the combination of a post-quantum algorithm with a traditional algo rithm is the most straightforward and recommended. The use of multiple post-quan tum algorithms with different mathematical bases has also been considered. Combi ning algorithms in a way that requires both to be used together ensures stronger security, while combinations that do not require both will sacrifice security b ut offer other benefits like backwards compatibility and crypto agility. Includi ng a traditional key alongside a post-quantum key often has minimal bandwidth im pact.</t>
</section> </section>
<section anchor="COMPOSITE"> <section anchor="COMPOSITE">
<name>Composite Keys in Hybrid Schemes</name> <name>Composite Keys in Hybrid Schemes</name>
<t>When combining keys in an "and" mode, it may make more sense to con <t>When combining keys in an "and" mode, it may make more sense to con
sider them to be a single composite key, instead of two keys. This generally req sider them to be a single composite key instead of two keys. This generally requ
uires fewer changes to various components of PKI ecosystems, many of which are n ires fewer changes to various components of PKI ecosystems, many of which are no
ot prepared to deal with two keys or dual signatures. To those protocol- or appl t prepared to deal with two keys or dual signatures. To those protocol- or appli
ication-layer parsers, a "composite" algorithm composed of two "component" algor cation-layer parsers, a "composite" algorithm composed of two "component" algori
ithms is simply a new algorithm, and support for adding new algorithms generally thms is simply a new algorithm, and support for adding new algorithms generally
already exists. Treating multiple "component" keys as a single "composite" key already exists. Treating multiple "component" keys as a single "composite" key a
also has security advantages such as preventing cross-protocol reuse of the indi lso has security advantages, such as preventing cross-protocol reuse of the indi
vidual component keys and guarantees about revoking or retiring all component ke vidual component keys and guarantees about revoking or retiring all component ke
ys together at the same time, especially if the composite is treated as a single ys together at the same time, especially if the composite is treated as a single
object all the way down into the cryptographic module.</t> object all the way down into the cryptographic module.</t>
<t>All that needs to be done is to standardize the formats of how the <t>All that needs to be done is to standardize the formats of how the
two keys from the two algorithms are combined into a single data structure, and two keys from the two algorithms are combined into a single data structure and h
how the two resulting signatures or KEMs are combined into a single signature or ow the two resulting signatures or KEMs are combined into a single signature or
KEM. The answer can be as simple as concatenation, if the lengths are fixed or KEM. The answer can be as simple as concatenation if the lengths are fixed or ea
easily determined. At the time this document is published, security research is sily determined. At the time this document is published, security research is on
ongoing as to the security properties of concatenation-based composite signature going as to the security properties of concatenation-based composite signatures
s and KEMs vs. more sophisticated signature and KEM combiners, and in which prot and KEMs versus more sophisticated signature and KEM combiners and protocol cont
ocol contexts those simpler combiners are sufficient.</t> exts in which those simpler combiners are sufficient.</t>
<t>One last consideration is the specific pairs of algorithms that can <t>One last consideration is the specific pairs of algorithms that can
be combined. A recent trend in protocols is to only allow a small number of "kn be combined. A recent trend in protocols is to only allow a small number of "kn
own good" configurations that make sense, often referred to in cryptography as a own good" configurations that make sense, often referred to in cryptography as a
"ciphersuite", instead of allowing arbitrary combinations of individual configu "ciphersuite", instead of allowing arbitrary combinations of individual configu
ration choices that may interact in dangerous ways. The current consensus is tha ration choices that may interact in dangerous ways. The current consensus is tha
t the same approach should be followed for combining cryptographic algorithms, a t the same approach should be followed for combining cryptographic algorithms an
nd that "known good" pairs should be explicitly listed ("explicit composite"), i d that "known good" pairs should be explicitly listed ("explicit composite") ins
nstead of just allowing arbitrary combinations of any two cryptographic algorith tead of just allowing arbitrary combinations of any two cryptographic algorithms
ms ("generic composite").</t> ("generic composite").</t>
<t>The same considerations apply when using multiple certificates to t <t>The same considerations apply when using multiple certificates to t
ransport a pair of related keys for the same subject. Exactly how two certificat ransport a pair of related keys for the same subject. Exactly how two certificat
es should be managed in order to avoid some of the pitfalls mentioned above is s es should be managed in order to avoid some of the pitfalls mentioned above is s
till an active area of investigation. Using two certificates keeps the certifica till an active area of investigation. Using two certificates keeps the certifica
te tooling simple and straightforward, but in the end simply moves the problems te tooling simple and straightforward, but in the end, this simply moves problem
with requiring that both certs are intended to be used as a pair, must produce t s (i.e., problems with the requirement that both certificates be used as a pair,
wo signatures which must be carried separately, and both must validate, to the c that two signatures that must be carried separately, and that both validate) to
ertificate management layer, where addressing these concerns in a robust way can the certificate management layer, where addressing these concerns in a robust w
be difficult.</t> ay can be difficult.</t>
<t>At least one scheme has been proposed that allows the pair of certi <t>At least one scheme has been proposed that allows the pair of certi
ficates to exist as a single certificate when being issued and managed, but dyna ficates to exist as a single certificate when being issued and managed but dynam
mically split into individual certificates when needed (<xref target="I-D.draft- ically split into individual certificates when needed (see <xref target="I-D.bon
bonnell-lamps-chameleon-certs"/>).</t> nell-lamps-chameleon-certs"/>).</t>
</section> </section>
<section anchor="REUSE"> <section anchor="REUSE">
<name>Key Reuse in Hybrid Schemes</name> <name>Key Reuse in Hybrid Schemes</name>
<t>An important security note, particularly when using hybrid signatur <t>An important security note, particularly when using hybrid signatur
e keys, but also to a lesser extent hybrid KEM keys, is key reuse. In traditiona e keys, but also to a lesser extent hybrid KEM keys, is key reuse. In traditiona
l cryptography, problems can occur with so-called "cross-protocol attacks" when l cryptography, problems can occur with so-called "cross-protocol attacks" when
the same key can be used for multiple protocols; for example signing TLS handsha the same key can be used for multiple protocols; for example, signing TLS handsh
kes and signing S/MIME emails. While it is not best-practice to reuse keys withi akes and signing S/MIME emails. While it is not best practice to reuse keys with
n the same protocol, for example using the same key for multiple S/MIME certific in the same protocol, e.g., using the same key for multiple S/MIME certificates
ates for the same user, it is not generally catastrophic for security. However, for the same user, it is not generally catastrophic for security. However, key r
key reuse becomes a large security problem within hybrids.</t> euse becomes a large security problem within hybrid schemes.</t>
<t>Consider an {RSA, ML-DSA} hybrid key where the RSA key also appears <t>Consider an {RSA, ML-DSA} hybrid key where the RSA key also appears
within a single-algorithm certificate. In this case, an attacker could perform within a single-algorithm certificate. In this case, an attacker could perform
a "stripping attack" where they take some piece of data signed with the {RSA, ML a "stripping attack" where they take some piece of data signed with the {RSA, ML
-DSA} key, remove the ML-DSA signature and present the data as if it was intende -DSA} key, remove the ML-DSA signature, and present the data as if it was intend
d for the RSA only certificate. This leads to a set of security definitions call ed for the RSA only certificate. This leads to a set of security definitions cal
ed "non-separability properties", which refers to how well the signature scheme led "non-separability properties", which refers to how well the signature scheme
resists various complexities of downgrade / stripping attacks <xref target="I-D. resists various complexities of downgrade/stripping attacks <xref target="I-D.i
draft-ietf-pquip-hybrid-signature-spectrums"/>. Therefore, it is recommended tha etf-pquip-hybrid-signature-spectrums"/>. Therefore, it is recommended that imple
t implementers either reuse the entire hybrid key as a whole, or perform fresh k menters either reuse the entire hybrid key as a whole or perform fresh key gener
ey generation of all component keys per usage, and must not take an existing key ation of all component keys per usage, and must not take an existing key and reu
and reuse it as a component of a hybrid.</t> se it as a component of a hybrid key.</t>
</section> </section>
<section anchor="future-directions-and-ongoing-research"> <section anchor="future-directions-and-ongoing-research">
<name>Future Directions and Ongoing Research</name> <name>Future Directions and Ongoing Research</name>
<t>Many aspects of hybrid cryptography are still under investigation. LAMPS WG at IETF is actively exploring the security properties of these combinat ions, and future standards will reflect the evolving consensus on these issues.< /t> <t>Many aspects of hybrid cryptography are still under investigation. The LAMPS Working Group at IETF is actively exploring the security properties of these combinations, and future standards will reflect the evolving consensus on these issues.</t>
</section> </section>
</section> </section>
</section> </section>
<section anchor="impact-on-constrained-devices-and-networks"> <section anchor="impact-on-constrained-devices-and-networks">
<name>Impact on Constrained Devices and Networks</name> <name>Impact on Constrained Devices and Networks</name>
<t>PQC algorithms generally have larger keys, ciphertext, and signature si zes than traditional public key algorithms. This has particular impact on constr ained devices that operate with limited data rates. In the IoT space, these cons traints have historically driven significant optimization efforts in the IETF (e .g., LAKE, CoRE) to adapt security protocols to resource-constrained environment s.</t> <t>PQC algorithms generally have larger keys, ciphertext, and signature si zes than traditional public key algorithms. This has particular impact on constr ained devices that operate with limited data rates. In the IoT space, these cons traints have historically driven significant optimization efforts in the IETF (e .g., in the LAKE and CoRE Working Groups) to adapt security protocols to resourc e-constrained environments.</t>
<t>As the transition to PQC progresses, these environments will face simil ar challenges. Larger message sizes can increase handshake latency, raise energy consumption, and require fragmentation logic. Work is ongoing in the IETF to st udy how PQC can be deployed in constrained devices (see <xref target="I-D.ietf-p quip-pqc-hsm-constrained"/>).</t> <t>As the transition to PQC progresses, these environments will face simil ar challenges. Larger message sizes can increase handshake latency, raise energy consumption, and require fragmentation logic. Work is ongoing in the IETF to st udy how PQC can be deployed in constrained devices (see <xref target="I-D.ietf-p quip-pqc-hsm-constrained"/>).</t>
</section> </section>
<section anchor="security-considerations"> <section anchor="security-considerations">
<name>Security Considerations</name> <name>Security Considerations</name>
<section anchor="cryptanalysis"> <section anchor="cryptanalysis">
<name>Cryptanalysis</name> <name>Cryptanalysis</name>
<t>Traditional cryptanalysis exploits weaknesses in algorithm design, ma <t>Traditional cryptanalysis exploits weaknesses in algorithm design, ma
thematical vulnerabilities, or implementation flaws, that are exploitable with c thematical vulnerabilities, or implementation flaws that are exploitable with cl
lassical (i.e. non-quantum) hardware, whereas quantum cryptanalysis harnesses th assical (i.e., non-quantum) hardware, whereas quantum cryptanalysis harnesses th
e power of CRQCs to solve specific mathematical problems more efficiently. Anoth e power of CRQCs to solve specific mathematical problems more efficiently. Quant
er form of quantum cryptanalysis is "quantum side-channel" attacks. In such atta um side-channel attacks are another form of quantum cryptanalysis. In such attac
cks, a device under threat is directly connected to a quantum computer, which th ks, a device under threat is directly connected to a quantum computer, which the
en injects entangled or superimposed data streams to exploit hardware that lacks n injects entangled or superimposed data streams to exploit hardware that lacks
protection against quantum side-channels. Both pose threats to the security of protection against quantum side channels. Both pose threats to the security of c
cryptographic algorithms, including those used in PQC. Developing and adopting n ryptographic algorithms, including those used in PQC. It is crucial to develop a
ew cryptographic algorithms resilient against these threats is crucial for ensur nd adopt new cryptographic algorithms resilient against these threats to ensure
ing long-term security in the face of advancing cryptanalysis techniques.</t> long-term security in the face of advancing cryptanalysis techniques.</t>
<t>Recent attacks on the side-channel implementations using deep learnin <t>Recent attacks on the side-channel implementations using deep learnin
g based power analysis have also shown that one needs to be cautious while imple g-based power analysis have also shown that one needs to be cautious while imple
menting the required PQC algorithms in hardware. Two of the most recent works in menting the required PQC algorithms in hardware. Two of the most recent works in
clude one attack on ML-KEM <xref target="KyberSide"/> and one attack on Saber <x clude one attack on ML-KEM <xref target="KyberSide"/> and one attack on Saber <x
ref target="SaberSide"/>. An evolving threat landscape points to the fact that l ref target="SaberSide"/>. An evolving threat landscape points to the fact that l
attice based cryptography is indeed more vulnerable to side-channel attacks as i attice-based cryptography is indeed more vulnerable to side-channel attacks as i
n <xref target="SideCh"/>, <xref target="LatticeSide"/>. Consequently, there wer n <xref target="SideCh"/> and <xref target="LatticeSide"/>. Consequently, some m
e some mitigation techniques for side channel attacks that have been proposed as itigation techniques for side-channel attacks have been proposed; see <xref targ
in <xref target="Mitigate1"/>, <xref target="Mitigate2"/>, and <xref target="Mi et="Mitigate1"/>, <xref target="Mitigate2"/>, and <xref target="Mitigate3"/>.</t
tigate3"/>.</t> >
</section> </section>
<section anchor="cryptographic-agility"> <section anchor="cryptographic-agility">
<name>Cryptographic Agility</name> <name>Cryptographic Agility</name>
<t>Cryptographic agility is recommended for both traditional and quantum cryptanalysis as it enables organizations to adapt to emerging threats, adopt s tronger algorithms, comply with standards, and plan for long-term security in th e face of evolving cryptanalytic techniques and the advent of CRQCs.</t> <t>Cryptographic agility is recommended for both traditional and quantum cryptanalysis as it enables organizations to adapt to emerging threats, adopt s tronger algorithms, comply with standards, and plan for long-term security in th e face of evolving cryptanalytic techniques and the advent of CRQCs.</t>
<t>Several PQC schemes are available that need to be tested; cryptograph <t>Several PQC schemes are available that need to be tested; cryptograph
y experts around the world are pushing for the best possible solutions, and the y experts around the world are pushing for the best possible solutions, and the
first standards that will ease the introduction of PQC are being prepared. It is first standards that will ease the introduction of PQC are being prepared. This
of paramount importance and a call for imminent action for organizations, bodie is of paramount importance and is a call for imminent action for organizations,
s, and enterprises to start evaluating their cryptographic agility, assess the c bodies, and enterprises to start evaluating their cryptographic agility, assess
omplexity of implementing PQC into their products, processes, and systems, and d the complexity of implementing PQC into their products, processes, and systems,
evelop a migration plan that achieves their security goals to the best possible and develop a migration plan that achieves their security goals to the best poss
extent.</t> ible extent.</t>
<t>An important and often overlooked step in achieving cryptographic agi <t>An important and often overlooked step in achieving cryptographic agi
lity is maintaining a cryptographic inventory. Modern software stacks incorporat lity is maintaining a cryptographic inventory. Modern software stacks incorporat
e cryptography in numerous places, making it challenging to identify all instanc e cryptography in numerous places, making it challenging to identify all instanc
es. Therefore, cryptographic agility and inventory management take two major for es. Therefore, cryptographic agility and inventory management take two major for
ms: First, application developers responsible for software maintenance should ac ms. First, application developers responsible for software maintenance should ac
tively search for instances of hard-coded cryptographic algorithms within applic tively search for instances of hard-coded cryptographic algorithms within applic
ations. When possible, they should design the choice of algorithm to be dynamic, ations. When possible, they should design the choice of algorithm to be dynamic,
based on application configuration. Second, administrators, policy officers, an based on application configuration. Second, administrators, policy officers, an
d compliance teams should take note of any instances where an application expose d compliance teams should take note of any instances where an application expose
s cryptographic configurations. These instances should be managed either through s cryptographic configurations. These instances should be managed through either
organization-wide written cryptographic policies or automated cryptographic pol organization-wide written cryptographic policies or automated cryptographic pol
icy systems.</t> icy systems.</t>
<t>Numerous commercial solutions are available for both detecting hard-c <t>Numerous commercial solutions are available for detecting hard-coded
oded cryptographic algorithms in source code and compiled binaries, as well as p cryptographic algorithms in source code and compiled binaries, as well as provid
roviding cryptographic policy management control planes for enterprise and produ ing cryptographic policy management control planes for enterprise and production
ction environments.</t> environments.</t>
</section> </section>
<section anchor="jurisdictional-fragmentation"> <section anchor="jurisdictional-fragmentation">
<name>Jurisdictional Fragmentation</name> <name>Jurisdictional Fragmentation</name>
<t>Another potential application of hybrids bears mentioning, even thoug h it is not directly PQC-related. That is using hybrids to navigate inter-jurisd ictional cryptographic connections. Traditional cryptography is already fragment ed by jurisdiction: consider that while most jurisdictions support Elliptic Curv e Diffie-Hellman, those in the United States will prefer the NIST curves while t hose in Germany will prefer the Brainpool curves. China, Russia, and other juris dictions have their own national cryptography standards. This situation of fragm ented global cryptography standards is unlikely to improve with PQC. If "and" mo de hybrids become standardized for the reasons mentioned above, then one could i magine leveraging them to create "ciphersuites" in which a single cryptographic operation simultaneously satisfies the cryptographic requirements of both endpoi nts.</t> <t>Another potential application of hybrid schemes bears mentioning, eve n though it is not directly related to PQC: using hybrids to navigate inter-juri sdictional cryptographic connections. Traditional cryptography is already fragme nted by jurisdiction. Consider that while most jurisdictions support ECDH, those in the United States will prefer the NIST curves while those in Germany will pr efer the Brainpool curves. China, Russia, and other jurisdictions have their own national cryptography standards. This situation of fragmented global cryptograp hy standards is unlikely to improve with PQC. If "and" mode hybrid schemes becom e standardized for the reasons mentioned above, then one could imagine leveragin g them to create ciphersuites in which a single cryptographic operation simultan eously satisfies the cryptographic requirements of both endpoints.</t>
</section> </section>
<section anchor="hybrid-key-exchange-and-signatures-bridging-the-gap-betwe <section anchor="hybrid-key-exchange-and-signatures-bridging-the-gap-betwe
en-post-quantum-and-traditional-cryptography"> en-pqt-cryptography">
<name>Hybrid Key Exchange and Signatures: Bridging the Gap Between Post- <name>Hybrid Key Exchange and Signatures: Bridging the Gap Between PQ/T
Quantum and Traditional Cryptography</name> Cryptography</name>
<t>Post-quantum algorithms selected for standardization are relatively n <t>Post-quantum algorithms selected for standardization are relatively n
ew and they have not been subject to the same depth of study as traditional algo ew and have not been subject to the same depth of study as traditional algorithm
rithms. PQC implementations will also be new and therefore more likely to contai s. PQC implementations will also be new and therefore more likely to contain imp
n implementation bugs than the battle-tested crypto implementations that are rel lementation bugs than the battle-tested crypto implementations that are relied o
ied on today. In addition, certain deployments may need to retain traditional al n today. In addition, certain deployments may need to retain traditional algorit
gorithms due to regulatory constraints, for example FIPS <xref target="SP-800-56 hms due to regulatory constraints, e.g., FIPS <xref target="SP-800-56C"/> or Pay
C"/> or PCI compliance <xref target="PCI"/>. Hybrid key exchange is recommended ment Card Industry (PCI) compliance <xref target="PCI"/>. Hybrid key exchange is
to enhance security against the "harvest now, decrypt later" attack. Additionall recommended to enhance security against the HNDL attack. Additionally, hybrid s
y, hybrid signatures provide for time to react in the case of the announcement o ignatures provide for time to react in the case of the announcement of a devasta
f a devastating attack against any one algorithm, while not fully abandoning tra ting attack against any one algorithm, while not fully abandoning traditional cr
ditional cryptosystems.</t> yptosystems.</t>
<t>Hybrid key exchange performs both a classical and a post-quantum key <t>Hybrid key exchange performs both a classical and a post-quantum key
exchange in parallel. It provides security redundancy against potential weakness exchange in parallel. It provides security redundancy against potential weakness
es in PQC algorithms, allows for a gradual transition of trust in PQC algorithms es in PQC algorithms, allows for a gradual transition of trust in PQC algorithms
, and, in backward-compatible designs, enables gradual adoption without breaking , and, in backward-compatible designs, enables gradual adoption without breaking
compatibility with existing systems. For instance, in TLS 1.3, a hybrid key exc compatibility with existing systems. For instance, in TLS 1.3, a hybrid key exc
hange can combine a widely supported classical algorithm, such as X25519, with a hange can combine a widely supported classical algorithm, such as X25519, with a
post-quantum algorithm like ML-KEM. This allows legacy clients to continue usin post-quantum algorithm like ML-KEM. This allows legacy clients to continue usin
g the classical algorithm while enabling upgraded clients to proceed with hybrid g the classical algorithm while enabling upgraded clients to proceed with hybrid
key exchange. In contrast, overhead-spreading hybrid designs focus on reducing key exchange. In contrast, overhead-spreading hybrid designs focus on reducing
the PQ overhead. For example, approaches like those described in <xref target="I the PQ overhead. For example, approaches like those described in <xref target="I
-D.hale-mls-combiner"/> amortize PQ costs by selectively applying PQ updates in -D.ietf-mls-combiner"/> amortize PQ costs by selectively applying PQ updates in
key exchange processes, allowing systems to balance security and efficiency. Thi key exchange processes, allowing systems to balance security and efficiency. Thi
s strategy ensures a post-quantum secure channel while keeping the overhead mana s strategy ensures a post-quantum secure channel while keeping the overhead mana
geable, making it particularly suitable for constrained environments.</t> geable, making it particularly suitable for constrained environments.</t>
<t>While some hybrid key exchange options introduce additional computati onal and bandwidth overhead, the impact of traditional key exchange algorithms ( e.g., key size) is typically small, helping to keep the overall increase in reso urce usage manageable for most systems. In highly constrained environments, howe ver, those hybrid key exchange protocols may be impractical due to their higher resource requirements compared to pure post-quantum or traditional key exchange approaches. However, some hybrid key exchange designs distribute the PQC overhea d, making them more suitable for constrained environments. The choice of hybrid key exchange design depends on the specific system requirements and use case, so the appropriate approach may vary.</t> <t>While some hybrid key exchange options introduce additional computati onal and bandwidth overhead, the impact of traditional key exchange algorithms ( e.g., key size) is typically small, helping to keep the overall increase in reso urce usage manageable for most systems. In highly constrained environments, howe ver, those hybrid key exchange protocols may be impractical due to their higher resource requirements compared to pure post-quantum or traditional key exchange approaches. However, some hybrid key exchange designs distribute the PQC overhea d, making them more suitable for constrained environments. The choice of hybrid key exchange design depends on the specific system requirements and use case, so the appropriate approach may vary.</t>
</section> </section>
<section anchor="caution-ciphertext-commitment-in-kem-vs-dh"> <section anchor="caution-ciphertext-commitment-in-kem-vs-dh">
<name>Caution: Ciphertext commitment in KEM vs. DH</name> <name>Caution: Ciphertext Commitment in KEM vs. DH</name>
<t>The ciphertext generated by a KEM is not necessarily directly linked to the shared secret it produces. KEMs allow for multiple ciphertexts to encapsu late the same shared secret, which enables flexibility in key management without enforcing a strict one-to-one correspondence between ciphertexts and shared sec rets. This allows for secret reuse across different recipients, sessions, or ope rational contexts without the need for new secrets for each use, simplifying key distribution and reducing computational overhead. In contrast, cryptographic sc hemes like Diffie-Hellman inherently link the public key to the derived shared s ecret, meaning any change in the public key results in a different shared secret .</t> <t>The ciphertext generated by a KEM is not necessarily directly linked to the shared secret it produces. KEMs allow for multiple ciphertexts to encapsu late the same shared secret, which enables flexibility in key management without enforcing a strict one-to-one correspondence between ciphertexts and shared sec rets. This allows for secret reuse across different recipients, sessions, or ope rational contexts without the need for new secrets for each use, simplifying key distribution and reducing computational overhead. In contrast, cryptographic sc hemes like Diffie-Hellman inherently link the public key to the derived shared s ecret, meaning any change in the public key results in a different shared secret .</t>
</section> </section>
</section> </section>
<section anchor="iana-considerations"> <section anchor="iana-considerations">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>This document has no IANA considerations.</t> <t>This document has no IANA actions.</t>
</section> </section>
<section anchor="further-reading-resources"> <section anchor="further-reading-and-resources">
<name>Further Reading &amp; Resources</name> <name>Further Reading and Resources</name>
<t>A good book on modern cryptography is Serious Cryptography, 2nd Edition <t>A good book on modern cryptography is "Serious Cryptography, 2nd Editio
, by Jean-Philippe Aumasson, ISBN 9781718503847.</t> n" by Jean-Philippe Aumasson <xref target="Serious-Crypt"/>.</t>
<t>The Open Quantum Safe (OQS) Project <xref target="OQS"/> is an open-sou rce project that aims to support the transition to quantum-resistant cryptograph y.</t> <t>The Open Quantum Safe (OQS) Project <xref target="OQS"/> is an open-sou rce project that aims to support the transition to quantum-resistant cryptograph y.</t>
<t>The IETF's PQUIP Working Group <xref target="PQUIP-WG"/> maintains a li st of PQC-related protocol work within the IETF.</t> <t>The IETF's PQUIP Working Group <xref target="PQUIP-WG"/> maintains a li st of PQC-related protocol work within the IETF.</t>
</section> </section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.bonnell-lamps-chameleon-certs" to="ENC-PAIR-CE
RTS"/>
<displayreference target="I-D.connolly-cfrg-xwing-kem" to="X-WING"/>
<displayreference target="I-D.ietf-mls-combiner" to="PQ-MLS"/>
<displayreference target="I-D.ietf-hpke-pq" to="PQ-HPKE"/>
<displayreference target="I-D.ietf-lamps-pq-composite-sigs" to="ML-DSA-X.509
"/>
<displayreference target="I-D.ietf-pquip-hybrid-signature-spectrums" to="HYB
RID-SIG-SPECT"/>
<displayreference target="I-D.ietf-pquip-pqc-hsm-constrained" to="CONSTRAIN-
DEV-PCQ"/>
<displayreference target="I-D.ietf-tls-hybrid-design" to="TLS-HYB-KEY-EXCH"/
>
<displayreference target="I-D.irtf-cfrg-bbs-signatures" to="BBS-SIG-SCHEME"/
>
<displayreference target="I-D.irtf-cfrg-hybrid-kems" to="PQ-KEM"/>
<displayreference target="I-D.ounsworth-cfrg-kem-combiners" to="KEM-COMBINER
"/>
<references anchor="sec-combined-references"> <references anchor="sec-combined-references">
<name>References</name> <name>References</name>
<references anchor="sec-normative-references"> <references anchor="sec-normative-references">
<name>Normative References</name> <name>Normative References</name>
<reference anchor="ML-KEM" target="https://nvlpubs.nist.gov/nistpubs/FIP S/NIST.FIPS.203.pdf"> <reference anchor="ML-KEM" target="https://nvlpubs.nist.gov/nistpubs/FIP S/NIST.FIPS.203.pdf">
<front> <front>
<title>FIPS-203: Module-Lattice-based Key-Encapsulation Mechanism St andard</title> <title>Module-Lattice-Based Key-Encapsulation Mechanism Standard</ti tle>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date year="2024" month="August"/>
</front> </front>
<seriesInfo name="NIST FIPS" value="203"/>
<seriesInfo name="DOI" value="10.6028/nist.fips.203"/>
</reference> </reference>
<reference anchor="ML-DSA" target="https://nvlpubs.nist.gov/nistpubs/FIP S/NIST.FIPS.204.pdf"> <reference anchor="ML-DSA" target="https://nvlpubs.nist.gov/nistpubs/FIP S/NIST.FIPS.204.pdf">
<front> <front>
<title>FIPS-204: Module-Lattice-Based Digital Signature Standard</ti tle> <title>Module-Lattice-Based Digital Signature Standard</title>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date year="2024" month="August"/>
</front> </front>
<seriesInfo name="NIST FIPS" value="204"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.204"/>
</reference> </reference>
<reference anchor="SLH-DSA" target="https://nvlpubs.nist.gov/nistpubs/FI PS/NIST.FIPS.205.pdf"> <reference anchor="SLH-DSA" target="https://nvlpubs.nist.gov/nistpubs/FI PS/NIST.FIPS.205.pdf">
<front> <front>
<title>FIPS-205: Stateless Hash-Based Digital Signature Standard</ti tle> <title>Stateless Hash-Based Digital Signature Standard</title>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date year="2024" month="August"/>
</front> </front>
<seriesInfo name="NIST FIPS" value="205"/>
<seriesInfo name="DOI" value="10.6028/NIST.FIPS.205"/>
</reference> </reference>
<reference anchor="Shors" target="https://arxiv.org/pdf/quant-ph/9508027 "> <reference anchor="Shors" target="https://arxiv.org/pdf/quant-ph/9508027 ">
<front> <front>
<title>Polynomial-time algorithms for prime factorization and discre <title>Polynomial-Time Algorithms for Prime Factorization and Discre
te logarithms on a quantum computer</title> te Logarithms on a Quantum Computer</title>
<author> <author initials="P." surname="Shor" fullname="Peter W. Shor">
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date year="1996" month="January" day="25"/>
</front> </front>
<refcontent>arXiv:quant-ph/9508027v2</refcontent>
</reference> </reference>
<reference anchor="Grovers" target="https://dl.acm.org/doi/10.1145/23781 4.237866"> <reference anchor="Grovers" target="https://dl.acm.org/doi/10.1145/23781 4.237866">
<front> <front>
<title>A fast quantum mechanical algorithm for database search</titl e> <title>A fast quantum mechanical algorithm for database search</titl e>
<author> <author fullname="Lok K. Grover">
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date year="1996" month="July" day="01"/>
</front> </front>
<seriesInfo name="DOI" value="10.1145/237814.237866"/>
<refcontent>STOC '96: Proceedings of the twenty-eighth annual ACM symp
osium on Theory of Computing, pp. 212-219</refcontent>
</reference> </reference>
<reference anchor="RSA" target="https://dl.acm.org/doi/pdf/10.1145/35934 0.359342"> <reference anchor="RSA" target="https://dl.acm.org/doi/pdf/10.1145/35934 0.359342">
<front> <front>
<title>A Method for Obtaining Digital Signatures and Public-Key Cryp <title>A Method for Obtaining Digital Signatures and Public-Key Cryp
tosystems+</title> tosystems</title>
<author> <author fullname="Ronald L. Rivest">
<organization/> <organization/>
</author> </author>
<date/> <author initials="A." surname="Shamir">
</front> <organization/>
</reference> </author>
<reference anchor="RFC6090"> <author initials="L." surname="Adleman">
<front> <organization/>
<title>Fundamental Elliptic Curve Cryptography Algorithms</title> </author>
<author fullname="D. McGrew" initials="D." surname="McGrew"/> <date year="1978" month="February"/>
<author fullname="K. Igoe" initials="K." surname="Igoe"/>
<author fullname="M. Salter" initials="M." surname="Salter"/>
<date month="February" year="2011"/>
<abstract>
<t>This note describes the fundamental algorithms of Elliptic Curv
e Cryptography (ECC) as they were defined in some seminal references from 1994 a
nd earlier. These descriptions may be useful for implementing the fundamental al
gorithms without using any of the specialized methods that were developed in fol
lowing years. Only elliptic curves defined over fields of characteristic greater
than three are in scope; these curves are those used in Suite B. This document
is not an Internet Standards Track specification; it is published for informatio
nal purposes.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6090"/>
<seriesInfo name="DOI" value="10.17487/RFC6090"/>
</reference>
<reference anchor="RFC8391">
<front>
<title>XMSS: eXtended Merkle Signature Scheme</title>
<author fullname="A. Huelsing" initials="A." surname="Huelsing"/>
<author fullname="D. Butin" initials="D." surname="Butin"/>
<author fullname="S. Gazdag" initials="S." surname="Gazdag"/>
<author fullname="J. Rijneveld" initials="J." surname="Rijneveld"/>
<author fullname="A. Mohaisen" initials="A." surname="Mohaisen"/>
<date month="May" year="2018"/>
<abstract>
<t>This note describes the eXtended Merkle Signature Scheme (XMSS)
, a hash-based digital signature system that is based on existing descriptions i
n scientific literature. This note specifies Winternitz One-Time Signature Plus
(WOTS+), a one-time signature scheme; XMSS, a single-tree scheme; and XMSS^MT, a
multi-tree variant of XMSS. Both XMSS and XMSS^MT use WOTS+ as a main building
block. XMSS provides cryptographic digital signatures without relying on the con
jectured hardness of mathematical problems. Instead, it is proven that it only r
elies on the properties of cryptographic hash functions. XMSS provides strong se
curity guarantees and is even secure when the collision resistance of the underl
ying hash function is broken. It is suitable for compact implementations, is rel
atively simple to implement, and naturally resists side-channel attacks. Unlike
most other signature systems, hash-based signatures can so far withstand known a
ttacks using quantum computers.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8391"/>
<seriesInfo name="DOI" value="10.17487/RFC8391"/>
</reference>
<reference anchor="RFC8554">
<front>
<title>Leighton-Micali Hash-Based Signatures</title>
<author fullname="D. McGrew" initials="D." surname="McGrew"/>
<author fullname="M. Curcio" initials="M." surname="Curcio"/>
<author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
<date month="April" year="2019"/>
<abstract>
<t>This note describes a digital-signature system based on cryptog
raphic hash functions, following the seminal work in this area of Lamport, Diffi
e, Winternitz, and Merkle, as adapted by Leighton and Micali in 1995. It specifi
es a one-time signature scheme and a general signature scheme. These systems pro
vide asymmetric authentication without using large integer mathematics and can a
chieve a high security level. They are suitable for compact implementations, are
relatively simple to implement, and are naturally resistant to side-channel att
acks. Unlike many other signature systems, hash-based signatures would still be
secure even if it proves feasible for an attacker to build a quantum computer.</
t>
<t>This document is a product of the Crypto Forum Research Group (
CFRG) in the IRTF. This has been reviewed by many researchers, both in the resea
rch group and outside of it. The Acknowledgements section lists many of them.</t
>
</abstract>
</front>
<seriesInfo name="RFC" value="8554"/>
<seriesInfo name="DOI" value="10.17487/RFC8554"/>
</reference>
<reference anchor="RFC8446">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
e>
<author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies version 1.3 of the Transport Layer Secu
rity (TLS) protocol. TLS allows client/server applications to communicate over t
he Internet in a way that is designed to prevent eavesdropping, tampering, and m
essage forgery.</t>
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 im
plementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="RFC4034">
<front>
<title>Resource Records for the DNS Security Extensions</title>
<author fullname="R. Arends" initials="R." surname="Arends"/>
<author fullname="R. Austein" initials="R." surname="Austein"/>
<author fullname="M. Larson" initials="M." surname="Larson"/>
<author fullname="D. Massey" initials="D." surname="Massey"/>
<author fullname="S. Rose" initials="S." surname="Rose"/>
<date month="March" year="2005"/>
<abstract>
<t>This document is part of a family of documents that describe th
e DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection
of resource records and protocol modifications that provide source authenticati
on for the DNS. This document defines the public key (DNSKEY), delegation signer
(DS), resource record digital signature (RRSIG), and authenticated denial of ex
istence (NSEC) resource records. The purpose and format of each resource record
is described in detail, and an example of each resource record is given.</t>
<t>This document obsoletes RFC 2535 and incorporates changes from
all updates to RFC 2535. [STANDARDS-TRACK]</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="4034"/> <seriesInfo name="DOI" value="10.1145/359340.359342"/>
<seriesInfo name="DOI" value="10.17487/RFC4034"/> <refcontent>Communications of the ACM, vol. 21, no. 2, pp. 120-126</re
fcontent>
</reference> </reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.6
090.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
391.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
554.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
446.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4
034.xml"/>
<reference anchor="NTRU" target="https://ntru.org/index.shtml"> <reference anchor="NTRU" target="https://ntru.org/index.shtml">
<front> <front>
<title>NTRU</title> <title>NTRU</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date/>
</front> </front>
</reference> </reference>
<reference anchor="FrodoKEM" target="https://frodokem.org/"> <reference anchor="FrodoKEM" target="https://frodokem.org/">
<front> <front>
<title>FrodoKEM</title> <title>FrodoKEM</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date/>
</front> </front>
</reference> </reference>
<reference anchor="ClassicMcEliece" target="https://classic.mceliece.org /"> <reference anchor="ClassicMcEliece" target="https://classic.mceliece.org /">
<front> <front>
<title>Classic McEliece</title> <title>Classic McEliece</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <date/>
</front> </front>
</reference> </reference>
<reference anchor="FN-DSA" target="https://falcon-sign.info/"> <reference anchor="FN-DSA" target="https://falcon-sign.info/">
<front> <front>
<title>Fast Fourier lattice-based compact signatures over NTRU</titl e> <title>FALCON: Fast Fourier lattice-based compact signatures over NT RU</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="RFC8235"> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8
<front> 235.xml"/>
<title>Schnorr Non-interactive Zero-Knowledge Proof</title> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<author fullname="F. Hao" initials="F." role="editor" surname="Hao"/ 180.xml"/>
> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<date month="September" year="2017"/> 881.xml"/>
<abstract> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
<t>This document describes the Schnorr non-interactive zero-knowle 242.xml"/>
dge (NIZK) proof, a non-interactive variant of the three-pass Schnorr identifica <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
tion scheme. The Schnorr NIZK proof allows one to prove the knowledge of a discr 370.xml"/>
ete logarithm without leaking any information about its value. It can serve as a </references>
useful building block for many cryptographic protocols to ensure that participa <references anchor="sec-informative-references">
nts follow the protocol specification honestly. This document specifies the Schn <name>Informative References</name>
orr NIZK proof in both the finite field and the elliptic curve settings.</t> <reference anchor="Serious-Crypt">
</abstract>
</front>
<seriesInfo name="RFC" value="8235"/>
<seriesInfo name="DOI" value="10.17487/RFC8235"/>
</reference>
<reference anchor="RFC9180">
<front>
<title>Hybrid Public Key Encryption</title>
<author fullname="R. Barnes" initials="R." surname="Barnes"/>
<author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
<author fullname="B. Lipp" initials="B." surname="Lipp"/>
<author fullname="C. Wood" initials="C." surname="Wood"/>
<date month="February" year="2022"/>
<abstract>
<t>This document describes a scheme for hybrid public key encrypti
on (HPKE). This scheme provides a variant of public key encryption of arbitrary-
sized plaintexts for a recipient public key. It also includes three authenticate
d variants, including one that authenticates possession of a pre-shared key and
two optional ones that authenticate possession of a key encapsulation mechanism
(KEM) private key. HPKE works for any combination of an asymmetric KEM, key deri
vation function (KDF), and authenticated encryption with additional data (AEAD)
encryption function. Some authenticated variants may not be supported by all KEM
s. We provide instantiations of the scheme using widely used and efficient primi
tives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based ke
y derivation function (HKDF), and SHA2.</t>
<t>This document is a product of the Crypto Forum Research Group (
CFRG) in the IRTF.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9180"/>
<seriesInfo name="DOI" value="10.17487/RFC9180"/>
</reference>
<reference anchor="I-D.ietf-lamps-dilithium-certificates">
<front> <front>
<title>Internet X.509 Public Key Infrastructure - Algorithm Identifi <title>Serious Cryptography, 2nd Edition</title>
ers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA)</title> <author fullname="Jean-Philippe Aumasson">
<author fullname="Jake Massimo" initials="J." surname="Massimo"> <organization/>
<organization>AWS</organization>
</author>
<author fullname="Panos Kampanakis" initials="P." surname="Kampanaki
s">
<organization>AWS</organization>
</author>
<author fullname="Sean Turner" initials="S." surname="Turner">
<organization>sn3rd</organization>
</author>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"
>
<organization>Cloudflare</organization>
</author> </author>
<date day="26" month="June" year="2025"/> <date year="2024" month="August"/>
<abstract>
<t> Digital signatures are used within X.509 certificates, Certi
ficate
Revocation Lists (CRLs), and to sign messages. This document
specifies the conventions for using FIPS 204, the Module-Lattice-
Based Digital Signature Algorithm (ML-DSA) in Internet X.509
certificates and certificate revocation lists. The conventions for
the associated signatures, subject public keys, and private key are
also described.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-dilithium-ce
rtificates-12"/>
</reference>
<reference anchor="RFC9242">
<front>
<title>Intermediate Exchange in the Internet Key Exchange Protocol V
ersion 2 (IKEv2)</title>
<author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
<date month="May" year="2022"/>
<abstract>
<t>This document defines a new exchange, called "Intermediate Exch
ange", for the Internet Key Exchange Protocol Version 2 (IKEv2). This exchange c
an be used for transferring large amounts of data in the process of IKEv2 Securi
ty Association (SA) establishment. An example of the need to do this is using ke
y exchange methods resistant to Quantum Computers (QCs) for IKE SA establishment
. The Intermediate Exchange makes it possible to use the existing IKE fragmentat
ion mechanism (which cannot be used in the initial IKEv2 exchange), helping to a
void IP fragmentation of large IKE messages if they need to be sent before IKEv2
SA is established.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9242"/>
<seriesInfo name="DOI" value="10.17487/RFC9242"/>
</reference>
<reference anchor="RFC9370">
<front>
<title>Multiple Key Exchanges in the Internet Key Exchange Protocol
Version 2 (IKEv2)</title>
<author fullname="CJ. Tjhai" initials="CJ." surname="Tjhai"/>
<author fullname="M. Tomlinson" initials="M." surname="Tomlinson"/>
<author fullname="G. Bartlett" initials="G." surname="Bartlett"/>
<author fullname="S. Fluhrer" initials="S." surname="Fluhrer"/>
<author fullname="D. Van Geest" initials="D." surname="Van Geest"/>
<author fullname="O. Garcia-Morchon" initials="O." surname="Garcia-M
orchon"/>
<author fullname="V. Smyslov" initials="V." surname="Smyslov"/>
<date month="May" year="2023"/>
<abstract>
<t>This document describes how to extend the Internet Key Exchange
Protocol Version 2 (IKEv2) to allow multiple key exchanges to take place while
computing a shared secret during a Security Association (SA) setup.</t>
<t>This document utilizes the IKE_INTERMEDIATE exchange, where mul
tiple key exchanges are performed when an IKE SA is being established. It also i
ntroduces a new IKEv2 exchange, IKE_FOLLOWUP_KE, which is used for the same purp
ose when the IKE SA is being rekeyed or is creating additional Child SAs.</t>
<t>This document updates RFC 7296 by renaming a Transform Type 4 f
rom "Diffie-Hellman Group (D-H)" to "Key Exchange Method (KE)" and renaming a fi
eld in the Key Exchange Payload from "Diffie-Hellman Group Num" to "Key Exchange
Method". It also renames an IANA registry for this Transform Type from "Transfo
rm Type 4 - Diffie- Hellman Group Transform IDs" to "Transform Type 4 - Key Exch
ange Method Transform IDs". These changes generalize key exchange algorithms tha
t can be used in IKEv2.</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="9370"/> <refcontent>ISBN 9781718503847</refcontent>
<seriesInfo name="DOI" value="10.17487/RFC9370"/>
</reference> </reference>
</references> <reference anchor="Grover-Search" target="https://link.aps.org/doi/10.11
<references anchor="sec-informative-references"> 03/PhysRevA.60.2746">
<name>Informative References</name>
<reference anchor="Grover-search">
<front> <front>
<title>C. Zalka, “Grover’s quantum searching algorithm is optimal,” <title>Grover's quantum searching algorithm is optimal</title>
Physical Review A, vol. 60, pp. 2746-2751, 1999.</title> <author fullname="Christof Zalka">
<author>
<organization/> <organization/>
</author> </author>
<date/> <date year="1999" month="October"/>
</front> </front>
<seriesInfo name="DOI" value="10.1103/PhysRevA.60.2746"/>
<refcontent>Physical Review A, vol. 60, no. 4, pp. 2746-2751</refconte
nt>
</reference> </reference>
<reference anchor="Threat-Report" target="https://globalriskinstitute.or g/publications/quantum-threat-timeline-report-2020/"> <reference anchor="Threat-Report" target="https://globalriskinstitute.or g/publications/quantum-threat-timeline-report-2020/">
<front> <front>
<title>Quantum Threat Timeline Report 2020</title> <title>Quantum Threat Timeline Report 2020</title>
<author> <author fullname="Michele Mosca">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Marco Piani">
<organization/>
</author>
<date year="2021" month="January" day="27"/>
</front> </front>
<refcontent>Global Risk Institute</refcontent>
</reference> </reference>
<reference anchor="QC-DNS" target="https://www.icann.org/octo-031-en.pdf "> <reference anchor="QC-DNS" target="https://www.icann.org/octo-031-en.pdf ">
<front> <front>
<title>Quantum Computing and the DNS</title> <title>Quantum Computing and the DNS</title>
<author> <author fullname="Paul Hoffman">
<organization/> <organization/>
</author> </author>
<date/> <date year="2024" month="April" day="22"/>
</front> </front>
<refcontent>ICANN Office of the Chief Technology Officer, OCTO-031v2</ refcontent>
</reference> </reference>
<reference anchor="NIST" target="https://csrc.nist.gov/projects/post-qua ntum-cryptography/post-quantum-cryptography-standardization"> <reference anchor="NIST" target="https://csrc.nist.gov/projects/post-qua ntum-cryptography/post-quantum-cryptography-standardization">
<front> <front>
<title>Post-Quantum Cryptography Standardization</title> <title>Post-Quantum Cryptography Standardization</title>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="Cloudflare" target="https://blog.cloudflare.com/nist- post-quantum-surprise/"> <reference anchor="Cloudflare" target="https://blog.cloudflare.com/nist- post-quantum-surprise/">
<front> <front>
<title>NIST’s pleasant post-quantum surprise</title> <title>NIST's pleasant post-quantum surprise</title>
<author> <author fullname="Bas Westerbaan">
<organization/> <organization/>
</author> </author>
<date/> <date year="2022" month="July" day="08"/>
</front> </front>
<refcontent>Cloudflare Blog</refcontent>
</reference> </reference>
<reference anchor="CS01" target="https://eprint.iacr.org/2001/108"> <reference anchor="CS01" target="https://eprint.iacr.org/2001/108">
<front> <front>
<title>Design and Analysis of Practical Public-Key Encryption Scheme s Secure against Adaptive Chosen Ciphertext Attack</title> <title>Design and Analysis of Practical Public-Key Encryption Scheme s Secure against Adaptive Chosen Ciphertext Attack</title>
<author> <author fullname="Ronald Cramer">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Victor Shoup">
<organization/>
</author>
<date year="2001"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2001/108</refcontent>
</reference> </reference>
<reference anchor="BHK09" target="https://eprint.iacr.org/2009/418"> <reference anchor="BHK09" target="https://eprint.iacr.org/2009/418">
<front> <front>
<title>Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?</title> <title>Subtleties in the Definition of IND-CCA: When and How Should Challenge-Decryption be Disallowed?</title>
<author> <author fullname="Mihir Bellare">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Dennis Hofheinz">
<organization/>
</author>
<author fullname="Eike Kiltz">
<organization/>
</author>
<date year="2009"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2009/418</refcontent>
</reference> </reference>
<reference anchor="GMR88" target="https://people.csail.mit.edu/silvio/Se lected%20Scientific%20Papers/Digital%20Signatures/A_Digital_Signature_Scheme_Sec ure_Against_Adaptive_Chosen-Message_Attack.pdf"> <reference anchor="GMR88" target="https://people.csail.mit.edu/silvio/Se lected%20Scientific%20Papers/Digital%20Signatures/A_Digital_Signature_Scheme_Sec ure_Against_Adaptive_Chosen-Message_Attack.pdf">
<front> <front>
<title>A digital signature scheme secure against adaptive chosen-mes <title>A digital signature scheme secure against adaptive chosen-mes
sage attacks.</title> sage attacks</title>
<author> <author fullname="Shafi Goldwasser">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Silvio Micali">
<organization/>
</author>
<author fullname="Ronald L. Rivest">
<organization/>
</author>
<date year="1988" month="April"/>
</front> </front>
<seriesInfo name="DOI" value="10.1137/0217017"/>
<refcontent>SIAM Journal on Computing, vol. 17, no. 2, pp. 281-308</re
fcontent>
</reference> </reference>
<reference anchor="PQCAPI" target="https://csrc.nist.gov/CSRC/media/Proj ects/Post-Quantum-Cryptography/documents/example-files/api-notes.pdf"> <reference anchor="PQCAPI" target="https://csrc.nist.gov/CSRC/media/Proj ects/Post-Quantum-Cryptography/documents/example-files/api-notes.pdf">
<front> <front>
<title>PQC - API notes</title> <title>PQC - API notes</title>
<author> <author>
<organization/> <organization>NIST</organization>
</author> </author>
<date/> <date/>
</front> </front>
</reference> </reference>
<reference anchor="RSA8HRS" target="https://arxiv.org/abs/1905.09749"> <reference anchor="RSA8HRS" target="https://arxiv.org/abs/1905.09749">
<front> <front>
<title>How to factor 2048 bit RSA integers in 8 hours using 20 milli on noisy qubits</title> <title>How to factor 2048 bit RSA integers in 8 hours using 20 milli on noisy qubits</title>
<author> <author fullname="Craig Gidney">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Martin Ekera">
<organization/>
</author>
<date year="2021" month="April" day="13"/>
</front> </front>
<refcontent>arXiv:1905.09749v3</refcontent>
</reference> </reference>
<reference anchor="RSA10SC" target="https://www.quintessencelabs.com/blo g/breaking-rsa-encryption-update-state-art"> <reference anchor="RSA10SC" target="https://www.quintessencelabs.com/blo g/breaking-rsa-encryption-update-state-art">
<front> <front>
<title>Breaking RSA Encryption - an Update on the State-of-the-Art</ title> <title>Breaking RSA Encryption - an Update on the State-of-the-Art</ title>
<author> <author>
<organization/> <organization>QuintessenceLabs</organization>
</author> </author>
<date/> <date year="2019" month="June" day="13"/>
</front> </front>
</reference> </reference>
<reference anchor="RSAShor" target="https://arxiv.org/pdf/quant-ph/02050 95.pdf"> <reference anchor="RSAShor" target="https://arxiv.org/pdf/quant-ph/02050 95.pdf">
<front> <front>
<title>Circuit for Shor’s algorithm using 2n+3 qubits</title> <title>Circuit for Shor's algorithm using 2n+3 qubits</title>
<author> <author fullname="Stephane Beauregard">
<organization/> <organization/>
</author> </author>
<date/> <date year="2003" month="February" day="21"/>
</front> </front>
<refcontent>arXiv:quant-ph/0205095v3</refcontent>
</reference> </reference>
<reference anchor="LIBOQS" target="https://github.com/open-quantum-safe/ liboqs"> <reference anchor="LIBOQS" target="https://github.com/open-quantum-safe/ liboqs">
<front> <front>
<title>LibOQS - Open Quantum Safe</title> <title>LibOQS - Open Quantum Safe</title>
<author> <author>
<organization/> <organization/>
</author> </author>
<date/> <date year="2025" month="November"/>
</front> </front>
<refcontent>commit 97f6b86</refcontent>
</reference> </reference>
<reference anchor="KyberSide" target="https://eprint.iacr.org/2022/1452" > <reference anchor="KyberSide" target="https://eprint.iacr.org/2022/1452" >
<front> <front>
<title>A Side-Channel Attack on a Hardware Implementation of CRYSTAL S-Kyber</title> <title>A Side-Channel Attack on a Hardware Implementation of CRYSTAL S-Kyber</title>
<author> <author fullname="Yanning Ji">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Ruize Wang">
<organization/>
</author>
<author fullname="Kalle Ngo">
<organization/>
</author>
<author fullname="Elena Dubrova">
<organization/>
</author>
<author fullname="Linus Backlund">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2022/1452</refcontent>
</reference> </reference>
<reference anchor="SaberSide" target="https://link.springer.com/article/ 10.1007/s13389-023-00315-3"> <reference anchor="SaberSide" target="https://link.springer.com/article/ 10.1007/s13389-023-00315-3">
<front> <front>
<title>A side-channel attack on a masked and shuffled software imple mentation of Saber</title> <title>A side-channel attack on a masked and shuffled software imple mentation of Saber</title>
<author> <author fullname="Kalle Ngo">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Elena Dubrova">
<organization/>
</author>
<author fullname="Thomas Johansson">
<organization/>
</author>
<date year="2023" month="April" day="25"/>
</front> </front>
<seriesInfo name="DOI" value="10.1007/s13389-023-00315-3"/>
<refcontent>Journal of Cryptographic Engineering, vol. 13, pp. 443-460
</refcontent>
</reference> </reference>
<reference anchor="SideCh" target="https://eprint.iacr.org/2022/919"> <reference anchor="SideCh" target="https://eprint.iacr.org/2022/919">
<front> <front>
<title>Side-Channel Attacks on Lattice-Based KEMs Are Not Prevented by Higher-Order Masking</title> <title>Side-Channel Attacks on Lattice-Based KEMs Are Not Prevented by Higher-Order Masking</title>
<author> <author fullname="Kalle Ngo">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Ruize Wang">
<organization/>
</author>
<author fullname="Elena Dubrova">
<organization/>
</author>
<author fullname="Nils Paulsrud">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2022/919</refcontent>
</reference> </reference>
<reference anchor="LatticeSide" target="https://eprint.iacr.org/2019/948 "> <reference anchor="LatticeSide" target="https://eprint.iacr.org/2019/948 ">
<front> <front>
<title>Generic Side-channel attacks on CCA-secure lattice-based PKE and KEM schemes</title> <title>Generic Side-channel attacks on CCA-secure lattice-based PKE and KEM schemes</title>
<author> <author fullname="Prasanna Ravi">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Sujoy Sinha Roy">
<organization/>
</author>
<author fullname="Anupam Chattopadhyay">
<organization/>
</author>
<author fullname="Shivam Bhasin">
<organization/>
</author>
<date year="2019"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2019/948</refcontent>
</reference> </reference>
<reference anchor="Mitigate1" target="https://eprint.iacr.org/2022/873"> <reference anchor="Mitigate1" target="https://eprint.iacr.org/2022/873">
<front> <front>
<title>POLKA: Towards Leakage-Resistant Post-Quantum CCA-Secure Publ ic Key Encryption</title> <title>POLKA: Towards Leakage-Resistant Post-Quantum CCA-Secure Publ ic Key Encryption</title>
<author> <author fullname="Clément Hoffmann">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Benoît Libert">
<organization/>
</author>
<author fullname="Charles Momin">
<organization/>
</author>
<author fullname="Thomas Peters">
<organization/>
</author>
<author fullname="François-Xavier Standaert">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2022/873</refcontent>
</reference> </reference>
<reference anchor="Mitigate2" target="https://ieeexplore.ieee.org/docume nt/9855226"> <reference anchor="Mitigate2" target="https://ieeexplore.ieee.org/docume nt/9855226">
<front> <front>
<title>Leakage-Resilient Certificate-Based Authenticated Key Exchang e Protocol</title> <title>Leakage-Resilient Certificate-Based Authenticated Key Exchang e Protocol</title>
<author> <author initials="T." surname="Tsai">
<organization/> <organization/>
</author> </author>
<date/> <author initials="S." surname="Huang">
<organization/>
</author>
<author initials="Y." surname="Tseng">
<organization/>
</author>
<author initials="Y." surname="Chuang">
<organization/>
</author>
<author initials="Y." surname="Hung">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<seriesInfo name="DOI" value="10.1109/OJCS.2022.3198073"/>
<refcontent>IEEE Open Journal of the Computer Society, vol. 3, pp. 137
-148</refcontent>
</reference> </reference>
<reference anchor="Mitigate3" target="https://eprint.iacr.org/2022/916"> <reference anchor="Mitigate3" target="https://eprint.iacr.org/2022/916">
<front> <front>
<title>Post-Quantum Authenticated Encryption against Chosen-Cipherte xt Side-Channel Attacks</title> <title>Post-Quantum Authenticated Encryption against Chosen-Cipherte xt Side-Channel Attacks</title>
<author> <author fullname="Melissa Azouaoui">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Yulia Kuzovkova">
<organization/>
</author>
<author fullname="Tobias Schneider">
<organization/>
</author>
<author fullname="Christine van Vredendaal">
<organization/>
</author>
<date year="2022"/>
</front> </front>
<refcontent>Cryptology ePrint Archive, Paper 2022/916</refcontent>
</reference> </reference>
<reference anchor="CNSA2-0" target="https://media.defense.gov/2025/May/3 0/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF"> <reference anchor="CNSA2-0" target="https://media.defense.gov/2025/May/3 0/2003728741/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF">
<front> <front>
<title>Announcing the Commercial National Security Algorithm Suite 2 .0</title> <title>Announcing the Commercial National Security Algorithm Suite 2 .0</title>
<author> <author>
<organization/> <organization>NSA</organization>
</author> </author>
<date/> <date year="2022" month="September"/>
</front> </front>
</reference> </reference>
<reference anchor="LattFail1" target="https://link.springer.com/chapter/ 10.1007/978-3-030-17259-6_19#chapter-info"> <reference anchor="LattFail1" target="https://link.springer.com/chapter/ 10.1007/978-3-030-17259-6_19">
<front> <front>
<title>Decryption Failure Attacks on IND-CCA Secure Lattice-Based Sc hemes</title> <title>Decryption Failure Attacks on IND-CCA Secure Lattice-Based Sc hemes</title>
<author> <author fullname="Jan-Pieter D'Anvers">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Qian Guo">
<organization/>
</author>
<author fullname="Thomas Johansson">
<organization/>
</author>
<author fullname="Alexander Nilsson">
<organization/>
</author>
<author fullname="Frederik Vercauteren">
<organization/>
</author>
<author fullname="Ingrid Verbauwhede">
<organization/>
</author>
<date year="2019" month="April" day="06"/>
</front> </front>
<seriesInfo name="DOI" value="10.1007/978-3-030-17259-6_19"/>
<refcontent>Public-Key Cryptography - PKC 2019, Lecture Notes in Compu
ter Science, vol. 11443, pp. 565-598</refcontent>
</reference> </reference>
<reference anchor="LattFail2" target="https://link.springer.com/chapter/ 10.1007/978-3-030-45727-3_1"> <reference anchor="LattFail2" target="https://link.springer.com/chapter/ 10.1007/978-3-030-45727-3_1">
<front> <front>
<title>(One) Failure Is Not an Option: Bootstrapping the Search for <title>(One) Failure Is Not an Option: Bootstrapping the Search for
Failures in Lattice-Based Encryption Schemes.</title> Failures in Lattice-Based Encryption Schemes</title>
<author> <author fullname="Jan-Pieter D'Anvers">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Mélissa Rossi">
<organization/>
</author>
<author fullname="Fernando Virdia">
<organization/>
</author>
<date year="2020" month="May" day="01"/>
</front> </front>
<seriesInfo name="DOI" value="10.1007/978-3-030-45727-3_1"/>
<refcontent>Advances in Cryptology - EUROCRYPT 2020, Lecture Notes in
Computer Science, vol. 12107, pp. 3-33</refcontent>
</reference> </reference>
<reference anchor="BSI-PQC" target="https://www.bsi.bund.de/SharedDocs/D ownloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.html?nn=916626"> <reference anchor="BSI-PQC" target="https://www.bsi.bund.de/SharedDocs/D ownloads/EN/BSI/Publications/Brochure/quantum-safe-cryptography.html?nn=916626">
<front> <front>
<title>Quantum-safe cryptography fundamentals, current development s and recommendations</title> <title>Quantum-safe cryptography - fundamentals, current development s and recommendations</title>
<author> <author>
<organization/> <organization>BSI</organization>
</author> </author>
<date year="2022" month="May"/> <date year="2022" month="May" day="18"/>
</front> </front>
</reference> </reference>
<reference anchor="PQRSA" target="https://cr.yp.to/papers/pqrsa-20170419 .pdf"> <reference anchor="PQRSA" target="https://cr.yp.to/papers/pqrsa-20170419 .pdf">
<front> <front>
<title>Post-quantum RSA</title> <title>Post-quantum RSA</title>
<author> <author fullname="Daniel J. Bernstein">
<organization/> <organization/>
</author> </author>
<date year="2017" month="April"/> <author fullname="Nadia Heninger">
<organization/>
</author>
<author fullname="Paul Lou">
<organization/>
</author>
<author fullname="Luke Valenta">
<organization/>
</author>
<date year="2017" month="April" day="19"/>
</front> </front>
</reference> </reference>
<reference anchor="SP-800-56C" target="https://nvlpubs.nist.gov/nistpubs /SpecialPublications/NIST.SP.800-56Cr2.pdf"> <reference anchor="SP-800-56C" target="https://nvlpubs.nist.gov/nistpubs /SpecialPublications/NIST.SP.800-56Cr2.pdf">
<front> <front>
<title>Recommendation for Key-Derivation Methods in Key-Establishmen t Schemes</title> <title>Recommendation for Key-Derivation Methods in Key-Establishmen t Schemes</title>
<author> <author fullname="Elaine Barker">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Lily Chen">
<organization/>
</author>
<author fullname="Richard Davis">
<organization/>
</author>
<date year="2020" month="August"/>
</front> </front>
<seriesInfo name="NIST SP" value="800-56Cr2"/>
<seriesInfo name="DOI" value="10.6028/NIST.SP.800-56Cr2"/>
</reference> </reference>
<reference anchor="Lyu09" target="https://www.iacr.org/archive/asiacrypt 2009/59120596/59120596.pdf"> <reference anchor="Lyu09" target="https://www.iacr.org/archive/asiacrypt 2009/59120596/59120596.pdf">
<front> <front>
<title>V. Lyubashevsky, “Fiat-Shamir With Aborts: Applications to La <title>Fiat-Shamir With Aborts: Applications to Lattice and Factorin
ttice and Factoring-Based Signatures“, ASIACRYPT 2009</title> g-Based Signatures</title>
<author> <author fullname="Vadim Lyubashevsky">
<organization/> <organization/>
</author> </author>
<date/> <date/>
</front> </front>
<refcontent>ASIACRYPT 2009</refcontent>
</reference> </reference>
<reference anchor="SP-1800-38C" target="https://www.nccoe.nist.gov/sites /default/files/2023-12/pqc-migration-nist-sp-1800-38c-preliminary-draft.pdf"> <reference anchor="SP-1800-38C" target="https://www.nccoe.nist.gov/sites /default/files/2023-12/pqc-migration-nist-sp-1800-38c-preliminary-draft.pdf">
<front> <front>
<title>Migration to Post-Quantum Cryptography Quantum Readiness: Qua <title>Migration to Post-Quantum Cryptography Quantum Readiness: Tes
ntum-Resistant Cryptography Technology Interoperability and Performance Report</ ting Draft Standards, Volume C: Quantum-Resistant Cryptography Technology Intero
title> perability and Performance Report</title>
<author> <author fullname="William Newhouse">
<organization/> <organization/>
</author> </author>
<date/> <author fullname="Murugiah Souppaya">
</front>
</reference>
<reference anchor="KEEPINGUP" target="https://eprint.iacr.org/2023/1933"
>
<front>
<title>Keeping Up with the KEMs: Stronger Security Notions for KEMs
and automated analysis of KEM-based protocols</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="William Barke">
</front>
</reference>
<reference anchor="NISTFINAL" target="https://www.nist.gov/news-events/n
ews/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards">
<front>
<title>NIST Releases First 3 Finalized Post-Quantum Encryption Stand
ards</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Chris Brown">
</front>
</reference>
<reference anchor="ANSSI" target="https://cyber.gouv.fr/sites/default/fi
les/document/follow_up_position_paper_on_post_quantum_cryptography.pdf">
<front>
<title>ANSSI views on the Post-Quantum Cryptography transition</titl
e>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Panos Kampanakis">
</front>
</reference>
<reference anchor="HQC" target="http://pqc-hqc.org/">
<front>
<title>HQC</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Jim Goodman">
</front>
</reference>
<reference anchor="BIKE" target="http://pqc-hqc.org/">
<front>
<title>BIKE</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Julien Prat">
</front>
</reference>
<reference anchor="PQUIP-WG" target="https://datatracker.ietf.org/group/
pquip/documents/">
<front>
<title>Post-Quantum Use In Protocols (pquip) Working Group</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Robin Larrieu">
</front>
</reference>
<reference anchor="OQS" target="https://openquantumsafe.org/">
<front>
<title>Open Quantum Safe Project</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="John Gray">
</front>
</reference>
<reference anchor="CRQCThreat" target="https://sam-jaques.appspot.com/qu
antum_landscape_2024">
<front>
<title>CRQCThreat</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Mike Ounsworth">
</front>
</reference>
<reference anchor="QuantSide" target="https://arxiv.org/pdf/2304.03315">
<front>
<title>QuantSide</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Cleandro Viana">
</front>
</reference>
<reference anchor="AddSig" target="https://csrc.nist.gov/Projects/pqc-di
g-sig/standardization">
<front>
<title>AddSig</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Hubert Le Van Gong">
</front>
</reference>
<reference anchor="BPQS" target="https://eprint.iacr.org/2018/658.pdf">
<front>
<title>BPQS</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Kris Kwiatkowsk">
</front>
</reference>
<reference anchor="PCI" target="https://docs-prv.pcisecuritystandards.or
g/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf">
<front>
<title>Payment Card Industry Data Security Standard</title>
<author>
<organization/> <organization/>
</author> </author>
<date>n.d.</date> <author fullname="Anthony Hu">
</front> <organization/>
</reference>
<reference anchor="I-D.irtf-cfrg-bbs-signatures">
<front>
<title>The BBS Signature Scheme</title>
<author fullname="Tobias Looker" initials="T." surname="Looker">
<organization>MATTR</organization>
</author>
<author fullname="Vasilis Kalos" initials="V." surname="Kalos">
<organization>MATTR</organization>
</author>
<author fullname="Andrew Whitehead" initials="A." surname="Whitehead
">
<organization>Portage</organization>
</author> </author>
<author fullname="Mike Lodder" initials="M." surname="Lodder"> <author fullname="Robert Burns">
<organization>CryptID</organization> <organization/>
</author> </author>
<date day="7" month="July" year="2025"/> <author fullname="Christian Paquin">
<abstract> <organization/>
<t> This document describes the BBS Signature scheme, a secure,
multi-
message digital signature protocol, supporting proving knowledge of a
signature while selectively disclosing any subset of the signed
messages. Concretely, the scheme allows for signing multiple
messages whilst producing a single, constant size, digital signature.
Additionally, the possessor of a BBS signatures is able to create
zero-knowledge, proofs of knowledge of a signature, while selectively
disclosing subsets of the signed messages. Being zero-knowledge, the
BBS proofs do not reveal any information about the undisclosed
messages or the signature itself, while at the same time,
guaranteeing the authenticity and integrity of the disclosed
messages.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-bbs-signature
s-09"/>
</reference>
<reference anchor="I-D.ietf-sshm-ntruprime-ssh">
<front>
<title>Secure Shell (SSH) Key Exchange Method Using Hybrid Streamlin
ed NTRU Prime sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512</title>
<author fullname="Markus Friedl" initials="M." surname="Friedl">
<organization>OpenSSH</organization>
</author> </author>
<author fullname="Jan Mojzis" initials="J." surname="Mojzis"> <author fullname="Jane Gilbert">
<organization>TinySSH</organization> <organization/>
</author> </author>
<author fullname="Simon Josefsson" initials="S." surname="Josefsson" <author fullname="Gina Scinta">
> <organization/>
</author>
<date day="15" month="August" year="2025"/>
<abstract>
<t> This document describes a widely deployed hybrid key exchang
e method
in the Secure Shell (SSH) protocol that is based on Streamlined NTRU
Prime sntrup761 and X25519 with SHA-512.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-sshm-ntruprime-ssh
-05"/>
</reference>
<reference anchor="RFC9528">
<front>
<title>Ephemeral Diffie-Hellman Over COSE (EDHOC)</title>
<author fullname="G. Selander" initials="G." surname="Selander"/>
<author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Ma
ttsson"/>
<author fullname="F. Palombini" initials="F." surname="Palombini"/>
<date month="March" year="2024"/>
<abstract>
<t>This document specifies Ephemeral Diffie-Hellman Over COSE (EDH
OC), a very compact and lightweight authenticated Diffie-Hellman key exchange wi
th ephemeral keys. EDHOC provides mutual authentication, forward secrecy, and id
entity protection. EDHOC is intended for usage in constrained scenarios, and a m
ain use case is to establish an Object Security for Constrained RESTful Environm
ents (OSCORE) security context. By reusing CBOR Object Signing and Encryption (C
OSE) for cryptography, Concise Binary Object Representation (CBOR) for encoding,
and Constrained Application Protocol (CoAP) for transport, the additional code
size can be kept very low.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9528"/>
<seriesInfo name="DOI" value="10.17487/RFC9528"/>
</reference>
<reference anchor="I-D.draft-ounsworth-cfrg-kem-combiners">
<front>
<title>Combiner function for hybrid key encapsulation mechanisms (Hy
brid KEMs)</title>
<author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
<organization>Entrust Limited</organization>
</author> </author>
<author fullname="Aron Wussler" initials="A." surname="Wussler"> <author fullname="Eunkyung Kim">
<organization>Proton AG</organization> <organization/>
</author> </author>
<author fullname="Stavros Kousidis" initials="S." surname="Kousidis" <author fullname="Volker Krumme">
> <organization/>
<organization>BSI</organization>
</author> </author>
<date day="31" month="January" year="2024"/> <date year="2023" month="December"/>
<abstract>
<t> The migration to post-quantum cryptography often calls for p
erforming
multiple key encapsulations in parallel and then combining their
outputs to derive a single shared secret.
This document defines a comprehensible and easy to implement Keccak-
based KEM combiner to join an arbitrary number of key shares, that is
compatible with NIST SP 800-56Cr2 [SP800-56C] when viewed as a key
derivation function. The combiners defined here are practical split-
key PRFs and are CCA-secure as long as at least one of the ingredient
KEMs is.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ounsworth-cfrg-kem-comb <seriesInfo name="NIST SP" value="1800-38C"/>
iners-05"/> <refcontent>Preliminary Draft</refcontent>
</reference> </reference>
<reference anchor="I-D.irtf-cfrg-hybrid-kems"> <reference anchor="KEEPINGUP" target="https://eprint.iacr.org/2023/1933" >
<front> <front>
<title>Hybrid PQ/T Key Encapsulation Mechanisms</title> <title>Keeping Up with the KEMs: Stronger Security Notions for KEMs
<author fullname="Deirdre Connolly" initials="D." surname="Connolly" and automated analysis of KEM-based protocols</title>
> <author fullname="Cas Cremers">
<organization>SandboxAQ</organization> <organization/>
</author> </author>
<author fullname="Richard Barnes" initials="R." surname="Barnes"> <author fullname="Alexander Dax">
<organization>Cisco</organization> <organization/>
</author> </author>
<author fullname="Paul Grubbs" initials="P." surname="Grubbs"> <author fullname="Niklas Medinger">
<organization>University of Michigan</organization> <organization/>
</author> </author>
<date day="20" month="July" year="2025"/> <date year="2023"/>
<abstract>
<t> This document defines generic constructions for hybrid Key
Encapsulation Mechanisms (KEMs) based on combining a traditional
cryptographic component and a post-quantum (PQ) KEM. Hybrid KEMs
built using these constructions provide strong security properties as
long as either of the underlying algorithms are secure.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-hybrid-kems-0 5"/> <refcontent>Cryptology ePrint Archive, Paper 2023/1933</refcontent>
</reference> </reference>
<reference anchor="I-D.ietf-hpke-pq"> <reference anchor="NISTFINAL" target="https://www.nist.gov/news-events/n ews/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards">
<front> <front>
<title>Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms f <title>NIST Releases First 3 Finalized Post-Quantum Encryption Stand
or HPKE</title> ards</title>
<author fullname="Richard Barnes" initials="R." surname="Barnes"> <author>
<organization>Cisco</organization> <organization>NIST</organization>
</author> </author>
<date day="30" month="June" year="2025"/> <date year="2024" month="August" day="13"/>
<abstract>
<t> Updating key exchange and public-key encryption protocols to
resist
attack by quantum computers is a high priority given the possibility
of "harvest now, decrypt later" attacks. Hybrid Public Key
Encryption (HPKE) is a widely-used public key encryption scheme based
on combining a Key Encapsulation Mechanism (KEM), a Key Derivation
Function (KDF), and an Authenticated Encryption with Associated Data
(AEAD) scheme. In this document, we define KEM algorithms for HPKE
based on both post-quantum KEMs and hybrid constructions of post-
quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3
that is suitable for use with these KEMs. When used with these
algorithms, HPKE is resilient with respect to attacks by a quantum
computer.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-hpke-pq-01"/>
</reference> </reference>
<reference anchor="I-D.draft-connolly-cfrg-xwing-kem"> <reference anchor="ANSSI" target="https://cyber.gouv.fr/sites/default/fi les/document/follow_up_position_paper_on_post_quantum_cryptography.pdf">
<front> <front>
<title>X-Wing: general-purpose hybrid post-quantum KEM</title> <title>ANSSI views on the Post-Quantum Cryptography transition (2023
<author fullname="Deirdre Connolly" initials="D." surname="Connolly" follow up)</title>
> <author>
<organization>SandboxAQ</organization> <organization>ANSSI</organization>
</author>
<author fullname="Peter Schwabe" initials="P." surname="Schwabe">
<organization>MPI-SP &amp; Radboud University</organization>
</author>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"
>
<organization>Cloudflare</organization>
</author> </author>
<date day="7" month="July" year="2025"/> <date year="2023" month="December" day="21"/>
<abstract>
<t> This memo defines X-Wing, a general-purpose post-quantum/tra
ditional
hybrid key encapsulation mechanism (PQ/T KEM) built on X25519 and ML-
KEM-768.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-connolly-cfrg-xwing-kem -08"/>
</reference> </reference>
<reference anchor="RFC5652"> <reference anchor="HQC" target="http://pqc-hqc.org/">
<front> <front>
<title>Cryptographic Message Syntax (CMS)</title> <title>HQC</title>
<author fullname="R. Housley" initials="R." surname="Housley"/> <author>
<date month="September" year="2009"/> <organization/>
<abstract> </author>
<t>This document describes the Cryptographic Message Syntax (CMS). <date/>
This syntax is used to digitally sign, digest, authenticate, or encrypt arbitra
ry message content. [STANDARDS-TRACK]</t>
</abstract>
</front> </front>
<seriesInfo name="STD" value="70"/>
<seriesInfo name="RFC" value="5652"/>
<seriesInfo name="DOI" value="10.17487/RFC5652"/>
</reference> </reference>
<reference anchor="I-D.ietf-lamps-cms-sphincs-plus"> <reference anchor="BIKE" target="https://bikesuite.org/">
<front> <front>
<title>Use of the SLH-DSA Signature Algorithm in the Cryptographic M <title>BIKE</title>
essage Syntax (CMS)</title> <author>
<author fullname="Russ Housley" initials="R." surname="Housley"> <organization/>
<organization>Vigil Security, LLC</organization>
</author>
<author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
<organization>Cisco Systems</organization>
</author>
<author fullname="Panos Kampanakis" initials="P." surname="Kampanaki
s">
<organization>Amazon Web Services</organization>
</author>
<author fullname="Bas Westerbaan" initials="B." surname="Westerbaan"
>
<organization>Cloudflare</organization>
</author> </author>
<date day="13" month="January" year="2025"/> <date/>
<abstract>
<t> SLH-DSA is a stateless hash-based signature scheme. This do
cument
specifies the conventions for using the SLH-DSA signature algorithm
with the Cryptographic Message Syntax (CMS). In addition, the
algorithm identifier and public key syntax are provided.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-cms-sphincs- plus-19"/>
</reference> </reference>
<reference anchor="I-D.ietf-pquip-pqt-hybrid-terminology"> <reference anchor="PQUIP-WG" target="https://datatracker.ietf.org/group/ pquip/documents/">
<front> <front>
<title>Terminology for Post-Quantum Traditional Hybrid Schemes</titl <title>Post-Quantum Use In Protocols (pquip)</title>
e> <author>
<author fullname="Flo D" initials="F." surname="D"> <organization>IETF</organization>
<organization>UK National Cyber Security Centre</organization>
</author>
<author fullname="Michael P" initials="M." surname="P">
<organization>UK National Cyber Security Centre</organization>
</author>
<author fullname="Britta Hale" initials="B." surname="Hale">
<organization>Naval Postgraduate School</organization>
</author> </author>
<date day="10" month="January" year="2025"/> <date/>
<abstract>
<t> One aspect of the transition to post-quantum algorithms in
cryptographic protocols is the development of hybrid schemes that
incorporate both post-quantum and traditional asymmetric algorithms.
This document defines terminology for such schemes. It is intended
to be used as a reference and, hopefully, to ensure consistency and
clarity across different protocols, standards, and organisations.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqt-hybrid-t erminology-06"/>
</reference> </reference>
<reference anchor="I-D.ietf-tls-hybrid-design"> <reference anchor="OQS" target="https://openquantumsafe.org/">
<front> <front>
<title>Hybrid key exchange in TLS 1.3</title> <title>Open Quantum Safe Project</title>
<author fullname="Douglas Stebila" initials="D." surname="Stebila"> <author>
<organization>University of Waterloo</organization> <organization/>
</author>
<author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
<organization>Cisco Systems</organization>
</author>
<author fullname="Shay Gueron" initials="S." surname="Gueron">
<organization>University of Haifa and Meta</organization>
</author> </author>
<date day="21" month="July" year="2025"/> <date/>
<abstract>
<t> Hybrid key exchange refers to using multiple key exchange al
gorithms
simultaneously and combining the result with the goal of providing
security even if a way is found to defeat the encryption for all but
one of the component algorithms. It is motivated by transition to
post-quantum cryptography. This document provides a construction for
hybrid key exchange in the Transport Layer Security (TLS) protocol
version 1.3.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-tls-hybrid-design- 14"/>
</reference> </reference>
<reference anchor="I-D.ietf-lamps-pq-composite-sigs"> <reference anchor="CRQCThreat" target="https://sam-jaques.appspot.com/qu antum_landscape_2024">
<front> <front>
<title>Composite ML-DSA for use in X.509 Public Key Infrastructure</ <title>Landscape of Quantum Computing</title>
title> <author fullname="Sam Jaques">
<author fullname="Mike Ounsworth" initials="M." surname="Ounsworth"> <organization/>
<organization>Entrust Limited</organization>
</author>
<author fullname="John Gray" initials="J." surname="Gray">
<organization>Entrust Limited</organization>
</author>
<author fullname="Massimiliano Pala" initials="M." surname="Pala">
<organization>OpenCA Labs</organization>
</author>
<author fullname="Jan Klaußner" initials="J." surname="Klaußner">
<organization>Bundesdruckerei GmbH</organization>
</author>
<author fullname="Scott Fluhrer" initials="S." surname="Fluhrer">
<organization>Cisco Systems</organization>
</author> </author>
<date day="7" month="July" year="2025"/> <date/>
<abstract>
<t> This document defines combinations of ML-DSA [FIPS.204] in h
ybrid
with traditional algorithms RSASSA-PKCS1-v1_5, RSASSA-PSS, ECDSA,
Ed25519, and Ed448. These combinations are tailored to meet security
best practices and regulatory guidelines. Composite ML-DSA is
applicable in any application that uses X.509 or PKIX data structures
that accept ML-DSA, but where the operator wants extra protection
against breaks or catastrophic bugs in ML-DSA.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-pq-composite -sigs-07"/>
</reference> </reference>
<reference anchor="I-D.ietf-lamps-cert-binding-for-multi-auth"> <reference anchor="QuantSide" target="https://arxiv.org/pdf/2304.03315">
<front> <front>
<title>Related Certificates for Use in Multiple Authentications with <title>Exploration of Quantum Computer Power Side-Channels</title>
in a Protocol</title> <author fullname="Chuanqi Xu">
<author fullname="Alison Becker" initials="A." surname="Becker"> <organization/>
<organization>National Security Agency</organization>
</author> </author>
<author fullname="Rebecca Guthrie" initials="R." surname="Guthrie"> <author fullname="Ferhat Erata">
<organization>National Security Agency</organization> <organization/>
</author> </author>
<author fullname="Michael J. Jenkins" initials="M. J." surname="Jenk <author fullname="Jakub Szefer">
ins"> <organization/>
<organization>National Security Agency</organization>
</author> </author>
<date day="10" month="December" year="2024"/> <date year="2023" month="May" day="09"/>
<abstract>
<t> This document defines a new CSR attribute, relatedCertReques
t, and a
new X.509 certificate extension, RelatedCertificate. The use of the
relatedCertRequest attribute in a CSR and the inclusion of the
RelatedCertificate extension in the resulting certificate together
provide additional assurance that two certificates each belong to the
same end entity. This mechanism is particularly useful in the
context of non-composite hybrid authentication, which enables users
to employ the same certificates in hybrid authentication as in
authentication done with only traditional or post-quantum algorithms.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-lamps-cert-binding -for-multi-auth-06"/> <refcontent>arXiv:2304.03315v2</refcontent>
</reference> </reference>
<reference anchor="I-D.draft-bonnell-lamps-chameleon-certs"> <reference anchor="AddSig" target="https://csrc.nist.gov/Projects/pqc-di g-sig/standardization">
<front> <front>
<title>A Mechanism for Encoding Differences in Paired Certificates</ <title>Post-Quantum Cryptography: Additional Digital Signature Schem
title> es</title>
<author fullname="Corey Bonnell" initials="C." surname="Bonnell"> <author>
<organization>DigiCert</organization> <organization>NIST</organization>
</author>
<author fullname="John Gray" initials="J." surname="Gray">
<organization>Entrust</organization>
</author>
<author fullname="D. Hook" initials="D." surname="Hook">
<organization>KeyFactor</organization>
</author>
<author fullname="Tomofumi Okubo" initials="T." surname="Okubo">
<organization>DigiCert</organization>
</author>
<author fullname="Mike Ounsworth" initials="M." surname="Ounsworth">
<organization>Entrust</organization>
</author> </author>
<date day="16" month="April" year="2025"/> <date/>
<abstract>
<t> This document specifies a method to efficiently convey the
differences between two certificates in an X.509 version 3 extension.
This method allows a relying party to extract information sufficient
to reconstruct the paired certificate and perform certification path
validation using the reconstructed certificate. In particular, this
method is especially useful as part of a key or signature algorithm
migration, where subjects may be issued multiple certificates
containing different public keys or signed with different CA private
keys or signature algorithms. This method does not require any
changes to the certification path validation algorithm as described
in RFC 5280. Additionally, this method does not violate the
constraints of serial number uniqueness for certificates issued by a
single certification authority.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-bonnell-lamps-chameleon -certs-06"/>
</reference> </reference>
<reference anchor="I-D.draft-ietf-pquip-hybrid-signature-spectrums"> <reference anchor="BPQS" target="https://eprint.iacr.org/2018/658">
<front> <front>
<title>Hybrid signature spectrums</title> <title>Blockchained Post-Quantum Signatures</title>
<author fullname="Nina Bindel" initials="N." surname="Bindel"> <author fullname="Konstantinos Chalkias">
<organization>SandboxAQ</organization> <organization/>
</author>
<author fullname="Britta Hale" initials="B." surname="Hale">
<organization>Naval Postgraduate School</organization>
</author>
<author fullname="Deirdre Connolly" initials="D." surname="Connolly"
>
<organization>SandboxAQ</organization>
</author> </author>
<author fullname="Flo D" initials="F." surname="D"> <author fullname="James Brown">
<organization>UK National Cyber Security Centre</organization> <organization/>
</author> </author>
<date day="20" month="June" year="2025"/> <author fullname="Mike Hearn">
<abstract> <organization/>
<t> This document describes classification of design goals and s
ecurity
considerations for hybrid digital signature schemes, including proof
composability, non-separability of the component signatures given a
hybrid signature, backwards/forwards compatibility, hybrid
generality, and simultaneous verification.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-hybrid-signa
ture-spectrums-07"/>
</reference>
<reference anchor="I-D.ietf-pquip-pqc-hsm-constrained">
<front>
<title>Adapting Constrained Devices for Post-Quantum Cryptography</t
itle>
<author fullname="Tirumaleswar Reddy.K" initials="T." surname="Reddy
.K">
<organization>Nokia</organization>
</author> </author>
<author fullname="Dan Wing" initials="D." surname="Wing"> <author fullname="Tommy Lillehagen">
<organization>Cloud Software Group Holdings, Inc.</organization> <organization/>
</author> </author>
<author fullname="Ben S" initials="B." surname="S"> <author fullname="Igor Nitto">
<organization>UK National Cyber Security Centre</organization> <organization/>
</author> </author>
<author fullname="Kris Kwiatkowski" initials="K." surname="Kwiatkows <author fullname="Thomas Schroeter">
ki"> <organization/>
<organization>PQShield</organization>
</author> </author>
<date day="4" month="July" year="2025"/>
<abstract>
<t> This document offers guidance on incorporating Post-Quantum
Cryptography (PQC) into resource-constrained devices, including IoT
devices and lightweight Hardware Security Modules (HSMs), which
operate under tight limitations on compute power, memory, storage,
and energy. It highlights how the Root of Trust acts as the
foundation for secure operations, enabling features such as seed-
based key generation to reduce the need for persistent storage,
efficient approaches to managing ephemeral keys, and methods for
offloading cryptographic tasks in low-resource environments.
Additionally, it examines how PQC affects firmware update mechanisms
in such constrained systems.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-hsm-cons trained-01"/> <refcontent>Cryptology ePrint Archive, Paper 2018/658</refcontent>
</reference> </reference>
<reference anchor="I-D.hale-mls-combiner"> <reference anchor="PCI" target="https://docs-prv.pcisecuritystandards.or g/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf">
<front> <front>
<title>Flexible Hybrid PQ MLS Combiner</title> <title>Payment Card Industry Data Security Standard</title>
<author fullname="Joël" initials="" surname="Joël"> <author>
<organization>AWS</organization> <organization>PCI Security Standards Council</organization>
</author>
<author fullname="Britta Hale" initials="B." surname="Hale">
<organization>Naval Postgraduate School</organization>
</author>
<author fullname="Marta Mularczyk" initials="M." surname="Mularczyk"
>
<organization>AWS</organization>
</author>
<author fullname="Xisen Tian" initials="X." surname="Tian">
<organization>Naval Postgraduate School</organization>
</author> </author>
<date day="26" month="September" year="2024"/> <date/>
<abstract>
<t> This document describes a protocol for combining a tradition
al MLS
session with a post-quantum (PQ) MLS session to achieve flexible and
efficient hybrid PQ security that amortizes the computational cost of
PQ Key Encapsulation Mechanisms and Digital Signature Algorithms.
Specifically, we describe how to use the exporter secret of a PQ MLS
session, i.e. an MLS session using a PQ ciphersuite, to seed PQ
guarantees into an MLS session using a traditional ciphersuite. By
supporting on-demand traditional-only key updates (a.k.a. PARTIAL
updates) or hybrid-PQ key updates (a.k.a. FULL updates), we can
reduce the bandwidth and computational overhead associated with PQ
operations while meeting the requirement of frequent key rotations.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-hale-mls-combiner-01"/> <refcontent>PCI DSS: v4.0.1</refcontent>
</reference> </reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
bonnell-lamps-chameleon-certs.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
connolly-cfrg-xwing-kem.xml"/>
<reference anchor="I-D.ietf-mls-combiner" target="https://datatracker.ietf.org/d
oc/html/draft-ietf-mls-combiner-02">
<front>
<title>Amortized PQ MLS Combiner</title>
<author initials="X." surname="Tian" fullname="Xisen Tian">
<organization>Naval Postgraduate School</organization>
</author>
<author initials="B." surname="Hale" fullname="Britta Hale">
<organization>Naval Postgraduate School</organization>
</author>
<author initials="M." surname="Mularczyk" fullname="Marta Mularczyk">
<organization>AWS</organization>
</author>
<author initials="J." surname="Alwen" fullname="Joël Alwen">
<organization>AWS</organization>
</author>
<date month="October" day="22" year="2025"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-mls-combiner-02"/>
</reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-hpke-pq.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-lamps-pq-composite-sigs.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-pquip-hybrid-signature-spectrums.xml"/>
<reference anchor="I-D.ietf-pquip-pqc-hsm-constrained" target="https://datatrack
er.ietf.org/doc/html/draft-ietf-pquip-pqc-hsm-constrained-05">
<front>
<title>
Adapting Constrained Devices for Post-Quantum Cryptography
</title>
<author initials="T." surname="Reddy.K" fullname="Tirumaleswar Reddy.K">
<organization>Nokia</organization>
</author>
<author initials="D." surname="Wing" fullname="Dan Wing">
<organization>Citrix</organization>
</author>
<author initials="B." surname="Salter" fullname="Ben Salter">
<organization>UK National Cyber Security Centre</organization>
</author>
<author initials="K." surname="Kwiatkowski" fullname="Kris Kwiatkowski">
<organization>PQShield</organization>
</author>
<date month="April" day="1" year="2026"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-pquip-pqc-hsm-constrained-05
"/>
</reference>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ietf-tls-hybrid-design.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
irtf-cfrg-bbs-signatures.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
irtf-cfrg-hybrid-kems.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.
ounsworth-cfrg-kem-combiners.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
941.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
528.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5
652.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
814.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
794.xml"/>
<xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9
763.xml"/>
</references> </references>
</references> </references>
<?line 855?>
<section numbered="false" anchor="acknowledgements"> <section numbered="false" anchor="acknowledgements">
<name>Acknowledgements</name> <name>Acknowledgements</name>
<t>This document leverages text from an earlier draft by Paul Hoffman. Tha <t>This document leverages text from an earlier Internet-Draft by <contact
nks to Dan Wing, Florence D, Thom Wiggers, Sophia Grundner-Culemann, Panos Kampa fullname="Paul Hoffman"/>. Thanks to <contact fullname="Dan Wing"/>, <contact f
nakis, Ben S, Sofia Celi, Melchior Aelmans, Falko Strenzke, Deirdre Connolly, Ha ullname="Florence D"/>, <contact fullname="Thom Wiggers"/>, <contact fullname="S
ni Ezzadeen, Britta Hale, Scott Rose, Hilarie Orman, Thomas Fossati, Roman Danyl ophia Grundner-Culemann"/>, <contact fullname="Panos Kampanakis"/>, <contact ful
iw, Mike Bishop, Mališa Vučinić, Éric Vyncke, Deb Cooley, Dirk Von Hugo and Dani lname="Ben S"/>, <contact fullname="Sofia Celi"/>, <contact fullname="Melchior A
el Van Geest for the discussion, review and comments.</t> elmans"/>, <contact fullname="Falko Strenzke"/>, <contact fullname="Deirdre Conn
<t>In particular, the authors would like to acknowledge the contributions olly"/>, <contact fullname="Hani Ezzadeen"/>, <contact fullname="Britta Hale"/>,
to this document by Kris Kwiatkowski.</t> <contact fullname="Scott Rose"/>, <contact fullname="Hilarie Orman"/>, <contact
</section> fullname="Thomas Fossati"/>, <contact fullname="Roman Danyliw"/>, <contact full
</back> name="Mike Bishop"/>, <contact fullname="Mališa Vučinić"/>, <contact fullname="É
<!-- ##markdown-source: ric Vyncke"/>, <contact fullname="Deb Cooley"/>, <contact fullname="Dirk Von Hug
H4sIAAAAAAAAA+S96XIbWZYm+J9P4cWwtiI7AXDVQsVkd1EUFaJpCYagyKiZ o"/>, and <contact fullname="Daniel Van Geest"/> for the discussion, review and
6WmlA3CQngTcEe4OMhBMjeXP+T31Y6zNep5m3iSfZM53lrs4HJSUmZ1V3a3M comments.</t>
kEjAl3vPvffs5zv9fn+ryZtZ9izZvizrpv/DMi2a5Tw5q1aLpryq0sX1KpmW <t>In particular, the authors would like to acknowledge the contributions
VXJeXOVFllX19lY6GlXZLe744az93ThtsquyWj1L8mJabm1NynGRzunxkyqd to this document by <contact fullname="Kris Kwiatkowski"/>.</t>
Nv08a6b9xc/LfEF/j/uZ3dif0X11s1UvR/O8rvOyaFYLuuvi/MPLrWI5H2XV <!-- [rfced] Please review the "Inclusive Language" portion of the online
s60JXfNsa1wWdVbUy/pZ0lTLbIsGcrSVVllKAxpm42WVN6vtrbuyurmqyuWC Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language>
h/njxeX21k22ok8nz7aSfkIj39raus2KJT0xSexKHtk2fSBv3/6JnpIXV8l3 and let us know if any changes are needed. Updates of this nature typically
+B6fz9N8xteN/wlTGZTVFT5Oq/E1fXzdNIv62d4ersJH+W02sMv28MHeqCrv result in more precise language, which is helpful for readers. For example,
6myP7t/bpgHUTVpMPqazsqC3rbJ6a5E/S/73phz3krqsmiqb1vTTaq4/NFU+ please consider whether "tradition" should be updated for clarity. While the
bnrJuJzPs6KhT4i683SxoCH+H1tb6bK5LitMj0aUJNPlbCakPyWSVGnyPC2y NIST website
6g9Zxt/SiNIi/zVtiNTPknflTZ7y52Oi3rPkTVlMykI+KJdFg/X8scibbJK8 <https://web.archive.org/web/20250214092458/https://www.nist.gov/nist-research-l
ppdNyjl/lyk5Un7BYKQv+KcCjxvQMLfXB/Mhr5bzdJbVd2mVvM8mk9UXjIeG ibrary/nist-technical-series-publications-author-instructions#table1>
fkVUqmTsVXbFV71OqyJt0ps0HuhFMdGbbXw3gyZ468cKb31wkC/yOc0oL+tk indicates that this term is potentially biased, it is also ambiguous.
OL4u8yJPi/Qmr79gpKfNNW3OeEDfVVk2zqIRTewFgzp8gQyqP8pmMzoRo3oj "Tradition" is a subjective term, as it is not the same for everyone. -->
DedlQ+fyVTmbZaMsu+kY2Iv8Kj/LqiYY22XeNPVoWV1dt1Z2eBoNrsnng2t7
9D9N6EFjelA0lryg4/d2kHy/LGo6VI08UUb3Nr/JWl/Q0J4Rl6DzWjfJG8w9
m/AXxkr0O/6MtnmWNc+Sw0f7+8mwnNERaZL3ZTpJ/vynf0mGS7o5OdjfDyb2
fdOkd2kv+b5oaCuW8ezOiLQT2yITGt/rw9fJ0XePwinPaciD0ob8T5mMBjOm
Q1qU1ZyIesuc4u2b/uvzt8/45sQ458uLy2H/cP+I5l5OlrOs/yZtGiJaf5TW
ODLZqn9ejNNFvZzx6iRvs/E1rVU9T4bgAGk12dYnptUV5m6cpLidLZa0D+ja
ZnBV3u7hB3yyh3fuvbsYfhjgpwG9fbCYTOUpzCiTaTqrMxnyi+Fp95CP14b8
nIeM3dOks2SYX9ERW1bZ33Cgx5sGOnzzavNIHz3DEJqMznCdvErr67/DSB9t
HCkx2lrG6aXnbFWU8zyd9en8ZEk6IzGYN9fzmkXkosKH03Tc0KdyRhMaZjLJ
63GV0Y6elVepXo+vkp9VENMeXCybrJLZtCeTVr/ktyxeaKR7fE9/cb138mj/
6f7hE7qFJNdt1h7rKQ2EDqK9Yi67cUxUdKPmQdOkU2zhpM4gvbqHMJkN0vGc
xzAp872D/cHBwfGjvcOjJ08Pjgf45/FjuvH92sKe0jEgiTXhV30/alJigyRr
1xa0ZkJdLkezfNyns6S6Sb2qm2xe/2bDMreGBfLY0I4enRwd7w/4n8Ou5X3/
8uzx/sn+M/nx6dHJgf346NGx/Xh8/Fh/PN4/4k/ffXj/Y0xofNJNNXAYHlxe
TLJfBvV1M5/RhS+rclI6BuOOgH7a/agpvr3JZK50xdksJQ1q/HZ8PstJ7sSP
0i8T+7b7kWO5ajAfZ3yVPfrlu64Dir30siTFK6uSWcT5sHlpyye1X0tsx8TT
ZX026Yw0vD7uGECF3PuCBTo8evSMGDUud6za7f2+bN7WoM8Gyf+Wzm5IaPz5
T/9VLvzzn/5L7c6E3IT96I9ETqNf0OFOZ70//+n/TS6vVzUfmvfZbZ7dJae9
5LacDZLH+71ksRgkh0+OH/cPnzw66CUHJycng3jCXdP6cE1qbNN/ny1IDLUG
bIq5XAMVgJamyBK5ODncP9zfQNGrWTlKZ1Vekypb0+OImwjH4BPFrKje03n3
GxlCo4/vV/z4Ph7fuRI/nPVfvBtuGOsZ8y4mIp1g0owSunbDKO/u7gY0mqLg
sZXEJ/v7RwdkIWziwWDUrfdutmBMJijr3TCGcV2NvVxYVOUfsnFT7y3wWCPQ
OHjs5m/6dfzCrgmczcrlZEqGQtaaBmbGm3Exy9KaHp6E70nqZUXSpM42TGJE
kmQwds+GEsMirh8N1h7Suahnw/2D1pheZDiRvI6nRTqjnU+HYZpcVnS8+RAE
/Jl0HZACIo7U52xOp54NMxKKVyn2YHI6SRc4psnZdUnGXHKWL65Jxcx+oa9I
lxvfbJhbRmMumkGejiveJof7+wfE1p92TeL5q9f7J61ZDJcj+qHJaUR5IRsy
m5LY4bHSdC7eveifnZ0+S34iLZ4n+6q8g7RfziY01pR04uIq67/I3ARH9Ii8
pi/Ku2zyH7982Cd7xwedw/7u7funT9ck5USFomOkSc2UJT4VETY1wo6ZsH2i
fZ1e0fdM1XqwYYCLrKS9NhjXpA0PSDsfZJPlXp3PbvNyb0gq15j09X93uD8c
56Qa59N8TL9cpgtSLPZUXONbx+T3Tj/qxx/dhx9lK3yUnfDxVAb80XbCR9kJ
/bcy4I+yDTadfTLfTy8v2qf/hzOy7OnzpCibrP6iM342fH+2N8/IYNy7tOMe
cpF+yEVIkRgv2fLey35J50Sx/jQnfXQvXeR9fuem8ZLy8/TV+zabxN5qSlUK
iYMfP01GeYOLaXc22RWRF9v0aUL7j35c1uCkh/tkrcxm2HtFmdcrklh006bZ
ev2QrMm9gxNSafdPnhyfbBjkwf7wrDXI5yQP2AeCYQUnu0/HI/lxgUdAYcVZ
Yv28X05JiGT906p5gNP/vMQMa1px0jDU0GXOtTfS9/WrOiXub+/rL/lV4Kv0
d6p27foMhuICiUR9Xo3JaGQ1E18za/VSXcla/OboS0kZqdokGB/tn2y0FN5c
PP/+h/bCv8lH9CGR8PsFsRkTWMN0uomn01m6Xo6YSCXd4rk43bI3y0flz3XX
y1+vRlk1zCdtAXOa4MM+MbSiyGbKcsXseEUy647ERnKB/Y3NnhpzPHv/vw4/
nL4Z9vmxX8zqDg/3SOnu1LOH6abx1RjfWMeXBuObp/UNKZZgzfX1cjqd0S91
OW14zPnamPkNG4ZK+s3NoMZ46aQxbWlb5eNZxobC/v6Tvfrg6OjpSX//8Ki/
T8rIo/5R5yxorGdt/bKDwGzYxWY26fR1ckojf1c2JEuzWxo7fTxaJa/yK5KI
/e+rCanLb1PobldfQ/KTg84zrq/voPl3WZFVZBgM1ynPAyex2FdhE+v4l6/P
eTloLiqUNp2g9YEenOydHHeKwbckk6/ok7Yecvn9m9cknz+UtOCTOnlDzILE
BanMpJA0UJViHZAGraqH6CdJrJ98DUWfPulcfRvoYfuMByObQWwm8MZBdoKB
yfKfLuEtbPijiQztF5CeBDZJo6Ycl7MNI8yzLPtlAY/oAD+qmSvSae+EzNTD
w8cPjfboIc05HlbA803LUFkdaG1d2/3rtmvncM/eDU8P+/tt9lAU5bIYg21D
7JzBHV6Nc1KP3vHBh/NAAwHJqePz4jg8HGwyk1gLGEyyaVbUGSsHNLJHe2/T
1d7RPlS2oyeHT58cH+z1+f/7pDucfsQAP9IzP56++e779xcfXr0dDi5fvNx0
9F6SfrWuWTv64mvs1YBfqEZqCnTMPoYPHrd1/kZ7a9FkleNvJ0+e9om1He33
D54cPjrpP/54cPKNXtTn+M0D82hv+J3vi2zXTeGiZp5GOsL3C3FIPy/Lpm4q
CVeIvsA2NstlvY31nXiO68bEJiX2a+Z7/OjJ4ZP+0ceDTstheNEnZbLbqGWZ
m4S2Hrulp0sy91j0zOpeQmtV4chPiKPPygXrjMwkq0yCNxMxux/QkEZ1PhjR
Q2lH7g2vSbpNXpRjUrfLu2JWppN67/zdHg107zK04p9X5fia6LgXKgiRYTqA
o+k/FsVv6cQ9jnnEwdMBqYc4jqxhrzvsLkMrlL7epGFXg9Vi0JR7C7EQFj9D
lSNm/2T/+OCkrSjh88H+8YDl1fCy/3R/v//ocZv47yO68ZaBV/0Fiaxbc6nD
l8gbiP3tJA2IMPU1aP+Zg7LZIzxcZOArEY3ZQTy8HOhAq8ONqt9q6QxQN5Hf
DfA5Sc7r7La+WbH76WWeNn1a43leJT8Rr0pOR2XV1M+S08XCvReWgp4M3kkv
xZVMirLyAmd90RN7yenw4pQUtssPCYzNbRtFl9PFGLFGLPfSGh/RlmEz9dHJ
AWm4J4/dD366bT3osn8Aohw9PWvP+m1Ou4+XiWax2UtjH77P0klekHnwzD4K
BHx0x4dsfF2UZDeskgtSnSrSjqt0RAKXWD97jbOKfYJkZqin7CFSFONxmflt
UJPAqPdIIqTLWbMnpt4hlMGDQ0Rw+3ObVZ/9K/XC5j/uL6psls/zIq1WfY58
b6Ta6/Pzy4t33/14GftpX2cZ88kfF8kdtgT4JbRFREGqEhzOyzhitLxD+FRA
o8TM02VTzlmAp4G/hr5WtW2hCkbd7QHukNJHZD8eHann7eXFu9M3LWc3fUxE
hs+KGPnLvCJN4Yj+pdfnv0JRDNc9ZOvqKtswEl4YdzKzu7rPanLNP2Ncx3v7
T8XDVenLySynlxOrn9rLY+dXYFaanw720+m74fCiFSnBRwncu7VZuZu3Lwm3
os69XrnGGGE30TSWt4Np1bm7nAo3LeFR+rhcfKSB8yM/Mjf9iB9oAB91Kh8j
3i577JWJLudn+OFsfUDw+tAevv55bM795xevz+Mb8cmX3MkJFv2fvovujuj0
Y00qQeG02jrZ4VSL3STKsOikGoJQRNnxDdHOJVNwwsYePyPwytD9ztjWUaxZ
2In6eTrfBeNaKQvJ6SIq7384E797K5jiPu9e8Dqd9/+Q/rwknYXUnnpRckjZ
hPNHRLbrMS3rR+xiONPxhbfNIs0DH39JDPDwiITp/hFZq9jRkwnJhdaW5s82
7NDIOeY8YljuSX6FoMzeumP7+WWL5tv45EvZysHTvcePnurWvTxrnb/LdMUC
/IzeiMSOJWmQq+QFbQnP/uJ479r2Ia2J2PHtYDHOa73FHXoeA7303x3uvxgO
9+xJ+KhPH/Rvjz/ufzzgwW1t9fv9JB1BhaXds/WBWEE6AScCX01DjRD+8Nkq
ATe6hcRqh3KTHWyc3eSO3cqkKMLGr0PnWVo1PbCTSa72jMRqkhsyEYPA8iQj
E3BFrLUpJ+kqKUd1OcuarJekNbMq4v+k96TioE/rejlfiKRY4pUkXwpVxUnx
MNroqIoymYmYuS5nkwEZ3DTbSYXge3Odk4rr5AdLGzIWqpRIsxyzc3qOPA/P
DiH1oxCGn0MvuSN6XSdw30w4xsDTIapA3iejErIvIARe5p6iTu3kA40oMTaQ
wDCGnUpPXiUuwyyhv/nJI1o39hZh2ehpTAveEfEYIxV/h+yB3R6NsCFDxeyX
XIKb7Br74YwFRPYLjRrfa3TaBb7GFjyAhnpbzm6zCYcgHI34oRvJNEh+LGbI
qyHF4jYvl3W83xLxjhI1sThJfZ1PG1p97EFikYgWEGHZ94Bgkq4cfSkUTybL
DO/GOJdFTvwK1yzgrshYa9g0KDkT83wymWVbW99ABavKCe0BMIatH6Jtj/nR
0Py++gP2SIqXllUmW3Rckp62aEAYucnM+RqBB1V8Fxx2rb9N8kYeeAcrE2Go
2wzbKMWIafuIccnK08JFqeAhNI16kJzR38RWSWOcZf6WbDqF+s0vy5D8w+Qu
K9Ie4ezGx1eIFxe822D4YW5QvkDAwORj0rlX/7xGDrdHaIHUYiS2McqYVMVt
Rt/SyTtt+LmcVNJEG51+Zr5AtsSk9zUMqBYOVO/SA9MmoV2RsNudqDXJ6MYl
FMS0XpHFhZTDkOXskNpaJjdE9QJcppMv7fKMCjL/Vxkt8S2yIYnCAwTTiDoV
dmkGdy2OzFWJ6Tric05MQEIN003zjJgS0XONij2vH1+VRGa6ZrTMZ7wmc9pZ
tHnvyAhYCusgcctjWScJbebvi4xzK+kcz1f0zLwW+qyTD/NDCk2GNU+xWwtI
AtmsZ5c/yub5Dj/QBGgxeGMap+JdK6s6JnX1W2KXmHktN5TLZiFWS3IFn2w6
6y+WtPlIg+InlwWtEA2xhm1KR5pzVeWYViVNDTyVlugun7X3HI2cSF+WveQ6
xVlJCuK8CCE24d14tvBkGiAx0F/G2QzsB4diWSADSxKCg/3GD9aQ1ZflOPXW
5ZN7fyScmDQ0Os1IiUVhyKIxqQWUPY6o0dyxLXT3yDwfWEsSGRzjxM08YZIt
dPJ8Okjj7UwS+jAn62AX4x2k3GEH0ABBnOmS5eD62+gFSvyQJZskKZznKGbv
yikGiBFM8nFjEkiib9Mkm2ek9YBDsi6Cw41xpU7s8A1pfdMzgRQfv2WBDE8S
mg24xhXUO/r0DkFw3gS8mUbwwWSeo2Ef0KbOcZzu770u/OkTnaXzX4gcNViy
O9rX4BcsHxCzASPAam4QuTHX4aUrp9OsatEa61XUIHW4F/6xRpLEbX4Lji9b
YJ370utDjtQWxGk8tJaCo0c4RbJqml9dN7ToiEisEZk5IbHrioWIVwLoDZAh
oOgguWhMUPOalfMR2a0WwjINhscsoom1L5N4NRm8NfNKFlg056W71/Fev4Fz
7Fx2EBDzqTJmjAt+3DXrHyLAIx4sPBmqJn6lxb2U7VXT4CGWaho9LU0l54dW
edsMbXpaOd3u+Q9gVdHvdELcR5V5draZEHqcWmJ0484IdUYNT4GFLwuV8jJ4
2AtgxKTcViRH7nhpulmBExck+pdXTBORjaEW2nk6ie0qH0eofOd9Dgn+5z/9
i3j26IdTUpPmabHLYzo/O0t2zmeznFTycXJG2zWLvAm7A2Q5hFPlCCcxWWKP
psg62jHhNWowWnXxfWHpJNnty36Q9kksvKDFLFImI7TTDbyZD6IMxJ19FgaO
PYcC9VTWUnLKvJ48qdI76OP0HDp5XkOn2SygkdlDZW1Zxs/BmyRBVHavmCt0
JDqXQgwQ0pUXLKlVNQs5roTZdEL4kjV3Y6EyTuF6eMvAl7g4OyKwG64lkcOF
nzcpzLwHA59uz+7UU5sJuWijwRKc0lJmzV1GTNgZZ6wAe5+m0MIeIoxwRJuA
WREnXza5ekNZSzLpYmSSg4AZQdMMlRPiWBD0pEwXWZ9e16d/aYHIshpndij9
xL7FzGhEK1ZoVLqLFQKHL+1jpqVaPs7wwPo9aEdiV49ZJZsYdcJFnOQQCVg0
Ji3tn3JZ0QoSg5+FCgh0hTr/NfMEbZuU8VEbJC+8RQSduE/SgWWoJl/R5Omr
2kxAVOKQjrPkwiVTxcTGsn1mhxceY+yf6wrchXS9lk5f4dipVimWAOmW01w5
HLSG4mrGaV8Y/QB+iPD2NJ/XysZvadymQSZXy3zCTnDeJ7aV79T5Br0jOkaz
fFSRpoaVLIhidJnbgr2udQq4dU83Fay8PvGBud+8tHlEqcthvi4RWcGmy/zw
x5ysToNckIXn2GnNGWicRgpJtahybIZ4yXrBeXTaUbA9bOFxF7ZDFtVjzK0e
gwwceNCFRYeb5AU9K8/6r7LZbJ7KrgKXr5sVrcaN6Mmy1EIgXQDsyxr6AX5g
5VIVTbqFTDYXQFem5rP7eLfqg2j8nKPEJuCmSbUHHO7m04l9PKO35o3t1qyt
uiqnhhBwxl/kB2F2k9bXMHvHGnWoyrkwTNqNIsDpVJCaomKpIn6B+j2VHX+l
VTmDe89MVDD2LqHvKRPWRNVQO0h6LkjlbZTzw0cCdsc6uflW6PE4qtBzYVjX
ZUtbT+eoLWK1pCyhKqeaCtrxTllYtUXwo11FyrRxYfDfWiV6k97Ql7xXwPno
PYNkiHPgFVRhJlC+lA+RnVs3zO5nmrOhSi+UPvpZvaYykNnMO4Wa9IoudmEs
ZqKqJyyuIIVIS7zi2LUJvXHZZ0HJD/M0z0S8FJynF9+ZspZMmgHkDHL/R9kU
ZjkfV57tQJypHbkbMGlWyc674emuTVWrEDnVsE404DNhD5Akb4GZqfUVcQib
tcTisXN+HCaFczDZO21NyKCR3JNPnxIJmGn4xygBDk9H2eXEeAW59hqEeS94
PMLrvssgupOX2YQZ8/fEVsaiolxY+QJiYjaenefDi102nfiI+Anz7NzSdSUX
eLZ6f68pDTQZWV87RumM9nUtqxeT1i3HhRUNcD6dec75hUH0dQfRP2GbRDcn
b3rJaGlyWtQfuC2agLebFyNeLKIuR8Robwgl2f+RBgyKPcMBMykij1VLK9TE
kcgBFTyr+8YV2zj+3BO5rnAH7WF1mCKb9B+xV7gejIjrJmD6dtu11me+FfA3
HVrCzl1IFLUN6NR/OQdO4RpNkIJeJajzEJ4sVS08Pq0Ci0eYzpprMXG8L5tm
zAV2bJ6LrxNTaFYLtfiJRc01h4zzFCcl5kLCiZk1O3tIBjYJzNzm2jRMvIEH
xtovVkIEhWoBTkMnSiEWEmvXzKjNFwGdZcK53tt4wFy8bp7l2Z5nMTfPUnDL
Dau7g7K8bmfSrrBtNvGLVdIpsxxXQL1qOldhTgx/NCvHN/7XeLF6ydvTM/o7
a8aDMPbBVL9dzgr1RhMJ1l2UrUDHpMxEWWe1SY6Uqk5prRTr1AjAN64bc+gE
b92RhUiJfHXmiemP6/29FPxgJxGBSiirNZmqW21FtDW2ZUGcSzTfwBEhu97m
iUUgxYToTDwDPG3nh9cvdiG0wytEo8X3HTYtEVvTl0XXmpW5d/llxITAegLm
3dIa2LUvz2eljtYJNmnGnpbZSizyPFj6yO8LiznZwZzpm3ZtpaqULlXZThaM
+GXBuc3Fyqnr5vC1pV/T8x15r0pRFsRnki0Cu531HSY3G+bGaZ1ziJMZWko0
uLWaIE6DpVFiDbnGLTIfVCKaUan81EW1XezLxSE2+G2us9mClS95CiYuz4Lq
SlJP2HXLBQR+b4+j352Bc0VLVQg3CAlWSw2P07DSmrUVwUzIGy4aTPIpuAYM
LmIKjYpF9q1aDVsGAxa/uPcxq8X4Lt5/eEnMVnw4ycuy4kQm9X1yekOyc/by
/Xe7A4TKPpAakIvsbEfKsupZcuqDxcz+1Oavw7iYVYQ86M9xcnZJj7BcEg1t
EXe9EocFH2BXz8hlEM9YW6GdTsRd2Dd0VhpxpLWZkx3GnH28BR9A1KfILsiq
qmSP0NYbOvjBO1CJvJw1/aac0cbnUNVIlkCMSyj5IPCcLsoXxKEW0SBbJJD3
IFZXiX1sQUJ28PDxxzLzLMDpkKTVEQ1K1bTe2pzqw/HgZ+Fnm92So7UqLecZ
AhNwnjMLZ5PKsxbKe29HKC6tdLkEoORamgFv33oJDZMT0Gch7etuz+ZGHSq0
1rLBFQkvaCsAfzlDKoMaOEG8E9bqtErnGRzGPvk+JiMrtZgisuH9qyNHKJ8G
UOlBR7AzXWo4/YyBs2x1tmIWpLKzT9t+ZY80W5PqlcLXxPMcv4To7fbYqC6Z
4XBumiZXTXbPzg+QTU7xIdCeXOFIfmjHabyXKUlHGAoJefEXlSwGbSjJduiB
DBzwrGGt4g/M/R655XXLbiNgiN08JqmcrYVkNEuDVXQXVTB8HrZaLAo8gs1L
Lyd1dzLgDEL+elyKa6t73OI+mMr8cE37/Qs2+vKFGb3Y1tj+WcP7uc/6hbqP
iGbqS/nWiQcaq3hf3ABUJvNiLBC05CMMRTLZbnywtD2QdvoKKYUSMguE3xRn
cj3owPb0dqBwSiqQuPNGst/CBJ2Br6/2a9e1dLxxRubRCAPk4rsM5f61GEbi
VZBqUPGJVGkuhfyIEBY621kKhBo+J/5khpGKumt/dY5xzGKZjFp1LxTTJW9v
EsWQInQLB/F50GU0aHUHgajTclkYqyUGK8y2rEQGuV3aEe+pXeid01BW0EIQ
X8UeDaiMI8PUpCUs5LSGOzNFyERU1n4fvtCcPfMwdcQGBmMxxa/mWja6jimJ
M6CnApqbZmCBb0sYlrm0+Y293lbDD3G3kRmCW9HD6zSfyNYWNadmDwExuF8z
F/cQ/sJ2bXKbVrklT9MJ4bACv0u4m3GqthmyrFlJXPmxyfUthhaRTNSSMJPo
g+Oi26pQ9raT7bWsuG0+J9vKEPFrbeyzzZfdy+C/7rk4dE9za2DDikUWuG54
raKqDXe8NXADdSENUnLg7PflAdAavjGMhjAxLOT5W1tcXj7W7CNzVzsfFCxl
bM66HOfM2VyGi60OR/nX5L2LAW6KVYrzt+2gnUjK2jInO9XFR4L0tqLb/mXn
tDef6bQiblKRkZRhMHCJ8DX46E15q+4IIy6O0F25xkdlu4hAuEtXZvHP8Ele
3DCjcXRiH4F4sLG4UfrDYF2r5h3cg9NCGKq42on3rUZVPqnjLJMwzzDORYP2
SDN9CX1CqsB75gjy/ite21pcgWsR/W71r5Xx1mQLPsfLOpBOjn0i87Sq04r4
UmDZsDtH5FMQhM+Ka7ChSXBTjyWabryVZqSMx5zdqa61LyGFGJec37y19YIs
5bzJTEJUV1lf3L7rfHdSOr1AvMkaGQFGEhzrhTnofGpgnJDYMRw+ozQ/Yp8k
m8x/VJbEroRfMUZDHZiv4jIVpqCpOUjScroVp0MuFgC1AWJZ+GJP02AEFhmb
qIdYkysfTmrBqOMoPoKokLb5baqB8Hk0ZTzOSjpgSn4TeAojzfL+G3duP21t
Yb8uCxey06QIZx66R6iObBfEiV70PdxZHOQy76GwOOhNta/nc25dk4xE7nFV
1rwMcOZKlD8viHjh8XDGhXNeOoLt9pA8uhZUBzuTwJG3Z641vDBbcZqliz9G
e0hEFW/zrKXABM7X/nqemRq6xXi2hHuELuByGuwRpHw4mkZ+QJvX6flQPEEO
mcMX27YjkXLHq7enZ/3hq9PDR493e2yyZixRaFp0OMTKqblAMOLetaSVa1yA
dpP7Zc7J0aolZeotaaU7Mc/d7IOG1eYI0PJG67BpxH0M2W/zdsjOKCAeY044
yxs2sNjnKlMC+VHGVHGwGLSQxDa3wZyrgPPM8S6J/ksq1drWdQNVa8VT8UuJ
6JKk4HPfsIoAGqSzub6JZfAxyFTwrRg1zvEWcUC6aQIlcIy5Z5PlQmnpcKqK
9fMNR2VPEkE0OyvUDNqvJ3bCnBJK6Uwvv/YpsWR7Sn62o7TnGqCfufyDRHuO
DuiqR5o/2zGsBa3KpdOENClUKoTpRPKCITVGEuZEbLN3B4lCHOfnS5iNrEeR
q6yfz2l1dlmrg3j3Bet8OGs/xfCZXD4QXMX1FJvJi5VPAgixcDnd8s1cLn7t
YyZ4tc9NUZdsp7LlDpHPE3fFH5u1UTGplkWjpF3fQsyJNLfKZwcZw5xBV/N5
QaNsnMLL0DlXoslyrAkFPkDO9ZiuflXY88Hh0z6cfBvCMnTd4X++f3z8ye0Y
/xBjvhK/qNnsi1SSICc1iPatP0gyuH3NNuipiRWNeBy9/gPNFjtARxV84R+n
boPMfG30PHihZrOMyw97m6ckqWqjzFy8nBsLbodUjblA78CjH2bcsSuju65A
Eu+6Gc81UW22Yr+3H5wYNOzazpzZLXsLUx53ab8QGPYEWVd6MbLEmCdiR4tb
dn0YbIBwEgKnKyApHIZbPpeSEzJKVLPkTbBDW+XP/9f/Pd7dO/yEM9xLoC7U
yLMj4ihwz6PHHRomv4Iz5WVfIsjCbxkhp00Rl2h/HjzuJQf7h8d/xSOODjWy
Ay6HCBAiZ/f3cHFplOz+3kO9ffq0G2SX4VwV17LrWMlURZKdNRoLYsW4Cdxq
VpZAqkSfCJTsnEpG+qSrqHa3LfBzt3c0e9AzIFXLiwyGQFrl2CtrvFySfO7M
5mAjShYsrW+cP1IzMIIyHCKmmn6QuohG5DAQY9En3qCgAqJrIxcReZBwGBz1
s2uynhtaFkZ3ZFFGBtKdCqyOx6UkPbNbZVwjhK6ddipb9BdwQomLgvKrRSZG
qPgSzI4i1TROFdDyEKevWo51XvskMAvMK0TlJ6jpuWVpFSrvgozuMQ0ZvIGH
c/nDWU8cqXmtWeBrngRm4JaQiIjiZGNq6mileoJjOBat4OAJiS4aBwfoNlTj
uZfS23Rr9uSHk0PZafiFjqsJFBK2Y0414aWxmXC64yQo/WEgh2yTFk/P7Dkl
tu0K+LLqwVNoWnTXctb0nHAKKKO83ZSUzD1CoEAsdwFZTXT0xWjThB+3LTlH
mhO0OGio8V2u1IHUjjPGau+TTF4i1e/aZ+NoTpS9dBgQPcof0jSmHS5g36Wd
xj8oQ0JqE5Bwkp2vxc7ZDROjej7jSGyuOrPFxzKzbboh7LG19ec//dd1MDbA
qoYylFPRhRDd5UWamE6qn481s8tsvebIrt11eQNaZ6Srt3R5U6qI3QLXdp7+
oTQCb0gWcb5U9VSxP5Qrcm2nzznpRRMr8rBCx3nDenKHwH52Fvv6qFuvKxs1
s1KCMZcSxCYr0kHgFUk1vUdUektHYr9vmOVxPvsundNOuL9XoF3dN0OkblRV
COfLlwCAlwSb5atqPrcWEnsJounjnDfUdiS6u1xFopT7eHcH5maekrGPpUrm
KTAw1PXUAfEHWFnEAZYFdlQm9XNpR9ECqydBKY56EiNfX90sJ1jNWvzj8ZJK
FcGkJ3kELCNZ56VV6zPAI/vVgeaIR95Kaj+ZHVzLnYn5gbEFtdrijGpHtkF4
QTv89Il/BL6k/ggUx0+fYF/lYJxY1DnEXKF56MR9MokIOeOyZUPcEd241EJU
lNkMGaTKq8Vn0CzpLsscck5phIRprS0bGHTb5HHym7yOc5+JAXqXEnoeKBto
u3WQ6hMUDVoMYIPnW9Sytp+WdLHnatSkkCBjOAAzJ3kQKFFmQOMkpZnEsZXH
OztdnAictG1RoB3aG1VjBOEpOgOOqySu8qt0tGqkbIFfc3/PiEt0inriMBbl
uFVxEcVAuVTDlW6QYIIE6sUCfhPLYqOj0pOwXt3TsoXwWraCuqi86RU7+SAb
9D7Pu+USRuEFnirqfDczb1da5/hdX/jdA/xeBJHDAAnxDRVorZVx0YU+Wbt0
MpeBEqNNhnIbyD9XPSklY71BDzP7ITgaTVRNrwocPsQ+ARQo7mfN5POuPY2M
ufrn8ecH6tL5cXJgBrDtDXZJO2tUIlccP/LVyPPiUcKz02K23rvvzFvzenNA
qssJH9xzf+9wSzwzSvlEh3kMgWs7mk3wJHY9rEpd+HpcLvRYRuE+txycmtam
lEsM9OESQYEQeaOeD+j/fTOPas0ICQYVyB+rHEB2j0+xWcvw0ZBLziGSb5IP
wcGJ99yldyDzkM54mM8ZtspJTW5bdEoM5PNpOj5JsfP09fTEJZtOXK2bNdIq
urpVaG1wK3nVNqMY6WvxMZa/LF1bweQp/VBnLrcQcDHI75gFDmYOb3X6jp5t
bf17zr5Jr6osc7WrYE1cPsGw+q0LNAG7F+Q4t6pZW8rWzotXnJTaqt1sX3V+
RtdFmlc0jPB9QiOICp+g1PMucwTHDM0Owkbc1PGy49mbqmFYOkiiEadUaM2I
DzR4EIhYR2MLU+wQud1tKQdzson5s3NdEr9FLrW2R3tDkBUmChSGkc3hfVrf
NCBEYBzQBp7YJnG9VTTiyvHHcHQ7KtPhLlDBvOtDOQkpHoXjcsLoLYhX5ap7
LBhrkFWBAcCswsfFq98zdfA6Xauw4nS3MQrP5KkdgktXyLSIytfS7ba3mZ+h
HKSeTabn0IVuMy7sykyqqHrbnt1aBBDMGc/FmXrRhp+vn61/5moZwp0bBEbk
PWzbuxwGCbAwsA7ysZeFJuQCL25eTlz+HYsw6I89j9nDpht3lGLJJpU7AxLw
c3Rfww034UnvhWYLRwpE5RZeJITsB2ucsLoX1f7U6TyLEqxTkRE3D7McrdIV
BBs1CPIvOETMWXmkKeeuRmrXWkcAZHHxKzR3gxM8xA+iVia/K9QO15/Bq/38
+TBaafy+85x4x3X/ebnKCmBVEvOg3RhSFCkyckbGqz57YSrOlF5rWeDBHOrk
16wq+4jYzLLJFfuAy2lfgY6cm4fNxVl5J8HcmWbx4uDMylrLcX3AWXLwSP5w
HUFWu6iiHAXzkWEXVi6fT+/CDpMyrdCbFdMjCMHiOVAsAFVpp/Yh3TV0538F
P/RRbbag3JHierWWW8wNGJn8hjLDtznHGrEhriwbqiX5eHCCm+7v/+NF/8Ug
r5ppfzytrvqjUd3304bjGpvjDCmTQNlyXOJZx2dtaeoibcElRjAMTkRgHE8M
8xNNtWZ3XwD6Ec9Jlu6zRazQN7QAlq2Z+3ufKPGJ1TR2RqI2wrnAyEYAEFPb
PtZE1tss8bh4Ut6drRdXsNbM6Ywh3swouNclspkLMdmRSALDbXLs4EMrd9Nh
LYVu+wlthj5XxDvzUTjVV6Z6S5oTNFpJZISOwi4GdQgBxCJ0EqkEVfwo8b+m
nfXW3PgLtda7WrqnNbYhp9BScpGhkqjow5/FJqw0r85YEIGH4fRHjTtLnWqE
QNCZHacklM1rHFs9nRuqq6RsJOdAiNRpAhu/tF/8NIUMvdj3o2mX3Q9P7iSw
bVm9AhEgWZlxlTfK2Fl7s+Rt3er4HK5b8ZMj3dgb++idwsgDOvhYrqmgc2It
yHlpOdFZYQzh54zEfQ5IMCk8DIZ+aEgJOSqotQqQ83kd9NpELHk+c2eo82fM
u8Qa1EiDjxY8Jd3wjSyBAP93NWG0on+wt/t76fD46dNf0cwx2bGOkMQz8cxX
KL19lrxK5/AMwBdR5/2z1XjGCSyTuM2YK6SJdI+2nKlXBZ1yAAJk+gTzhWuy
Bb1hbG8ooH4V7Bh/n2WT/lsywjWvhX8flrMSOR4779++H+5y+oorXrZBC6sY
RA+g6+1qkf8uG1ySn9hr2TevJYNZ4FpzPzt/0l1eSWNHKcvIFv16gUMX1+ex
vj7L2kMehkMIEexYwZUibc4T4FG4UiIO82hhEjBzWVkfCdqKbiictbRynjfe
eJsxIrVfGEvetdKHUDwM/K70qN1u870Ad/3qtpxuyx3rltNmmnjUF/bNtCc8
0idIsz88QH6S3CVt/rGu1tntj3chtKIeIS4OXgNEli8XdeKb5GL4/Ref5dMN
Tmo849rhhETiF4w3LkwY+5exwRy/IyzJXastFlBmVlSWI4/A8hUMhsmqzRxB
2PV7nFm++fTPsrQqLF1Od7DADF5loyo1p0KYrKSrUcvCthpEYiDPN71snc3Q
h9+Vi0Uqh24Q/tJmAhuOvxPQdiTpFoGfS6TVt7tX5iUih0QN1lYz7hQ4ps37
FGGoNleqafu0Aa5yLtLVhD3n19a8vol208IIUWIulEKfSlunDYgx8Tptv+vT
mkwyCM3kQ7UsBI9j4ZrDJu8Z1R1ZNNvJDp6/61cn+Z1F4jS5EmDvWTqfcZEU
LmY3IVwD6B+6ePL4YDcovJwxpt6Vnp6lBDKGw1dOtUfz9bq+nvf5bjwJv6rO
6zpK4uYPHrv3/htrBvlJqzT0VzFrJ2TxCdZmY60YVNG0Bxj6Qz1D1hYrLZJh
2W2WSJjT2wm7HsKtlWWplzpOtIs59xmBSoNPXW/osRdMMg1Q0xTWV9RlX4sR
t+kQoEoE+LI9qxSUciNat1fvXrzZtWILgThAayoStozNK7lB/NR0QipQypEc
AacSZ/osXRaMduoqNshaaUo2SJlut1k7E1swni3WvCI9cZGJiJOxleJecNiP
Hna1IwidcaY8PbC3+YVAv1jWnPCpViqHn2S8I/F+O6d7WIjMaRESMFS4wVri
oZZk6bw5lmtjiizNhVM022aQLme8/qauS1WW88ZJZqo31xVukycsHrVZPs0k
k8vg1dpVnxxg3DGjcyJIc2ny4c2QHkfjv05vaLdB0HP+Rmtful2IjCpTgeHD
c28OLFp79zSv5gJLHRSLCfSFOtgV8FGQ8ca0seqeu3uWXcEnZHgNUnKm3419
36k6fiJwmSYTqT0tfYhEKtgCjJY5KUFjxktPzhGzZsEJUvZnzDoDaoPrBBhw
LZwwWSrvQGHHpjyjKktNZg+QUyQSmY9JZeMSV203WDmrjMMbFjWUYdNe+T/x
J0nT+vZqa+s3/Q1/Nn7BX279MdnwZ+MX/GV032rzfb+07/uSca5f88A4o1f/
L637/sPafb923pf4dKCrdLF5kNGQZAG27p8l37wt63EqcP6/3ZZf5iRiZ9si
TOoIGZ1B8lyywQS4vVDmpWIrYM7Bc9qenKiFMuKOF/iUb4DVu/3LNu0T7tXp
dUnNZfeA7cyaLHFF8ic1skJPWG3znV5TWZE+xhxNkhUEk0mCYAIYEp0BkZrb
v2779yOvdGasu4XI3YEHvFpj75nSgtNGaGZqvvOjWkw9rG8Ga8+0lyJkz8Sw
uTg+5KCl8trlIzCRQQGeM3OZNrtl3hJWP+d013KhagHoL/SScmhN6ceaaaQK
zjkM1NJWAz+pJb257Aj/NLHQ8spxWLCfpawx0YSu/A2N+orDq0tO5kfJyVzh
k0XQzALMAplWMBBXVxzSmxuYaqQ9Rc0mfDeqXQj4KPjvxQe3uVSSSCmzoyMH
pxhKh9GNFBYUz8FqkfGdz6VkN7prlwvT/ZdZqHMtrlkUdm/BIBwR3S91p4gX
YN4ikbNfJG10TRxbnqqM24JvQRYv6glnAqWjOSCuN0CAUq3heI2kc1ynb0sz
6QlA0NSnX2labR9eqr7zohokN0a5DvTMNQ7sdXVhegTlLZbckS8mMpulcnbH
Sbwjrvm8KIry1so4Gy7hnctb70jJENx1BRwpddKCvcfPH2VFNs2bgKfcklEy
SzVkZGi1JHBpeXlHuVRkpCmlFYOs5gx8U5cqydkhEr4q4V45tacJWzoaYnL5
2NYJnolgcn5Z5EwYDroowN+CjBxTG7TZgJ40cfaFMOgSqtJi8kkmWANSCTpa
Tq4ynxbhxuEgTicC9qLxN2H6yEuEOu1Q+phr0e6oo4Qn2frLTHAT1stD4egS
YljXBOwqJMcoBrkypGuAECg3EHphERyCtm9R4IIq2pAh7MOANgIR5qRucAE6
sTonRd6eKZwbcqtgGN2pck/U9ezXzC0++XTMlsxucmzHKVdPcWW0tgWYeqli
yq0YuKLALtIGBZrYEXRnFcLak143QYUF17qVM42TMcYG7imXjVY6YRhaf5Mh
S7xWrZpd+HReEnrrTYy1l8MeV4ezdqbJC5dW66fKiuO3hvhAB6y3hnMY4Qij
0DhDlq5o4a7qyGmyQfyjVbEdgCj3vQUUgjPLq1gL4L4LbM5dsp9Qn+44HIsu
05M+/zg85MMl3PMfzs/pb+3teU42v7ARB63WCsyMy75CmLDTcmh6eceLzOzo
SCAcC36jT0zRzwV8L9S/GR7OkJ1Brr7y+WdJky4YFpqeC0Oy1GJ/pB5A+Lun
9ZLLi3e0hyYuBZWYekpzWihF0ayjQazKWRn+VqlOA7IEiMH4suIXcXqIolXz
5udD6aAcEtECYKPx2RP26o/UsxBWgzaplKDSO5cTdStK1Wffm08queI1yYrb
vCq5F0zQUUbeuVwoNqCDnhPxWGhsGqJgG9X44u4RQy6d9AVUH2KPT6kcTQOu
41ok2kJ9xiUxwH5fGpeuAIOTzabOiWRTEp4eTYe0mBQwd8wxBBLril1cdPWo
5DxnKBGTctHwtl2U8HFk4R38dB2eIgpO03k+y9PKO1aAVhICsAoAonGwOR3i
peqdrIfF3I9XmpnWnVaMepqMsisoZ6EbAuO0aJ96fAACYsWmNQ2Ke4pM5Umz
lL08BfBRycBYMLM3EBfH8VRv/pkLIWC2fmtSRAfPW1IkydRyuxmXF6pixTKt
X3NwuFXtweyRvQPoLRUqRDBtaIRwV6pGYC7nWMS0cfMV3ZC3kzewPVuywn4t
QmQQ/Vz7I8WKoudZvLhXax2r8jm3TcbseorGRNunYgTlpB5nBUS4oYCaVylO
fYAvzRfjXP6w94GToVE8x1VOEbp2wqJklgogIzz+0z7OUwoPaZzDZyqcxRWF
R2i9bwfauXM9omXgcPhml21HPqxEkZ7tyY42XTxMGvZ6Oo33R4+qkqFNHexz
4uDC/eHXLl6cJBY4bXrJ2Sn+8h8lb9OCtgXzuUsfvn41fKtcU/KiSLpdM+7e
sMHSQJ3nteFjKbAnMXVDEGPFy4gRtC2R2NWvWoEi9+eyAB2He7EWynMc8PvU
SCUru0awCOoIsJC15otNV55yfcT4DHlfZqSGI1s9E19rZzXJHoveMxYF2WEg
xFrzerTrLA+TlRCtALSFYT852MsZXJslsnrFJf5AFxtLiovyQ0i55WCilZbp
4341V5wEsNhG4E6XJHCjgJqgytrPoqpP9LtB8r1kHigVQmdjXpdXWbGyGzkU
ytU/TRY+7O3lGUlkxlx6BXkkIY5WSREUIAg5ZyfOSuWCUTOvVoDNWtjw4Uo1
Y8HVMdbLTBrTzAQTOJ1sznfTksZ0Vit8jFUGWD+rcE1CDyVDOgRVlff30hJT
4iDftPqPb8L0u/8mDnFubcV5ApuS+ixIo74JllwxiAUbTRIRsiKKVOUyqglm
hmbHc8wlWkRXnC/HMzoYwGFZSMKKFnNAFIFX4tMJew3Y30JiFd3YobptuxIQ
yy9yJSFpZDczngDbVKh5gjSFhSpNIV2CaR7UIUL9inpQ+QewTneXo3r3XLRy
CThiq7rXmwrDj4eZgZDMbQYltJcg/S/8XewQS3e3apxeZ8C0B7m8nGUbvsRe
ir+pSm3050l1OgvQ9NyQp5mGxblPs6Q0Cku5K9GVuCn7qWwBiVcwk5KBOohS
ad6Xuj5f7eSP6AHWpwRPl3LozXuxXWvleypozxFxMkVQWI6DBd2NBPdT1OsA
HHwl5YX8pNTyeGDipVdF3mAhpxHoNjA7uLzt8Z//9C8H+//f/yPBPnoOg21y
eZJM8K6Up9Xrjwtmo0872OfH4Xm9uKOKN/o7nhYnaDZWD+5dAK3cgXZ7PsQ+
jEhid9n6LV3SOc7q5euLf44EPFDjwjMg2JQdwIp2HCRHqaeJGb1E0kaYdpZe
4JpxwNl9B2QCDR5GbCvMx7R1NtMx9XseaGTmvPSoqWpxcHMC1qCRzcsHISgJ
3HYP4U3KZ+IuXW3bEZu4fmvBg6dEcfaVe5gyxickBheMuFbYTXNwc6oYEgqg
EERQ/7D85plVBrnszmA9GVvFeWXGOAUoFnXx1va0ZJ1toIJl3wbtLbKrGUmt
EfwN07RSgH49ZmtPJL16gpwEyXWQ4ihNgmBcsajajA7elcjQAHAX6Ik9ZUdV
QJqAoq6Uq2ERMPFp7UDbSwXHcZpC0Po8Px7FM+24wMhEAsHhEiyJDvToa0lz
NM2w56Da2fXEeJUef4fZkFSyiNhg4z5GN+sJD0nH7E6wLGLL9FcBF1SyYWo/
LxHnpcuYezs8ioAStHJjrppkzF8iC1SmC1tR90LO9ZQh+BewaRbjPCg4SNPK
GY9PmR0txfzkgHRgxgCYxW0l2Iot5AC2I8MkNDbFTf3pteJRrsBDZwKSqCFv
EC3rG4P9t6PyNujvqLB3HL73uXEMpsGhNsiYl3T3AcJsb8tKcmmKhvE2Ne5O
+wQIFxoBEi8Tu43XHsHi+86ddYnzyLQ9xlVLJ5xqM2a/ryyuFGLHCr1n4i7h
SXCxf8+OQr3g8aEtnfa7oyXxYzvE9N5hMWhMEG+9qFr6oZa8uKjFZ0zzT6sI
UULrthyiZZ25CjrR7gsBCJyT2Y0iPhypOj4tgXPfAUaLQhtk/W3WZr1BQaos
7tDEpsvXQWZkyswcTch0yx+cPNln1xMAOBrOTvYAnzTXNynnUotVkVU3s8xa
f1iGpuqi6+p9CyEAsEPugLWTY8OT18Rl4g9AwA1gRq88/IEijtmZDdSKV8+H
u7KPmAx+ip4SRIfAkrfMMlqyf347HCpMwtEJb/RXw+Hem7f24aNHx+LqeH75
Az7DP/SB61mjjb+9H7SDVr5YtifMomseUX0Wx0pI2Dm3IbdKccFchrThgoK8
cXX/mn4hrSukdSgHmzQrsLkOQjCBPcDFaZfspuREMYPyj7JGHHQNZFEIytdo
8pQxjVlZxyiw4iReJXjsXGJHWSGQMW7mxDeuIBfcmXLQNmmjRW5DJciGLcA2
AHvpuK6JFt3l8niFyXOm0D8SwAg5JD5+nKxmsIpo5NyKU7iQUZoc7vfhX3SZ
Mt8GkbdCS0pSD853uK/uSHUvhqqHi5y6VChdMt8/RSnDWWCSHGAIp42r6WwE
GKHtJrQUCP4Vct9HTDRUw3brIHmR1xLO1WzN1ZrLsNHyTrjnihIKP3FkX9J1
pxaacXIp/YOfr8rHN+YWcoAetmvD1bE4pyLzGL0dfp5WGjE9UHMSFAjK3nSF
s1L1IiincQYFMrZ0qombKqNoDBI0HXcOK5Zvt2VuPAQpnHCK1BpTtqR5d3wT
4kxBOhb7uFwKliYxGAi6bFKuroTHdMZd2TjSEQbYXS4ccVjxk/vUNEZTrG0T
wNHT5B6+Wm+U4wSvmKagr3fFgpjo8of1Wt6RV9+/J1G5w0wbsx9xjrAqypyD
3WiIocoyJEQYG4yQTjn/tzAwBHvltRdx3RWKvPE1cV6zScKl8ceao+UtsG7Z
GnPnpR04YshpDQPSgGu6fHXx7myo5AmhFNstIXN/sTC+m4yTK527kpQ3kfpn
8Ah+Tup7t+EnbTGERvWtKBdTrgr6CrLU5/c/3V+TxHPOs+aeofQYSzKXznA5
ut5VWc7dSXiurXp/gOus/Ostb8YXnndmlBN1hass2EcWY+W4tHMznsOE9R2r
QHHjjF68y4nIWqAjHUPkF5cWL4+xp1itTFR+s/PqhzOBII0+trgQ8tFqruBM
WZ7RFhzfJDs/nPXfvrg809qWQeAgcGG92UyVnVFVoqcRK5bvWUM7RnU8nW4y
YZ4lmu/v5tjjcpcdVy5hOmlHPYQ2QiOt5OL1uSaKo5SBtg4Xkm1tnT5U+KAV
fvk6Fq8/qi1Y4JkLR6xXhBoQsMfovSsl6oQdJAjHvgGEgna4XnPtoiMNgKx7
QHoupbsF3B5UTO54J5Z29uqqnwfY31xgWiVvDBZyXEgQqDZkRue/ZJO+AOm2
5h6CNPAMJL28Cy42jIOlEQw1wwMYCMRdGZT+kflfM3zGC4EESCVaF2MBJDsv
zl/vilSUpHNNhEnDG7XcM7rvNe4zlf+O9gBdR8+yHNAA7CUN0oTjpvK6XoFj
PXjLzqvL1+e727RT/4GU6pODpyhHdUUaQX+JZDuiP6cQqLuHm6s7HFluvDEx
4AIifquWaJSxQeBICGILQVBGKTWNrsqks5IyK2RV+LO9VnFlG59DGkhLlx/B
luvEMUnEM8O3sMPGjkeQdWBoB/TONbwDK9PWiKBF9D473I7XNxGqRHR+Pc1H
4uLFKEWV33YJq9IwBptlgV8s+1O0Zr5hoFWuKjzkGyTo92x10EO3MhdjE9Vw
YZUC1HbEnM/os0+f+BhMsikNeU40/i4rdnaT/n+gI3/TS+qbXf+tcD36XL6H
njBugu9fZPz9uOH7cE1db20Jc/n94ub31prMb+le8vvaf+7tIPp83LjPAz+a
y6tSCHC/uTNtMg2i/r6u/UMjrxtzJU+UaX61jJKwuS5bUy9nyEpF5iZRXS2k
MHr8LE68785E9wnkvwl/3nD1H0l2ceCJfvpjMiTLixY4+eNXP3tD2vpvopx8
PPaPiSxy8tto9f/Yb1/4xU/c+OcrLlzcfNmFQXr/l79601Q2Lsr6I4g6sveF
bP5Y/F1H8SUXjpvPXRgUSjxUk9F6NQggk2+d+fbO+eInfvGsfa1Fk476NAL6
zwouILLWDypqLxibNcDmmYgap1eQWrfxu2TnlCStqB+sCgo/2yxsMIhAaCsj
LjkMhyYEEupQX4M1XmdVogVeYIAlJ4NjBSyBqH90+BQeWucwhytplvVhxU8S
jpJZTI69lCxtMpYTtQ6OX11oFapl2Fg2gYob3HHHXsJA+4FIIttrJxW7bO/t
xdtzCC1kEF1+d5nAAJ3tOkezQk1P1N2FiFk4XWgw4hMU9eULeDMG2AVP9vq/
a7bcyZffuByesbybVu0Zv799pf2pbw56xDoP9LsvZeFfcxK/6ko3lM9d6Yfy
MBv/Qg76MAtd4+Se0LUsLBP6a+gQrcEh1uDQvvqqhzBLpa18/gvJkgPw08Pd
r3zI34ImX3YlTfIzV36ZZNkkWowOh6DDwa68u32lMibFYyKFdFe/+1Ip9JWb
3xeXfZ5KYwWJ+re7+el/GhhtE/BvNJJYVE+u+6kX1S02LlKbJC2E9U9kTv1j
C5cIaR1Bo7JQR5c4rrWJWNP5nTUg6H8mjiIDjQ1Xgc+n25Xbm0gUhm/OXEkU
mubih5ROOTRuLdERf6cK0QCiLI00kp71AH5HMvEikImx4vHugjUPdZJaQoDr
gXvtGjZp8QLnmW2Yv2R+ihy3remR4ix5WIfhxDQ8DRxs0SHRTIqsYWenIkvU
uz7rvUI5e87u3/t7v+SI7l0jtzZtC+8oGdfhOghBexpsjBQtgVp0md7MtltF
1GwHOwDRzHKDd6ZhmOk2j7QfOD6R2pVbBhENFcTvBQFPFcMI+8gypNpVW/L9
hSgh4QTgODPASWuo9Y8R4D2ZxYe/tzrUvPnSlZTc9PEaDl2gFxKxX8UENrWM
yav9wDBL8+NwLJKjY/n0gSGHDeiCPZg7L39QyMJ7m4gTAN4bCjcnEoRH5MWr
DiO7Xd7ezZH+Z1TnNmkuDz3TayZCh/Uru2Vv15XdsvffhNrZ+7Ir/8eS5v+j
qbL/GspJv8g/r6FIaA98s86R3JEWGYMTKsSDRtfHVr9pbgPTT8QG/706jXZ/
LxKn6AO6rUJ9et3k429ZFDlwJ44Ac0K0dyMHrJeTGdImwoqyauEQXtDlL6qA
DcQaN0iIRJpuIVTASF5jppKOcwmDIXHFiz45mFbYTsnzPNOiQvTOoAGJyVHO
u+o3Vb6IJhO6Yk2iCIS2IEB46cbokyLCOSdfOqKMVJ1oCzwpZKRhcFyj5+C5
OsSX5n64VCHObNTWtwjcjDnu5oulpdu0JbzrMFcOHkBqSZqqa+rcNGW0clna
VTpBb/CpdNFY7w/1b1ZUfoVbUbnFwWcc0n97t+JDF3pPxt/VIf05/r/ukz6A
U/qg5ZU++Bq3NFaAxf5hawW+hph/mxl99kKaau9zboi/wr990HJwy8bcDbei
XHgIqh+2qH642+nWOOMIe1bt8GLRvbtt3ervu7Ux8C+68F97ax+2VkM26ddt
7Q0r8Lfb2uuxibQrOKFujlcZZNrv1wf0+153SoCoDnZ9ryvPZL09dCMpU5I8
EpmT1hKeQQwYjxqRBE0Cydr1CgITz2UZtfUwh9lXB3i7eOnvcXL+yEv2exW+
eq0UY9witzEvwjTRCA96vV45gMa3XP9W1qjaq2H6itaVKzB/lly8e9E/Ozs9
TO7v6Uf8hCzkqYlk6cxuPWF9IMRH7h3cIRQETgdM46JZR/okDwd6qt6gONNS
GyQKDVV9QAaeB2Qc5a7+Tme/7bQGD259fnnx7rsfL5Fm7fEQLPcxjp3bcquP
JipLc9jTDm3C0zOrOO/ADzdIRdZUfMFBqAN6aCDNpx3VWYOYfZjoig3JqrEL
6gcJOiGQfOS6kfsVdUoKw1rBK/oc3Whkj+giocsGSuxarZjCeaFumFvZRlRV
LNFJlU6bPqlmNdeWSccAHHB3Ny6W3LFWXwEhAC6ureTWYcxdRs09QQyxIbq6
f0axQdYtFZM32XGbm31DsnF2HVI+O/CuU9Lw4YtCkpyU2c1861fQwb0z2qm1
ttO5yxis01LotItcY61ygt7SHDHUcmPav/zoJenKWvrFDXlVddeNb91zXMpa
BHJnkHCoLIGGrHDS/kB/Ywd6a8t9CJIIeP0yJz6m75Z6k3SSLpgUZ3yy+2c+
vUQapO3GWasTTxoip53e9Tw6zryz6no5PzHWq4EtuX7rciDXejwKx+mH5WOu
eWsh2dMLLmJH4g3aWuludrN348VA+Yip748rgYR3nA33DxxQ9fNXr/dPuK5J
DpSHhZcGqq2MStcLcO2NtDg/gsicV8locGtjQpKgAclJSJmupKctUdquNi+P
UXYHi4UqhjxpQQ4EUIbeUAsNX92O6lJtKkk4bDcY7GlbYam9CbYsZ2taw5UA
8dOjKSQeP6+96JwsaXMPMWEUdLtByctnKaa1t7NV1PtipeioUp5DAjYC7RBH
OS38xfmHl/3brGnMuWrecU5ti5pTwF/BuQHADgxOKmoHZ+XdwI+OlQ+Fnwcy
FDvSug5KdwKjz/dzZch5o1RXXJdUUETga5DQQwj7pG0tdHZueQzmZyrdP7kc
g5MionqqmMOZriC1sMZm1QM+o70T41FGGkkIZ2KkGSTCoZ4LI97a4hPI4BGS
pIedSTS/4oIMg2/wjL4JkNM4h8MfBL+9tTQNpdvPjOXHskurQfTkbwfcRC/f
7iXbweIEn7K3M7qQ8a6sIMt57a1woB2pky6BI8HcY3Eh+ctgLTjhbg0vCtvZ
6txRfdLqBKGXMAKgc8ngJHOAwj3f9daRkumldKwPylgDl405nJCDLDkwXuOI
Qy0G0MwhQ+n3UUQKZ7sS16t/caZxqIBpOYg0h3eJiy6QwrVg4Si+Bd3jh6dh
NuTXPs8KLqMBBnpgz97nF4/eUaqC4GIyEi6FCmbZTIzionFP1Y5VAHprRCNr
6/uwl6zvQhlJvA0Z+MkAI1zjM0ZiihUK5oQp6rSkkIa3kLtGalVC1A5LmFLk
fY3fXbzAGArGGbfKeFrxbL6QrCiGPFhF69tBl1pa5gbbTL8yUGrOV0clVdNh
+khadaBtmVtWNmb9wAbmItJaCnlQf1oYAJUBqOsCwbeu+eKuoa/SjJlyKHtc
RpcHCYgUOR7uMy1AcM3S1X5FMVFQ+cjF88sGZlc88EkumAYuPO1AkkRG6F6L
9CAbiPVdbeWum7rCVWx4y3ilXXu0Wiwvri2pXQW6oNdHzcd6hjTmFDXdAqqd
8Z69Wqa0h5osE4wAeMgNZKZLqQ/as04mVcY6L7uHrQtQSC6Zuae6ltdbsTKs
sV+tuERhZZrMukAxkjkIenUttTiFaIa2+VXzM8Q9CENGOywXq5bbwIDoBfWY
lOS8djLbH9W0VgCtRcoqFb1bLDBJheANrLaw1ieTCvLipfbHgrAMC3+YsWsE
BTg84dH+VhjOVCB69evZzIAH4t3lat0A2s9KUra2m3kbay05Jyl+c724QTuI
t0K3qFYM9OdCWSn3uM5M9wEYyFrNzbbV2hRhdU3U47qrCarLbFfHw0O38jIs
Zzed6QEfeJ7ST8vsR+n1zJBygSTv2q1qo/oU03VdNbBAVUGeA6ZM28QJpeuo
3SGHnlhhWODdcgDk+zaDkfJRVToFvM2hTSiDFg5VJ4ZUywu480rWISgMPA8a
boRJqFtbcsdD1TfRHQr/oOVJrQoqoRZta7FOTs9PXyQ7aZRrHOjE2kHDY4CR
PbHrrUsemB4KTBCYafGzrLQ/1EoZUYhJE1xaG5CVQ6emTdHXk8LFO9hrACFa
WIV3YccvanHafkxX77u4OC5qK8tTcn1oGycsdC+Y8yjCNhP71Hd4wdnsL34O
rNdJmYmuYY+xUv183M8WoCYQkaLcGJmZQADyoFwJ5otX+rNo8QrN4OgSL8Bc
2gK1Gi6an+Zg8CjoPCkuJTqkRUlsS3xFvyDzGa4irT1s98xCL+x1OITwAKio
Y89wqH2Jp4Dr+fWkqjOkBRwnbrpkSrSoHT4HmxGM2cdOjKirX/2gS6s9AdhF
5z++7J+9Ffimofy8tWUf7jAQjXoHlgUjGcTuG/PHamejVF029/ffvX3/9Ckd
SLZMuyzRTZQTz42T3LbPC9fOfNUT17Ac0PGYQb9KbeEoDgpAz/QszsyjRhMW
RnCKcBn4sdUobxiC00Xsbfpu+Tycmopwp3S0wB16orGYniDKknHiqHcqkO7X
ITuZ2XJxPkNybu5IDBdAlS6BIleELRAGCsfl4bl4YbX+21Qvm2DgKBrakutc
v2a1AaM8qQVmxx49CmFQ15bQ1sYUnFBz7lwn906nZkWgOtpC1zIxoo0wSN4g
kUQH1rNd7le3KkcMWFrTyils/UP7s0c6UsWmd1YQvzKctTzwxeMUc7uGhxZD
EOtFRLpBbXTddZzTB7x4X+uti/xzhcNDthf0uJeG7gWDaQfRDBfwgcMs6rYc
fAV2VUcjbL6M69pzyKy+eJ56DqI3n4VxjV6IlGE4B1wurs4/P2ebVciDv/wM
S6jiq/x4cWdVlQCf8d71GAorW8jRcutMxHxwqWFKq1PHOR4ZJYvXSwthdVh0
HNgfl04kzFOqvkekoFdloV7paDnw3D98fxsySojpbh+RmnE9T6F7tbyMXZhK
MdZh5GZkAKHYtdjhUhS26Ay20DYJ3YrosOZaiW47oXgWORy3nUbgoOjVzUha
pULFOVRsaXKjdosdK+yRVBsrV1JN38IbuM5IWItofpE1jCJDL4sBFGPmcP9N
0K6SbB3BWPQ9OkWuPgBc9UALR22i6UBDGbzAEElb4K+4WbqBJm8iSNJzQQe0
3oc7b9/8dL67a50R2QHRdumvIWdtv8zTBg3d57nCtZ+OgM+LSvo3qyWCIAl3
xLF0bou3AtxrtaRnXWe39Q27D7gdg+G3VNkfdE25NEGPbiUJejE6XjiEnZdD
p+EbnokPGTh2njBoyLLIwcBIWURWmRQcWiqeAeK5tzOJ63k6mxlEbB3C0Y5L
B3PL20dARARaNgDXv8nCY56QVZ8Ly3ZbsQXypL1TfTtVfRRP4LsUode0iMYv
A6d3+qw6U2YMYwlGOjEw+YLBlBLpNZ8RWQ2o0+9IA2Jk7HglYClNGTn9L0q1
FNHCNGSlJ2yOxwWajEQXYN0ceXhNqMvmXWJ3ceDl05PPvoTat8tomdOGZAr0
ytBkcLWfYjD8g7N2ZrS+NdFvBla/nPfDKgY2GtYXoH0Gvrv8naB+0RT74reL
0Ru9HrThJHzHbTB6yWVGak7VCB/5XZrfLAvg8wF3K+jTmQbP4VMTJHyaW9+h
vzpuIPUJBtmsBT+Vh85QnyWDhuvpJ9MSmA2zzLM66+ZFx6pgYCPhMQ67T7U4
Fpp31m/SORG4XRRHtBvupTqHATSikd3lE2Ak+2hessOnBOj4U6cQeiCjZDFb
trEP+Itda1fpmx/RfnYu/GDojOSKlqi+fapOkbU63d8CteUArNc6PZo4474q
E1HfHRkXpRlek/KuEOhTT0lORrKBIWO5QStUF9nOm7qNYeiO8FQUkA3n16z0
UCO0zzo5xgaO5zNLJEzlWjcrezUXOmM2exohRcnzNXvx1/BaYLmGktnTLACJ
Sz3OnH5pi0NrD0RUIHbF/UexAn2F9fHm3rLgCRhGJndPSR4fc39vI3JfiOyA
36xySnB5fH6SgXgiBZl+AcYtUY1b30hSFn3Pqh7K7/iYADnpHzllh6ikZzBo
LgQUIhRA0V4Dc414HNCaZebQKIVXttC0LMjeQv/lrlEGqmcjHIANSWDCIUK7
2iQpVY+aZ0y5c1KHkDDQFx0c3FGmwbf6qPm7w8MkJ4gMVWw2nhqTLimLqFYv
UDE9B+QXTCtJPe8cnbU2XX9vsjPkfKU3F8+/B4bmrpgRZioSSxWMUKUt46lF
2Qgim3pE0UyQ2YMDzvqxwta+z8YmvlzGyBlL/RxOfhY7Tov0ndiTZUNi6lef
DIO9zViWrkF7J/ik5XhlgAgMemWwAmRod8uCl1ZjS8Uq8Gr7Du9tR9z9fQD7
+sl4rwtnZ0AALhzSgGNdYI6QUgIN3o4eTpZrmIDatcqj4EXChk82iavlAj8e
/ufHx66Y0jnlxIAzmKKe+h2Ny4vvd03H4LPoob85Sykdu0SX1vWS0qX+Fem1
xHv+4PBpMsqbCHW0lxycHHZ8imEdPnq89o2fuY6YFdGsaos/7o7FaPwt4L9e
Ugt8ePeB5W0sF0QngtMlnEJKk1rjPX5kzkvsdBvNF3GWC5te4pofZauSJVrJ
bcYlWmhnJYDfjQB3xa8YuqrCulTOxVLuHNtvqzAlJlVHyCwLnCCbncDiuop8
uqR4zdCoL+rfEJrGD7mMXEeKuzJ4Gfu5n9Fq6s+9QPhChahcaJljbbLvLbDb
00ytrM/UCu9n+zLz6N9rD1mzaBluGM9783Yo0ij7Z40jCACzdz8nQyHRDu7Z
DTGK+QGvSANg4G1gga/f9Ar37JFJil6ApP28xXV5cOEOjcCeKiDHIfDwgxDF
IfnWwIBdQycux+JqpYtC0entdqCxCorp+u0lMMnnOeyvlifOdTp2nm8ib0jQ
CIDPek/Ie5yuSJKVjzDrUQzoF2CzO77m1EH3lfMWeh1F5GbtwdNZdbYmj8Ty
BtFyO44VT6vDx+0L3eWUli49BUY7dzML3RVztNBQbHTns+ixKYiemWr0G9OP
DboH8LfhKQdqcx9TiWeirg981n/7QbbjcNiLMl52JVadXK8W6AiLZ8h2ug43
rsPW1YCkHgK+HO2R8ZVklRgEst69GkQnwtLgauuDwChD8hhUd/uJhHjimICp
U+FJ8E/DK9tn6Psi63+AFhsdpv73H+AbkeYHQftGfsLboREpeScacHCoxBeL
oj7TUdqcIsnrbnv7YF8Mbjd0VXH9vuU5z9IVpBp6RXasKEYVxOFc4Z7Lg2sZ
h4bnh8QhThcqJAgbKIHWxoZVkEXmVWYD1Z4wWwC6vMuw8WPW4RrQbuvZTD40
Pi58d+fgdfw1OrJKT764V0Eev7I1MbtrwCTR8CqXPpAMg7/FBcpF11uOmJDM
DGml7TiYpO4lnH/OglHPojqHfLqb6+XntB99Ki3ki9iwdmjGPrOeoUTEBRlt
F5dK713HYadRrpmlVbbA/ToGPWPau05CrIechk1MpXc5w5TTSzifJMQqT/0j
rUm0gVQrSr0DlKXzCkqlArDOPMEjZJuYgRbjvI4KJr7kuKa26cXYVNp+wxR4
rUkBgWCEnianAxeo/sEFM2YCKtb1FH0nrRC25T179qAGRSbOq9PDPlRMmiD9
/Pocv+z21JAP87hVc9g5PMa1R6SurgTZwxgG761r5j3BIHyPUk6rJeb/C/t8
YkmlgiRoj+OBRNVgxNlySTqJeIh0aD8xLkiRN7/GftcdKThxzKbnAgPHg4Pd
ZA0DF5vXMZPofEaNofjwDZJLbwroQ+YQz73AYfl037udHElc90OzG3hlzdYX
BX7n8vWuqnFCiJ0hfWBqvZPkyqS6F+rtrhWVRUyjda9c3WvT0S/gzk8b1njn
1a5fj64hyOvlOI8yRAkd17YcmDYeOYeaWoTyADg6M57G29/SFmxT8I/J5WsU
UuOvn1BZ+Oq3j+ifV78lucP/yG+H8tvhIxSOcumq/aV1mA/+Q2+h80J/HdJf
B/Tf08dPj/HP02P8c7K/z/8cPOZ/jui8xLfgv+PjxxjD8WMeyvGTp/zPyTH+
eXSwv9+6BU86PDp+in8e7fM/jx/zP08P+Z+Tp09bt+Djg8MTHuOxDPXxAf/z
5An/QyOjW1xDFyQy9MF9trZ+kjCnRJnsK/EAp+DCV3PZEBbAz8XRwInoDLTj
PG+0BZ6vnCnCoWCRxMtaWgu52hzuuegzUySAC+FhtW/XWXoryeUIGDdex5zN
JNYcPMx1nwhZnaAdy57cMC3OQmBfkkaqJRCDlkOReyl0yI20Z5MX0aJTq1Hm
NHTp+OD9ldqYqwnz98N3cCOJSNmVeJ6h/9xs0AmI2JN83DiDVpoG4FfJsgeQ
PdGMY8y6KK61wRwR46bUbhK+EURsZ6BW6YorWp0rjINe1gIj9H2WhSoE4kZA
rSP7hHzkK6SldczxK2NCVCsfi1q2iBS+hqU62BqxNxH5Fmq0xRsh6HttEOnC
GJ1p7HNTfLmZYVqE/jL2hIg7Wc0B7iXrCmo6K6dgdVyRNTQLGjA6x6y9V3ZR
lYgbjFRtUrtEdcSiOF+tzyHgvYGevdFZlthFV4cx3eeuxz3XVrk9WndsUp3E
2CVRp/QyHYeLvmlgmax5SB/Xvtz3YfG1AArIkUGff0sqmatoDTOHpOSL/f4e
/RwlvLywwXFhtwz3fOeG9NgrhdRSCpB/8uPwucCHTUmrZBNfHDVaayad1WW7
RIlJ2Ky0XqzscAJ6br+wFgnJ7+tdaEfywTOwEXhQCyTDMwAN9/kx3mit0q25
N9JtM9cZwPWI9DdKeIx29bvSIOT5YMHtPk//UFrDqg5QFdeHSV0J/jhrxpXh
y3A3Hf4JprY6h4xLdKZx96R2A5UQrFVox56yUr1aczbkfEhBQdZwuli74stO
R1xmyIuOaJjkjFhOi3aTH/h21aK2f3gzTA4GR/yQF++Gw/MzZ7+0TobxfN4K
dpvoiiScyaYO+mP/DszLZRNqhzwjj+0S7sMD+ENruhb1oXZZxXqoyCBaCGmt
SmNn6HRT0k69mcyj2TWrXyfFXx3vH8H459B/3oQ+ZtoMALALkmdNpAT5i5Yc
Zy2oRPuiF/CpiwqAMOyzaMHe6hkZroom/SXZORPnHCCUHz1+hOJ/N+c0kCt2
tEyTQyNQQ+crbssOoeYcqdLRUc6/9D81v6oUrdAuYwbpaztcnMGqOYXcQdCu
ZuRDC68675t7pfm3Xc1M4+SWkJjD1jylnhp19Zq88WMLagyWtT5HmIezzKTC
zoFEdQWsXPSjRQ51KbfpoWe7DpMwbBnYean55ebhJNU8m7RFpllK+u4gxVYV
fzsba6Mypzc+cwZmm0JaWhGsRzx7ey2XV1lDkciTbTOSukLnzP7gwa0e8sJz
FEWTP8MyW/EJy5l13ocNjMSVka3VF01WBYmWds8K04ziI9HTWgHNI9KFcFqu
qb1ORJXSqIx1zaK0zmyrPENMJHBrWEpkyy8SJvTGuhgXmrhUjBFtv6kGoVrz
R0RWSpVcyKFTUsCULSW3yU56e0ngg7BNDAWvo+4wKOjyAf9JyYuOfLC+izbJ
8brL0ptCm0g3LWLW/lwzwdaoxRJmaH6Aa6naIgbfl7UKDlKrHk+jLSGlcXqa
ciZIbzk31dIOS3afXoiz7/SpveQyWJMPcE4wQtn9N2HQWHtthVFTzgsiciBn
Rz2J/ksVEw6IJGwCC489MXJ8hBCLU1E/051U7KoPrLMcogdVaex3iuPajo26
EYTNojACHzdDl1QBj+ELCmWJrAfAfOCotFOcqxYVBcpYcqTil6tPMy6ObgHQ
+fRTS3SU9IMaW9t1nNS5WPEqPVRdQXRx6ZJh8MqwllKOfV4lixKIN2pUiaKr
2MdjDcNqA0Lcco1mKdVVWjjvEbftsVfpRNX2hCNUeyM4k7e9AtLQecpVaWnI
CNrGnFRqqrFTWZUrNGFutaptIF25NjjU6fkw2Tk4fCphbQ1iiz8L/sY9+uso
ipBKeCZAUcHoXWtD7A08EvejMGjOXTCNI2qX2qk4MOXhgAj4I+0nf5De8DqE
WFN4JC7eOdw72vXxqQfQqewP9ump2xkPQVvRINZgrJKOzx7+8/V3RDdv+Tkc
+KFh+n3kIuxsIPtuJyWkBKz/6ODQ2Lb8rHy7b0tAcp4ePt2rPSXsz2HwSLoS
+gAvGisGO+2F3e0YxNofEST94+OHViMaxFGbErRR/yJKPHn81HSL/uNH3YQ4
OXSEiAZxHDwSlDh6eiyUoB/+Ekq8KwOO1YiEYlmMnq18ADoG8ahFCV6FL6aE
UuFg//DYbQj5RWny9EknTegtoMkfo9ae/V/6K3y6TX9tm3AS+Hmxq02uWN5X
0AVT1Fd+uMYy+ocKH78x+rH9yzYzFXuc1F2z0EoZ03yX4z6c5L1T78KJVVux
2/ZqG2k5zJhi3jogka6ZXmEdpWQWj+d1vyYLqhjXfSStIh8+SCqbWOZFsd7u
tNYQgW/hIkTRfJzuBp9S92TulLVnWt1hLqINQoAskI4M614ALbAtMHXbRg9N
0PNPMvG5TRSUTmsPJAdylzairlxoiUwtryYumkrH2zAhie6eac291A9tTmoa
JM8RaFeGY7JIzZH12Ix5CH3ks0VYA9VqXPtiB+9GVrLup8Ln+g02SSQvSf5o
BdQuzrOTFxpmw5dhr+C1b4cxwcLvuqTQFwmVh6/5a74NLtuSIIqxgHswiR4v
zScWIfQdIhUJh1MOnuxrpOOhe+ronidPERWhW4423kIMGlEWxExOEEE5evT4
8fFn76mjew4eH1qoZ9M9YHpuJhy4OT6xwT10Ux3fdHjy5OTQWGebG7T7OeVS
8wIIpNDTXmwupuBtm8FjwLhJ8aarex05hhyrcDgte62jsmHnt5Sxlj714Fn4
zGEArPKm0fyVB+OvOhFfcyTsz0EobN0fr4W1v3y6v9+hGAS3Hjw+Onzg6yQh
habjCXzZZ8flNcK1cZ08+cy4Dp8ePPB1kjx+/PgLxhXMLbx7TUG0Lw+ODtbI
Ed1Kx2+NotG4Do8Pu0iebNI3O9YxILkb18HTDmU2HNfx+kpH4zoAp/wLx+UV
2rVxnTx6mF7H+5/ZX0dH+yefH9ej4GP/Y6Bgtsf15CSYSseth0f7jx74mjfg
F6xj97gCLbg9rkddxym49ehg/YJ4XI++ZB27x+WV8PaXh49OPrOOT0/Wzls0
ruPHh11HmscF55ZmB5Jggr0MdI89j1SR3CKfPnCqMvrHzuvzf653w8vuvwkL
IdTPZUk8LpsEydNaUKHAv0FeopdzDmEkyDgKM0B7TmELBsbhqAjCw2KZVgjv
3jxe+sbzQZrwXyY1XQwg9opZBCGPM+LGiONmFbznUiignqN2DYPqDHmFzhEt
6yF4HFbHVi1SB3xpgs4nzFHaOLcH9YD/lmqA/TmLhxJd9Rd4af6+WkB4TPyc
LkkwfXz1+sXLj2bSBAf08Rqrax3fdR7dlradT0iS5LPjenR44MelmoCXth1M
Onxxl4yPuWHnEz4/rn8+fPTo4KRNMPu2ixxfR6/uJ0Tj4uF33fyvr815NaBj
XP+K2kmypn8E4/pvJG03EUztrQJM5AtY53qO8kN8tLeJiX6ZLfX34KGbHQzJ
f688VP68H54e7h8/ddSSP8pRN++Vrgtiw6DzCUatzwyLk9j7l+4ZjrN3uri/
irNvdJJ/nlOtGXh/b/MuWWOR/Kdt3v29rbtu/rlmRf29jahu9rlmRf29bagN
w2rbKn8nU+WU0SHGsywNUgyDoEPPa8Ithqx8XctAZitBRI2zLbX8lruAxEpx
vReYIRxDfVitN3NDS4ICIMngOWI6jBVDyepuHS5Q0ByiXgPdvnh9fnsoiUk/
vri0UjDOVmPIBqv596k+QAsdX8Nhzw1m4YEPwYRTo5wku8jzrU8fGvxNq/TK
oxD4JnJa2O7yE7gHA5GD7vk4PP148e7ig4OWJLKUBu6bKCppvczQWeQfACJK
B5iT0VxWSOpxmEcrj9sotclBM1duE8PhDs6onGcTDt9b++DtoCfuKHNTyUIM
5vU5OrTOgY3v6AlATsOcMJpC5xsZXiitgBGpXZpB3ghmM502mrAUkIyI7i8o
XJK+DvDj6Y8fXgXUtH46ui3kSNzfDy/7B6SN9o+enqHfsFrgjwdHgyPtPix5
kJs3p+1NzpFymT3R8H2yfJnUCyIs55FaMu0CYPCNZF9WrqOv5M/VkjgMnA+O
vKFAdVbWgmZl2fyMeMsP4eQPfL9yTx+XhRw7fkEuCOc2HUnlkGReS4gJRy5g
ovAS/KBeAkw9lO6KkDtUnnH/zeUPH7ShpYLRSWY6ltQjMVgVRl43ig2q0NJW
hBtBJeeFZXBL3syaK8N7ESybJvJshF6GKtN+DdzeWaoWDJ6bc1XMPWGdmFw9
nQIldL/YQxu/V9gAtBLqSdYNQFHxHhsPT86DBUoC7EOjRmo3kU5Bj5Dj6hqa
BzFgX34cIxAy32AAGME4CUELc9PHXeo97+1y2vAvMZ6KSza7larG65QuXTqU
kzmOg6ssA4oZUuZ5oCHrd5NnEC1Bp5EU3hi8ZbS8qrn40qXxMcuWrjUi0ILH
Yhm7qafnivf9iBMssxpAA5xZH9Z0cI1WnFvOaY/c+dOnH6wW2AphBHxBz1jQ
3431bBKYsHJWXq24iFm6ivAU/Ddup8XjhhssmNfO5Q97H3ZdNyyFquTyJnxj
5+8s7h4jB/CBCzx4SatOcE4vvgJ35mlv07a4RTZqARRI6wBAv0h+wat3L964
JYz6TN3fYxOgjhf4yhdTZesJBC6XvinKo2KtT2fpXW/tXO/QxIMuOw4YTAtW
XadYJIz9+U//pXaNNeCWFGxa9BgxeaPD5/LQzRPbdcP90MIDrMqbrDDWNV0y
7ydJe/b+hzNNnfcT7AkIiGJxWB2SDDwY3IwTzT4/ML4OQzu1ndBq2GeCw7mO
19oJaV1HyvkQAO5puHAcfIILuFuDJGYH5zM2O5cvyVtZ+F1VmRwYUxRjFDqu
iKQd+u+x57TBH/J9Nz/hWSLOWy6BXkfdt44XlkqdFtp2LxBYXW0B8jARPUAG
CZoOeoQb7msYwqyw1seF4F1DbjcSLCKG0MxqYwWS4YsSXX67dMV1SfKoz/D4
9VdVuVzUAmheq9xkHOImrx3OvSK18NmOuIKvWdVeH9yQhSvfRfDz49GCJncI
5yFIo1YQyrAlCVmHK+BP/MywuYDr0CeNb1YhbY1jr/WODI6xrScPIVp2PWNc
OIlHWRkLe3JosKjFkh2W1uN08pfuLq10WyoALdKaWZCmXDFIekfjKio+s9V0
Fr72u/ug8GFzWvQDY25tL6k/UZVa8O7lha4milsTmLpptUPJ7zSvC33toC/v
8o5iXGOcfQaxrdYiMdA4tZmAQ/XqUnqCqoXGURimgWTp1oHBMJZ1sp5hadQ6
wqNoHA7ofwp17yZMC/07xKWWIahmsCi1bLMvY1UsbxiHGwMoudMmrD1rJkF2
CKPuMCBU7WAjZM9Gxy1KQlY0rABLadFdv/UZLsGFuq45hgeuxlu4Gqu3oc2b
IfFMfImNjGUT33fs0Nh/uAHaDTqydYXjNCrBCvQNJVKrRMupGx7KnKYM9hL2
LyT9G3DNXIg1IgPlhisTGd+dljlbU12xd+LN25PtHUJrB40xTDGtpUXfr5nZ
jB43W42DUjCqSKBLuxDuvDfQOK0HftMq2tZkreKok0d/Vg7789WWyBFPiB8f
wLl2JGcufu4r62ky1B8jO9O6Z8y1GwpNmcwMEFa60z+8mNo16VV5B1Cj9mg2
XO+h00KA3o0T+ZYmjgRGgFEFaLXqBQrhpXwnyO4N3ZGuSg/sa7+ZPj2iL3g8
GDgU1p/k+He93QAxuRxNbQqHhcGy2ZRQZp7cyBnY4alUgAHKrpFPwnTKZSEg
LlA8uHzWN2LJ0IFL8PDpNX1HTIcB/4FFJZLhqry+UU+LdsaV8SpMqIPmtGi+
fxaQEbVomCtfUykJWm/Zi25stHjgm8+hpi4A2eKKLIOWEsCzT3NBNV0jIHdr
NfkP1xpXF62hGbN0ktRhbT76/dvL74cXH84dnuT78x+H59KSOSrisYwAgcgc
i89msqyc3qcAUcvFFYqPPNIY8whm/6zYm/YJsAbXttJVMQe4B3cAD5HfDCc6
cwnYmoxdhEixTctCO+3mmNpPSq24qFbVB8TOfPug+lkLNV46CCm8l/VS6Xxe
+JStLenGxoX2bn/rkdXWyKk0Bw8OWril0zbrY436VkW5aAIur2WUWy3aXPhc
ZBQHhj+xZfrK1ypHbZPSDT4AQzHoVmPUTmA8f2SYAgSGhnWHcvtUWl9bAZwc
tqVUgLp6qU1uG36rT9OJ4OFGjKsk3UHqUlQS37VgoGsRVe3WLbhpBwbLprrs
QjXjdRVMPkkPhKAFtzmdAvrVVnLIDNpagfOj+QjU6Zjz04OKq9FSkUUVTcwV
U7LKMyLudMc17QYnkbvGtuLeI8HPHzECmXK7eJFYiYO81HaIEaXxpfS7BxkN
c9vXdkqGsGJRnZn8g6rMlFzzXHrmsrX1kwKC6hrc6D2047fp+dsKPqkSgKv2
+EwQy62zqBGrcnrxPAkaXuJksfRnM0wysDA6TniXoon4DopurafZHXe3EWxH
erAdKCf4pH/S64uEtq3qQD2xZ+hzUWQNloyEhEM8nWREPEEk0kFAWLFMDXv2
fIBBUAae7j470nxFaJ9B41B5ULMjJkVbWJ3vdligwR9mbtrbbgLbLV2UqzJW
GsgIuy7DLA2N4gnvoOiqqAulgkKwWclpepnofO4gh2OQyFbtVy2chuxLbswb
tAfmvt8NO/rNGxy0SGqJb0BvOjW8U4FxsbWgw5Q4fumhUmhMsyZDVuob4WRu
3ewYgYG8oOADAq6XcHqgIK/kgSnAuxIMkWsgJxEByhHX0LIzGxXIQKyGP9lV
fHfB+ih+7BoCywRKb16rNs7gF9DH2ZDkel6x5chSNT8Cz8gFMluCR9vAj9Si
1CZbPGz26jt8P/V2B8/1QAVBvNH6nz/wXB8AkotFNpCgulPfy4itL6kpwk+R
66lnZBecAY1MMAwqAxDWOStsqkigk3DzJeXKvbBnuFaQ5sjevCrVs2FNfrv7
SkRjVNhZvzECAoGKTCHkBQnvg91WW0e7AOhCrjQyVhpwyAtlRu5EaNveWhmM
EK7y9wku7jLAQYLlPoMFFTXmNoHuaqidHhpqKgFGni0w3Ksk7Bn8BB1YorCy
blbWXMWFkmoFnff6bEuA5aosSUSwB/ZqWYXSlSUFC4meii4GT1cW3EJzlsOn
DbiBH5ltR8LCWboetCKS51wcH/CVYDiu7FtHtRJgDdgQaIsB4VJBqMAWUQ/H
spK21PRkqBW1C3g7xuIgZD2WgRTxqJXmxWnMKCLrvdB2nxEpZQH9Y+G7QW86
5CHkHMXb2bbP/Hbd3o3I9QfunPZ5mkFSgi9sGiS9i2UKfRi8ylohgxCtNvHs
VxT1XzwDTt5EdpGANGpOQspzFiw5gasX9mfOHa7cWzJDHiTnMP6QpgGuhpGH
j/VUE8S0SdQvQ7orMzySiqJF3kgTR27DVhaGbhp07iU9iDPLcSBT2WYIWSBu
xAWJAk+2NpKbLFsopn/grWjKcibMV/hkMWkr4YKZYT5hDr2zQjAvbw1rzfJA
WH9pNfNjFXbM7a44pFn4dqFhUEEB89kR6IokQ/Bya8MeuAqrnJ3J4iYwGBx+
H1/E7QHpm55Djw3mLavBDJw1JgdlLikfag3VWdQdLDUcdwhf5V4wMPIxbSmI
2tClpB5A1+gZnL6UZsO+aSmTT7daezuyohSpAOEEeEMLLA1HmCcBLJ+umQLE
sJZR0/HUJtwhVwpfyU8U70KyE3U7HQH1bDYz5801bf9ZRgKKlxUdGUTJhxf8
PetVXfq9uArQDLWrXTEKsHsM0wNiMmZxcGTNlHVSTdreY5KsB7JiAOQ7zjAR
eDG5BaJPLs5rrTk3lI61sLiD8XcbGmtcjmmIWgdc9jWBZ7vbG7StbgbjEYYz
G3rLvN1qsu1bcd5oZozBRcFnTXbGpL5mcKgQ23m49/bi7XkC/yQSrqR5ulSZ
S6oTmWnmGZJ+ZlgUZmF3HoSTR2iD6EVj8KEDN41o6DqAaPtEzBGgJb1gSN4M
iLzM09IbxYE7062Tg+lMFWIu1Ju4nZzOR1YbLmIHDkhk/0/3733bvP/0KYxN
eOR+QzWRLpuLBWlttW/JqAjqgeHk56ygVNxmt2bV1nkf1UtqAHikR6Ab0WIh
gHe4ZtsPQfC/RAws8kwQK0VvFgQmh1TbnhAbsFU2LzUIpLhisfanvki+gJ8K
p9/Ummk5hmzrx3DXULOimX4QsId0Yi10syZMONeEN8MkkjMCfD1hz5Yp5ZTd
bQtEsgJWGxQNg8U3Md6AsFGBYa0je9shgYNcpK6wKzHZS9qkdh5o4WZB0ojG
f9zb+ly1VS3n6I4DxctQvmQnh1hM650dNT1KNq4IS26pEUbEsJPvrktEEOBl
0+0xpdldt/HdRcVs25RINlsqMBwD+tcCWNoIdJEP2lqinAwnV0Hin8b+Ohna
YEv490tJqnjB6FXOd/m9Gi/v1aDZegsVLWVKhRG/WHfmHho5w1pN2CEZqShv
Tt9eDpOfvoNlzMhLcHVquZyGBh0D6raUTDh75VEIookhHtGRvWe0jBqIp1W5
LWe3gkhkunRpqJ2Sq8Vpdxda4F6wPxcqEU7ii+zWtbl7Jyl+9dZWK4LrmR3H
O4Nc3V6QqNtZiKFu3UAyBQV+IYgVn8drRbYTkelq8gtNT5EhT3TIvGEFpVCT
atE3CbotMwUu7XcwexflB6RKjgVVX9QgeWKjUVxJHlTtYlJx46MgR1kQlQxq
O5tOS2142hjY1k42uBr0aCu8Pu8Rjd+fS3h8ki6aaNEtIax0oFH9cHpZcZtX
ZWERwtMgvdjF0BWD7Aqanfqu6yy60zIFGUlVahxdBjJR5Y0sYQijK8qBy+R0
ktqDs9IA+S1ZdcXJGdaVSNsiq4s3TuSdlVf5mCQ6N2/0joOQbuyyWU7E3sDM
TBHNNJSYd6+/otav582N+9f1PKSpanS+GiiOaHBE5CxMoiTjqzPFsM4l06CE
V9og8yRu7AWqBN97sX9+LUky7E6t2R+z9K7Whq7aVBcvSh1sssCe4Wncp4Xh
XtV5vesSLnuubUVneiiu00FLruCduBokOIWlIGYSAi139aBpIUijsYalQxso
bvfL6f/brj446Cq47aOPdF7F2Wl9BlNdcAcYC1eiNE75/xu7liW3jSu6n69A
eZHEVaQqsuNIViqLeXg0Y1nyWLSldQ8JzsADAiyAkIuaytrlhT/C3xLnv3LP
fXTfBsE4K5U4JNBAd9++j3Pu0aaEqYcxn+Tx1oLF6exkRjmMZupHNvN463CE
OD3WD2RFKs0fW36vDBuNWngaEqJVFHf5GJ6Q1J56vF6b6myl2x0e4DBxdiDa
kzV+iwUNSWYNWtGk7fIENhyC3SawGVYwVZq5Ppp1MLzELuEeBfuiw4MTKM20
80osqicMSHWAEYUwBnH0OG29jHmZOPlRMhVm7a3kxcyfiUJLTmlyDBYWH56F
w2sTZJaMoqxit8SRS+CO3vdI+shB0ZRZwngZwG0Yeq1cZUrxGV77EM1kK0Ew
jdZYFeU+zfbxKRq7O+HOqeefkDLJbr3a35bdgh5Ya8/51xYBOcDHR/5XvoVN
lg573Qc1zPQybEvRM43Lah2WO1upIj+qydcMCI9BrlBz5g1tNuq46qeU1zEs
+uP5PWCIj4/fyA1skLCtoiOpHZG7UuC5HA4oHpjPsbgeVDZkJSJj/n4JIJ6n
HGwcrxVe/FSGYv/9DP+Vgr599Dkjv8zQp5q3lAwpzMo3inw89pExTqmOjjof
TJu7wP2mGXDBNYC8LaW6BjAxGzpS06TC6GEPpzqrNwUcKOw1fjevUNuB02rg
Mf7xJk1OY4afd3NiAAYgRsW95jMCGpssPFYLfddhdhOO4UDEgXvs/SNffSYa
HzooEEoNCBKBfK3tIM3ULYi7ZXCI4QaMmdQnkKr0akhucoL6RmKKkZssGuGd
3VkvZCteslhiJU2d0O6MO/9bgkcb/gYOCQUrtEFBBaZMrovPspmeaQ92GSqH
VtuOZfCkVtXRCkE364hyrbqx1ZbFyBhwYW854SgRPfbWi6kxTWqfKs/MGHZR
JTDKtBVzGcoiZwiakEeaDS+nXIlaLpkU+9pQR5OTT5FkrZ6M0mNs6LhQgT6J
ddtC14C7m8OF4rtMJPTTZvQSqGH0NYRkDfg/TyCvAPZP5J30Yk1cy/MDRlAz
bKRGwXJavZe+NMeZ56ctBAa/5rKNQkiXyuax6Hp6/FKm0kH6hK2guugsYX0C
9qH6F8UlVvQsU2/QWRIRtX4LL9ZgYvFZ+RWRzeGO9ZKsj5Go6wEbBy5qIt2K
HOZVOdZSGaFPqkx7pVdgm835THI/elMVQ9/dR01iXzGzsq1kdGdJf9k/blZj
Yu36tlnBOAKcwc3bWuZmoEEw9gHgJFYPdISlHbtyOix+10jOWm0mvQhNmOdj
gCDdoWZlXoxLlFO71GGVJHLNOm7D6E3EnNVQfuqgH9KMBR+s+TEACcOu3XDx
ZuI7+6g3eHLyxtYyn1wdO3HRZI5MdTzSUBxeaoP9P14NFXYXYtcCX4xvvIJH
jQxGJxYvySUmsa/JwbvdoCJobH4iDtCspslemBkfRct0vn9NpqmHtI+czpc+
HIU1kjglacxn6iiW/EGJA2lTLVqxIhPLj2gXzZQIjlEImd25FtcivDrL9rOh
bMIH4UNxgXT+Yz7Yg0XWlCbZeRCQOifOkCiOXHu7L/y1X3gEUdip08s+q/9a
HwEwX9V1tYVHcD50H5BCo81Vzq9oMmmmZoUJEPP2/qHhrMtiJ1UXbXG/VmYl
dyVf4ip9pCbqj1+WHQOJxj85Q9i+bVHD59+RU0mmJ8yKtwNZmiAbXOYxHz17
inJGwfFvwtQLiz6CJp36ajfE6Xev8K5ub4/+VsinAKbVmfwVu2UclV2vHbbL
LStGfjqMSkpUI2rHU4wqpTOJXAXVzYT1DVRfy5EALJvUJeNssiK/dAhWoFYs
vGULLUp9IFc01DS2kqwHzgv6tF9XmizIf+SojnyGsBEhN1nikAxmmrFJMvVG
OubO6BtRxPZl2BZnqvL1P3nCzl0n5/3mCGJSGBcmGhzfucq8dKVUw+VsZJyX
OJP7xEnlsEMr4zFkR0FoVW5Fx09yV6E/wuSVLjfjWJZXvCI1/Z2VdsfhWFpc
sIi0I6YYrYV1RKATdLeDNK60s1ZE5CThVh+8UvVW0B0572LMhlmhzGBPVmBU
h7n0Xcl/PkKaXg1apLsbapGzccnWvC53eX2zENY8SPNf/B2keSgcnF/7A/zx
kT5AbHmVKg+RDD8uY7SmT+KAdCnDcYSCKoRIDTsp0I4cD8Sw42JtlGWQnWvs
5FLhLkpQiggItGsA2XoTqxTkxgWoYqeKThwi4yobp6hg0FosRhVFBSS1FXzz
waGQnICpdxU1boSE7DKKEtUc4GHTWxYBF/KDaw6QIu/G4cNWEJJnbLw+TDpk
81zpJMemVyYiil4o5buMN8sdozA09Vt4hOixpPDguRObExeUvmQhuF1bUmQq
mQkEJLODTNUhYYuFtGkVqCjofOn8Z7650rFmCaSevTzWuhBQmGrfwbZGnqab
hTTrhviUhmwzg5wfAaQzQlpSS3qq6Tuty7tAMyLMy96MSdUMviY+MQBddZEs
oryGlb8Sx5NWzZ14bjYq7M0FBDKI+O7JT5n3W7grDgah85RaQ2ZKkTffxZ+O
OUuRhSAvQByLEXGc6wMUwZXzTd3PDf2HpNsG3OqPfAPoSPdwmpSjxydCJHDS
F0TemFdvvqNcTD1miiHECfXIFCEHoInz5d48EO5DfecIYKNWmkJQt+SYTA3g
T/aK7P04FUsfwGYolKgcLRi6o4UnAWFw0m5qTcsG6l33HEeMy7VRcokkG6sw
LlLb7TFOP/VicVA5KbFZB7ZPGTQY2woxfJLMdVlvNVTHO4ovSMJ1LW9VTay+
SfnZvTqBhjB9w3Y8LWQlPR17YzOUrwTtIctw6qWl6p8yveA2MqyFHnoVZcHJ
fdUOLXGMmbelDfVWkVeYrZaRCHj+LuOOceiUo3Ns+xKa2bSjhl2pG/LczWKS
WN0ocPf/WmDGc9XEwPHbj4WYY2lKGVfZmzkgnvEB7FSFIqgUE/AhdMqHOudq
AIVJrgMqfIpqJ5DohnFXwCZfXAky03VtVYyDqX1yI6f+QHU1BopkTx9URPuQ
qR7BgnQrQYwzNjgDK7neWOLuLMO2h6vlZRj8Za0CZsfgGplDPeLUoLn4287E
EjzZpWTaMP9ciScHs51LKNJJCmrFnFuT5vVj4yRjxtbPzyYFS+G5BdQRGITm
KE70xqptJdurF/09KZ3GiCU4nLcNHC+hMe4ynGvrx8CeJyZ/4NUB57ha7w1c
Eld5pRqQ8RTKzVk6jLLjLY+OLC/O51IePdMrv+fH07UghdiEitCFIVT41Xgm
N2WQ7GezL5JvNrpE1uzJCRj4Swko5PTN6UE1/PuMDgBMRtPKN3MkMl/hUhVZ
3uqR/ifgakQK6+TklAHX5G22XNTSpkzj9MWiFAiUj+lmxWdoemQBCW2sr+nB
5zd0KFXbbVmcDhvyWfCn68XZm+LLZ8+fPnv6/Iu/fv78b88UO/0tmY3C4sdF
WJfFX779bvEp2hmoeBv9Fz3PuAUIrahmrsbW5N0kWqrkKPc8yxyNoYY3Kmvv
sifU0QDq8OeebOcP1zcMh8DLesktNCi8wafz9y9pNJbhZohgJcKNLrWU6A3c
jcuhH3EDuhfaecIXxtycLoF6r8uV7Oz+5PGFkAvK1T8/WVP4WX7yr/F0a1IB
IT9sGxNkAMMi36FCbxkgzjAdN2Go6QhZr2lFc76reeDXdEFffs/5skv0Q4Bt
uJjR3+ky76u7O87PLgCWDPT0FDCQ6ZyfDxSkkm8zo6s2bV+8Iv+O7NED+hOc
0SQu8JM1/eKcotZZ8bqsl/fQSDwtsZ/oS5ehfmiLBVgWHx9oa1/QEbqio4hW
dtNyDHdFu6b46uNH8mFLus8Zkq0QZoajtFi2u13xtoVRuAJUpqLF03GeC+Om
9X9JZonW/Iy+hA1Mz7ivKwofX2N3n1X9fbul/4S6+s9voXg3/P5r1VS//zwr
/v0LYP3v9s1SRnVLI2prYBwvKpq9d7R+roa7VmR4aYTk3L0LyIshQLW0kFKY
eR905YdKswUS8rKrdt04F0/8KjDPW+A+OWMk3jHdJy0IrSI10eRpHcevBZrm
Vx198OonOjsfyGQ/VE9O/guh4D18vIYBAA==
</section>
</back>
</rfc> </rfc>
 End of changes. 273 change blocks. 
2522 lines changed or deleted 1512 lines changed or added

This html diff was produced by rfcdiff 1.48.