RFC 9180

Hybrid Public Key Encryption, February 2022

File formats:

icon for HTML icon for text file icon for v3pdf icon for XML icon for inline errata
R. Barnes
K. Bhargavan
B. Lipp
C. Wood

Cite this RFC: TXT  |  XML

DOI:  10.17487/RFC9180

Discuss this RFC: Send questions or comments to cfrg@irtf.org

Other actions: View Errata  |  Submit Errata  |  Find IPR Disclosures from the IETF  |  View History of RFC 9180


This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.

This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 8729.

Advanced Search