HybridkemX25519Kyber768+HKDF specifications

[collapsinghierarchy]

I have found that you referenced the IETF draft https://datatracker.ietf.org/doc/draft-westerbaan-cfrg-hpke-xyber768d00/ for the "hybrid" HPKE part. I have several questions in that regard.

• The darft is, however, expired. The according repository from IETF (https://github.com/ietf-wg-pquip/state-of-protocols-and-pqc) says that "This was for the NIST Round 3 Draft version of Kyber for prototyping" and therefore it seems now to be obsolete. Do you have plans for transitioning to another standard?

• I know about the CatKDF from one of ETSIs Cyber group (https://www.etsi.org/deliver/etsi_ts/103700_103799/103744/01.01.01_60/ts_103744v010101p.pdf ), which pretty much resembles the HKDF combination that is also used in the "hybrid" HPKE in this repository. Are there mentionable differences and why? Or do you simply use the HPKE KDF security guarantees from RFC9180 to derive the key from the concatenated keys from DH and PQ-KEM? But then again there is no currently active specification for combining the DH and PQ-KEM. (Or did i miss something?)

[dajiaji]

The darft is, however, expired. The according repository from IETF (https://github.com/ietf-wg-pquip/state-of-protocols-and-pqc) says that "This was for the NIST Round 3 Draft version of Kyber for prototyping" and therefore it seems now to be obsolete. Do you have plans for transitioning to another standard?

First, to answer your first question: hpke-xyber768d00 will not be updated going forward, and I plan to remove its implementation. x-wing is a strong alternative. The author also commented that x-wing should be used instead of hpke-xyber768d00. I have already implemented the x-wing module, so please give it a try.

[dajiaji]

Regarding your second question, I haven’t yet caught up with CatKDF, so I’m unable to answer it at this time. I’ll find some time to research it and get back to you.

[collapsinghierarchy]

Thank you for the clarification. It makes sense regarding the first question.

As far as my understanding goes catKDF is "basically" the HKDF derivation HKDF(concat(ss1, ss2, enc1, enc2)) from the expired hpke-xyber768d00 draft. Which again is "basically" the CtKDF from https://eprint.iacr.org/2020/1364.pdf . But overall there are always small nuances and additional steps. And it's more general compared to the "xyber" draft that has kyber and ecdh baked into.

And btw for the ETSI document there is a more revent version now TS 103 744 - V1.2.1 - CYBER. My state of knowledge is still TS 103 744 - V1.1.1 - CYBER, but from the first glance it contains only the usual changes (kyber -> ML-KEM et al.)