ETSI TS 103 744 V1.1.1 (2020-12)

ETSI TS 103 744 V1.1.1 (2020-12)






TECHNICAL SPECIFICATION
CYBER;
Quantum-safe Hybrid Key Exchanges

---------------------- Page: 1 ----------------------
2 ETSI TS 103 744 V1.1.1 (2020-12)



Reference
DTS/CYBER-QSC-0015
Keywords
key exchange, quantum safe cryptography

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2020.
All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.

3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners.
®
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TS 103 744 V1.1.1 (2020-12)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Introduction . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 7
3 Definition of terms, symbols and abbreviations . 8
3.1 Terms . 8
3.2 Symbols . 9
3.3 Abbreviations . 9
4 Purpose of quantum-safe hybrid key exchanges . 10
4.1 Status of quantum-safe key exchange protocols . 10
5 Architecture for quantum-safe hybrid key exchange . 10
5.1 Functional entities . 10
5.2 Information relationships (reference points) . 11
6 Introductory information . 11
6.1 Introduction . 11
6.2 Notation . 11
6.2.1 Radix . 11
6.2.2 Conventions . 12
6.2.3 Bit/Byte ordering . 12
6.2.4 Integer encoding . 12
7 Cryptographic primitives . 12
7.1 Hash functions (hash) . 12
7.2 Context formatting function (f) . 13
7.3 PseudoRandom Function (PRF) . 13
7.3.1 PRF description . 13
7.3.2 PRF to HMAC mapping . 14
7.4 Key Derivation Functions (KDFs) . 14
7.4.1 KDF description . 14
7.4.2 KDF to HKDF mapping . 14
7.5 Elliptic Curve Diffie-Hellman (ECDH) . 15
7.5.1 ECDH description . 15
7.5.2 Elliptic curve domain parameters . 15
7.6 Key encapsulation mechanisms (KEMs) . 15
7.6.1 KEM description . 15
7.6.2 Post-quantum KEMs . 16
8 Hybrid key agreement schemes . 16
8.1 General . 16
8.1.1 Key exchange abstraction . 16
8.1.2 Key exchange abstraction to ECDHE . 17
8.1.3 Key exchange abstraction to KEM . 17
8.2 Concatenate hybrid key agreement scheme . 17
8.3 Cascade hybrid key agreement scheme . 19
Annex A (informative): Background . 21
A.1 Quantum computing threats to classical key exchange protocols . 21
A.2 Rationale for quantum-safe hybrid key exchanges . 21
ETSI

---------------------- Page: 3 ----------------------
4 ETSI TS 103 744 V1.1.1 (2020-12)
Annex B (informative): Security consideration . 23
B.1 Security definitions . 23
Annex C (informative): Test Vectors . 24
C.1 Introduction . 24
C.2 Test vectors for CatKDF . 24
C.2.1 ECDH with NIST P-256, SIKEp434, and SHA-256 . 24
C.2.2 ECDH with NIST P-256, SIKEp434, and SHA3-256 . 25
C.2.3 ECDH with NIST P-384, SIKEp503 and SHA-384 . 25
C.2.4 ECDH with NIST P-384, SIKEp503, and SHA3-384 . 25
C.2.5 ECDH with NIST P-384, SIKEp610 and SHA-384 . 26
C.2.6 ECDH with NIST P-384, SIKEp610, and SHA3-384 . 26
C.2.7 ECDH with NIST P-521, SIKEp751 and SHA-512 . 27
C.2.8 ECDH with NIST P-384, SIKEp751, and SHA3-512 . 27
C.2.9 ECDH with NIST P-256, Kyber512, and SHA-256 . 28
C.2.10 ECDH with NIST P-256, Kyber512, and SHA3-256 . 28
C.2.11 ECDH with NIST P-384, Kyber768 and SHA-384 . 29
C.2.12 ECDH with NIST P-384, Kyber768, and SHA3-384 . 30
C.2.13 ECDH with NIST P-512, Kyber1024 and SHA-512 . 30
C.2.14 ECDH with NIST P-512, Kyber1024, and SHA3-512 . 31
C.3 Test vectors for CasKDF . 32
C.3.1 ECDH with NIST P-256, SIKEp434, and SHA-256 . 32
C.3.2 ECDH with NIST P-256, SIKEp434, and SHA3-256 . 32
C.3.3 ECDH with NIST P-384, SIKEp503 and SHA-384 . 33
C.3.4 ECDH with NIST P-384, SIKEp503, and SHA-384 . 34
C.3.5 ECDH with NIST P-384, SIKEp610 and SHA-384 . 34
C.3.6 ECDH with NIST P-384, SIKEp610, and SHA3-384 . 35
C.3.7 ECDH with NIST P-521, SIKEp751 and SHA-512 . 35
C.3.8 ECDH with NIST P-384, SIKEp751, and SHA3-512 . 36
C.3.9 ECDH with NIST P-256, Kyber512, and SHA-256 . 36
C.3.10 ECDH with NIST P-256, Kyber512, and SHA3-256 . 37
C.3.11 ECDH with NIST P-384, Kyber768 and SHA-384 . 38
C.3.12 ECDH with NIST P-384, Kyber768, and SHA3-384 . 39
C.3.13 ECDH with NIST P-384, Kyber1024 and SHA-512 . 40
C.3.14 ECDH with NIST P-384, Kyber1024, and SHA3-384 . 41
History . 42


ETSI

---------------------- Page: 4 ----------------------
5 ETSI TS 103 744 V1.1.1 (2020-12)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
Hybrid Key Exchanges are constructions that combine a traditional key exchange, such as elliptic curve Diffie Hellman
[1], with a quantum-safe key exchange such as Supersingular Isogeny Key Establishment (SIKE) [i.17], into a single
key exchange. Hybrid key exchanges are a migration technique to move to quantum-safe technology in advance of
establishing full security assurance in the underlying post-quantum cryptographic scheme.

ETSI

---------------------- Page: 5 ----------------------
6 ETSI TS 103 744 V1.1.1 (2020-12)
1 Scope
The present document specifies several methods for deriving cryptographic keys from multiple shared secrets. The
shared secrets are established using existing classical key agreement schemes, like elliptic curve Diffie-Hellman
(ECDH) in NIST SP800-56Ar3 [1], and new quantum-safe key encapsulation mechanisms (KEMs).
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] NIST SP800-56Ar3: "Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete
Logarithm Cryptography".
NOTE: Available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/nist.sp.800-56Ar3.pdf.
[2] IETF RFC 2104: "HMAC: Keyed-Hashing for Message Authentication".
NOTE: Available at https://tools.ietf.org/html/rfc2104.
[3] IETF RFC 5869: "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)".
NOTE: Available at https://tools.ietf.org/html/rfc5869.
[4] FIPS PUB 180-4: "Secure Hash Standard (SHS)".
NOTE: Available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.180-4.pdf.
[5] FIPS PUB 202: "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions".
NOTE: Available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf.
[6] FIPS PUB 186-4: "Digital Signature Standard (DSS)".
NOTE: Available at https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.186-4.pdf.
[7] IETF RFC 5639: "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve
Generation".
NOTE: Available at https://tools.ietf.org/html/rfc5639.
[8] IETF RFC 7748: "Elliptic Curves for Security".
NOTE: Available at https://tools.ietf.org/html/rfc7748.
ETSI

---------------------- Page: 6 ----------------------
7 ETSI TS 103 744 V1.1.1 (2020-12)
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] NIST Post Quantum Round 2 Submission: "BIKE: Bit Flipping Key Encapsulation", Round 3
Submission, 22 October 2020.
NOTE: Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions.
[i.2] NIST Post Quantum Round 3 Submission: "Classic McEliece: conservative code-based
cryptography", 10 October 2020.
NOTE: Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions.
[i.3] NIST Post Quantum Round 3 Submission: "CRYSTALS-Kyber", Version 3.0, 1 October 2020.
NOTE: Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions.
[i.4] NIST Post Quantum Round 3 Submission: "FrodoKEM Learning With Errors Key Encapsulation",
30 September 2020.
NOTE: Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions.
[i.5] NIST Post Quantum Round 3 Submission: "Hamming Quasi-Cyclic (HQC)", 1 October 2020.
NOTE: Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions.
[i.6] NIST Post Quantum Round 3 Submission: "NTRU", 30 September 2020.
NOTE: Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions.
[i.7] NIST Post Quantum Round 3 Submission: "NTRU Prime: round 3", 7 October 2020.
NOTE: Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions.
[i.8] NIST Post Quantum Round 3 Submission: "SABER: Mod-LWR based KEM (Round 3
Submission)", Accessed 26 October 2020.
NOTE: Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions.
[i.9] NIST Post Quantum Round 3 Submission: "Supersingular Isogeny Key Encapsulation",
1 October 2020.
NOTE: Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions.
[i.10] Y. Dodis, R. Gennaro, J. Håstad, H. Krawczyk, and T. Rabin: "Randomness Extraction and Key
derivation Using the CBC, Cascade, and HMAC Modes", Crypto 04, LNCS 3152, pp. 494-510.
Springer Verlag, 2004.
[i.11] F. Giacon, F. Heuer, B. Poettering: "KEM Combiners", Public-Key Cryptography - PKC 2018,
LNCS 10769.
NOTE: Available at https://eprint.iacr.org/2018/024.pdf.
[i.12] N. Bindel, J. Brendel, M. Fischlin, B. Goncalves, D. Stebila: "Hybrid Key Encapsulation
Mechanisms and Authenticated Key Exchange", IACR eprint 2018-903.
NOTE: Available at https://eprint.iacr.org/2018/903.pdf.
ETSI

---------------------- Page: 7 ----------------------
8 ETSI TS 103 744 V1.1.1 (2020-12)
[i.13] N. Bindel, U. Herath, M. McKague, D. Stebila: "Transitioning to a Quantum-Resistant Public Key
th
Infrastructure", Post-Quantum Cryptography, 8 International Workshop, PQCrypto 2017,
Utrecht, The Netherlands Proceedings. pp. 384-405. Springer International Publishing, Cham
(2017).
th
[i.14] Simon, D. R.: "On the power of quantum computation", SFCS 94 Proceedings of the 35 Annual
Symposium on Foundations of Computer Science, November 1994, Pages 116-123.
NOTE: Available at https://doi.org/10.1109/SFCS.1994.365701.
[i.15] Shor, P.W.: "Algorithms for quantum computation: discrete logarithms and factoring", SFCS 94:
Proceedings of the 35th Annual Symposium on Foundations of Computer Science,
November 1994, Pages 124-134.
NOTE: Available at https://dl.acm.org/doi/abs/10.1109/SFCS.1994.365700.
[i.16] NIST CAVP SP 800-56A ECC CDH Primitive Test Vectors.
NOTE: Available at https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-
Program/documents/components/ecccdhtestvectors.zip.
[i.17] SIKE Round 2 Known Answers Tests (KATs).
NOTE: Available at https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-
2/submissions/SIKE-Round2.zip.
[i.18] Campagna, M., Petcher, A.: "Security of Hybrid Key Encapsulation", IACR eprint 2020-1364.
NOTE: Available at https://eprint.iacr.org/2020/1364.pdf.
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the following terms apply:
asymmetric cryptography: cryptographic system that utilizes a pair of keys, a private key known only to one entity,
and a public key which can be openly distributed without loss of security
big-endian: octet ordering that signifies "big-end", or most significant octet value is stored to the left, or at the lowest
storage location
EXAMPLE: The decimal value 108591, which is 0x0001A82F as a hex encoded 32-bit integer, is encoded as a
length 4 octet string as 0001A82F.
cryptographic hash function: function that maps a bit string of arbitrary length to a fixed length bit string (message
digest or digest for short)
NOTE: Hash functions are designed to satisfy the following properties:
1) (One-way) It is computationally infeasible to find any input that maps to any pre-specified output.
2) (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the
same output.
cryptographic key: binary string used as a secret by a cryptographic algorithm
EXAMPLE: AES-256 requires a random 256-bit string as a secret key.
entity: person, device or system that is executing the steps of one of the processes defined or referenced in the present
document
ETSI

---------------------- Page: 8 ----------------------
9 ETSI TS 103 744 V1.1.1 (2020-12)
key agreement scheme: key-establishment procedure in which the resultant secret keying material is a function of
contributions of the entities participating, such that no entity can predetermine that value of the secret keying material
independently of the other entities' contributions
key derivation: process to derive key material from one or more shared secrets
key encapsulation mechanism: method to secure the establishment of a cryptographic key for transmission using
public key cryptography
key establishment/exchange method: cryptographic procedure by which cryptographic keys are established between
two parties
label: octet string that specifies a separation of use for the application or instance of the key derivation or exchange
message digest/digest: fixed-length output of a cryptographic hash function over a variable length input
octet string: ordered sequence of octets/bytes consisting of 8-bits each
private key: key in an asymmetric cryptographic scheme that is kept secret
public key: key in an asymmetric cryptographic scheme that can be made public without loss of security
public key cryptography: See asymmetric cryptography.
random oracle: theoretical black box that responds to every unique query with a uniformly random selection from the
set of possible responses, with repeated queries receiving the same response
n
security level: measure of the strength of a cryptographic algorithm. If 2 operations are required to break the
cryptographic algorithm/scheme/method, then the security level is n. Sometimes also referred to as bit-strength
shared secret: secret value that has been computed using a key-establishment scheme
3.2 Symbols
For the purposes of the present document, the following symbols apply:
A || B The concatenation of binary strings A followed by B
∅ A zero-length octet string
[x] An integer value x expressed as an n-bit integer
n
q  The least integer value x greater than or equal to q
len(A) The number of octets in an octet string A
hash( ) A cryptographic hash function
digest_len The length in octets of a hash function's digest
C A ciphertext value created by a KEM
d A private key for elliptic curve cryptography
k A cryptographic secret or key
P A public key for an asymmetric cryptographic scheme
psk A pre-shared key
Q A public key for elliptic curve cryptography
sk A private key for an asymmetric cryptographic scheme
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AES Advanced Encryption Standard
CAVP Cryptographic Algorithm Validation Program
CDH Cofactor Diffie-Hellman
ECC Elliptic Curve Cryptography
ECDH Elliptic Curve Diffie-Hellman
ECDHE Elliptic Curve Diffie-Hellman Ephemeral
HKDF HMAC-based Key Derivation Function
HMAC Hash-based Message Authentication Code
ETSI

---------------------- Page: 9 ----------------------
10 ETSI TS 103 744 V1.1.1 (2020-12)
IND-CCA INDistinguishability under Chosen-Ciphertext Attacks
IND-CPA INDistinguishability under Chosen-Plaintext Attacks
KDF Key Derivation Function
KEM Key Encapsulation Mechanism
LNCS Lecture Notes in Computer Science
MA Message from entity A
MB Message from entity B
NIST National Institute of Standards and Technology
OW-CPA One-Way Chosen-Plaintext Attack
PRF PseudoRandom Function
QA A public-key from entity A
QB A public-key from entity B
QKD Quantum Key Distribution
RSA Rivest, Shamir and Adelman
SIKE Supersingular Isogeny Key Encapsulation
SP Special Publication
SSH Secure Shell
TLS Transport Layer Security
4 Purpose of quantum-safe hybrid key exchanges
4.1 Status of quantum-safe key exchange protocols
NIST has initiated a process of analysing and standardizing one or more new quantum-safe key encapsulation
mechanisms suitable to replace cl
...