CryptoSys Home > PKI > Hybrid Public Key Encryption (HPKE)

Hybrid Public Key Encryption (HPKE)

As of v22.0, this toolkit has all the basic cryptographic primitives required to carry out the Hybrid Public Key Encryption (HPKE) scheme described in RFC 9180; namely

Elliptic Curve Diffie-Hellman (ECDH) key agreement - see ECC_DHSharedSecret (Ecc.dh_shared_secret) using the elliptic curve groups
- P-256
- P-384
- P-521
- X25519
- X448
HMAC-based key derivation function (HKDF) using SHA2 - see KDF_Bytes (Kdf.bytes)
- HKDF-SHA256
- HKDF-SHA384
- HKDF-SHA512
Authenticated encryption with additional data (AEAD) - see CIPHER_EncryptAEAD (Cipher.encrypt_aead) using the algorithms
- AES-128-GCM
- AES-256-GCM
- ChaCha20Poly1305

Specific functions HPKE_LabeledExtract and HPKE_LabeledExpand (Hpke.labeled_extract, Hkpe.labeled_expand) are provided here to carry out the functions LabeledExtract() and LabeledExpand() defined in HKPE.

The function HPKE_DerivePrivateKey (Hpke.derive_private_key) is provided to derive an EC private key using the deterministic method described in HKPE. The corresponding public key can be derived using ECC_PublicKeyFromPrivate (Ecc.publickey_from_private). Together these provide the HKPE function DeriveKeyPair().

Note that these functions are intended to be used in an object-oriented language like C# or Python, not in raw ANSI C or VB6. See the Python code hpke_test.py below.

In this implementation, the KDF algorithm is chosen automatically to match the KEM ECDH group curve as follows (from Table 2 in [RFC9180]).

KEM	ECDH group	KDF
DHKEM(P-256, HKDF-SHA256	P-256	HKDF-SHA256
DHKEM(P-384, HKDF-SHA384	P-384	HKDF-SHA384
DHKEM(P-521, HKDF-SHA512	P-521	HKDF-SHA512
DHKEM(X25519, HKDF-SHA256	X25519	HKDF-SHA256
DHKEM(X448, HKDF-SHA512	X448	HKDF-SHA512

Furthermore, the ciphersuite's KDF is assumed to be always equal to the DHKEM's associated KDF from the above table.

Because these are all standalone functions with no context, the ECDH curve group used in the scheme must be specified. This automatically defines the KDF and associated HMAC algorithm to be used as per the above table.

The LabeledExtract() and LabeledExpand() functions facilitate domain separation of KDF calls by incorporating a label and a suite_id which has a value derived from identifiers for the EC curve group, the KDF algorithm and, sometimes, the AEAD algorithm. Note that the suite_id value is different depending on where the KDF is used. In this implementation, specifying the curve name will automatically select the corresponding KDF algorithm, and the absence or presence of an option flag for an AEAD algorithm dictates whether the KDF is being used inside a KEM algorithm (zero flag) or in the remainder of HPKE (specific AEAD algorithm flag).

The string literal "HPKE-v1" is currently hardcoded into the LabeledExtract() and LabeledExpand() functions. Future implementations may offer an alternative if the specification is changed.

Python Code

This is a "proof-of-concept" program to show that cryptosyspki.py v22.0 has all the features necessary to carry out the required computations for RFC9180 "Hybrid Public Key Encryption". It reads a cut-down version of the test-vectors.json file [TestVectors] and computes and verifies the values. Currently the code only supports mode 0.

	hpke_test.py	Test source code
	test-vectors-1.json	Cut-down sample of test-vectors.json
	hpke_test.zip	Download all as zip

References

[RFC9180] RFC 9180 Hybrid Public Key Encryption. R. Barnes, et al. February 2022.
[TestVectors] HPKE Test Vectors, test-vectors.json (5.6 MB).

Contact us

To contact us or comment on this page, please send us a message.

[Go to top]

This page last updated 26 October 2023