bcgit / bc-java

Bouncy Castle Java Distribution (Mirror)
https://www.bouncycastle.org/java.html
MIT License

New feature: Hybrid Public Key Encryption #917

Open chris-wood opened 3 years ago

chris-wood commented 3 years ago

Hybrid public key encryption is a well-known cryptographic construction that allows a sender to encrypt arbitrarily-sized messages under a receiver’s public key. ECIES, for example, is one variant of this particular construction built on elliptic curve Diffie-Hellman for non-interactive key exchange. However, there exist a number of standardized versions of ECIES, each of which differs in features, flexibility, security properties and, importantly, interoperability.

HPKE is an emerging IRTF standard aimed at providing a single standard for all applications and use cases wherein public key encryption is required. This includes several other IETF standards, such as the Message Layer Security protocol, TLS Encrypted Client Hello, and Oblivious DNS over HTTPS. HPKE is flexible in almost every dimension, being built primarily on Key Encapsulation Mechanisms (KEMs), Key Derivation Functions, and AEAD algorithms. (Parameterization by KEMs is particularly useful in making the protocol ready for post-quantum algorithms.)

HPKE has a growing number of interoperable implementations in widely used cryptographic libraries. The draft has test vectors available for all supported features.

HPKE is through the CFRG review process, is currently under review by the ISRG, and will likely be an RFC within the next couple of months. Given the maturity of the specification, growing number of dependent protocols and use cases, and wide community support, it seems like a fine candidate to include in BouncyCastle. Assuming there’s support, we are willing to contribute code or reviews to help land the feature.

mrsylerpowers commented 1 year ago

Hybrid public key encryption RFC 9180 has become an RFC. HPKE now has a wide number of interoperable implementations in widely used cryptographic libraries.

BouncyCastle would be a great place to have an HPKE implementation as I am working on implementing a TLS standard that requires HPKE.

dghgit commented 1 year ago

We'll be starting to look at this one soon - the PQC project previously soaked up all our spare time (and then some...)

chris-wood commented 1 year ago

Thanks, @dghgit!