Paper 2020/1499

Analysing the HPKE Standard

Joël Alwen, Wickr
Bruno Blanchet, Inria Paris
Eduard Hauck, Ruhr-Universität Bochum
Eike Kiltz, Ruhr-Universität Bochum
Benjamin Lipp, Inria Paris
Doreen Riepel, Ruhr-Universität Bochum

The Hybrid Public Key Encryption (HPKE) scheme is an emerging standard currently under consideration by the Crypto Forum Research Group (CFRG) of the IETF as a candidate for formal approval. Of the four modes of HPKE, we analyse the authenticated mode HPKE_Auth in its single-shot encryption form as it contains what is, arguably, the most novel part of HPKE and has applications to other upcoming standards such as MLS. HPKE_Auth’s intended application domain is captured by a new primitive which we call Authenticated Public Key Encryption (APKE). We provide syntax and security definitions for APKE schemes, as well as for the related Authenticated Key Encapsulation Mechanisms (AKEMs). We prove security of the AKEM scheme DH-AKEM underlying HPKE_Auth based on the Gap Diffie-Hellman assumption and provide general AKEM/DEM composition theorems with which to argue about HPKE_Auth’s security. To this end, we also formally analyse HPKE_Auth’s key schedule and key derivation functions. To increase confidence in our results we use the automatic theorem proving tool CryptoVerif. All our bounds are quantitative and we discuss their practical implications for HPKE_Auth. As an independent contribution we propose the new framework of nominal groups that allows us to capture abstract syntactical and security properties of practical elliptic curves, including the Curve25519 and Curve448 based groups (which do not constitute cyclic groups).

Note: Revision of the nominal groups framework. Revision of the proofs in Appendix A. Updated security bounds.

Available format(s)
Public-key cryptography
Publication info
A minor revision of an IACR publication in EUROCRYPT 2021
authentication signcryption key encapsulation mechanism formal verification CryptoVerif
Contact author(s)
jalwen @ wickr com
bruno blanchet @ inria fr
eduard hauck @ rub de
eike kiltz @ rub de
benjamin lipp @ inria fr
doreen riepel @ rub de
2022-08-06: last of 2 revisions
2020-12-02: received
See all versions
Short URL
Creative Commons Attribution


      author = {Joël Alwen and Bruno Blanchet and Eduard Hauck and Eike Kiltz and Benjamin Lipp and Doreen Riepel},
      title = {Analysing the HPKE Standard},
      howpublished = {Cryptology ePrint Archive, Paper 2020/1499},
      year = {2020},
      doi = {10.1007/978-3-030-77870-5_4},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.