<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-chen-lamps-cms-frodokem-01" category="std" consensus="true" submissionType="IETF" xml:lang="en" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="FrodoKEM in the CMS">Use of FrodoKEM in the Cryptographic Message Syntax</title>
    <seriesInfo name="Internet-Draft" value="draft-chen-lamps-cms-frodokem-01"/>
    <author initials="M." surname="Chen" fullname="Meiling Chen">
      <organization>China Mobile</organization>
      <address>
        <postal>
          <city>BeiJing</city>
          <country>China</country>
        </postal>
        <email>chenmeiling@chinamobile.com</email>
      </address>
    </author>
    <author initials="L." surname="Su" fullname="Li Su">
      <organization>China Mobile</organization>
      <address>
        <postal>
          <city>BeiJing</city>
          <country>China</country>
        </postal>
        <email>suli@chinamobile.com</email>
      </address>
    </author>
    <author initials="G." surname="Wang" fullname="Guilin Wang">
      <organization>Huawei Int. Pte Ltd</organization>
      <address>
        <postal>
          <city>Singapore</city>
          <country>Singapore</country>
        </postal>
        <email>wang.guilin@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="05"/>
    <area>Security</area>
    <workgroup>lamps</workgroup>
    <keyword>Internet-Draft</keyword>
    <keyword>keyword2</keyword>
    <abstract>
      <?line 56?>

<t>FrodoKEM is a quantum-resistant key encapsulation mechanism (KEM) based on the standard Learning With Errors (LWE) problem，standardized by ISO. FrodoKEM offers multiple parameter sets, with the recommended sets for general use including (e)FrodoKEM-976-AES and (e)FrodoKEM-976-SHAKE for security level 3, and (e)FrodoKEM-1344-AES and (e)FrodoKEM-1344-SHAKE for security level 5. This document specifies the conventions for using FrodoKEM in the Cryptographic Message Syntax (CMS), using the KEMRecipientInfo structure defined in "Use of Key Encapsulation Mechanism (KEM) Algorithms in the Cryptographic Message Syntax (CMS)" <xref target="RFC9629"/>.</t>
    </abstract>
  </front>
  <middle>
    <?line 60?>

<section anchor="notes-of-change">
      <name>Notes of Change</name>
      <t>Changes made in version draft-chen-lamps-cms-frodokem-01:</t>
      <ul spacing="normal">
        <li>
          <t>Update the references with two individual drafts of CFRG.</t>
        </li>
        <li>
          <t>Change the citation of FrodoKem from I-D.LBES25 to ISO18033-2-AMD2.</t>
        </li>
      </ul>
    </section>
    <section anchor="introduction">
      <name>Introduction</name>
      <t>FrodoKEM <xref target="ISO18033-2-AMD2"/> is one of three KEMs in the process of ISO standardization [FrodoKEM]. Its security is based on a well-studied hard problem in unstructured lattices, called the learning with errors problem. There are Internet drafts on the algorithm specification of FrodoKEM <xref target="I-D.draft-longa-cfrg-frodokem"/> and how to securely use it <xref target="I-D.draft-longa-cfrg-frodokem-security-considerations"/>. FrodoKEM has both AES and SHAKE variants to offer optimized performance across different hardware platforms. AES variants are highly suitable for devices with hardware acceleration for AES (like AES-NI on Intel processors). SHAKE variants provide competitive or better performance on platforms lacking AES hardware acceleration (such as many embedded systems and general-purpose CPUs). To cover both scenarios, this specification SHALL include both variants.</t>
      <t><xref target="RFC9629"/> defines the KEMRecipientInfo structure for the use of KEM algorithms in the CMS enveloped-data, authenticated-data, and authenticated-enveloped-data content types. This document specifies the conventions for the direct use of eight recommended FrodoKEM parameter sets within the KEMRecipientInfo structure: (e)FrodoKEM-976-AES, (e)FrodoKEM-976-SHAKE, (e)FrodoKEM-1344-AES and (e)FrodoKEM-1344-SHAKE.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC8174">RFC2119</xref>.</t>
      </section>
      <section anchor="frodokem">
        <name>FrodoKEM</name>
        <t>FrodoKEM <xref target="ISO18033-2-AMD2"/> is one of three KEMs in the process of ISO standardization [FrodoKEM].  Its security is based on a well-studied hard problem in unstructured lattices, called the learning with errors problem. In total, FrodoKEM [FrodoKEM] has 12 variants.  Namely, it offers 3 NIST security levels 1, 3, and 5; the pseudorandom generator (PRG) uses AES128 or SHAKE 128; and the KEM public key can be a long-term key (standard mode) or a short-term key (ephemeral mode).</t>
        <t>According to the current standardization progress in ISO, FrodoKEM will be standardized for only 8 variants for NIST security levels 3 and 5.  Namely, there are (e)FrodoKEM-976 and (e)FrodoKEM-1344, but not (e)FrodoKEM-640 for security level 1.  To align with ISO, this specification specifies the use of (e)FrodoKEM varaints for security
   levels 3 and 5 only, not variants for security level 1.</t>
        <t>Based on the above, this document specifies only eight variants of (e)FrodoKEM for Cryptographic Message Syntax.  Namely, (e)FrodoKEM-976-AES and (e)FrodoKEM-976-SHAKE for security level 3, and
   (e)FrodoKEM-1344-AES and (e)FrodoKEM-1344-SHAKE for security level 5.</t>
        <t>Key encapsulation mechanism (KEM) is a kind of key exchange, which allows one entity to encapsulate a secret under a (long-term or ephemeral) public key of another entity. By following the definition given in [W-D.K25], a KEM consists of three algorithms:</t>
        <ul spacing="normal">
          <li>
            <t>KeyGen(k) -&gt; (pk, sk): A probabilistic key generation algorithm, which generates a public encapsulation key pk and a secret decapsulation key sk, when a security parameter k is given.</t>
          </li>
          <li>
            <t>Encaps(pk) -&gt; (ct, ss): A probabilistic encapsulation algorithm, which takes as input a public encapsulation key pk and outputs a ciphertext ct and a shared secret ss.</t>
          </li>
          <li>
            <t>Decaps(sk, ct) -&gt; ss: A decapsulation algorithm, which takes as input a secret decapsulation key sk and ciphertext ct and outputs a shared secret ss.</t>
          </li>
        </ul>
        <t>FrodoKEM comes in several parameter sets, each designed to meet one of the NIST Post-Quantum Cryptography (PQC) security levels. Here is a table summarizing the key sizes for the main variants of FrodoKEM.</t>
        <artwork><![CDATA[
   +-------+----------------+--------+--------+------------+--------+
   | Level | Algorithms     | Public | Secret | Ciphertext | Shared |
   |       |                | Key pk | Key sk | ct         | Secret |
   |       |                |        |        |            | ss     |
   +-------+----------------+--------+--------+------------+--------+
   | 3     | FrodoKEM-976   | 15,632 | 31,296 | 15,792     | 24     |
   +-------+----------------+--------+--------+------------+--------+
   | 3     | eFrodoKEM-976  | 15,632 | 31,296 | 15,744     | 24     |
   +-------+----------------+--------+--------+------------+--------+
   | 5     | FrodoKEM-1344  | 21,520 | 43,088 | 21,696     | 32     |
   +-------+----------------+--------+--------+------------+--------+
   | 5     | eFrodoKEM-1344 | 21,520 | 43,088 | 21,632     | 32     |
   +-------+----------------+--------+--------+------------+--------+

   Table 1: Size (in bytes) of keys and ciphertexts of FrodoKEM
]]></artwork>
      </section>
    </section>
    <section anchor="use-of-the-frodokem-algorithm-in-the-cms">
      <name>Use of the FrodoKEM Algorithm in the CMS</name>
      <t>The FrodoKEM algorithm MAY be used for one or more recipients in the CMS enveloped-data content type <xref target="RFC5652"/>, the CMS authenticated-data content type <xref target="RFC5652"/>, or the CMS authenticated-enveloped-data content type [RFC5083]. In each case, the KEMRecipientInfo <xref target="RFC9629"/> structure is used with the FrodoKEM algorithm to securely transport a content-encryption key from an originator to a recipient.</t>
      <t>The steps for processing FrodoKEM with KEMRecipientInfo follow Section 2 of <xref target="RFC9629"/>. To support the FrodoKEM algorithm, a CMS originator MUST implement the Encapsulate() function, and a CMS recipient MUST implement the Decapsulate() function.</t>
      <section anchor="recipientinfo-conventions">
        <name>RecipientInfo Conventions</name>
        <t>When the FrodoKEM algorithm is used for a recipient, the RecipientInfo choice for that recipient MUST be the OtherRecipientInfo choice using the KEMRecipientInfo structure defined in <xref target="RFC9629"/>. The fields of KEMRecipientInfo have the following meanings:</t>
        <ul spacing="normal">
          <li>
            <t>version is the syntax version number; it MUST be 0.</t>
          </li>
          <li>
            <t>rid identifies the recipient's certificate or public key.</t>
          </li>
          <li>
            <t>kem identifies the KEM algorithm; it MUST contain one of id-kem-frodokem976-shake, id-kem-frodokem1344-shake, id-kem-efrodokem976-shake, id-kem-efrodokem1344-shake, id-kem-frodokem976-aes, id-kem-frodokem1344-aes, id-kem-efrodokem976-aes or id-kem-efrodokem1344-aes. These identifiers are reproduced in Section 3.</t>
          </li>
          <li>
            <t>kemct is the ciphertext generated for this recipient.</t>
          </li>
          <li>
            <t>kdf identifies the key derivation algorithm. Implementations MUST support the HKDF <xref target="RFC5869"/> with SHA-256 [FIPS180] using the id-alg-hkdf-with-sha256 KDF object identifier <xref target="RFC8619"/>. As specified in <xref target="RFC8619"/>, when this object identifier appears in an ASN.1 type AlgorithmIdentifier, the parameters field MUST be absent. Implementations MAY support other KDFs.</t>
          </li>
          <li>
            <t>kekLength is the size of the key-encryption key in octets.</t>
          </li>
          <li>
            <t>ukm is an optional input to the key derivation function. The secure use of FrodoKEM in the CMS does not depend upon the use of the ukm value, and therefore this document has no requirements for this value. See Section 3 of <xref target="RFC9629"/> for more information on the ukm parameter.</t>
          </li>
          <li>
            <t>wrap identifies the key-encryption algorithm used to encrypt the content-encryption key.  </t>
            <ul spacing="normal">
              <li>
                <t>Implementations supporting FrodoKEM-976-AES or FrodoKEM-976-SHAKE MUST support the AES-Wrap-192 Key Wrap algorithm <xref target="RFC3394"/>, using the id-aes192-wrap key-encryption algorithm object identifier <xref target="RFC3565"/>.</t>
              </li>
              <li>
                <t>Implementations supporting FrodoKEM-1344-AES or FrodoKEM-1344-SHAKE MUST support the AES-Wrap-256 Key Wrap algorithm <xref target="RFC3394"/>, using the id-aes256-wrap key-encryption algorithm object identifier <xref target="RFC3565"/>.</t>
              </li>
              <li>
                <t>Implementations MAY support other key-encryption algorithms.</t>
              </li>
            </ul>
          </li>
        </ul>
      </section>
      <section anchor="underlying-components">
        <name>Underlying Components</name>
        <t>When FrodoKEM is used in CMS, the underlying components used in the KEMRecipientInfo structure SHOULD be consistent with the desired minimum security level. To meet the requirements for the KDF and key-wrap algorithm from Section 7 of <xref target="RFC9629"/>, the table below provides the minimum requirements for the components used with FrodoKEM.</t>
        <artwork><![CDATA[
+------------+------------------+--------------+-------------+
| Security   |  Algorithm       | KDF preimage |Symmetric key|
|  Strength  |                  | strength     |encryption   |
|            |                  |              |strength     |
+------------+------------------+--------------+-------------+
| 192-bit    | FrodoKEM-976-AES | 192-bit      |192-bit      |
+------------+------------------+--------------+-------------+
| 256-bit    | FrodoKEM-1344-AES| 256-bit      |256-bit      |
+------------+------------------+--------------+-------------+
Table 2: FrodoKEM KEMRecipientInfo component security levels
]]></artwork>
      </section>
      <section anchor="use-of-the-hkdf-based-key-derivation-function">
        <name>Use of the HKDF-based Key Derivation Function</name>
        <t>The HKDF function is a composition of the HKDF-Extract and HKDF-
   Expand functions.</t>
        <t>HKDF(salt, IKM, info, L)
     = HKDF-Expand(HKDF-Extract(salt, IKM), info, L)</t>
        <t>When used with KEMRecipientInfo, the salt parameter is unused, that
   is it is the zero-length string "".  The IKM, info and L parameters
   correspond to the same KDF inputs from Section 5 of <xref target="RFC9629"/>.  The
   info parameter is independently generated by the originator and
   recipient.  Implementations MUST confirm that L is consistent with
   the key size of the key-encryption algorithm.</t>
      </section>
      <section anchor="certificate-conventions">
        <name>Certificate Conventions</name>
        <t><xref target="RFC5280"/> specifies the profile for X.509 certificates used in Internet applications. FrodoKEM requires a static public key for the recipient, which the originator obtains from the recipient's certificate. The conventions for carrying a FrodoKEM public key are specified in [I-D.draft-smyslov-lamps-frodokem-certificates].</t>
      </section>
      <section anchor="smime-capabilities-attribute-conventions">
        <name>SMIME Capabilities Attribute Conventions</name>
        <t>Section 2.5.2 of <xref target="RFC8551"/> defines the SMIMECapabilities attribute for advertising a partial list of algorithms that an S/MIME implementation can support. When constructing a CMS SignedData content type <xref target="RFC5652"/>, a compliant implementation MAY include the SMIMECapabilities attribute to announce support for one or more of the FrodoKEM algorithm identifiers.</t>
        <t>The SMIMECapability SEQUENCE representing a FrodoKEM algorithm MUST contain one of the FrodoKEM object identifiers in the capabilityID field. When one of the FrodoKEM object identifiers appears in the capabilityID field, the parameters MUST NOT be present.</t>
      </section>
    </section>
    <section anchor="identifiers">
      <name>Identifiers</name>
      <t>The identifiers for indicating the use of FrodoKEM in the CMS are defined in [CSOR] and <xref target="RFC8619"/>. For convenience, they are reproduced here.</t>
      <t>frodokem OBJECT IDENTIFIER ::= { iso(1) standard(0)
     encryption-algorithms(18033) part2(2)
     key-encapsulation-mechanism(2) 7 }</t>
      <artwork><![CDATA[
 id-kem-frodokem976-shake OBJECT IDENTIFIER ::= { frodokem 1 }

 id-kem-frodokem1344-shake OBJECT IDENTIFIER ::= { frodokem 2 }

 id-kem-efrodokem976-shake OBJECT IDENTIFIER ::= { frodokem 3 }

 id-kem-efrodokem1344-shake OBJECT IDENTIFIER ::= { frodokem 4 }

 id-kem-frodokem976-aes OBJECT IDENTIFIER ::= { frodokem 5 }

 id-kem-frodokem1344-aes OBJECT IDENTIFIER ::= { frodokem 6 }

 id-kem-efrodokem976-aes OBJECT IDENTIFIER ::= { frodokem 7 }

 id-kem-efrodokem1344-aes OBJECT IDENTIFIER ::= { frodokem 8 }
]]></artwork>
      <t>id-alg-hkdf-with-sha256 OBJECT IDENTIFIER ::= { iso(1)
    member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
    smime(16) alg(3) 28 }</t>
      <t>aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
    organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }</t>
      <t>hashAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
    organization(1) gov(101) csor(3) nistAlgorithm(4) 2 }</t>
      <t>id-shake256 OBJECT IDENTIFIER ::= { hashAlgs 12 }</t>
      <t>id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security considerations sections of [I-D.draft-smyslov-lamps-frodokem-certificates] and <xref target="RFC9629"/> apply to this specification as well.</t>
      <t>Implementations MUST protect the FrodoKEM private key, the key-encryption key, the content-encryption key, the message-authentication key, and the content-authentication-encryption key. Of these keys, all but the private key are ephemeral and MUST be erased after use. Compromise of the FrodoKEM private key can lead to the compromise of all messages protected with that key.</t>
      <t>The generation of the private key and the FrodoKEM encapsulation function depend on random numbers. The use of inadequate pseudo-random number generators (PRNGs) to generate these values can result in little or no security. Generation of high-quality random numbers is difficult; see [FRODO-SPEC] for more information.</t>
      <t>The encapsulation and decapsulation of FrodoKEM only output the shared secret and the ciphertext. Implementations MUST NOT use the intermediate values directly for any purpose. Implementations SHOULD NOT leak information about the intermediate values or computations through timing or other "side channels", as an attacker may be able to determine information about keying data and/or the recipient's private key.</t>
      <t>In general, it is good cryptographic practice to use a given FrodoKEM key pair in only one scheme. This practice avoids the risk that a vulnerability in one scheme could compromise the security of the other.</t>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <t>TBD</t>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>This document borrows heavily from draft-ietf-lamps-cms-kyber-13, [RFC9690], and the original FrodoKEM specification [FRODO-SPEC]. Thanks go to the authors of those documents.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC3394">
          <front>
            <title>Advanced Encryption Standard (AES) Key Wrap Algorithm</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <date month="October" year="2002"/>
            <abstract>
              <t>The purpose of this document is to make the AES Key Wrap algorithm 
conveniently available to the Internet community. The United States 
of America has adopted AES as the new encryption standard. The AES 
Key Wrap algorithm will probably be adopted by the USA for 
encryption of AES keys. The authors took most of the text in this 
document from the draft AES Key Wrap posted by NIST.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3394"/>
          <seriesInfo name="DOI" value="10.17487/RFC3394"/>
        </reference>
        <reference anchor="RFC3565">
          <front>
            <title>Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <date month="July" year="2003"/>
            <abstract>
              <t>This document specifies the conventions for using the Advanced Encryption Standard (AES) algorithm for encryption with the Cryptographic Message Syntax (CMS). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3565"/>
          <seriesInfo name="DOI" value="10.17487/RFC3565"/>
        </reference>
        <reference anchor="RFC5280">
          <front>
            <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title>
            <author fullname="D. Cooper" initials="D." surname="Cooper"/>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <author fullname="S. Boeyen" initials="S." surname="Boeyen"/>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="W. Polk" initials="W." surname="Polk"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5280"/>
          <seriesInfo name="DOI" value="10.17487/RFC5280"/>
        </reference>
        <reference anchor="RFC5652">
          <front>
            <title>Cryptographic Message Syntax (CMS)</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <date month="September" year="2009"/>
            <abstract>
              <t>This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="70"/>
          <seriesInfo name="RFC" value="5652"/>
          <seriesInfo name="DOI" value="10.17487/RFC5652"/>
        </reference>
        <reference anchor="RFC5869">
          <front>
            <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5869"/>
          <seriesInfo name="DOI" value="10.17487/RFC5869"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC8551">
          <front>
            <title>Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification</title>
            <author fullname="J. Schaad" initials="J." surname="Schaad"/>
            <author fullname="B. Ramsdell" initials="B." surname="Ramsdell"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="April" year="2019"/>
            <abstract>
              <t>This document defines Secure/Multipurpose Internet Mail Extensions (S/MIME) version 4.0. S/MIME provides a consistent way to send and receive secure MIME data. Digital signatures provide authentication, message integrity, and non-repudiation with proof of origin. Encryption provides data confidentiality. Compression can be used to reduce data size. This document obsoletes RFC 5751.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8551"/>
          <seriesInfo name="DOI" value="10.17487/RFC8551"/>
        </reference>
        <reference anchor="RFC8619">
          <front>
            <title>Algorithm Identifiers for the HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <date month="June" year="2019"/>
            <abstract>
              <t>RFC 5869 specifies the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) algorithm. This document assigns algorithm identifiers to the HKDF algorithm when used with three common one-way hash functions.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8619"/>
          <seriesInfo name="DOI" value="10.17487/RFC8619"/>
        </reference>
        <reference anchor="RFC9629">
          <front>
            <title>Using Key Encapsulation Mechanism (KEM) Algorithms in the Cryptographic Message Syntax (CMS)</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="J. Gray" initials="J." surname="Gray"/>
            <author fullname="T. Okubo" initials="T." surname="Okubo"/>
            <date month="August" year="2024"/>
            <abstract>
              <t>The Cryptographic Message Syntax (CMS) supports key transport and key agreement algorithms. In recent years, cryptographers have been specifying Key Encapsulation Mechanism (KEM) algorithms, including quantum-secure KEM algorithms. This document defines conventions for the use of KEM algorithms by the originator and recipients to encrypt and decrypt CMS content. This document updates RFC 5652.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9629"/>
          <seriesInfo name="DOI" value="10.17487/RFC9629"/>
        </reference>
        <reference anchor="ISO18033-2-AMD2" target="https://www.iso.org/standard/86890.html">
          <front>
            <title>ISO/IEC 18033-2:2006/Amd 2, Information technology—Security techniques — Encryption algorithms — Part 2:symmetric ciphers, Amendment 2</title>
            <author>
              <organization>ISO</organization>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.draft-longa-cfrg-frodokem">
          <front>
            <title>FrodoKEM: key encapsulation from learning with errors</title>
            <author fullname="Patrick Longa" initials="P." surname="Longa">
              <organization>Microsoft</organization>
            </author>
            <author fullname="Joppe W. Bos" initials="J. W." surname="Bos">
              <organization>NXP Semiconductors</organization>
            </author>
            <author fullname="Stephan Ehlen" initials="S." surname="Ehlen">
              <organization>Federal Office for Information Security</organization>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization>University of Waterloo</organization>
            </author>
            <date day="22" month="June" year="2026"/>
            <abstract>
              <t>   This internet draft specifies FrodoKEM, an IND-CCA2 secure Key
   Encapsulation Mechanism (KEM).

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-longa-cfrg-frodokem/.

   Source for this draft and an issue tracker can be found at
   github.com/dstebila/frodokem-internet-draft.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-longa-cfrg-frodokem-03"/>
        </reference>
        <reference anchor="I-D.draft-longa-cfrg-frodokem-security-considerations">
          <front>
            <title>Security Considerations for FrodoKEM</title>
            <author fullname="Patrick Longa" initials="P." surname="Longa">
              <organization>Microsoft</organization>
            </author>
            <author fullname="Joppe W. Bos" initials="J. W." surname="Bos">
              <organization>NXP Semiconductors</organization>
            </author>
            <author fullname="Stephan Ehlen" initials="S." surname="Ehlen">
              <organization>Federal Office for Information Security</organization>
            </author>
            <author fullname="Douglas Stebila" initials="D." surname="Stebila">
              <organization>University of Waterloo</organization>
            </author>
            <date day="22" month="June" year="2026"/>
            <abstract>
              <t>   ISO standardized FrodoKEM in June 2026 [ISO18033-2-AMD2].  This
   document provides security guidance for FrodoKEM for use in
   protocols.  It explains what security claims protocol designers may
   rely on, what assumptions and conditions are required, what parameter
   sets are in scope, and what implementors need to do to use FrodoKEM
   safely.  The scope follows the current FrodoKEM Internet-Draft
   [I-D.FrodoKEM].

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-longa-cfrg-frodokem-security-considerations-00"/>
        </reference>
      </references>
    </references>
    <?line 251?>



  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8U7224bS3LvAvQPDflhyV0OTVKiLOlgg5UlytZat2PacAJD
CJozTbKXc+GZ7pHMc7xBPiCP+Zx8TX4gv5Cq6stcSEo24pP1YnGGfamuqq57
l4Ig2N1RmqfRv/I4S8UJ03khdnfkMqdPpQe93nFvsLsTcn3ClI7YC3Y2F+EC
thWTRCols1SvlrDzcvThYneH54KfsLEIi1zq1e7O4+yExTxZqt2d3Z0oC1Oe
wNoo51MdhHORBjQZhIkKpnkWZQuRBL0+LtZSx7D0oxIsm7ILnHw3umYyZXou
2Fm+WupslvPlXIbsWijFZ4KNV6nmXwCLySQXDyfru67HuzsxTwEpke7uLB5P
dncYC9hlqkWeCh2cI2JmbCFWj1keAe0vWMQ1oDLoDQ6D3qugN2RBQGNMKjaV
cSwiPIEXOku4liGP4xWbrNiXJB7k05DJKUszzWbyAU+FZfMsh5MDZrhxLWQs
0xkyNsWzsxzwO5vLlLPrbCJjgYMhsPOEvRbyr7CUBrIi1fnKrsQRkXAZnzBk
a2JA/iXEuYSAdMMsKc+8kmxc/IDDVBHL7ae8KRAN9okbKHTW24I/Coks77I7
YOGVjsojx3AeX2a5qB1aG7UHPwLM7ozg/2VOIM3RuztpluMtPAi63PcXZ4N+
/9h97+8fH/jv4eHQfQ8HRz3/fTgc+O+jQ7/3qP/K7z0aDvv++7CEf3w4MN+X
49v+UW9/PxgEp9fnBh5jmuczAZo013qpTl6+fHx87EqVdYEzL0kPeR69PDo8
Ou515zqJ7SajCQDx5eXojFmwJ6Cahy9Pk4gNOsDNqaE6A0EX4TzN4my2+u9/
/0+niWZU/lIIxWCYjdIQNQjX83iWwZJ5YmbueK7Z4EStkkToHJQrlMu5yFWH
nSYijeD/MG0Q85LM7L/AXDFgimNgRxxa9jKALcF512g/2JsZD8JpPvOa/y1r
AmUpCsIsVTISOVGtTvDqA9BLPlE656HG36X+K8bZLwVPdZEEuVASma1Rx8EQ
hHwJYmyYlwCbeCpVwlqwr80mXIFyZ8Z8uBtiV4LnKarsJ+AbG+V5livWuvo0
arNlnk1ikfzPf/2HWy1/BQhgDYAr3dIiZdMpMJUlRazlMhZsyXNQGTBDTAkN
zH5EyHhoLkCukfMABacYsJTNRAqEx6wA6yjTMC4ixKYl2g5+cPzqMDgdjRng
sDY+fnv6bkRwHDNZLB5EzPY7a+v7+wcHGwHRxFZIwy77MAeug8kvSGTUUoRy
KkH8kCi4O7CFdHG0u1CI//cYedYCY97u2J24Gja+hzOWEgCjPsB15UWoi1yw
SExlaoz0nnUo7+DqR7Wrv25c/WmpF9+Mzx77bI3AfdcJZCKjCM0qOpKbTAMH
4PgzOGpGg+YLJIFHeJfsAcQC0XnORxqBZx+X5IiMpIBIgTgDMCM9jxkAjOSD
jAqQFQJoDr94/8agZ/EwdyK1YYR3tyJhcGBCCnn1ejQeDJnOmpataygDew57
gN8AoaZ6nxvr71EZIdbAY/Q8F3RxnsWgPoA/YQn7WKlDBrXPDux9l10CMV7q
AKZXVc4eRRwHSoNWwMgcNdaqJR5TpF4wIohNNDhsAQqHXhsGEInYqTexURj1
thBQroHLDAIdHzZ41hoavEF1Qh82+EpcecrI3ZO2zbNH5DfRKCCiIGXXz2zd
Zh/vK7ZnzoFbGZDm9Nqo8QPPJVhFhYeSeWIZeIiE7NdS5GTKQboYD/MMriiS
U5I3TRx+RIYsgZ24THUJtAeIc3M5mwMRqgAxA0aS2kfiQXpx9VB4GIrY4k3L
EFYrlguBX8HNJTIaeR87cYH7aXebVMAcSD7ammQpwIeCEwL3xCZCo5WtEgTg
POYgEeEC7x4P3YxSSxXhnHFU2RT8RzIRERnnldICACBDrX0OlkW+zODazu4+
IoYfMsAGFNxwX4UiBWQzED6NtrIuLUDN1ZU17sJscKSRyu3ueFNj7Zt6zgwi
L3FJYU0giAJfN3LXY/CJYMOzpYgCMC68Q44ezTWgVo4BmfXx+i608RqlA9MD
9X3uAMciCZ5PO1wFSI+u+UIvzXXPSbJkSdnOipNNvrKz2VF2vtcfdpm5nxcv
2AeRJ9IEY+y3F7r89XdcAJaEQhDMMxTbu/44/rDXMf9lN7f0/X7088fL96Nz
/CaJ8B9uxfjt7cer8/Kr3Hl2e309ujk3m2GUNYauT/9lz9zj3u3dh8vbm9Or
PSMF1ZtC8QeDMEHnBAQsc2B1hNIfCRXmcmLc6uuzO9Y/IO+H4fY9fWHAbPwg
sMIx6v/HOfzDvMMloJppHncqtt7jRZa3PygVmbEbkN141UHDbkPCfXZzCQJQ
D6hgW8eFZ8OfDDeUKKIshxFw0cbgaNCd1t37N21UG4UmrD84QqNnTCP8+Ikg
WOVgy2ISQySDMhjyFO+YM/QpAUoqDbd8zJtkkWgjLM4URP26skZAgpBQPEqL
6MZPwxCkmmKzzOh4kZOzaN4acG6W460C8+FWK3x7hMwacaoF0mgeshQcyVFp
6XFsI8/2Db8qbNbeeTd0faM+d9ik0JS7V2cOD3qbQt4+HAMGnsdylhrZIHI2
mPa68bMWrnICUsalo0z5YgrkRnXCiBMdQrDGjDXM8EZg9+tqNsMn4Io6DW0v
USMmG7PrYTfQxKOeiokrfP9BqQlR8UPSE+TIu2fTP8obIRyIkHTKFr+EFDFD
ggb0QhQQx9mjMVnowDDRziowUaHgaLCZYFggFoOfrVLBAC+vOu2qMsJhHC4V
ZNVC7bLXK6ADD3PpDvl8SVhTYQn15/MnCA3fDYb3wCxScIoBlbk5Y09Lh39i
heKPDJOhNyJtLdos+CfWWi46TC3aJ+yUzBqfyBhgWNSsoakVDhwz7JxApllq
6uxFAMuFCR0cXyLRXKEWCFCkZo25ttLJL/BSiOJuSYDJ5ABzQ0GogQK1gYI6
OmsEaL5A5NEWLUHxn6ciKzQsRHpNlUSLL5pB1GIpBOdCWTsRqlQF4XOiuoWk
hpqQVgrRrXPjeQSfYCIhsY5WifJG9LxyQ6QlyCgr0Bi07c0KheCAEAQBYO7Q
M2agPADGO29hTPJdpnTws6m8VI0FuI27n8/aTZPdZW/RQJPemTxBFUkC9udX
J/dEHLiCMlJMOKbNFRvlaCCC/g3+Edf/FJh/7r/+35+2f9RHCcxXdkUm5Gu1
QMBo4s5Iy1esfyNLv7Kzkv0wavj91YJhdlfj31cqTYB8mQ+FH3B15bQD/hyY
rR/mh7JY/1je7FvoNdeKA/1h53B/gCv6ncHxoRl5dTyw6wcHvyc2oo7ONmwO
Dn5XbIZN3qCPouP6neGgBx8H+53e0ZEZOTw+tOv3B78nNqKOzjZsHBI/HhsC
9IF0vY+1/l8hNgOFnqzAkbSt31UNY1ZTc6fjphBl63toGLwt85paewgyCZhf
VJZtIDHCuLNQPt6kykGS5VSONQnlEwlzLfWlTAifFO47fvl6Pr11i7Vx67ue
PbJ3tH9P+QgZ6hBCv87mrLisI5SlAjDARL4vQ29gU7U2pSEPUUtIC5hHBTD0
bwxotKmUCFkG7J7JlHIVgMBLjnbdlSgtlsa824yvVhwmlNaIMMERGkc6cIAy
UNZiMTBXxZIQ3EwNRkzI5Ap2lIfLZAl5HXEW9pUVY9Fqs2mR0mm2GEL7PTWb
tp+LTdtdhlwn6KysieD8JwyItlyEu6wpZWceA3PddajhPIOE1rpOrpvoTkwp
+BZDz40bv7fcXr0C2ASZRRwpW3yqb5/zB3N4GeYmgmOibSJVCJp8bVyazEmZ
yrsbTYtkIvKfMJV2xPS6bmsuAZ8IGeoTL0/7HxQLwa6YBI1UvYzFPYAF1gfq
AGq3UJ6L8o8hiQ2FZBRgXdYVaDHLgchrAdrYmKGUpT4ltu8ST2yr7uJYvth0
UnVCNHYgDzaew00pT2Ap2jEjNwXeXCzpBcBcvFPE/SoDIY6xV1eJS13WEFmp
hBV1k0Cbo2mT+2hTIKWSD41YGWyeUzpT+ja3UlX/t+/OL4yRPDoEs0cWBXLF
YDA8ZJ8vLu/G/aPefUXWgRUAPpgDFgEuRnbjWgSTTf6GdcqSG6b0ddhHmT/1
qX+pDjRlMxyidh0CXy4Fz8nDgME8Hd90+8awe0d26RcbLffBuTI65jWATxTy
cZ0n4OMcS0ymCcSoymUtrkQ6A744XUO/bP0qcL5p3FHcQy10CaFYkGFCg0/L
IIMwSYutBzWuzxtDshPGr7jSyIY2DhZlIAZY+IjEUoD1LZa2rFGU/h9ReOBx
ITqu6pWLKTrxes0Di3JpBkL3SyFz4pEqRZH2d0GcRSnSNd9CSyk0kJVHeIcM
YOCvxrPmERKgDdJc5Wlp3Mmym6ICTrp6+QYP28W4zDyh4ynNG7e3XfWlvhQD
JGwow6zpDT6/fALkgz4E7pid4I8Krp9th8V9p6E8QsGOgOjeSuhmRcImDawh
fw9VvihUJatSENpOFyn1d9EFO34Xutb1c9sBysUPH7HCFK+olShLQB9Qkn3s
UO2FIJkCZQJFMuajKLeGfqtf9oy7t+8OE+HKTahUPnDECgGmvYlMZVIkjYSf
IjMqHBiPvKaCgowsqi/S/1i/FwopnVq+qqmlocuUECYCQ0P7HmjUzWGz8cQm
C4iWDUWFzSnN1qH6T8h8vvpGOZOel2mKLwUA7ctcyASLql/HvicHePEV97Ox
zo2ZXq8AUJLvp/FnRXoogWtUBDbsr/+sQ/sR9KNVmEjdyIudVarNw4r6rx9x
Pmrv+vnOftTmYUX91//9fJP0Dip9imta5kWxWSgrk94XtZwXQ5vAPHahITsv
PeyF9bAuy6IgyLldU3Gj05R03Qoe3ugLtVSRGtIA2a3RlyUOOBC+vIkrWorH
kIBcvrvukF/ssKu27RP7s4OJu1tV+OWmdnUX7SMbVmpjk1FG3XF/pU6Jli7F
PR1KdggOjEkfhf4q8iyIjUyDcKP529vDZxyY86gT1VeVCIvghFmeC8h408gF
NAqmSWEpzFF14zRs5KN4hMEHT6ihLFMT0gBl8aoSHU9WdEwlQXUPImW4vMGP
2IxkKvPEpHxXeEjDUhOYanV1S6hXBtlW8s4qeVMlYzWRiGlRwNbK+8abF9ji
qbRNIP/cHfaOqwlY6Xh8gw0ExLF9PVOVRhZrvamYjQSH1UcUZ80r+bAtote5
mE0wW7P39UReaCLTZqtCyPOc/CavdCSUSGBiVM8Ayu4dlaxUnD3Y9i7fwFPl
hH89H19fXo/YGV/SW4ZGPp5qkNhJUWc8Lvc1kO6w6+sg2LBabxQhkDWI3EOk
SkL0gJgoQxyIqJYQw+NDCr1PlcVvkiqI88cvCUlZk0B6WLaBTNdoMcoeBQ8G
MkbzY3pEOH+qEGasU4xF/uYRGCu5RpnnKMOSU5pmBfb9uPiqWeNrlg8rlZYy
5/XVqvppKzYe/fxxdHM2ooRYYPbVEI9KoXFDuaB28lrs6KuOoT/w8tykfJa7
3wimkmJuBreWV7q2FAz0LGGu96+E65hSPQrZi32IqL82dn4iseONAtLZ+Pa9
6Yer5NUXqHkk9RIbHgnXVbMKgekeYehUi92+/uvo7AO7PB/dfLi8uBy9Zycn
f2a/gUHMWv22bzRo9ZyvKk1fUAp8izpW2qQSg9bArbWmsnyHC/xrMiyC8PTv
1pWxrSWhrQh6CvrboZR1oOfBDNbBrJeangez/wSY70Hn4GneYEHqWRjDZzjz
TUAOn+HLNwHZcNNrRbTnoRwZKNtKT0+Lsjk9wd7EPJhk0QolsFCto4Nem+WK
R0q2+v394cExiPEiVCj9+N/guHVsN6tEJqLVP2yjvWqBuA8sRk9h/7dMpjoA
HAKpi0DjqfavOAiSxcAckOUzUA7TBYTnz7KHVr8HH6HKcjwQNEf7lKh10HbC
P+dqDuP/KCxAd1x4A5dDEv7UhXhs+3ZjZXO1LrJtP7J7QMLdKDg8teEANjBj
nH2KeVbrB/ZvLW663i6M4+YD44fvi1m8sTb1MYzdViZIXuuE4oq68chKb4xc
wZhrdF01d7aknIaC086WgmTniTqZmUtMq1JQeVXz865Hzu2vr1kru92Su1WE
h+pgTxD1jZlA16NK7qlslcMzXJEWBjDiBQYL/FsICDWxgAPxqNzwmFkFicFV
LLjPQcLaNkTEkqkcJ8s3Pa79+wYKQqWxx55Yw91yxGNRb4nxaaStxsKXbUw0
jzLm0cC5fQi8I4jcEbZpYgxqi8tmRoXdjDdvVBvpc5mQ5TUVZhVxAIKRAhI/
iBYggNExBXJp5kW7y97UaMNO9ACOp2itjiamRtjXLkMA+BNAgBD04v3t+W0w
vhudba71eg42mouADfW2nGrAQ911phXHJI+1Xhwvf/6VZMujBoZjyFSqR2Ky
lIhIIo8sd0wTdWySIexWtw3p6+DK5mEUqEWtmM0nmUVz0xkUiiVAiIWk53lW
zEDCZILhHsbWVL/cU9SNDxFRKmKFncf0OgChOQ8XMJ/wlXmwiClKj4RplxYb
UAGJRND08A28etnM9P6gqsJrrEvqmvI7tgAwy7KIhbX2xSVWIfCZE85HtnLb
WuevjVq/uMzpvYOuEPBTIeq07XD3IPhDJiP70CjVwmZJ7KGIEQubK9iw30BA
JxVHVR3WVQNttZKY6QLv05vThl1nv73AUdNf/vrcrDsNF2n2GItoZiqdRmKr
byCTLM+xkXEu+IOM7WO9MflS6GnlT5AWK4wp+vsda+KPe/elwbRpdVxyrG7v
q8qEDOPpAi/CmS/zB4W2WxH/bsLhp0xPfRAEbMLxr4/N//4XCPgWT8A8AAA=

-->

</rfc>
