Skip to content

CONCEPT Cited by 1 source

HPKE (Hybrid Public Key Encryption)

Definition

HPKE (RFC 9180) is a standardised primitive for hybrid public-key encryption: the sender uses an asymmetric key encapsulation mechanism (KEM) to establish a shared secret with the recipient's public key, derives a symmetric key via a KDF, and then encrypts the payload with an AEAD cipher. One public key, one shot, no interactive handshake.

HPKE is what you use when:

  • You want public-key encryption semantics (anyone can send to a public key; only the key-holder can decrypt).
  • You do not want a full TLS-style handshake (no round-trip).
  • You want forward secrecy at the per-message level — every send generates a fresh ephemeral KEM secret.

Role in Oblivious HTTP

HPKE is the cryptographic primitive underneath OHTTP. An OHTTP request is an HPKE-encrypted blob addressed to the gateway's public key, wrapped in an outer HTTP exchange to the relay:

  • Device fetches the gateway's HPKE public key (e.g. from a third-party CDN).
  • Device HPKE-encrypts the inner HTTP request, producing an opaque blob.
  • Device POSTs the blob to the relay; the relay forwards it to the gateway without being able to decrypt.
  • Gateway decrypts with its HPKE private key and processes the inner request.

The forward-secure, one-shot nature of HPKE means a later compromise of the gateway's private key does not retroactively expose earlier messages, provided ephemeral material is discarded. This is the property that lets OHTTP be a single-message-hop protocol while still providing confidentiality.

Seen in

Last updated · 319 distilled / 1,201 read