HPKE (RFC 9180) Practical Adoption Playbook

Date: 2026-03-28
Category: knowledge
Audience: security/platform engineers who need modern public-key encryption for protocol design

1) Why HPKE matters now

Most teams eventually hit the same problem:

• They need public-key encryption inside an application protocol,
• but raw “RSA encrypt payload” or ad-hoc ECIES variants are brittle,
• and interoperability across stacks is painful.

HPKE (Hybrid Public Key Encryption, RFC 9180) gives a standard composable pattern:

1. KEM does key encapsulation,
2. KDF derives context-bound secrets,
3. AEAD encrypts payloads.

You get modern crypto agility and cleaner protocol boundaries without inventing a bespoke scheme.

2) Mental model in one minute

Think of HPKE as “TLS-style key schedule, but for your own message format.”

• Sender has recipient public key.
• Sender creates an ephemeral encapsulation (enc) + shared secret.
• Both sides derive symmetric context from shared secret + suite IDs + app info.
• Payload encryption uses AEAD with sequence-bound nonces.

Outputs you carry on the wire are usually:

• enc (KEM encapsulation),
• ciphertext,
• AEAD tag,
• optional app metadata.

3) HPKE modes (choose intentionally)

HPKE has four operation modes:

1. base: anonymous sender, recipient-auth only.
2. psk: adds pre-shared key authentication.
3. auth: sender authentication via sender static key.
4. auth_psk: both sender static auth + PSK.

Practical rule:

• Start with base unless you explicitly need sender auth at the encryption layer.
• Use auth/auth_psk only if your protocol key lifecycle is mature enough to rotate sender static keys safely.
• Use psk when you already have reliable PSK provisioning and replay protections.

4) Cipher suite defaults that are usually sane

From RFC 9180 families, common production defaults are:

• KEM: DHKEM(X25519, HKDF-SHA256)
• KDF: HKDF-SHA256
• AEAD: AES-128-GCM or ChaCha20-Poly1305

Quick choice heuristic:

• Heterogeneous/mobile-heavy clients -> ChaCha20-Poly1305 is often a practical default.
• AES acceleration everywhere (server-class x86 with AES-NI) -> AES-GCM is usually fine.

The key is less “perfect primitive picking” and more fleet-wide consistency + test vectors + rotation discipline.

5) The most common implementation mistakes

5.1 Reusing contexts incorrectly

HPKE contexts are stateful for nonce sequencing. If your library expects one-shot seal/open per context, respect that model.

5.2 Weak domain separation

If info is vague, cross-protocol confusion risk rises. Include protocol/version/role/channel fields in info.

5.3 No replay strategy

HPKE itself is not a replay-prevention system. Your protocol still needs nonce windows, message IDs, timestamps, or sequence checks.

5.4 Bad randomness hygiene

Ephemeral key generation quality is critical. Do not route this through weak PRNG pathways in constrained environments.

5.5 Key rotation as an afterthought

Teams adopt HPKE fast, then discover key-distribution and revocation are the real project. Treat key lifecycle as first-class from day one.

6) Minimal wire-format pattern (battle-tested shape)

A practical envelope:

struct {
  uint16 suite_id;
  uint8  mode;
  opaque key_id[...];      // which recipient key
  opaque enc[...];         // KEM encapsulation
  opaque aad_context[...]; // protocol metadata
  opaque ciphertext[...];
} hpke_message;

Design notes:

• key_id must be explicit for rotation and rollback.
• suite_id must be explicit for crypto agility.
• AAD should include immutable routing/security metadata (tenant, method, path template, etc.).

7) Operational playbook (what to measure)

At minimum track:

• encryption/decryption failure rate by suite_id and key_id,
• unknown/expired key_id rate,
• skew between key publication time and first successful decrypt,
• replay-drop counts,
• p95/p99 latency impact after rollout.

Alert on:

• sudden decrypt-failure spikes after key rotations,
• mixed-suite drift during deployments,
• one region lagging in key propagation.

8) Rollout strategy that avoids 2AM incidents

1. Dual-publish keys (current + next) before client cutover.
2. Canary by traffic slice with strict decrypt-failure SLOs.
3. Keep old key for bounded grace window (not forever).
4. Record key_id at both sender and recipient logs for rapid incident diffing.
5. Exercise a forced key revoke drill before calling rollout complete.

9) Where HPKE is already proving useful

HPKE is already foundational in modern protocols, including:

• Oblivious HTTP (RFC 9458) for encrypted request encapsulation via relay/gateway split,
• Messaging Layer Security (RFC 9420) ecosystem usage for public-key encryption components,
• ECH/TLS privacy work where HPKE is used for encrypted configuration/client-hello flows.

This is why HPKE adoption is increasingly a practical interoperability move, not just crypto-theory interest.

10) Bottom line

If you need protocol-level public-key encryption in 2026, HPKE is usually the safest default choice:

• standardized,
• composable,
• well-analyzed,
• increasingly ecosystem-native.

But the real success criterion is not “we used RFC 9180.” It is: key lifecycle, replay controls, and operational observability were designed together with the cryptography.

References

• RFC 9180 — Hybrid Public Key Encryption (HPKE): https://www.rfc-editor.org/rfc/rfc9180.html
• RFC 9458 — Oblivious HTTP: https://www.rfc-editor.org/rfc/rfc9458.html
• RFC 9420 — The Messaging Layer Security (MLS) Protocol: https://www.rfc-editor.org/rfc/rfc9420.html
• CFRG HPKE working group/history: https://datatracker.ietf.org/doc/charter-ietf-hpke/
• Cloudflare explainer on HPKE ecosystem/implementations: https://blog.cloudflare.com/hybrid-public-key-encryption/