Hybrid Public Key Exchange (HPKE) [RFC 9180] defines an authenticated encryption encapsulation format that combines a semi-static asymmetric key exchange with a symmetric cipher.  This format is used in several IETF protocols, such as MLS [RFC 9420] and TLS Encrypted ClientHello [draft-ietf-tls-esni].  The fact that HPKE is defined in an Informational document on the IRTF stream, however, has caused some confusion as to its usability, especially with other standards organizations.  And there are currently no “post-quantum” (PQ) KEMs defined for HPKE, in the sense of algorithms that are resilient to attack by a quantum computer.

The hpke Working Group is tasked with two responsibilities:

1. Re-publish the HPKE specification as a Standards Track document of the IETF, with targeted changes based on experience with its use:
    * The working group may decide to apply any errata filed on RFC 9180.
    * The working group may decide to remove functionality that is not widely used (e.g., the Auth and AuthPSK modes). 
    * The working group may define how KDFs that are not two-step might be used with HPKE.

2. Define PQ algorithms for HPKE from among the following:
    * New KEMs based on hybrid combinations of ML-KEM and ECDH (ML-KEM-768 with X25519, ML-KEM-768 with P-256, and ML-KEM-1024 with P-384) and standalone ML-KEM (ML-KEM-768 and ML-KEM-1024).
    * New KDFs based on SHA3

Differences between the Standards Track version of HPKE and the Informational version (RFC9180) should be minimized. The Standards Track and Informational versions must have identical behavior for any functionality that they both specify.

The group might select a number of cipher suites that address different use cases, security levels, and attacker threat models.

Deliverables:
1. HPKE specification to the IESG as Proposed Standard (yesterday)
2. New post-quantum and post-quantum/traditional hybrid cipher suites for HPKE to the IESG as Proposed Standard (the day before that)