Internet-Draft | ECDHE-MLKEM | December 2024 |
Kwiatkowski, et al. | Expires 28 June 2025 | [Page] |
This draft defines three hybrid key agreements for TLS 1.3: X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 which combine a post-quantum KEM with an elliptic curve Diffie-Hellman (ECDHE).¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://post-quantum-cryptography.github.io/draft-kwiatkowski-tls-ecdhe-mlkem/. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/.¶
Discussion of this document takes place on the Transport Layer Security Working Group mailing list (mailto:tls@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/tls/. Subscribe at https://www.ietf.org/mailman/listinfo/tls/.¶
Source for this draft and an issue tracker can be found at https://github.com/post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 28 June 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
ML-KEM is a key encapsulation method (KEM) defined in the [FIPS203]. It is designed to withstand cryptanalytic attacks from quantum computers.¶
This document introduces three new supported groups for hybrid post-quantum key agreements in TLS 1.3: the X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 which combine ML-KEM with ECDH in the manner of [hybrid].¶
The first one uses X25519 [rfc7748] and is an update to X25519Kyber768Draft00 [xyber], the most widely deployed PQ/T hybrid combiner for TLS v1.3 deployed in 2024.¶
The second one uses secp256r1 (NIST P-256) [ECDSA] [DSS]. The goal of this group is to support a use case that requires both shared secrets to be generated by FIPS-approved mechanisms.¶
The third one uses secp384r1 (NIST P-384) [ECDSA] [DSS]. The goal of this group is to provide support for high security environments that require use of FIPS-approved mechanisms.¶
All constructions aim to provide a FIPS-approved key-establishment scheme (as per [SP56C]).¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
All groups enable the derivation of TLS session keys using FIPS-approved schemes. NIST's special publication 800-56Cr2 [SP56C] approves the usage of HKDF [HKDF] with two distinct shared secrets, with the condition that the first one is computed by a FIPS-approved key-establishment scheme. FIPS also requires a certified implementation of the scheme, which will remain more ubiqutous for secp256r1 in the coming years.¶
For this reason we put the ML-KEM shared secret first in X25519MLKEM768, and the ECDH shared secret first in SecP256r1MLKEM768 and SecP384r1MLKEM1024.¶
Note: The group name X25519MLKEM768 does not adhere to the naming convention outlined in Section 3.2 of [hybrid]. Specifically, the order of shares in the concatenation has been reversed. This is due to historical reasons.¶
The same security considerations as those described in [hybrid] apply to the approach used by this document. The security analysis relies crucially on the TLS 1.3 message transcript, and one cannot assume a similar hybridisation is secure in other protocols.¶
Implementers are encouraged to use implementations resistant to side-channel attacks, especially those that can be applied by remote attackers.¶
This document requests/registers three new entries to the TLS Supported Groups registry, according to the procedures in Section 6 of [tlsiana]. These identifiers are to be used with the final, ratified by NIST, version of ML-KEM which is specified in [FIPS203].¶
This document obsoletes 25497 and 25498 in the TLS Supported Groups registry.¶
draft-kwiatkowski-tls-ecdhe-mlkem-03:¶
draft-kwiatkowski-tls-ecdhe-mlkem-02:¶
draft-kwiatkowski-tls-ecdhe-mlkem-01:¶
Add X25519MLKEM768¶
draft-kwiatkowski-tls-ecdhe-mlkem-00:¶
draft-kwiatkowski-tls-ecdhe-kyber-01: Fix size of key shares generated by the client and the server¶
draft-kwiatkowski-tls-ecdhe-kyber-00: updates following IANA review¶