]> PQShield

kris@amongbytes.com

AWS

kpanos@amazon.com

Cloudflare

bas@cloudflare.com

University of Waterloo

dstebila@waterloo.ca

Security Transport Layer Security ECDH hybrid ML-KEM post-quantum x25519 This draft defines three hybrid key agreements for TLS 1.3: X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 which combine a post-quantum KEM with an elliptic curve Diffie-Hellman (ECDHE). About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Transport Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction ML-KEM is a key encapsulation method (KEM) defined in the . It is designed to withstand cryptanalytic attacks from quantum computers. The document defines a framework for combining traditional key exchanges with next-generation key exchange in TLS 1.3. The goal of this approach is to provide security against both classical and quantum adversaries while maintaining compatibility with existing infrastructure and protocols. This document applies the framework to ML-KEM, a key encapsulation mechanism defined in , and specifies code points for the hybrid groups.

Motivation This document introduces three new supported groups for hybrid post-quantum key agreements in TLS 1.3: the X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 which combine ML-KEM with ECDH in the manner of . Any of the hybrid groups specified in this document may be implemented in a FIPS approved way as discussed in .

• The first one uses X25519 , is widely deployed, and often serves as the most practical choice for a single PQ/T hybrid combiner in TLS 1.3.
• The second group uses secp256r1 (NIST P-256). This group supports use cases that require both shared secrets to be generated by FIPS-approved mechanisms.
• The third group uses secp384r1 (NIST P-384). This group is intended for high-security environments that require FIPS-approved mechanisms with an increased security margin.

Key establishment using NIST curves is outlined in Section 6.1.1.2 of .

Terminology The document defines "traditional" algorithms as those that are already widely adopted and "next-generation" algorithms as those that are not yet widely adopted, such as post-quantum algorithms. In this document, ECDH using Curve25519, P-256, or P-384 is considered traditional, while ML-KEM is considered next-generation. The document defines a "hybrid" key exchange as one that combines a traditional key exchange with a next-generation key exchange. This document uses the term "hybrid" in the same way.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Negotiated Groups

Client share When the X25519MLKEM768 group is negotiated, the client's key_exchange value is the concatenation of the client's ML-KEM-768 encapsulation key and the client's X25519 ephemeral share. The size of the client share is 1216 bytes (1184 bytes for the ML-KEM part and 32 bytes for X25519). Note: The group name X25519MLKEM768 does not adhere to the naming convention outlined in . Specifically, the order of shares in the concatenation has been reversed. This is due to historical reasons. When the SecP256r1MLKEM768 group is negotiated, the client's key_exchange value is the concatenation of the secp256r1 ephemeral share and ML-KEM-768 encapsulation key. The ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in . The size of the client share is 1249 bytes (65 bytes for the secp256r1 part and 1184 bytes for ML-KEM). When the SecP384r1MLKEM1024 group is negotiated, the client's key_exchange value is the concatenation of the secp384r1 ephemeral share and the ML-KEM-1024 encapsulation key. The ECDH share is serialized value of the uncompressed ECDH point represenation as defined in . The size of the client share is 1665 bytes (97 bytes for the secp384r1 part and 1568 for ML-KEM).

Server share When the X25519MLKEM768 group is negotiated, the server's key exchange value is the concatenation of an ML-KEM ciphertext returned from encapsulation to the client's encapsulation key, and the server's ephemeral X25519 share. The size of the server share is 1120 bytes (1088 bytes for the ML-KEM part and 32 bytes for X25519). When the SecP256r1MLKEM768 group is negotiated, the server's key exchange value is the concatenation of the server's ephemeral secp256r1 share encoded in the same way as the client share and an ML-KEM ciphertext returned from encapsulation to the client's encapsulation key. The size of the server share is 1153 bytes (1088 bytes for the ML-KEM part and 65 bytes for secp256r1). When the SecP384r1MLKEM1024 group is negotiated, the server's key exchange value is the concatenation of the server's ephemeral secp384r1 share encoded in the same way as the client share and an ML-KEM ciphertext returned from encapsulation to the client's encapsulation key. The size of the server share is 1665 bytes (1568 bytes for the ML-KEM part and 97 bytes for secp384r1) For all groups, the server MUST perform the encapsulation key check described in Section 7.2 of on the client's encapsulation key, and abort with an illegal_parameter alert if it fails. For all groups, the client MUST check if the ciphertext length matches the selected group, and abort with an illegal_parameter alert if it fails. If ML-KEM decapsulation fails for any other reason, the connection MUST be aborted with an internal_error alert. For all groups, both client and server MUST process the ECDH part as described in , including all validity checks, and abort with an illegal_parameter alert if it fails.

Shared secret For X25519MLKEM768, the shared secret is the concatenation of the ML-KEM shared secret and the X25519 shared secret. The shared secret is 64 bytes (32 bytes for each part). For SecP256r1MLKEM768, the shared secret is the concatenation of the ECDHE and ML-KEM shared secret. The ECDHE shared secret is the x-coordinate of the ECDH shared secret elliptic curve point represented as an octet string as defined in . The size of the shared secret is 64 bytes (32 bytes for each part). For SecP384r1MLKEM1024, the shared secret is the concatenation of the ECDHE and ML-KEM shared secret. The ECDHE shared secret is the x-coordinate of the ECDH shared secret elliptic curve point represented as an octet string as defined in . The size of the shared secret is 80 bytes (48 bytes for the ECDH part and 32 bytes for the ML-KEM part). For all groups, both client and server MUST calculate the ECDH part of the shared secret as described in , including the all-zero shared secret check for X25519, and abort the connection with an illegal_parameter alert if it fails.

Discussion

• FIPS-compliance. All groups defined in this document permit FIPS-approved key derivation as per and . NIST's special publication 800-56Cr2 approves the usage of HKDF with two distinct shared secrets, with the condition that the first one is computed by a FIPS-approved key-establishment scheme. FIPS also requires a certified implementation of the scheme, which will remain more ubiquitous for secp256r1 in the coming years. For this reason we put the ML-KEM shared secret first in X25519MLKEM768, and the ECDH shared secret first in SecP256r1MLKEM768 and SecP384r1MLKEM1024. This means that for SecP256r1MLKEM768 and SecP384r1MLKEM1024, the ECDH implementation must be certified whereas the ML-KEM implementation does not require certification. In contrast, for X25519MLKEM768, the ML-KEM implementation must be certified.
• SP800-227 compliance. The NIST Special Publication 800-227 provides general guidance on the design and use of key-encapsulation mechanisms, including hybrid constructions. The key agreements defined in this document follow the principles described in Section 4.6 of , which discusses the combination of post-quantum and classical key-establishment schemes and the use of approved key combiners. In particular, the shared-secret concatenation and HKDF-based derivation used by the TLS 1.3 are consistent with the composite-KEM constructions and key-combiner recommendations outlined in Sections 4.6.1 and 4.6.2 of . Section 4.6.3 of further provides relevant security considerations for hybrid KEM designs underlying the approach used in this document.

Security Considerations The same security considerations as those described in apply to the approach used by this document. The security analysis relies crucially on the TLS 1.3 message transcript, and one cannot assume a similar hybridisation is secure in other protocols. Implementers are encouraged to use implementations resistant to side-channel attacks, especially those that can be applied by remote attackers. All groups defined in this document use and generate fixed-length public keys, ciphertexts, and shared secrets, which complies with the requirements described in .

IANA Considerations This document requests/registers three new entries to the TLS Supported Groups registry, according to the procedures in . These identifiers are to be used with the final, ratified by NIST, version of ML-KEM which is specified in .

X25519MLKEM768

Value:

4588 (0x11EC)

Description:

X25519MLKEM768

DTLS-OK:

Y

Recommended:

N

Reference:

This document

Comment:

Combining X25519 ECDH with ML-KEM-768

SecP256r1MLKEM768

Value:

4587 (0x11EB)

Description:

SecP256r1MLKEM768

DTLS-OK:

Y

Recommended:

N

Reference:

This document

Comment:

Combining secp256r1 ECDH with ML-KEM-768

SecP384r1MLKEM1024

Value:

4589 (0x11ED)

Description:

SecP384r1MLKEM1024

DTLS-OK:

Y

Recommended:

N

Reference:

This document

Comment:

Combining secp384r1 ECDH with ML-KEM-1024

Obsoleted Supported Groups Experimental code points for pre-standard versions of Kyber786 were added to the TLS registry as X25519Kyber768Draft00 (25497) and SecP256r1Kyber768Draft00 (25498). This document obsoletes these entries. IANA is instructed to modify the recommended field to 'D' and update the reference to add [ this RFC ]. The comment fields for 25497 and 25498 are updated to "Pre-standards version of Kyber768. Obsoleted by [this RFC]"

References Normative References This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties. National Institute of Standards and Technology (U.S.) National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Informative References University of Waterloo Cisco Systems University of Haifa and Meta Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if a way is found to defeat the encryption for all but one of the component algorithms. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Venafi sn3rd This document updates the changes to TLS and DTLS IANA registries made in RFC 8447. It adds a new value "D" for discouraged to the Recommended column of the selected TLS registries and adds a "Comment" column to all active registries that do not already have a "Comment" column. Finally, it updates the registration request instructions. This document updates RFC 8447. RFC Editor

Change log

• draft-ietf-tls-ecdhe-mlkem-01:
  • Alignment with the final version of
  • Added new section called Discussion and moved FIPS-compliance and Failures text there.
  • The Construction section has been removed.
• draft-ietf-tls-ecdhe-mlkem-00:
  • Change a name of the draft, following adoption by TLS WG
  • Fixes references to the to NIST ECC CDH
• draft-kwiatkowski-tls-ecdhe-mlkem-03:
  • Adds P-384 combined with ML-KEM-1024
  • Adds text that describes error-handling and outlines how the client and server must ensure the integrity of the key exchange process.
  • Adds note on the incompatibility of the codepoint name X25519MLKEM768 with .
  • Various cosmetic changes.
• draft-kwiatkowski-tls-ecdhe-mlkem-02:
  • Adds section that mentions supported groups that this document obsoletes.
  • Fix a reference to encapsulation in the FIPS 203.
• draft-kwiatkowski-tls-ecdhe-mlkem-01:
  • Add X25519MLKEM768
• draft-kwiatkowski-tls-ecdhe-mlkem-00:
  • Change Kyber name to ML-KEM
  • Swap reference to I-D.cfrg-schwabe-kyber with FIPS-203
  • Change codepoint. New value is equal to old value + 1.
• draft-kwiatkowski-tls-ecdhe-kyber-01: Fix size of key shares generated by the client and the server
• draft-kwiatkowski-tls-ecdhe-kyber-00: updates following IANA review