Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3

Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3 PQShield

kris@amongbytes.com

AWS

kpanos@amazon.com

Transport Layer Security ML-KEM post-quantum This draft defines a hybrid key agreement for TLS 1.3 that combines a post-quantum KEM with elliptic curve Diffie-Hellman (ECDHE). About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Transport Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction

Motivation ML-KEM is a key encapsulation method (KEM) that is designed to withstand cryptanalytic attacks from quantum computers. Experimentation and early deployments are crucial steps in transitioning to post-quantum cryptography. This document specifies a hybrid post-quantum key agreement for use in the TLS 1.3 protocol to promote interoperability of these deployments.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Negotiated Groups This document introduces a new supported group for hybrid post-quantum key agreements in TLS 1.3. The hybrid key agreement is detailed in the draft, which combines the ML-KEM as defined in , with the ECDHE scheme using elliptic curves from ANSI X9.62 and NIST SP 800-186 . The new group enables the derivation of TLS session keys using FIPS-approved schemes. NIST's special publication 800-56Cr2 approves the usage of HKDF with two distinct shared secrets, with the condition that the first one is computed by a FIPS-approved key-establishment scheme. This draft specifies a new supported group where both shared secrets are calculated by FIPS-approved mechanisms. The first one involves ECDHE with a FIPS-approved curve secp256r1 (NIST P-256) specified by NIST SP 800-56Ar3 and NIST SP 800-186 . The second shared secret is obtained from the FIPS-approved ML-KEM-768 as defined in .

Construction The name of the new supported hybrid post-quantum group is SecP256r1MLKEM768. When this group is negotiated, the client's share is a fixed-size concatenation of the ECDHE share and ML-KEM's public key. The ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of . The ML-KEM's ephemeral share is the public key of the key generation step (see , section 7.1) represented as an octet string. The size of client share is 1249 bytes (65 bytes of ECDHE part and 1184 of ML-KEM part). The server's share is a fixed-size concatenation of ECDHE share and ML-KEM's ciphertext returned from encapsulation (see , section 7.2). The server ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of . The server share is the ML-KEM's ciphertext returned from the Encapsulate step (see , section 7.2) represented as an octet string. The size of server's share is 1153 bytes (65 bytes of ECDHE part and 1088 of ML-KEM part). Finally, the shared secret is a concatenation of the ECDHE and the ML-KEM shared secrets. The ECDHE shared secret is the x-coordinate of the ECDH shared secret elliptic curve point represented as an octet string as defined in Section 7.4.2 of . The ML-KEM shared secret is the value returned from either encapsulation (on the server side) or decapsulation (on the client side) represented as an octet string. The size of a shared secret is 64 bytes (32 bytes of ECDHE part and 32 of ML-KEM part).

Security Considerations The same security considerations as those described in apply to the approach used by this document. Implementers are encouraged to use implementations resistant to side-channel attacks, especially those that can be applied by remote attackers.

IANA Considerations This document requests/registers a new entry to the TLS Supported Groups registry, according to the procedures in . These identifiers are to be used with the final, ratified by NIST, version of ML-KEM which is specified in .

Value:: 25499 (0x639B)
Description:: SecP256r1MLKEM768
DTLS-OK:: Y
Recommended:: N
Reference:: This document
Comment:: Combining secp256r1 ECDH with the ML-KEM-768

References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Informative References Hybrid key exchange in TLS 1.3 University of Waterloo Cisco Systems University of Haifa Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Discussion of this work is encouraged to happen on the TLS IETF mailing list tls@ietf.org or on the GitHub repository which contains the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design. IANA Registry Updates for TLS and DTLS Venafi sn3rd This document updates the changes to TLS and DTLS IANA registries made in RFC 8447. It adds a new value "D" for discouraged to the recommended column of the selected TLS registries. This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, 7301, and 8447. HMAC-based Extract-and-Expand Key Derivation Function (HKDF) RFC Editor Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA) American National Standards Institute Module-Lattice-Based Key-Encapsulation Mechanism Standard National Institute of Standards and Technology Recommendations for Discrete Logarithm-based Cryptography:: Elliptic Curve Domain Parameters National Institute of Standards and Technology Recommendation for Key-Derivation Methods in Key-Establishment Schemes National Institute of Standards and Technology Recommendation for pair-wise key-establishment schemes using discrete logarithm cryptography National Institute of Standards and Technology

Change log

draft-kwiatkowski-tls-ecdhe-mlkem-00:
- Change Kyber name to ML-KEM
- Swap reference to I-D.cfrg-schwabe-kyber with FIPS-203
- Change codepoint. New value is equal to old value + 1.
draft-kwiatkowski-tls-ecdhe-kyber-01: Fix size of key shares generated by the client and the server
draft-kwiatkowski-tls-ecdhe-kyber-00: updates following IANA review