]> ML-KEM and Hybrid Cipher Suites for Messaging Layer Security Rohan Mahy Consulting Services
rohan.ietf@gmail.com
Cisco
rlb@ipv.sx
sec MLS ML-KEM Kyber post-quantum post quantum KEM KEM PQ/T hybrid hybrid KEM Key Exchange Mechanism This document reigsters new cipher suites for Messaging Layer Security (MLS) based on "post-quantum" algorithms, which are intended to be resilient to attack by quantum computers. These cipher suites are constructed using the new Module-Lattice Key Encapsulation Mechanism (ML-KEM), optionally in combination with traditional elliptic curve KEMs, together with appropriate authenticated encryption, hash, and signature algorithms. About This Document Status information for this document may be found at . Discussion of this document takes place on the MLS Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction The potential availability of a cryptographically-relevant quantum computer has caused concern that well-funded adversaries could overturn long-held assumptions about the security assurances of classical Key Exchange Mechanisms (KEMs) and classical cryptographic signatures, which are fundamental to modern security protocols, including the MLS protocol . Of particular concern are "harvest now, decrypt later" attacks, by which an attacker could collect encrypted traffic now, before a quantum computer exists, and later use a quantum computer to break the confidentiality protections on the collected traffic. In response to these concerns, the cryptographic community has defined "post-quantum" algorithms, which are designed to be resilient to attacks by quantum computers. Symmetric algorithms can be made post-quantum secure simply by using longer keys and hashes. For asymmetric operations such as KEM and signature, entirely new algorithms are needed. In this document, we define ciphersuites that use the post-quantum secure Module-Lattice-Based KEM (ML-KEM) together with appropriate symmetric algorithms and traditional signature algorithms. These cipher suites address the risk of "harvest now, decrypt later" attacks, while not taking on the additional cost of post-quantum signatures. Following the pattern of base MLS, we define several variations, to allow for users that prefer to only use NIST-approved cryptography, users that prefer a higher security level, and users that prefer a PQ/traditional hybrid KEM over pure ML-KEM:
  • ML-KEM-768 + X25519 (Medium security, Non-NIST, PQ/T hybrid)
  • ML-KEM-768 + P-256 (Medium security, NIST, PQ/T hybrid)
  • ML-KEM-1024 + P-384 (High security, NIST, PQ/T hybrid)
  • ML-KEM-768 (Medium security, NIST, pure PQ)
  • ML-KEM-1024 (High security, NIST, pure PQ)
For the PQ/T hybrid cipher suites, we use the KEM combinators defined in and . For the pure-PQ cipher suites, we use the HPKE integration for ML-KEM defined in .
IANA Considerations
HPKE KDF Identifiers This document requests that IANA add the following entry to the HPKE KDF Identifiers registry.
  • Value: TBD0
  • KDF: XOF(SHAKE256)
  • Nh: 32
  • Reference: Section 3.2 of
MLS Cipher Suites This document requests that IANA add the following entries to the "MLS Cipher Suites" registry, replacing "XXXX" with the RFC number assigned to this document:
Value Name Rec Reference
TBD1 MLS_128_X_Wing_AES256GCM_SHA384_Ed25519 Y RFCXXXX
TBD2 MLS_128_QSF-KEM(ML-KEM-768,P-256)_AES256GCM_SHA384_P256 Y RFCXXXX
TBD3 MLS_192_QSF-KEM(ML-KEM-1024,P-384)_AES256GCM_SHA384_P384 Y RFCXXXX
TBD4 MLS_128_ML_KEM_768_AES256GCM_SHA384_P256 Y RFCXXXX
TBD5 MLS_192_ML_KEM_1024_AES256GCM_SHA384_P384 Y RFCXXXX
All of these cipher suites use HMAC with SHA384 as their MAC function. The mapping of cipher suites to HPKE primitives , HMAC hash functions, and TLS signature schemes is as follows:
Value KEM KDF AEAD Hash Signature
0xTBD1 0x647a TBD0 0x0002 SHA384 ed25519
0xTBD2 TBDH0 TBD0 0x0002 SHA384 ecdsa_secp256r1_sha256
0xTBD3 TBDH1 TBD0 0x0002 SHA384 ecdsa_secp384r1_sha384
0xTBD4 0x0041 TBD0 0x0002 SHA384 ecdsa_secp256r1_sha256
0xTBD5 0x0042 TBD0 0x0002 SHA384 ecdsa_secp384r1_sha384
The values TBDH0 and TBDH1 refer to the code points to be assigned by IANA for the following hybrid KEMs defined in :
  • TBDH0 = QSF-KEM(ML-KEM-768,P-256)-XOF(SHAKE256)-KDF(SHA3-256)
  • TBDH1 = QSF-KEM(ML-KEM-1024,P-384)-XOF(SHAKE256)-KDF(SHA3-256)
The hash used for the MLS transcript hash is the one referenced in the cipher suite name. "SHA384" refers to the SHA-384 functions defined in .
Security Considerations This ciphersuites defined in this document combine a post-quantum (or PQ/T hybrid) KEM with a traditional signature algorithm. As such, they are designed to provide confidentiality against quantum and classical attacks, but provide authenticity against classical attacks only. Thus, these cipher suites do not provide full post-quantum security, only post-quantum confidentiality. Cipher suites using post-quantum secure signature algorithms may be defined in the future. For security considerations related to the KEMs used in this document, please see the documents that define those KEMs .
Normative References Secure hash standard National Institute of Standards and Technology (U.S.) Module-lattice-based key-encapsulation mechanism standard National Institute of Standards and Technology (U.S.) SHA-3 standard :: permutation-based hash and extendable-output functions National Institute of Standards and Technology (U.S.) The Messaging Layer Security (MLS) Protocol Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands. X-Wing: general-purpose hybrid post-quantum KEM SandboxAQ MPI-SP & Radboud University Cloudflare This memo defines X-Wing, a general-purpose post-quantum/traditional hybrid key encapsulation mechanism (PQ/T KEM) built on X25519 and ML- KEM-768. Hybrid PQ/T Key Encapsulation Mechanisms SandboxAQ This document defines generic techniques to achive hybrid post- quantum/traditional (PQ/T) key encapsulation mechanisms (KEMs) from post-quantum and traditional component algorithms that meet specified security properties. It then uses those generic techniques to construct several concrete instances of hybrid KEMs. ML-KEM for HPKE SandboxAQ This document defines Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) KEM options for Hybrid Public-Key Encryption (HPKE). ML-KEM is believed to be secure even against adversaries who possess a cryptographically-relevant quantum computer. HMAC: Keyed-Hashing for Message Authentication This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind Hybrid Public Key Encryption This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.
Acknowledgments This work would not be possible without the hard work of the CFRG Hybrid KEM design team: Aron Wussler, Bas Westerbaan, Deirdre Connolly, Mike Ounsworth, Nick Sullivan, and Stephen Farrell. Thanks also to Joël Alwen, Marta Mularczyk, and Britta Hale.