]> ML-KEM and Hybrid Cipher Suites for Messaging Layer Security Rohan Mahy Consulting Services
rohan.ietf@gmail.com
Cisco
rlb@ipv.sx
sec MLS ML-KEM Kyber post-quantum post quantum KEM KEM PQ/T hybrid hybrid KEM Key Exchange Mechanism This document registers new cipher suites for Messaging Layer Security (MLS) based on "post-quantum" algorithms, which are intended to be resilient to attack by quantum computers. These cipher suites are constructed using the new Module-Lattice Key Encapsulation Mechanism (ML-KEM), optionally in combination with traditional elliptic curve KEMs, together with appropriate authenticated encryption, hash, and signature algorithms. About This Document Status information for this document may be found at . Discussion of this document takes place on the MLS Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction The potential availability of a cryptographically-relevant quantum computer has caused concern that well-funded adversaries could overturn long-held assumptions about the security assurances of classical Key Exchange Mechanisms (KEMs) and classical cryptographic signatures, which are fundamental to modern security protocols, including the MLS protocol . Of particular concern are "harvest now, decrypt later" attacks, by which an attacker could collect encrypted traffic now, before a quantum computer exists, and later use a quantum computer to break the confidentiality protections on the collected traffic. In response to these concerns, the cryptographic community has defined "post-quantum" algorithms, which are designed to be resilient to attacks by quantum computers. Symmetric algorithms can be made post-quantum secure simply by using longer keys and hashes. For asymmetric operations such as KEMs and signatures, entirely new algorithms are needed. In this document, we define ciphersuites that use the post-quantum secure Module-Lattice-Based KEM (ML-KEM) together with appropriate symmetric algorithms and traditional signature algorithms. These cipher suites address the risk of "harvest now, decrypt later" attacks, while not taking on the additional cost of post-quantum signatures. Following the pattern of base MLS, we define several variations, to allow for users that prefer to only use NIST-approved cryptography, users that prefer a higher security level, and users that prefer a PQ/traditional hybrid KEM over pure ML-KEM:
  • ML-KEM-768 + X25519 (Medium security, Non-NIST, PQ/T hybrid)
  • ML-KEM-768 + P-256 (Medium security, NIST, PQ/T hybrid)
  • ML-KEM-1024 + P-384 (High security, NIST, PQ/T hybrid)
  • ML-KEM-768 (Medium security, NIST, pure PQ)
  • ML-KEM-1024 (High security, NIST, pure PQ)
For all the cipher suites defined in this document, we use AES256 GCM as the Authenticated Encryption with Authenticated Data (AEAD) algorithm; HMAC with SHA-384 as the hash function; and XOF(SHAKE256) (Section 3.2 of ) as the Key Derivation Function (KDF). For the PQ/T hybrid KEMs and the pure ML-KEM HPKE integration, we use the KEMs defined in .
IANA Considerations
MLS Cipher Suites This document requests that IANA add the following entries to the "MLS Cipher Suites" registry, replacing "XXXX" with the RFC number assigned to this document:
Value Name Rec Reference
TBD1 MLS_128_KitchenSink-KEM(ML-KEM-768,X25519)_AES256GCM_SHA384_Ed25519 Y RFCXXXX
TBD2 MLS_128_QSF-KEM(ML-KEM-768,P-256)_AES256GCM_SHA384_P256 Y RFCXXXX
TBD3 MLS_192_QSF-KEM(ML-KEM-1024,P-384)_AES256GCM_SHA384_P384 Y RFCXXXX
TBD4 MLS_128_ML_KEM_768_AES256GCM_SHA384_P256 Y RFCXXXX
TBD5 MLS_192_ML_KEM_1024_AES256GCM_SHA384_P384 Y RFCXXXX
The mapping of cipher suites to HPKE primitives , HMAC hash functions, and TLS signature schemes is as follows:
Value KEM KDF AEAD Hash Signature
0xTBD1 0x0051 0x0011 0x0002 SHA384 ed25519
0xTBD2 0x0050 0x0011 0x0002 SHA384 ecdsa_secp256r1_sha256
0xTBD3 0x0052 0x0011 0x0002 SHA384 ecdsa_secp384r1_sha384
0xTBD4 0x0041 0x0011 0x0002 SHA384 ecdsa_secp256r1_sha256
0xTBD5 0x0042 0x0011 0x0002 SHA384 ecdsa_secp384r1_sha384
The hash used for the MLS transcript hash is the one referenced in the cipher suite name. "SHA384" refers to the SHA-384 functions defined in .
Security Considerations This ciphersuites defined in this document combine a post-quantum (or PQ/T hybrid) KEM with a traditional signature algorithm. As such, they are designed to provide confidentiality against quantum and classical attacks, but provide authenticity against classical attacks only. Thus, these cipher suites do not provide full post-quantum security, only post-quantum confidentiality. Cipher suites using post-quantum secure signature algorithms may be defined in the future. For security considerations related to the KEMs used in this document, please see the documents that define those KEMs and .
References Normative References Secure hash standard National Institute of Standards and Technology (U.S.) Module-lattice-based key-encapsulation mechanism standard National Institute of Standards and Technology (U.S.) SHA-3 standard :: permutation-based hash and extendable-output functions National Institute of Standards and Technology (U.S.) Recommendation for block cipher modes of operation :: GaloisCounter Mode (GCM) and GMAC National Institute of Standards and Technology The Messaging Layer Security (MLS) Protocol Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands. An Interface and Algorithms for Authenticated Encryption This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK] HMAC: Keyed-Hashing for Message Authentication This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind Post-Quantum and Post-Quantum/Traditional Hybrid Algorithms for HPKE Cisco Updating key exchange and public-key encryption protocols to resist attack by quantum computers is a high priority given the possibility of "harvest now, decrypt later" attacks. Hybrid Public Key Encryption (HPKE) is a widely-used public key encryption scheme based on combining a Key Encapsulation Mechanism (KEM), a Key Derivation Function (KDF), and an Authenticated Encryption with Associated Data (AEAD) scheme. In this document, we define KEM algorithms for HPKE based on both post-quantum KEMs and hybrid constructions of post- quantum KEMs with traditional KEMs, as well as a KDF based on SHA-3 that is suitable for use with these KEMs. When used with these algorithms, HPKE is resilient with respect to attacks by a quantum computer. Hybrid Public Key Encryption Cisco Inria Inria Apple This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes a variant that authenticates possession of a pre-shared key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. The Transport Layer Security (TLS) Protocol Version 1.3 This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations. Informative References Hybrid PQ/T Key Encapsulation Mechanisms SandboxAQ This document defines generic techniques to achive hybrid post- quantum/traditional (PQ/T) key encapsulation mechanisms (KEMs) from post-quantum and traditional component algorithms that meet specified security properties. It then uses those generic techniques to construct several concrete instances of hybrid KEMs.
Acknowledgments This work would not be possible without the hard work of the CFRG Hybrid KEM design team: Aron Wussler, Bas Westerbaan, Deirdre Connolly, Mike Ounsworth, Nick Sullivan, and Stephen Farrell. Thanks also to Joël Alwen, Marta Mularczyk, and Britta Hale.