]> Messaging Layer Security Ciphersuite using X25519Kyber768Draft00 Key Exchange Mechanism Wire
rohan.mahy@wire.com
Wire
mathieu.amiot@wire.com
sec MLS Kyber post-quantum post quantum KEM KEM PQ/T hybrid hybrid KEM Key Exchange Mechanism This document registers a new Messaging Layer Security (MLS) ciphersuite using the hybrid post-quantum resistant / traditional (PQ/T) Key Exchange Mechanism X25519Kyber768Draft00. About This Document Status information for this document may be found at . Discussion of this document takes place on the MLS Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction This document reserves a Messaging Layer Security (MLS) ciphersuite value based on the MLS default ciphersuite, but replacing the KEM with the hybrid post-quantum / traditional Key Exchange Mechanism X25519Kyber768Draft00 which was assigned the Hybrid Public Key Encryption (HPKE) Key Exchange Mechanism (KEM) Identifier value 0x0030.
Security Considerations This ciphersuite uses a hybrid post-quantum/traditional KEM and a traditional signature algorithm. As such, it is designed to provide confidentiality against quantum and classical attacks, but provides authenticity against classical attacks only. This is actually very useful, because an attacker could store MLS-encrypted traffic that uses any classical KEM today. If years or decades in the future a quantum attack on classical KEMs becomes feasible, the traffic sent today (some of which could still be sensitive in the future) will then be readable. By contrast, an attack on a signature algorithm in MLS would require an active attack which can extract the private key during the signature key's lifetime. The security properties of apply.
IANA Considerations This document registers a new MLS Ciphersuite value.
Normative References The Messaging Layer Security (MLS) Protocol Cisco Inria & Mozilla Phoenix R&D Meta Platforms Google University of Oxford Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy and post-compromise security for groups in size ranging from two to thousands. X25519Kyber768Draft00 hybrid post-quantum KEM for HPKE Cloudflare Cloudflare This memo defines X25519Kyber768Draft00, a hybrid post-quantum KEM, for HPKE (RFC9180). This KEM does not support the authenticated modes of HPKE.
Acknowledgments Thanks to Joël Alwen, Marta Mularczyk, and Britta Hale.