]> Unaffiliated

rohan.ietf@gmail.com

sec MLS ML-KEM Kyber post-quantum post quantum KEM KEM PQ/T hybrid hybrid KEM Key Exchange Mechanism This document registers a new Messaging Layer Security (MLS) ciphersuite using the X-Wing hybrid post-quantum resistant / traditional (PQ/T) Key Exchange Mechanism (KEM). About This Document Status information for this document may be found at . Discussion of this document takes place on the MLS Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction The potential availability of a cryptographically-relevant quantum computer has caused concern that well-funded adversaries could overturn long-held assumptions about the security assurances of classical Key Exchange Mechanisms (KEMs) and classical cryptographic signatures, which are fundamental to modern security protocols, including the MLS protocol . The MLS Working Group has expressed strong desire to have a handful of complimentary post-quantum security extensions for use with the MLS protocol to address the related threats:

1. A straightforward MLS cipher suite that replaces a classical KEM with a hybrid post-quantum/traditional KEM. Such a cipher suite could be implemented as a drop-in replacement in many MLS libraries without changes to any other part of the MLS stack. The aim is for implementations to have a single KEM which would be performant and work for the vast majority of implementations. It addresses the the harvest-now / decrypt-later threat model using the simplest, and most practicable solution available.
2. Versions of existing cipher suites that use post-quantum signatures; and specific guidelines on the construction, use, and validation of hybrid signatures.
3. One or more mechanisms which reduce the bandwidth or storage requirements, or improve performance when using post-quantum algorithms (for example by updating post-quantum keys less frequently than classical keys, or by sharing portions of post-quantum keys across a large number of clients or groups.)

This document addresses the first of these work items. It reserves an MLS cipher suite value based on the MLS default cipher suite, but replacing the KEM with the X-Wing hybrid post-quantum / traditional KEM. The IANA Hybrid Public Key Encryption (HPKE) Key Exchange Mechanism (KEM) Identifier value for X-Wing is pending at the time of this writing. X-Wing is a "concrete, simple choice for [a] post-quantum hybrid KEM, that should be suitable for the vast majority of use cases". X-Wing combines the ML-KEM post-quantum KEM and the X25519 traditional KEM. The MLS cipher suite uses the other components of the default MLS cipher suite MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519. This document replaces a previous, similar proposal based on the KEM in .

Security Considerations This ciphersuite uses a hybrid post-quantum/traditional KEM and a traditional signature algorithm. As such, it is designed to provide confidentiality against quantum and classical attacks, but provides authenticity against classical attacks only. This is actually very useful, because an attacker could store MLS-encrypted traffic that uses any classical KEM today. If years or decades in the future a quantum attack on classical KEMs becomes feasible, the traffic sent today (some of which could still be sensitive in the future) will then be readable. By contrast, an attack on a signature algorithm in MLS would require an active attack which can extract the private key during the signature key's lifetime. The security properties of apply.

IANA Considerations This document registers a new MLS Ciphersuite value.

References Normative References Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands. SandboxAQ MPI-SP & Radboud University Cloudflare This memo defines X-Wing, a general-purpose post-quantum/traditional hybrid key encapsulation mechanism (PQ/T KEM) built on X25519 and ML- KEM-768. This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. Cloudflare Cloudflare This memo defines X25519Kyber768Draft00, a hybrid post-quantum KEM, for HPKE (RFC9180). This KEM does not support the authenticated modes of HPKE. Informative References n.d. This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.

Acknowledgments Thanks to Joël Alwen, Marta Mularczyk, Britta Hale, and Richard Barnes.