]> Cloudflare

bas@cloudflare.com

University of Waterloo

dstebila@uwaterloo.ca

None kyber x25519 post-quantum This memo defines X25519Kyber768Draft00, a hybrid post-quantum key exchange for TLS 1.3. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Source for this draft and an issue tracker can be found at .

Introduction

Motivation The final draft for Kyber is expected in 2024. There are already early deployments of post-quantum key agreement, with more to come before Kyber is standardised. To promote interoperability of early implementations, this document specifies a preliminary hybrid post-quantum key agreement.

Warning: relation with X25519Kyber768Draft00 for HPKE In a hybrid KEM with the same name is defined for use in HPKE. It differs from the hybrid KEM implicit in this document: here we use the X25519 shared secret directly, whereas in , the ephemeral X25519 public key (ciphertext) is mixed in. For use in HPKE this is required to be IND-CCA2 robust. This is not required for use in TLS 1.3, thanks to the inclusion of the keyshare in the message transcript.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Construction We instantiate draft-ietf-tls-hybrid-design-06 with X25519 and Kyber768Draft00 . The latter is Kyber as submitted to round 3 of the NIST PQC process . For the client's share, the key_exchange value contains the concatenation of the client's X25519 ephemeral share (32 bytes) and the client's Kyber768Draft00 public key (1184 bytes). The resulting key_exchange value is 1216 bytes in length. For the server's share, the key_exchange value contains the concatenation of the server's X25519 ephemeral share (32 bytes) and the Kyber768Draft00 ciphertext (1088 bytes) returned from encapsulation for the client's public key. The resulting key_exchange value is 1120 bytes in length. The shared secret is calculated as the concatenation of the X25519 shared secret (32 bytes) and the Kyber768Draft00 shared secret (32 bytes). The resulting shared secret value is 64 bytes in length.

Security Considerations For TLS 1.3, this concatenation approach provides a secure key exchange if either component key exchange methods (X25519 or Kyber768Draft00) are secure .

IANA Considerations This document requests/registers a new entry to the TLS Named Group (or Supported Group) registry, according to the procedures in .

Value:

0x6399 (please)

Description:

X25519Kyber768Draft00

DTLS-OK:

Y

Recommended:

N

Reference:

This document

Comment:

Pre-standards version of Kyber768

References Normative References This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties. MPI-SPI & Radboud University Cloudflare This memo specifies a preliminary version ("draft00", "v3.02") of Kyber, an IND-CCA2 secure Key Encapsulation Method. About This Document This note is to be removed before publishing as an RFC. The latest revision of this draft can be found at https://bwesterb.github.io/draft-schwabe-cfrg-kyber/draft-cfrg- schwabe-kyber.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-cfrg-schwabe-kyber/. Source for this draft and an issue tracker can be found at https://github.com/bwesterb/draft-schwabe-cfrg-kyber. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References University of Waterloo Cisco Systems University of Haifa Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Discussion of this work is encouraged to happen on the TLS IETF mailing list tls@ietf.org or on the GitHub repository which contains the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design. Venafi sn3rd This document updates the changes to TLS and DTLS IANA registries made in RFC 8447. It adds a new value "D" for discouraged to the recommended column of the selected TLS registries. This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, 7301, and 8447. Cloudflare Cloudflare This memo defines X25519Kyber768Draft00, a hybrid post-quantum KEM, for HPKE (RFC9180). This KEM does not support the authenticated modes of HPKE.

Change log

• RFC Editor's Note: Please remove this section prior to publication of a final version of this document.

Since draft-tls-westerbaan-xyber768d00-02

• Explain relation with HPKE hybrid

Since draft-tls-westerbaan-xyber768d00-01

• Change reference for X25519

Since draft-tls-westerbaan-xyber768d00-00

• Set working group to None.
• Bump to cfrg-schwabe-kyber-02