Huawei Int. Pte Ltd

9 North Buona Vista Drive, #13-01 The Metropolis Tower 1 Singapore 138588 Singapore Wang.Guilin@huawei.com

ELVIS-PLUS

PO Box 81 Moscow (Zelenograd) 124460 RU svan@elvis.ru

General IP Security Maintenance and Extensions keyword This draft specifies a new authentication mechanism, called KEM (Key Encapsulation Mechanism) -based authentication, for the Internet Key Exchange Protocol Version 2 (IKEv2). This is motivated by the fact that some post-quantum KEMs (like ML-KEM) are more efficient than post-quantum signature algorithms (like ML-DSA).

Version -02 was completely rewritten to accommodate ideas expressed in PQuAKE protocol. Two changes have been made in version -01, as a response to comments received at 122 meeting:

• More details about how each side does for running KEM authentication in .
• Added section about KEM authentication with preshared public key.

Cryptographically-relevant quantum computers (CRQC) pose a threat to cryptographically protected data. In particular, the so-called harvest-now-and-decrypt-later (HNDL) attack is considered an imminent threat. To mitigate this threat against the Internet Key Exchange Protocol Version 2 (IKEv2) , an extension allowing multiple key exchanges in IKEv2 was introduced to achieve post-quantum (PQ) security for the key exchange. "Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) using PQC" specifies how NIST PQ digital algorithms ML-DSA and SLH-DSA can be used in IKEv2. On the other hand, "Post-Quantum Traditional (PQ/T) Hybrid PKI Authentication in the Internet Key Exchange Version 2 (IKEv2)" specifies how to run general hybrid PQ/T digital algorithms in IKEv2. Motivated by the fact that ML-KEM is much more efficient than ML-DSA , "KEM-based Authentication for TLS 1.3" specifies how KEM can be used to achieve post-quantum secure authentication for the TLS 1.3 protocol. The basic idea is as follows: when one entity A receives the certified long term public key of another entity B, A can authenticate B by encapsulating a secret key k using B's KEM public key, and confirming that the communicating entity is indeed B if the entity can successfully return the correct k to A. The similar idea for TLS is presented in , followed by a number of research papers then. Besides saving communication overhead and computational time, as pointed out in , KEM-based authentication also benefits to reduce implementation code size, as the code for PQ signature may not need, and KEM-based authentication can re-use the KEM code for ephemeral key establishment. This draft specifies how to use KEM-based authentication for the Internet Key Exchange Protocol Version 2 (IKEv2) .

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Key Encapsulation Mechanism and Digital Signature Key encapsulation mechanism (KEM) is a kind of key exchange, which allows one entity to encapsulate a secret key under a (longterm or ephemeral) public key of another entity. By following the definition given in , a KEM consists of three algorithms:

• KeyGen(k) -> (pk, sk): A probabilistic key generation algorithm, which generates a public encapsulation key pk and a secret decapsulation key sk, when a security parameter k is given.
• Encaps(pk) -> (ct, ss): A probabilistic encapsulation algorithm, which takes as input a public encapsulation key pk and outputs a ciphertext ct and shared secret ss.
• Decaps(sk, ct) -> ss: A decapsulation algorithm, which takes as input a secret decapsulation key sk and ciphertext ct and outputs a shared secret ss.

By following the definition given in , a signature scheme consists of the following three algorithms:

• SKeyGen(k) -> (spk, ssk): A probabilistic key generation algorithm, which generates a public verifying key spk and a private signing key ssk, when a security parameter k is given..
• Sign(ssk, m) -> s: A deterministic or probabilistic signature generation algorithm, which takes as input a private signing key ssk and a message m, and outputs a signature s.
• Verify(spk, s, m) -> b: A deterministic verification algorithm, which takes as input a public verifying key spk, a signature s and a message m, and outputs a bit b indicating accept (b=1) or reject (b=0) of the signature-message pair (s, m).

In August of 2024, NIST released ML-KEM and ML-DSA , which are both module-lattice-based post-quantum algorithms. Each of both algorithms has three sets of parameters corresponding to three NIST security levels. Namely, ML-KEM-512 for Level 1, ML-KEM-768 for Level 3, and ML-KEM-1024 for for Level 5, while ML-DSA-44 for Level 2, ML-DSA-65 for Level 3, and ML-DSA-87 for Level 5.

Comparison of ML-KEM and ML-DSA This section compares ML-KEM and ML-DSA, with respect to the sizes of key, ciphertext and signature, and also the computational overhead of key generation, encapsulation, signing, decapsulation, and verifying. First of all, to compare the communication overhead when using ML-DSA and ML-KEM, data from Table 2 in and Table 3 in are used to generate the following . The results show the comparison of keys and signature over ciphertext between ML-DSA and ML-KEM. Namely, for all corresponding security levels, the following statements can be concluded:

• The private key size of ML-DSA is about 1.5 times of the decapsulation key size of ML-KEM,
• The public size of ML-DSA is about 1.6 times of that of ML-KEM, and
• The signature size of ML-DSA is about 3 times of the ciphertext size of ML-KEM.

Communication Overhead Comparison of ML-DSA and ML-KEM

	Private Key/Decapsulation Key	Public Key/Encapsulation Key	Signature/Ciphertext
ML-DSA-44/ML-KEM-512	2,650/1,632 =157%	1,312/800 =164%	2,420/768 =315%
ML-DSA-65/ML-KEM-768	4,032/2,400 =168%	1,952/1,184 =165%	3,309/1,088 =304%
ML-DSA-87/ML-KEM-1024	4,896/3,168 =155%	2,592/1,568 =165%	4,627/1,568 =295%

Specifically, for the three security levels, when ML-KEM is used to replace ML-DSA for authentication, the saved communication overhead, namely public key+signature for ML-DSA and encapsulation key+ciphertext for ML-KEM, is 2,164, 2,989, and 4,083 bytes, respectively. Those savings are helpful to improve the performance of IKEv2. In fact, as shown in the experiment in simulated environment, the average time delay for IKEv2 can increase a few times due to large size of PQ public key, ciphertext and signature, especially when the IP packet loss rate reaches about 1%. Next, the computation overhead comparison will be given now. In , the authors present their implementation results of Dilithium and Kyber, via various optimization techniques for Keccak and the two PQ algorithms. Concretely, Table 6 in shows the performance comparison of Dilithium and Kyber on ARMv7 Cortex-M4 processor, presented by clock cycles. By ignoring the small difference between ML-KEM and its informal version Kyber, also ML-DSA and its informal version Dilithium, the following is obtained. Computational Overhead Comparison of ML-DSA and ML-KEM

	KeyGen Time/SKeyGen Time	Encap Time/Sign Time	Decap Time/Verify Time
ML-DSA-44/ML-KEM-512	1,357k/369k =368%	3,487k/448k =778%	1,350k/409k =330%
ML-DSA-65/ML-KEM-768	2,394k/604k =396%	5,574k/732k =761%	2,302k/674k =342%
ML-DSA-87/ML-KEM-1024	4,069k/962k =423%	7,730k/1,119k =691%	3,998k/1,043k =383%

By assuming that the computational comparison shown in reasonably presents the performance difference of ML-KEM and ML-DSA at the same platform with similar implementation techniques, for all three corresponding security levels, the following statements can be derived:

• The private key generation time of ML-DSA is about 4 times of that of ML-KEM.
• The signature signing time of ML-DSA is about 7 times of the encapsulation time of ML-KEM.
• The signature verifying time of ML-DSA is over 3 times of the decapsulation time of ML-KEM.

In the scenario of KEM-based authentication, both the private keys for ML-DSA and ML-KEM will be long term keys, so the private key generation time can be ignored, as it is just one time overhead. Therefore, by combining signature signing and verifying together, and also combining encapsulation and decapsulation together, we can simply say that the computational time of ML-DSA is about 5 times of that of ML-KEM.

With a KEM-based authentication in IKEv2 peers first perform an ephemeral key exchange that allows them to derive session keys for protecting subsequent exchanges. This ephemeral key exchange may take place entirely in the IKE_SA_INIT exchange or be accompanied by a series of subsequent IKE_INTERMEDIATE exchanges , in which case it would be a hybrid key exchange. To run KEM-based Authentication in IKEv2, the two peers first exchange their long-term KEM certificates, and then exchange random values encapsulated with each other's long-term KEM public key from the corresponding KEM certificate. Here, both long-term KEM certificates and the KEM ciphertexts encapsulating the random values are sent via the IKE_INTERMEDIATE exchanges. After decapsulating these random values the two peers cam demonstrate their knowledge of the random values sent by the other side in the subsequent IKE_AUTH exchange, thus confirming that they do possess the corresponding KEM private keys linked to their long-term KEM certificates. Mode details about the KEM-based authentication are provided in <citations for PQuAKE and other papers needed>.

The KEM-based authentication in IKEv2 relies on the IKE_INTERMEDIATE exchange that MUST be supported. In addition, the following extensions can contribute to the security and the robustness of the protocol.

• IKE fragmentation SHOULD be negotiated in case peers use UDP as a transport for IKE, since KEM public key and KEM ciphertext can be of significant size.
• Multiple key exchanges has to be utilized if a hybrid key exchange combining traditional and post-quantum key exchange methods is required.
• Using group Postquantum Preshared Key (PPK) can contribute to the identity hiding, thus it is RECOMMENDED to use.
• The ability to authenticate the full protocol transcript protects peers against downgrade attacks and SHOULD be used.

The initiator wishing to use the KEM-based authentication indicates this to the responder by including a new status type notification USE_AUTHKEM (with type <TBA2>) into the IKE_SA_INIT request message. This notification has the Protocol ID and SPI Size both set to 0 (meaning no SPI is present), and its notification data is empty. To be able to use the KEM-based authentication the initiator MUST also include the INTERMEDIATE_EXCHANGE_SUPPORTED notification. If the responder receives the IKE_SA_INIT request containing the USE_AUTHKEM notification and it supports and is configured to use the KEM-based authentication, then it sends this notification back in the response. The responder can optionally include the Certificate Request payload (as defined in ) to help the initiator to select the right KEM certificate. The responder can also indicate which KEMs it is willing to use for authentication by including the SUPPORTED_AUTH_METHODS notification in the response. In this case the notification SHOULD NOT contain announcements with the Auth Method other than a newly defined "KEM-based Authentication" (<TBA1>). The format of announcement is defined in . Peers can also negotiate other IKEv2 extensions during IKE_SA_INIT. Some of them are listed in . In particular, the figures below show the optional use of PPK during KEM-based authentication.

N(INTERMEDIATE_EXCHANGE_SUPPORTED), [N(USE_PPK_INT),] N(USE_AUTHKEM) <--- HDR(IKE_SA_INIT), SAr1, KEr, Nr, [CERTREQ,] N(INTERMEDIATE_EXCHANGE_SUPPORTED), [N(SUPPORTED_AUTH_METHODS),] [N(USE_PPK_INT),] N(USE_AUTHKEM) ]]>

Peers MUST ignore the USE_AUTHKEM notification in the message if it is not accompanied by the INTERMEDIATE_EXCHANGE_SUPPORTED notification. If using the KEM-based authentication is mandatory for the responder and the initiator did not propose it or failed to make a valid proposal, then the responder MUST send the NO_PROPOSAL_CHOSEN notification indicating that the proposed parameters are unacceptable. Otherwise the responder can continue establishing IKE SA using other authentication method. If using the KEM-based authentication is mandatory for the initiator and it failed to negotiate it with the responder, then the initiator MUST cancel establishing IKE SA. Otherwise the initiator can continue using other authentication method. After the IKE_SA_INIT exchange completes, peers calculate the session keys as defined in Section 2.14 of and use these keys to protect the next exchange.

Once the KEM-based authentication is negotiated in IKE_SA_INIT, a series of the IKE_INTERMEDIATE exchanges takes place. These exchanges can be classified as those for the purpose of the KEM-based authentication and those for other purposes. The exchanges for the KEM base authentication MUST follow all other IKE_INTERMEDIATE exchanges, so that they take place right before the IKE_AUTH exchange.

First, if multiple key exchanges were negotiated, then one or more IKE_INTERMEDIATE exchanges are performed, right after the IKE_SA_INIT exchange, as defined in .

<--- HDR(IKE_INTERMEDIATE), SK {KEr(n)} ]]>

Each of these exchanges updates the session keys as defined in Section 2.2.2 of . If the use of PPKs as defined in is negotiated, then the IKE_INTERMEDIATE exchange negotiating the PPK to use is performed then as defined in Section 3.1 of .

<--- HDR(IKE_INTERMEDIATE), SK {N(PPK_IDENTITY)} ]]>

After this exchange the session keys are updated as defined in Section 3.1.1 of . If both additional key exchange(s) and the use of PPKs as defined in are negotiated, then the last additional key exchange MAY alternatively be combined with negotiation the PPK in a single IKE_INTERMEDIATE exchange as shown in . Note, that in many cases only one additional key exchange will be negotiated (as a part of PQ/T hybrid key exchange), thus in this case the last additional key exchange will also be the only one.

<--- HDR(IKE_INTERMEDIATE), SK {KEr(m), N(PPK_IDENTITY)} ]]>

If this combined IKE_INTERMEDIATE exchange takes place, then upon its completion session keys are updated twice - fist as defined in Section 2.2.2 of and then, provided the peers negotiate the PPK to use, as defined in Section 3.1.1 of . Note, that while generally requires that the PPK negotiation is performed in the last IKE_INTERMEDIATE exchange right before the IKE_AUTH exchange, it also allows this requirement to be overridden by other specification. This document specifically overrides this requirement by allowing the IKE_INTERMEDIATE exchanges concerned with the KEM-based authentication to take place between the negotiation of PPK and the IKE_AUTH exchange.

The next IKE_INTERMEDIATE exchanges perform the necessary actions for the KEM-based authentication. First, the peers exchange their KEM certificates. The initiator can optionally include the Certificate Request payload to help the responder to select the right KEM certificate. The initiator can also indicate which KEMs it is willing to use for authentication by including the SUPPORTED_AUTH_METHODS notification in the response. In this case the notification SHOULD NOT contain announcements with the Auth Method other than the "KEM Authentication" (<TBA1>). The format of announcement is defined in . The initiator's certificate and the responder's one MAY contain public keys for different KEMs, provided that peers support these KEMs, - there is no requirement that they are for the same KEM. Since KEM certificates can have significant size, peers MAY use hash-and-URL certificate lookup (by using "Hash and URL of X.509 certificate" or "Hash and URL of X.509 bundle" certificate encoding). In this case the CERT payload would contain the URL and the hash of the certificate(s) as defined in Section 3.6 of . The advantage of this approach is that a host can avoid downloading the peer's certificates if it cached this certificate from a previous connection. The hash of a certificate provided in the Certificate payload is used to find the certificate in a cache in this case. Besides the KEM certificate, additional intermediate signing certificates can be sent. The KEM certificate MUST be the first and the only KEM certificate in the message.

<--- HDR(IKE_INTERMEDIATE), SK {CERT} ]]>

This exchange does not update the current session keys. Once peers exchange their KEM certificates they verify each other's certificate to make sure that it is valid, properly signed by a certificate chain leaded to a trusted CA, and that it is acceptable for peer authentication based on the local policy. The exact verification steps are out of scope of this document, but generally should follow those defined in . The next IKE_INTERMEDIATE exchange is used to exchange the ciphertexts CT_i and CT_r obtained as a result of encapsulation of random values SS_i and SS_r using the long-term KEM public keys. The KEM public keys are extracted from the KEM certificates received in the previous exchange. The peers send each other a new status type notification AUTHKEM_DATA (with type <TBA3>). The Protocol ID and SPI Size fields are set to 0 (meaning no SPI is present). The Notification Data is a concatenation of two values CT and SSCONF prepared by each peer, where CT_i and SSCONF_i are prepared by the initiator, while CT_r and SSCONF_r are prepared by the responder. These values are computed as follows ("x" is either "i" or "r"):

• CT_x is a ciphertext obtained as a result of encapsulation of a random value SS_x with a the long-term public key from the peer's certificate.
• SSCONF_x is computed as prf(SK_px, SS_x), where prf is the negotiated PRF for this SA.

As a result, the data in the AUTHKEM_DATA notification sent by the initiator is CT_i | SSCONF_i and the data in this notification sent by the responder is CT_r | SSCONF_r.

<--- HDR(IKE_INTERMEDIATE), SK {N(AUTHKEM_DATA)} ]]>

Upon receiving the message each side performs the following steps:

1. Splits the content of the AUTHKEM_DATA notification into CT and SSCONF parts based on the known sizes of the ciphertext of the used KEM algorithm and the output size of the negotiated PRF.
2. Decrypts CT using the receiver's own private key corresponding to its own KEM certificate, which was sent in the previous exchange to the peer, and gets the SS value encapsulated by the peer.
3. Computes peer's SSCONF value and checks whether it matches the received SSCONF value.

If the computed and the received SSCONF values match, then the host can be sure that it received exactly the same SS value as was sent by its peer. To complete authentication the host needs to prove this fact to its peer, and to make sure that the peer also received exactly the same SS value as it sent. Upon completion of this exchange the session keys are updated. A new value of SKEYSEED is computed as:

Then all the session keys (SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi, and SK_pr) are computed as defined in Section 2.14 of . These session keys are then used for protecting all subsequent exchanges starting from the IKE_AUTH exchange.

The IKE_AUTH exchange immediately follows the IKE_INTERMEDIATE exchange where peers sent each other encrypted SS values. The IKE_AUTH exchange is basically unchanged from that defined in . The Auth Method field in the AUTH payloads MUST be "KEM Authentication". The format of the AUTH payload is computed as defined in .

<--- HDR(IKE_AUTH), SK{IDr, AUTH, SAr2, TSi, TSr} ]]>

With KEM based authentication peers have to exchange their KEM certificates before actual authentication of each other. Certificates usually contain some identity information, that the CA asserts the included public key is bound to. This makes peers aware of each other's identity before the IKE_AUTH exchange starts. However, IKEv2 doesn't rely on the identities from certificates when performing authentication. Instead, Identification payloads (IDi and IDr) are mandatory in the IKE_AUTH exchange and exactly they are included into the AUTH payload calculation. The content of the IDi and IDr payload may differ from the identification information in the corresponding certificate, as stated in Section 3.5 of .

This section is to be removed eventually. It provides ideas for alternative design of the protocol. The presented sequence of exchanges requires two additional exchanges (namely IKE_INTERMEDIATE exchanges) for KEM-based authentication compared to signature-based authentication. It is possible to only have one additional IKE_INTERMEDIATE exchange, but this either results in some degradation of security properties or leads to additional protocol complexity. Note, that the amount of data exchanged over the wire would not changed, the different items would just be combined in one message. This, it turn, would increase size of these messages that might not be desirable from reliable delivery point of view.

It is possible to exchange certificates before all additional key exchanges (and optional negotiation of the PPK) are completed. In this case the certificates would only be protected with session keys computed after the IKE_SA_INIT exchange (in case of hybrid key exchange that would be traditional key exchange). In this case, the exchange shown in is not needed, since the certificates would be exchanged in the previous exchange. For example, the exchange shown in would look like:

<--- HDR(IKE_INTERMEDIATE), SK {KEr(m), (PPK_IDENTITY), CERT} ]]>

This design would decrease the level of identity hiding, since the session keys used to protect the certificates in case of hybrid key exchange could be cracked by an attacker using quantum computer. On the other hand, KEM-based authentication is generally more succeptible to learning the identities of the peers by an attacker, because the peers have to exchange their certificates before authenticating each other, which makes it possible for the attacker in the middle to learn them.

It is possible to get almost the same protection as in the original design but still eliminating one IKE_INTERMEDIATE exchange by complicating the protocol. In this case the exchange shown in is also not needed. The responder sends its certificate first in the previous IKE_INTERMEDIATE exchange. Note, that this exchange contains the last additional key exchange and optionally the PPK negotiation, thus its messages are not yet protected with the session keys that would result in this exchange - the new key are calculated only once the exchange completes. However, the responder can calculate the updated keys before it sends the response message. The idea is that the responder calculates new session keys and use these "future" keys (for the next exchange) to protect its certificate in the encrypted payload, that itself is protected with the "current" session keys.

<--- HDR(IKE_INTERMEDIATE), SK {KEr(m), (PPK_IDENTITY), N(ENCYPTED_CERT)(cert)} ]]>

Then the initiator sends its certificate in the exchange shown in .

<--- HDR(IKE_INTERMEDIATE), SK {N(AUTHKEM_DATA)} ]]>

This sequence of exchanges allows certificates to be protected at the same level as in the original sequence of exchanges (in particular, both certificates can be protected with group PPK). The drawback is the added complexity for implementations, since it could break the traditional state transitions logic of IKE.

The format of the Authentication payload is defined in Section 3.8 of . In case of KEM-based authentication the Auth Method is set to "KEM Authentication" (<TBA1>). The Authentication Data is computed as:

) For the responder: AUTH = prf( prf(SK_pr, "Key Pad for IKEv2"), ) ]]>

The content of the InitiatorSignedOctets and the ResponderSignedOctets is defined in Section 3.3.2 of . If full transcript authentication is employed as specified in , then the InitiatorSignedOctets and the ResponderSignedOctets are additionally modified as defined in .

The format of the announcement for the "KEM Authentication" is the same as for "Digital Signature" as shown in Section 3.2.3 of . For convenience the format is also shown below.

3) | Auth Method | Cert Link | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | ~ AlgorithmIdentifier ASN.1 object ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]>

Length - Length of the announcement in octets, must be greater than 3. Auth Method - Announced authentication method, in this case it is "KEM Authentication". Cert Link - Links this announcement with particular CA; see Section 3.2.2 of for details. AlgorithmIdentifier ASN.1 object - the AlgorithmIdentifier of PKIX (see Section 4.1.1.2 of ), encoded using distinguished encoding rules (DER) . For "KEM Authentication" announcement the AlgorithmIdentifier MUST contain identifier of a KEM algorithm (and not, for example, of a signature algorithm). Identifiers for KEM algorithms are specified in the corresponding documents for these algorithms (e.g., for ML-KEM see ).

To be added.

To be done later. 1) It may be not a good idea by directly showing the decapsulated secret ss as the means of authentication here. The reason is that the entity being authenticated may employ the owner of the KEM public/private key pair as an oracle to decapsualte the secret via running a different session, normally within a separate protocol or scenario where directly showing such a secret is harmless. 2) It may be preferable or MUST limit the use of such a KEM certificate only for KEM authentication.

IANA is requested to make the following changes in the IKEv2 registries "Internet Key Exchange Version 2 (IKEv2) Parameters" :

1. Define a new authentication method "KEM Authentication" in the "IKEv2 Authentication Method" registry:

   Value	IKEv2 Authentication Method
   TBA1	KEM Authentication

2. Define two new status type notifications in the "IKEv2 Notify Message Status Types" registry:

   Value	Notify Message Status Type
   TBA2	USE_AUTHKEM
   TBA3	AUTHKEM_DATA

.. Informative References .. .. .. .. .. ..

Acknowledgements To be added later.

Contributors Uri Blumenthal and Brandon Luo contributed a lot to the design of this protocol as authors of PQuAKE protocol.