Use of ML-KEM in the Cryptographic Message Syntax (CMS)
draft-ietf-lamps-cms-kyber-13

[Ballot comment]
# Orie Steele, ART AD, comments for draft-ietf-lamps-cms-kyber-11
CC @OR13

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-lamps-cms-kyber-11.txt&submitcheck=True

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

### ukm

```
221       no reason to.  For maximum interoperability, recipients using ML-
222       KEM SHOULD accept and process the ukm.  Recipients that do not
223       support the ukm field SHOULD gracefully discontinue processing
224       when the ukm field is present.
```

This is framed weirdly imo.
Failure to process ukm consistently will lead to different key material.

I might consider framing this as:

Recipients who do not understand ukm MUST ignore it, and not raise an error.
Recipients who understand ukm MUST process it in order to achieve interoperability.

I find the treatment of ukm here amusing given its cousin in JOSE:

https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.2

### Why not MUST?

```
416   and ciphertext.  Implementations SHOULD NOT use intermediate values
417   directly for any purpose.
```

```
419   Implementations SHOULD NOT reveal information about intermediate
420   values or calculations, whether by timing or other "side channels",
421   otherwise an opponent may be able to determine information about the
422   keying data and/or the recipient's private key.  Although not all
```

Under which circumstances is a side channel useful for interop?

### Weird may

```
433   Parties MAY gain assurance that implementations are correct through
434   formal implementation validation, such as the NIST Cryptographic
435   Module Validation Program (CMVP) [CMVP].
```

[Ballot comment]
Hi Julien, Mike, and Daniel,

Thank you for the effort put into this specification.

I trust that the WG/responsible AD checked the validity of the module and various examples.

Please find below some comments, fwiw. Major comments are marked with (*).

# RFC5911 and RFC9629 are normative (*)

These two are needed, for example, for this import

CURRENT:
  This appendix includes the ASN.1 module [X680] for ML-KEM.  This
  module imports objects from [RFC5911], [RFC9629], [RFC8619],
  [I-D.ietf-lamps-kyber-certificates].

# Deviation from the NIST spec  (*)

Maybe I’m not looking in the correct NIST reference, but the ciphertext sizes indicated below for ML-KEM-768/1024 does not match with the one indicated in Table 3 of NIST.FIPS.203.

CURRENT:
    +=============+=======+==========+==========+============+========+
    | Parameter  | Level | Encap.  | Decap.  | Ciphertext | Shared |
    | Set        |      | Key Size | Key Size | Size      | Secret |
    |            |      |          |          |            | Size  |
    +=============+=======+==========+==========+============+========+
    | ML-KEM-512  | 1    | 800      | 1632    | 768        | 32    |
    +-------------+-------+----------+----------+------------+--------+
    | ML-KEM-768  | 3    | 1184    | 2400    | 1952      | 32    |
    +-------------+-------+----------+----------+------------+--------+
    | ML-KEM-1024 | 5    | 1568    | 3168    | 2592      | 32    |
    +-------------+-------+----------+----------+------------+--------+

# Lack of reasoning  (*)

CURRENT:
      ukm is an optional random input to the key-derivation function.
      For ML-KEM, ukm doesn't provide any additional security benefits.
      Originators using ML-KEM MAY choose to send a ukm, though there is
      no reason to. 

Don’t get why the parameter is sent then.

# How to enforce the requirement  (*)

CURRENT:
  When ML-KEM is employed in the CMS, the underlying components used
  within the KEMRecipientInfo structure SHOULD be consistent with a
  minimum desired security level.

I’m not familiar with the conventions here, but this seems to me week characterization of an expected behavior. How to enforced this?

# Why these are not MUST? (*)

CURRENT:
      ML-KEM-512 SHOULD be used with a KDF capable of outputting a key
      with at least 128 bits of preimage strength and with a key
      wrapping algorithm with a key length of at least 128 bits.

      ML-KEM-768 SHOULD be used with a KDF capable of outputting a key
      with at least 192 bits of preimage strength and with a key
      wrapping algorithm with a key length of at least 192 bits.

      ML-KEM-1024 SHOULD be used with a KDF capable of outputting a key
      with at least 256 bits of preimage strength and with a key
      wrapping algorithm with a key length of at least 256 bits.

Maybe obvious for the authors, but it would expect some explanation what this is not a MUST.

# Redundant Behaviors  (*)

The above SHOULDs are redundant with the ones in Section 7. Unless I missed subtle things here, please keep the use of normative language in one single place:

Section 7:
  To achieve 128-bit security, ML-KEM-512 SHOULD be used, the key-
  derivation function SHOULD provide at least 128 bits of preimage
  strength, and the symmetric key-encryption algorithm SHOULD have a
  security strength of at least 128 bits.  To achieve 192-bit security,
  ML-KEM-768 SHOULD be used, the key-derivation function SHOULD provide
  at least 192 bits of preimage strength, and the symmetric key-
  encryption algorithm SHOULD have a security strength of at least 192
  bits.  In the case of AES Key Wrap, a 256-bit key is typically used
  because AES-192 is not as commonly deployed. 

# Other comments are provided below

## Abstract

### Regional matters

Please s/NIST/US National Institute of Standards and Technology (NIST)

### Abstract should be self-contained

OLD: using the KEMRecipientInfo structure

NEW: using the KEMRecipientInfo structure defined in “Using Key Encapsulation Mechanism (KEM) Algorithms in the Cryptographic Message Syntax (CMS)” (RFC 9629)

## Introduction

* Acronym already introduced in the first sentence

s/Native support for Key Encapsulation Mechanisms (KEMs)/KEMs

## Business as usual

CURRENT:
      |  RFC EDITOR: Please replace the following references to
      |  [I-D.ietf-lamps-kyber-certificates] with a reference to the
      |  published RFC.

No need to have this note as this what the RFC will do anyway :-)

Consider deleting this note and similar ones.

## Section 3

CURRENT:
  All identifiers used to indicate ML-KEM within the CMS are defined
  elsewhere
  ^^^^^^^^

Can we please add references where these identifiers were defined? Thanks.

## Can we please cite Appendix B and Appendix C in the main body?

Hope this helps.

Cheers,
Med

[Ballot comment]
Thank you to Joel Halpern for the GENART review.

** Section 4.
  To achieve 128-bit security, ML-KEM-512 SHOULD be used, the key-
  derivation function SHOULD provide at least 128 bits of preimage
  strength, and the symmetric key-encryption algorithm SHOULD have a
  security strength of at least 128 bits.  To achieve 192-bit security,
  ML-KEM-768 SHOULD be used, the key-derivation function SHOULD provide
  at least 192 bits of preimage strength, and the symmetric key-
  encryption algorithm SHOULD have a security strength of at least 192
  bits.  In the case of AES Key Wrap, a 256-bit key is typically used
  because AES-192 is not as commonly deployed.  To achieve 256-bit
  security, ML-KEM-1024 SHOULD be used, the key-derivation function
  SHOULD provide at least 256 bits of preimage strength, and the
  symmetric key-encryption algorithm SHOULD have a security strength of
  at least 256 bits.

I’m wondering if the editorial construct of “To achieve ###-bit of security, ML-KEM-### SHOULD be used …” is the clearest way to express this guidance.  It doesn’t motivate when you would NOT use this guidance (i.e., SHOULD suggests choice).  Additionally, the stated parameter set is really the minimum to achieve “##-bit security”.

** Appendix A
  This appendix includes the ASN.1 module [X680] for ML-KEM.  This
  module imports objects from [RFC5911], [RFC9629], [RFC8619],
  [I-D.ietf-lamps-kyber-certificates].
AND
    SMIME-CAPS
      FROM AlgorithmInformation-2009  -- [RFC5911]
        { iso(1) identified-organization(3) dod(6) internet(1)
          security(5) mechanisms(5) pkix(7) id-mod(0)
          id-mod-algorithmInformation-02(58) }

This import makes RFC5911 a normative reference.  It is currently informative.

** Idnit says:
  == The document seems to lack the recommended RFC 2119 boilerplate, even if
    it appears to use RFC 2119 keywords -- however, there's a paragraph with
    a matching beginning. Boilerplate error?

Please check that the right boiler plate is being used in Section 1.1

[Ballot comment]
Thanks for the work done in this document.

I am trusting the responsible AD,the LAMPS WG chairs, and the shepherd about the IPR situation and the associated consensus.

Minor regret: there is no justification for the intended status in the shepherd write-up.

IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-lamps-cms-kyber-10. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there is a single action which we must complete.

In the SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0) registry in the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry group located at:

https://www.iana.org/assignments/smi-numbers/

a single new registration will be made as follows:

Decimal: [ TBD-at-Registration ]
Description: id-mod-cms-ml-kem-2024
Reference: [ RFC-to-be ]

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we have completed the required Expert Review via a separate request.

We understand that this is the only action required to be completed upon approval of this document.

NOTE: The action requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the action that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2025-07-01):

From: The IESG
To: IETF-Announce
CC: debcooley1@gmail.com, draft-ietf-lamps-cms-kyber@ietf.org, housley@vigilsec.com, lamps-chairs@ietf.org, spasm@ietf.org
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (Use of ML-KEM in the Cryptographic Message Syntax (CMS)) to Proposed Standard


The IESG has received a request from the Limited Additional Mechanisms for
PKIX and SMIME WG (lamps) to consider the following document: - 'Use of
ML-KEM in the Cryptographic Message Syntax (CMS)'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2025-07-01. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) is a
  quantum-resistant key-encapsulation mechanism (KEM).  Three
  parameters sets for the ML-KEM algorithm are specified by NIST in
  FIPS 203.  In order of increasing security strength (and decreasing
  performance), these parameter sets are ML-KEM-512, ML-KEM-768, and
  ML-KEM-1024.  This document specifies the conventions for using ML-
  KEM with the Cryptographic Message Syntax (CMS) using the
  KEMRecipientInfo structure.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-kyber/



No IPR declarations have been submitted directly on this I-D.

# Shepherd Write-up for draft-ietf-lamps-cms-kyber-09

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.  The discussion was
  very active, and LAMPS WG consensus was reached.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was much controversy, especially about the private key format,
  which is specified in the companion document (draft-ietf-lamps-kyber-
  certificates).  The LAMPS WG reached a place that everyone can live
  with the result, even though everyone is not happy.  That is, the two
  documents represent a place where all parties are equally unhappy.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  The patent situation was not addressed to the satisfaction of all parties.
  The following messages in the archive represent the best summary of the
  patent situation.  Only one person has expressed concern, and the
  potential patent holder has not chosen to make an IPR disclosure.
  Further, despite the discussion, no one has made a third-party IPR
  disclosure.
 
  https://mailarchive.ietf.org/arch/msg/spasm/GKFhHfBeCgf8hQQvhUcyOJ6M-kI/
  https://mailarchive.ietf.org/arch/msg/spasm/jhpFJNGrmBn1D9oEDZHAuqfzleY/

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, which is the reason that the private key format
  discussion became so difficult.  No implementer wanted to make changes.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder value is inserted for the module
  identifier that will be assigned by IANA, the ASN.1 module in Appendix A
  compiler without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    In addition to the points made in response to question 3, the authors have
    explicitly stated that they are unaware of any IPR that needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complains about the document lacking "the recommended RFC 2119
    boilerplate".  It is incorrect.  The boilerplate is present in Section 1.1,
    and the document contains references for [RFC2119] and [RFC8174].

    IDnits gets confused by the square brackets in the ASN.1, but I do not
    see any problems.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There are two normative DOWNREFs: RFC 3394 and RFC 5869.  Both are
    already in the DOWNREF registry.
 
18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    One normative references has not been published yet: draft-ietf-lamps-
    kyber-certificates.  This document is already with the IESG.  It is
    very likely that it will be published at the same time as this document.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign an object identifier (OID) for the ASN.1
    module identifier.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.

# Shepherd Write-up for draft-ietf-lamps-cms-kyber-09

## Document History

1. Does the working group (WG) consensus represent the strong concurrence of a
  few individuals, with others being silent, or did it reach broad agreement?

  There is support in the LAMPS WG for this document.  The discussion was
  very active, and LAMPS WG consensus was reached.

2. Was there controversy about particular points, or were there decisions where
  the consensus was particularly rough?

  There was much controversy, especially about the private key format,
  which is specified in the companion document (draft-ietf-lamps-kyber-
  certificates).  The LAMPS WG reached a place that everyone can live
  with the result, even though everyone is not happy.  That is, the two
  documents represent a place where all parties are equally unhappy.

3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If
  so, please summarize the areas of conflict in separate email messages to the
  responsible Area Director. (It should be in a separate email because this
  questionnaire is publicly available.)

  The patent situation was not addressed to the satisfaction of all parties.
  The following messages in the archive represent the best summary of the
  patent situation.  Only one person has expressed concern, and the
  potential patent holder has not chosen to make an IPR disclosure.
  Further, despite the discussion, no one has made a third-party IPR
  disclosure.
 
  https://mailarchive.ietf.org/arch/msg/spasm/GKFhHfBeCgf8hQQvhUcyOJ6M-kI/
  https://mailarchive.ietf.org/arch/msg/spasm/jhpFJNGrmBn1D9oEDZHAuqfzleY/

4. For protocol documents, are there existing implementations of the contents of
  the document? Have a significant number of potential implementers indicated
  plans to implement? Are any existing implementations reported somewhere,
  either in the document itself (as [RFC 7942][3] recommends) or elsewhere
  (where)?

  Some code written, which is the reason that the private key format
  discussion became so difficult.  No implementer wanted to make changes.

## Additional Reviews

5. Do the contents of this document closely interact with technologies in other
  IETF working groups or external organizations, and would it therefore benefit
  from their review? Have those reviews occurred? If yes, describe which
  reviews took place.

  No concerns about interaction with other technologies.

6. Describe how the document meets any required formal expert review criteria,
  such as the MIB Doctor, YANG Doctor, media type, and URI type reviews.

  No special reviews are needed.

7. If the document contains a YANG module, has the final version of the module
  been checked with any of the [recommended validation tools][4] for syntax and
  formatting validation? If there are any resulting errors or warnings, what is
  the justification for not fixing them at this time? Does the YANG module
  comply with the Network Management Datastore Architecture (NMDA) as specified
  in [RFC 8342][5]?

  This document does not include a YANG module.

8. Describe reviews and automated checks performed to validate sections of the
  final version of the document written in a formal language, such as XML code,
  BNF rules, MIB definitions, CBOR's CDDL, etc.

  ASN.1 is used.  Once a placeholder value is inserted for the module
  identifier that will be assigned by IANA, the ASN.1 module in Appendix A
  compiler without error.

## Document Shepherd Checks

9. Based on the shepherd's review of the document, is it their opinion that this
  document is needed, clearly written, complete, correctly designed, and ready
  to be handed off to the responsible Area Director?

  Yes.

10. Several IETF Areas have assembled [lists of common issues that their
    reviewers encounter][6]. For which areas have such issues been identified
    and addressed? For which does this still need to happen in subsequent
    reviews?

    No concerns were noticed.

11. What type of RFC publication is being requested on the IETF stream ([Best
    Current Practice][12], [Proposed Standard, Internet Standard][13],
    [Informational, Experimental or Historic][14])? Why is this the proper type
    of RFC? Do all Datatracker state attributes correctly reflect this intent?

    As reflected in the Datatracker: Proposed Standard on the IETF Stream.

12. Have reasonable efforts been made to remind all authors of the intellectual
    property rights (IPR) disclosure obligations described in [BCP 79][7]? To
    the best of your knowledge, have all required disclosures been filed? If
    not, explain why. If yes, summarize any relevant discussion, including links
    to publicly-available messages when applicable.

    In addition to the points made in response to question 3, the authors have
    explicitly stated that they are unaware of any IPR that needs to be declared.

13. Has each author, editor, and contributor shown their willingness to be
    listed as such? If the total number of authors and editors on the front
    page is greater than five, please provide a justification.

    Yes.

14. Document any remaining I-D nits in this document. Simply running the [idnits
    tool][8] is not enough; please review the ["Content Guidelines" on
    authors.ietf.org][15]. (Also note that the current idnits tool generates
    some incorrect warnings; a rewrite is underway.)

    IDnits complains about the document lacking "the recommended RFC 2119
    boilerplate".  It is incorrect.  The boilerplate is present in Section 1.1,
    and the document contains references for [RFC2119] and [RFC8174].

    IDnits gets confused by the square brackets in the ASN.1, but I do not
    see any problems.

15. Should any informative references be normative or vice-versa? See the [IESG
    Statement on Normative and Informative References][16].

    No concerns.

16. List any normative references that are not freely available to anyone. Did
    the community have sufficient access to review any such normative
    references?

    All references are freely available.

17. Are there any normative downward references (see [RFC 3967][9] and [BCP
    97][10]) that are not already listed in the [DOWNREF registry][17]? If so,
    list them.

    There are two normative DOWNREFs: RFC 3394 and RFC 5869.  Both are
    already in the DOWNREF registry.
 
18. Are there normative references to documents that are not ready to be
    submitted to the IESG for publication or are otherwise in an unclear state?
    If so, what is the plan for their completion?

    One normative references has not been published yet: draft-ietf-lamps-
    kyber-certificates.  This document is already with the IESG.  It is
    very likely that it will be published at the same time as this document.

19. Will publication of this document change the status of any existing RFCs? If
    so, does the Datatracker metadata correctly reflect this and are those RFCs
    listed on the title page, in the abstract, and discussed in the
    introduction? If not, explain why and point to the part of the document
    where the relationship of this document to these other RFCs is discussed.

    No, this document will not change the status of any other document.

20. Describe the document shepherd's review of the IANA considerations section,
    especially with regard to its consistency with the body of the document.
    Confirm that all aspects of the document requiring IANA assignments are
    associated with the appropriate reservations in IANA registries. Confirm
    that any referenced IANA registries have been clearly identified. Confirm
    that each newly created IANA registry specifies its initial contents,
    allocations procedures, and a reasonable name (see [RFC 8126][11]).

    IANA is requested to assign an object identifier (OID) for the ASN.1
    module identifier.

21. List any new IANA registries that require Designated Expert Review for
    future allocations. Are the instructions to the Designated Expert clear?
    Please include suggestions of designated experts, if appropriate.

    No new IANA registries are needed.