Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
draft-kwiatkowski-tls-ecdhe-mlkem-00
This document is an Internet-Draft (I-D).
Anyone may submit an I-D to the IETF.
This I-D is not endorsed by the IETF and has no formal standing in the
IETF standards process.
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
|
|
|---|---|---|---|
| Authors | Kris Kwiatkowski , Panos Kampanakis | ||
| Last updated | 2024-08-15 | ||
| Replaced by | draft-ietf-tls-ecdhe-mlkem | ||
| RFC stream | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-kwiatkowski-tls-ecdhe-mlkem-00
Transport Layer Security K. Kwiatkowski
Internet-Draft PQShield
Intended status: Informational P. Kampanakis
Expires: 16 February 2025 AWS
15 August 2024
Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
draft-kwiatkowski-tls-ecdhe-mlkem-00
Abstract
This draft defines a hybrid key agreement for TLS 1.3 that combines a
post-quantum KEM with elliptic curve Diffie-Hellman (ECDHE).
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at https://post-
quantum-cryptography.github.io/draft-kwiatkowski-tls-ecdhe-mlkem/.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/.
Discussion of this document takes place on the Transport Layer
Security Working Group mailing list (mailto:tls@ietf.org), which is
archived at https://mailarchive.ietf.org/arch/browse/tls/. Subscribe
at https://www.ietf.org/mailman/listinfo/tls/.
Source for this draft and an issue tracker can be found at
https://github.com/post-quantum-cryptography/draft-kwiatkowski-tls-
ecdhe-mlkem.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Kwiatkowski & KampanakisExpires 16 February 2025 [Page 1]
Internet-Draft ECDHE-MLKEM August 2024
This Internet-Draft will expire on 16 February 2025.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Motivation . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 3
3. Negotiated Groups . . . . . . . . . . . . . . . . . . . . . . 3
3.1. Construction . . . . . . . . . . . . . . . . . . . . . . 3
4. Security Considerations . . . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
6.1. Normative References . . . . . . . . . . . . . . . . . . 4
6.2. Informative References . . . . . . . . . . . . . . . . . 5
Appendix A. Change log . . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
1.1. Motivation
ML-KEM is a key encapsulation method (KEM) that is designed to
withstand cryptanalytic attacks from quantum computers.
Experimentation and early deployments are crucial steps in
transitioning to post-quantum cryptography. This document specifies
a hybrid post-quantum key agreement for use in the TLS 1.3 protocol
to promote interoperability of these deployments.
Kwiatkowski & KampanakisExpires 16 February 2025 [Page 2]
Internet-Draft ECDHE-MLKEM August 2024
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Negotiated Groups
This document introduces a new supported group for hybrid post-
quantum key agreements in TLS 1.3. The hybrid key agreement is
detailed in the [hybrid] draft, which combines the ML-KEM as defined
in [FIPS-203], with the ECDHE scheme using elliptic curves from ANSI
X9.62 [ECDSA] and NIST SP 800-186 [DSS].
The new group enables the derivation of TLS session keys using FIPS-
approved schemes. NIST's special publication 800-56Cr2 [SP56C]
approves the usage of HKDF [HKDF] with two distinct shared secrets,
with the condition that the first one is computed by a FIPS-approved
key-establishment scheme. This draft specifies a new supported group
where both shared secrets are calculated by FIPS-approved mechanisms.
The first one involves ECDHE with a FIPS-approved curve secp256r1
(NIST P-256) specified by NIST SP 800-56Ar3 [SP56A] and NIST SP
800-186 [DSS]. The second shared secret is obtained from the FIPS-
approved ML-KEM-768 as defined in [FIPS-203].
3.1. Construction
The name of the new supported hybrid post-quantum group is
SecP256r1MLKEM768.
When this group is negotiated, the client's share is a fixed-size
concatenation of the ECDHE share and ML-KEM's public key. The ECDHE
share is the serialized value of the uncompressed ECDH point
representation as defined in Section 4.2.8.2 of [RFC8446]. The ML-
KEM's ephemeral share is the public key of the key generation step
(see [FIPS-203], section 7.1) represented as an octet string. The
size of client share is 1249 bytes (65 bytes of ECDHE part and 1184
of ML-KEM part).
Kwiatkowski & KampanakisExpires 16 February 2025 [Page 3]
Internet-Draft ECDHE-MLKEM August 2024
The server's share is a fixed-size concatenation of ECDHE share and
ML-KEM's ciphertext returned from encapsulation (see [FIPS-203],
section 7.2). The server ECDHE share is the serialized value of the
uncompressed ECDH point representation as defined in Section 4.2.8.2
of [RFC8446]. The server share is the ML-KEM's ciphertext returned
from the Encapsulate step (see [FIPS-203], section 7.2) represented
as an octet string. The size of server's share is 1153 bytes (65
bytes of ECDHE part and 1088 of ML-KEM part).
Finally, the shared secret is a concatenation of the ECDHE and the
ML-KEM shared secrets. The ECDHE shared secret is the x-coordinate
of the ECDH shared secret elliptic curve point represented as an
octet string as defined in Section 7.4.2 of [RFC8446]. The ML-KEM
shared secret is the value returned from either encapsulation (on the
server side) or decapsulation (on the client side) represented as an
octet string. The size of a shared secret is 64 bytes (32 bytes of
ECDHE part and 32 of ML-KEM part).
4. Security Considerations
The same security considerations as those described in [hybrid] apply
to the approach used by this document. Implementers are encouraged
to use implementations resistant to side-channel attacks, especially
those that can be applied by remote attackers.
5. IANA Considerations
This document requests/registers a new entry to the TLS Supported
Groups registry, according to the procedures in Section 6 of
[tlsiana]. These identifiers are to be used with the final, ratified
by NIST, version of ML-KEM which is specified in [FIPS-203].
Value: 25499 (0x639B)
Description: SecP256r1MLKEM768
DTLS-OK: Y
Recommended: N
Reference: This document
Comment: Combining secp256r1 ECDH with the ML-KEM-768
6. References
6.1. Normative References
Kwiatkowski & KampanakisExpires 16 February 2025 [Page 4]
Internet-Draft ECDHE-MLKEM August 2024
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/rfc/rfc8446>.
6.2. Informative References
[DSS] Chen, L., Moody, D., Regenscheid, A., Robinson, A., and K.
Randall, "Recommendations for Discrete Logarithm-based
Cryptography:: Elliptic Curve Domain Parameters", National
Institute of Standards and Technology,
DOI 10.6028/nist.sp.800-186, February 2023,
<https://doi.org/10.6028/nist.sp.800-186>.
[ECDSA] American National Standards Institute, "Public Key
Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm (ECDSA)",
ANSI ANS X9.62-2005, November 2005.
[FIPS-203] "Module-Lattice-Based Key-Encapsulation Mechanism
Standard", National Institute of Standards and Technology,
DOI 10.6028/nist.fips.203, August 2024,
<https://doi.org/10.6028/nist.fips.203>.
[HKDF] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC Editor,
DOI 10.17487/rfc5869, May 2010,
<https://doi.org/10.17487/rfc5869>.
[hybrid] Stebila, D., Fluhrer, S., and S. Gueron, "Hybrid key
exchange in TLS 1.3", Work in Progress, Internet-Draft,
draft-ietf-tls-hybrid-design-10, 5 April 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-tls-
hybrid-design-10>.
Kwiatkowski & KampanakisExpires 16 February 2025 [Page 5]
Internet-Draft ECDHE-MLKEM August 2024
[SP56A] Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
Davis, "Recommendation for pair-wise key-establishment
schemes using discrete logarithm cryptography", National
Institute of Standards and Technology,
DOI 10.6028/nist.sp.800-56ar3, April 2018,
<https://doi.org/10.6028/nist.sp.800-56ar3>.
[SP56C] Barker, E., Chen, L., and R. Davis, "Recommendation for
Key-Derivation Methods in Key-Establishment Schemes",
National Institute of Standards and Technology,
DOI 10.6028/nist.sp.800-56cr2, August 2020,
<https://doi.org/10.6028/nist.sp.800-56cr2>.
[tlsiana] Salowey, J. A. and S. Turner, "IANA Registry Updates for
TLS and DTLS", Work in Progress, Internet-Draft, draft-
ietf-tls-rfc8447bis-09, 30 April 2024,
<https://datatracker.ietf.org/doc/html/draft-ietf-tls-
rfc8447bis-09>.
Appendix A. Change log
* draft-kwiatkowski-tls-ecdhe-mlkem-00:
- Change Kyber name to ML-KEM
- Swap reference to I-D.cfrg-schwabe-kyber with FIPS-203
- Change codepoint. New value is equal to old value + 1.
* draft-kwiatkowski-tls-ecdhe-kyber-01: Fix size of key shares
generated by the client and the server
* draft-kwiatkowski-tls-ecdhe-kyber-00: updates following IANA
review
Authors' Addresses
Kris Kwiatkowski
PQShield
Email: kris@amongbytes.com
Panos Kampanakis
AWS
Email: kpanos@amazon.com
Kwiatkowski & KampanakisExpires 16 February 2025 [Page 6]