| Internet-Draft | ECDHE-MLKEM | August 2024 |
| Kwiatkowski & Kampanakis | Expires 16 February 2025 | [Page] |
This draft defines a hybrid key agreement for TLS 1.3 that combines a post-quantum KEM with elliptic curve Diffie-Hellman (ECDHE).¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://post-quantum-cryptography.github.io/draft-kwiatkowski-tls-ecdhe-mlkem/. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/.¶
Discussion of this document takes place on the Transport Layer Security Working Group mailing list (mailto:tls@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/tls/. Subscribe at https://www.ietf.org/mailman/listinfo/tls/.¶
Source for this draft and an issue tracker can be found at https://github.com/post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 16 February 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
ML-KEM is a key encapsulation method (KEM) that is designed to withstand cryptanalytic attacks from quantum computers.¶
Experimentation and early deployments are crucial steps in transitioning to post-quantum cryptography. This document specifies a hybrid post-quantum key agreement for use in the TLS 1.3 protocol to promote interoperability of these deployments.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document introduces a new supported group for hybrid post-quantum key agreements in TLS 1.3. The hybrid key agreement is detailed in the [hybrid] draft, which combines the ML-KEM as defined in [FIPS-203], with the ECDHE scheme using elliptic curves from ANSI X9.62 [ECDSA] and NIST SP 800-186 [DSS].¶
The new group enables the derivation of TLS session keys using FIPS-approved schemes. NIST's special publication 800-56Cr2 [SP56C] approves the usage of HKDF [HKDF] with two distinct shared secrets, with the condition that the first one is computed by a FIPS-approved key-establishment scheme. This draft specifies a new supported group where both shared secrets are calculated by FIPS-approved mechanisms. The first one involves ECDHE with a FIPS-approved curve secp256r1 (NIST P-256) specified by NIST SP 800-56Ar3 [SP56A] and NIST SP 800-186 [DSS]. The second shared secret is obtained from the FIPS-approved ML-KEM-768 as defined in [FIPS-203].¶
The name of the new supported hybrid post-quantum group is SecP256r1MLKEM768.¶
When this group is negotiated, the client's share is a fixed-size concatenation of the ECDHE share and ML-KEM's public key. The ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of [RFC8446]. The ML-KEM's ephemeral share is the public key of the key generation step (see [FIPS-203], section 7.1) represented as an octet string. The size of client share is 1249 bytes (65 bytes of ECDHE part and 1184 of ML-KEM part).¶
The server's share is a fixed-size concatenation of ECDHE share and ML-KEM's ciphertext returned from encapsulation (see [FIPS-203], section 7.2). The server ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of [RFC8446]. The server share is the ML-KEM's ciphertext returned from the Encapsulate step (see [FIPS-203], section 7.2) represented as an octet string. The size of server's share is 1153 bytes (65 bytes of ECDHE part and 1088 of ML-KEM part).¶
Finally, the shared secret is a concatenation of the ECDHE and the ML-KEM shared secrets. The ECDHE shared secret is the x-coordinate of the ECDH shared secret elliptic curve point represented as an octet string as defined in Section 7.4.2 of [RFC8446]. The ML-KEM shared secret is the value returned from either encapsulation (on the server side) or decapsulation (on the client side) represented as an octet string. The size of a shared secret is 64 bytes (32 bytes of ECDHE part and 32 of ML-KEM part).¶
The same security considerations as those described in [hybrid] apply to the approach used by this document. Implementers are encouraged to use implementations resistant to side-channel attacks, especially those that can be applied by remote attackers.¶
This document requests/registers a new entry to the TLS Supported Groups registry, according to the procedures in Section 6 of [tlsiana]. These identifiers are to be used with the final, ratified by NIST, version of ML-KEM which is specified in [FIPS-203].¶