Kyber -> ML-KEM (#10)
* Swap kyber with MLKEM in draft name
* Change file name to include MLKEM
* Link to the latest version of this draft
* Bump value of the code point. We can't use the same codepoint as for Kyber. Temporarily we will
change it to 0x639A + 1.
kriskwiatkowski authored Aug 14, 2024
1 parent ced5ed7 commit 0979552
Showing 1 changed file with 27 additions and 26 deletions.
@@ -1,9 +1,9 @@
---
title: Post-quantum hybrid ECDHE-Kyber Key Agreement for TLSv1.3
abbrev: ECDHE-Kyber
title: Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
abbrev: ECDHE-MLKEM
category: info

docname: draft-kwiatkowski-tls-ecdhe-kyber-latest
docname: draft-kwiatkowski-tls-ecdhe-mlkem-latest
submissiontype: IETF # also: "independent", "IAB", or "IRTF"
number:
date:
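Review bot: The new title and abbrev spell the algorithm "MLKEM" (ECDHE-MLKEM), while the keyword list and the IANA comment in this same commit use "ML-KEM" and "ML-KEM-768". Pick one spelling for prose, for example "ECDHE-ML-KEM" in the title, and keep the unhyphenated form only where an identifier needs it (docname, group name).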
Expand All @@ -14,18 +14,18 @@ ipr: trust200902
# area: AREA
workgroup: None
keyword:
- kyber
- ML-KEM
- post-quantum
venue:
group: TLS
type: Working Group
github: post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-kyber
latest: https://post-quantum-cryptography.github.io/draft-kwiatkowski-tls-ecdhe-kyber/
github: post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem
latest: https://post-quantum-cryptography.github.io/draft-kwiatkowski-tls-ecdhe-mlkem/

author:
- ins: K. Kwiatkowski
name: Kris Kwiatkowski
organization: PQShield, LTD
organization: PQShield
email: [email protected]
- ins: P. Kampanakis
name: Panos Kampanakis
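Review bot: The venue entries github and latest now point at draft-kwiatkowski-tls-ecdhe-mlkem, so they only resolve once the repository and its published site carry that name; confirm the rename lands together with this commit. The organization change from "PQShield, LTD" to "PQShield" is unrelated to the rename and is not listed in the commit message; mention it there or split it out.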
Expand Down Expand Up @@ -56,7 +56,7 @@ a post-quantum KEM with elliptic curve Diffie-Hellman (ECDHE).
# Introduction

## Motivation
Kyber is a key encapsulation method (KEM) designed to be resistant to cryptanalytic attacks with quantum computers. Standardization of Kyber KEM is expected to be finalized in 2024.
ML-KEM is a key encapsulation method (KEM) designed to be resistant to cryptanalytic attacks with quantum computers. Standardization of ML-KEM is expected to be finalized in 2024.

Experimentation and early deployments are crucial part of the migration to post-quantum cryptography. To promote interoperability of those deployments this document provides specification of preliminary hybrid post-quantum key agreement to be used in TLS 1.3 protocol.
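Review bot: In the Motivation paragraph the expansion "key encapsulation method (KEM)" is carried over unchanged; the KEM in ML-KEM stands for key-encapsulation mechanism, so use "mechanism" here. The second sentence, "Standardization of ML-KEM is expected to be finalized in 2024", was also only renamed; check that it still describes the status at the time this revision is published.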

Expand All @@ -69,8 +69,8 @@ Experimentation and early deployments are crucial part of the migration to post-

This document defines an additional supported group which can be used for
hybrid post-quantum key agreements. The hybrid key agreement for TLS 1.3 is
detailed in the {{hybrid}} draft. We compose the hybrid scheme with the Kyber
KEM as defined in {{kyber}} draft, and the ECDHE scheme parametrized with
detailed in the {{hybrid}} draft. We compose the hybrid scheme with the ML-KEM
as defined in {{kyber}} draft, and the ECDHE scheme parametrized with
elliptic curves defined in ANSI X9.62 [ECDSA] and NIST SP 800-186
{{?DSS=DOI.10.6028/NIST.SP.800-186}}.
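Review bot: The renamed sentence reads "ML-KEM as defined in {{kyber}} draft", so the text names ML-KEM but still cites the Kyber draft reference. The commit message says the Kyber codepoint cannot be reused, which implies the two are not interchangeable; add a reference for the ML-KEM specification and cite it here, or state explicitly which version of the scheme this group uses.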

Expand All @@ -83,26 +83,26 @@ and NIST SP 800-186 {{?DSS=DOI.10.6028/NIST.SP.800-186}} correspondingly.

## Construction

The name of the new supported hybrid post-quantum group is SecP256r1Kyber768Draft00.
The name of the new supported hybrid post-quantum group is SecP256r1MLKEM768Draft00.

When this group is negotiated, the client's share is a fixed-size concatenation of
the ECDHE share and Kyber's public key. The ECDHE share is the serialized value of
the ECDHE share and ML-KEM's public key. The ECDHE share is the serialized value of
the uncompressed ECDH point representation as defined in Section 4.2.8.2 of {{!RFC8446}}.
The Kyber's ephemeral share is the public key of the KeyGen step (see {{kyber}}) represented
The ML-KEM's ephemeral share is the public key of the KeyGen step (see {{kyber}}) represented
as an octet string. The size of client share is 1249 bytes (65 bytes of ECDHE part and
1184 of Kyber part).
1184 of ML-KEM part).

The server's share is a fixed-size concatenation of ECDHE share and Kyber's ciphertext
The server's share is a fixed-size concatenation of ECDHE share and ML-KEM's ciphertext
returned from encapsulation (see {{kyber}}). The server ECDHE share is the serialized
value of the uncompressed ECDH point representation as defined in Section 4.2.8.2
of {{!RFC8446}}. The server share is the Kyber's ciphertext returned from the Encapsulate step
of {{!RFC8446}}. The server share is the ML-KEM's ciphertext returned from the Encapsulate step
(see {{kyber}}) represented as an octet string. The size of server's share is 1153 bytes (65 bytes
of ECDHE part and 1088 of Kyber part).
of ECDHE part and 1088 of ML-KEM part).

Finally, the shared secret is a concatenation of the ECDHE and the Kyber
Finally, the shared secret is a concatenation of the ECDHE and the ML-KEM
shared secrets. The ECDHE shared secret is the x-coordinate of the ECDH
shared secret elliptic curve point represented as an octet string as
defined in Section 7.4.2 of {{!RFC8446}}. The Kyber shared secret is the
defined in Section 7.4.2 of {{!RFC8446}}. The ML-KEM shared secret is the
value returned from either encapsulation (on the server side) or decapsulation
(on the client side) represented as an octet string. The size of a shared secret is 64 bytes.
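Review bot: In the server paragraph, "The server share is the ML-KEM's ciphertext returned from the Encapsulate step" reuses "server share" for the ML-KEM part alone, right after the same paragraph defines the server's share as the ECDHE share plus the ciphertext. Reword to something like "The server's ML-KEM share is the ciphertext returned from the Encapsulate step", and drop the article in "The ML-KEM's ephemeral share" in the client paragraph. The KeyGen and Encapsulate steps here still cite {{kyber}}, so they should follow whatever reference the draft settles on for ML-KEM.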

Expand All @@ -116,19 +116,19 @@ Implementers are encouraged to use implementations resistant to side-channel att
This document requests/registers a new entry to the TLS Supported Groups
registry, according to the procedures in
{{Section 6 of tlsiana}}. These identifiers are to be used with
the point-in-time specified versions of Kyber in the third round
the point-in-time specified versions of ML-KEM in the third round
of NIST's Post-quantum Project which is specified in {{kyber}}.
The identifiers used with the final, ratified by NIST, version
of Kyber will be specified later with in a different draft.
of ML-KEM will be specified later with in a different draft.
\[ EDNOTE: The identifiers for the final, ratified version of
Kyber should preferably by different that the commonly used
ML-KEM should preferably by different that the commonly used
[OQS codepoints](https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-kem-info.md) \]

Value:
: 25498 (0x639A)
: 25499 (0x639B)

Description:
: SecP256r1Kyber768Draft00
: SecP256r1MLKEM768Draft00

DTLS-OK:
: Y
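Review bot: After the substitution the registration text says the identifiers are for "the point-in-time specified versions of ML-KEM in the third round of NIST's Post-quantum Project" and that identifiers for the final version "will be specified later", which no longer fits a change that moves the value from 25498 (0x639A) to 25499 (0x639B) because the Kyber codepoint cannot be reused. Rewrite this paragraph and the EDNOTE to say which ML-KEM version 0x639B is bound to, and record in the document that the value is temporary, as the commit message states. The description also still ends in "Draft00"; decide whether that suffix is still intended for the new group name.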
Expand All @@ -140,13 +140,14 @@ This document requests/registers a new entry to the TLS Supported Groups
: This document

Comment:
: Combining secp256r1 ECDH with pre-standards version of Kyber768
: Combining secp256r1 ECDH with pre-standards version of ML-KEM-768

--- back

# Change log

> [**RFC Editor:** Please remove this section]
* draft-kwiatkowski-tls-ecdhe-mlkem-02:
* Change Kyber name to ML-KEM

* draft-kwiatkowski-tls-ecdhe-kyber-01: Fix size of key shares generated by the client and the server
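Review bot: The new change-log entry for draft-kwiatkowski-tls-ecdhe-mlkem-02 lists only "Change Kyber name to ML-KEM" and omits the codepoint change from 25498 to 25499 and the new group name SecP256r1MLKEM768Draft00, which are the changes implementers need to see for interoperability; add them to the entry. The registry comment "pre-standards version of ML-KEM-768" also needs a decision on whether the group uses the pre-standard scheme or ML-KEM-768, since the wording now claims both.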
