Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Swap kyber with MLKEM in draft name
* Change file name to include MLKEM
* Link to the latest version of this draft
* Bump value of the code point. We can't use the same codepoint as for Kyber. Temporarily we will change it to 0x639A + 1.
1 parent ced5ed7, commit 0979552
Showing 1 changed file with 27 additions and 26 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,9 +1,9 @@ | ||
--- | ||
title: Post-quantum hybrid ECDHE-Kyber Key Agreement for TLSv1.3 | ||
abbrev: ECDHE-Kyber | ||
title: Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3 | ||
abbrev: ECDHE-MLKEM | ||
category: info | ||
|
||
docname: draft-kwiatkowski-tls-ecdhe-kyber-latest | ||
docname: draft-kwiatkowski-tls-ecdhe-mlkem-latest | ||
submissiontype: IETF # also: "independent", "IAB", or "IRTF" | ||
number: | ||
date: | ||
|
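Review bot: the new `title` and `abbrev` spell the algorithm "MLKEM" ("ECDHE-MLKEM"), while the keyword list and the body text changed in the same commit use "ML-KEM". Pick one spelling for prose, for example "ECDHE-ML-KEM" in the title, and keep the unhyphenated form only where it is part of an identifier such as the docname or the group name.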
@@ -14,18 +14,18 @@ ipr: trust200902 | |
# area: AREA | ||
workgroup: None | ||
keyword: | ||
- kyber | ||
- ML-KEM | ||
- post-quantum | ||
venue: | ||
group: TLS | ||
type: Working Group | ||
github: post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-kyber | ||
latest: https://post-quantum-cryptography.github.io/draft-kwiatkowski-tls-ecdhe-kyber/ | ||
github: post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem | ||
latest: https://post-quantum-cryptography.github.io/draft-kwiatkowski-tls-ecdhe-mlkem/ | ||
|
||
author: | ||
- ins: K. Kwiatkowski | ||
name: Kris Kwiatkowski | ||
organization: PQShield, LTD | ||
organization: PQShield | ||
email: [email protected] | ||
- ins: P. Kampanakis | ||
name: Panos Kampanakis | ||
|
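Review bot: the `github:` and `latest:` values under `venue` now point at a `draft-kwiatkowski-tls-ecdhe-mlkem` repository and Pages site, which resolve only if the repository is renamed together with this change; please confirm that, or keep the old values until it is. The `organization` edit from "PQShield, LTD" to "PQShield" is unrelated to the rename and is not mentioned in the commit message, so it deserves a line there or a separate commit.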
@@ -56,7 +56,7 @@ a post-quantum KEM with elliptic curve Diffie-Hellman (ECDHE). | |
# Introduction | ||
|
||
## Motivation | ||
Kyber is a key encapsulation method (KEM) designed to be resistant to cryptanalytic attacks with quantum computers. Standardization of Kyber KEM is expected to be finalized in 2024. | ||
ML-KEM is a key encapsulation method (KEM) designed to be resistant to cryptanalytic attacks with quantum computers. Standardization of ML-KEM is expected to be finalized in 2024. | ||
|
||
Experimentation and early deployments are crucial part of the migration to post-quantum cryptography. To promote interoperability of those deployments this document provides specification of preliminary hybrid post-quantum key agreement to be used in TLS 1.3 protocol. | ||
|
||
|
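Review bot: in the rewritten Motivation sentence, "key encapsulation method (KEM)" should read "key encapsulation mechanism (KEM)", which is what the KEM in ML-KEM stands for. Since the paragraph is being touched anyway, the unchanged sentence after it could be fixed too: "are crucial part" should be "are a crucial part".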
@@ -69,8 +69,8 @@ Experimentation and early deployments are crucial part of the migration to post- | |
|
||
This document defines an additional supported group which can be used for | ||
hybrid post-quantum key agreements. The hybrid key agreement for TLS 1.3 is | ||
detailed in the {{hybrid}} draft. We compose the hybrid scheme with the Kyber | ||
KEM as defined in {{kyber}} draft, and the ECDHE scheme parametrized with | ||
detailed in the {{hybrid}} draft. We compose the hybrid scheme with the ML-KEM | ||
as defined in {{kyber}} draft, and the ECDHE scheme parametrized with | ||
elliptic curves defined in ANSI X9.62 [ECDSA] and NIST SP 800-186 | ||
{{?DSS=DOI.10.6028/NIST.SP.800-186}}. | ||
|
||
|
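Review bot: the rewritten sentence composes the scheme with "the ML-KEM as defined in {{kyber}} draft", so the prose now names ML-KEM while the citation still goes to the reference anchored as `kyber`. Either update that reference (anchor and target) to the specification that actually defines ML-KEM, or state explicitly that ML-KEM in this document means the version described in {{kyber}}; the same applies to every "(see {{kyber}})" in the Construction section. The phrase also reads better as "with ML-KEM as defined in the {{kyber}} draft".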
@@ -83,26 +83,26 @@ and NIST SP 800-186 {{?DSS=DOI.10.6028/NIST.SP.800-186}} correspondingly. | |
|
||
## Construction | ||
|
||
The name of the new supported hybrid post-quantum group is SecP256r1Kyber768Draft00. | ||
The name of the new supported hybrid post-quantum group is SecP256r1MLKEM768Draft00. | ||
|
||
When this group is negotiated, the client's share is a fixed-size concatenation of | ||
the ECDHE share and Kyber's public key. The ECDHE share is the serialized value of | ||
the ECDHE share and ML-KEM's public key. The ECDHE share is the serialized value of | ||
the uncompressed ECDH point representation as defined in Section 4.2.8.2 of {{!RFC8446}}. | ||
The Kyber's ephemeral share is the public key of the KeyGen step (see {{kyber}}) represented | ||
The ML-KEM's ephemeral share is the public key of the KeyGen step (see {{kyber}}) represented | ||
as an octet string. The size of client share is 1249 bytes (65 bytes of ECDHE part and | ||
1184 of Kyber part). | ||
1184 of ML-KEM part). | ||
|
||
The server's share is a fixed-size concatenation of ECDHE share and Kyber's ciphertext | ||
The server's share is a fixed-size concatenation of ECDHE share and ML-KEM's ciphertext | ||
returned from encapsulation (see {{kyber}}). The server ECDHE share is the serialized | ||
value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 | ||
of {{!RFC8446}}. The server share is the Kyber's ciphertext returned from the Encapsulate step | ||
of {{!RFC8446}}. The server share is the ML-KEM's ciphertext returned from the Encapsulate step | ||
(see {{kyber}}) represented as an octet string. The size of server's share is 1153 bytes (65 bytes | ||
of ECDHE part and 1088 of Kyber part). | ||
of ECDHE part and 1088 of ML-KEM part). | ||
|
||
Finally, the shared secret is a concatenation of the ECDHE and the Kyber | ||
Finally, the shared secret is a concatenation of the ECDHE and the ML-KEM | ||
shared secrets. The ECDHE shared secret is the x-coordinate of the ECDH | ||
shared secret elliptic curve point represented as an octet string as | ||
defined in Section 7.4.2 of {{!RFC8446}}. The Kyber shared secret is the | ||
defined in Section 7.4.2 of {{!RFC8446}}. The ML-KEM shared secret is the | ||
value returned from either encapsulation (on the server side) or decapsulation | ||
(on the client side) represented as an octet string. The size of a shared secret is 64 bytes. | ||
|
||
|
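Review bot: in the server-share paragraph, the changed sentence "The server share is the ML-KEM's ciphertext returned from the Encapsulate step" conflicts with the paragraph's first sentence, which defines the server's share as the concatenation of the ECDHE share and the ciphertext. Suggest "The ML-KEM part of the server's share is the ciphertext returned from the Encapsulate step", mirroring the client paragraph's wording. The byte sizes given here are tied to the 768 parameter set named in the group identifier, so the prose would be more precise saying "ML-KEM-768" as the registry Comment does, and "The ML-KEM's" can drop the article and possessive.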
@@ -116,19 +116,19 @@ Implementers are encouraged to use implementations resistant to side-channel att | |
This document requests/registers a new entry to the TLS Supported Groups | ||
registry, according to the procedures in | ||
{{Section 6 of tlsiana}}. These identifiers are to be used with | ||
the point-in-time specified versions of Kyber in the third round | ||
the point-in-time specified versions of ML-KEM in the third round | ||
of NIST's Post-quantum Project which is specified in {{kyber}}. | ||
The identifiers used with the final, ratified by NIST, version | ||
of Kyber will be specified later with in a different draft. | ||
of ML-KEM will be specified later with in a different draft. | ||
\[ EDNOTE: The identifiers for the final, ratified version of | ||
Kyber should preferably by different that the commonly used | ||
ML-KEM should preferably by different that the commonly used | ||
[OQS codepoints](https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-kem-info.md) \] | ||
|
||
Value: | ||
: 25498 (0x639A) | ||
: 25499 (0x639B) | ||
|
||
Description: | ||
: SecP256r1Kyber768Draft00 | ||
: SecP256r1MLKEM768Draft00 | ||
|
||
DTLS-OK: | ||
: Y | ||
|
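Review bot: the IANA text now ties the identifier to "the point-in-time specified versions of ML-KEM in the third round of NIST's Post-quantum Project which is specified in {{kyber}}", which is the definition the old value 25498 (0x639A) had with only the name swapped. The commit message says the code point was bumped because it cannot be shared with Kyber, so this paragraph needs to state which specification 25499 (0x639B) refers to and how it differs from what 0x639A meant; otherwise two implementations can negotiate 0x639B while running different KEM versions. While here, the EDNOTE has typos: "by different that" should be "be different than", and "with in" should be "in".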
@@ -140,13 +140,14 @@ This document requests/registers a new entry to the TLS Supported Groups | |
: This document | ||
|
||
Comment: | ||
: Combining secp256r1 ECDH with pre-standards version of Kyber768 | ||
: Combining secp256r1 ECDH with pre-standards version of ML-KEM-768 | ||
|
||
--- back | ||
|
||
# Change log | ||
|
||
> [**RFC Editor:** Please remove this section] | ||
* draft-kwiatkowski-tls-ecdhe-mlkem-02: | ||
* Change Kyber name to ML-KEM | ||
|
||
* draft-kwiatkowski-tls-ecdhe-kyber-01: Fix size of key shares generated by the client and the server | ||
|
||
|
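Review bot: the new change-log entry for draft-kwiatkowski-tls-ecdhe-mlkem-02 lists only "Change Kyber name to ML-KEM", but this commit also changes the registered value from 25498 (0x639A) to 25499 (0x639B) and the group name to SecP256r1MLKEM768Draft00. Those are the changes implementers have to act on, so add them as items under the -02 entry.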