From 097955264cfeaaa5a6ce0a854d9e11cd26752062 Mon Sep 17 00:00:00 2001 From: Kris Kwiatkowski Date: Wed, 14 Aug 2024 15:18:05 +0100 Subject: [PATCH] Kyber -> ML-KEM (#10) * Swap kyber with MLKEM in draft name * Change file name to include MLKEM * Link to the latest version of this draft * Bump value of the code point. We can't use the same codepoint as for Kyber. Temporarily we will change it to 0x639A + 1. --- ...md => draft-kwiatkowski-tls-ecdhe-mlkem.md | 53 ++++++++++--------- 1 file changed, 27 insertions(+), 26 deletions(-) rename draft-kwiatkowski-tls-ecdhe-kyber.md => draft-kwiatkowski-tls-ecdhe-mlkem.md (77%) diff --git a/draft-kwiatkowski-tls-ecdhe-kyber.md b/draft-kwiatkowski-tls-ecdhe-mlkem.md similarity index 77% rename from draft-kwiatkowski-tls-ecdhe-kyber.md rename to draft-kwiatkowski-tls-ecdhe-mlkem.md index 3c35bf9..38285d1 100644 --- a/draft-kwiatkowski-tls-ecdhe-kyber.md +++ b/draft-kwiatkowski-tls-ecdhe-mlkem.md @@ -1,9 +1,9 @@ --- -title: Post-quantum hybrid ECDHE-Kyber Key Agreement for TLSv1.3 -abbrev: ECDHE-Kyber +title: Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3 +abbrev: ECDHE-MLKEM category: info -docname: draft-kwiatkowski-tls-ecdhe-kyber-latest +docname: draft-kwiatkowski-tls-ecdhe-mlkem-latest submissiontype: IETF # also: "independent", "IAB", or "IRTF" number: date: @@ -14,18 +14,18 @@ ipr: trust200902 # area: AREA workgroup: None keyword: - - kyber + - ML-KEM - post-quantum venue: group: TLS type: Working Group - github: post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-kyber - latest: https://post-quantum-cryptography.github.io/draft-kwiatkowski-tls-ecdhe-kyber/ + github: post-quantum-cryptography/draft-kwiatkowski-tls-ecdhe-mlkem + latest: https://post-quantum-cryptography.github.io/draft-kwiatkowski-tls-ecdhe-mlkem/ author: - ins: K. Kwiatkowski name: Kris Kwiatkowski - organization: PQShield, LTD + organization: PQShield email: kris@amongbytes.com - ins: P. Kampanakis name: Panos Kampanakis 
@@ -56,7 +56,7 @@ a post-quantum KEM with elliptic curve Diffie-Hellman (ECDHE). # Introduction ## Motivation -Kyber is a key encapsulation method (KEM) designed to be resistant to cryptanalytic attacks with quantum computers. Standardization of Kyber KEM is expected to be finalized in 2024. +ML-KEM is a key encapsulation method (KEM) designed to be resistant to cryptanalytic attacks with quantum computers. Standardization of ML-KEM is expected to be finalized in 2024. Experimentation and early deployments are crucial part of the migration to post-quantum cryptography. To promote interoperability of those deployments this document provides specification of preliminary hybrid post-quantum key agreement to be used in TLS 1.3 protocol. @@ -69,8 +69,8 @@ Experimentation and early deployments are crucial part of the migration to post- This document defines an additional supported group which can be used for hybrid post-quantum key agreements. The hybrid key agreement for TLS 1.3 is -detailed in the {{hybrid}} draft. We compose the hybrid scheme with the Kyber -KEM as defined in {{kyber}} draft, and the ECDHE scheme parametrized with +detailed in the {{hybrid}} draft. We compose the hybrid scheme with the ML-KEM +as defined in {{kyber}} draft, and the ECDHE scheme parametrized with elliptic curves defined in ANSI X9.62 [ECDSA] and NIST SP 800-186 {{?DSS=DOI.10.6028/NIST.SP.800-186}}. 
@@ -83,26 +83,26 @@ and NIST SP 800-186 {{?DSS=DOI.10.6028/NIST.SP.800-186}} correspondingly. ## Construction -The name of the new supported hybrid post-quantum group is SecP256r1Kyber768Draft00. +The name of the new supported hybrid post-quantum group is SecP256r1MLKEM768Draft00. When this group is negotiated, the client's share is a fixed-size concatenation of -the ECDHE share and Kyber's public key. The ECDHE share is the serialized value of +the ECDHE share and ML-KEM's public key. The ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of {{!RFC8446}}. -The Kyber's ephemeral share is the public key of the KeyGen step (see {{kyber}}) represented +The ML-KEM's ephemeral share is the public key of the KeyGen step (see {{kyber}}) represented as an octet string. The size of client share is 1249 bytes (65 bytes of ECDHE part and -1184 of Kyber part). +1184 of ML-KEM part). -The server's share is a fixed-size concatenation of ECDHE share and Kyber's ciphertext +The server's share is a fixed-size concatenation of ECDHE share and ML-KEM's ciphertext returned from encapsulation (see {{kyber}}). The server ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 -of {{!RFC8446}}. The server share is the Kyber's ciphertext returned from the Encapsulate step +of {{!RFC8446}}. The server share is the ML-KEM's ciphertext returned from the Encapsulate step (see {{kyber}}) represented as an octet string. The size of server's share is 1153 bytes (65 bytes -of ECDHE part and 1088 of Kyber part). +of ECDHE part and 1088 of ML-KEM part). -Finally, the shared secret is a concatenation of the ECDHE and the Kyber +Finally, the shared secret is a concatenation of the ECDHE and the ML-KEM shared secrets. The ECDHE shared secret is the x-coordinate of the ECDH shared secret elliptic curve point represented as an octet string as -defined in Section 7.4.2 of {{!RFC8446}}. 
The Kyber shared secret is the +defined in Section 7.4.2 of {{!RFC8446}}. The ML-KEM shared secret is the value returned from either encapsulation (on the server side) or decapsulation (on the client side) represented as an octet string. The size of a shared secret is 64 bytes. @@ -116,19 +116,19 @@ Implementers are encouraged to use implementations resistant to side-channel att This document requests/registers a new entry to the TLS Supported Groups registry, according to the procedures in {{Section 6 of tlsiana}}. These identifiers are to be used with - the point-in-time specified versions of Kyber in the third round + the point-in-time specified versions of ML-KEM in the third round of NIST's Post-quantum Project which is specified in {{kyber}}. The identifiers used with the final, ratified by NIST, version - of Kyber will be specified later with in a different draft. + of ML-KEM will be specified later with in a different draft. \[ EDNOTE: The identifiers for the final, ratified version of - Kyber should preferably by different that the commonly used + ML-KEM should preferably by different that the commonly used [OQS codepoints](https://github.com/open-quantum-safe/openssl/blob/OQS-OpenSSL_1_1_1-stable/oqs-template/oqs-kem-info.md) \] Value: - : 25498 (0x639A) + : 25499 (0x639B) Description: - : SecP256r1Kyber768Draft00 + : SecP256r1MLKEM768Draft00 DTLS-OK: : Y @@ -140,13 +140,14 @@ This document requests/registers a new entry to the TLS Supported Groups : This document Comment: - : Combining secp256r1 ECDH with pre-standards version of Kyber768 + : Combining secp256r1 ECDH with pre-standards version of ML-KEM-768 --- back # Change log -> [**RFC Editor:** Please remove this section] +* draft-kwiatkowski-tls-ecdhe-mlkem-02: + * Change Kyber name to ML-KEM * draft-kwiatkowski-tls-ecdhe-kyber-01: Fix size of key shares generated by the client and the server
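Review bot: In the front-matter hunk (@@ -14,18), the change from `organization: PQShield, LTD` to `organization: PQShield` is unrelated to the Kyber to ML-KEM rename and is not listed in the commit message. Mention it in the message or move it to its own commit so this one stays a mechanical rename.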
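Review bot: In the hunk at @@ -69,8, the renamed sentence now reads "the ML-KEM as defined in {{kyber}} draft", so text that names ML-KEM still cites the Kyber reference. The Construction hunk keeps the same `{{kyber}}` anchor for KeyGen, encapsulation and the Encapsulate step. Either point the reference at the ML-KEM specification this draft intends to track and rename the anchor, or state explicitly that the Kyber draft remains the definition used for this group.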
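Review bot: In the Construction hunk (@@ -83,26), the line "The server share is the ML-KEM's ciphertext returned from the Encapsulate step" contradicts the sentence two lines earlier, which defines the server's share as the concatenation of the ECDHE share and that ciphertext. It is the counterpart of the client paragraph's "The ML-KEM's ephemeral share is the public key ..." and should say something like "The ML-KEM part of the server share is the ciphertext ...". Since every one of these lines is already being touched, this is also the place to drop the article in "The ML-KEM's".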
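Review bot: In the IANA hunk (@@ -116,19), the search-and-replace leaves "the point-in-time specified versions of ML-KEM in the third round of NIST's Post-quantum Project", so it is no longer clear which algorithm version the new value 25499 (0x639B) identifies. The removed line tied the old value to third-round Kyber, and the commit message says the value was bumped because it cannot be the same as the Kyber code point. State which specification the new code point is bound to, and say in the draft text that the value is temporary, as the commit message does. The `Draft00` suffix kept in `SecP256r1MLKEM768Draft00` needs the same decision.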
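Review bot: In the Change log hunk (@@ -140,13), the new `draft-kwiatkowski-tls-ecdhe-mlkem-02` entry records only "Change Kyber name to ML-KEM" and omits the code point change from 25498 (0x639A) to 25499 (0x639B), which is the change implementers need to know about for interoperability. Add it to the entry. The hunk also removes the "[**RFC Editor:** Please remove this section]" line; restore it unless dropping it is intended.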