From 7d911118e61a4fc8309f0adb86a041861166dd26 Mon Sep 17 00:00:00 2001 From: Kris Kwiatkowski Date: Wed, 14 Aug 2024 09:33:05 -0500 Subject: [PATCH 1/3] Replace reference I-D.cfrg-schwabe-kyber with FIPS-203 --- draft-kwiatkowski-tls-ecdhe-mlkem.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-kwiatkowski-tls-ecdhe-mlkem.md b/draft-kwiatkowski-tls-ecdhe-mlkem.md index 38285d1..435eb7e 100644 --- a/draft-kwiatkowski-tls-ecdhe-mlkem.md +++ b/draft-kwiatkowski-tls-ecdhe-mlkem.md @@ -70,7 +70,7 @@ Experimentation and early deployments are crucial part of the migration to post- This document defines an additional supported group which can be used for hybrid post-quantum key agreements. The hybrid key agreement for TLS 1.3 is detailed in the {{hybrid}} draft. We compose the hybrid scheme with the ML-KEM -as defined in {{kyber}} draft, and the ECDHE scheme parametrized with +as defined in {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}} draft, and the ECDHE scheme parametrized with elliptic curves defined in ANSI X9.62 [ECDSA] and NIST SP 800-186 {{?DSS=DOI.10.6028/NIST.SP.800-186}}. @@ -88,15 +88,15 @@ The name of the new supported hybrid post-quantum group is SecP256r1MLKEM768Draf When this group is negotiated, the client's share is a fixed-size concatenation of the ECDHE share and ML-KEM's public key. The ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of {{!RFC8446}}. -The ML-KEM's ephemeral share is the public key of the KeyGen step (see {{kyber}}) represented +The ML-KEM's ephemeral share is the public key of the KeyGen step (see {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}) represented as an octet string. The size of client share is 1249 bytes (65 bytes of ECDHE part and 1184 of ML-KEM part). The server's share is a fixed-size concatenation of ECDHE share and ML-KEM's ciphertext -returned from encapsulation (see {{kyber}}). The server ECDHE share is the serialized +returned from encapsulation (see {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}). The server ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of {{!RFC8446}}. The server share is the ML-KEM's ciphertext returned from the Encapsulate step -(see {{kyber}}) represented as an octet string. The size of server's share is 1153 bytes (65 bytes +(see {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}) represented as an octet string. The size of server's share is 1153 bytes (65 bytes of ECDHE part and 1088 of ML-KEM part). Finally, the shared secret is a concatenation of the ECDHE and the ML-KEM @@ -117,7 +117,7 @@ This document requests/registers a new entry to the TLS Supported Groups registry, according to the procedures in {{Section 6 of tlsiana}}. These identifiers are to be used with the point-in-time specified versions of ML-KEM in the third round - of NIST's Post-quantum Project which is specified in {{kyber}}. + of NIST's Post-quantum Project which is specified in {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}. The identifiers used with the final, ratified by NIST, version of ML-KEM will be specified later with in a different draft. \[ EDNOTE: The identifiers for the final, ratified version of From 5dadbd675ccad52579011d0a9c87ce9aeb6fa4ea Mon Sep 17 00:00:00 2001 From: Kris Kwiatkowski Date: Wed, 14 Aug 2024 09:56:51 -0500 Subject: [PATCH 2/3] Align the text to FIPS-203 --- draft-kwiatkowski-tls-ecdhe-mlkem.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/draft-kwiatkowski-tls-ecdhe-mlkem.md b/draft-kwiatkowski-tls-ecdhe-mlkem.md index 435eb7e..33c6737 100644 --- a/draft-kwiatkowski-tls-ecdhe-mlkem.md +++ b/draft-kwiatkowski-tls-ecdhe-mlkem.md @@ -70,7 +70,7 @@ Experimentation and early deployments are crucial part of the migration to post- This document defines an additional supported group which can be used for hybrid post-quantum key agreements. The hybrid key agreement for TLS 1.3 is detailed in the {{hybrid}} draft. We compose the hybrid scheme with the ML-KEM -as defined in {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}} draft, and the ECDHE scheme parametrized with +as defined in {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}, and the ECDHE scheme parametrized with elliptic curves defined in ANSI X9.62 [ECDSA] and NIST SP 800-186 {{?DSS=DOI.10.6028/NIST.SP.800-186}}. @@ -88,16 +88,17 @@ The name of the new supported hybrid post-quantum group is SecP256r1MLKEM768Draf When this group is negotiated, the client's share is a fixed-size concatenation of the ECDHE share and ML-KEM's public key. The ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of {{!RFC8446}}. -The ML-KEM's ephemeral share is the public key of the KeyGen step (see {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}) represented -as an octet string. The size of client share is 1249 bytes (65 bytes of ECDHE part and -1184 of ML-KEM part). +The ML-KEM's ephemeral share is the public key of the key generation step (see +{{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}, section 7.1) represented as an octet string. The size +of client share is 1249 bytes (65 bytes of ECDHE part and 1184 of ML-KEM part). The server's share is a fixed-size concatenation of ECDHE share and ML-KEM's ciphertext -returned from encapsulation (see {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}). The server ECDHE share is the serialized -value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 -of {{!RFC8446}}. The server share is the ML-KEM's ciphertext returned from the Encapsulate step -(see {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}) represented as an octet string. The size of server's share is 1153 bytes (65 bytes -of ECDHE part and 1088 of ML-KEM part). +returned from encapsulation (see {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}, section 7.2). +The server ECDHE share is the serialized value of the uncompressed ECDH point representation +as defined in Section 4.2.8.2 of {{!RFC8446}}. The server share is the ML-KEM's ciphertext +returned from the Encapsulate step (see {{?FIPS-203=DOI.10.6028/NIST.FIPS.203}}, section 7.2) +represented as an octet string. The size of server's share is 1153 bytes (65 bytes of ECDHE +part and 1088 of ML-KEM part). Finally, the shared secret is a concatenation of the ECDHE and the ML-KEM shared secrets. The ECDHE shared secret is the x-coordinate of the ECDH From 42fce9960899388aa1c9de9e46be5568638390b5 Mon Sep 17 00:00:00 2001 From: Kris Kwiatkowski Date: Wed, 14 Aug 2024 10:01:45 -0500 Subject: [PATCH 3/3] Update name of the group --- draft-kwiatkowski-tls-ecdhe-mlkem.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/draft-kwiatkowski-tls-ecdhe-mlkem.md b/draft-kwiatkowski-tls-ecdhe-mlkem.md index 33c6737..d48ae34 100644 --- a/draft-kwiatkowski-tls-ecdhe-mlkem.md +++ b/draft-kwiatkowski-tls-ecdhe-mlkem.md @@ -83,7 +83,7 @@ and NIST SP 800-186 {{?DSS=DOI.10.6028/NIST.SP.800-186}} correspondingly. ## Construction -The name of the new supported hybrid post-quantum group is SecP256r1MLKEM768Draft00. +The name of the new supported hybrid post-quantum group is SecP256r1MLKEM768. When this group is negotiated, the client's share is a fixed-size concatenation of the ECDHE share and ML-KEM's public key. The ECDHE share is the serialized value of @@ -105,7 +105,8 @@ shared secrets. The ECDHE shared secret is the x-coordinate of the ECDH shared secret elliptic curve point represented as an octet string as defined in Section 7.4.2 of {{!RFC8446}}. The ML-KEM shared secret is the value returned from either encapsulation (on the server side) or decapsulation -(on the client side) represented as an octet string. The size of a shared secret is 64 bytes. +(on the client side) represented as an octet string. The size of a shared +secret is 64 bytes (32 bytes of ECDHE part and 32 of ML-KEM part). # Security Considerations @@ -129,7 +130,7 @@ This document requests/registers a new entry to the TLS Supported Groups : 25499 (0x639B) Description: - : SecP256r1MLKEM768Draft00 + : SecP256r1MLKEM768 DTLS-OK: : Y