]> TU Dresden, Germany

muhammad_usama.sardar@tu-dresden.de

Security Transport Layer Security We attest that standalone ML-KEM in TLS 1.3 breaks the existing formal proofs of TLS in state-of-the-art symbolic security analysis tool, ProVerif. We believe this requires a new symbolic proof in ProVerif. To help inform the analysis, we share our understanding of exactly where the ProVerif proofs break, namely transition from symmetric DHKE to asymmetric KEM. More specifically, our understanding is that the existing proofs of TLS in ProVerif are based on commutativity property, whereas commutativity does not apply to standalone ML-KEM in TLS. In general, we see no reason to believe that hybrid key exchanges are not at least as strong as the stronger of the two components. We invite collaborations or independent analysis to extend the ProVerif models to perform such analysis and offer a statement for security considerations of . In our understanding, a couple of WG participants have already started formal analysis in ProVerif. We also attest that from a formal analysis perspective, this is a much bigger change than RFC8773bis, which indeed went for FATT review (cf. ). We, therefore, formally request the chairs to initiate the FATT review of standalone ML-KEM in TLS. This draft also offers some preliminary discussion to help the developers and policy makers make informed choices. Finally, the draft also aims to reduce the endless repitition of arguments from both sides presented on several lists by documenting these arguments so they can simply be referred to. We sincerely believe this will help to focus the discussion on technical matters, such as system model, threat model, security properties, and deployments. We acknowledge several IETF participants who have contributed to this draft with their insights. This draft captures what we understand them to be saying. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Transport Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction Readers are assumed to be familiar with , , and . Please note that the draft has currently several hyperlinks. We assert that the security considerations of are insufficient. We believe that consistent with process, symbolic and computational analysis (to be interpreted as in SoK) of integration of standalone ML-KEM in the context of TLS is helpful here. We believe that if any WG participant has done any formal analysis, it would be very helpful to share the results with the WG for discussion. Literature review is currently ongoing. Some existing computational analysis for standalone ML-KEM in TLS include this and this. Both are based on pen-and-paper (computational) proofs. At the symbolic level, some analysis -- such as this for KEMTLS in Tamarin -- exists. In our understanding, both client and server encapsulate, which may bring the symmetry.

Gap Analysis We are currently not aware of any peer-reviewed work on integration of standalone ML-KEM in TLS based on ProVerif. Getting a confirmation on the symbolic level seems valuable. Some WG participants seem to disagree with the statement that the hybrid key exchange in TLS is at least as good as standalone ML-KEM in TLS. We are not aware of any literature which claims that standalone ML-KEM in TLS is better than hybrid key exchange in TLS. Getting a confirmation on these subtleties via formal analysis seems very useful for resolving this difference of opinions.

Motivation requires to document the risks in the security considerations. To support those requirements for , this draft aims to formally study the security of standalone ML-KEM in TLS 1.3. This is because of the following reasons. In the last WGLC, had an opposition of several (ca. 25 in our understanding) WG participants -- even more than the supporters (ca. 21 in our understanding). We see 2 possible options:

• Continue tabletop discussions on subjective estimation of urgency, risks, costs, tradeoffs, etc., and keep burning WG energy by endless repitition.
• Do some technical analysis using (symbolic and computational) formal methods to get a confirmation on the security of integration of standalone ML-KEM in the context of TLS and offer a statement for security considerations.

We believe the former cannot resolve the dispute. We sincerely hope the latter will help.

Expected Learning We believe formal methods can provide additional value for security considerations of this draft in order to maintain the high cryptographic assurance of TLS. Adversary can record all traffic and decrypt it when ML-KEM is broken. The opinions of WG participants here vary from "ML-KEM is secure" to "ML-KEM is probably already secrectly broken." Formal methods can operate under the assumption that ML-KEM is secure, and focus on the integration of ML-KEM in TLS under this assumption.

• As an example, formal methods can help justify design choices, such as the preference for hybrid key exchanges. It can also help identify all the assumptions under which the properties hold.
• As a relevant data point in the context of standardization, LAKE WG has done formal analysis for EDHOC-PSK with KEM (ref).
• Computational analysis (cf. SoK) -- using tools such as CryptoVerif -- seems like a reasonable approach to ensure security of ML-KEM in TLS, such as binding shared secret ss to the TLS transcript hash.

Minimum Viable Modeling Based on the discussion on list, simply replacing ideal DHKE by ideal ML-KEM in the formal model is not very useful. We ought to focus on the more security-critical questions about integration of ML-KEM in TLS. We present a few high-level observations to consider for security considerations of :

• The model ought to consider that any agent could have initiated the TLS, rather than assigning the agents with static roles of client and server in the model. When agents are assigned non-static roles, it would be interesting to see whether the asymmetry issue becomes visible in some property. We consider it very critical for security considerations of and this is the key point of this draft.
• Different failure modes proposed on list can be modeled.
• A large part of the problem is the careful investigation of what to model, under what threat model, under what system model, under what implementation scenarios etc. We believe some of this is important for security considerations of .
• It will be interesting to see some analysis about any subtle cases where hybrid key exchange in TLS is not at least as good as standalone ML-KEM in TLS. Our understanding is that some participants would like to see some statement on the comparison since hybrid key exchange is the de facto industry standard.
• We believe brainstorming about some robustness (vs. security) properties would also be useful. Even if the security properties hold, does standalone ML-KEM make side-channel leakage easier? This might be a valuable consideration for the implementers.
• Analysis may be helpful to ensure that the changes -- such as the removal of hash function (cf. Appendix C.1, bullet 3 in ) -- from Kyber to ML-KEM preserve the security proofs of Kyber.

We invite collaborations or independent analysis to extend the ProVerif models to perform this analysis. Any analysis on these or related security and robustness matters is very welcome.

Previous Formal Requests for FATT Review We have formally requested the chairs to initiate the FATT process for . See this, this, and this.

FATT Review is Harmless For those who are worried, please note the legitimate outcome nothing required in . Please also note : Moreover, WG retains its authority :

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

• Symbolic analysis: see SoK
• Computational analysis: see SoK
• Standalone ML-KEM refers to .
• Hybrid key exchange refers to and .

We believe that symbolic and computational models are complementary and not a substitute of each other.

Where ProVerif Proofs Break We attest that: While ML-KEM looks like just a "trivial" addition, it makes changes as deep as the key schedule of TLS. It essentially replaces the key exchange by key encapsulation. While the former is symmetric, the latter is asymmetric. This symmetry is in terms of exchange of roles assigned to the agents, and that the order does not matter. The existing proofs in ProVerif, therefore, utilize this symmetry for the commutativity of the key shares g^x and g^y, where g^x and g^y represent the public key shares of the endpoints. In ProVerif syntax: (see original source here and re-used here) Key encapsulation does not enjoy this commutativity property, or even an analogous symmetry argument. There is essentially only one endpoint (say client) which generates the key pair (dk,ek) where dk represents the secret decapsulation key and ek represents the public encapsulation key. As opposed to both endpoints sending their public key shares g^x and g^y in a traditional key exchange (DHKE), a KEM creates a roles-asymmetry where only one of the endpoints (client in above example) sends the public encapsulation key ek and the peer (server) sends a ciphertext ct. This asymmetry breaks the existing proofs of TLS 1.3 in ProVerif and requires a new proof. Please note that breaking the existing ProVerif proof does not imply that the standalone ML-KEM proposal in TLS is insecure. It just means that a new proof is required. We welcome feedback and collaborations from the community on doing a thorough analysis in ProVerif -- such as in -- while preserving the cryptographic soundness.

Justification based on FATT Process Our formal request for FATT review is fully in conformance with the current process, which explicitly states: As presented in , we attest that modifies the:

• TLS key schedule
• cryptographic protocol such that commutativity property is no longer valid.

This breaks the following proofs in ProVerif:

• Bhargavan et al.'s model of draft 20 of TLS 1.3: and and all 5 public forks as well as one nested fork:
  • arthuraa/reftls
  • blipp/reftls
  • chris-wood/reftls
  • ekr/reftls
    • ajayeeralla/reftls
  • jhoyla/reftls
• Our previous work extending the model of Bhargavan et al. to the current state of and integrating remote attestation: and (under Apache-2.0 License) and all 3 public forks:
  • jupenur/formal-spec-id-crisis
  • nathanaelritz/formal-spec-id-crisis
  • telephonicrobotics/formal-id-crisis-spec (owner of this repo is the same as the one before this and has indicated that there was no active private development in this repo)
• A couple of our ongoing works which are not yet public

Note: Forks may or may not have substantive changes. It is hard for us to know and judge how much research and development effort someone did privately and did not make it public and hence, we do not want to add our personal estimation of whether someone has substantially worked after forking. Readers are welcome to make their own opinions by exploring the repos or contact the respective repo owners for further details. The hyperlinks provide one instance of usage of equation in the main branch based on what is publicly available. In our understanding, a couple of WG participants are already working on formal analysis of analyzing the items mentioned in . A new section will be added when they will share their results of the items in .

Comparison with RFC8773bis Please note that RFC8773bis is a much smaller change: it's pretty much standard TLS and still went for FATT review. Based on that, we see no reason to believe that -- with key schedule level changes -- should not be sent to FATT.

FATT Review for Hybrid Key Exchange? Some participants have raised concern that the same issue may apply to hybrid key exchange as well and one of the proposals is to block that draft. We very strongly oppose this proposal because of the following reasons:

Stage of Publication has IETF consensus and is in the publication queue. Given the consensus, we see absolutely no reason to block that. As we understand, FATT process was specifically designed to resolve concerns rather than gatekeeping. In contrast, as mentioned in , standalone MLKEM is still within the WG and has a very different profile with ca. 25 oppositions in our understanding in the last WGLC. FWIW, this is exactly what makes formal analysis potentially helpful to resolve the issue, build high confidence and offer a statement for security considerations after a careful formal analysis.

Technical Rationale Technically, a proof of is done in the computational model using CryptoVerif (cf. ref). As per list discussion, it appears that the proof applies to the latest version of the spec , as there seem to be no substantive changes from the perspective of formal proof. Moreover, we believe that the two drafts and are incomparable on this specific point as hybrid key exchange still maintains the symmetry in the DHKE part. From formal (symbolic) analysis perspective, g^x and g^y are still sent in hybrid key exchange, g^xy is still computed and we believe the commutativity property is applicable for that part as-is. From formal (symbolic) analysis perspective, ML-KEM is complementary to that. Specifically, from , for the symbolic analysis, X25519MLKEM768 in TLS may be viewed as:

Marginal Additional Effort for Hybrid Key Exchange Once the formal analysis for standalone ML-KEM in TLS is done, we expect that the additional effort for hybrid key exchange in TLS will only be marginal, as the building blocks for DHKE already exist in ProVerif.

What if Issue is Found? Should there be a groundbreaking discovery of an issue which applies also to , we are confident that the WG will find a way out, such as very quickly applying the fix proposed by the formal analysis, doing a very quick WGLC and IETF LC while requesting the AD and RFC Editor to keep the draft at its place in the publication queue.

Formal Analysis (Work-in-progress) We have presented observation from our ongoing symbolic security analysis (cf. limitations in ) using ProVerif on the mailing list. For brevity, we omit other assumptions in the properties below and focus on the difference. This assumes hybrid constructor to be secure. We believe that in general:

Hybrid Key Exchange More formally, the property hybrid key exchange should provide is: As presented in , hybrid key exchange preserves ECDHE component gxy, and concatenates ML-KEM component ss as an additional factor. So as long as at least one of these two secrets is not available to the adversary, all security properties should hold. In particular, even if ML-KEM is completely broken, i.e., ss is available to the adversary, the protocol retains the security level of ECDHE.

Standalone ML-KEM On the other hand, the formal property standalone ML-KEM can provide is:

Comparison Leaking out the ECDHE key from hybrid key exchange should downgrade the security to the level of a standalone ML-KEM. Therefore, hybrid key exchange is in general more secure, unless:

• ECDHE is fully broken, in which case it still falls equivalent to standalone ML-KEM,
• in the hypothetical scenario that there is an implementation bug in the ECDHE part which is triggered only in composition. We have not yet seen any concrete evidence of such a scenario on the list.

Issues That Formal Methods Probably Cannot Solve The answers to the following issues are largely dependent on several factors, and the opinions vary largely. It is necessary to mention that even several respectable cryptographers in the community are not aligned on the issue -- for example see the long bet. Hence, our personal opinion is probably not that important. Probably the best we can do is to capture our understanding of the views of WG participants.

Recommendation of Designers The authors of Kyber/ML-KEM (see this) say: A WG participant shares that:

Thorough Review Please see a very thorough review here, which is self-sufficient.

'Significantly Harder' Argument Some participants believe in the 'significantly harder' argument, which assumes independence of breakage of ML-KEM and traditionals: Please see this for what "broken" may mean here modulo some exclusions. Given the very different type of cryptographic constructions involved, independence might be a reasonable assumption. However, some participants disagree with 'significantly harder' argument with a reasonable counter-argument that in reality, cryptography is much more complicated than that (cf. this): In our understanding, most other counter-arguments seem to break the exclusions. Please note that this argument is based on the security of primitives, rather than the composition of primitives in protocols. Hence, formal methods probably have nothing to help here.

Urgency It is unclear whether and if applicable when Cryptographically-Relevant Quantum Computer (CRQC) will eventually become practical. The opinions vary from never because of complicated physics (see this) to be prepared for it as early as 2029 (see Google 2029 and Cloudflare 2029). Technically, please note that Google has not even released the quantum circuit underlying their recent claims -- apparently the reason for this urgency. So Google's claims may not yet be justified. Moreover, in our understanding, these deadlines are for PQ-based protection in general regardless of hybrid key exchange or standalone KEMs in TLS. Since hybrid key exchange is wildly in use, these deadlines are mainly for quantum-safe authentication. In any case, some participants see no reason to create panic for publication of based on this because many implementations -- such as OpenSSL -- have already implemented standalone ML-KEM, and it is just a matter of enabling it. And frankly, nobody needs permission from the IETF to enable it.

"Cost" "Cost" has been presented on the list as the motivation for standalone ML-KEM in TLS but we have not seen any supporting analysis. Our observation from is that -- for example -- for X25519MLKEM768, the traditional part seems negligible compared to ML-KEM part in key_exchange:

Bytes in field	PQ part (ML-KEM)	Traditional part (X25519)
Client share	1184	32
Server share	1088	32

We believe other "costs" will depend on several factors -- including but not limited to implementation details and deployment scenario -- and it is quite subjective. There seems to be a need for a thorough study to understand the "cost." We invite the WG participants to perform cost analysis and share the results with the WG.

Is Publication Necessary? Code Points for ML-KEM have already been assigned. provides detailed rationale as to why publication of such documents and the debates around that may be unnecessary. In our understanding, makes similar arguments.

Shiny New Crypto ML-KEM is quite new in the IETF and even in the IRTF. Some WG participants have shown concern over premature publication of until a detailed analysis has been done by CFRG. CFRG is starting some efforts for analysis. The extended deadline for submission is 22.06. Please see the latest CFRG chairs email for further details.

Formal Mapping of FIPS to IETF BCP14 As discussed on the TLS list, we are not aware of any formal mapping of the FIPS recommendations to the IETF BCP14 terminology, such as SHOULD vs. MUST. In general, we believe re-using FIPS recommendations is ambiguous for IETF readers.

Outstanding NIST Comments Some participants believe that NIST has rushed through the process and not addressed all the comments that were submitted during the open review. Please see comments here.

Too Early Some participants simply believe that publication of and related discussions are just too early and unnecessary.

Patents Some WG participants have raised some concerns related to patents. See some relevant patents here.

Security Considerations The whole document is about improving security considerations. Like all security proofs, formal analysis is only as strong as its assumptions and model. The scope is typically limited, and the model does not necessarily capture real-world deployment complexity, implementation details, operational constraints, or misuse scenarios. Formal methods should be used as complementary and not as subtitute of other analysis methods.

IANA Considerations This document has no IANA actions.

References Normative References National Institute of Standards and Technology (U.S.) SandboxAQ This memo defines ML-KEM-512, ML-KEM-768, and ML-KEM-1024 as NamedGroups and and registers IANA values in the TLS Supported Groups registry for use in TLS 1.3 to achieve post-quantum (PQ) key establishment. Independent This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes RFCs 5077, 5246, 6961, 8422, and 8446. This document also specifies new requirements for TLS 1.2 implementations. IETF TLS WG In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References TU Dresden This document applies only to non-trivial extensions of TLS, which require formal analysis. It proposes the authors specify a threat model and informal security goals in the Security Considerations section, as well as motivation and a protocol diagram in the draft. We also briefly present a few pain points of the team doing the formal analysis which -- we believe -- require refining the process: * Provide protection against FATT-bypass by other TLS-related WGs * Contacting FATT * ML-KEM * Understanding the opposing goals * Response within reasonable time frame IEEE Aiven This document describes the current practices for handling new cryptography within the IETF. Some of these practices are informal and depend on individuals in certain relevant roles, such as Working Group Chairs, the Security Area Directors and the Independent Stream Editor. This document is intended to increase consistency and transparency in how the IETF handles new cryptography, such as new algorithms, ciphers and new primitives or combiners, by providing a reference for the cryptographic practices within the IETF. This document does not describe any new policies and does not prohibit exceptions in the described current practices. Cisco People keep pitching drafts to the TLS Working Group where the only thing the draft does is register a code point for a cryptographic algorithm. Stop doing that. It's unnecessary. Write an email to IANA instead. All RFCs are required to have a Security Considerations section. Historically, such sections have been relatively weak. This document provides guidelines to RFC authors on how to write a good Security Considerations section. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. PQShield AWS Cloudflare University of Waterloo This draft defines three hybrid key agreement mechanisms for TLS 1.3 - X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 - that combine the post-quantum ML-KEM (Module-Lattice-Based Key Encapsulation Mechanism) with an ECDHE (Elliptic Curve Diffie- Hellman) exchange. University of Waterloo Cisco Systems University of Haifa Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if all but one of the component algorithms is broken. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3. Discussion of this work is encouraged to happen on the TLS IETF mailing list tls@ietf.org or on the GitHub repository which contains the draft: https://github.com/dstebila/draft-ietf-tls-hybrid-design. University of Waterloo Cisco Systems University of Haifa and Meta Hybrid key exchange refers to using multiple key exchange algorithms simultaneously and combining the result with the goal of providing security even if a way is found to defeat the encryption for all but one of the component algorithms. It is motivated by transition to post-quantum cryptography. This document provides a construction for hybrid key exchange in the Transport Layer Security (TLS) protocol version 1.3.

Acknowledgments We would like to thank Yaakov Stein, Ilari Liusvaara, John Preuß Mattsson, Eric Rescorla, Brian E Carpenter, Nadim Kobeissi, and Tibor Jager for their valuable feedback and contributions. is largely based on the opinions of many IETF participants. Text in is based on the proposal by John Preuß Mattsson. The research work is funded by German Research Foundation ("Deutsche Forschungsgemeinschaft.")

History -00

• On popular demand, moved from to an independent I-D
• Major change: added
• Some minor clarifications

-01

• Added justification based on FATT process:
• Reorganization, specially in motivation
• Added some common arguments:
• Comparison with hybrid key exchange

-02

• Added gap analysis
• What to model and analyze?
• Added FATT review is harmless
• Extended comparison with hybrid key exchange
• Opinion of designers