Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
draft-ietf-tls-ecdhe-mlkem-04
| Document | Type | Active Internet-Draft (tls WG) | |
|---|---|---|---|
| Authors | Kris Kwiatkowski , Panos Kampanakis , Bas Westerbaan , Douglas Stebila | ||
| Last updated | 2026-02-17 (Latest revision 2026-02-08) | ||
| Replaces | draft-kwiatkowski-tls-ecdhe-mlkem | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Intended RFC status | Proposed Standard | ||
| Formats | |||
| Reviews |
GENART IETF Last Call review
(of
-03)
by Dale Worley
Ready w/nits
|
||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Joseph A. Salowey | ||
| Shepherd write-up | Show Last changed 2025-11-18 | ||
| IESG | IESG state | RFC Ed Queue | |
| Action Holders |
(None)
|
||
| Consensus boilerplate | Yes | ||
| Telechat date | (None) | ||
| Responsible AD | Paul Wouters | ||
| Send notices to | joe@salowey.net | ||
| IANA | IANA review state | Version Changed - Review Needed | |
| IANA action state | RFC-Ed-Ack | ||
| IANA expert review state | Expert Reviews OK | ||
| RFC Editor | RFC Editor state | EDIT | |
| Details |
draft-ietf-tls-ecdhe-mlkem-04
Transport Layer Security K. Kwiatkowski
Internet-Draft PQShield
Intended status: Standards Track P. Kampanakis
Expires: 12 August 2026 AWS
B. E. Westerbaan
Cloudflare
D. Stebila
University of Waterloo
8 February 2026
Post-quantum hybrid ECDHE-MLKEM Key Agreement for TLSv1.3
draft-ietf-tls-ecdhe-mlkem-04
Abstract
This draft defines three hybrid key agreement mechanisms for TLS 1.3
- X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024 - that
combine the post-quantum ML-KEM (Module-Lattice-Based Key
Encapsulation Mechanism) with an ECDHE (Elliptic Curve Diffie-
Hellman) exchange.
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://tlswg.github.io/draft-ietf-tls-ecdhe-mlkem/draft-ietf-tls-
ecdhe-mlkem.html. Status information for this document may be found
at https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/.
Discussion of this document takes place on the Transport Layer
Security Working Group mailing list (mailto:tls@ietf.org), which is
archived at https://mailarchive.ietf.org/arch/browse/tls/. Subscribe
at https://www.ietf.org/mailman/listinfo/tls/.
Source for this draft and an issue tracker can be found at
https://github.com/tlswg/draft-ietf-tls-ecdhe-mlkem.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Kwiatkowski, et al. Expires 12 August 2026 [Page 1]
Internet-Draft ECDHE-MLKEM February 2026
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 12 August 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
3. Conventions and Definitions . . . . . . . . . . . . . . . . . 4
4. Negotiated Groups . . . . . . . . . . . . . . . . . . . . . . 4
4.1. Client share . . . . . . . . . . . . . . . . . . . . . . 4
4.2. Server share . . . . . . . . . . . . . . . . . . . . . . 5
4.3. Shared secret . . . . . . . . . . . . . . . . . . . . . . 5
5. Regulatory Context . . . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
7.1. X25519MLKEM768 . . . . . . . . . . . . . . . . . . . . . 7
7.2. SecP256r1MLKEM768 . . . . . . . . . . . . . . . . . . . . 7
7.3. SecP384r1MLKEM1024 . . . . . . . . . . . . . . . . . . . 7
7.4. Obsoleted Supported Groups . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Change log . . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
Kwiatkowski, et al. Expires 12 August 2026 [Page 2]
Internet-Draft ECDHE-MLKEM February 2026
1. Introduction
ML-KEM is a key encapsulation mechanism (KEM) defined in the
[NIST-FIPS-203]. It is designed to withstand cryptanalytic attacks
from quantum computers.
The [hybrid] document defines a framework for combining traditional
key exchanges with next-generation key exchange in TLS 1.3. The goal
of this approach is to provide security against both classical and
quantum adversaries while maintaining compatibility with existing
infrastructure and protocols.
This document applies the framework to ML-KEM and specifies code
points for the hybrid groups.
2. Motivation
This document introduces three new supported groups for hybrid post-
quantum key agreements in TLS 1.3: the X25519MLKEM768,
SecP256r1MLKEM768, and SecP384r1MLKEM1024 which combine ML-KEM with
ECDH in the manner of [hybrid]. Any of the hybrid groups specified
in this document may be implemented in a FIPS-approved way as
discussed in Section 5.
* The first one uses X25519 [RFC7748], is widely deployed, and often
serves as the most practical choice for a single post-quantum/
traditional (PQ/T) hybrid combiner [RFC9794] in TLS 1.3.
* The second group uses secp256r1 (NIST P-256) [NIST-FIPS-186].
This group supports use cases that require both shared secrets to
be generated by FIPS-approved mechanisms.
* The third group uses secp384r1 (NIST P-384) [NIST-FIPS-186]. This
group is intended for high-security environments that require
FIPS-approved mechanisms with an increased security margin.
Key establishment using NIST curves is outlined in Section 6.1.1.2 of
[NIST-SP-800-56A].
2.1. Terminology
The [hybrid] document defines "traditional" algorithms as those that
are already widely adopted and "next-generation" algorithms as those
that are not yet widely adopted, such as post-quantum algorithms. In
this document, ECDH using Curve25519, P-256, or P-384 is considered
traditional, while ML-KEM is considered next-generation.
Kwiatkowski, et al. Expires 12 August 2026 [Page 3]
Internet-Draft ECDHE-MLKEM February 2026
The [hybrid] document also defines a "hybrid" key exchange as the
simultaneous use of multiple key exchange algorithms, with their
outputs combined to provide security as long as at least one of the
component algorithms remains secure, even if the others are
compromised. This document uses the term "hybrid" with the same
meaning.
3. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
4. Negotiated Groups
4.1. Client share
When the X25519MLKEM768 group is negotiated, the client's
key_exchange value is the concatenation of the client's ML-KEM-768
encapsulation key and the client's X25519 ephemeral share. The size
of the client share is 1216 bytes (1184 bytes for the ML-KEM part and
32 bytes for X25519).
Note: The group name X25519MLKEM768 does not adhere to the naming
convention outlined in Section 3.2 of [hybrid]. Specifically, the
order of shares in the concatenation has been reversed. This is due
to historical reasons.
When the SecP256r1MLKEM768 group is negotiated, the client's
key_exchange value is the concatenation of the secp256r1 ephemeral
share and ML-KEM-768 encapsulation key. The ECDHE share is the
serialized value of the uncompressed ECDH point representation as
defined in Section 4.2.8.2 of [RFC8446]. The size of the client
share is 1249 bytes (65 bytes for the secp256r1 part and 1184 bytes
for ML-KEM).
When the SecP384r1MLKEM1024 group is negotiated, the client's
key_exchange value is the concatenation of the secp384r1 ephemeral
share and the ML-KEM-1024 encapsulation key. The ECDH share is
serialized value of the uncompressed ECDH point represenation as
defined in Section 4.2.8.2 of [RFC8446]. The size of the client
share is 1665 bytes (97 bytes for the secp384r1 part and 1568 for ML-
KEM).
Kwiatkowski, et al. Expires 12 August 2026 [Page 4]
Internet-Draft ECDHE-MLKEM February 2026
4.2. Server share
When the X25519MLKEM768 group is negotiated, the server's key
exchange value is the concatenation of an ML-KEM ciphertext returned
from encapsulation to the client's encapsulation key, and the
server's ephemeral X25519 share. The size of the server share is
1120 bytes (1088 bytes for the ML-KEM part and 32 bytes for X25519).
When the SecP256r1MLKEM768 group is negotiated, the server's key
exchange value is the concatenation of the server's ephemeral
secp256r1 share encoded in the same way as the client share and an
ML-KEM ciphertext returned from encapsulation to the client's
encapsulation key. The size of the server share is 1153 bytes (1088
bytes for the ML-KEM part and 65 bytes for secp256r1).
When the SecP384r1MLKEM1024 group is negotiated, the server's key
exchange value is the concatenation of the server's ephemeral
secp384r1 share encoded in the same way as the client share and an
ML-KEM ciphertext returned from encapsulation to the client's
encapsulation key. The size of the server share is 1665 bytes (1568
bytes for the ML-KEM part and 97 bytes for secp384r1)
For all groups, the server MUST perform the encapsulation key check
described in Section 7.2 of [NIST-FIPS-203] on the client's
encapsulation key, and abort with an illegal_parameter alert if it
fails.
For all groups, the client MUST check if the ciphertext length
matches the selected group, and abort with an illegal_parameter alert
if it fails. If ML-KEM decapsulation fails for any other reason, the
connection MUST be aborted with an internal_error alert.
For all groups, both client and server MUST process the ECDH part as
described in Section 4.2.8.2 of [RFC8446], including all validity
checks, and abort with an illegal_parameter alert if it fails.
4.3. Shared secret
For X25519MLKEM768, the shared secret is the concatenation of the ML-
KEM shared secret and the X25519 shared secret. The shared secret is
64 bytes (32 bytes for each part).
For SecP256r1MLKEM768, the shared secret is the concatenation of the
ECDHE and ML-KEM shared secret. The ECDHE shared secret is the
x-coordinate of the ECDH shared secret elliptic curve point
represented as an octet string as defined in Section 7.4.2 of
[RFC8446]. The size of the shared secret is 64 bytes (32 bytes for
each part).
Kwiatkowski, et al. Expires 12 August 2026 [Page 5]
Internet-Draft ECDHE-MLKEM February 2026
For SecP384r1MLKEM1024, the shared secret is the concatenation of the
ECDHE and ML-KEM shared secret. The ECDHE shared secret is the
x-coordinate of the ECDH shared secret elliptic curve point
represented as an octet string as defined in Section 7.4.2 of
[RFC8446]. The size of the shared secret is 80 bytes (48 bytes for
the ECDH part and 32 bytes for the ML-KEM part).
For all groups, both client and server MUST calculate the ECDH part
of the shared secret as described in Section 7.4.2 of [RFC8446],
including the all-zero shared secret check for X25519, and abort the
connection with an illegal_parameter alert if it fails.
5. Regulatory Context
This section provides informal notes on how the hybrid key agreement
mechanisms defined in this document relate to existing NIST guidance
on key derivation and hybrid key establishment.
* *FIPS-compliance*. All groups defined in this document permit
FIPS-approved key derivation as per [NIST-SP-800-56C] and
[NIST-SP-800-135]. NIST's special publication 800-56Cr2
[NIST-SP-800-56C] approves the usage of HKDF [RFC5869] with two
distinct shared secrets, with the condition that the first one is
computed by a FIPS-approved key-establishment scheme. FIPS also
requires a certified implementation of the scheme, which will
remain more ubiquitous for secp256r1 in the coming years. For
this reason, the ML-KEM shared secret is placed first in
X25519MLKEM768, while the ECDH shared secret is placed first in
SecP256r1MLKEM768 and SecP384r1MLKEM1024. This means that for
SecP256r1MLKEM768 and SecP384r1MLKEM1024, the ECDH implementation
must be certified whereas the ML-KEM implementation does not
require certification. In contrast, for X25519MLKEM768, the ML-
KEM implementation must be certified.
* *SP800-227 compliance*. The NIST Special Publication 800-227
[NIST-SP-800-227] provides general guidance on the design and use
of key-encapsulation mechanisms, including hybrid constructions.
The key agreements defined in this document follow the principles
described in Section 4.6 of [NIST-SP-800-227], which discusses the
combination of post-quantum and classical key-establishment
schemes and the use of approved key combiners. In particular, the
shared-secret concatenation and HKDF-based derivation used by the
TLS 1.3 are consistent with the composite-KEM constructions and
key-combiner recommendations outlined in Sections 4.6.1 and 4.6.2
of [NIST-SP-800-227]. Section 4.6.3 of [NIST-SP-800-227] further
provides relevant security considerations for hybrid KEM designs
underlying the approach used in this document.
Kwiatkowski, et al. Expires 12 August 2026 [Page 6]
Internet-Draft ECDHE-MLKEM February 2026
6. Security Considerations
The same security considerations as those described in [hybrid] apply
to the approach used by this document. The security analysis relies
crucially on the TLS 1.3 message transcript, and one cannot assume a
similar hybridisation is secure in other protocols.
[NIST-SP-800-227] includes guidelines and requirements for
implementations on using KEMs securely. Implementers are encouraged
to use implementations resistant to side-channel attacks, especially
those that can be applied by remote attackers.
All groups defined in this document use and generate fixed-length
public keys, ciphertexts, and shared secrets, which complies with the
requirements described in Section 6 of [hybrid].
7. IANA Considerations
This document requests/registers three new entries to the TLS
Supported Groups registry (https://www.iana.org/assignments/tls-
parameters/tls-parameters.xhtml#tls-parameters-8), according to the
procedures in Section 6 of [RFC9847]. These identifiers are to be
used with the final, ratified by NIST, version of ML-KEM which is
specified in [NIST-FIPS-203].
7.1. X25519MLKEM768
Value: 4588 (0x11EC)
Description: X25519MLKEM768
DTLS-OK: Y
Recommended: N
Reference: This document
Comment: Combining X25519 ECDH with ML-KEM-768
7.2. SecP256r1MLKEM768
Value: 4587 (0x11EB)
Description: SecP256r1MLKEM768
DTLS-OK: Y
Recommended: N
Reference: This document
Comment: Combining secp256r1 ECDH with ML-KEM-768
7.3. SecP384r1MLKEM1024
Value: 4589 (0x11ED)
Description: SecP384r1MLKEM1024
DTLS-OK: Y
Kwiatkowski, et al. Expires 12 August 2026 [Page 7]
Internet-Draft ECDHE-MLKEM February 2026
Recommended: N
Reference: This document
Comment: Combining secp384r1 ECDH with ML-KEM-1024
7.4. Obsoleted Supported Groups
Experimental code points for pre-standard versions of Kyber768 were
added to the TLS registry as X25519Kyber768Draft00 (25497) and
SecP256r1Kyber768Draft00 (25498). This document obsoletes these
entries. IANA is instructed to modify the recommended field to 'D'
and update the reference to add [ this RFC ]. The comment fields for
25497 and 25498 are updated to "Pre-standards version of Kyber768.
Obsoleted by [this RFC]"
8. References
8.1. Normative References
[hybrid] Stebila, D., Fluhrer, S., and S. Gueron, "Hybrid key
exchange in TLS 1.3", Work in Progress, Internet-Draft,
draft-ietf-tls-hybrid-design-16, 7 September 2025,
<https://datatracker.ietf.org/doc/html/draft-ietf-tls-
hybrid-design-16>.
[NIST-FIPS-186]
"Digital Signature Standard (DSS)", National Institute of
Standards and Technology (U.S.),
DOI 10.6028/nist.fips.186-5, February 2023,
<https://doi.org/10.6028/nist.fips.186-5>.
[NIST-FIPS-203]
"Module-lattice-based key-encapsulation mechanism
standard", National Institute of Standards and Technology
(U.S.), DOI 10.6028/nist.fips.203, August 2024,
<https://doi.org/10.6028/nist.fips.203>.
[NIST-SP-800-135]
Dang, Q., "Recommendation for existing application-
specific key derivation functions", National Institute of
Standards and Technology, DOI 10.6028/nist.sp.800-135r1,
2011, <https://doi.org/10.6028/nist.sp.800-135r1>.
[NIST-SP-800-227]
Alagic, G., Barker, E., Chen, L., Moody, D., Robinson, A.,
Silberg, H., and N. Waller, "Recommendations for key-
encapsulation mechanisms", National Institute of Standards
and Technology (U.S.), DOI 10.6028/nist.sp.800-227,
September 2025, <https://doi.org/10.6028/nist.sp.800-227>.
Kwiatkowski, et al. Expires 12 August 2026 [Page 8]
Internet-Draft ECDHE-MLKEM February 2026
[NIST-SP-800-56A]
Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
Davis, "Recommendation for pair-wise key-establishment
schemes using discrete logarithm cryptography", National
Institute of Standards and Technology,
DOI 10.6028/nist.sp.800-56ar3, April 2018,
<https://doi.org/10.6028/nist.sp.800-56ar3>.
[NIST-SP-800-56C]
Barker, E., Chen, L., and R. Davis, "Recommendation for
Key-Derivation Methods in Key-Establishment Schemes",
National Institute of Standards and Technology,
DOI 10.6028/nist.sp.800-56cr2, August 2020,
<https://doi.org/10.6028/nist.sp.800-56cr2>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/rfc/rfc7748>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/rfc/rfc8446>.
8.2. Informative References
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010,
<https://www.rfc-editor.org/rfc/rfc5869>.
[RFC9794] Driscoll, F., Parsons, M., and B. Hale, "Terminology for
Post-Quantum Traditional Hybrid Schemes", RFC 9794,
DOI 10.17487/RFC9794, June 2025,
<https://www.rfc-editor.org/rfc/rfc9794>.
[RFC9847] Salowey, J. and S. Turner, "IANA Registry Updates for TLS
and DTLS", RFC 9847, DOI 10.17487/RFC9847, December 2025,
<https://www.rfc-editor.org/rfc/rfc9847>.
Kwiatkowski, et al. Expires 12 August 2026 [Page 9]
Internet-Draft ECDHE-MLKEM February 2026
Appendix A. Change log
* draft-ietf-tls-ecdhe-mlkem-04:
- Status: Sets document category to Standards Track
- References: Make [hybrid] normative; add/clarify HKDF reference
via RFC 5869; update to RFC 9847 (replacing draft-ietf-tls-
rfc8447bis).
- Text: Rename “Discussion” to “Regulatory context” and expand it
(incl. NIST SP 800-227 notes).
- IANA/TLS registry: Obsoletes the experimental pre-standard
Kyber768 groups X25519Kyber768Draft00 (25497) and
SecP256r1Kyber768Draft00 (25498); instruct IANA to set
Recommended = “D”, update Reference to this RFC, and update
Comments accordingly.
- Editorial: Addressed nits, including normalizing reference
labels to a consistent format (e.g., RFC7748 instead of rfc7748
or ad-hoc labels like HKDF) and renaming NIST references to the
NIST-... form.
* draft-ietf-tls-ecdhe-mlkem-01:
- Alignment with the final version of [hybrid]
- Added new section called Discussion and moved FIPS-compliance
and Failures text there.
- The Construction section has been removed.
* draft-ietf-tls-ecdhe-mlkem-00:
- Change a name of the draft, following adoption by TLS WG
- Fixes references to the to NIST ECC CDH
* draft-kwiatkowski-tls-ecdhe-mlkem-03:
- Adds P-384 combined with ML-KEM-1024
- Adds text that describes error-handling and outlines how the
client and server must ensure the integrity of the key exchange
process.
Kwiatkowski, et al. Expires 12 August 2026 [Page 10]
Internet-Draft ECDHE-MLKEM February 2026
- Adds note on the incompatibility of the codepoint name
X25519MLKEM768 with [hybrid].
- Various cosmetic changes.
* draft-kwiatkowski-tls-ecdhe-mlkem-02:
- Adds section that mentions supported groups that this document
obsoletes.
- Fix a reference to encapsulation in the FIPS 203.
* draft-kwiatkowski-tls-ecdhe-mlkem-01:
- Add X25519MLKEM768
* draft-kwiatkowski-tls-ecdhe-mlkem-00:
- Change Kyber name to ML-KEM
- Swap reference to I-D.cfrg-schwabe-kyber with FIPS-203
- Change codepoint. New value is equal to old value + 1.
* draft-kwiatkowski-tls-ecdhe-kyber-01: Fix size of key shares
generated by the client and the server
* draft-kwiatkowski-tls-ecdhe-kyber-00: updates following IANA
review
Authors' Addresses
Kris Kwiatkowski
PQShield
Email: kris@amongbytes.com
Panos Kampanakis
AWS
Email: kpanos@amazon.com
Bas Westerbaan
Cloudflare
Email: bas@cloudflare.com
Kwiatkowski, et al. Expires 12 August 2026 [Page 11]
Internet-Draft ECDHE-MLKEM February 2026
Douglas Stebila
University of Waterloo
Email: dstebila@waterloo.ca
Kwiatkowski, et al. Expires 12 August 2026 [Page 12]