Hybrid Post-quantum Key Exchange SM2-MLKEM for TLSv1.3

Introduction This document introduces one new NamedGroup and related key exchange scheme in TLSv1.3 protocol. This NamedGroup is used in the Supported Groups extension during the handshake procedure of TLSv1.3, to achieve a hybrid key exchange in combination with the post-quantum key exchange algorithm ML-KEM768 ():

This new NamedGroup uses an elliptic curve called curveSM2 which is defined in SM2 related standards. Those standards are either published by international standard organizations or by Chinese standard organizations. Please read .

The SM2 Elliptic Curve SM2, ISO/IEC 14888-3:2018 (as well as in ) is a set of elliptic curve based cryptographic algorithms including digital signature, public key encryption and key exchange scheme. In this document, only the SM2 elliptic curve is involved, which has already been added assigned by IANA. Please read for more information.

Terminology Although this document is not an IETF Standards Track publication it adopts the conventions for normative language to provide clarity of instructions to the implementer, and to indicate requirement levels for compliant TLSv1.3 implementations. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Hybrid Key Exchange Scheme Definitions

TLS Versions The new supported group item and related key exchange scheme defined in this document are only applicable to TLSv1.3. Implementations of this document MUST NOT apply this supported group or key exchange scheme to any older versions of TLS.

CurveSM2 The hybrid key exchange scheme defined in this document uses a fixed elliptic curve parameter set defined in . This curve has the name curveSM2. As per , the SM2 elliptic curve ID used in the Supported Groups extension is defined as:

Implementations of the hybrid key exchange mechanism defined in this document MUST conform to what requires, that is to say, the only valid elliptic curve parameter set for SM2 signature algorithm (a.k.a curveSM2) is defined as follows:

The above elliptic curve parameter set is also previously defined in .

Hybrid Key Exchange

Hello Messages The use of the hybrid named group defined by this document is negotiated during the TLS handshake with information exchanged in the Hello messages. The main procedure follows what defines. That is to say, the non-post-quantum part (a.k.a. the ECDHE part) of the hybrid key exchange is based on standard ECDH with curveSM2.

ClientHello To use the hybrid named group curveSM2MLKEM768 defined by this document, a TLSv1.3 client MUST include 'curveSM2MLKEM768' in the 'supported_groups' extension of the ClientHello structure defined in Section 4.2.7 of . Then the TLS client's 'key_exchange' value of the 'key_share' extension is the concatenation of the curveSM2 ephemeral share and ML-KEM768 encapsulation key. The ECDHE share is the serialized value of the uncompressed ECDH point representation as defined in Section 4.2.8.2 of . The size of the client share is 1249 bytes (65 bytes for the curveSM2 public key and 1184 bytes for ML-KEM).

ServerHello If a TLSv1.3 server receives a ClientHello message containing the hybrid named group curveSM2MLKEM768 defined in this document, it MAY choose to negotiate on it. If so, then the server MUST construct its 'key_exchange' value of the 'key_share' extension as the concatenation of the server's ephemeral curveSM2 share encoded in the same way as the client share and an ML-KEM ciphertext encapsulated by the client's encapsulation key. The size of the server share is 1153 bytes (1088 bytes for the ML-KEM part and 65 bytes for curveSM2).

Key Scheduling According to , the shared secret is calculated in a 'concatenation' approach: the two shared secrets are concatenated together and used as the shared secret in the standard TLSv1.3 key schedule. Thus for curveSM2MLKEM768, the shared secret is the concatenation of the ECDHE and ML-KEM shared secret. The ECDHE shared secret is the x-coordinate of the ECDH shared secret elliptic curve point represented as an octet string as defined in Section 7.4.2 of . The size of the shared secret is 64 bytes (32 bytes for each part). Both client and server MUST calculate the ECDH part of the shared secret as described in Section 7.4.2 of . As already described in , SM2 is actually a set of cryptographic algorithms including one key exchange protocol which defines methods such as key derivation function, etc. This document does not use an SM2 key exchange protocol, and an SM2 key exchange protocol SHALL NOT be used in the hybrid key exchange scheme defined in . Implementations of this document MUST always conform to what TLSv1.3 and its successors require about the key derivation and related methods.

IANA Considerations IANA has assigned the value 4590 (0x11EE) with the name 'curveSM2MLKEM768', to the "TLS Supported Groups" registry:' Value Description DTLS-OK Recommended Reference 4590 (0x11EE) curveSM2MLKEM768 No No this RFC

Security Considerations At the time of writing, there are no security issues have been found for relevant algorithms.