Internet-Draft X25519Kyber768Draft00 ciphersuite for ML July 2023
Mahy & Amiot Expires 11 January 2024 [Page]
Intended Status:
R. Mahy
M. Amiot

Messaging Layer Security Ciphersuite using X25519Kyber768Draft00 Key Exchange Mechanism


This document registers a new Messaging Layer Security (MLS) ciphersuite using the hybrid post-quantum resistant / traditional (PQ/T) Key Exchange Mechanism X25519Kyber768Draft00.

About This Document

This note is to be removed before publishing as an RFC.

Status information for this document may be found at

Discussion of this document takes place on the MLS Working Group mailing list (, which is archived at Subscribe at

Source for this draft and an issue tracker can be found at

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 11 January 2024.

Table of Contents

1. Introduction

This document reserves a Messaging Layer Security (MLS) [I-D.ietf-mls-protocol] ciphersuite value based on the MLS default ciphersuite, but replacing the KEM with the hybrid post-quantum / traditional Key Exchange Mechanism X25519Kyber768Draft00 [I-D.draft-westerbaan-cfrg-hpke-xyber768d00] which was assigned the Hybrid Public Key Encryption (HPKE) Key Exchange Mechanism (KEM) Identifier value 0x0030.

2. Security Considerations

This ciphersuite uses a hybrid post-quantum/traditional KEM and a traditional signature algorithm. As such, it is designed to provide confidentiality against quantum and classical attacks, but provides authenticity against classical attacks only. This is actually very useful, because an attacker could store MLS-encrypted traffic that uses any classical KEM today. If years or decades in the future a quantum attack on classical KEMs becomes feasible, the traffic sent today (some of which could still be sensitive in the future) will then be readable. By contrast, an attack on a signature algorithm in MLS would require an active attack which can extract the private key during the signature key's lifetime.

The security properties of [I-D.draft-westerbaan-cfrg-hpke-xyber768d00] apply.

3. IANA Considerations

This document registers a new MLS Ciphersuite value.

Value:     0x0030 (please)
Name:      MLS_128_X25519Kyber768Draft00_AES128GCM_SHA256_Ed25519
Required:  N
Reference: This document

4. Normative References

Westerbaan, B. and C. A. Wood, "X25519Kyber768Draft00 hybrid post-quantum KEM for HPKE", Work in Progress, Internet-Draft, draft-westerbaan-cfrg-hpke-xyber768d00-02, , <>.
Barnes, R., Beurdouche, B., Robert, R., Millican, J., Omara, E., and K. Cohn-Gordon, "The Messaging Layer Security (MLS) Protocol", Work in Progress, Internet-Draft, draft-ietf-mls-protocol-20, , <>.


Thanks to Joël Alwen, Marta Mularczyk, and Britta Hale.

Authors' Addresses

Rohan Mahy
Mathieu Amiot