Hi all,

Glad to see this document adopted by the WG.

One small question: in Section 3, the draft reads, "As with (EC)DH keys today, generating an ephemeral key exchange keypair for ECDH and ML-KEM is still REQUIRED per connection by this specification (IND-CPA security)." However, my understanding of RFC 7296 (Section 2.12) is that it doesn't actually prohibit the re-use of ephemeral keys. Is there guidance other than RFC 7296 that explicitly prohibits ephemeral key re-use? Or is it better to rephrase to something like: "Generating an ephemeral key exchange keypair for ECDH and ML-KEM is REQUIRED per connection by this specification, as is common practice for (EC)DH keys today."

Thanks,
Rebecca

Rebecca Guthrie
she/her
Center for Cybersecurity Standards (CCSS)
Cybersecurity Collaboration Center (CCC)
National Security Agency (NSA)

-----Original Message-----
From: [email protected] <[email protected]>
Sent: Thursday, May 1, 2025 6:14 AM
To: [email protected]
Cc: [email protected]
Subject: [IPsec] I-D Action: draft-ietf-ipsecme-ikev2-mlkem-00.txt

Internet-Draft draft-ietf-ipsecme-ikev2-mlkem-00.txt is now available. It is a work item of the IP Security Maintenance and Extensions (IPSECME) WG of the IETF.

   Title:   Post-quantum Hybrid Key Exchange with ML-KEM in the Internet Key Exchange Protocol Version 2 (IKEv2)
   Authors: Panos Kampanakis
            Gerardo Ravago
   Name:    draft-ietf-ipsecme-ikev2-mlkem-00.txt
   Pages:   10
   Dates:   2025-04-29

Abstract:

   NIST recently standardized ML-KEM, a new key encapsulation mechanism, which can be used for quantum-resistant key establishment. This draft specifies how to use ML-KEM as an additional key exchange in IKEv2 along with traditional key exchanges. This Post-Quantum Traditional Hybrid Key Encapsulation Mechanism approach allows for negotiating IKE and Child SA keys which are safe against cryptanalytically-relevant quantum computers and theoretical weaknesses in ML-KEM.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-ipsecme-ikev2-mlkem-00.html

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

_______________________________________________
IPsec mailing list -- [email protected]
To unsubscribe send an email to [email protected]
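Added illustration, not part of the message above, of the draft, or of any IKEv2 implementation: a toy model of the property the Section 3 sentence is about, fresh ECDH and KEM keypairs per connection in a hybrid exchange versus reusing them across connections. Everything below is an assumption chosen so the script runs on the Python standard library: the "ECDH" leg is plain Diffie-Hellman over a small toy prime (not an IKEv2 group and not secure), the ML-KEM leg is stood in by a DH-based KEM with the same keygen/encaps/decaps shape, and the combiner is one SHA-256 over both shared secrets and the nonces, which is not the draft's SKEYSEED derivation. The script runs three connections, then models compromise of the initiator's private keys from the last connection and counts how many earlier session keys can be rederived from the recorded public values and ciphertexts; it also contains the check a responder could run over its own logs, whether a peer's public value repeats across exchanges.

```python
import hashlib
import secrets

# Toy prime and generator for the "ECDH" leg. Assumption / stand-in only:
# not an IKEv2 group and far too small to be secure.
P = 2**61 - 1
G = 3


def dh_keygen():
    """Fresh private scalar sk and public value G^sk mod P (toy ECDH keygen)."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def dh_shared(sk, peer_pk):
    """Shared secret peer_pk^sk mod P as fixed-width bytes."""
    return pow(peer_pk, sk, P).to_bytes(8, "big")


# DH-based KEM standing in for ML-KEM (assumption): same keygen / encaps /
# decaps shape, so the hybrid flow below has the two legs the draft combines.
def kem_keygen():
    return dh_keygen()


def kem_encaps(pk):
    r, ct = dh_keygen()
    return ct, hashlib.sha256(b"kem" + dh_shared(r, pk)).digest()


def kem_decaps(sk, ct):
    return hashlib.sha256(b"kem" + dh_shared(sk, ct)).digest()


def combine(ss_ecdh, ss_kem, ni, nr):
    """Simplified combiner (assumption; NOT the draft's SKEYSEED derivation)."""
    return hashlib.sha256(b"hybrid" + ss_ecdh + ss_kem + ni + nr).digest()


class Initiator:
    """Generates fresh keypairs per connection (the REQUIRED behaviour under
    discussion) or, if reuse_keys is set, reuses them across connections."""

    def __init__(self, reuse_keys):
        self.reuse_keys = reuse_keys
        self._ecdh = None
        self._kem = None

    def keypairs(self):
        if self._ecdh is None or not self.reuse_keys:
            self._ecdh = dh_keygen()
            self._kem = kem_keygen()
        return self._ecdh, self._kem


def run_connection(initiator):
    """One hybrid exchange. Returns (session key, public transcript, initiator
    private keys used). The responder always uses fresh keys."""
    (ecdh_sk, ecdh_pk), (kem_sk, kem_pk) = initiator.keypairs()
    ni = secrets.token_bytes(16)
    r_sk, r_pk = dh_keygen()
    nr = secrets.token_bytes(16)
    ct, ss_kem_r = kem_encaps(kem_pk)
    key_r = combine(dh_shared(r_sk, ecdh_pk), ss_kem_r, ni, nr)
    key_i = combine(dh_shared(ecdh_sk, r_pk), kem_decaps(kem_sk, ct), ni, nr)
    assert key_i == key_r, "both sides must derive the same key"
    transcript = {"ecdh_pk_i": ecdh_pk, "ecdh_pk_r": r_pk,
                  "kem_pk_i": kem_pk, "kem_ct": ct, "ni": ni, "nr": nr}
    return key_i, transcript, (ecdh_sk, kem_sk)


def simulate(reuse_keys, n_connections):
    init = Initiator(reuse_keys)
    return [run_connection(init) for _ in range(n_connections)]


def rederive(transcript, ecdh_sk, kem_sk):
    """What an attacker holding the initiator's private keys can compute from a
    recorded transcript (public values, KEM ciphertext, nonces)."""
    return combine(dh_shared(ecdh_sk, transcript["ecdh_pk_r"]),
                   kem_decaps(kem_sk, transcript["kem_ct"]),
                   transcript["ni"], transcript["nr"])


def exposure_after_compromise(runs):
    """Compromise the initiator's private keys from the LAST connection and
    count how many EARLIER session keys they rederive. Fresh keys: 0. Reused
    keys: every earlier connection in the list."""
    _, _, (ecdh_sk, kem_sk) = runs[-1]
    return sum(1 for key, t, _ in runs[:-1] if rederive(t, ecdh_sk, kem_sk) == key)


def repeated_public_values(transcripts, field="ecdh_pk_i"):
    """Responder-side check: peer public values seen in more than one exchange,
    mapped to the exchange indices (a sign the peer reuses its ephemeral key)."""
    seen = {}
    for i, t in enumerate(transcripts):
        seen.setdefault(t[field], []).append(i)
    return {v: idx for v, idx in seen.items() if len(idx) > 1}


if __name__ == "__main__":
    for reuse in (False, True):
        runs = simulate(reuse, 3)
        exposed = exposure_after_compromise(runs)
        repeats = repeated_public_values([t for _, t, _ in runs])
        print(f"reuse_keys={reuse}: earlier sessions exposed={exposed}, repeats={repeats}")
```

With fresh keypairs per connection, the compromised keys from the third exchange rederive none of the earlier session keys; with reused keypairs, they rederive all of them, and the repeat check flags the same public value in every exchange. The check is the cheap operational signal a responder has that a peer is doing what RFC 7296 Section 2.12 permits but the draft's sentence rules out.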
