Dear TLS, I'm sharing a draft for the group's consideration. draft-sullivan-tls-xof-ciphers-00 runs the entire TLS 1.3 key schedule on a single Keccak permutation, instead of HKDF built on HMAC built on the cipher suite's hash, which today is always SHA-2. This is newly practical because deployments using SHA-3, ML-KEM, or ML-DSA already carry a Keccak permutation, so the primitive is already in the stack.
Each derived value comes out in one pass, so a full handshake costs about a third of the permutation calls an HKDF schedule over the same permutation would spend. A cipher suite names an AEAD plus a schedule profile, and nothing else changes. There is no new extension, and the state machine, record layer, and wire format are untouched. Two profiles are defined, one on the standard SHA-3 function and one on a faster reduced-round variant. Test vectors are pinned to cipher-suite values, so the final vectors will follow the code point assignment. https://datatracker.ietf.org/doc/draft-sullivan-tls-xof-ciphers/ This is a big change to the key schedule, and the draft is very preliminary. Feedback on the approach, or interest in implementing it, would help a lot. Best, Nick On Mon, Jul 6, 2026 at 7:03 PM <[email protected]> wrote: > > A new version of Internet-Draft draft-sullivan-tls-xof-ciphers-00.txt has been > successfully submitted by Nick Sullivan and posted to the > IETF repository. > > Name: draft-sullivan-tls-xof-ciphers > Revision: 00 > Title: TLS 1.3 Cipher Suites with Alternative Key-Schedule Profiles > Date: 2026-07-06 > Group: Individual Submission > Pages: 46 > URL: > https://www.ietf.org/archive/id/draft-sullivan-tls-xof-ciphers-00.txt > Status: https://datatracker.ietf.org/doc/draft-sullivan-tls-xof-ciphers/ > HTML: > https://www.ietf.org/archive/id/draft-sullivan-tls-xof-ciphers-00.html > HTMLized: https://datatracker.ietf.org/doc/html/draft-sullivan-tls-xof-ciphers > > > Abstract: > > TLS 1.3 builds its key schedule on HKDF over the cipher suite's hash. > This document defines TLS 1.3 cipher suites that build it on a deck > function over a single permutation instead, the one a deployment > already carries when it uses SHA-3, ML-KEM, or ML-DSA. One > permutation then runs the whole schedule, and a full handshake takes > about a third of the permutation calls an HKDF schedule over that > permutation would. Such a cipher suite names an AEAD algorithm > together with a schedule profile that defines every key-schedule > function the connection uses. The profile follows from the > negotiated cipher suite alone, so no new extension is defined and the > TLS 1.3 state machine and wire format are unchanged. Two profiles > are defined, one on the standard SHA-3 function and one on a faster > reduced-round variant of it. > > > > The IETF Secretariat > > _______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
