Dear TLS,

I'm sharing a draft for the group's consideration.
draft-sullivan-tls-xof-ciphers-00 runs the entire TLS 1.3 key schedule
on a single Keccak permutation, instead of HKDF built on HMAC built on
the cipher suite's hash, which today is always SHA-2. This is newly
practical because deployments using SHA-3, ML-KEM, or ML-DSA already
carry a Keccak permutation, so the primitive is already in the stack.

Each derived value comes out in one pass, so a full handshake costs
about a third of the permutation calls an HKDF schedule over the same
permutation would spend.

A cipher suite names an AEAD plus a schedule profile, and nothing else
changes. There is no new extension, and the state machine, record
layer, and wire format are untouched. Two profiles are defined, one on
the standard SHA-3 function and one on a faster reduced-round variant.
Test vectors are pinned to cipher-suite values, so the final vectors
will follow the code point assignment.

https://datatracker.ietf.org/doc/draft-sullivan-tls-xof-ciphers/

This is a big change to the key schedule, and the draft is very
preliminary. Feedback on the approach, or interest in implementing it,
would help a lot.

Best,
Nick

On Mon, Jul 6, 2026 at 7:03 PM <[email protected]> wrote:
>
> A new version of Internet-Draft draft-sullivan-tls-xof-ciphers-00.txt has been
> successfully submitted by Nick Sullivan and posted to the
> IETF repository.
>
> Name:     draft-sullivan-tls-xof-ciphers
> Revision: 00
> Title:    TLS 1.3 Cipher Suites with Alternative Key-Schedule Profiles
> Date:     2026-07-06
> Group:    Individual Submission
> Pages:    46
> URL:      
> https://www.ietf.org/archive/id/draft-sullivan-tls-xof-ciphers-00.txt
> Status:   https://datatracker.ietf.org/doc/draft-sullivan-tls-xof-ciphers/
> HTML:     
> https://www.ietf.org/archive/id/draft-sullivan-tls-xof-ciphers-00.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-sullivan-tls-xof-ciphers
>
>
> Abstract:
>
>    TLS 1.3 builds its key schedule on HKDF over the cipher suite's hash.
>    This document defines TLS 1.3 cipher suites that build it on a deck
>    function over a single permutation instead, the one a deployment
>    already carries when it uses SHA-3, ML-KEM, or ML-DSA.  One
>    permutation then runs the whole schedule, and a full handshake takes
>    about a third of the permutation calls an HKDF schedule over that
>    permutation would.  Such a cipher suite names an AEAD algorithm
>    together with a schedule profile that defines every key-schedule
>    function the connection uses.  The profile follows from the
>    negotiated cipher suite alone, so no new extension is defined and the
>    TLS 1.3 state machine and wire format are unchanged.  Two profiles
>    are defined, one on the standard SHA-3 function and one on a faster
>    reduced-round variant of it.
>
>
>
> The IETF Secretariat
>
>

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to