Hi Nick

This seems like a great start!

I would like to see much broader use of deck functions that provide 
fine-grained cryptographic services, rather than having the IETF assemble 
protocols from various distinct symmetric primitives. Constructions such as 
HMAC and HKDF were developed around hash functions with inherent security and 
functional limitations, and they are not a good foundation for modern protocol 
design.

Instead of performing a full permutation for the relatively infrequent key 
updates, it may be preferable to also use a lightweight "roll" function to 
support inexpensive per-message ratcheting, similar to the approach used by the 
Signal protocol.

The current draft still hands off record protection to a separate AEAD, with 
the deck function merely deriving the traffic keys. In my view, this leaves one 
of the most compelling opportunities unexplored. The key schedule and record 
encryption could be integrated into a single running duplex object.

Cheers,
John Preuß Mattsson

From: Nick Sullivan <[email protected]>
Date: Tuesday, 7 July 2026 at 01:33
To: [email protected] <[email protected]>
Subject: [TLS] Re: New Version Notification for 
draft-sullivan-tls-xof-ciphers-00.txt

Dear TLS,

I'm sharing a draft for the group's consideration.
draft-sullivan-tls-xof-ciphers-00 runs the entire TLS 1.3 key schedule
on a single Keccak permutation, instead of HKDF built on HMAC built on
the cipher suite's hash, which today is always SHA-2. This is newly
practical because deployments using SHA-3, ML-KEM, or ML-DSA already
carry a Keccak permutation, so the primitive is already in the stack.

Each derived value comes out in one pass, so a full handshake costs
about a third of the permutation calls an HKDF schedule over the same
permutation would spend.

A cipher suite names an AEAD plus a schedule profile, and nothing else
changes. There is no new extension, and the state machine, record
layer, and wire format are untouched. Two profiles are defined, one on
the standard SHA-3 function and one on a faster reduced-round variant.
Test vectors are pinned to cipher-suite values, so the final vectors
will follow the code point assignment.

https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-sullivan-tls-xof-ciphers%2F&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C914556f9a3c24e7dcfa008dedbb70c08%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639189776381975014%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=GxZ%2B0t2dt0rzRtzLXH1ld5tO3SoX9a9urbdxCT3meic%3D&reserved=0<https://datatracker.ietf.org/doc/draft-sullivan-tls-xof-ciphers/>

This is a big change to the key schedule, and the draft is very
preliminary. Feedback on the approach, or interest in implementing it,
would help a lot.

Best,
Nick

On Mon, Jul 6, 2026 at 7:03 PM <[email protected]> wrote:
>
> A new version of Internet-Draft draft-sullivan-tls-xof-ciphers-00.txt has been
> successfully submitted by Nick Sullivan and posted to the
> IETF repository.
>
> Name:     draft-sullivan-tls-xof-ciphers
> Revision: 00
> Title:    TLS 1.3 Cipher Suites with Alternative Key-Schedule Profiles
> Date:     2026-07-06
> Group:    Individual Submission
> Pages:    46
> URL:      
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-sullivan-tls-xof-ciphers-00.txt&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C914556f9a3c24e7dcfa008dedbb70c08%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639189776382001211%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=5AhG0%2By8MfxmkVDfDkMjZagD4Ga8jRJ6IRtXJRVFHRg%3D&reserved=0<https://www.ietf.org/archive/id/draft-sullivan-tls-xof-ciphers-00.txt>
> Status:   
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-sullivan-tls-xof-ciphers%2F&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C914556f9a3c24e7dcfa008dedbb70c08%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639189776382019313%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=gCL6u%2FvbSu9GEKQAcDe1k4cz7r1S7afVTs%2FtF%2BHYKiM%3D&reserved=0<https://datatracker.ietf.org/doc/draft-sullivan-tls-xof-ciphers/>
> HTML:     
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-sullivan-tls-xof-ciphers-00.html&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C914556f9a3c24e7dcfa008dedbb70c08%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639189776382040668%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=LVUGmbDZ5IKxCRjjHKVls6Y3n52P2NpufEhCnXZhOqY%3D&reserved=0<https://www.ietf.org/archive/id/draft-sullivan-tls-xof-ciphers-00.html>
> HTMLized: 
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-sullivan-tls-xof-ciphers&data=05%7C02%7Cjohn.mattsson%40ericsson.com%7C914556f9a3c24e7dcfa008dedbb70c08%7C92e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C639189776382057873%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=RkQd4KObWnFazkizW4uQZLYZpwmWCkemqb32dvGHDpk%3D&reserved=0<https://datatracker.ietf.org/doc/html/draft-sullivan-tls-xof-ciphers>
>
>
> Abstract:
>
>    TLS 1.3 builds its key schedule on HKDF over the cipher suite's hash.
>    This document defines TLS 1.3 cipher suites that build it on a deck
>    function over a single permutation instead, the one a deployment
>    already carries when it uses SHA-3, ML-KEM, or ML-DSA.  One
>    permutation then runs the whole schedule, and a full handshake takes
>    about a third of the permutation calls an HKDF schedule over that
>    permutation would.  Such a cipher suite names an AEAD algorithm
>    together with a schedule profile that defines every key-schedule
>    function the connection uses.  The profile follows from the
>    negotiated cipher suite alone, so no new extension is defined and the
>    TLS 1.3 state machine and wire format are unchanged.  Two profiles
>    are defined, one on the standard SHA-3 function and one on a faster
>    reduced-round variant of it.
>
>
>
> The IETF Secretariat
>
>

_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to