Hi Markku, Hi Nick!

I will certainly look closer into the details but it appears that you are optimizing TLS in the wrong place. The key derivation is the least expensive part in TLS and spending time optimizing it will bring little benefit. I am saying this because I have for years been looking at optimizing different parts of the TLS protocol with constrained IoT in mind.

This brings me to the core question: What is the problem you are trying to solve in the first place? I do not recall that anyone has voiced performance problems with the key derivation in TLS before this draft was published.

Ciao
Hannes


Am 08.07.2026 um 12:16 schrieb Markku-Juhani O. Saarinen:
Hi,

Thanks for this. I quickly put together an implementation of draft-sullivan-tls-xof-ciphers-00.txt around Rustls to do some measurements:

https://github.com/mjosaarinen/altkdf-rs

( Editorial comments in https://github.com/mjosaarinen/altkdf-rs/blob/main/FINDINGS.md )

The theoretical side of the design seems very defensible -- clean proof target. In terms of concrete security, the Keccak variants have a much larger security margin than the SHA-2 family.

Given how much work we put into reducing the number of permutation calls with ML-KEM and Hybrid combiners -- carefully debating and analyzing each permutation -- this one yields a staggering reduction, making the key schedule much faster (and the handshake probably too.)

For the representative full handshake: PSK + (EC)DHE + 0-RTT leaves + NewSessionTicket + one KeyUpdate each direction + one exporter, the per-endpoint counts over 24-round Keccak-f[1600] are:

41  * f1600: Deck implementation, measured stateful
46  * f1600: Deck implementation, measured recompute
52  * f1600: Section A.1 in draft-sullivan-tls-xof-ciphers-00
156 * f1600: HKDF-SHA3-256 / RFC 8446 baseline
117 * f1600: Appendix D "FIPS" KMAC256 schedule

So 41 vs 156 permutations by my count.

( Note: The draft slightly overcounts permutations in its estimates. )

It's a quick prototype built with extensive AI assistance, but it includes basic correctness measures: primitive KATs (RFC 9861 TurboSHAKE256, FIPS 202 SHAKE256, SP 800-185 KMAC256, including multi-block and long-output), 73 self-generated Appendix C/D vectors, and byte-for-byte reproduction of all of them by an independent Python implementation written from the draft alone.

- Keccak-p[1600,nr] permutation and the rate-136/capacity-512 sponge
- Five framed deck operations (Init/Absorb/Fork/Squeeze/Ratchet)
- KMAC-layout MAC
- Three-stage E/H/T schedule with its two ratchets
- Section 5 derivations (record keys, Finished/PSK binders, exporters, resumption and key-update, and the §10 external-PSK importer with ImportedIdentityV2).
- All five cipher suites (0xFF01–0xFF05, both profiles, three AEADs)

Plus for comparisons:

- Appendix D FIPS-component schedule (RFC 8446 with KMAC256 as the PRF)
- a permutation-count benchmark reproducing §A.1, live-secret zeroization (§15.7.2.2)

Cheers,
-markku

Dr. Markku-Juhani O. Saarinen <[email protected]>


On Tue, Jul 7, 2026 at 2:34 AM Nick Sullivan <[email protected]> wrote:

    Dear TLS,

    I'm sharing a draft for the group's consideration.
    draft-sullivan-tls-xof-ciphers-00 runs the entire TLS 1.3 key schedule
    on a single Keccak permutation, instead of HKDF built on HMAC built on
    the cipher suite's hash, which today is always SHA-2. This is newly
    practical because deployments using SHA-3, ML-KEM, or ML-DSA already
    carry a Keccak permutation, so the primitive is already in the stack.

    Each derived value comes out in one pass, so a full handshake costs
    about a third of the permutation calls an HKDF schedule over the same
    permutation would spend.

    A cipher suite names an AEAD plus a schedule profile, and nothing else
    changes. There is no new extension, and the state machine, record
    layer, and wire format are untouched. Two profiles are defined, one on
    the standard SHA-3 function and one on a faster reduced-round variant.
    Test vectors are pinned to cipher-suite values, so the final vectors
    will follow the code point assignment.

    https://datatracker.ietf.org/doc/draft-sullivan-tls-xof-ciphers/

    This is a big change to the key schedule, and the draft is very
    preliminary. Feedback on the approach, or interest in implementing it,
    would help a lot.

    Best,
    Nick

    On Mon, Jul 6, 2026 at 7:03 PM <[email protected]> wrote:
    >
    > A new version of Internet-Draft
    draft-sullivan-tls-xof-ciphers-00.txt has been
    > successfully submitted by Nick Sullivan and posted to the
    > IETF repository.
    >
    > Name:     draft-sullivan-tls-xof-ciphers
    > Revision: 00
    > Title:    TLS 1.3 Cipher Suites with Alternative Key-Schedule
    Profiles
    > Date:     2026-07-06
    > Group:    Individual Submission
    > Pages:    46
    > URL:
    https://www.ietf.org/archive/id/draft-sullivan-tls-xof-ciphers-00.txt
    > Status:
    https://datatracker.ietf.org/doc/draft-sullivan-tls-xof-ciphers/
    > HTML:
    https://www.ietf.org/archive/id/draft-sullivan-tls-xof-ciphers-00.html
    > HTMLized:
    https://datatracker.ietf.org/doc/html/draft-sullivan-tls-xof-ciphers
    >
    >
    > Abstract:
    >
    >    TLS 1.3 builds its key schedule on HKDF over the cipher
    suite's hash.
    >    This document defines TLS 1.3 cipher suites that build it on
    a deck
    >    function over a single permutation instead, the one a deployment
    >    already carries when it uses SHA-3, ML-KEM, or ML-DSA.  One
    >    permutation then runs the whole schedule, and a full
    handshake takes
    >    about a third of the permutation calls an HKDF schedule over that
    >    permutation would.  Such a cipher suite names an AEAD algorithm
    >    together with a schedule profile that defines every key-schedule
    >    function the connection uses.  The profile follows from the
    >    negotiated cipher suite alone, so no new extension is defined
    and the
    >    TLS 1.3 state machine and wire format are unchanged. Two profiles
    >    are defined, one on the standard SHA-3 function and one on a
    faster
    >    reduced-round variant of it.
    >
    >
    >
    > The IETF Secretariat
    >
    >

    _______________________________________________
    TLS mailing list -- [email protected]
    To unsubscribe send an email to [email protected]


_______________________________________________
TLS mailing list [email protected]
To unsubscribe send an email [email protected]
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to