20 changes: 16 additions & 4 deletions draft-harrison-sshm-mlkem.md
Expand Up @@ -3,7 +3,7 @@ title: "Module-Lattice Key Exchange in SSH"
abbrev: "TODO - Abbreviation"
category: std

docname: draft-harrison-sshm-mlkem-00
docname: draft-harrison-sshm-mlkem-01
submissiontype: IETF # also: "independent", "editorial", "IAB", or "IRTF"
number:
date:
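Review bot: the `abbrev` field in this hunk's context still carries the placeholder value "TODO - Abbreviation"; since the hunk bumps `docname` from -00 to -01, filling in a real abbreviation at the same time would keep the front matter consistent with a published revision.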
Expand Down Expand Up @@ -115,11 +115,23 @@ When using ML-KEM as the Key Exchange Method, the following private namespace me
#define SSH_MSG_KEX_KEM_REPLY 31

# Key Exchange Method: ML-KEM
The client sends SSH_MSG_KEX_KEM_INIT. With this, the client sends C_INIT which is the ephemeral client ML-KEM public key, C_PK. C_PK represents the 'pk' output of the post-quantum KEM's 'KeyGen' at the client.
The client sends SSH_MSG_KEX_KEM_INIT with the following structure:

The server sends SSH_MSG_KEX_KEM_REPLY. With this, the server sends S_REPLY which is the concatenation of S_CT. S_CT is the ciphertext 'ct' output of the 'Encaps' algorithm generated by the server which encapsulates a secret to the client public key C_PK. Before producing S_CT, the server MUST perform the encapsulation key checks defined in Section 6.2 of [FIPS203], and abort using a disconnect message (SSH_MSG_DISCONNECT) with a SSH_DISCONNECT_KEY_EXCHANGE_FAILED as the reason, if they fail.
byte SSH_MSG_KEX_KEM_INIT
string C_INIT

C_PK and S_CT are used to establish the shared secret, K_PQ. K_PQ is the post-quantum shared secret decapsulated from S_CT. Before decapsulating, the client MUST check if the ciphertext S_CT length matches the selected ML-KEM variant. The client MUST abort using a disconnect message (SSH_MSG_DISCONNECT) with a SSH_DISCONNECT_KEY_EXCHANGE_FAILED as the reason if the S_CT length does not match the ML-KEM variant or decapsulation fails for any other reason.
where C_INIT is the ephemeral client ML-KEM public key (C_PK). C_PK represents the public key 'pk' of the client's KeyGen.

The server sends SSH_MSG_KEX_KEM_REPLY with the following structure:

byte SSH_MSG_KEX_KEM_REPLY
string K_S, server's public host key
string S_REPLY
string The signature of hash 'H'

where S_REPLY is the ML-KEM ciphertext (S_CT) from the encapsulation of the client's ML-KEM ephemeral public key.

C_PK and S_CT are used to establish the shared secret, K_PQ. K_PQ is the post-quantum shared secret decapsulated from S_CT. Before decapsulating, the client MUST check if the ciphertext S_CT length matches the selected ML-KEM variant. The client MUST abort using a disconnect message (SSH_MSG_DISCONNECT) with a SSH_DISCONNECT_KEY_EXCHANGE_FAILED as the reason if any of the 3 checks specified in Section 7.3 of FIPS 203 fail.

The derivation of encryption keys is done from the shared secret K_PQ according to Section 7.2 in [RFC4253] with a modification on the exchange hash H. The hash H is the result of computing the HASH, where HASH is the hash algorithm specified in the named key exchange method name, over the concatenation of the following

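Review bot: the server-side encapsulation key check is dropped by this rewrite. The removed paragraph required the server, before producing S_CT, to perform the encapsulation key checks of Section 6.2 of [FIPS203] and to abort with SSH_MSG_DISCONNECT and reason SSH_DISCONNECT_KEY_EXCHANGE_FAILED if they fail; the replacement text ("where S_REPLY is the ML-KEM ciphertext (S_CT) from the encapsulation of the client's ML-KEM ephemeral public key.") states no check on C_PK at all, so a server implementing the -01 text would encapsulate to an unvalidated key. Suggest restoring that MUST directly after the S_REPLY description, with its FIPS 203 section reference brought in line with the one used in the client paragraph. Two smaller points in the same hunk: the client paragraph now cites "Section 7.3 of FIPS 203" as plain text while the old text used the bracketed reference [FIPS203], so the citation style is inconsistent within the section; and the reply structure line "string The signature of hash 'H'" has no field name, unlike C_INIT, K_S and S_REPLY, so the signature cannot be referred to by name in later text.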