メインコンテンツまでスキップ

Appendix B. Parameter Set Security and Sizes

この節では CMS で ML-KEM を使用する RFC 原文を保持し, KEMRecipientInfo, HKDF, AES Key Wrap, ASN.1 identifiers, IANA registration, authenticated-enveloped-data example を含めます.

Appendix B.  Parameter Set Security and Sizes

Instead of defining the strength of a quantum algorithm using the
imprecise notion of bits of security, NIST has defined security
levels by picking a reference scheme, which is expected to offer
notable levels of resistance to both quantum and classical attacks.
To wit, a KEM algorithm that achieves NIST Post-Quantum Cryptography
(PQC) security must require computational resources to break IND-CCA2
security comparable or greater than that required for key search on
AES-128, AES-192, and AES-256 for Levels 1, 3, and 5, respectively.
Levels 2 and 4 use collision search for SHA-256 and SHA-384 as
reference.

+=============+=======+==========+==========+============+========+
| Parameter | Level | Encap. | Decap. | Ciphertext | Shared |
| Set | | Key Size | Key Size | Size | Secret |
| | | | | | Size |
+=============+=======+==========+==========+============+========+
| ML-KEM-512 | 1 | 800 | 1632 | 768 | 32 |
+-------------+-------+----------+----------+------------+--------+
| ML-KEM-768 | 3 | 1184 | 2400 | 1088 | 32 |
+-------------+-------+----------+----------+------------+--------+
| ML-KEM-1024 | 5 | 1568 | 3168 | 1568 | 32 |
+-------------+-------+----------+----------+------------+--------+

Table 2: ML-KEM parameter Sets, NIST Security Level, and Sizes
in Bytes