Implementing and Measuring KEMTLS

Conference paper. In: Progress in Cryptology – LATINCRYPT 2021 (LATINCRYPT 2021)

Abstract

KEMTLS is a novel alternative to the Transport Layer Security (TLS) handshake that integrates post-quantum algorithms. It uses key encapsulation mechanisms (KEMs) for both confidentiality and authentication, achieving post-quantum security while obviating the need for expensive post-quantum signatures. The original KEMTLS paper presents a security analysis, Rust implementation, and benchmarks over emulated networks. In this work, we provide full Go implementations of KEMTLS and other post-quantum handshake alternatives, describe their integration into a distributed system, and provide performance evaluations over real network conditions. We compare the standard (non-quantum-resistant) TLS 1.3 handshake with three alternatives: one that uses post-quantum signatures in combination with post-quantum KEMs (PQTLS), one that uses KEMTLS, and one that is a reduced round trip version of KEMTLS (KEMTLS-PDK). In addition to the performance evaluations, we discuss how the design of these protocols impacts TLS from an implementation and configuration perspective.

Bas Westerbaan—Cloudflare, Inc, Amsterdam, Netherlands

Notes

  1. It took, for example, 5 years to standardize TLS 1.3 [39].

  2. Advanced modes of the TLS 1.3 handshake can also use a pre-shared key (PSK) exchange, PSK with ephemeral key exchange, and password-based authentication.

  3. Authentication is as strong as its weakest link, so until the entire certificate chain has post-quantum security we do not have a fully post-quantum authenticated protocol. However, the approach suffices for the purpose of our experiments.

  4. While it is stated in the draft that the DC signature algorithm “is expected to be the same as the sender’s CertificateVerify.algorithm”, this is not a hard requirement, and in KEMTLS the CertificateVerify messages are not sent.

  5. This extension is only available for TLS 1.2, so we adapted it to be used in TLS 1.3.

References

  1. Adrian, D., et al.: Imperfect forward secrecy: how Diffie-Hellman fails in practice. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 5–17. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2810103.2813707

  2. Arai, K., Matsuo, S.: Formal verification of TLS 1.3 full handshake protocol using ProVerif (Draft-11). IETF TLS mailing list (2016). https://mailarchive.ietf.org/arch/msg/tls/NXGYUUXCD2b9WwBRWbvrccjjdyI

  3. Aviram, N., et al.: DROWN: breaking TLS using SSLv2. In: 25th USENIX Security Symposium (USENIX Security 2016), pp. 689–706. USENIX Association, Austin, August 2016. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/aviram

  4. Barnes, R., Iyengar, S., Sullivan, N., Rescorla, E.: Delegated credentials for TLS. Internet-Draft draft-ietf-tls-subcerts-10, Internet Engineering Task Force, January 2021. https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-10. Work in Progress

  5. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14

  6. Beurdouche, B., et al.: A messy state of the union: taming the composite state machines of TLS. In: 2015 IEEE Symposium on Security and Privacy, pp. 535–552 (2015). https://doi.org/10.1109/SP.2015.39

  7. Braithwaite, M.: Experimenting with post-quantum cryptography. Google Security Blog, Google Online Security, July 2016. https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html. Accessed 16 Feb 2021

  8. Campagna, M., Crockett, E.: Hybrid post-quantum key encapsulation methods (PQ KEM) for transport layer security 1.2 (TLS). Internet-Draft draft-campagna-tls-bike-sike-hybrid-06, Internet Engineering Task Force, March 2021. https://datatracker.ietf.org/doc/html/draft-campagna-tls-bike-sike-hybrid-06. Work in Progress

  9. Crockett, E., Paquin, C., Stebila, D.: Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH. In: Second PQC Standardization Conference, University of California, Santa Barbara, August 2019. https://csrc.nist.gov/Presentations/2019/prototyping-post-quantum-and-hybrid-key-exchange

  10. Faz-Hernández, A., Kwiatkowski, K.: Introducing CIRCL: An Advanced Cryptographic Library. Cloudflare, Inc, June 2019. https://blog.cloudflare.com/introducing-circl/. Accessed Feb 2021

  11. Feman, R.C., Willis, T.: Securing the web, together. Google Security Blog, March 2016. https://security.googleblog.com/2016/03/securing-web-together_15.html. Accessed 16 May 2021

  12. Ghedini, A., Vasiliev, V.: TLS Certificate Compression. RFC 8879, RFC Editor, December 2020. https://doi.org/10.17487/RFC8879

  13. Hoyland, J., Wood, C.: TLS 1.3 extended key schedule. Internet-Draft draft-jhoyla-tls-extended-key-schedule-03, Internet Engineering Task Force, December 2020. https://datatracker.ietf.org/doc/html/draft-jhoyla-tls-extended-key-schedule-03. Work in Progress

  14. Hülsing, A., Rijneveld, J., Schanck, J., Schwabe, P.: High-speed key encapsulation from NTRU. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 232–252. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_12

  15. Iyengar, J., Thomson, M.: QUIC: A UDP-Based Multiplexed and Secure Transport. RFC 9000, May 2021. https://doi.org/10.17487/RFC9000

  16. Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  17. Josefsson, S.: Storing Certificates in the Domain Name System (DNS). RFC 4398, RFC Editor, March 2006. https://doi.org/10.17487/RFC4398

  18. Kampanakis, P., Sikeridis, D.: Two post-quantum signature use-cases: non-issues, challenges and potential solutions. In: 7th ETSI/IQC Quantum Safe Cryptography Workshop 2019, November 2019. https://eprint.iacr.org/2019/1276

  19. Kiefer, F., Kwiatkowski, K.: Hybrid ECDHE-SIDH Key Exchange for TLS. Internet-Draft draft-kiefer-tls-ecdhe-sidh-00, Internet Engineering Task Force, May 2019. https://datatracker.ietf.org/doc/html/draft-kiefer-tls-ecdhe-sidh-00. Work in Progress

  20. Kumar, D., et al.: Security challenges in an increasingly tangled web. In: Barrett, R., Cummings, R., Agichtein, E., Gabrilovich, E. (eds.) Proceedings of the 26th International Conference on World Wide Web, WWW 2017, Perth, Australia, 3–7 April 2017, pp. 677–684. ACM (2017). https://doi.org/10.1145/3038912.3052686

  21. Kwiatkowski, K., Langley, A., Sullivan, N., Levin, D., Mislove, A., Valenta, L.: Measuring TLS key exchange with post-quantum KEM. University of California, Santa Barbara, August 2019. https://csrc.nist.gov/Presentations/2019/measuring-tls-key-exchange-with-post-quantum-kem

  22. Lamik, M.: Introducing Cloudflare Radar. The Cloudflare Blog, September 2020. https://blog.cloudflare.com/introducing-cloudflare-radar. Accessed 16 May 2021

  23. Langley, A.: CECPQ2. ImperialViolet, December 2018. https://www.imperialviolet.org/2018/12/12/cecpq2.html. Accessed 16 Feb 2021

  24. Langley, A.: Real-world measurements of structured-lattices and supersingular isogenies in TLS. ImperialViolet, October 2019. https://www.imperialviolet.org/2019/10/30/pqsivssl.html. Accessed 16 Feb 2021

  25. Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  26. Marculescu, M.: Introducing gRPC, a new open source HTTP/2 RPC framework. Google Developers, February 2015. https://developers.googleblog.com/2015/02/introducing-grpc-new-open-source-http2.html

  27. National Institute of Standards and Technology: Post-Quantum Cryptography Standardization, January 2017. https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization. Accessed 16 May 2021

  28. Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  29. Rescorla, E.: The Transport Layer Security TLS Protocol Version 1.3. RFC 8446, RFC Editor, August 2018. https://doi.org/10.17487/RFC8446

  30. Santesson, S., Tschofenig, H.: Transport Layer Security (TLS) Cached Information Extension. RFC 7924, RFC Editor, July 2016. https://doi.org/10.17487/RFC7924

  31. Schanck, J.M., Stebila, D.: A Transport Layer Security (TLS) Extension For Establishing An Additional Shared Secret. Internet-Draft draft-schanck-tls-additional-keyshare-00, Internet Engineering Task Force, April 2017. https://datatracker.ietf.org/doc/html/draft-schanck-tls-additional-keyshare-00. Work in Progress

  32. Schanck, J.M., Whyte, W., Zhang, Z.: Quantum-Safe Hybrid (QSH) Ciphersuite for Transport Layer Security (TLS) version 1.2. Internet-Draft draft-whyte-qsh-tls12-02, Internet Engineering Task Force, January 2017. https://datatracker.ietf.org/doc/html/draft-whyte-qsh-tls12-02. Work in Progress

  33. Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020: 27th Conference on Computer and Communications Security, pp. 1461–1480. ACM Press, Virtual Event, 9–13 November 2020. https://doi.org/10.1145/3372297.3423350

  34. Schwabe, P., Stebila, D., Wiggers, T.: More efficient post-quantum KEMTLS with pre-distributed public keys (2021). https://eprint.iacr.org/2021/779

  35. Sikeridis, D., Kampanakis, P., Devetsikiotis, M.: Post-quantum authentication in TLS 1.3: a performance study. In: ISOC Network and Distributed System Security Symposium - NDSS 2020. The Internet Society, San Diego, 23–26 February 2020

  36. Stebila, D., Mosca, M.: Post-quantum Key exchange for the internet and the open quantum safe project. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 14–37. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69453-5_2

  37. Stebila, D., Fluhrer, S., Gueron, S.: Hybrid key exchange in TLS 1.3. Internet-Draft draft-ietf-tls-hybrid-design-03, Internet Engineering Task Force, April 2021. https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design-03. Work in Progress

  38. Sullivan, N.: Why TLS 1.3 isn’t in browsers yet. The Cloudflare Blog, December 2017. https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet/. Accessed 15 April 2021

  39. Sullivan, N.: A detailed look at RFC 8446 (a.k.a. TLS 1.3). The Cloudflare Blog, August 2018. https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/. Accessed 16 February 2021

  40. Syta, E., et al.: Scalable bias-resistant distributed randomness. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 444–460 (2017). https://doi.org/10.1109/SP.2017.45. https://drand.love

  41. Thomson, M.: Suppressing intermediate certificates in TLS. Internet-Draft draft-thomson-tls-sic-00, Internet Engineering Task Force, March 2019. https://datatracker.ietf.org/doc/html/draft-thomson-tls-sic-00. Work in Progress

  42. Whyte, W., Zhang, Z., Fluhrer, S., Garcia-Morchon, O.: Quantum-Safe Hybrid (QSH) Key Exchange for Transport Layer Security (TLS) version 1.3. Internet-Draft draft-whyte-qsh-tls13-06, Internet Engineering Task Force, October 2017. https://datatracker.ietf.org/doc/html/draft-whyte-qsh-tls13-06. Work in Progress

Acknowledgements

The authors wish to thank LATINCRYPT’s reviewers for their useful suggestions. A special mention goes to Jonathan Hoyland for reviewing an early version of this document. Thom Wiggers was supported during this work by the European Commission through the ERC Starting Grant 805031 (EPOQUE). Goutam Tamvada was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146.

Author information

Corresponding author: Sofía Celi

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Celi, S. et al. (2021). Implementing and Measuring KEMTLS. In: Longa, P., Ràfols, C. (eds) Progress in Cryptology – LATINCRYPT 2021. LATINCRYPT 2021. Lecture Notes in Computer Science, vol 12912. Springer, Cham. https://doi.org/10.1007/978-3-030-88238-9_5

  • DOI: https://doi.org/10.1007/978-3-030-88238-9_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88237-2

  • Online ISBN: 978-3-030-88238-9