Abstract
While server-only authentication with certificates is the most widely used mode of operation for the Transport Layer Security (TLS) protocol on the world wide web, there are many applications where TLS is used in a different way or with different constraints. For example, embedded Internet-of-Things clients may have a server certificate pre-programmed and be highly constrained in terms of communication bandwidth or computation power. As post-quantum algorithms have a wider range of performance trade-offs, designs other than traditional “signed-key-exchange” may be worthwhile. The KEMTLS protocol, presented at ACM CCS 2020, uses key encapsulation mechanisms (KEMs) rather than signatures for authentication in the TLS 1.3 handshake, a benefit since most post-quantum KEMs are more efficient than PQ signatures. However, KEMTLS has some drawbacks, especially in the client authentication scenario which requires a full additional roundtrip.
We explore how the situation changes with pre-distributed public keys, which may be viable in many scenarios, for example pre-installed public keys in apps, on embedded devices, cached public keys, or keys distributed out of band. Our variant of KEMTLS with pre-distributed keys, called \(\mathsf{KEMTLS\text {-}PDK}\), is more efficient in terms of both bandwidth and computation compared to post-quantum signed-KEM TLS (even cached public keys), and has a smaller trusted code base. When client authentication is used, \(\mathsf{KEMTLS\text {-}PDK}\) is more bandwidth efficient than KEMTLS yet can complete client authentication in one fewer round trips, and has stronger authentication properties. Interestingly, using pre-distributed keys in \(\mathsf{KEMTLS\text {-}PDK}\) changes the landscape on suitability of PQ algorithms: schemes where public keys are larger than ciphertexts/signatures (such as Classic McEliece and Rainbow) can be viable, and the differences between some lattice-based schemes is reduced. We also discuss how using pre-distributed public keys provides privacy benefits compared to pre-shared symmetric keys in TLS.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The full version is available from thomwiggers.nl/publication/kemtlspdk/.
References
Albrecht, M.R., et al.: Classic McEliece. Technical report, National Institute of Standards and Technology (2020). urlhttps://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 327–343. USENIX Association, August 2016
Barnes, R.L., Bhargavan, K., Lipp, B., Wood, C.A.: Hybrid public key encryption. Internet-draft, Internet Research Task Force (2021), https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hpke-08
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bindel, N., Braun, J., Gladiator, L., Stöckert, T., Wirth, J.: X.509-compliant hybrid certificates for the post-quantum transition. J. Open Sour. Softw. 4(40), 1606 (2019). https://doi.org/10.21105/joss.01606
Bindel, N., Herath, U., McKague, M., Stebila, D.: Transitioning to a quantum-resistant public key infrastructure. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017, vol. 10346, pp. 384–405. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-59879-6_22
Birr-Pixton, J.: A modern TLS library in Rust. https://github.com/ctz/rustls. Accessed 29 Apr 2021
Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553–570. IEEE Computer Society Press, May 2015. https://doi.org/10.1109/SP.2015.40
Braithwaite, M.: Experimenting with post-quantum cryptography. Posting on the Google Security Blog (2016). https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
Celi, S., Wiggers, T.: KEMTLS: post-quantum TLS without signatures. Posting on the Cloudflare Blog (2021). https://blog.cloudflare.com/kemtls-post-quantum-tls-without-signatures/
Chen, C., et al.: NTRU. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
D’Anvers, J.P., et al.: SABER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
de Saint Guilhem, C.D., Smart, N.P., Warinschi, B.: Generic forward-secure key agreement without signatures. In: Nguyen, P.Q., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 114–133. Springer, Heidelberg (2017)
Di Raimondo, M., Gennaro, R., Krawczyk, H.: Deniable authentication and key exchange. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM CCS 2006, pp. 400–409. ACM Press, October–November 2006. https://doi.org/10.1145/1180405.1180454
Ding, J., et al.: Rainbow. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Dodis, Y., Katz, J., Smith, A., Walfish, S.: Composability and on-line deniability of authentication. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 146–162. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_10
Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1197–1210. ACM Press, October 2015. https://doi.org/10.1145/2810103.2813653
Drucker, N., Gueron, S.: Selfie: reflections on TLS 1.3 with PSK. Cryptology ePrint Archive, Report 2019/347 (2019). https://eprint.iacr.org/2019/347
Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1193–1204. ACM Press, November 2014. https://doi.org/10.1145/2660267.2660308
Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 467–484. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_28
Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism. In: Chen, K., Xie, Q., Qiu, W., Li, N., Tzeng, W.G. (eds.) ASIACCS 2013, pp. 83–94. ACM Press, May 2013
Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Josefsson, S.: Storing Certificates in the Domain Name System (DNS). RFC 4398, March 2006. https://doi.org/10.17487/RFC4398
Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010, LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34
Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF). RFC 5869, May 2010. https://doi.org/10.17487/RFC5869
Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: EuroS&P 2016. IEEE (2017). https://eprint.iacr.org/2015/978.pdf
Kwiatkowski, K.: Towards post-quantum cryptography in TLS. Posting on the Cloudflare Blog (2019). https://blog.cloudflare.com/towards-post-quantum-cryptography-in-tls/
LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)
Langley, A.: Cecpq2. Posting on the ImperialViolet Blog (2018). https://www.imperialviolet.org/2018/12/12/cecpq2.html
Laurie, B., Langley, A., Kasper, E.: Certificate transparency. RFC 6962, June 2013. https://doi.org/10.17487/RFC6962
Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003)
Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Paquin, C., Stebila, D., Tamvada, G.: Benchmarking post-quantum cryptography in TLS. In: Ding, J., Tillich, J.P. (eds.) 11th International Conference on Post-Quantum Cryptography, PQCrypto 2020, pp. 72–91. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-44223-1_5
Perrin, T.: Noise protocol framework, July 2018. https://noiseprotocol.org/noise.html. Accessed 29 Apr 2021
Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. https://doi.org/10.17487/RFC8446
Rescorla, E., Sullivan, N., Wood, C.A.: Semi-static Diffie-Hellman key establishment for TLS 1.3. Internet-draft, Internet Engineering Task Force (2020). https://tools.ietf.org/html/draft-rescorla-tls-semistatic-dh-02
Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, D.C.: X.509 internet public key infrastructure Online Certificate Status Protocol - OCSP. RFC 6960, June 2013. https://doi.org/10.17487/RFC6960
Santesson, S., Tschofenig, H.: Transport Layer Security (TLS) Cached Information Extension. RFC 7924, July 2016. https://doi.org/10.17487/RFC7924
Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 20, pp. 1461–1480. ACM Press, November 2020. https://doi.org/10.1145/3372297.3423350
Sikeridis, D., Kampanakis, P., Devetsikiotis, M.: Post-quantum authentication in TLS 1.3: a performance study. In: NDSS 2020. The Internet Society , February 2020
Stebila, D., Mosca, M.: Post-quantum key exchange for the internet and the open quantum safe project. In: Avanzi, R., Heys, H.M. (eds.) SAC 2016. LNCS, vol. 10532, pp. 14–37. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-319-69453-5_2
Sy, E., Burkert, C., Federrath, H., Fischer, M.: Tracking users across the web via TLS session resumption. In: ACM ACSAC 2018, pp. 289–299. ACM Press (2018). https://doi.org/10.1145/3274694.3274708
Acknowledgements
The authors gratefully acknowledge insightful discussions with Patrick Towa on the security model, proof, and pre-distributed keys scenario. This work has been supported by the European Research Council through Starting Grant No. 805031 (EPOQUE) and the Natural Sciences and Engineering Research Council of Canada through Discovery grant RGPIN-2016-05146 and a Discovery Accelerator Supplement.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A KEMTLS
A KEMTLS
Figure 4 presents KEMTLS [43] side-by-side with TLS 1.3. Establishing an ephemeral shared secret happens in a similar way in TLS 1.3 and KEMTLS. The client submits a public key \(g^x\) (TLS 1.3) or \(\mathsf {pk}_e\) (KEMTLS) to the server in the \(\mathtt{ClientHello}\) message. The server then replies with its key share \(g^y\) (TLS 1.3) or ciphertext \(\mathsf {ct}_e\) (KEMTLS). At this point, the server has the information to derive the handshake shared secret. This shared secret \(\mathsf {ss}_e\) is used to encrypt the server’s certificate before transmitting it to the client.
In TLS 1.3, this certificate contains a long-term public key for a digital signature algorithm \(\mathsf {pk}_S\). The server signs the transcript of all the transmitted messages so far and submits this signature in the \(\mathtt{ServerCertificateVerify}\) message. This allows the client to immediately verify the server’s identity: the signature proves the server posesses the private key corresponding to the certificate. The server then finishes the handshake by sending the key confirmation message. The client replies with its own key confirmation message.
When using long-term public keys for KEMs in certificates, signing the transcript is not possible. So, in KEMTLS, the client encapsulates a new shared secret \(\mathsf {ss}_S\) to the server’s long-term public key \(\mathsf {pk}_S\). It then sends over the corresponding ciphertext \(\mathsf {ct}_S\) to the server. Only if the server can decapsulate the shared secret from the ciphertext, can it prove posession of the private key corresponding to the certificate. The server mixes in the new shared secret with the ephemeral secret key and derives new handshake keys. The server’s key confirmation message then proves possesion of the long-term key.
If the client were to wait for the server to prove that it has decapsulated the ciphertext, KEMTLS would need a full extra round-trip over TLS 1.3. However, before the confirmation message, the client already knows that only the intended server would be able to read any data that is encrypted with keys derived from \(\mathsf {ss}_S\). KEMTLS uses this to allow the client to send data to the implicitly authenticated server before it has received the server’s key confirmation message. Once the key confirmation is received, the server is explicitly authenticated and the client then knows the server is present.
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Schwabe, P., Stebila, D., Wiggers, T. (2021). More Efficient Post-quantum KEMTLS with Pre-distributed Public Keys. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham. https://doi.org/10.1007/978-3-030-88418-5_1
Download citation
DOI: https://doi.org/10.1007/978-3-030-88418-5_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88417-8
Online ISBN: 978-3-030-88418-5
eBook Packages: Computer ScienceComputer Science (R0)