Post-Quantum TLS without handshake signatures

Talk about Post-Quantum TLS without Handshake Signatures at the Lorentz Workshop (virtual)

Post-Quantum TLS without handshake signatures

Department Lunch Talk about KEMTLS

Rephrasing TLS key exchange in terms of KEMs

In the RFC for TLS 1.3 (RFC8446) especially, the key exchange is defined in terms of (EC)DH key shares being exchanged. This limits us to algorithms which support non-interactive key exchanges, while this is not necessary for the security of TLS 1.3 as defined by RFC8446.1 As we would like to implement (post-quantum) KEMs into TLS 1.3, we will now describe the changes to the spec that would be required. As we can phrase (EC)DH key exchange as a key exchange with Key Encapsulation Mechanisms, this does not actually change TLS.