TLS

Post-Quantum TLS without handshake signatures

We present an alternative to TLS 1.3 that authenticates using only Key-Encapsulation Mechanisms (KEMs). This allows us to get rid of handshake signatures, which matters because post-quantum signature schemes are expensive, both in bytes and in computation time.

Post-Quantum TLS with KEMs

We investigate getting rid of signatures in TLS.

Rephrasing TLS key exchange in terms of KEMs

In the RFC for TLS 1.3 (RFC8446) in particular, the key exchange is defined in terms of (EC)DH key shares being exchanged. This limits us to algorithms which support non-interactive key exchange, although this is not necessary for the security of TLS 1.3 as defined by RFC8446. As we would like to implement (post-quantum) KEMs in TLS 1.3, we will now describe the changes to the spec that would be required.

Using (post-quantum) KEMs in TLS 1.3

The new TLS 1.3 standard [1] does not yet provide any support for post-quantum algorithms. In this blog post we’ll be talking about how we could negotiate a post-quantum key exchange using a (post-quantum) Key Encapsulation Mechanism (KEM). In the NIST Standardisation effort [2], many KEMs are currently under consideration.