Transitioning the TLS protocol to post-quantum cryptography

Abstract

The simplest approach to transition the Transport Layer Security (TLS) protocol to resist attacks by a quantum computer is to replace Diffie-Hellman key exchange with a post-quantum key encapsulation mechanism (KEM) and a traditional signature with a post-quantum signature. The various trade-offs present in post-quantum algorithms -- either larger keys, slower computation, or less confidence in newer security assumptions -- mean that the situation is more complicated. In this talk Stebila will discuss various issues around and options for transitioning the TLS protocol to use post-quantum cryptography.

First Stebila will discuss "hybrid" or "composite" options, in which two algorithms -- a traditional algorithm and a post-quantum one -- are used simultaneously, with an update on the progress towards standardization of these options.

Next he'll discuss the KEMTLS alternative protocol design which uses long-term KEM keys for TLS handshake authentication instead of digital signatures.  Among existing post-quantum candidates, signature schemes generally have larger public key/signature sizes compared to the public key/ciphertext sizes of KEMs: by using an IND-CCA-secure KEM for server authentication in post-quantum TLS, we can reduce communication size. Stebila will discuss the original KEMTLS option as well as a variant involving pre-distributed keys, which can help in Internet-of-Things settings. He'll also talk about issues involving certification of KEM public keys, such as proof of possession during registration.

Speaker

Dr. Douglas Stebila is an Associate Professor of cryptography in the Department of Combinatorics & Optimization at the University of Waterloo.  His research focuses on improving the security of Internet communications protocols and developing practical quantum-resistant cryptography. He is the leader of the Open Quantum Safe project, an open-source software project for prototyping and evaluating quantum-resistant cryptography.  He holds an MSc from the University of Oxford and a PhD from the University of Waterloo.