3

As there don't seem to be any PQC alternatives for Diffie-Hellman (DH / ECDH), DH must have been replaced by key encapsulation using an ephemeral key pair. However, since TLS 1.3 always performs ephemeral key agreement during the handshake, I think that it is not possible to directly replace DHE / ECDHE with key encapsulation.

Which changes have been made in the protocol for adjusting it for Post Quantum Cryptography during the testing phase, e.g. using liboqs? Does this alter the TLS specification significantly?

Maarten Bodewes

2 Answers

3

> As there don't seem to be any PQC alternatives for Diffie-Hellman (DH / ECDH), DH must have been replaced by key encapsulation using an ephemeral key pair.

I don't believe that is correct; a postquantum Key Encapsulation Method (KEM) would appear to be the natural replacement for DH/ECDH within TLS. In the KEM, one side (the client) produces a KEM public key, the other side (the server) produces a response, and they both generate a 'shared secret'; this is what TLS 1.3 needs.

Now, the server can't have a static key (because, unlike DH, the server response depends on the client public key). On the other hand, TLS 1.3 currently doesn't assume that.

All of the NIST public encryption candidates can work like this; except for the ones that make it problematic by having huge key sizes, they all can fit within the current TLS 1.3 architecture.

poncho
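The message flow described in the answer above, as an added example that is not part of the original answer and is not liboqs or OpenSSL code: the client's key share is a fresh KEM public key, the server's key share is a ciphertext encapsulated to it, and both ends derive the same secret. The KEM here is a toy hashed-ElGamal stand-in with constructed parameters (not post-quantum, not secure), and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: hashed ElGamal is NOT
# post-quantum and these parameters are NOT secure. Only the API shape matters.
P = 2**255 - 19
G = 2

def kem_keygen():
    """Client side: fresh (public, secret) key pair for one handshake."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def kem_encaps(pk):
    """Server side: encrypt a random value m to pk; return (ciphertext, secret)."""
    m = secrets.randbelow(P - 2) + 1
    r = secrets.randbelow(P - 2) + 1
    ct = (pow(G, r, P), m * pow(pk, r, P) % P)   # second part depends on pk
    return ct, hashlib.sha256(m.to_bytes(32, "big")).digest()

def kem_decaps(sk, ct):
    """Client side: recover m from the ciphertext and derive the same secret."""
    c1, c2 = ct
    m = c2 * pow(c1, P - 1 - sk, P) % P          # c1^(-sk) via Fermat
    return hashlib.sha256(m.to_bytes(32, "big")).digest()

def handshake():
    """One key exchange: client key_share = pk, server key_share = ct."""
    client_pk, client_sk = kem_keygen()              # sent in ClientHello
    server_ct, server_ss = kem_encaps(client_pk)     # sent in ServerHello
    client_ss = kem_decaps(client_sk, server_ct)
    return {"client_ss": client_ss, "server_ss": server_ss}

def static_share_reuse_works():
    """Does a ciphertext made for client A give client B the server's secret?"""
    pk_a, _sk_a = kem_keygen()
    _pk_b, sk_b = kem_keygen()
    ct_for_a, server_ss = kem_encaps(pk_a)
    return kem_decaps(sk_b, ct_for_a) == server_ss

if __name__ == "__main__":
    hs = handshake()
    print("secrets match:", hs["client_ss"] == hs["server_ss"])
    print("static server share reusable:", static_share_reuse_works())
```

The second function shows the asymmetry with DH: a server share built for one client's public key does not give a different client the same secret, so the server has to compute its share per handshake.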
2

CSIDH can serve as a drop-in replacement for the (EC)DH key-exchange protocol while maintaining security against a quantum computer.

Moreover, OQS modified the OpenSSL library to use liboqs. TLS was modified without following the standards, as you said.

jmr