Professional Documents
Culture Documents
Draft
Draft
Abstract
We present a construction of an hybrid version of KEMTLS where we
combine both a post-quantum IBE and a classical PKI key enchapsulation
mechanism (KEM). Mixing both kind of primitives, we present experi-
mental results showing that this construction can achieve better network
timings when compared with other hybrid TLS constructions. Moreover,
we also can deal with problems that IBE constructions struggle with, like
how to revoke identities, and how to deal to some extend with the key
escrow problem. This is done at the coast of forsaking some properties
usually associated with IBE, like avoiding the use of certificates.
1 Introduction
The Transport Layer Security (TLS) is one of the most used cryptographic pro-
tocol designed to provide communications security over a computer network. It
is widely used over the Internet to transfer web pages and to secure connections
between machines. After the protocol is run, even over untrusted channels,
both the client and the server are able to exchange encrypted messages se-
curely. The full specification for TLS 1.3, the most recent version, is provided
in RFC8446 [10].
To use TLS, we usually require a public key infrastructure (PKI). When the
client and the server are exchanging messages following the protocol, the server
sends a certificate chain to the client containing its public key and a chain of
signed certificates where each one provides its own key for signature verification
and the last certificate is self-signed by a trusted Certificate Authority (CA).
In TLS 1.3, clients and servers can exchange a shared secret using a single
round trip based on Diffie-Hellman key agreement protocol. The previous ver-
sion, TLS 1.2 had a different authentication mechanism that required an extra
round trip. Before version 1.3, several other proposals were made trying to
improve the protocol. In [9] a proposal was made trying to use identity-based
cryptography in TLS. The paper showed that an IBE-based TLS using bilinear
pairings would require less data to be transferred over the network at the coast
of requiring more expensive computations. One of the main selling points of
identity-based encryption, which was advocated by earlier proposals was that it
did not require certificates. Instead of this, a web page URL could be used as
1
the server public key and a central authority could derive the associated secret
key and transfer it to the correct server that owns that page.
However, identity-based TLS was not sufficient attractive to be used. The
improvement in network timings for classical TLS was interesting, but the ben-
efit was not enough to justify the drawbacks and the changes in infrastructure.
Using IBE in TLS requires us to deal with the following challenges:
Moreover, despite the promise that with IBE we could dismiss certificates, in
practice this is very hard to be achieved. Public keys are not the only thing that
requires certification. In an IBE-based protocol, the server would need to inform
the client about which PKG it is using. The message with this information also
should be authenticated somehow.
2
proposals about how can we change TLS to keep it safe, even if such CRQC is
built.
The main problem of such change is that post-quantum cryptographic algo-
rithms are not so well studied and tested as the classical constructions based on
elliptic curves and RSA. Starting in 2016, NIST began a post-quantum cryptog-
raphy standardization program where a competition between several candidates
took place. Only in 2022, NIST announced five post-quantum algorithms that
could be standardized, while selecting four others to pass to another round of
tests and studies. The novelty of such algorithms makes people cautious of sim-
ply replacing what we already have, algorithms that endured decades of attacks
and scrutiny, by proposals that are so recent.
A solution for this dilemma is using hybrid schemes: a classical and a post-
quantum scheme are combined in such a way that if only one of them is secure,
the entire scheme is secure. Some papers with these proposals and their perfor-
mance results can be seen in [4].
Another problem from post-quantum algorithms is that several proposals
have bigger keys or produce bigger signatures, requiring more bandwidth to
be used. One proposal to lower the bandwidth requirement is the KEMTLS
protocol, where a post-quantum key encapsulation mechanism (KEM) instead
of post-quantum signatures [11]. This makes the gap smaller between the sizes
from classical implementations and post-quantum ones.
Finally, the possible change to post-quantum algorithms renewed the inter-
est in IBE model. In [1] new experiments showed that like in the classical model,
when considering only post-quantum constructions, IBE schemes also requires
less bandwidth, but require more computational timings. However, the sav-
ings in network timings are much bigger and the performance cost is relatively
smaller. As it is not known how to deal satisfactorily with some of the IBE
problems like the revocation in general usage, the paper suggested to use IBE
in post-quantum versions of TLS aimed at wireless sensors networks. In [12]
more experiments comparing timings from IBE and PKI constructions in the
context of IOT environments are presented. An hybrid IBE construction is also
considered.
Our proposal: We built a hybrid version of KEMTLS, but instead of
just mixing a classical and a post-quantum construction, we mix two slightly
different primitives: a classical PKI-based KEM and a post-quantum IBE KEM.
The rationale for this mix is the data from [1] that show that IBE is much more
attractive in the post-quantum scenario than in the classical one. We use IBE
construction as a way to lower badwidth requeriments in hybrid constructions.
Because of the PKI classical construction, we still require certificates. But these
certificates would not be much bigger than certificates that we already use, based
on P256 curves. Because the post-quantum part of the scheme uses IBE, we
do not neet to put their public keys in the certificate, but we still can use it to
authenticate other relevant data, like the the chosen PKG, or perhaps a random
string that should be attached to the identity. This random string could be
changed if the IBE secret key is compromised, and the revocation mechanisms
would not need to be different than what we already have.
3
2 Preliminaries
2.1 Key Enchapsulation Mechanisms (KEMs)
A Key Enchapsulation Mechanism (KEM) is a tuple of three algorithms (KEM.Keygen,
KEM.Encaps, KEM.Decaps) defined as follows:
4
• IDKEM.Encaps(mpk, ID) → (k, c): Given the master public key mpk
and an identity string ID, this probabilistic polinomially-bounded algo-
rithm produces a secret k and a ciphertext c.
• IDKEM.Decaps(skID , c) → k: Given a secret key skID associated with
identity ID and a ciphertext, this deterministic polinomially-bounded al-
gorithm produces a secret k.
It is required that if a given pair (k, c) was produced by the encapsulation al-
gorithm using a given mpk and identity ID, then passing to the decapsulation al-
gorithm the corresponding secret key produced by IDKEM.Extract(msk, ID)
and the ciphertext c, allows us to recover the secret k as result. For a secure
ID-KEM, we expect that no adversary is able to distinguish between the correct
secret k associated with a known ciphertext c and a random value k ′ taken from
some distribution (IND-CPA model) for any identity ID chosen by the adver-
sary, except with negligible probability. The adversary is always able to query
an oracle that computes IDKEM.Extract(msk, ·) for any identity, except the
chosen one. If the scheme keeps this property even if the attacker is also able
to query another oracle that runs IDKEM.Decaps(skID , ·) for the chosen ID,
except that it cannot query de decapsulation of c, then the ID-KEM is also
secure in the IND-CCA model.
5
• HKEM.M asterKeyGen(1λ ) → (mpk, msk): The key generation algo-
rithm that produces the master public key and master secret key. It is
identical to the IDKEM.KeyGen algorithm.
• HKEM.LocalKeyGen(1λ ) → (pk, sk): The key generation that will be
run locally for each user. This algorithm is identical to the KEM.KeyGen
algorithm.
• HKEM.Extract(msk, ID) → skID : Given the master secret key and an
identity, generates a secret key corresponding to the identity. It is identical
to the IDKEM.Extract algorithm.
• HKEM.Encaps(mpk, pk, ID) → (k, c): This polinomially-bounded prob-
abilistic algorithm, given the master public key mpk, a public key pk and
an identity string ID produces a secret k and a ciphertext c that encap-
sulates securely the given secret.
• KEM.Decaps(skID , sk, c) → k: This polinomially-bounded deterministic
algorithm, given the secret key associated with identity ID, a second
secret key sk and a ciphertext c, returns the secret k encapsulated in the
ciphertext.
As the first three algorithms are the same than algorithms already present
in the KEM and IDKEM schemes, we just need to define how to build the
encapsulation and decapsulation algorithms. Adapting the Xor-then-MAC con-
struction from [7], we can define them as:
6
7. return ⊥
8. else:
9. return kkem
• HKEM.Decaps(skID , sk, c) :
1. (c1 , c2 ) ← c
2. k1 ← KEM.Decaps(sk, c1 )
3. k2 ← IDKEM.Decaps(skID , c1 )
4. kd ← dP RF (k1 , k2 )
5. return P RF (kd , c)
7
2. Server → Client: (cephemeral , Certif icate(pkS , P KG))
Knowing the client’s ephemeral public key pkephemeral , the server can
compute cephemeral running the encapsulation algorithm KEM.Encaps
from the ephemeral KEM. It also sends to the client its public key pkS
and it indicates which PKG will be used in the identity-based part of our
hybrid algorithms. These information are sent with a certificate chain.
3. Client → Server: c
Knowing the server identity, its public key pkS and the correct master
public key mpk, the client can run the encapsulation algorithm from our
hybrid scheme to produce a secret k and an encapsulation c. The encap-
sulation is sent to the server, which can then decapsulate it. After this
step, both the client and the server knows the secrets k and kephemeral .
Both can be hashed, which then produces the shared secret.
Here we assume that the client do not know the server public key pkS .
However, like in the usual KEMTLS, we can reduce the key agreement to a
single round trip if we assume that the client already knows the server and has
the secret key stored in the cache. In this case, the protocol runs as below:
4 Experiments
To test the performance and viability of our proposal, we modified the KEMTLS
implementation from [5] to use our hybrid construction. For the identity-based
post-quantum KEM, we choosed the DLP-IBE construction proposed at [6] and
used an implementation from Libsafecrypto library after creating Go bindings
for the library. For the classical KEM, we choosed the construction based on
P256 elliptic curve from the Circl library. We also used the Kyber KEM for our
ephemeral key encapsulations, also provided by the Circl library. The combiner
and the adaptation in the KEMTLS were programmed in Go.
8
5 Conclusion
References
[1] Utsav Banerjee and Anantha P Chandrakasan. Efficient post-quantum tls
handshakes using identity-based key exchange from lattices. In ICC 2020-
2020 IEEE International Conference on Communications (ICC), pages 1–6.
IEEE, 2020.
[2] Alexandra Boldyreva, Vipul Goyal, and Virendra Kumar. Identity-based
encryption with efficient revocation. In Proceedings of the 15th ACM con-
ference on Computer and communications security, pages 417–426, 2008.
[3] Dan Boneh and Matt Franklin. Identity-based encryption from the weil
pairing. In Advances in Cryptology—CRYPTO 2001: 21st Annual Inter-
national Cryptology Conference, Santa Barbara, California, USA, August
19–23, 2001 Proceedings, pages 213–229. Springer, 2001.
[4] Joppe W Bos, Craig Costello, Michael Naehrig, and Douglas Stebila. Post-
quantum key exchange for the tls protocol from the ring learning with
errors problem. In 2015 IEEE Symposium on Security and Privacy, pages
553–570. IEEE, 2015.
[5] Sofı́a Celi, Armando Faz-Hernández, Nick Sullivan, Goutam Tamvada,
Luke Valenta, Thom Wiggers, Bas Westerbaan, and Christopher A
Wood. Implementing and measuring kemtls. In Progress in Cryptology–
LATINCRYPT 2021: 7th International Conference on Cryptology and
Information Security in Latin America, Bogotá, Colombia, October 6–8,
2021, Proceedings, pages 88–107. Springer, 2021.
[6] Léo Ducas, Vadim Lyubashevsky, and Thomas Prest. Efficient identity-
based encryption over ntru lattices. In International Conference on the
Theory and Application of Cryptology and Information Security, pages 22–
41. Springer, 2014.
[7] Federico Giacon, Felix Heuer, and Bertram Poettering. Kem combiners. In
Public-Key Cryptography–PKC 2018: 21st IACR International Conference
on Practice and Theory of Public-Key Cryptography, Rio de Janeiro, Brazil,
March 25-29, 2018, Proceedings, Part I 21, pages 190–218. Springer, 2018.
[8] Benoı̂t Libert and Jean-Jacques Quisquater. Efficient revocation and
threshold pairing based cryptosystems. In Proceedings of the twenty-second
annual symposium on Principles of distributed computing, pages 163–171,
2003.
[9] Changyan Peng, Quan Zhang, and Chaojing Tang. Improved tls hand-
shake protocols using identity-based cryptography. In 2009 International
Symposium on Information Engineering and Electronic Commerce, pages
135–139. IEEE, 2009.
9
[10] Eric Rescorla. Rfc 8446: The transport layer security (tls) protocol version
1.3, 2018.
[11] Peter Schwabe, Douglas Stebila, and Thom Wiggers. Post-quantum tls
without handshake signatures. In Proceedings of the 2020 ACM SIGSAC
Conference on Computer and Communications Security, pages 1461–1480,
2020.
[12] Michael Scott. On tls for the internet of things, in a post quantum world.
Cryptology ePrint Archive, 2023.
10