Post-quantum TLS without handshake signatures

Handshake size versus handshake establishment time, for signed KEX and KEMTLS ciphersuites, including and excluding transmission/processing of one intermediate CA certificate. Latency 30.9 ms, bandwidth 1000 Mbps, 0% packet loss. Label syntax: ABCD: A = ephemeral key exchange, B = leaf certificate, C = intermediate CA certificate, D = root certificate. Label values: <u>D</u>ilithium, <u>e</u>CDH X25519, <u>F</u>alcon, <u>K</u>yber, <u>N</u>TRU, <u>R</u>ainbow, <u>r</u>SA-2048, <u>S</u>IKE, <u>X</u>MSS<sup>MT</sup><sub>s</sub>; all level-1 schemes (NIST Round 3).


We present KEMTLS, an alternative to the TLS 1.3 handshake that uses key-encapsulation mechanisms (KEMs) instead of signatures for server authentication. Among existing post-quantum candidates, signature schemes generally have larger public key/signature sizes compared to the public key/ciphertext sizes of KEMs: by using an IND-CCA-secure KEM for server authentication in post-quantum TLS, we obtain multiple benefits. A size-optimized post-quantum instantiation of KEMTLS requires less than half the bandwidth of a size-optimized post-quantum instantiation of TLS 1.3. In a speed-optimized instantiation, KEMTLS reduces the amount of server CPU cycles by almost 90% compared to TLS 1.3, while at the same time reducing communication size, reducing the time until the client can start sending encrypted application data, and eliminating code for signatures from the server's trusted code base.

Keywords: post-quantum cryptography, key-encapsulation mechanisms, Transport Layer Security, NIST PQC


Peter Schwabe, Douglas Stebila, Thom Wiggers. Post-quantum TLS without handshake signatures. In Jonathan Katz, Giovanni Vigna, editors, Proc. 27th ACM Conference on Computer and Communications Security (CCS) 2020. ACM, November 2020. © The authors.







This research was supported by:
  • Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery grant RGPIN-2016-05146
  • NSERC Discovery Accelerator Supplement grant RGPIN-2016-05146
  • European Research Council Starting Grant No. 805031 (EPOQUE)