
    Post-Quantum Authentication in TLS 1.3: A Performance Study

    The potential development of large-scale quantum computers is raising concerns among IT and security research professionals because such machines could solve the (elliptic curve) discrete logarithm and integer factorization problems in polynomial time. All currently used public key algorithms would be deemed insecure in a post-quantum (PQ) setting. In response, the National Institute of Standards and Technology (NIST) has initiated a process to standardize quantum-resistant cryptographic algorithms, focusing primarily on their security guarantees. Since PQ algorithms differ significantly from classical ones, their overall evaluation should not be performed out of context. This work presents a detailed performance evaluation of the NIST signature algorithm candidates and investigates the latency they impose on TLS 1.3 connection establishment under realistic network conditions. In addition, we investigate their impact on TLS session throughput and analyze the trade-off between lengthy PQ signatures and computationally heavy PQ cryptographic operations. Our results demonstrate that the adoption of at least two PQ signature algorithms would be viable with little additional overhead over current signature algorithms. We also argue that many NIST PQ candidates can effectively be used for less time-sensitive applications, and provide an in-depth discussion of the integration of PQ authentication in encrypted tunneling protocols, along with the related challenges, improvements, and alternatives. Finally, we propose and evaluate the combination of different PQ signature algorithms across the same certificate chain in TLS. Results show a reduction of the TLS handshake time and a significant increase of a server's TLS tunnel connection rate over using a single PQ signature scheme.

    Hybrid post-quantum cryptography in network protocols

    Thesis (doctorate) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Ciência da Computação, Florianópolis, 2023.
    Abstract: Network security is essential for today's communications. Protocols such as Transport Layer Security (TLS) and Automatic Certificate Management Environment (ACME) enable secure communications for various applications. TLS provides secure channels with peer authentication, given that the peer already holds a digital certificate to prove its identity. ACME contributes to TLS adoption with facilities for issuing and managing digital certificates. Both protocols depend on public-key cryptography for authentication and for the key exchange (KEX) of symmetric key material. However, the advent of a cryptographically relevant quantum computer (CRQC) weakens KEX and digital certificates built with today's classical cryptography (such as RSA and Diffie-Hellman). Given the widespread adoption of TLS and ACME, the threat reaches a global scale.
    In this context, this thesis addresses the challenges of adopting post-quantum cryptography (PQC) in TLS and ACME, focusing on the recommended approach called hybrid PQC (or hybrid mode). PQC is built on mathematical assumptions for which no efficient classical or quantum algorithm is known. Hybrids ease the PQC transition by combining it with classical cryptography. This thesis argues for hybrid-mode adoption through the following contributions: a secondary study classifying hybrid-mode schemes and assessing their efficiency and security; a tool that lets users check their TLS connections for quantum-safe guarantees; a study and an optimized approach for issuing PQC digital certificates in ACME; the design and implementation of a hybrid approach for the TLS alternative KEMTLS; and a novel hybrid concept (with implementation) for authentication using wrapped digital certificates. In most of the proposed hybrid-mode evaluations, the performance penalty was not significant compared with a PQC-only deployment. The novel hybrid authentication concept also provides a contingency plan for hybrids, contributing to PQC adoption. By proposing and evaluating different scenarios, approaches and protocols, this thesis adds to the efforts towards using hybrid PQC to mitigate the worrisome effects of the quantum threat to cryptography.

    Quantum-resistant Transport Layer Security

    The reliance on asymmetric public key cryptography (PKC) and symmetric encryption for cyber-security in current telecommunication networks is threatened by the emergence of powerful quantum computing technology. This is due to the ability of quantum computers to efficiently solve problems such as factorization or discrete logarithms, which are the basis for classical PKC schemes. Thus, the assumption that communications networks are secure no longer holds. Quantum Key Distribution (QKD) and post-quantum cryptography (PQC) are the first cyber-security technologies that allow communications to resist the attacks of a quantum computer. To achieve quantum-resistant communications, these technologies need to be incorporated into a network security protocol such as Transport Layer Security (TLS). In this paper, we describe and implement two novel hybrid solutions in which QKD and PQC are combined inside TLS to achieve quantum-resistant authenticated key exchange: concatenation and exclusive-OR (XOR). We present the results, in terms of complexity and security enhancement, of integrating state-of-the-art QKD and PQC technologies into a practical, industry-ready TLS implementation. Our findings demonstrate that the adoption of a PQC-only approach improves TLS handshake performance by approximately 9% compared to classical methods. Furthermore, our hybrid PQC-QKD quantum-resistant TLS comes at a performance cost of approximately 117% during the key establishment process. In return, we substantially augment the security of the handshake, paving the road for the development of future-proof quantum-resistant communication systems based on QKD and PQC.

    Making Existing Software Quantum Safe: Lessons Learned

    In the era of quantum computing, Shor's algorithm running on quantum computers (QCs) can break asymmetric encryption algorithms that classical computers essentially cannot. QCs, with the help of Grover's algorithm, can also speed up attacks on symmetric encryption algorithms. Though the exact date when QCs will become "dangerous" for practical problems is unknown, the consensus is that this future is near. Thus, one needs to start preparing for the era of quantum advantage and ensure quantum safety proactively. In this paper, we discuss the effect of quantum advantage on existing software systems and recap our seven-step roadmap, dubbed 7E. The roadmap gives developers a structured way to start preparing for the quantum advantage era. We then report the results of a case study that validates 7E. Our software under study is the IBM Db2 database system, where we upgrade the existing cryptographic schemes to post-quantum cryptography (using the Kyber and Dilithium schemes, since standardized by NIST as ML-KEM and ML-DSA) and report our findings and lessons learned. The outcome of the study shows that the 7E roadmap is effective in helping to plan the evolution of existing software security features towards quantum safety.

    The impact of data-heavy, post-quantum TLS 1.3 on the Time-To-Last-Byte of real-world connections

    It has been shown that post-quantum key exchange and authentication with ML-KEM and ML-DSA, NIST's post-quantum algorithm picks, will have an impact on the performance of TLS 1.3 as used on the Web and in other applications. Studies so far have focused on the overhead of quantum-resistant algorithms on TLS time-to-first-byte (handshake time). Although these works have been important in quantifying the slowdown in connection establishment, they do not capture the full picture regarding real-world TLS 1.3 connections, which carry sizable amounts of data. Intuitively, the introduction of an extra 10KB of ML-KEM and ML-DSA exchanges in the connection negotiation will inflate the connection establishment time proportionally more than it will increase the total connection time of a Web connection carrying 200KB of data. In this work, we quantify the impact of ML-KEM and ML-DSA on typical TLS 1.3 connections which transfer a few hundred KB from the server to the client. We study the slowdown in the time-to-last-byte of post-quantum connections under normal network conditions and in more unstable environments with high packet delay variability and loss probabilities. We show that the impact of ML-KEM and ML-DSA on the TLS 1.3 time-to-last-byte under stable network conditions is lower than the impact on the handshake and diminishes as the transferred data increases. The time-to-last-byte increase stays below 5% for high-bandwidth, stable networks. It goes from a 32% increase of the handshake time to under a 15% increase of the time-to-last-byte when transferring 50KiB of data or more under low-bandwidth, stable network conditions. Even when congestion control affects connection establishment, the additional slowdown drops below 10% as the connection data increases to 200KiB.
    We also show that connections under lossy or volatile network conditions could see a higher impact from post-quantum handshakes, but these connections' time-to-last-byte increase still drops as the transferred data increases. Finally, we show that such connections are already significantly slow and volatile regardless of the TLS handshake.
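    The handshake-versus-time-to-last-byte effect described above can be reproduced with an idealized congestion-control model. The following Python is an added example, not code or data from the paper: the flight sizes (a 5,000-byte classical server flight plus the 10KB of extra post-quantum material the abstract mentions), the 100 ms RTT and the 10 Mbit/s link are constructed inputs, and the model assumes no loss, no pacing, one RTT per congestion window and the Linux default initial window of 10 MSS (RFC 6928). It shows why a post-quantum first flight that spills past the initial window costs an extra round trip, and why that fixed cost shrinks relative to the total as the response grows.

```python
# Added example (not from the paper): idealized model of how a larger
# post-quantum server flight affects TLS 1.3 handshake time versus
# time-to-last-byte (TTLB). Assumptions, all constructed and labelled:
#   - no packet loss, no pacing, one RTT per congestion-window "flight",
#   - slow start: cwnd grows by the bytes acknowledged after each flight,
#   - initial cwnd = 10 * MSS (Linux default, RFC 6928),
#   - serialization delay = bytes * 8 / bandwidth for every flight.

MSS = 1460                  # payload bytes per TCP segment (typical Ethernet MTU)
INITCWND = 10 * MSS         # RFC 6928 initial window: 14,600 bytes

CLASSICAL_FLIGHT = 5_000    # constructed: ServerHello..Finished with an ECDHE/ECDSA chain
PQ_EXTRA = 10_000           # the "extra 10KB" of ML-KEM/ML-DSA material quoted above
PQ_FLIGHT = CLASSICAL_FLIGHT + PQ_EXTRA   # 15,000 bytes: one segment past INITCWND


def deliver(nbytes, cwnd, rtt, bandwidth_bps):
    """Deliver nbytes starting from congestion window cwnd.

    Returns (seconds, flights, cwnd_after). Each flight costs one RTT plus
    the serialization time of the bytes it carries; cwnd grows by the bytes
    acknowledged (slow start).
    """
    seconds, flights, remaining = 0.0, 0, nbytes
    while remaining > 0:
        chunk = min(cwnd, remaining)
        seconds += rtt + chunk * 8 / bandwidth_bps
        cwnd += chunk
        remaining -= chunk
        flights += 1
    return seconds, flights, cwnd


def simulate(rtt, bandwidth_bps, server_flight, response_bytes):
    """Return (handshake_seconds, ttlb_seconds) for one TLS 1.3 connection.

    Timeline: TCP handshake (1 RTT; the ClientHello rides with the final ACK),
    the server's first flight (which may span several cwnd rounds), then the
    client's Finished + request and the server's response, which inherits the
    cwnd grown while the handshake bytes were acknowledged.
    """
    handshake = rtt
    t, _, cwnd = deliver(server_flight, INITCWND, rtt, bandwidth_bps)
    handshake += t
    t, _, _ = deliver(response_bytes, cwnd, rtt, bandwidth_bps)
    return handshake, handshake + t


def pq_overhead(rtt, bandwidth_bps, response_bytes):
    """Fractional slowdown (handshake, time-to-last-byte) of the PQ flight
    relative to the classical one for a response of response_bytes."""
    hs_c, ttlb_c = simulate(rtt, bandwidth_bps, CLASSICAL_FLIGHT, response_bytes)
    hs_pq, ttlb_pq = simulate(rtt, bandwidth_bps, PQ_FLIGHT, response_bytes)
    return (hs_pq - hs_c) / hs_c, (ttlb_pq - ttlb_c) / ttlb_c


if __name__ == "__main__":
    for size in (0, 50 * 1024, 200 * 1024):
        hs, ttlb = pq_overhead(rtt=0.1, bandwidth_bps=10_000_000, response_bytes=size)
        print(f"{size:>7} B response: handshake +{hs:5.1%}, time-to-last-byte +{ttlb:5.1%}")
```

    Running the block prints the relative slowdowns for 0, 50 KiB and 200 KiB responses: the handshake overhead is constant (the 15,000-byte flight needs a second round trip that the 5,000-byte one does not), while the time-to-last-byte overhead falls to around 1% at 200 KiB in this model. Real connections add loss and delay variability, which the paper shows amplify the effect, so the model is a lower bound on what to expect, not a substitute for measurement.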

    Quantum-Resistant TLS 1.3: A Hybrid Solution Combining Classical, Quantum and Post-Quantum Cryptography

    Hybrid authenticated key exchange combines cryptographic key material from different sources (classical, quantum and post-quantum cryptography) to build protocols that are resilient to catastrophic failures, technology advances and future cryptanalytic attacks. In this work, we propose and implement a triple-hybrid version of the Transport Layer Security (TLS) 1.3 protocol, combining classical and post-quantum cryptography with quantum key distribution. We evaluate the performance of this triple-hybrid TLS in an experimental network scenario, and our analysis shows that the quantum-resistant feature comes at an increased communication cost of approximately 68% over the total time of the composite handshakes. In exchange, our solution enhances the TLS 1.3 protocol by adding quantum-resistant cryptographic schemes.
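    The concatenation and XOR combiners named in the Quantum-resistant Transport Layer Security abstract above, extended to the three key sources of the triple-hybrid handshake described in this abstract, as an added example that is not code from either paper. The ECDH secret, ML-KEM secret, QKD key and handshake context are constructed stand-ins; the HKDF is a plain RFC 5869 implementation over HMAC-SHA256, and the "tls13 hybrid combiner" label is an assumption for illustration, not a TLS 1.3 constant.

```python
import hashlib
import hmac
from typing import Sequence

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_concat(secrets: Sequence[bytes], context: bytes, length: int = 32) -> bytes:
    """Concatenation combiner.

    Every component secret (ECDH, PQ KEM, QKD) is length-prefixed and
    concatenated into one IKM, then run through HKDF with the handshake
    context (public key shares, KEM ciphertext, QKD key identifier) as the
    info string. If any single component stays secret and uniform, the output
    key does too, and the key is bound to the transcript that produced it.
    """
    if not secrets or any(len(s) == 0 for s in secrets):
        raise ValueError("every component must contribute a non-empty secret")
    # Length prefixes stop two different splits of the same bytes colliding.
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in secrets)
    prk = hkdf_extract(salt=bytes(HASH().digest_size), ikm=ikm)
    return hkdf_expand(prk, b"tls13 hybrid combiner" + context, length)  # label is an assumption


def combine_xor(secrets: Sequence[bytes]) -> bytes:
    """XOR combiner.

    Inputs must have equal length; the output is uniform as long as one input
    is uniform and independent of the others. Unlike the KDF combiner it binds
    nothing about the transcript and offers no domain separation.
    """
    if not secrets:
        raise ValueError("no secrets to combine")
    length = len(secrets[0])
    if length == 0 or any(len(s) != length for s in secrets):
        raise ValueError("XOR combiner needs equal, non-empty lengths")
    out = bytearray(length)
    for s in secrets:
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


# Constructed stand-ins for the three key sources. Real code would take these
# from the X25519 exchange, the KEM decapsulation and the QKD key-delivery API.
ECDH_SS = hashlib.sha256(b"constructed: X25519 shared secret").digest()
KEM_SS = hashlib.sha256(b"constructed: ML-KEM shared secret").digest()
QKD_KEY = hashlib.sha256(b"constructed: QKD-delivered key").digest()
CONTEXT = b"constructed: client_share || server_share || kem_ct || qkd_key_id"


def triple_hybrid_keys() -> dict:
    """Derive the session secret with both combiners from the constructed inputs."""
    return {
        "concat": combine_concat([ECDH_SS, KEM_SS, QKD_KEY], CONTEXT),
        "xor": combine_xor([ECDH_SS, KEM_SS, QKD_KEY]),
    }


if __name__ == "__main__":
    for name, key in triple_hybrid_keys().items():
        print(f"{name:>6}: {key.hex()}")
```

    The KDF combiner is the one to deploy: it accepts inputs of different lengths, the length prefixes rule out ambiguous parsing of the concatenated secrets, and feeding the key shares and ciphertexts in as context ties the session key to the exchange that produced it. The XOR combiner is included for comparison with the abstract's second variant; it is only as good as the independence and equal length of its inputs, and any mistake in either property (a zero key from a failed QKD delivery, for example) cancels a component silently rather than failing the handshake.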

    Performance of Hybrid Signatures for Public Key Infrastructure Certificates

    The modern public key infrastructure (PKI) model relies on digital signature algorithms to provide message authentication, data integrity, and non-repudiation. To provide these, digital signature algorithms, like most cryptographic schemes, rely on a mathematical hardness assumption for provable security. As we transition into a post-quantum era, the hardness assumptions used by traditional digital signature algorithms are increasingly at risk of becoming solvable in polynomial time. This renders the entirety of public key cryptography, including digital signatures, vulnerable to being broken. Hybrid digital signature schemes represent a potential solution to this problem. In this thesis, we provide the first test implementation of true hybrid signature algorithms. We evaluate the viability and performance of several hybrid signature schemes against traditional hybridization techniques via standalone cryptographic operations. Finally, we explore how hybrid signatures can be integrated into existing X.509 digital certificates and examine their performance by integrating both into the Transport Layer Security 1.3 protocol.
    Outstanding Thesis. Gunnery Sergeant, United States Marine Corps. Approved for public release; distribution is unlimited.

    Post-Quantum Cryptography for Internet of Things: A Survey on Performance and Optimization

    Due to recent developments in quantum computing, the invention of a large quantum computer is no longer a distant prospect. Quantum computing severely threatens modern cryptography, as the hard mathematical problems beneath classic public-key cryptosystems can be solved easily by a sufficiently large quantum computer. As such, researchers have proposed PQC based on problems that even quantum computers cannot efficiently solve. Generally, post-quantum encryption and signatures can be hard to compute. This could potentially be a problem for IoT, which usually consists of lightweight devices with limited computational power. In this paper, we survey existing literature on the performance of PQC in resource-constrained devices to understand the severity of this problem. We also review recent proposals to optimize PQC algorithms for resource-constrained devices. Overall, we find that whilst PQC may be feasible for reasonably lightweight IoT, proposals for its optimization seem to lack standardization. As such, we suggest that future research seek coordination, in order to ensure an efficient and safe migration of IoT toward the post-quantum era.
    Comment: 13 pages, 3 figures and 7 tables. Formatted version submitted to ACM Computer Survey.