Quantum-Safe Hybrid (QSH) Ciphersuite for Transport Layer Security (TLS) version 1.3
draft-whyte-qsh-tls13-03

Document Type Active Internet-Draft (individual)
Last updated 2016-10-05
INTERNET-DRAFT                                             J. M. Schanck
Intended Status: Experimental          Security Innovation & U. Waterloo
Expires: 2017-04-04                                             W. Whyte
                                                     Security Innovation
                                                                Z. Zhang
                                                     Security Innovation
                                                              2016-10-04

                 Quantum-Safe Hybrid (QSH) Ciphersuite
             for Transport Layer Security (TLS) version 1.3
                      draft-whyte-qsh-tls13-03.txt

Abstract

   This document describes the Quantum-Safe Hybrid ciphersuite, a new
   cipher suite providing modular design for quantum-safe cryptography
   to be adopted in the handshake for the Transport Layer Security (TLS)
   protocol version 1.3.  In particular, it specifies the use of the
   NTRUEncrypt encryption scheme in a TLS handshake.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html.  

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2017-04-04.

   Update from last version: keeping alive till TLS WG review.

 

Schanck et al.             Expires 2017-04-04                   [Page 1]
INTERNET DRAFT     Quantum-safe handshake for TLS 1.3         2016-10-04

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Modular design for quantum-safe hybrid handshake . . . . . . .  4
   3.  Data Structures and Computations . . . . . . . . . . . . . . .  7
     3.1.  Data structures for Quantum-safe Crypto Schemes  . . . . .  7
     3.2.  Client Hello Extensions  . . . . . . . . . . . . . . . . .  9
     3.3.  HelloRetryRequest Extensions . . . . . . . . . . . . . . . 11
     3.4.  Server Key Share Extension . . . . . . . . . . . . . . . . 12
   4.  Cipher Suites  . . . . . . . . . . . . . . . . . . . . . . . . 14
   5.  Specific information for Quantum Safe Scheme . . . . . . . . . 14
     5.1.  NTRUEncrypt  . . . . . . . . . . . . . . . . . . . . . . . 14
     5.2.  LWE  . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     5.3.  HFE  . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     5.4.  McEliece/McBits  . . . . . . . . . . . . . . . . . . . . . 15
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 15
     6.1.  Security, Authenticity and Forward Secrecy . . . . . . . . 15
     6.2.  Quantum Security and Quantum Forward Secrecy . . . . . . . 15
     6.3.  Quantum Authenticity . . . . . . . . . . . . . . . . . . . 15
   7.  Compatibility with TLS 1.2 and earlier version . . . . . . . . 15
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 15
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
   10.  References  . . . . . . . . . . . . . . . . . . . . . . . . . 16
     10.1.  Normative References  . . . . . . . . . . . . . . . . . . 16
     10.2.  Informative References  . . . . . . . . . . . . . . . . . 17
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
   Copyright Notice . . . . . . . . . . . . . . . . . . . . . . . . . 18


1.  Introduction

   Quantum computers pose a significant threat to modern cryptography.
   The two most widely adopted public-key cryptosystems, RSA [PKCS1] and
   Elliptic Curve Cryptography (ECC) [SECG], will be broken by
   general-purpose quantum computers.  RSA has been used in TLS from
   version 1.0 through version 1.3 [RFC2246], [RFC4346], [RFC5246],
   [TLS1.3].  ECC was enabled by RFC 4492 [RFC4492] and adopted in TLS
   version 1.2 [RFC5246] and version 1.3 [TLS1.3].  On the other hand,
   several quantum-safe cryptosystems exist, such as the NTRUEncrypt
   cryptosystem [EESS1], that deliver similar performance yet are
   conjectured to be robust against quantum computers.