Paper 2019/858

Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH

Eric Crockett, Christian Paquin, and Douglas Stebila


Once algorithms for quantum-resistant key exchange and digital signature schemes are selected by standards bodies, adoption of post-quantum cryptography will depend on progress in integrating those algorithms into standards for communication protocols and other parts of the IT infrastructure. In this paper, we explore how two major Internet security protocols, the Transport Layer Security (TLS) and Secure Shell (SSH) protocols, can be adapted to use post-quantum cryptography. First, we examine various design considerations for integrating post-quantum and hybrid key exchange and authentication into communications protocols generally, and in TLS and SSH specifically. These include issues such as how to negotiate the use of multiple algorithms for hybrid cryptography, how to combine multiple keys, and more. Subsequently, we report on several implementations of post-quantum and hybrid key exchange in TLS 1.2, TLS 1.3, and SSHv2. We also report on work to add hybrid authentication in TLS 1.3 and SSHv2. These integrations are in Amazon s2n and forks of OpenSSL and OpenSSH; the latter two rely on the liboqs library from the Open Quantum Safe project.

Available format(s)
Publication info
Published elsewhere. NIST 2nd PQC Standardization Conference, Santa Barbara, California, August 2019
post-quantum cryptographyTLSSSH
Contact author(s)
dstebila @ uwaterloo ca
2019-07-24: received
Short URL
Creative Commons Attribution


      author = {Eric Crockett and Christian Paquin and Douglas Stebila},
      title = {Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH},
      howpublished = {Cryptology ePrint Archive, Paper 2019/858},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.