You are looking at a specific version 20210421:135303 of this paper.

Paper 2020/534

Post-quantum TLS without handshake signatures

Peter Schwabe and Douglas Stebila and Thom Wiggers

Abstract

We present KEMTLS, an alternative to the TLS 1.3 handshake that uses key-encapsulation mechanisms (KEMs) instead of signatures for server authentication. Among existing post-quantum candidates, signature schemes generally have larger public key/signature sizes compared to the public key/ciphertext sizes of KEMs: by using an IND-CCA-secure KEM for server authentication in post-quantum TLS, we obtain multiple benefits. A size-optimized post-quantum instantiation of KEMTLS requires less than half the bandwidth of a size-optimized post-quantum instantiation of TLS 1.3. In a speed-optimized instantiation, KEMTLS reduces the amount of server CPU cycles by almost 90% compared to TLS 1.3, while at the same time reducing communication size, reducing the time until the client can start sending encrypted application data, and eliminating code for signatures from the server's trusted code base.

Note: Small updates to the security model and proof

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. ACM CCS 2020
DOI
10.1145/3372297.3423350
Keywords
TLS, Transport Layer Security, authentication protocols, public-key cryptography, key-encapsulation mechanisms, post-quantum, NIST PQC
Contact author(s)
peter @ cryptojedi org, dstebila @ uwaterloo ca, thom @ thomwiggers nl
History
2022-03-15: last of 7 revisions
2020-05-07: received
Short URL
https://ia.cr/2020/534
License
Creative Commons Attribution
CC BY