Co-author: Dimitrios Sikeridis.
As has been pointed out on multiple occasions, if a real-world quantum computer were ever built, it could jeopardize the public key exchange, encryption, and digital signature schemes used today in secure tunnel protocols like (D)TLS, SSH, IKEv2/IPsec and more. To prepare for a post-quantum future, NIST has embarked on standardizing post-quantum algorithms, the IETF has seen Internet-Draft submissions for using these algorithms, and multiple vendors like Cisco, Microsoft, Cloudflare, Google and AWS have been looking at post-quantum key exchange or authentication in TLS. These attempts examine key exchange or authentication performance separately. They have shown that some post-quantum algorithms perform slower than the classical ones we use today, while others would slow down the TLS handshake significantly.
Almost all secure tunnel protocols would need post-quantum algorithms introduced into both their key exchange and their authentication mechanisms to become quantum-resistant. The performance of quantum-resistant key exchange and authentication combined has not yet been extensively investigated. Recently we have been experimenting with quantum-secure key exchange in conjunction with authentication in TLS 1.3 and SSH. The preliminary results are promising, as we expected from extrapolating the previous studies.
We have been focusing on efficient lattice algorithms for key exchange like the ntruhrss701 parameter set of the NTRU NIST submission and Kyber-512 of the Kyber submission. These algorithms have relatively small public keys and ciphertexts (