Hybrid Post Quantum Groups in TLS 1.3

Recently, we announced our wolfSSL libOQS integration and we said we were planning to hybridize our KEMs with NIST-standardized ECDSA. The hybridization is completed. This is a brief summary of why this matters and what we did.

It might come as a shock, but the sad truth is that we do not actually know that these algorithms will resist attacks from quantum computers. But wait, it gets worse. We don’t even know that these algorithms are safe against a conventional computer!! For all we know, someone could break lattice-based cryptography tomorrow.  Please don’t panic.  Why? Because this is how cryptography has always worked.

We started using ECC because it looked promising and as more and more people studied it and tried to break it and failed, the more we trusted it. We never actually knew that ECC was safe, but no matter how hard we tried, we simply could not break it and so we trusted it. But now we know we will have quantum computers so we have to move to something else.

So what do we do? One solution is to not put our full faith into these new algorithms. For now, in the early days, we can hedge our bets by hybridizing post-quantum algorithms with cryptographic algorithms that we actually trust. ECC with NIST standardized curves seem like good candidates and we have to keep using them anyways since FIPS compliance is a priority.

This brings up a very important point. You can now experiment with post-quantum cryptography while staying FIPS compliant. This is a quote from the NIST PQ Crypto FAQ at https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs:

> Additionally, NIST plans to incorporate a cleaner, and therefore preferable, hybrid key establishment construction in a future revision of SP 800-56C:

> In any of the key derivation methods specified in SP 800 – 56C, the revision would permit a concatenation of Z and T, e.g.,  Z||T, to serve as the shared secret instead of Z. This would require the insertion of T into the coding for the scheme and the FIPS 140 validation code may need to be modified.

This means that as you are testing and experimenting in preparation for your migration to post-quantum cryptography you can do it in a more realistic situation; an environment that uses FIPS-certified software.

So how do we achieve hybridization? We followed the design described in https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-03.txt. In a nutshell:

– The client’s key share is the classical public key concatenated with the post-quantum public key.
– The server’s key share is the classical public key concatenated with the post-quantum ciphertext.
– The shared secret is the classical shared secret concatenated with the post-quantum shared secret.

The future on the cryptography landscape is scary and exciting. We at wolfSSL Inc want to help you navigate these dangers with cutting edge technologies so that calm is what you’ll be feeling with wolfSSL in your corner..

If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.