Hybrid Key Exchanges as an Interim-to-Permanent Solution to Cryptographic Agility

Matthew Campagna, Amazon Web Services

Agenda

Classical cryptographic reasoning

Post-quantum

Hybrid

Post-Quantum s2n

Here is what keeps me up at night

[Diagram: Client – Internet – AWS Cloud. An adversary on the path records the encrypted traffic today; new capabilities arriving later (in this deck, a quantum computer) let them recover the plaintext data from the recording and harvest it.]

Confidentiality requirement: the recorded data has to stay confidential for its whole required lifetime, and that lifetime may extend past the arrival of those new capabilities.

Security of an algorithm

The computational complexity of the best known attack:
• defines the bit strength of an algorithm;
• bounds the algorithm's security lifetime.

Complexity is quoted as O(2^n) for exhaustive search, or as L_n[a, c] for subexponential attacks such as the number field sieve.

How assured am I that better attacks are not coming?
• How long has this problem been studied?
• Who has studied it, and what is the published record of that analysis?
• There is no compressing the iterative analyse/discover/disseminate process.
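The subexponential notation used on the next slide, written out as an added definition (standard notation, not a formula from the slides):

$$
L_n[a, c] = \exp\!\Big( (c + o(1))\,(\ln n)^{a}\,(\ln \ln n)^{1-a} \Big), \qquad 0 \le a \le 1,
$$

so $L_n[0, c]$ is polynomial in $\ln n$, $L_n[1, c]$ is fully exponential, and the number field sieve's $L_n[1/3, (64/9)^{1/3}]$ lies between them, with $n$ the modulus being factored or the size of the prime field. In the $2^{n}$ and $2^{n/2}$ entries, by contrast, $n$ is the key or digest length in bits: exhaustive search of a 128-bit key costs $2^{128}$, and a birthday attack on a 128-bit digest about $2^{64}$.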

Best known attacks

Algorithm          Invented   Standardized   Widely used   Best known attack (year)   Complexity
ECC                1985       1999           2000s         Pollard rho (1978)         2^(n/2)
FF (finite-field)  1976       1991           1990s         NFS (1990)                 L_n[1/3, (64/9)^(1/3)]
RSA                1978       1998           1990s         NFS (1990)                 L_n[1/3, (64/9)^(1/3)]
AES                1998       2001           2005          exhaustive search          2^n
DES                1975       1977           1980s         differential (1991)        –
SHA-1              –          1995           1990s         collision (2005)           < 2^(n/2)
SHA-2              2001       2002           2005          birthday attack            2^(n/2)
SHA-3              2008       2015           ?             birthday attack            2^(n/2)
ChaCha20           2008       2015           2018          exhaustive search          2^n

Impact of quantum computing on cryptography

Shor's algorithm (1994): solves the discrete logarithm problem (breaking Diffie-Hellman and elliptic curve cryptography) and factors composite numbers (breaking RSA).

Grover's algorithm (1996): searches an unsorted database of N items in O(√N) time (halving the effective key length of symmetric ciphers and the cost of preimage search for hash functions).

Timeline for quantum computing

What has ETSI been doing

2013 – Initial ETSI/IQC Quantum Safe Cryptography Workshop

2014 – Started the ETSI QSC Industry Specification Group

2015 – Published the ETSI white paper "Quantum Safe Cryptography and Security"

2016 – ETSI CYBER QSC Technical Committee (Chair: Mark Pecen), with work items:
CYBER-QSC-008 (TR 103 616): Quantum Safe Signatures
CYBER-QSC-0012 (TR 103 618): Quantum Safe Identity Based Encryption
CYBER-QSC-0015 (TS): Quantum-Safe Hybrid Key Exchanges

NIST Standardization Process

2015 – NSA changes the Suite B algorithms to prepare for post-quantum
2016 – NIST issues a call for proposals for post-quantum algorithms
2017 – Round 1: 69 initial complete packages
2019 – Round 2: 17 key encapsulation mechanisms, 9 signature schemes

[Figure: NIST process timeline. Call for proposals (Jan 2017); 1st round candidates (Nov 2017); 1st conference, analysis and evaluation (April 2018); 2nd round candidates (Jan 2019); 2nd conference, more analysis (Aug 2019); 3rd round candidates, analysis and evaluation; draft standards (2022–2023).]

NIST PQ KEM Round 2 Submissions

[Chart: Round 2 KEM submissions plotted by size in bytes (log scale, 1000 to 300000) against cost (log scale, 100K to 1B); individual data points are not recoverable here.]

Quantum-safe cryptography – recap

We can't rely solely on the new algorithms until we have more assurance.

We want to test them to understand the impact on the applications and protocols we use today.

We do both: perform hybrid key exchanges.

One classical, like Elliptic Curve Diffie-Hellman.

One quantum-safe, like BIKE or SIKE.

Combine them in a cryptographically non-lossy way.

Hybrid key agreements

Classical (ECDH) key agreement:

  Alice: generate (a, A)            Bob: generate (b, B)
  Alice → Bob: A
  Bob → Alice: B
  Alice: K = KDF(aB)                Bob: K = KDF(bA)

Hybrid key agreement (ECDH plus a KEM with Gen / Encaps / Decaps):

  Alice: generate (a, A); (sk, pk) = Gen()
  Alice → Bob: A, pk
  Bob: generate (b, B); (ss, ct) = Encaps(pk)
  Bob → Alice: B, ct
  Alice: ss = Decaps(sk, ct)
  Alice: K = KDF(aB || ss)          Bob: K = KDF(bA || ss)

PQ-TLS 1.2 – hybrid key exchange

Client                                        Server (RSA private key d; certificate Cert(e, N))

ClientHello →
                                              Generate ECDHE (a, A)
                                              (sk, pk) = KeyGen()
                                              sig = Sign(d; A, pk, …)
                                           ← Certificate (Cert(e, N))
                                           ← ServerKeyExchange (A, pk, sig)
Verify(sig; A, pk, …; (e, N))
Generate ECDHE (b, B)
(ss, ct) = Encaps(pk)
ClientKeyExchange (B, ct) →
keys = derive_keys(bA, ss, …)
                                              ss = Decaps(sk, ct)
                                              keys = derive_keys(aB, ss, …)
ApplicationData ↔

This is a sketch of a TLS_ECDHE_SIKE_RSA_* negotiated cipher suite connection: the KEM public key and ciphertext ride in the same ServerKeyExchange and ClientKeyExchange messages as the ECDHE values, and both secrets enter the key derivation together.

Draft experimental RFC within the IETF for hybrid key exchange in TLS 1.2.

Added SIKE and BIKE reference code into AWS's s2n TLS library code base.

Added hybrid key exchange cipher suites into s2n:
TLS_ECDHE_BIKE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_SIKE_RSA_WITH_AES_256_GCM_SHA384

Apply the same rigor to this new code as we do to the rest of s2n.

PQ-TLS 1.2 – Bandwidth usage (bytes)

Cipher suite                         ClientHello   ServerKeyExchange   ClientKeyExchange
ECDHE-RSA-AES256-GCM-SHA384          139           329                 66
ECDHE-BIKE-RSA-AES256-GCM-SHA384     147           2875                2610
ECDHE-SIKE-RSA-AES256-GCM-SHA384     147           711                 470

PQ s2n performance numbers – P50 (ms)

                     Local host   us-west2   us-west1   eu-west2   ap-south1
Ping                 0.08         0.69       21         133        22
ECDHE                1.2          2.6        43         278        434
ECDHE-BIKE hybrid    25           27         67         302        458
ECDHE-SIKE hybrid    155          156        197        431        588

What comes next

Integrate PQ s2n into AWS SDKs and deploy pq-hybrid into AWS KMS

Move from the Round 1 candidates to Round 2

Add a lattice-based scheme into PQ s2n

Use an ETSI standardized hybrid-key agreement scheme

Increase performance (10x): move from reference code to optimized code

Move from TLS 1.2 to TLS 1.3; consider alternatives to pq-hybrid

Double-hulled TLS

[Diagram: Client ↔ AWS Cloud through two nested TLS connections, one carried inside the other:
– a FIPS-certified layer using ECDHE and TLS-AES256-GCM-SHA384;
– a second layer using a PQ-KEM and TLS-CHACHA20-POLY1305-SHA3-384 (label as on the slide; not a registered TLS cipher suite name).]

Either layer alone keeping its key secret is enough to protect the data, so this gives the same "both must be broken" property as the hybrid key exchange, obtained by stacking protocols rather than inside one key schedule.

7th ETSI/IQC Quantum Safe Cryptography Workshop

When: 5–7 November 2019
Where: Amazon Headquarters in Seattle, US
Who: Admission is open to all
Executive Track: CTOs, CISOs, executives and government decision makers looking to understand current trends in quantum-safe or post-quantum cryptography.
Technical Track: Technologists and standards participants looking to increase their knowledge of the state of the art in quantum-safe cryptography.

Additional dates: submission deadline is 22 June 2019

Thank you!

Additional details

AWS Labs: https://github.com/awslabs/s2n

IETF:
https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid-01
https://tools.ietf.org/html/draft-stebila-tls-hybrid-design-00

ETSI:
https://www.etsi.org/events/1607-etsi-iqc-quantum-safe-cryptography-workshop-2019
https://portal.etsi.org/tb.aspx?tbid=856&SubTB=856#/

NIST: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography