KEMTLS: Post-quantum TLS without signatures - Cloudflare

Modern protocols, such as the Signal protocol, the Noise framework, or WireGuard, rely on key exchange mechanisms for authentication; but they are unsuitable for the TLS 1.3 case as they expect the long-term key material to be known in advance by the interested parties.

We also had this problem when bootstrapping device linking over pubsub. We have some extra components to work with (e.g. well-authenticated UCANs can be assumed, root of trust, &c).

A related paper: Post-Quantum TLS Without Handshake Signatures, September 2020

As we cannot force certificate authorities to use certificates with long-term post-quantum KEM keys, we decided to use Delegated Credentials. A delegated credential is a short-lasting key that the certificate’s owner has delegated for use in TLS. Therefore, they can be used for post-quantum KEM keys.

Also feels familiar.

1 Like