Google's CECPQ1 experiment in 2016 integrated a post-quantum key-exchange algorithm, newhope1024, into TLS 1.2. The Google-Cloudflare CECPQ2 experiment in 2019 integrated a more efficient key-exchange algorithm, ntruhrss701, into TLS 1.3. This paper revisits the choices made in CECPQ2, and shows how to achieve higher performance for post-quantum key exchange in TLS 1.3 using a higher-security algorithm, sntrup761. Previous work had indicated that ntruhrss701 key generation was much faster than sntrup761 key generation, but this paper makes sntrup761 key generation much faster by generating a batch of keys at once. Batch key generation is invisible at the TLS protocol layer, but raises software-engineering questions regarding the difficulty of integrating batch key exchange into existing TLS libraries and applications. This paper shows that careful choices of software layers make it easy to integrate fast post-quantum software, including batch key exchange, into TLS with minor changes to TLS libraries and no changes to applications. As a demonstration of feasibility, this paper reports successful integration of its fast sntrup761 library, via a lightly patched OpenSSL, into an unmodified web browser and an unmodified TLS terminator. This paper also reports TLS 1.3 handshake benchmarks, achieving more TLS 1.3 handshakes per second than any software included in OpenSSL.
翻译:2016年谷歌的 CECPQ1 实验 2016年谷歌的CECPQ1 实验将一个后Qontum 关键交换算法(Newhope1024) 整合到 TLS 1. 2. 2019年谷歌- Cloudflare CECPQ2 实验将一个更有效的关键交换算法(ntruhrs701) 整合到 TLS 1.3. 。 本文回顾了在 CECPQ2 中做出的选择, 并展示了如何在 TLS 1.3 中实现后 TLS 关键交换的更高性能, 使用一种更高的安全算法( stontrup761 ) 。 先前的工作表明, 苯rpss 701 关键生成比 sntrps 701 关键生成要快得多得多, 但是, 这张纸质 761 通过一次生成一批钥匙来使调制761 关键生成更快。 在 TLSLS 协议层 上, 无法看到关于将批次键交换转换到现有 TLS 软件的硬化硬化的硬化硬化软件的硬化硬化软件。