X25519Kyber768 Post-Quantum Key Exchange for HTTPS Communication
The X25519Kyber768 algorithm combines the elliptic curve-based X25519 with the Kyber768 post-quantum key exchange scheme, offering a robust and quantum-resistant solution for securing HTTPS communication.
This hybrid mechanism combines the output of two cryptographic algorithms to create the session key used to encrypt the bulk of the TLS connection:
- X25519 — an elliptic curve algorithm widely used for key agreement in TLS today
- Kyber-768 — a quantum-resistant Key Encapsulation Method, approved by NIST
Transport Layer Security (TLS)
The TLS protocol is designed to offer secure communication over a computer network. It ensures that client-server interactions occur over a protected channel by using symmetric encryption to encrypt the transmitted data. The symmetric key needed for this communication is exchanged between the parties as part of the handshake process.
TLS 1.3
TLS 1.3 represents the most recent iteration of the Transport Layer Security protocol, improving both security and efficiency compared to its predecessor, TLS 1.2. This version minimizes connection latency by streamlining the handshake process with fewer messages. Additionally, TLS 1.3 introduces enhanced support for secure cipher suites, effectively addressing vulnerabilities found in earlier protocols.
Key Exchange in TLS 1.3
The client initiates the TLS handshake by sending a ClientHello message to the server. The client uses the following TLS extensions to send the key sharing data to the server:
- supported_groups: list of supported key sharing algorithms
- key_share: names (group) and public keys (key_exchange) of some or all of the supported groups
In response, the server, having chosen a supported key share algorithm, communicates its name and public keys via the ServerHello response.
How X25519Kyber768 works
X25519 facilitates key exchange through elliptic curve Diffie-Hellman, while Kyber768 adds a layer of post-quantum secure key encapsulation. The sequence unfolds as follows:
- The client generates both X25519 and Kyber key pairs, while the server only generates an X25519 key pair.
- The client transmits its X25519 and Kyber public keys (within the ClientHello request) to the server.
- Upon receiving the ClientHello request, the server generates a random secret and then uses the client’s Kyber public key to encapsulate it. Then, the server sends its X25519 public key along with the encapsulated secret (in the ServerHello response) to the client.
- The client, upon receiving the ServerHello response, computes the X25519 shared secrets using its X25519 private key. Also, the client decapsulates the encapsulated secret using its Kyber private key.
- Simultaneously, the server calculates its own shared secrets.
However, the key shares exchanged with X25519Kyber768 are significantly larger than those of traditional X25519, which might reduce the efficiency of the key exchange process.
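To make the exchange and the size difference concrete, here is an added example (not from the original page or from any TLS library) that parses a ClientHello key_share extension body as laid out in RFC 8446 and splits the hybrid share into its X25519 and Kyber768 parts. The group code point 0x6399 and the 32/1184/1088-byte component sizes come from draft-tls-westerbaan-xyber768d00, not from this page. The function names are hypothetical and the sample bytes are constructed random data.

```python
import os
import struct

# NamedGroup code points: x25519 from RFC 8446; the hybrid from
# draft-tls-westerbaan-xyber768d00 (assumption: not stated on this page).
X25519 = 0x001D
X25519_KYBER768_DRAFT00 = 0x6399
X25519_LEN, KYBER768_PK_LEN, KYBER768_CT_LEN = 32, 1184, 1088


def parse_client_key_share(ext_data: bytes) -> dict:
    """Parse ClientHello key_share extension_data into {group: key_exchange}."""
    if len(ext_data) < 2 or int.from_bytes(ext_data[:2], "big") != len(ext_data) - 2:
        raise ValueError("client_shares length mismatch")
    shares, pos = {}, 2
    while pos < len(ext_data):
        if pos + 4 > len(ext_data):
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack_from("!HH", ext_data, pos)
        pos += 4
        if klen == 0 or pos + klen > len(ext_data):
            raise ValueError("bad key_exchange length")
        if group in shares:
            raise ValueError("duplicate group")  # RFC 8446 forbids duplicates
        shares[group] = ext_data[pos:pos + klen]
        pos += klen
    return shares


def split_hybrid_share(key_exchange: bytes, from_client: bool) -> tuple:
    """Split a hybrid share into (X25519 part, Kyber768 part), checking sizes."""
    # Client sends a Kyber public key; server replies with a Kyber ciphertext.
    kyber_len = KYBER768_PK_LEN if from_client else KYBER768_CT_LEN
    if len(key_exchange) != X25519_LEN + kyber_len:
        raise ValueError("unexpected hybrid key share length")
    return key_exchange[:X25519_LEN], key_exchange[X25519_LEN:]


def build_entry(group: int, key_exchange: bytes) -> bytes:
    """Encode one KeyShareEntry: group, 2-byte length, key_exchange."""
    return struct.pack("!HH", group, len(key_exchange)) + key_exchange


# Constructed sample: random bytes stand in for real public keys.
_entries = (build_entry(X25519_KYBER768_DRAFT00, os.urandom(1216))
            + build_entry(X25519, os.urandom(32)))
SAMPLE_EXT = struct.pack("!H", len(_entries)) + _entries

if __name__ == "__main__":
    for g, ke in parse_client_key_share(SAMPLE_EXT).items():
        print(f"group 0x{g:04x}: {len(ke)} bytes")
```

A client offering both groups, as in the sample, carries 1216 bytes of hybrid key share next to the 32-byte X25519 share, and the server's hybrid reply is 1120 bytes.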