idnits 2.17.1 draft-kiefer-tls-ecdhe-sidh-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 06, 2018) is 1996 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group F. Kiefer 3 Internet-Draft Mozilla 4 Intended status: Experimental K. Kwiatkowski 5 Expires: May 10, 2019 Cloudflare 6 November 06, 2018 8 Hybrid ECDHE-SIDH Key Exchange for TLS 9 draft-kiefer-tls-ecdhe-sidh-00 11 Abstract 13 This draft specifies a TLS key exchange that combines the post- 14 quantum key exchange, Supersingular elliptic curve isogenie diffie- 15 hellman (SIDH), with elliptic curve Diffie-Hellman (ECDHE) key 16 exchange. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on May 10, 2019. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 1. Introduction 52 Supersingular elliptic curve isogenie diffie-hellman (SIDH) has been 53 proposed [SIDH] as a diffie-hellman like key-exchange protocol secure 54 against quantum computers. Because there's not enough confidence in 55 the security of SIDH yet it should only be used in combination with a 56 classical key-exchange scheme. 58 This document defines a way to combine [eSIDH] with the ECDHE key 59 exchanges defined in [RFC7748] for the TLS 1.3 [RFC8446] key- 60 exchange. 62 "x25519" is combined with "sidh503" and "x448" is combined with 63 "sidh751". 65 1.1. Performance Considerations 67 Both handshake partners have to compute the SIDH values in addition 68 to the ECDHE values, which requires additional time for computation. 69 The handshake messages also get larger because the SIDH values are 70 added (see Section 4 for details). 72 1.2. Notation 74 x25519 and x448 denote the ECDHE algorithms defined over the 75 respective curve from [RFC7748]. sidh503 and sidh751 denote the SIDH 76 algorithms defined using a prime of bit-length "503" and "751" 77 respectively. 79 1.3. Terminology 81 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 82 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 83 "OPTIONAL" in this document are to be interpreted as described in BCP 84 14 [RFC2119] [RFC8174] when, and only when, they appear in all 85 capitals, as shown here. 87 2. Hybrid SIDH-ECDHE Key Exchange 89 A hybrid key exchange takes the output of two separate key exchanges 90 and mixes the results in a secure way. 92 The ECDHE and SIDH shared secrets are calculated independently. The 93 shared secret for ECDHE-SIDH is then the concatenation of the ECDHE 94 and the SIDH shared secrets. For x25519sidh503 for example this is 96 secret = x25519_secret || sidh_secret 97 The HKDF-Extract step used by TLS is relied on to combine entropy 98 from both secrets. 100 2.1. ECDHE shared secret calculation 102 The ECDHE shared secret calculation is performed as described in 103 Section 7.4.2 of [RFC8446]. 105 2.2. SIDH Key Exchange 107 This document uses primes p503 and p751 defined in [eSIDH] and [SIKE] 108 for sidh503 and sidh751. See [SIKE] for details on how to compute 109 key-exchange messages and the shared secret. Optimised versions of 110 the algorithms mentioned here might be used. 112 2.2.1. Field Element Representation 114 Each element ("c=a+b*i") of the underlying quadratic field GF(p^2) is 115 encoded as an array of bytes in little-endian order, i.e., the least 116 significant octet appears first, where each element "a,b" from GF(p) 117 is encoded using "itoos" from [SIKE] Section 1.2.6. In particular, 118 an element of GF(p) is converted to 120 e_(n-1) * 256^(n-1) + ... + e_1 * 256 + e_0 122 with "n" 63 for p503 and 94 for p751. The octet representation of 123 each element is then the concatenation of "e_i" in little endian, 124 i.e. "e_0||...||e_(n-1)", and the octet representation of element "c" 125 is the concatenation of "a" and "b", "a||b". 127 See "fp2toos" [SIKE] Section 1.2.6 to 1.2.8 for details. 129 2.2.2. Key-exchange message generation 131 After choosing a private key each party computes its public key (P, 132 Q, R) using "isogen_l" from [SIKE] Section 1.3.5 and converts each 133 element into octets (cf. Section 2.2.1). 135 See "pktoos" from [SIKE] Section 1.2.9 for details on converting the 136 public key to octets. 138 2.2.3. Shared secret calculation 140 The SIDH shared secret is calculated as described in Section 1.3.6 of 141 [SIKE] using "isoex_l". 143 Calculating SIDH shared secret requires each side to use isogenies of 144 different degree. This document assumes parameterizations as 145 described in [SIKE], which is based on 4- and 3-power degree 146 isogenies. In order to calculate the shared secret, the client 147 always generates an ephemeral key pair based on 4-power degree 148 isogenies. Accordingly, the server always generates an ephemeral key 149 pair based on 3-power degree isogenies. 151 The shared secret is a j-invariant and therefore an element of 152 GF(p^2). It is converted to octets as described in Section 2.2.1. 154 See "fp2toos" [SIKE] Section 1.2.6 to 1.2.8 for details. All values 155 are encoded without length prefixes or separators. 157 3. Negotiated Groups 159 This document extends the enum of NamedGroups to use in the 160 "supported_groups" extension from TLS 1.3 [RFC8446] Section 4.2.7. 161 The new codepoint for the "Supported Groups Registry" is: 163 enum { 164 ..., 165 x25519sidh503(0x0105), x448sidh751(0x0106), 166 } NamedGroup; 168 4. ECDHE-SIDH key exchange parameters 170 This document defines ECDHE-SIDH parameters to use in the "key_share" 171 extension from TLS 1.3 (see Section 4.2.8 of [RFC8446]). 173 ECDHE parameters for both clients and servers are encoded in the 174 "key_exchange" field of a KeyShareEntry as described in Section 4.2.8 175 of [RFC8446] and [RFC7748]. SIDH parameters are appended to this 176 value. 178 In particular, the contents are the serialised value of the following 179 struct: 181 struct { 182 opaque X[coordinate_length]; 183 opaque P[sidh_coordinate_length]; 184 opaque Q[sidh_coordinate_length]; 185 opaque R[sidh_coordinate_length]; 186 } UncompressedPointRepresentation; 188 X is the public point from x25519 or x448 as described in [RFC7748]. 190 P, Q, and R are the binary representations of three field elements 191 over GF(p503^2) and GF(p751^2) respectively from the public SIDH key 192 values as described in Section 2.2.2. All values in the struct are 193 encoded without length prefixes or separators. 195 Implementers MUST perform the checks to verify the SIDH public key as 196 specified in Section 9 of [eSIDH]. 198 5. Security Considerations 200 Security of SIDH is based on the isogeny walk problem, assuming 201 elliptic curves between isogenies are supersingular (see [SIKE] 202 chapter 4.1). Algorithms solving this problem as well as usage of 203 isogenies as drop-in replacement for Diffie-Hellman are relatively 204 young area of research. Therefore the security behind the ECDHE-SIDH 205 handshake does not rely on the security of SIDH exclusively. 207 Idea behind ECDHE-SIDH hybrid scheme is to combine an existing key- 208 agreement algorithm with what's believed to be a quantum-resistant 209 one. When large quantum computers are available they will be able to 210 break both x25519 and x448. In this case the ECDHE-SIDH scheme is 211 still safe assuming SIDH is secure. On the other hand, if SIDH is 212 found to be flawed, the hybrid scheme is still secure against 213 classical attacks assuming security of x25519/x448. Security 214 estimates for classical and quantum computers are provided in table 215 below based on [SIKE] and [RFC7748]. [RNSL] Chapter 1 provides 216 introduction to quantum resource estimates. 218 +---------------+-----------+----------+------------------+ 219 | Scheme | Classical | Quantum | NIST PQ category | 220 +---------------+-----------+----------+------------------+ 221 | x25519sidh503 | 128-bit | 64-qubit | 1 | 222 | | | | | 223 | x448sidh751 | 224-bit | 96-qubit | 3 | 224 +---------------+-----------+----------+------------------+ 226 As described in [ISOSEC] it is possible to perform active attacks on 227 static-static or non-interactive variants of the SIDH scheme. The 228 countermeasure for this attack was described in [KLM15]. Research 229 proposes so-called "indirect key validation", using Fujisaki-Okamoto 230 type transform. However, using this transform is impractical and 231 thus SIDH can be considered secure only if used for ephemeral keys. 232 A more detailed discussion can be found in [URBJAO]. 234 Security against side-channel attacks is described in [SIKE]. 235 Implementers are encouraged to use a constant-time implementation. 237 The security of the described key exchange relies on the security, in 238 particular the collision resistance, of the used key-derivation 239 function. TLS 1.3 uses HKDF [RFC5869] as its key-derivation 240 function. It is therefore important that the hash function used in 241 HKDF is collision-resistant. 243 6. Test vectors 245 This section gives a test vectors for "x25519sidh503". 247 6.1. 1-RTT Handshake 249 Client SIDH-ECDHE public key: 251 Public Key (X25519||SIDH) [Len: 410 (32+378)] 252 2b 5b 10 41 56 2f c7 04 d8 56 ce 41 9c e3 7d e6 253 ae 0e 32 a9 98 5e a5 95 47 5a 9d a2 98 59 67 16 254 6f ed 78 ba b1 01 e7 f4 c4 f4 9a d6 4f ac 8d ee 255 ee 46 57 10 f7 12 40 41 7a 45 53 c2 35 b5 f7 a0 256 42 9e c3 38 d3 7c 47 11 78 f7 8d d3 c9 18 9c 79 257 7c dc d3 7f e4 93 ac 63 c4 77 5e 36 43 d5 2a 43 258 ee a9 37 b6 88 41 86 98 c9 dc d6 b7 20 66 ab 3d 259 d1 e4 f7 90 80 8d 8e fb 0b bf 79 bb b6 e2 13 c0 260 38 4e 86 20 13 49 81 be 31 f9 2c 73 a3 2a e9 3c 261 e1 7e b5 1b 75 2d 3f 26 79 7c c2 e5 e5 16 57 1d 262 6f b4 06 4b 5d b1 9b bd d2 cf 4b f1 2b cd f9 b2 263 5f 2c 9d 1b d1 78 55 4c b7 ec fa 7a 3a 64 dd db 264 6b 43 0f 67 e9 61 1d 57 fe 63 c8 d4 b3 0f 7a 2f 265 60 1b 0f 6a 3a e6 80 0c 14 b7 05 ae 06 bb 5c 46 266 71 1b 0e d7 a0 e7 bb 5d 87 37 c4 56 d8 c4 b2 e1 267 01 a6 39 70 14 13 50 22 4f cf d9 20 77 51 f7 c4 268 37 27 c0 57 5c f2 be 36 3b f7 38 1f 95 5f 54 fc 269 f4 ce 96 24 fa 04 d8 62 03 aa 9b 24 28 56 47 e9 270 c3 04 24 5e ee b5 3e 16 25 c9 b3 0d 70 6e e7 a1 271 a8 76 bf 8c 53 78 7f d0 a3 13 26 fd 3a b5 f6 11 272 05 60 af 4a ad 7e 45 0c 41 de 52 e5 29 4d a1 42 273 c3 7b 88 7b 6a ed 66 03 04 25 12 78 31 36 94 58 274 86 e6 00 59 13 99 0c c1 5d 1c d0 f7 aa c3 73 a9 275 dd 25 ac cd 4d 04 2a dd 77 f0 b0 96 6e 3a 0b 76 276 df 59 92 de 38 fe e5 10 5d 8b 6d e5 b9 1e 1e 8c 277 8b 9c a5 9c 52 2f 26 d6 73 0d 279 Client SIDH-ECDHE private key: 281 SIDH Private Key [Len: 32] 282 37 83 09 b4 a8 c4 b8 6a 83 84 36 8a 18 55 d8 48 283 69 f2 31 60 2e f0 a6 70 d3 24 fe 92 e5 25 82 01 285 X25519 Private Key [Len: 32] 286 a0 31 67 54 87 02 0f cb ef 07 40 af d3 ec 90 19 287 88 02 fa d5 83 46 46 c9 8e 0e 49 c0 e1 3e 86 1a 289 Client Hello: 291 CH [Len: 522] 292 01 00 02 06 03 03 bf d0 ca 2e 81 e2 6e c4 d8 01 293 6b 2e 86 f3 2e d9 d0 f9 83 93 85 03 50 3f 67 05 294 71 cf 82 1d 5c e4 00 00 02 13 01 01 00 01 db 00 295 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 296 00 01 00 00 0a 00 04 00 02 01 05 00 33 01 a0 01 297 9e 01 05 01 9a 2b 5b 10 41 56 2f c7 04 d8 56 ce 298 41 9c e3 7d e6 ae 0e 32 a9 98 5e a5 95 47 5a 9d 299 a2 98 59 67 16 6f ed 78 ba b1 01 e7 f4 c4 f4 9a 300 d6 4f ac 8d ee ee 46 57 10 f7 12 40 41 7a 45 53 301 c2 35 b5 f7 a0 42 9e c3 38 d3 7c 47 11 78 f7 8d 302 d3 c9 18 9c 79 7c dc d3 7f e4 93 ac 63 c4 77 5e 303 36 43 d5 2a 43 ee a9 37 b6 88 41 86 98 c9 dc d6 304 b7 20 66 ab 3d d1 e4 f7 90 80 8d 8e fb 0b bf 79 305 bb b6 e2 13 c0 38 4e 86 20 13 49 81 be 31 f9 2c 306 73 a3 2a e9 3c e1 7e b5 1b 75 2d 3f 26 79 7c c2 307 e5 e5 16 57 1d 6f b4 06 4b 5d b1 9b bd d2 cf 4b 308 f1 2b cd f9 b2 5f 2c 9d 1b d1 78 55 4c b7 ec fa 309 7a 3a 64 dd db 6b 43 0f 67 e9 61 1d 57 fe 63 c8 310 d4 b3 0f 7a 2f 60 1b 0f 6a 3a e6 80 0c 14 b7 05 311 ae 06 bb 5c 46 71 1b 0e d7 a0 e7 bb 5d 87 37 c4 312 56 d8 c4 b2 e1 01 a6 39 70 14 13 50 22 4f cf d9 313 20 77 51 f7 c4 37 27 c0 57 5c f2 be 36 3b f7 38 314 1f 95 5f 54 fc f4 ce 96 24 fa 04 d8 62 03 aa 9b 315 24 28 56 47 e9 c3 04 24 5e ee b5 3e 16 25 c9 b3 316 0d 70 6e e7 a1 a8 76 bf 8c 53 78 7f d0 a3 13 26 317 fd 3a b5 f6 11 05 60 af 4a ad 7e 45 0c 41 de 52 318 e5 29 4d a1 42 c3 7b 88 7b 6a ed 66 03 04 25 12 319 78 31 36 94 58 86 e6 00 59 13 99 0c c1 5d 1c d0 320 f7 aa c3 73 a9 dd 25 ac cd 4d 04 2a dd 77 f0 b0 321 96 6e 3a 0b 76 df 59 92 de 38 fe e5 10 5d 8b 6d 322 e5 b9 1e 1e 8c 8b 9c a5 9c 52 2f 26 d6 73 0d 00 323 2b 00 03 02 7f 1c 00 0d 00 04 00 02 04 01 00 2d 324 00 02 01 01 00 1c 00 02 40 01 326 Server selected KE = (EC)DHE. Group = 261. 328 Server SIDH-ECDHE public key: 330 Public Key (X25519||SIDH) [Len: 410 (32+378)] 331 f8 c6 8f 4e 57 6b fb ec b3 de 23 d9 db 89 fc 1b 332 f4 6f 01 a5 c0 91 61 fd c4 e7 bc 58 b4 eb 5f 76 333 44 c4 c7 7b a3 09 1a 60 c7 15 8f 1e d6 83 f2 1c 334 f8 36 13 a4 b3 c5 bc 4e 73 41 96 36 34 9a 9e 5a 335 bc fc 9d fa 2b c3 2c 85 17 44 9b 21 8f bf ba f7 336 7b 6c 19 c3 07 19 45 34 1e 88 cd 86 41 f8 32 38 337 41 3d 75 20 e1 c9 4a 94 03 e4 2f 4b 38 2d 93 39 338 b7 71 e9 84 80 b9 aa ca 97 39 5a c6 68 a7 b2 6f 339 b0 3e 10 f0 02 e3 e3 62 78 23 b4 f7 f1 a8 ce cd 340 71 a8 3a 23 81 63 ba 70 92 ea c6 9b 2c 35 93 6d 341 b5 58 61 6d 2c 06 a5 4d 0d 27 35 20 0b 77 d0 0d 342 65 f0 24 11 71 0b 71 45 2b 73 9c 42 fd d4 09 ba 343 8a ed d2 9e 78 9c 2f 43 91 5d e7 3a 19 0b f8 2b 344 71 6d 47 ae 86 e4 7a 9e e1 a0 de b5 08 bd a4 30 345 bb c1 3e ad db 75 79 36 a0 0a ea 70 a0 9c 64 f7 346 ba 92 a4 02 05 4d d4 9b ba a8 b3 9e 92 cd 28 13 347 0e 84 81 90 84 cd ae 09 b2 0b 12 23 1c b4 3a 18 348 cb 66 a1 8a 81 63 d4 e7 06 1c 16 04 29 20 2b cf 349 da a3 90 55 15 4a 15 ab 30 95 f1 20 b0 84 f5 7e 350 0f 92 f6 7f 4d 8c 22 2a a8 80 41 7b ee fa 85 f8 351 e2 4d 45 38 28 eb e2 fd a5 c6 1e 37 98 9f a2 ed 352 13 b9 dd f5 21 bc 78 10 2f 99 21 dc 30 55 57 58 353 c6 59 89 13 f9 76 aa e1 ec 0d 82 27 74 a1 86 b5 354 d1 74 12 49 5f ac a0 25 d2 91 5a 26 11 5e 0e f8 355 d2 7f 00 7f 8e 8b 7d 89 93 ba 69 4c 5f c7 7c df 356 d0 45 f4 17 3c 0c 03 df bf 1e 358 Server SIDH-ECDHE private key: 360 SIDH Private Key [Len: 32] 361 ca a5 1b 8d cc 2e df b0 b9 f5 ed 9d b0 1c f4 7c 362 b6 61 07 4d 5f e3 9d 6a 24 48 71 48 f3 11 4d 0a 364 X25519 Private Key [Len: 32] 365 a1 27 74 2c 0e ea 56 25 41 68 f4 7c d0 94 30 03 366 5e 7e cb 3d e0 4f 84 36 41 e8 b4 39 1e 45 99 91 368 Handshake secrets "tls13 s hs traffic": 370 PRK [Len: 32] 371 35 7b 46 ed 6d f0 40 77 ae 2a a0 f4 47 cc df c1 372 78 54 74 48 d4 ff 69 05 f9 d5 2f 9a 00 1c e8 86 374 Hash [Len: 32] 375 52 a5 04 4f 78 da 41 12 b8 ac 35 f3 37 54 0c 51 376 18 ba c9 be c7 de 06 21 b2 f8 22 b6 e1 fa b5 96 378 Info [Len: 54] 379 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 380 61 66 66 69 63 20 52 a5 04 4f 78 da 41 12 b8 ac 381 35 f3 37 54 0c 51 18 ba c9 be c7 de 06 21 b2 f8 382 22 b6 e1 fa b5 96 384 Derived key [Len: 32] 385 e4 31 ba e7 1e 38 f1 d6 81 17 83 56 d3 8d 0e 35 386 cf 42 6a 05 a2 2b 03 df d6 bb 4f 72 94 d2 9f c3 388 Handshake secrets "tls13 c hs traffic": 390 Info [Len: 54] 391 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 392 61 66 66 69 63 20 52 a5 04 4f 78 da 41 12 b8 ac 393 35 f3 37 54 0c 51 18 ba c9 be c7 de 06 21 b2 f8 394 22 b6 e1 fa b5 96 396 Derived key [Len: 32] 397 d2 99 cb cb 70 91 05 b6 3f 62 a5 e7 a2 5c 9c 07 398 2b 98 d9 0c d0 92 1c f2 0f c3 6a fa b3 57 4d 2a 400 Server Handshake: 402 SH [Len: 468] 403 02 00 01 d0 03 03 8b 94 f0 f0 25 bd 87 30 3f 1c 404 7c 86 e0 bc 25 e3 7f d7 ca 77 88 c5 a3 3c 69 34 405 c8 ec a9 64 15 85 00 13 01 00 01 a8 00 33 01 9e 406 01 05 01 9a f8 c6 8f 4e 57 6b fb ec b3 de 23 d9 407 db 89 fc 1b f4 6f 01 a5 c0 91 61 fd c4 e7 bc 58 408 b4 eb 5f 76 44 c4 c7 7b a3 09 1a 60 c7 15 8f 1e 409 d6 83 f2 1c f8 36 13 a4 b3 c5 bc 4e 73 41 96 36 410 34 9a 9e 5a bc fc 9d fa 2b c3 2c 85 17 44 9b 21 411 8f bf ba f7 7b 6c 19 c3 07 19 45 34 1e 88 cd 86 412 41 f8 32 38 41 3d 75 20 e1 c9 4a 94 03 e4 2f 4b 413 38 2d 93 39 b7 71 e9 84 80 b9 aa ca 97 39 5a c6 414 68 a7 b2 6f b0 3e 10 f0 02 e3 e3 62 78 23 b4 f7 415 f1 a8 ce cd 71 a8 3a 23 81 63 ba 70 92 ea c6 9b 416 2c 35 93 6d b5 58 61 6d 2c 06 a5 4d 0d 27 35 20 417 0b 77 d0 0d 65 f0 24 11 71 0b 71 45 2b 73 9c 42 418 fd d4 09 ba 8a ed d2 9e 78 9c 2f 43 91 5d e7 3a 419 19 0b f8 2b 71 6d 47 ae 86 e4 7a 9e e1 a0 de b5 420 08 bd a4 30 bb c1 3e ad db 75 79 36 a0 0a ea 70 421 a0 9c 64 f7 ba 92 a4 02 05 4d d4 9b ba a8 b3 9e 422 92 cd 28 13 0e 84 81 90 84 cd ae 09 b2 0b 12 23 423 1c b4 3a 18 cb 66 a1 8a 81 63 d4 e7 06 1c 16 04 424 29 20 2b cf da a3 90 55 15 4a 15 ab 30 95 f1 20 425 b0 84 f5 7e 0f 92 f6 7f 4d 8c 22 2a a8 80 41 7b 426 ee fa 85 f8 e2 4d 45 38 28 eb e2 fd a5 c6 1e 37 427 98 9f a2 ed 13 b9 dd f5 21 bc 78 10 2f 99 21 dc 428 30 55 57 58 c6 59 89 13 f9 76 aa e1 ec 0d 82 27 429 74 a1 86 b5 d1 74 12 49 5f ac a0 25 d2 91 5a 26 430 11 5e 0e f8 d2 7f 00 7f 8e 8b 7d 89 93 ba 69 4c 431 5f c7 7c df d0 45 f4 17 3c 0c 03 df bf 1e 00 2b 432 00 02 7f 1c 434 SH [Len: 651] 435 08 00 00 14 00 12 00 0a 00 04 00 02 01 05 00 1c 436 00 02 40 01 00 00 00 00 0b 00 01 c3 00 00 01 bf 437 00 01 ba 30 82 01 b6 30 82 01 1f a0 03 02 01 02 438 02 01 05 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 439 05 00 30 13 31 11 30 0f 06 03 55 04 03 0c 08 72 440 73 61 5f 73 69 67 6e 30 1e 17 0d 31 38 30 36 31 441 30 31 30 32 34 31 32 5a 17 0d 32 38 30 36 31 30 442 31 30 32 34 31 32 5a 30 13 31 11 30 0f 06 03 55 443 04 03 0c 08 72 73 61 5f 73 69 67 6e 30 81 9f 30 444 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 445 8d 00 30 81 89 02 81 81 00 c6 96 5e 96 71 5a ea 446 40 c2 c0 60 c7 c7 4e 98 b3 40 0c 02 a3 1c 9c 8e 447 e7 c6 57 6b 48 8c 23 04 d4 e8 54 09 37 c2 b8 b1 448 ac b4 49 b7 76 ef 59 f8 3f 7c 4e e3 6a fa 32 04 449 53 74 85 2d 0d 8e 91 ad 2d 65 52 ec f2 54 1c 82 450 f1 b5 46 c8 5e ec e1 4e 6a f1 a1 c8 9f 9c 2b e1 451 79 3b 85 58 80 19 d5 f2 87 cb c0 13 5f 56 56 d3 452 75 78 bb 71 ef fa df e4 98 76 31 47 72 9b 5d 6a 453 fe d7 c9 58 e6 d2 c6 2c 5f 02 03 01 00 01 a3 1a 454 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 455 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86 456 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 07 58 be 457 81 c3 60 a0 cb 94 bc 79 81 0c b5 c6 ec 84 c6 c0 458 f8 d9 63 50 0a 7e b2 9d 80 95 5d b2 ba c9 31 72 459 73 d5 78 97 d1 5f e3 d9 f8 54 25 e0 1a 0e 7f 2b 460 ec 20 27 b6 ba ff 9c 38 42 23 ed 10 c4 51 54 f2 461 a3 45 54 df 59 be 83 d4 b8 00 7f 13 a3 27 40 ca 462 af 66 72 f5 f7 cf 1e 4d 6c 94 e4 02 46 cf f7 9d 463 13 7e 72 6b 77 20 15 9c c9 f7 c2 f1 5f 00 91 d3 464 da c6 2e 71 f0 51 82 db 13 b2 ee c7 0c 00 00 0f 465 00 00 84 04 01 00 80 7e c8 cb 1d d8 2e 83 d4 7e 466 69 8a db 8d 39 79 13 49 9f 03 21 7a 2f 5f ef df 467 2e 07 58 a8 0f 4b 61 85 10 25 01 3c cc 14 ef ac 468 35 17 c8 ed 27 17 0f 6e e5 78 7e 19 b5 0a 99 2d 469 bd 68 f4 47 0e 0a 11 cb 57 12 d5 73 cd 20 05 a4 470 b5 04 6c 13 6c 1b 9a f9 15 aa cc ca c2 22 83 fe 471 37 5f c3 f2 24 09 e3 d5 df 26 9f ab 84 e9 92 68 472 38 73 09 b1 58 55 43 79 02 59 0c 13 cc 68 4f 53 473 62 4b 72 d7 3b 17 86 14 00 00 20 d1 6e ba a6 9a 474 12 01 ec 46 fb e4 2c 8b 0e dd b5 73 a9 d7 e1 da 475 ba c5 c3 0d 53 5d 90 24 fd 53 60 477 Client finished handshake: 479 Client finished [Len: 36] 480 14 00 00 20 8e 34 2d 9d 69 fb 95 76 65 05 03 4d 481 cf 27 21 59 7c 45 f7 0e 3f 1e d9 29 18 4b 29 87 482 6a a5 c1 4d 484 Shared secret (server & client): 486 Shared secret (X25519||SIDH) [Len: 158 (32+126)] 487 f0 93 ac 03 ca 0b 5c 05 e6 c3 d3 7f ae 71 10 57 488 a6 a6 3e c7 7c 12 8d 21 8b 39 fc a5 8a 19 69 02 489 31 c8 0b 85 96 07 d4 f2 9b 5d ca a1 2d 69 78 2a 490 4f d8 1e c5 ea 87 ff 24 a2 7e b3 96 db 63 d5 66 491 cd f8 13 d3 34 70 e8 03 10 34 44 68 2d 6b 11 1a 492 a9 a0 58 cd 54 ed ce 8b 27 bc 3d ef 23 4b 2e f7 493 0b 28 de 95 d9 de 45 4a 73 48 d1 ad 51 21 f6 fe 494 fa ae 22 64 b5 2c db f7 99 7e 5b 3c 09 06 d9 eb 495 e1 a3 a7 8f 34 74 a2 77 a0 85 ca 11 d4 1b 44 53 496 ed eb 8c 67 b4 f2 62 6e 54 4c 97 a9 1a 27 498 7. IANA Considerations 500 TODO: register the codepoints 502 8. References 504 8.1. Normative References 506 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 507 Requirement Levels", BCP 14, RFC 2119, 508 DOI 10.17487/RFC2119, March 1997, 509 . 511 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 512 Key Derivation Function (HKDF)", RFC 5869, 513 DOI 10.17487/RFC5869, May 2010, 514 . 516 [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves 517 for Security", RFC 7748, DOI 10.17487/RFC7748, January 518 2016, . 520 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 521 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 522 May 2017, . 524 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 525 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 526 . 528 [SIDH] Jao, D. and L. De Feo, "Towards quantum-resistant 529 cryptosystems from supersingular elliptic curve isogenie", 530 PQCrypto-2011 , 2011, 531 . 533 [SIKE] Azarderakhsh, R., Campagna, M., Costello, C., De Feo, L., 534 Hess, B., Jalali, A., Jao, D., Koziel, B., LaMacchia, B., 535 Longa, P., Naehrig, M., Renes, J., Soukharev, V., and D. 536 Urbanik, "Supersingular Isogeny Key Encapsulation", 537 Submission to the NIST Post-Quantum Standardization 538 project , 2017, . 540 8.2. Informative References 542 [eSIDH] Costello, C., Longa, P., and M. Naehrig, "Efficient 543 algorithms for supersingular isogeny Diffie-Hellman", 544 IACR-CRYPTO-2016 , 2016, 545 . 547 [ISOSEC] Galbraith, S., Petit, C., Shani, B., and Y. Bo Ti, "On the 548 security of supersingular isogeny cryptosystems", IACR- 549 CRYPTO-2016 , 2016, 550 . 552 [KLM15] Kirkwood, D., Lackey, B., McVey, J., Motley, M., Solinas, 553 J., and D. Tuller, "Failure is not an Option: 554 Standardization Issues for Post-Quantum Key Agreement", 555 Workshop on Cybersecurity in a Post Quantum World, 2015 , 556 2015. 558 [RNSL] Roetteler, M., Naehrig, M., Svore, K., and K. Lauter, 559 "Quantum Resource Estimates for Computing Elliptic Curve 560 Discrete Logarithms", arXiv , 2017, 561 . 563 [URBJAO] Urbanik, D. and D. Jao, "SoK: The Problem Landscape of 564 SIDH", IACR-CRYPTO-2018 , 2018, 565 . 567 Acknowledgements 569 o Martin Thomson 570 Mozilla 571 mt@mozilla.com 573 Authors' Addresses 575 Franziskus Kiefer 576 Mozilla 578 Email: franziskuskiefer@gmail.com 580 Krzysztof Kwiatkowski 581 Cloudflare 583 Email: kris@cloudflare.com