Hybrid Key Agreement/KEM Construction and Integration to IPsec IKEv2 VPN (Q42a)
Hybrid key agreement schemes that combine classical and post-quantum schemes have a key benefit: the solid, well-researched security of the classical scheme is combined with the quantum-safety of the new scheme. However, while many of today's key agreement protocols are based on Diffie-Hellman (DH)-style key agreement, most of the proposed post-quantum schemes are a different cryptographic primitive: Key Encapsulation Mechanisms (KEMs). In this presentation we propose hybrid key agreement protocols that can combine any two or more DH and KEM protocols. We present versions that minimize the number of communication phases and the communication latency, and versions that preserve FIPS certification. Security considerations are discussed, such as preserving the CCA security of the KEM schemes in the combined construction. A unified API for the hybrid key agreement schemes is presented, which serves as the basis for integration into higher-level protocols. We then present our work integrating the Hybrid Key Agreement API into an IPsec IKEv2 VPN. The VPN is based on strongSwan and incorporates a new plugin that uses the Hybrid Key Agreement API. The underlying cryptographic library lets cryptographic providers be swapped in and out easily, which in turn allows the algorithms used for the hybrid key agreement to be updated quickly. Finally, we present empirical evaluations of the VPN hybrid key agreement integration, including:
– Integration of different post-quantum schemes, such as SIKE, SIDH, NewHope, Kyber, NTRU, BIKE and Saber.
– Combination of post-quantum schemes with ECDH and DH.
– Impact on message sizes.
– Impact on performance (total latency, network overhead).
– Limitations due to the IKEv2 protocol, and ongoing standardization efforts.
We hope that this presentation provides practical insights into how to meet two goals simultaneously with the help of a hybrid construction: use post-quantum cryptography and remain compliant with current standards.
There is an emerging consensus in the PQ community that such hybrid key agreement solutions are already crucial today wherever long-term data confidentiality must be guaranteed. Our VPN integration further advocates cryptographic agility when deploying quantum-safe solutions, by providing a generic Hybrid Key Agreement API and making it easy to swap the algorithms in use.
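The two ideas the abstract rests on, presenting a DH-style exchange through a KEM interface so that DH and KEM components share one API, and deriving the session key from all component secrets with every ciphertext bound into the derivation so that CCA security of any one component carries over to the hybrid, can be shown in a few lines. The following Python is an added illustration written for this page; it is not the presenters' library or the strongSwan plugin. It uses toy finite-field DH groups (constructed, far too small for real use) for both slots; in a deployment the second slot would hold a real post-quantum KEM such as Kyber, and the class names, the HKDF labels and the group parameters are all assumptions of this example.

```python
"""Toy hybrid KEM combiner: a DH group wrapped in the KEM API (keygen/encaps/decaps)
and a combiner that merges any number of KEMs into one, deriving the final key
with HKDF over all shared secrets, public keys and ciphertexts.
Constructed illustration; the group parameters are toy-sized and NOT secure."""
import hashlib
import hmac
import secrets

# Toy DH groups (constructed): p is the Mersenne prime 2^127-1 resp. 2^89-1.
# Group B only stands in for the post-quantum component so the combiner can be
# exercised offline; in deployment that slot would hold a real PQ KEM.
TOY_GROUP_A = (2**127 - 1, 2)
TOY_GROUP_B = (2**89 - 1, 3)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class DHKEM:
    """Presents a DH group through the KEM API: encapsulation is an ephemeral DH
    exchange and the 'ciphertext' is the ephemeral public key."""

    def __init__(self, p: int, g: int):
        self.p, self.g = p, g
        self.nbytes = (p.bit_length() + 7) // 8

    def _i2b(self, x: int) -> bytes:
        return x.to_bytes(self.nbytes, "big")

    def keygen(self):
        sk = secrets.randbelow(self.p - 2) + 1          # private exponent in [1, p-2]
        return sk, self._i2b(pow(self.g, sk, self.p))  # (secret key, public key bytes)

    def encaps(self, pk: bytes):
        esk, epk = self.keygen()                        # ephemeral key pair
        ss = pow(int.from_bytes(pk, "big"), esk, self.p)
        return epk, self._i2b(ss)                       # (ciphertext, shared secret)

    def decaps(self, sk: int, ct: bytes) -> bytes:
        return self._i2b(pow(int.from_bytes(ct, "big"), sk, self.p))


class HybridKEM:
    """Combines any number of KEMs. Keys and ciphertexts are concatenated; the
    session key is HKDF over the concatenated shared secrets, with every public
    key and ciphertext bound into the info string. Binding the ciphertexts is
    what lets the hybrid inherit CCA security from any one secure component:
    altering any ciphertext changes the derived key even if that component's
    shared secret could be manipulated."""

    def __init__(self, *kems):
        self.kems = kems

    def keygen(self):
        sks, pks = zip(*(k.keygen() for k in self.kems))
        return list(sks), list(pks)

    def _combine(self, shared_secrets, pks, cts) -> bytes:
        prk = hkdf_extract(b"hybrid-kem-v1", b"".join(shared_secrets))  # label: assumption
        info = b"".join(pks) + b"".join(cts)
        return hkdf_expand(prk, info, 32)

    def encaps(self, pks):
        cts, sss = zip(*(k.encaps(pk) for k, pk in zip(self.kems, pks)))
        return list(cts), self._combine(sss, pks, cts)

    def decaps(self, sks, pks, cts) -> bytes:
        sss = [k.decaps(sk, ct) for k, sk, ct in zip(self.kems, sks, cts)]
        return self._combine(sss, pks, cts)


def demo_roundtrip():
    """Responder publishes hybrid public keys, initiator encapsulates, both derive
    the same 32-byte key; a tampered component ciphertext yields a different key."""
    hybrid = HybridKEM(DHKEM(*TOY_GROUP_A), DHKEM(*TOY_GROUP_B))
    sks, pks = hybrid.keygen()
    cts, k_initiator = hybrid.encaps(pks)
    k_responder = hybrid.decaps(sks, pks, cts)
    bad_cts = [cts[0], bytes([cts[1][0] ^ 0x01]) + cts[1][1:]]  # flip one bit of ct 2
    k_tampered = hybrid.decaps(sks, pks, bad_cts)
    return k_initiator, k_responder, k_tampered


if __name__ == "__main__":
    ki, kr, kt = demo_roundtrip()
    print("keys agree:", ki == kr, "| tampered ct changes key:", kt != kr)
```

The combiner is agnostic to what sits behind each `keygen`/`encaps`/`decaps` triple, which is the agility property the abstract argues for: swapping the stand-in group for a PQ KEM, or adding a third component, changes only the constructor call. Note that the DHKEM wrapper costs one message per direction exactly like a KEM, which is why a KEM-shaped API is the natural common denominator for an IKEv2 exchange.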