Internet DRAFT - draft-whyte-select-pkc-qsh
draft-whyte-select-pkc-qsh
INTERNET-DRAFT J. M. Schanck
Intended Status: Experimental Security Innovation & U. Waterloo
Expires: 2017-04-04 W. Whyte
Security Innovation
Z. Zhang
Security Innovation
2016-10-04
Criteria for selection of public-key cryptographic algorithms
for quantum-safe hybrid cryptography
draft-whyte-select-pkc-qsh-02.txt
Abstract
Authenticated key exchange mechanisms instantiated with cryptosystems
based on integer factorization, finite field discrete log, or
elliptic curve discrete log, are believed to be secure now but are
vulnerable to a harvest-then-decrypt attack where an attacker who
cannot currently break the mechanism records the traffic anyway, then
decrypts it at some point in the future when quantum computers become
available. The Quantum-safe Hybrid approach is a modular design,
allowing any authenticated key exchange mechanism to be protected
against the harvest-then-decrypt attack by exchanging additional
secret material protected with an ephemeral key for a quantum-safe
public key cryptographic algorithm and including that secret material
in the Key Derivation Function (KDF) run at the end of the key
exchange. This approach has been proposed in TLS as the Quantum-safe
Hybrid handshake mechanism for Transport Layer Security protocol
(QSH_TLS). This document provides a guideline to criteria for
selecting public key encryption algorithms approved for experimental
use in the quantum safe hybrid setting.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html.
Schanck et al. Expires 2017-04-04 [Page 1]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Update from last version: keeping alive till TLS WG review.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Quantum Attacks on Cryptosystems . . . . . . . . . . . . . 4
2.1.1. Shor's algorithm . . . . . . . . . . . . . . . . . . . 4
2.1.2. Grover's algorithm . . . . . . . . . . . . . . . . . . 5
2.2. Harvest-then-decrypt attack . . . . . . . . . . . . . . . 5
2.3. Quantum-safe hybrid approach . . . . . . . . . . . . . . . 5
2.4. Symmetric algorithm . . . . . . . . . . . . . . . . . . . 6
2.5. Random bit generation . . . . . . . . . . . . . . . . . . 6
3. Selection Criteria . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Similar work . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. Mandatory aspects . . . . . . . . . . . . . . . . . . . . 7
3.2.1. Security levels . . . . . . . . . . . . . . . . . . . 7
3.2.2. Freely available specifications of the algorithm . . . 7
3.2.3. Freely available source code for a reference
implementation . . . . . . . . . . . . . . . . . . . . 8
3.3 Desirable aspects . . . . . . . . . . . . . . . . . . . . . 8
3.3.1. SUPERCOP implementation . . . . . . . . . . . . . . . 8
3.3.2. Constant-time implementation . . . . . . . . . . . . . 9
3.3.3. Standardization . . . . . . . . . . . . . . . . . . . 9
3.3.4. Patent and IP related issues . . . . . . . . . . . . . 9
4. Recommendations, justifications and considerations . . . . . . 9
4.1. Preliminary list of recommendations . . . . . . . . . . . 9
4.2. Schemes under consideration . . . . . . . . . . . . . . . 10
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6.1. Normative References . . . . . . . . . . . . . . . . . . . 10
6.2. Informative References . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
Copyright Notice . . . . . . . . . . . . . . . . . . . . . . . . . 14
Schanck et al. Expires 2017-04-04 [Page 2]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
1. Introduction
Quantum computers pose a significant threat to modern cryptography.
The two most widely adopted public key cryptosystems, namely, RSA
[PKCS1] and Elliptic Curve Cryptography (ECC) [SECG], will be broken
by general purpose quantum computers. RSA is adopted in TLS from
Version 1.0 to TLS Version 1.3 [RFC2246], [RFC4346], [RFC5246],
[TLS1.3]. ECC is enabled in RFC 4492 [RFC4492] and adopted in TLS
version 1.2 [RFC5246] and 1.3 [TLS1.3]. Those two primitives are the
only public key cryptography that TLS relies on.
Although these algorithms are currently believed to be secure, data
encrypted using these algorithms is vulnerable to a "harvest-then-
decrypt" attack where an attacker who cannot currently break the
mechanism records the traffic anyway, then decrypts it at some point
in the future when quantum computers become available. See section 2
for a detailed account of those attacks.
The Quantum-safe Hybrid approach, which has a concrete proposal as
the Quantum-safe Hybrid handshake for Transport Layer Security
protocol (QSH_TLS) [QSHTLS], addresses this attack by introducing a
quantum-safe public key encapsulation mechanism along with the
classical authenticated handshake. QSH_TLS is a modular design that
allows in principle for any quantum-safe encryption algorithm to be
used in the hybrid approach.
Since the IETF has not yet designated a single algorithm for use to
provide quantum-safety, and since the quantum-safe algorithm used is
intended to enhance security rather than being the only source of
security, it is appropriate for there to be multiple algorithms that
may be used in a quantum-safe hybrid setting. This provides an
opportunity for implementers to compare different quantum-safe
algorithms before the choice of a single one becomes vital. However,
an algorithm should clearly satisfy some baseline set of criteria
before it is approved for use in the quantum-safe hybrid setting,
even if those criteria are more relaxed than they would be for
selecting a single algorithm to rely on.
This document specifies what those criteria are.
The remainder of this document is organized as follows. Section 2
provides necessary background of the modular design of quantum-safe
handshake for TLS. Section 3 specifies selection criteria. Section
4 provides a preliminary list of recommended encryption algorithms.
Section 5 describes IANA considerations.
This is followed by the lists of normative and informative references
cited in this document, the authors' contact information, and
Schanck et al. Expires 2017-04-04 [Page 3]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
statements on intellectual property rights and copyrights.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Well-known abbreviations and acronyms can be found at RFC Editor
Abbreviations List [REAL].
2. Background
2.1. Quantum Attacks on Cryptosystems
If there exists a general purpose quantum computer, any cryptosystem
that is built on top of the mathematical hard problems of integer
factorization, finite field discrete logarithm (DL), or elliptic
curve discrete logarithm (ECDL) will be vulnerable. This includes
RSA, DSA, DH, ECDH, ECDSA and other variants of these ciphers,
including variants currently under consideration for standardization
by CFRG and all public key cryptosystems used in TLS. A quantum
computer may allow a real-time attack on the authentication within a
handshake protocol, or may allow an attacker to decrypt previously
recorded network traffic.
It is not clear when quantum computers will become available. The EU
has expressed in their Horizon 2020 project a desire for systems to
be "quantum-ready" by 2020 [H2020]. Research groups have
optimistically predicted practical and powerful quantum computer
could become available by the same date [TPM15], which may be large
enough to solve some instances of the elliptic curve discrete log
problem that are currently secure. It is, however, clear that data
exchanged today may be vulnerable to the harvest-then-decrypt attack
described below.
2.1.1. Shor's algorithm
Many of the hard problems used in public key cryptography can be
reduced to the Hidden Subgroup Problem over a finite cyclic group.
For an finite cyclic group G and finite set X, a function f : G -> X
is said to hide a subgroup H if f(a) = f(b) iff a - b is in H. The
Hidden Subgroup Problem (HSP) is to determine the hidden subgroup H
given black box access to f. Shor's algorithm [SHOR97] is a
probabilistic quantum algorithm that solves the HSP over any finite
cyclic group in polynomial time. Among the problems that reduce to
the HSP are the integer factorization and discrete logarithm problems
that underly RSA, DSA, DH, ECDH, and ECDSA, hence all of these
systems are vulnerable to quantum attacks.
Schanck et al. Expires 2017-04-04 [Page 4]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
2.1.2. Grover's algorithm
Grover's algorithm [GROV96] is a probabilistic quantum algorithm that
finds the unique input to a black box function that produces a
particular output value. Compared with classical algorithms,
Grover's algorithm finds the solution with a quadratic boost, i.e.,
within O(N^(1/2)) evaluations of the function, where N is the size of
the function's domain.
While an exact cost analysis of Grover's algorithm will depend
crucially on architecture dependent parameters that are not currently
available, it is a common belief among cryptographers that Grover's
algorithm is effective against symmetric primitives [BRA98]. To be
conservative we ignore constant factors and simply assume that
Grover's algorithm finds preimages quadratically faster than
classical brute force search. Likewise, we assume that Grover's
algorithm reduces the time required to recover the key of a symmetric
cipher by a quadratic factor. As an example, AES-256 provides 256
bits of security against classical computers, but is assumed to
provide only 128 bits of security against quantum computers.
2.2. Harvest-then-decrypt attack
The harvest-then-decrypt attack is a straightforward yet effective
attack. In such an attack, the attacker stores encrypted data for
long periods of time until legal, technological, or cryptanalytic
means become available for revealing keys.
Under the context of quantum computing, this attack becomes extremely
powerful. TLS relies on RSA and ECC, both will be broken when
quantum computer becomes available. Hence, any data encrypted now
will be vulnerable to this attack. It is likely that it will be some
time before breaks become so cheap that all harvested traffic can be
decrypted. However, this is little consolation to the people whose
traffic is initially targeted for decryption. It seems prudent to
provide protection against the harvest-then-decrypt attack natively
to secure data exchange protocols as soon as possible.
2.3. Quantum-safe hybrid approach
The quantum safe hybrid approach defeats the quantum harvest-then-
decrypt attack by introducing a second quantum-safe cryptographic
primitive running in parallel with existing handshake approaches.
This measure assures that when the classical cryptography fails, the
attacker still need to break the corresponding quantum-safe
encryption algorithm.
It is easy to see that this approach is at least as strong as the
Schanck et al. Expires 2017-04-04 [Page 5]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
stronger primitive of classical cryptography and the quantum-safe
cryptography in the pre-quantum world [QSHTOR]. Therefore, it is an
ideal approach to migrate into quantum-safe cryptography for TLS as
it does not reduce the security guarantees that TLS is already
delivering; in the meantime, it allows for trial usage of quantum-
safe algorithms and protects data against the aforementioned harvest-
the-decrypt attack.
2.4. Symmetric algorithm
For 128 bit security, implementations of a quantum-safe hybrid
approach SHOULD use a symmetric algorithm with a 256-bit key, but MAY
use a symmetric algorithm with a 128-bit key for interoperability or
performance reasons.
2.5. Random bit generation
For 128 bit security, implementations of a quantum-safe hybrid
approach SHOULD ensure that any Deterministic Random Bit Generator
(DRBG) used in key generation or encryption for a quantum-safe
primitives is instantiated with at least 256 bits of entropy from a
secure random source.
3. Selection Criteria
The hybrid approach is a modular design, which, in order to support
various quantum-safe algorithms, does not recommend any specific
quantum-safe encryption algorithm. In this section we give
guidelines for selecting encryption algorithms that are suitable for
experimental use in the hybrid approach.
3.1. Similar work
To date, multiple groups have been involved in the work of evaluating
quantum-safe encryption algorithms.
o The National Security Agency of the United States has
announced a plan to migrate to quantum-safe cryptography [NSA15].
o The ETSI Quantum-Safe Cryptography (QSC) Industry
Specification Group (ISG) aims to assess and make recommendations
for quantum-safe cryptographic primitives and protocols, taking
into consideration both the current state of academic cryptology
and quantum algorithm research, as well as industrial requirements
for real-world deployment [ETSIQ].
o The Secure Architectures of Future Emerging Cryptography
(SAFEcrypto) project [SAFEC], supported by H2020 project, focuses
Schanck et al. Expires 2017-04-04 [Page 6]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
on practical implementation of quantum-safe encryptions
algorithms, particularly lattice-based public key cryptography.
o The Post-quantum cryptography for long-term security
(PQCRYPTO) group, also supported by H2020 project, has made their
initial recommendations of long-term secure post-quantum systems
[PQCRY].
Note that PQCRYPTO is the only group that has made initial
recommendations on quantum-safe cryptography.
This document describes criteria for quantum-safe encryption
algorithms, with a focus on those algorithms existing today and
suitable for transitional use until the quantum era. The intent is
ultimately to align with other industry groups while enabling earlier
deployment of algorithms that can reasonably be expected to make
things better, not worse.
3.2. Mandatory aspects
Algorithms to be considered by quantum-safe hybrid approach MUST meet
the following criteria.
3.2.1. Security levels
The candidate algorithm MUST provide 128 bit security in the quantum-
safe setting.
If the candidate algorithm is subject to decryption failures, these
MUST happen with a probability of less than 2^-74 (such that 128
billion devices (2^7 * 2^30) each initiating 128 billion connections
(2^7 * 2^30) will with high probability encounter no decryption
failures). Note that an attacker will be able to create invalid
messages that do not decrypt correctly, so an implementation will
have to correctly handle this failure case even when the chance of a
decryption failure is negligible on a valid message (or even when
this chance is zero).
3.2.2. Freely available specifications of the algorithm
The candidate algorithm MUST have a set of publicly accessible
documents specifying common techniques and implementation choices.
The documents MAY be Internet Drafts. Topics MUST include:
o Cryptographic primitives: the building blocks for a secure
cryptographic scheme;
Schanck et al. Expires 2017-04-04 [Page 7]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
o Cryptographic schemes: complete sequences of operations for
performing secure cryptographic functions;
o Supported parameter choices: specific selections of approved
sets of values for cryptographic parameters;
o Classical security levels for the proposed parameter sets;
o Argument for post-quantum security levels for the proposed
parameter sets;
o Encoding of cryptographic data items: specifies
encoding/decoding of public keys and ciphertexts.
In addition, it MAY include relevant information to assist in the
development and interoperable implementation, including:
o Security considerations;
o Open issues.
3.2.3. Freely available source code for a reference implementation
It is important to have a stable reference implementation available
for the candidate algorithm. The code needs to be rigorously tested
and reviewable. A poor implementation of a good cryptosystem can be
as harmful as a broken cryptosystem.
The implementation SHOULD also be open source to allow for public
auditing. In particular, any default choice of parameters MUST be
justified.
3.3 Desirable aspects
The following aspects are desirable. Algorithms that meet those
criteria are preferred.
3.3.1. SUPERCOP implementation
System for Unified Performance Evaluation Related to Cryptographic
Operations and Primitives (SUPERCOP) [SUPEC] is a toolkit developed
by the Virtual Application and Implementation Research (VAMPIRE) Lab
for measuring the performance of cryptographic software. The latest
release of SUPERCOP measures the performance of hash functions,
secret key stream ciphers, public key encryption systems, public key
signature systems, and public key secret sharing systems.
The candidate algorithm MAY have a reference implementation for
Schanck et al. Expires 2017-04-04 [Page 8]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
SUPERCOP. Performance of the implementation on SUPERCOP MAY be taken
into consideration when selections are made.
3.3.2. Constant-time implementation
An implementation of a cryptosystem is constant-time means that the
time for encryption/decryption functions is constant, regardless of
the input and the output of the functions. As an example, the time
to decrypt any valid ciphertext should use a same time as decrypting
an invalid ciphertext and producing a decryption error. Constant
time implementation is important for cryptography as it makes side-
channel attacks substantially harder.
Algorithms with provable constant time implementations SHOULD be
preferred. However, this is not an absolute requirement as the QSH
setting uses ephemeral keys and an implementation of QSH SHOULD only
decrypt once with any key, so an attacker is unlikely to gain
sufficient information from the time of a single decryption to
recover the plaintext.
3.3.3. Standardization
The candidate algorithm MAY be standardized by another standards
body, such as ANSI X.9, IEEE, or ETSI. Algorithms that maintain
creditability among multiple standards bodies SHOULD be preferred.
3.3.4. Patent and IP related issues
The candidate algorithm MAY be either non-patented or patented but
with FRAND (Free or Reasonable and Non-Discriminatory) licensing
statement made and all relevant IETF IP declarations provided.
4. Recommendations, justifications and considerations
4.1. Preliminary list of recommendations
The following list is an (incomplete) list of recommended quantum-
safe encryption algorithms and parameters for 128 bits security that
MAY be considered in the hybrid approach.
o NTRUEncrypt lattice-based encryption scheme with parameter
sets ees443ep1, ees587ep1, and ees743ep1 as defined in [EESS1];
o Specification: [EESS1] provides a concrete specification of
NTRUEncrypt with parameter set ees443ep1, ees587ep1, and
ees743ep1, including primitives, syntax, reference to classical
security analysis in [HOF15], quantum security analysis, and
encode/decode mechanisms
Schanck et al. Expires 2017-04-04 [Page 9]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
o Open-sourced reference implementation: Available from
[NTRU-GIT]
o SUPERCOP implementation: Available for related parameter
sets, not yet available for the recommended parameter sets
o Constant-time implementation: Not yet available
o Standardization: The recommended parameter sets have not
been published in a standard, but the encryption scheme and
other parameter sets have been standardized in IEEE 1363.1 and
ANSI X9.98.
o Patent and IP Issues: NTRUEncrypt is subject to patents
held by Security Innovation. Security Innovation has provided
IPR Declaration 2588 to IETF.
4.2. Schemes under consideration
The following schemes are under consideration. They are well known
quantum safe encryption algorithms in the literature. However, due
to the lack of specifications, implementation of those schemes are
non-trivial. For this reason we list those schemes as "under
consideration". They will be promoted to the recommendation list
once detailed specifications are provided.
o Learning with error lattice-based encryption scheme [REG05],
with parameter set form [LIN11];
o NTRUEncrypt lattice-based encryption scheme instantiated with
learning with error problem [STE11];
o McEliece code-based encryption scheme [MCELI] with parameter
set for McBits [MCBIT];
o McEliece code-based encryption scheme with Quasi-cyclic
Moderate Density Parity-Check (MDPC) codes [MDPC].
5. IANA Considerations
This document does not establish any new IANA registries, nor does it
add any entries to existing registries.
6. References
6.1. Normative References
Schanck et al. Expires 2017-04-04 [Page 10]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
[BER09] Bernstein, D., "Cost analysis of hash collisions: Will
quantum computers make SHARCS obsolete?", SHARCS'09.
<http://cr.yp.to/hash/collisioncost-20090823.pdf>
[BRA98] Brassard, G., Hoyer, P., and Tapp, A., "Quantum
cryptanalysis of hash and claw-free functions", LATIN'98:
Theoretical Informatics.
[EESS1] Consortium for Efficient Embedded Security, "Efficient
Embedded Security Standard #1: Implementation Aspects of
NTRUEncrypt", March 2015.
<https://github.com/NTRUOpenSourceProject/ntru-
crypto/raw/master/doc/EESS1-2015v3.0.pdf>
[ETSIQ] ETSI White Paper No. 8, "Quantum Safe Cryptography and
Security: An introduction, benefits, enablers and
challenges", June 2015.
[GROV96] Grover, L., "A fast quantum mechanical algorithm for
database search", STOC 1996.
[H2020] Lange, T., "PQCRYPTO project in the EU", April, 2015.
<http://pqcrypto.eu.org/slides/20150403.pdf>
[HOF15] Hoffstein, J., Pipher, J., Schanck, J., Silverman, J.,
Whyte, W., and Zhang, Z., "Choosing Parameters for
NTRUEncrypt", 2015. <https://eprint.iacr.org/2015/708>
[LIN11] Lindner, R., and Peikert, C., "Better Key Sizes (and
Attacks) for LWE-Based Encryption", 2011.
[MCBIT] Bernstein, D., Chou, T., and Schwabe, P., "McBits: Fast
Constant-Time Code- Based Cryptography", 2013.
[MCELI] McEliece, R., "A Public-Key Cryptosystem Based On
Algebraic Coding Theory", 1978.
[MDPC] Misoczki, R., Tillich, J., Sendrier, N., and Barreto, P.,
"MDPC-McEliece: New McEliece variants from Moderate
Density Parity-Check codes", 2013.
[NSA15] NSA, "NSA Suite B Cryptography", Aug 19, 2015.
<https://www.nsa.gov/ia/programs/suiteb_cryptography/>
[NTRU-GIT] https://github.com/NTRUOpenSourceProject/NTRUEncrypt
[PKCS1] RSA Laboratories, "PKCS#1: RSA Encryption Standard version
1.5", PKCS 1, November 1993
Schanck et al. Expires 2017-04-04 [Page 11]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
[PQCRY] PQCRYPTO, "Initial recommendations of long-term secure
post-quantum systems".
<http://pqcrypto.eu.org/docs/initial-recommendations.pdf>
[QSHTLS] Schanck, J., Whyte, W., and Zhang, Z., "Quantum-Safe
Hybrid (QSH) Ciphersuite for Transport Layer Security
(TLS) version 1.3", draft-whyte-qsh-tls13-00, July 2015.
[QSHTOR] Schanck, J., Whyte, W., and Zhang, Z., "A quantum-safe
circuit-extension handshake for Tor", March 2015.
<https://eprint.iacr.org/2015/287>
[REAL] "RFC Editor Abbreviations List", September 2013,
<https://www.rfc-editor.org/rfc-style-
guide/abbrev.expansion.txt/>.
[REG05] Regev, O., "On lattices, learning with errors, random
linear codes, and cryptography", 2005.
[RFC2119] Bradner, S., "Key Words for Use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
[RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 2434, October
1998.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B.
Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)", RFC 4492, May 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[SAFEC] Secure Architectures of Future Emerging Cryptography
(SAFEcrypto). <http://www.safecrypto.eu/>
[SHOR97] Shor, P., "Polynomial-time algorithms for prime
factorization and discrete logarithm problems", SIAM J.
Computing 26 (1997), 1484-1509.
<http://www.research.att.com/~shor/papers/QCjournal.pdf>
Schanck et al. Expires 2017-04-04 [Page 12]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
[STE11] Stehle, D., and Steinfield, R., "Making NTRUEncrypt and
NTRUSign as secure as worst-case problems over ideal
lattices", 2011.
[TLS1.3] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-05, March 2015.
[TPM15] Morgan, T., "Google Sees Long, Expensive Road Ahead For
Quantum Computing", July 2015.
<http://www.theplatform.net/2015/07/22/google-sees-long-
expensive-road-ahead-for-quantum-computing/>
6.2. Informative References
[RFC4366] Blake-Wilson, S., Nysrom, M., Hopwood, D., Mikkelsen, J.,
and T. Wright, "Transport Layer Security (TLS)
Extensions", RFC 4366, April 2006.
[RFC5990] Randall, J., Kaliski, B., Brainard, J. and Turner S., "Use
of the RSA-KEM Key Transport Algorithm in the
Cryptographic Message Syntax (CMS)", RFC 5990, September
2010.
[RFC5859] Krawczyk, H., Eronen, P., "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5859, May 2010.
Authors' Addresses
John M. Schanck
Security Innovation, US
and
University of Waterloo, Canada
jschanck@securityinnovation.com
William Whyte
Security Innovation, US
wwhyte@securityinnovation.com
Zhenfei Zhang
Security Innovation, US
zzhang@securityinnovation.com
Schanck et al. Expires 2017-04-04 [Page 13]
�
INTERNET DRAFT PKC Selecting Criteria for QSH-TLS 2016-10-04
Copyright Notice
IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(i), paragraph
2: Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
IETF Trust Legal Provisions of 28-dec-2009, Section 6.b(ii),
paragraph 3: This document is subject to BCP 78 and the IETF Trust's
Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Schanck et al. Expires 2017-04-04 [Page 14]
