[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00

Network Working Group                                          F. Kiefer
Internet-Draft                                                   Mozilla
Intended status: Experimental                             K. Kwiatkowski
Expires: May 10, 2019                                         Cloudflare
                                                       November 06, 2018


                 Hybrid ECDHE-SIDH Key Exchange for TLS
                     draft-kiefer-tls-ecdhe-sidh-00

Abstract

   This draft specifies a TLS key exchange that combines the post-
   quantum key exchange, Supersingular elliptic curve isogenie diffie-
   hellman (SIDH), with elliptic curve Diffie-Hellman (ECDHE) key
   exchange.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 10, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Kiefer & Kwiatkowski      Expires May 10, 2019                  [Page 1]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


1.  Introduction

   Supersingular elliptic curve isogenie diffie-hellman (SIDH) has been
   proposed [SIDH] as a diffie-hellman like key-exchange protocol secure
   against quantum computers.  Because there's not enough confidence in
   the security of SIDH yet it should only be used in combination with a
   classical key-exchange scheme.

   This document defines a way to combine [eSIDH] with the ECDHE key
   exchanges defined in [RFC7748] for the TLS 1.3 [RFC8446] key-
   exchange.

   "x25519" is combined with "sidh503" and "x448" is combined with
   "sidh751".

1.1.  Performance Considerations

   Both handshake partners have to compute the SIDH values in addition
   to the ECDHE values, which requires additional time for computation.
   The handshake messages also get larger because the SIDH values are
   added (see Section 4 for details).

1.2.  Notation

   x25519 and x448 denote the ECDHE algorithms defined over the
   respective curve from [RFC7748].  sidh503 and sidh751 denote the SIDH
   algorithms defined using a prime of bit-length "503" and "751"
   respectively.

1.3.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Hybrid SIDH-ECDHE Key Exchange

   A hybrid key exchange takes the output of two separate key exchanges
   and mixes the results in a secure way.

   The ECDHE and SIDH shared secrets are calculated independently.  The
   shared secret for ECDHE-SIDH is then the concatenation of the ECDHE
   and the SIDH shared secrets.  For x25519sidh503 for example this is

   secret = x25519_secret || sidh_secret




Kiefer & Kwiatkowski      Expires May 10, 2019                  [Page 2]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


   The HKDF-Extract step used by TLS is relied on to combine entropy
   from both secrets.

2.1.  ECDHE shared secret calculation

   The ECDHE shared secret calculation is performed as described in
   Section 7.4.2 of [RFC8446].

2.2.  SIDH Key Exchange

   This document uses primes p503 and p751 defined in [eSIDH] and [SIKE]
   for sidh503 and sidh751.  See [SIKE] for details on how to compute
   key-exchange messages and the shared secret.  Optimised versions of
   the algorithms mentioned here might be used.

2.2.1.  Field Element Representation

   Each element ("c=a+b*i") of the underlying quadratic field GF(p^2) is
   encoded as an array of bytes in little-endian order, i.e., the least
   significant octet appears first, where each element "a,b" from GF(p)
   is encoded using "itoos" from [SIKE] Section 1.2.6.  In particular,
   an element of GF(p) is converted to

   e_(n-1) * 256^(n-1) + ... + e_1 * 256 + e_0

   with "n" 63 for p503 and 94 for p751.  The octet representation of
   each element is then the concatenation of "e_i" in little endian,
   i.e. "e_0||...||e_(n-1)", and the octet representation of element "c"
   is the concatenation of "a" and "b", "a||b".

   See "fp2toos" [SIKE] Section 1.2.6 to 1.2.8 for details.

2.2.2.  Key-exchange message generation

   After choosing a private key each party computes its public key (P,
   Q, R) using "isogen_l" from [SIKE] Section 1.3.5 and converts each
   element into octets (cf.  Section 2.2.1).

   See "pktoos" from [SIKE] Section 1.2.9 for details on converting the
   public key to octets.

2.2.3.  Shared secret calculation

   The SIDH shared secret is calculated as described in Section 1.3.6 of
   [SIKE] using "isoex_l".

   Calculating SIDH shared secret requires each side to use isogenies of
   different degree.  This document assumes parameterizations as



Kiefer & Kwiatkowski      Expires May 10, 2019                  [Page 3]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


   described in [SIKE], which is based on 4- and 3-power degree
   isogenies.  In order to calculate the shared secret, the client
   always generates an ephemeral key pair based on 4-power degree
   isogenies.  Accordingly, the server always generates an ephemeral key
   pair based on 3-power degree isogenies.

   The shared secret is a j-invariant and therefore an element of
   GF(p^2).  It is converted to octets as described in Section 2.2.1.

   See "fp2toos" [SIKE] Section 1.2.6 to 1.2.8 for details.  All values
   are encoded without length prefixes or separators.

3.  Negotiated Groups

   This document extends the enum of NamedGroups to use in the
   "supported_groups" extension from TLS 1.3 [RFC8446] Section 4.2.7.
   The new codepoint for the "Supported Groups Registry" is:

   enum {
       ...,
       x25519sidh503(0x0105), x448sidh751(0x0106),
   } NamedGroup;

4.  ECDHE-SIDH key exchange parameters

   This document defines ECDHE-SIDH parameters to use in the "key_share"
   extension from TLS 1.3 (see Section 4.2.8 of [RFC8446]).

   ECDHE parameters for both clients and servers are encoded in the
   "key_exchange" field of a KeyShareEntry as described in Section 4.2.8
   of [RFC8446] and [RFC7748].  SIDH parameters are appended to this
   value.

   In particular, the contents are the serialised value of the following
   struct:

      struct {
          opaque X[coordinate_length];
          opaque P[sidh_coordinate_length];
          opaque Q[sidh_coordinate_length];
          opaque R[sidh_coordinate_length];
      } UncompressedPointRepresentation;

   X is the public point from x25519 or x448 as described in [RFC7748].

   P, Q, and R are the binary representations of three field elements
   over GF(p503^2) and GF(p751^2) respectively from the public SIDH key




Kiefer & Kwiatkowski      Expires May 10, 2019                  [Page 4]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


   values as described in Section 2.2.2.  All values in the struct are
   encoded without length prefixes or separators.

   Implementers MUST perform the checks to verify the SIDH public key as
   specified in Section 9 of [eSIDH].

5.  Security Considerations

   Security of SIDH is based on the isogeny walk problem, assuming
   elliptic curves between isogenies are supersingular (see [SIKE]
   chapter 4.1).  Algorithms solving this problem as well as usage of
   isogenies as drop-in replacement for Diffie-Hellman are relatively
   young area of research.  Therefore the security behind the ECDHE-SIDH
   handshake does not rely on the security of SIDH exclusively.

   Idea behind ECDHE-SIDH hybrid scheme is to combine an existing key-
   agreement algorithm with what's believed to be a quantum-resistant
   one.  When large quantum computers are available they will be able to
   break both x25519 and x448.  In this case the ECDHE-SIDH scheme is
   still safe assuming SIDH is secure.  On the other hand, if SIDH is
   found to be flawed, the hybrid scheme is still secure against
   classical attacks assuming security of x25519/x448.  Security
   estimates for classical and quantum computers are provided in table
   below based on [SIKE] and [RFC7748].  [RNSL] Chapter 1 provides
   introduction to quantum resource estimates.

        +---------------+-----------+----------+------------------+
        | Scheme        | Classical | Quantum  | NIST PQ category |
        +---------------+-----------+----------+------------------+
        | x25519sidh503 | 128-bit   | 64-qubit | 1                |
        |               |           |          |                  |
        | x448sidh751   | 224-bit   | 96-qubit | 3                |
        +---------------+-----------+----------+------------------+

   As described in [ISOSEC] it is possible to perform active attacks on
   static-static or non-interactive variants of the SIDH scheme.  The
   countermeasure for this attack was described in [KLM15].  Research
   proposes so-called "indirect key validation", using Fujisaki-Okamoto
   type transform.  However, using this transform is impractical and
   thus SIDH can be considered secure only if used for ephemeral keys.
   A more detailed discussion can be found in [URBJAO].

   Security against side-channel attacks is described in [SIKE].
   Implementers are encouraged to use a constant-time implementation.

   The security of the described key exchange relies on the security, in
   particular the collision resistance, of the used key-derivation
   function.  TLS 1.3 uses HKDF [RFC5869] as its key-derivation



Kiefer & Kwiatkowski      Expires May 10, 2019                  [Page 5]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


   function.  It is therefore important that the hash function used in
   HKDF is collision-resistant.

6.  Test vectors

   This section gives a test vectors for "x25519sidh503".

6.1.  1-RTT Handshake

   Client SIDH-ECDHE public key:

   Public Key (X25519||SIDH) [Len: 410 (32+378)]
       2b 5b 10 41 56 2f c7 04 d8 56 ce 41 9c e3 7d e6
       ae 0e 32 a9 98 5e a5 95 47 5a 9d a2 98 59 67 16
       6f ed 78 ba b1 01 e7 f4 c4 f4 9a d6 4f ac 8d ee
       ee 46 57 10 f7 12 40 41 7a 45 53 c2 35 b5 f7 a0
       42 9e c3 38 d3 7c 47 11 78 f7 8d d3 c9 18 9c 79
       7c dc d3 7f e4 93 ac 63 c4 77 5e 36 43 d5 2a 43
       ee a9 37 b6 88 41 86 98 c9 dc d6 b7 20 66 ab 3d
       d1 e4 f7 90 80 8d 8e fb 0b bf 79 bb b6 e2 13 c0
       38 4e 86 20 13 49 81 be 31 f9 2c 73 a3 2a e9 3c
       e1 7e b5 1b 75 2d 3f 26 79 7c c2 e5 e5 16 57 1d
       6f b4 06 4b 5d b1 9b bd d2 cf 4b f1 2b cd f9 b2
       5f 2c 9d 1b d1 78 55 4c b7 ec fa 7a 3a 64 dd db
       6b 43 0f 67 e9 61 1d 57 fe 63 c8 d4 b3 0f 7a 2f
       60 1b 0f 6a 3a e6 80 0c 14 b7 05 ae 06 bb 5c 46
       71 1b 0e d7 a0 e7 bb 5d 87 37 c4 56 d8 c4 b2 e1
       01 a6 39 70 14 13 50 22 4f cf d9 20 77 51 f7 c4
       37 27 c0 57 5c f2 be 36 3b f7 38 1f 95 5f 54 fc
       f4 ce 96 24 fa 04 d8 62 03 aa 9b 24 28 56 47 e9
       c3 04 24 5e ee b5 3e 16 25 c9 b3 0d 70 6e e7 a1
       a8 76 bf 8c 53 78 7f d0 a3 13 26 fd 3a b5 f6 11
       05 60 af 4a ad 7e 45 0c 41 de 52 e5 29 4d a1 42
       c3 7b 88 7b 6a ed 66 03 04 25 12 78 31 36 94 58
       86 e6 00 59 13 99 0c c1 5d 1c d0 f7 aa c3 73 a9
       dd 25 ac cd 4d 04 2a dd 77 f0 b0 96 6e 3a 0b 76
       df 59 92 de 38 fe e5 10 5d 8b 6d e5 b9 1e 1e 8c
       8b 9c a5 9c 52 2f 26 d6 73 0d

   Client SIDH-ECDHE private key:

   SIDH Private Key [Len: 32]
       37 83 09 b4 a8 c4 b8 6a 83 84 36 8a 18 55 d8 48
       69 f2 31 60 2e f0 a6 70 d3 24 fe 92 e5 25 82 01

   X25519 Private Key [Len: 32]
       a0 31 67 54 87 02 0f cb ef 07 40 af d3 ec 90 19
       88 02 fa d5 83 46 46 c9 8e 0e 49 c0 e1 3e 86 1a



Kiefer & Kwiatkowski      Expires May 10, 2019                  [Page 6]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


   Client Hello:

   CH [Len: 522]
       01 00 02 06 03 03 bf d0 ca 2e 81 e2 6e c4 d8 01
       6b 2e 86 f3 2e d9 d0 f9 83 93 85 03 50 3f 67 05
       71 cf 82 1d 5c e4 00 00 02 13 01 01 00 01 db 00
       00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01
       00 01 00 00 0a 00 04 00 02 01 05 00 33 01 a0 01
       9e 01 05 01 9a 2b 5b 10 41 56 2f c7 04 d8 56 ce
       41 9c e3 7d e6 ae 0e 32 a9 98 5e a5 95 47 5a 9d
       a2 98 59 67 16 6f ed 78 ba b1 01 e7 f4 c4 f4 9a
       d6 4f ac 8d ee ee 46 57 10 f7 12 40 41 7a 45 53
       c2 35 b5 f7 a0 42 9e c3 38 d3 7c 47 11 78 f7 8d
       d3 c9 18 9c 79 7c dc d3 7f e4 93 ac 63 c4 77 5e
       36 43 d5 2a 43 ee a9 37 b6 88 41 86 98 c9 dc d6
       b7 20 66 ab 3d d1 e4 f7 90 80 8d 8e fb 0b bf 79
       bb b6 e2 13 c0 38 4e 86 20 13 49 81 be 31 f9 2c
       73 a3 2a e9 3c e1 7e b5 1b 75 2d 3f 26 79 7c c2
       e5 e5 16 57 1d 6f b4 06 4b 5d b1 9b bd d2 cf 4b
       f1 2b cd f9 b2 5f 2c 9d 1b d1 78 55 4c b7 ec fa
       7a 3a 64 dd db 6b 43 0f 67 e9 61 1d 57 fe 63 c8
       d4 b3 0f 7a 2f 60 1b 0f 6a 3a e6 80 0c 14 b7 05
       ae 06 bb 5c 46 71 1b 0e d7 a0 e7 bb 5d 87 37 c4
       56 d8 c4 b2 e1 01 a6 39 70 14 13 50 22 4f cf d9
       20 77 51 f7 c4 37 27 c0 57 5c f2 be 36 3b f7 38
       1f 95 5f 54 fc f4 ce 96 24 fa 04 d8 62 03 aa 9b
       24 28 56 47 e9 c3 04 24 5e ee b5 3e 16 25 c9 b3
       0d 70 6e e7 a1 a8 76 bf 8c 53 78 7f d0 a3 13 26
       fd 3a b5 f6 11 05 60 af 4a ad 7e 45 0c 41 de 52
       e5 29 4d a1 42 c3 7b 88 7b 6a ed 66 03 04 25 12
       78 31 36 94 58 86 e6 00 59 13 99 0c c1 5d 1c d0
       f7 aa c3 73 a9 dd 25 ac cd 4d 04 2a dd 77 f0 b0
       96 6e 3a 0b 76 df 59 92 de 38 fe e5 10 5d 8b 6d
       e5 b9 1e 1e 8c 8b 9c a5 9c 52 2f 26 d6 73 0d 00
       2b 00 03 02 7f 1c 00 0d 00 04 00 02 04 01 00 2d
       00 02 01 01 00 1c 00 02 40 01

   Server selected KE = (EC)DHE.  Group = 261.

   Server SIDH-ECDHE public key:











Kiefer & Kwiatkowski      Expires May 10, 2019                  [Page 7]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


   Public Key (X25519||SIDH) [Len: 410 (32+378)]
       f8 c6 8f 4e 57 6b fb ec b3 de 23 d9 db 89 fc 1b
       f4 6f 01 a5 c0 91 61 fd c4 e7 bc 58 b4 eb 5f 76
       44 c4 c7 7b a3 09 1a 60 c7 15 8f 1e d6 83 f2 1c
       f8 36 13 a4 b3 c5 bc 4e 73 41 96 36 34 9a 9e 5a
       bc fc 9d fa 2b c3 2c 85 17 44 9b 21 8f bf ba f7
       7b 6c 19 c3 07 19 45 34 1e 88 cd 86 41 f8 32 38
       41 3d 75 20 e1 c9 4a 94 03 e4 2f 4b 38 2d 93 39
       b7 71 e9 84 80 b9 aa ca 97 39 5a c6 68 a7 b2 6f
       b0 3e 10 f0 02 e3 e3 62 78 23 b4 f7 f1 a8 ce cd
       71 a8 3a 23 81 63 ba 70 92 ea c6 9b 2c 35 93 6d
       b5 58 61 6d 2c 06 a5 4d 0d 27 35 20 0b 77 d0 0d
       65 f0 24 11 71 0b 71 45 2b 73 9c 42 fd d4 09 ba
       8a ed d2 9e 78 9c 2f 43 91 5d e7 3a 19 0b f8 2b
       71 6d 47 ae 86 e4 7a 9e e1 a0 de b5 08 bd a4 30
       bb c1 3e ad db 75 79 36 a0 0a ea 70 a0 9c 64 f7
       ba 92 a4 02 05 4d d4 9b ba a8 b3 9e 92 cd 28 13
       0e 84 81 90 84 cd ae 09 b2 0b 12 23 1c b4 3a 18
       cb 66 a1 8a 81 63 d4 e7 06 1c 16 04 29 20 2b cf
       da a3 90 55 15 4a 15 ab 30 95 f1 20 b0 84 f5 7e
       0f 92 f6 7f 4d 8c 22 2a a8 80 41 7b ee fa 85 f8
       e2 4d 45 38 28 eb e2 fd a5 c6 1e 37 98 9f a2 ed
       13 b9 dd f5 21 bc 78 10 2f 99 21 dc 30 55 57 58
       c6 59 89 13 f9 76 aa e1 ec 0d 82 27 74 a1 86 b5
       d1 74 12 49 5f ac a0 25 d2 91 5a 26 11 5e 0e f8
       d2 7f 00 7f 8e 8b 7d 89 93 ba 69 4c 5f c7 7c df
       d0 45 f4 17 3c 0c 03 df bf 1e

   Server SIDH-ECDHE private key:

   SIDH Private Key [Len: 32]
       ca a5 1b 8d cc 2e df b0 b9 f5 ed 9d b0 1c f4 7c
       b6 61 07 4d 5f e3 9d 6a 24 48 71 48 f3 11 4d 0a

   X25519 Private Key [Len: 32]
       a1 27 74 2c 0e ea 56 25 41 68 f4 7c d0 94 30 03
       5e 7e cb 3d e0 4f 84 36 41 e8 b4 39 1e 45 99 91

   Handshake secrets "tls13 s hs traffic":












Kiefer & Kwiatkowski      Expires May 10, 2019                  [Page 8]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


   PRK [Len: 32]
       35 7b 46 ed 6d f0 40 77 ae 2a a0 f4 47 cc df c1
       78 54 74 48 d4 ff 69 05 f9 d5 2f 9a 00 1c e8 86

   Hash [Len: 32]
       52 a5 04 4f 78 da 41 12 b8 ac 35 f3 37 54 0c 51
       18 ba c9 be c7 de 06 21 b2 f8 22 b6 e1 fa b5 96

   Info [Len: 54]
       00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
       61 66 66 69 63 20 52 a5 04 4f 78 da 41 12 b8 ac
       35 f3 37 54 0c 51 18 ba c9 be c7 de 06 21 b2 f8
       22 b6 e1 fa b5 96

   Derived key [Len: 32]
       e4 31 ba e7 1e 38 f1 d6 81 17 83 56 d3 8d 0e 35
       cf 42 6a 05 a2 2b 03 df d6 bb 4f 72 94 d2 9f c3

   Handshake secrets "tls13 c hs traffic":

   Info [Len: 54]
       00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
       61 66 66 69 63 20 52 a5 04 4f 78 da 41 12 b8 ac
       35 f3 37 54 0c 51 18 ba c9 be c7 de 06 21 b2 f8
       22 b6 e1 fa b5 96

   Derived key [Len: 32]
       d2 99 cb cb 70 91 05 b6 3f 62 a5 e7 a2 5c 9c 07
       2b 98 d9 0c d0 92 1c f2 0f c3 6a fa b3 57 4d 2a

   Server Handshake:

   SH [Len: 468]
       02 00 01 d0 03 03 8b 94 f0 f0 25 bd 87 30 3f 1c
       7c 86 e0 bc 25 e3 7f d7 ca 77 88 c5 a3 3c 69 34
       c8 ec a9 64 15 85 00 13 01 00 01 a8 00 33 01 9e
       01 05 01 9a f8 c6 8f 4e 57 6b fb ec b3 de 23 d9
       db 89 fc 1b f4 6f 01 a5 c0 91 61 fd c4 e7 bc 58
       b4 eb 5f 76 44 c4 c7 7b a3 09 1a 60 c7 15 8f 1e
       d6 83 f2 1c f8 36 13 a4 b3 c5 bc 4e 73 41 96 36
       34 9a 9e 5a bc fc 9d fa 2b c3 2c 85 17 44 9b 21
       8f bf ba f7 7b 6c 19 c3 07 19 45 34 1e 88 cd 86
       41 f8 32 38 41 3d 75 20 e1 c9 4a 94 03 e4 2f 4b
       38 2d 93 39 b7 71 e9 84 80 b9 aa ca 97 39 5a c6
       68 a7 b2 6f b0 3e 10 f0 02 e3 e3 62 78 23 b4 f7
       f1 a8 ce cd 71 a8 3a 23 81 63 ba 70 92 ea c6 9b
       2c 35 93 6d b5 58 61 6d 2c 06 a5 4d 0d 27 35 20
       0b 77 d0 0d 65 f0 24 11 71 0b 71 45 2b 73 9c 42



Kiefer & Kwiatkowski      Expires May 10, 2019                  [Page 9]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


       fd d4 09 ba 8a ed d2 9e 78 9c 2f 43 91 5d e7 3a
       19 0b f8 2b 71 6d 47 ae 86 e4 7a 9e e1 a0 de b5
       08 bd a4 30 bb c1 3e ad db 75 79 36 a0 0a ea 70
       a0 9c 64 f7 ba 92 a4 02 05 4d d4 9b ba a8 b3 9e
       92 cd 28 13 0e 84 81 90 84 cd ae 09 b2 0b 12 23
       1c b4 3a 18 cb 66 a1 8a 81 63 d4 e7 06 1c 16 04
       29 20 2b cf da a3 90 55 15 4a 15 ab 30 95 f1 20
       b0 84 f5 7e 0f 92 f6 7f 4d 8c 22 2a a8 80 41 7b
       ee fa 85 f8 e2 4d 45 38 28 eb e2 fd a5 c6 1e 37
       98 9f a2 ed 13 b9 dd f5 21 bc 78 10 2f 99 21 dc
       30 55 57 58 c6 59 89 13 f9 76 aa e1 ec 0d 82 27
       74 a1 86 b5 d1 74 12 49 5f ac a0 25 d2 91 5a 26
       11 5e 0e f8 d2 7f 00 7f 8e 8b 7d 89 93 ba 69 4c
       5f c7 7c df d0 45 f4 17 3c 0c 03 df bf 1e 00 2b
       00 02 7f 1c

   SH [Len: 651]
       08 00 00 14 00 12 00 0a 00 04 00 02 01 05 00 1c
       00 02 40 01 00 00 00 00 0b 00 01 c3 00 00 01 bf
       00 01 ba 30 82 01 b6 30 82 01 1f a0 03 02 01 02
       02 01 05 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b
       05 00 30 13 31 11 30 0f 06 03 55 04 03 0c 08 72
       73 61 5f 73 69 67 6e 30 1e 17 0d 31 38 30 36 31
       30 31 30 32 34 31 32 5a 17 0d 32 38 30 36 31 30
       31 30 32 34 31 32 5a 30 13 31 11 30 0f 06 03 55
       04 03 0c 08 72 73 61 5f 73 69 67 6e 30 81 9f 30
       0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81
       8d 00 30 81 89 02 81 81 00 c6 96 5e 96 71 5a ea
       40 c2 c0 60 c7 c7 4e 98 b3 40 0c 02 a3 1c 9c 8e
       e7 c6 57 6b 48 8c 23 04 d4 e8 54 09 37 c2 b8 b1
       ac b4 49 b7 76 ef 59 f8 3f 7c 4e e3 6a fa 32 04
       53 74 85 2d 0d 8e 91 ad 2d 65 52 ec f2 54 1c 82
       f1 b5 46 c8 5e ec e1 4e 6a f1 a1 c8 9f 9c 2b e1
       79 3b 85 58 80 19 d5 f2 87 cb c0 13 5f 56 56 d3
       75 78 bb 71 ef fa df e4 98 76 31 47 72 9b 5d 6a
       fe d7 c9 58 e6 d2 c6 2c 5f 02 03 01 00 01 a3 1a
       30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
       03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86
       48 86 f7 0d 01 01 0b 05 00 03 81 81 00 07 58 be
       81 c3 60 a0 cb 94 bc 79 81 0c b5 c6 ec 84 c6 c0
       f8 d9 63 50 0a 7e b2 9d 80 95 5d b2 ba c9 31 72
       73 d5 78 97 d1 5f e3 d9 f8 54 25 e0 1a 0e 7f 2b
       ec 20 27 b6 ba ff 9c 38 42 23 ed 10 c4 51 54 f2
       a3 45 54 df 59 be 83 d4 b8 00 7f 13 a3 27 40 ca
       af 66 72 f5 f7 cf 1e 4d 6c 94 e4 02 46 cf f7 9d
       13 7e 72 6b 77 20 15 9c c9 f7 c2 f1 5f 00 91 d3
       da c6 2e 71 f0 51 82 db 13 b2 ee c7 0c 00 00 0f
       00 00 84 04 01 00 80 7e c8 cb 1d d8 2e 83 d4 7e



Kiefer & Kwiatkowski      Expires May 10, 2019                 [Page 10]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


       69 8a db 8d 39 79 13 49 9f 03 21 7a 2f 5f ef df
       2e 07 58 a8 0f 4b 61 85 10 25 01 3c cc 14 ef ac
       35 17 c8 ed 27 17 0f 6e e5 78 7e 19 b5 0a 99 2d
       bd 68 f4 47 0e 0a 11 cb 57 12 d5 73 cd 20 05 a4
       b5 04 6c 13 6c 1b 9a f9 15 aa cc ca c2 22 83 fe
       37 5f c3 f2 24 09 e3 d5 df 26 9f ab 84 e9 92 68
       38 73 09 b1 58 55 43 79 02 59 0c 13 cc 68 4f 53
       62 4b 72 d7 3b 17 86 14 00 00 20 d1 6e ba a6 9a
       12 01 ec 46 fb e4 2c 8b 0e dd b5 73 a9 d7 e1 da
       ba c5 c3 0d 53 5d 90 24 fd 53 60

   Client finished handshake:

   Client finished [Len: 36]
       14 00 00 20 8e 34 2d 9d 69 fb 95 76 65 05 03 4d
       cf 27 21 59 7c 45 f7 0e 3f 1e d9 29 18 4b 29 87
       6a a5 c1 4d

   Shared secret (server & client):

   Shared secret (X25519||SIDH) [Len: 158 (32+126)]
       f0 93 ac 03 ca 0b 5c 05 e6 c3 d3 7f ae 71 10 57
       a6 a6 3e c7 7c 12 8d 21 8b 39 fc a5 8a 19 69 02
       31 c8 0b 85 96 07 d4 f2 9b 5d ca a1 2d 69 78 2a
       4f d8 1e c5 ea 87 ff 24 a2 7e b3 96 db 63 d5 66
       cd f8 13 d3 34 70 e8 03 10 34 44 68 2d 6b 11 1a
       a9 a0 58 cd 54 ed ce 8b 27 bc 3d ef 23 4b 2e f7
       0b 28 de 95 d9 de 45 4a 73 48 d1 ad 51 21 f6 fe
       fa ae 22 64 b5 2c db f7 99 7e 5b 3c 09 06 d9 eb
       e1 a3 a7 8f 34 74 a2 77 a0 85 ca 11 d4 1b 44 53
       ed eb 8c 67 b4 f2 62 6e 54 4c 97 a9 1a 27

7.  IANA Considerations

   TODO: register the codepoints

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.







Kiefer & Kwiatkowski      Expires May 10, 2019                 [Page 11]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,
              <https://www.rfc-editor.org/info/rfc5869>.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [SIDH]     Jao, D. and L. De Feo, "Towards quantum-resistant
              cryptosystems from supersingular elliptic curve isogenie",
              PQCrypto-2011 , 2011,
              <https://eprint.iacr.org/2011/506.pdf>.

   [SIKE]     Azarderakhsh, R., Campagna, M., Costello, C., De Feo, L.,
              Hess, B., Jalali, A., Jao, D., Koziel, B., LaMacchia, B.,
              Longa, P., Naehrig, M., Renes, J., Soukharev, V., and D.
              Urbanik, "Supersingular Isogeny Key Encapsulation",
              Submission to the NIST Post-Quantum Standardization
              project , 2017, <http://sike.org/files/SIDH-spec.pdf>.

8.2.  Informative References

   [eSIDH]    Costello, C., Longa, P., and M. Naehrig, "Efficient
              algorithms for supersingular isogeny Diffie-Hellman",
              IACR-CRYPTO-2016 , 2016,
              <https://eprint.iacr.org/2016/413.pdf>.

   [ISOSEC]   Galbraith, S., Petit, C., Shani, B., and Y. Bo Ti, "On the
              security of supersingular isogeny cryptosystems", IACR-
              CRYPTO-2016 , 2016,
              <https://eprint.iacr.org/2016/859.pdf>.

   [KLM15]    Kirkwood, D., Lackey, B., McVey, J., Motley, M., Solinas,
              J., and D. Tuller, "Failure is not an Option:
              Standardization Issues for Post-Quantum Key Agreement",
              Workshop on Cybersecurity in a Post Quantum World, 2015 ,
              2015.





Kiefer & Kwiatkowski      Expires May 10, 2019                 [Page 12]


Internet-Draft           ECDHE-SIDH Key Exchange           November 2018


   [RNSL]     Roetteler, M., Naehrig, M., Svore, K., and K. Lauter,
              "Quantum Resource Estimates for Computing Elliptic Curve
              Discrete Logarithms", arXiv , 2017,
              <https://arxiv.org/pdf/1706.06752.pdf>.

   [URBJAO]   Urbanik, D. and D. Jao, "SoK: The Problem Landscape of
              SIDH", IACR-CRYPTO-2018 , 2018,
              <https://eprint.iacr.org/2018/336.pdf>.

Acknowledgements

   o  Martin Thomson
      Mozilla
      mt@mozilla.com

Authors' Addresses

   Franziskus Kiefer
   Mozilla

   Email: franziskuskiefer@gmail.com


   Krzysztof Kwiatkowski
   Cloudflare

   Email: kris@cloudflare.com
























Kiefer & Kwiatkowski      Expires May 10, 2019                 [Page 13]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/