The pq-wolfssl development team have done an excellent experimental post-quantum integration. We applaud their efforts and wanted to summarize and share some fascinating things that they published in their paper. First we will discuss their scenario and then their conclusions.
The team’s objective was to study the possibility of a two-step migration strategy for post-quantum signature schemes. In their scenario, initially, only long lived root certificates would use public keys associated with stateful hash-based signature algorithms while the intermediate and end entity certificates continue to have public keys associated with conventional algorithms such ECDSA. It is important to note here (as is done in the paper as well), that stateful hash-based signature algorithms are already specified as IETF RFCs and are generally accepted to be secure as their building blocks are well trusted hash algorithms and Merkle trees and do not depend on new or exotic mathematical constructs.
Eventually, as the other post-quantum algorithms are standardized and trust builds, intermediate certificates can be issued with public keys associated with them. At this step end-entity certificates would then be issued with public keys associated with the new post-quantum algorithms as well. This finishes the migration process.
This begs the question, why not use stateful hash-based signature algorithms all throughout the chain from the beginning? The answer lies in the state. End entity certificates hold public keys that are associated with private keys that will be used during the handshake phase of the TLS 1.3 connection. The management of this state during on-line signing operations is ill advised for reasons that are not within the scope of this blog post. More detailed explanations can be found at NIST’s website.
They found that the first step of the migration could be done practically and with very little impact on connection establishment parameters. In their final migration step where the whole certificate chain and key establishment were all under post-quantum algorithms, they found that the best case scenario was feasable in all respects except RAM usage. They found that RAM usage was significantly higher.
In the paper, the team says “Therefore, we selected the open source TLS library wolfSSL (v4.7.0) for our integrations of PQC, because it is suitable for embedded systems and supports TLS 1.3.”
If you want to do similar experiments, please send a message to firstname.lastname@example.org; we’d love to help out where we can!