Skip to main content

More Efficient Post-quantum KEMTLS with Pre-distributed Public Keys

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12972)


While server-only authentication with certificates is the most widely used mode of operation for the Transport Layer Security (TLS) protocol on the world wide web, there are many applications where TLS is used in a different way or with different constraints. For example, embedded Internet-of-Things clients may have a server certificate pre-programmed and be highly constrained in terms of communication bandwidth or computation power. As post-quantum algorithms have a wider range of performance trade-offs, designs other than traditional “signed-key-exchange” may be worthwhile. The KEMTLS protocol, presented at ACM CCS 2020, uses key encapsulation mechanisms (KEMs) rather than signatures for authentication in the TLS 1.3 handshake, a benefit since most post-quantum KEMs are more efficient than PQ signatures. However, KEMTLS has some drawbacks, especially in the client authentication scenario which requires a full additional roundtrip.

We explore how the situation changes with pre-distributed public keys, which may be viable in many scenarios, for example pre-installed public keys in apps, on embedded devices, cached public keys, or keys distributed out of band. Our variant of KEMTLS with pre-distributed keys, called \(\mathsf{KEMTLS\text {-}PDK}\), is more efficient in terms of both bandwidth and computation compared to post-quantum signed-KEM TLS (even cached public keys), and has a smaller trusted code base. When client authentication is used, \(\mathsf{KEMTLS\text {-}PDK}\) is more bandwidth efficient than KEMTLS yet can complete client authentication in one fewer round trips, and has stronger authentication properties. Interestingly, using pre-distributed keys in \(\mathsf{KEMTLS\text {-}PDK}\) changes the landscape on suitability of PQ algorithms: schemes where public keys are larger than ciphertexts/signatures (such as Classic McEliece and Rainbow) can be viable, and the differences between some lattice-based schemes is reduced. We also discuss how using pre-distributed public keys provides privacy benefits compared to pre-shared symmetric keys in TLS.


  • Post-quantum cryptography
  • Transport Layer Security

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88418-5_1
  • Chapter length: 20 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88418-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.


  1. 1.

    The full version is available from


  1. Albrecht, M.R., et al.: Classic McEliece. Technical report, National Institute of Standards and Technology (2020). url

    Google Scholar 

  2. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 2016, pp. 327–343. USENIX Association, August 2016

    Google Scholar 

  3. Barnes, R.L., Bhargavan, K., Lipp, B., Wood, C.A.: Hybrid public key encryption. Internet-draft, Internet Research Task Force (2021),

  4. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994).

    CrossRef  Google Scholar 

  5. Bindel, N., Braun, J., Gladiator, L., Stöckert, T., Wirth, J.: X.509-compliant hybrid certificates for the post-quantum transition. J. Open Sour. Softw. 4(40), 1606 (2019).

    CrossRef  Google Scholar 

  6. Bindel, N., Herath, U., McKague, M., Stebila, D.: Transitioning to a quantum-resistant public key infrastructure. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017, vol. 10346, pp. 384–405. Springer, Heidelberg (2017).

    CrossRef  MATH  Google Scholar 

  7. Birr-Pixton, J.: A modern TLS library in Rust. Accessed 29 Apr 2021

  8. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553–570. IEEE Computer Society Press, May 2015.

  9. Braithwaite, M.: Experimenting with post-quantum cryptography. Posting on the Google Security Blog (2016).

  10. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001).

    CrossRef  Google Scholar 

  11. Celi, S., Wiggers, T.: KEMTLS: post-quantum TLS without signatures. Posting on the Cloudflare Blog (2021).

  12. Chen, C., et al.: NTRU. Technical report, National Institute of Standards and Technology (2020).

  13. D’Anvers, J.P., et al.: SABER. Technical report, National Institute of Standards and Technology (2020).

  14. de Saint Guilhem, C.D., Smart, N.P., Warinschi, B.: Generic forward-secure key agreement without signatures. In: Nguyen, P.Q., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 114–133. Springer, Heidelberg (2017)

    Google Scholar 

  15. Di Raimondo, M., Gennaro, R., Krawczyk, H.: Deniable authentication and key exchange. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM CCS 2006, pp. 400–409. ACM Press, October–November 2006.

  16. Ding, J., et al.: Rainbow. Technical report, National Institute of Standards and Technology (2020).

  17. Dodis, Y., Katz, J., Smith, A., Walfish, S.: Composability and on-line deniability of authentication. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 146–162. Springer, Heidelberg (2009).

    CrossRef  Google Scholar 

  18. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1197–1210. ACM Press, October 2015.

  19. Drucker, N., Gueron, S.: Selfie: reflections on TLS 1.3 with PSK. Cryptology ePrint Archive, Report 2019/347 (2019).

  20. Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1193–1204. ACM Press, November 2014.

  21. Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 467–484. Springer, Heidelberg (2012).

    CrossRef  Google Scholar 

  22. Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism. In: Chen, K., Xie, Q., Qiu, W., Li, N., Tzeng, W.G. (eds.) ASIACCS 2013, pp. 83–94. ACM Press, May 2013

    Google Scholar 

  23. Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2020).

  24. Josefsson, S.: Storing Certificates in the Domain Name System (DNS). RFC 4398, March 2006.

  25. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005).

    CrossRef  Google Scholar 

  26. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010, LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010).

  27. Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF). RFC 5869, May 2010.

  28. Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: EuroS&P 2016. IEEE (2017).

  29. Kwiatkowski, K.: Towards post-quantum cryptography in TLS. Posting on the Cloudflare Blog (2019).

  30. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)

    Google Scholar 

  31. Langley, A.: Cecpq2. Posting on the ImperialViolet Blog (2018).

  32. Laurie, B., Langley, A., Kasper, E.: Certificate transparency. RFC 6962, June 2013.

  33. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003)

    MathSciNet  CrossRef  Google Scholar 

  34. Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2020).

  35. Paquin, C., Stebila, D., Tamvada, G.: Benchmarking post-quantum cryptography in TLS. In: Ding, J., Tillich, J.P. (eds.) 11th International Conference on Post-Quantum Cryptography, PQCrypto 2020, pp. 72–91. Springer, Heidelberg (2020).

  36. Perrin, T.: Noise protocol framework, July 2018. Accessed 29 Apr 2021

  37. Prest, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2020).

  38. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018.

  39. Rescorla, E., Sullivan, N., Wood, C.A.: Semi-static Diffie-Hellman key establishment for TLS 1.3. Internet-draft, Internet Engineering Task Force (2020).

  40. Santesson, S., Myers, M., Ankney, R., Malpani, A., Galperin, S., Adams, D.C.: X.509 internet public key infrastructure Online Certificate Status Protocol - OCSP. RFC 6960, June 2013.

  41. Santesson, S., Tschofenig, H.: Transport Layer Security (TLS) Cached Information Extension. RFC 7924, July 2016.

  42. Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2020).

  43. Schwabe, P., Stebila, D., Wiggers, T.: Post-quantum TLS without handshake signatures. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 20, pp. 1461–1480. ACM Press, November 2020.

  44. Sikeridis, D., Kampanakis, P., Devetsikiotis, M.: Post-quantum authentication in TLS 1.3: a performance study. In: NDSS 2020. The Internet Society , February 2020

    Google Scholar 

  45. Stebila, D., Mosca, M.: Post-quantum key exchange for the internet and the open quantum safe project. In: Avanzi, R., Heys, H.M. (eds.) SAC 2016. LNCS, vol. 10532, pp. 14–37. Springer, Heidelberg (2016).

  46. Sy, E., Burkert, C., Federrath, H., Fischer, M.: Tracking users across the web via TLS session resumption. In: ACM ACSAC 2018, pp. 289–299. ACM Press (2018).

Download references


The authors gratefully acknowledge insightful discussions with Patrick Towa on the security model, proof, and pre-distributed keys scenario. This work has been supported by the European Research Council through Starting Grant No. 805031 (EPOQUE) and the Natural Sciences and Engineering Research Council of Canada through Discovery grant RGPIN-2016-05146 and a Discovery Accelerator Supplement.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Thom Wiggers .

Editor information

Editors and Affiliations



Figure 4 presents KEMTLS  [43] side-by-side with TLS 1.3. Establishing an ephemeral shared secret happens in a similar way in TLS 1.3 and KEMTLS. The client submits a public key \(g^x\) (TLS 1.3) or \(\mathsf {pk}_e\) (KEMTLS) to the server in the \(\mathtt{ClientHello}\) message. The server then replies with its key share \(g^y\) (TLS 1.3) or ciphertext \(\mathsf {ct}_e\) (KEMTLS). At this point, the server has the information to derive the handshake shared secret. This shared secret \(\mathsf {ss}_e\) is used to encrypt the server’s certificate before transmitting it to the client.

In TLS 1.3, this certificate contains a long-term public key for a digital signature algorithm \(\mathsf {pk}_S\). The server signs the transcript of all the transmitted messages so far and submits this signature in the \(\mathtt{ServerCertificateVerify}\) message. This allows the client to immediately verify the server’s identity: the signature proves the server posesses the private key corresponding to the certificate. The server then finishes the handshake by sending the key confirmation message. The client replies with its own key confirmation message.

When using long-term public keys for KEMs in certificates, signing the transcript is not possible. So, in KEMTLS, the client encapsulates a new shared secret \(\mathsf {ss}_S\) to the server’s long-term public key \(\mathsf {pk}_S\). It then sends over the corresponding ciphertext \(\mathsf {ct}_S\) to the server. Only if the server can decapsulate the shared secret from the ciphertext, can it prove posession of the private key corresponding to the certificate. The server mixes in the new shared secret with the ephemeral secret key and derives new handshake keys. The server’s key confirmation message then proves possesion of the long-term key.

Fig. 4.
figure 4

Overview of TLS 1.3 and KEMTLS

If the client were to wait for the server to prove that it has decapsulated the ciphertext, KEMTLS would need a full extra round-trip over TLS 1.3. However, before the confirmation message, the client already knows that only the intended server would be able to read any data that is encrypted with keys derived from \(\mathsf {ss}_S\). KEMTLS uses this to allow the client to send data to the implicitly authenticated server before it has received the server’s key confirmation message. Once the key confirmation is received, the server is explicitly authenticated and the client then knows the server is present.

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Schwabe, P., Stebila, D., Wiggers, T. (2021). More Efficient Post-quantum KEMTLS with Pre-distributed Public Keys. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12972. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88417-8

  • Online ISBN: 978-3-030-88418-5

  • eBook Packages: Computer ScienceComputer Science (R0)