The Post-Quantum TLS Challenge
Transport Layer Security (TLS) protects virtually all internet communication—from web browsing to API calls to email. As we transition to post-quantum cryptography, TLS implementations must evolve while maintaining compatibility with existing infrastructure.
HPTLS addresses this challenge with a ground-up implementation of TLS 1.3 and QUIC that treats post-quantum security as a first-class requirement rather than an afterthought.
Why Hybrid Key Exchange?
The cryptographic community has reached consensus on a hybrid approach for the post-quantum transition:
Classical + Post-Quantum = Defense in Depth
Hybrid Shared Secret = HKDF(ECDH_Secret || ML-KEM_Secret)
This approach provides security even if:
- The post-quantum algorithm is later found vulnerable
- The classical algorithm is broken by quantum computers
- Implementation bugs affect one component
HPTLS implements hybrid key exchange using X25519 combined with ML-KEM-768, following the emerging IETF standards.
Supported Cipher Suites
HPTLS supports all mandatory TLS 1.3 cipher suites plus post-quantum hybrids:
| Cipher Suite | Key Exchange | Status |
|---|---|---|
| TLS_AES_256_GCM_SHA384 | X25519 | Standard |
| TLS_AES_128_GCM_SHA256 | X25519 | Standard |
| TLS_CHACHA20_POLY1305_SHA256 | X25519 | Standard |
| TLS_AES_256_GCM_SHA384 | X25519+ML-KEM-768 | Hybrid PQ |
| TLS_AES_128_GCM_SHA256 | X25519+ML-KEM-768 | Hybrid PQ |
Architecture Overview
Clean Separation of Concerns
HPTLS separates cryptographic operations from protocol logic:
// Protocol layer - no crypto details
pub struct TlsConnection<T: Transport> {
state: HandshakeState,
transport: T,
record_layer: RecordLayer,
}
// Crypto layer - pluggable implementations
pub trait CryptoProvider {
type Kex: KeyExchange;
type Aead: AuthenticatedEncryption;
type Hash: HashFunction;
}
// Default provider uses HPCrypt
pub struct HpCryptProvider;
This architecture enables:
- Easy algorithm upgrades
- FIPS-validated crypto backends
- Hardware security module integration
Zero-Copy Record Processing
HPTLS processes TLS records without unnecessary memory copies:
// Traditional approach: multiple copies
let encrypted = read_record(&mut socket)?; // Copy 1
let decrypted = decrypt(&encrypted, &key)?; // Copy 2
let plaintext = remove_padding(&decrypted)?; // Copy 3
// HPTLS: in-place processing
let mut buffer = read_record_into(&mut socket, &mut scratch)?;
decrypt_in_place(&mut buffer, &key)?; // Single buffer
let plaintext = &buffer[..payload_len]; // Zero-copy view
This reduces memory bandwidth by 3x and improves cache utilization.
QUIC Support
HPTLS provides native QUIC integration with post-quantum key exchange:
use hptls::quic::{QuicConfig, QuicConnection};
let config = QuicConfig::builder()
.with_hybrid_key_exchange(true)
.with_certificate_chain(certs)
.with_private_key(key)
.build()?;
// Server
let mut listener = QuicListener::bind("0.0.0.0:443", config).await?;
while let Some(conn) = listener.accept().await {
tokio::spawn(handle_connection(conn));
}
// Client
let conn = QuicConnection::connect("example.com:443", config).await?;
let (mut send, mut recv) = conn.open_bidirectional_stream().await?;
QUIC Performance
Post-quantum hybrid adds minimal overhead to QUIC handshakes:
| Metric | Standard QUIC | Hybrid PQ QUIC | Overhead |
|---|---|---|---|
| 0-RTT Handshake | 0ms | 0ms | 0% |
| 1-RTT Handshake | 1.2ms | 1.4ms | 17% |
| Key Share Size | 32 bytes | 1,216 bytes | +1,184 bytes |
| Throughput | 4.2 Gbps | 4.1 Gbps | 2% |
The additional key share size is amortized over the connection lifetime.
Migration Strategy
Phase 1: Dual-Stack Deployment
Start by deploying HPTLS alongside existing infrastructure:
// Accept both classical and hybrid connections
let config = TlsConfig::builder()
.prefer_hybrid_key_exchange(true)
.allow_classical_fallback(true)
.build()?;
Phase 2: Hybrid-First
Once client support is widespread:
let config = TlsConfig::builder()
.require_hybrid_key_exchange(true)
.build()?;
Phase 3: Full Post-Quantum
When confidence in post-quantum algorithms matures:
let config = TlsConfig::builder()
.require_post_quantum_only(true) // ML-KEM without classical
.build()?;
API Examples
Simple HTTPS Server
use hptls::{TlsAcceptor, TlsConfig};
use tokio::net::TcpListener;
#[tokio::main]
async fn main() -> Result<()> {
let config = TlsConfig::builder()
.with_certificate_chain_file("cert.pem")?
.with_private_key_file("key.pem")?
.with_hybrid_key_exchange(true)
.build()?;
let acceptor = TlsAcceptor::new(config);
let listener = TcpListener::bind("0.0.0.0:443").await?;
loop {
let (stream, _) = listener.accept().await?;
let acceptor = acceptor.clone();
tokio::spawn(async move {
let tls_stream = acceptor.accept(stream).await?;
handle_request(tls_stream).await
});
}
}
Client with Certificate Verification
use hptls::{TlsConnector, TlsConfig};
let config = TlsConfig::builder()
.with_native_roots() // Use system CA certificates
.with_hybrid_key_exchange(true)
.with_alpn_protocols(&["h2", "http/1.1"])
.build()?;
let connector = TlsConnector::new(config);
let stream = TcpStream::connect("example.com:443").await?;
let tls_stream = connector.connect("example.com", stream).await?;
// Connection is now quantum-resistant
Security Properties
HPTLS provides the following security guarantees:
Forward Secrecy: Compromise of long-term keys does not reveal past session keys
Post-Quantum Confidentiality: Encrypted data remains confidential even against quantum adversaries
Authentication: Server (and optionally client) identity verified via certificates
Integrity: All records authenticated with AEAD, preventing tampering
Replay Protection: Each connection uses unique session keys and nonces
Benchmarks
Performance measurements on AMD Ryzen 9 7950X:
| Operation | HPTLS (Hybrid) | rustls | OpenSSL |
|---|---|---|---|
| Full Handshake | 1.8ms | 1.2ms | 1.1ms |
| Resumed Handshake | 0.4ms | 0.3ms | 0.3ms |
| Encrypt 1KB | 0.8μs | 0.9μs | 0.7μs |
| Decrypt 1KB | 0.8μs | 0.9μs | 0.7μs |
| Throughput | 4.1 Gbps | 4.3 Gbps | 4.5 Gbps |
The 50% handshake overhead is primarily due to larger key shares and is acceptable for most applications given the security benefits.
Getting Started
HPTLS is available now on GitHub:
# Add to Cargo.toml
[dependencies]
hptls = "0.1"
# Or with QUIC support
hptls = { version = "0.1", features = ["quic"] }
Comprehensive documentation, migration guides, and example applications are included.
What's Next
- Certificate Transparency: Integration with CT logs for hybrid certificates
- Encrypted Client Hello: Privacy protection for SNI
- Hardware Acceleration: PKCS#11 and TPM support for key storage
The post-quantum future of secure communications starts now. With HPTLS, your applications are ready.