Analysis of PQConnect - And its underlying cryptographic primitives
Waseem, Talal (2025)
Master's Programme in Information Technology
Faculty of Information Technology and Communication Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of acceptance
2025-06-06
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:tuni-202505286335
Abstract
Quantum computing threatens current public-key cryptography. New quantum-safe communication protocols are needed to address this threat. PQConnect is a tunnelling protocol designed for automated, end-to-end secure communication that resists quantum attacks while remaining compatible with existing infrastructure. It employs a hybrid handshake integrating classical and post-quantum primitives to establish shared keys.
This thesis analyses PQConnect’s handshake, which uses a nested hybrid key exchange combining three schemes: Classic McEliece (a code-based key encapsulation), X25519 (Curve25519 elliptic-curve Diffie–Hellman), and SNTRUP761 (Streamlined NTRU Prime), all used as Key Encapsulation Mechanisms (KEMs). The layers are nested so that each inner exchange is concealed by the outer layers, so that breaking any single layer is not enough to recover the session key. The analysis details how each layer contributes to key establishment and how fresh ephemeral keys ensure forward secrecy.
Additional PQConnect mechanisms are examined, including streaming verification of handshake data and DNS-based key distribution. Streaming verification processes large handshake records incrementally, reducing memory usage. For key distribution, PQConnect retrieves hashed server public keys via authenticated DNS records: a client fetches a hash of the server’s long-term key from DNS and verifies it before initiating the handshake, avoiding reliance on centralized certificates. A ratcheting key schedule derives new chain keys for each time epoch and per-packet encryption keys, limiting key exposure and extending forward secrecy beyond the initial handshake.
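The two mechanisms described above, combining the shared secrets of the nested layers into one session key and then ratcheting it per epoch and per packet, can be modelled in a few lines. This is an added illustration written for this page, not PQConnect's own code: the HMAC-SHA256 derivation step, the labels, and the sample secrets are all assumptions (real shared secrets would come from the Classic McEliece, X25519 and sntrup761 layers, which are not implemented here).

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes, context: bytes = b"") -> bytes:
    """One derivation step: HMAC-SHA256 keyed by the running secret.
    Assumed stand-in for the real key schedule; returns a fresh 32-byte key."""
    return hmac.new(key, label + context, hashlib.sha256).digest()

def combine_layers(layer_secrets):
    """Fold the shared secrets of the nested KEM layers into one session key.
    layer_secrets: ordered list of (layer_name, shared_secret). Each step is
    keyed by the chain so far, so the output depends on every layer's secret
    and on their order; recovering one layer alone does not give the key."""
    chain = b"\x00" * 32
    for name, secret in layer_secrets:
        chain = kdf(chain, b"layer:" + name, secret)
    return chain

class Ratchet:
    """Per-epoch chain key plus per-packet keys. Advancing is one-way: the old
    chain key is overwritten, so earlier epochs' packet keys cannot be re-derived
    from current state (this is what limits exposure after a compromise)."""
    def __init__(self, session_key: bytes):
        self.epoch = 0
        self.chain_key = kdf(session_key, b"chain", b"\x00")

    def advance_epoch(self) -> None:
        self.chain_key = kdf(self.chain_key, b"chain-next")
        self.epoch += 1

    def packet_key(self, seq: int) -> bytes:
        """Encryption key for one packet (by sequence number) in the current epoch."""
        return kdf(self.chain_key, b"packet", seq.to_bytes(8, "big"))

# Constructed placeholder secrets; real values come from the three KEM layers.
SAMPLE_SECRETS = [
    (b"mceliece", hashlib.sha256(b"constructed mceliece ss").digest()),
    (b"x25519", hashlib.sha256(b"constructed x25519 ss").digest()),
    (b"sntrup761", hashlib.sha256(b"constructed sntrup761 ss").digest()),
]

def demo():
    """Both endpoints derive the same session key, then ratchet in lockstep.
    Returns (keys agree, key changes across epochs, still agree after ratchet)."""
    session = combine_layers(SAMPLE_SECRETS)
    client, server = Ratchet(session), Ratchet(session)
    k0 = client.packet_key(0)
    agree_before = k0 == server.packet_key(0)
    client.advance_epoch(); server.advance_epoch()
    k0_next = client.packet_key(0)
    return agree_before, k0 != k0_next, k0_next == server.packet_key(0)

if __name__ == "__main__":
    print(demo())
```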
For performance evaluation, packet-level traffic was captured using Wireshark for both PQConnect and traditional TLS sessions. Captured packets were analyzed to compare handshake flows and performance metrics such as packet size and total transmitted data. The results show that PQConnect introduces only a modest increase in packet sizes and overall data volume, with no significant latency overhead. Streaming verification and DNS-based lookup were confirmed to function correctly without noticeable delay.
In conclusion, the study finds that PQConnect can establish quantum-secure tunnels with minimal performance penalty. Its hybrid handshake effectively integrates post-quantum primitives while maintaining compatibility with current infrastructure. DNS-based key distribution and streaming verification enhance trust and efficiency. The ratchet mechanism provides robust forward secrecy. These findings suggest that PQConnect is a practical and future-ready solution for secure tunnelling.
