Protocol for secure communication between mission control and satellites.
Standardized by the Consultative Committee for Space Data Systems (CCSDS).
Purely symmetric using pre-established keys.
⇒ No good way to establish or update keys.
ESA wanted an asymmetric solution.
Requirements
Ability to establish keys between unknown parties.
There are plans to use SDLS for satellite swarms.
Forward Secrecy
Algorithms:
US, EU, PRC, … might end up with different requirements, standard has to be agnostic.
Base a recommendation on established algorithms:
Primarily NIST winners
Solutions otherwise approved in Europe.
Hybrid Security
Ongoing Debate in the Community.
ESA insisted on the possibility, we agree.
Slightly More Unusual
Reliability:
Always a factor, but to a much greater extend in space!
Satellites are somewhat authenticated by their position in the sky.
⇒ If ground stations are trustworthy, they potentially don’t require authentication on the protocol level!
Key establishment not a phase of a data transmission protocol, but run independently of those.
🌏
🛰️
Non Issues
Anonymity
Deniability
Neither is really relevant on this level.
Considered Solutions
We analyzed two classes of handshakes, both with support for an optional pre-shared key:
Sign + KEM
KEMs for key establishment and signatures for authenticity.
Dual/Triple KEM
KEM-only approach. (2 - 3 KEMs)
Approach
Focus on sizes. (Compute not as much of a bottleneck with most modern algorithms.)
Don’t make the protocol hybrid, use hybrid primitives instead.
Prove security in version of BR-model.
eCK-PFS-PSK very likely possible, but only real difference is dealing with corrupted randomness. (Not a relevant attack vector here.)
Simplifies the security notion quite a bit at little real cost. (Corrupted randomness is generally considered an implementation vulnerability and not something that protocols should necessarily deal with.)
Separate KEMs in analysis:
Allows different KEM primitives within the same protocol. (e.g. Kyber for ephemeral Confidentiality and Classic McEliece for long-term authenticity.)
Recommended protocol heavily based on Post Quantum Noise
Use handshake phase as full protocol
Add explicit key confirmation message instead of relying in implicit authentication by first message
Add mechanism to update long-term keys.
Results
3 × (Kyber + ECDH) relatively clear winner.
If transmission of long-term keys is rare, Classic McEliece can be an improvement, but very high short term cost.
Kyber + Falcon runner up, but:
Notorious difficulty to implement securely.
Can in theory safe one roundtrip, but too fragile.
Stateful signatures and chains of one-time signatures are not competitive.
Skipping responder authentication is possible and saves some bandwidth, but usually not worth the risks.
Standardization
Protocol currently in standardization by CCSDS
No updates for long term keys.
Additional confirmation from satellite.
Otherwise only minor changes.
Summary
We designed a key installment protocol for space systems.
(PQ-) Noise gave a solid foundation, with few required adjustments.
Resulting Protocol is currently in standardization by CCSDS.
Questions?
Appendix: Sizes of Sign+KEM
SK = Sign+KEM, SKU = with long-term-key-Update, SC = Signature-Chain
Scheme
Packet 1
Packet 2
SK(Kyber512+X25519+Dilithium+ECDSA)
3348
3300
SKU(Kyber512+X25519+Dilithium+ECDSA)
4692
4644
SK(Kyber512+X25519+Falcon+ECDSA)
1594
1546
SKU(Kyber512+X25519+Falcon+ECDSA)
2523
2475
SK(Kyber512+X25519+XMSS-SHA2_10_256)
3364
3316
SKU(Kyber512+X25519+XMSS-SHA2_10_256)
3428
3380
SC(Kyber512+X25519,WOTS+(32,16))
3024
2992
SC(Kyber768+X25519,WOTS+(32,16))
2408
3312
SC(Kyber1024+X25519,WOTS+(32,16))
3792
3792
SC(Kyber1024+X25519,WOTS+(64,16))
10032
10032
Appendix: Sizes of Triple-KEM
TK = Triple-KEM, TKU = with long-term-key-Update
Scheme
Packet 1
Packet 2
Packet 3
TK(Kyber512+X25519,McEliece348864+X25519)
992
960
16
TKU(Kyber512+X25519,McEliece348864+X25519)
262144
262128
16
TK(Kyber512+X25519)
1664
1616
16
TKU(Kyber512+X25519)
2496
2464
16
TK(Kyber768+X25519)
2368
2256
16
TKU(Kyber768+X25519)
3584
3488
16
TK(Kyber1024+X25519)
3232
3216
16
TKU(Kyber1024+X25519)
4832
4832
16
Appendix: Sizes of Our Pre-Selection
TK = Triple-KEM, TKU = with long-term-key-Update, SC = Signature-Chain
