Re: Consultation:Additional “ephemeral public key” and “ephemeral private key" implementations for quictls/opens

Nobuo Aoki b20001send at
Thu Sep 2 01:03:08 UTC 2021

Dear OpenSSL users

Thanks for thinking about it.
(Especially grateful to Mr./Ms. Mattl, Michael and Kris. )

I took a little time to clarify our questions.
The attached document is a diagram of our idea 
of how the original protocol and TLS should work together.

We want to implement QUIC-TLS, which is lightweight and secure.
Specifically, we would like to implement a handshake protocol by incorporating non-standard protocols.
For example, we are considering a post-quantum key exchange protocol.
This is just a part of our research, and we are not considering a new standardization proposal for TLS handshaking that includes the above protocols at this stage.

What we would like to hear:
1. what exactly is the structure that stores ephemeral keys in ECDHE/DHE?
2. What is the function that calculates the ephemeral public key of ECDHE/DHE and stores the value in the above structure?
3. After receiving a client hello or server hello message, where is the part that extracts the ephemeral public key of the communication partner from the received message? Also, where is the place to calculate the session key from ECDHE/DHE?

Additional two information.
Current situation:
I'm trying to implement it using "msquic".
The handshake in "msquic" uses "quictls" forked from OpenSSL, but I think the implementation of the TLS handshake is based on OpenSSL.

I would like to be able to use the TLS handshake part of OpenSSL (ClientHello, ServerHello) with protocol messages on behalf of ECDHE and DHE to perform key exchange and pass the generated session key to the TLS record protocol.

Nobuo Aoki (master 1st student, Japan).

(It seems that the file could not be attached because of the large sending byte size. Instead, I'll share it from my university's storage. Here is the link for sharing) <>

> 2021/08/30 16:57、Matt Caswell <matt at>のメール:
> On 29/08/2021 20:41, Nobuo Aoki wrote:
>> I am trying to identify the implementation
>> where “ephemeral public key” and “ephemeral private key” can be added,
> I am unclear from your question whether you are asking how to add a new public/private key scheme for integration into TLS. Or whether you are simply asking for the location in the code where the key_share is generated. If the latter then you might look here for the client side:
> And here for the server side:
> Matt

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list