Post-quantum TLS experiments
Instantiations, transmission requirements, and performance measurements for NIST security levels I, III and V
Recently, I have computed the sizes and measured the performance of post-quantum TLS (both PQ key exchange and post-quantum authentication). In these experiments, I have examined combinations of Kyber, Dilithium, Falcon, SPHINCS+-(sf), HQC and (custom versions of) XMSSMT. The experiments include measuring their performance over two network settings, one high-bandwidth, low-latency and one low-bandwidth, high-latency connection. I have examined the instances at NIST PQC security levels I, III and V, and for both unilaterally authenticated and mutually authenticated TLS.
The report on these experiments (which is basically an excerpt of my PhD thesis manuscript) can be found in the attached document. It’s a fairly dense document, so refer to the reading suggestions to easily find what you are looking for. I hope this document can be useful to get a feeling for how we can combine (signature) algorithms to fit their differing roles in the handshake, to see how this affects the handshake sizes, and have some indication of how the performance of these combinations of algorithms is in a TLS stack on a network. Additionally, I believe my results are useful to compare the cost of different NIST security levels.
The experiments do not include
OSCP staples, but I think that their effect can mostly be extrapolated from the reported results. Also note that I am simulating the network environment, so the effect of the initial congestion window is much less gradual than observed in practice.
As I write in the document, I want to examine the NIST on-ramp candidates’ suitability for use in TLS as soon as the list of algorithms is formally out; for my PhD thesis they unfortunately came into the picture too late.