Re: [TLS] Post-Quantum TLS instantiations and synthetic benchmarks

2023-06-26 Thread Martin Thomson
Hi Thom,

I infer - though it is not explicit - that this experiment is based on the 
assumption that KEM-TLS is used, rather than a simpler integration.  Can you 
comment on what you see as the relative impact of that difference?

On Mon, Jun 26, 2023, at 21:48, Thom Wiggers wrote:
> Hi TLS-wg and PQUIP-rg,
>
> Recently, I have computed the sizes and measured the performance of 
> post-quantum TLS (both PQ key exchange and post-quantum 
> authentication). In these experiments, I have examined combinations of 
> Kyber, Dilithium, Falcon, SPHINCS+-(sf), HQC, and XMSS. The experiments 
> include measuring their performance over two network settings, one 
> high-bandwidth, low-latency and one low-bandwidth, high-latency 
> connection.
>
> I have examined the instances at NIST PQC security levels I, III and V, 
> and for both unilaterally authenticated and mutually authenticated TLS.
>
> The report on these experiments (which is basically an excerpt of my 
> PhD thesis manuscript) can be found in the attached document. It's a 
> fairly dense document, so refer to the reading suggestions to easily 
> find what you are looking for.
>
> It can be found at https://wggrs.nl/post/tls-measurements/handout-tls.pdf.
>
> I hope this document can be useful to:
>
> * get a feeling for how we can combine (signature) algorithms to fit 
> their differing roles in the handshake
> * to see how this affects the handshake sizes, and 
> * have some indication of how the performance of these combinations of 
> algorithms is in a TLS stack on a network. 
> * Additionally, I believe my results are useful to compare the cost of 
> different NIST security levels. 
>
> The experiments do not include SCTs or OCSP staples, but I think that 
> their effect can mostly be extrapolated from the reported results. Also 
> note that I am simulating the network environment, so the effect of the 
> initial congestion window is much less gradual than observed in 
> practice.
>
> As I write in the document, I want to examine the NIST on-ramp 
> candidates' suitability for use in TLS as soon as the list of 
> algorithms is formally out; for my PhD thesis they unfortunately came 
> into the picture too late.
>
> Cheers,
>
> Thom Wiggers
> PQShield
>
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



[TLS] Post-Quantum TLS instantiations and synthetic benchmarks

2023-06-26 Thread Thom Wiggers
Hi TLS-wg and PQUIP-rg,

Recently, I have computed the sizes and measured the performance of
post-quantum TLS (both PQ key exchange and post-quantum authentication). In
these experiments, I have examined combinations of Kyber, Dilithium,
Falcon, SPHINCS+-(sf), HQC, and XMSS. The experiments include measuring
their performance over two network settings, one high-bandwidth,
low-latency and one low-bandwidth, high-latency connection.

I have examined the instances at NIST PQC security levels I, III and V, and
for both unilaterally authenticated and mutually authenticated TLS.

The report on these experiments (which is basically an excerpt of my PhD
thesis manuscript) can be found in the attached document. It's a fairly
dense document, so refer to the reading suggestions to easily find what you
are looking for.

It can be found at https://wggrs.nl/post/tls-measurements/handout-tls.pdf.

I hope this document can be useful to:

* get a feeling for how we can combine (signature) algorithms to fit their
differing roles in the handshake
* to see how this affects the handshake sizes, and
* have some indication of how the performance of these combinations of
algorithms is in a TLS stack on a network.
* Additionally, I believe my results are useful to compare the cost of
different NIST security levels.

The experiments do not include SCTs or OCSP staples, but I think that their
effect can mostly be extrapolated from the reported results. Also note that
I am simulating the network environment, so the effect of the initial
congestion window is much less gradual than observed in practice.

As I write in the document, I want to examine the NIST on-ramp candidates'
suitability for use in TLS as soon as the list of algorithms is formally
out; for my PhD thesis they unfortunately came into the picture too late.

Cheers,

Thom Wiggers
PQShield