Hi Thom,
I infer - though it is not explicit - that this experiment is based on the
assumption that KEM-TLS is used, rather than a simpler integration. Can you
comment on what you see as the relative impact of that difference?
On Mon, Jun 26, 2023, at 21:48, Thom Wiggers wrote:
> Hi TLS-wg and PQUIP-rg,
>
> Recently, I have computed the sizes and measured the performance of
> post-quantum TLS (both PQ key exchange and post-quantum
> authentication). In these experiments, I have examined combinations of
> Kyber, Dilithium, Falcon, SPHINCS+-(sf), HQC, and XMSS. The experiments
> include measuring their performance over two network settings, one
> high-bandwidth, low-latency and one low-bandwidth, high-latency
> connection.
>
> I have examined the instances at NIST PQC security levels I, III and V,
> and for both unilaterally authenticated and mutually authenticated TLS.
>
> The report on these experiments (which is basically an excerpt of my
> PhD thesis manuscript) can be found in the attached document. It's a
> fairly dense document, so refer to the reading suggestions to easily
> find what you are looking for.
>
> It can be found at https://wggrs.nl/post/tls-measurements/handout-tls.pdf.
>
> I hope this document can be useful to:
>
> * get a feeling for how we can combine (signature) algorithms to fit
> their differing roles in the handshake
> * to see how this affects the handshake sizes, and
> * have some indication of how the performance of these combinations of
> algorithms is in a TLS stack on a network.
> * Additionally, I believe my results are useful to compare the cost of
> different NIST security levels.
>
> The experiments do not include SCTs or OSCP staples, but I think that
> their effect can mostly be extrapolated from the reported results. Also
> note that I am simulating the network environment, so the effect of the
> initial congestion window is much less gradual than observed in
> practice.
>
> As I write in the document, I want to examine the NIST on-ramp
> candidates' suitability for use in TLS as soon as the list of
> algorithms is formally out; for my PhD thesis they unfortunately came
> into the picture too late.
>
> Cheers,
>
> Thom Wiggers
> PQShield
>
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls