Researchers from Amazon Web Services, Panos Kampanakis and Will Childs-Klein, have studied the impact of post-quantum key exchange and authentication on the performance of TLS 1.3, a protocol used for secure digital communication. They found that the introduction of ML-KEM and ML-DSA, NIST’s post-quantum algorithm picks, will slow down connection establishment. Still, the impact diminishes as the amount of transferred data increases. The study also revealed that under stable network conditions, the impact on the time-to-last-byte is lower than on the time-to-first-byte. The research provides valuable insights into the performance of quantum-resistant algorithms in real-world applications.
Impact of Post-Quantum TLS 1.3 on Real-World Connections
The implementation of post-quantum key exchange and authentication with ML-KEM and ML-DSA, NIST’s post-quantum algorithm selections, has been shown to affect the performance of TLS 1.3, a protocol used in various applications such as web browsing, e-banking, and streaming. Previous studies have primarily focused on the overhead of quantum-resistant algorithms on the time-to-first-byte (TTFB), which is the time taken for the handshake process. However, these studies do not fully capture the impact on real-world TLS 1.3 connections that transfer substantial amounts of data.
The introduction of an extra 10KB of ML-KEM and ML-DSA exchanges in the connection negotiation will inflate the connection establishment time more than it will increase the total connection time of a web connection carrying 200KB of data. This work aims to quantify the impact of ML-KEM and ML-DSA on typical TLS 1.3 connections, which transfer a few hundred KB from the server to the client.
Quantum-Resistant Algorithms and TLS 1.3
The main threat to the asymmetric cryptographic algorithms used today, including in TLS 1.3, is quantum computing. A cryptanalytically-relevant quantum computer (CRQC) could implement quantum algorithms that would break (EC)DH key exchange and RSA or ECDSA signatures as used in TLS. This is why academia and industry have been working on new algorithms that are not known to be vulnerable to quantum algorithms.
The US National Institute of Standards and Technology (NIST) has been working on standardizing some of these algorithms in its Post-Quantum (PQ) Project. At the end of the Project’s Round 3, it published new post-quantum algorithm draft standards which include ML-KEM as a Key Encapsulation Mechanism (KEM) for key exchange, ML-DSA as the preferred, general-use signature scheme, and SLH-DSA as a hash-based signature.
Evaluating the Impact of Post-Quantum Algorithms on TLS 1.3
Many studies have investigated the impact of new post-quantum algorithms on TLS 1.3. Essentially all of these studies compared the TLS 1.3 handshake time of classical key exchanges and authentication against post-quantum ones and used it as an indication of the degradation the new algorithms will bring to TLS connections.
The handshake time measured in previous studies can be seen as the Time-To-First-Byte (TTFB) which corresponds to the time the application takes until it can start sending data over the secure tunnel. These comparisons were useful to quantify the overhead of each new algorithm introduced to the handshake.
Introducing Time-To-Last-Byte (TTLB) as a Performance Metric
This work introduces the Time-To-Last-Byte (TTLB) as a more accurate metric for the impact of new post-quantum TLS 1.3 handshakes on real-world TLS connections. Intuitively, the more data a connection transfers, the less impactful post-quantum handshake message size will be.
The work experimentally shows that the impact of heavy post-quantum handshakes diminishes as the amount of data transferred over the tunnel increases. It also experimentally evaluates the impact of ML-KEM-768 and ML-DSA-44 or ML-DSA-65 in TLS 1.3 connections using TTLB under different network conditions.
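The intuition above can be sketched with a round-trip count. This is an added illustration, not the study's methodology or code: it assumes lossless TCP slow start, an initial window of 10 segments, a 1460-byte MSS, a constructed 5000-byte classical server handshake flight, and that the whole extra 10KB lands in the server's flight.

```python
import math

MSS = 1460               # assumed TCP payload bytes per segment
INIT_CWND = 10           # assumed initial congestion window, in segments
KB = 1024
CLASSICAL_FLIGHT = 5000  # constructed size of a classical server handshake flight
PQ_FLIGHT = CLASSICAL_FLIGHT + 10 * KB  # the page's "extra 10KB", all server-side

def flight_rounds(nbytes, cwnd):
    """Round trips to deliver nbytes in lossless slow start.

    Returns (rounds, cwnd afterwards) so the data phase inherits the
    window that the handshake already opened on the same connection.
    """
    segs = math.ceil(nbytes / MSS)
    rounds = 0
    while segs > 0:
        sent = min(segs, cwnd)
        segs -= sent
        cwnd += sent     # slow start: one extra segment per ACKed segment
        rounds += 1
    return rounds, cwnd

def connection_rtts(handshake_bytes, data_bytes):
    """Return (TTFB, TTLB) in RTTs; TTFB is when the handshake completes."""
    hs_rounds, cwnd = flight_rounds(handshake_bytes, INIT_CWND)
    data_rounds, _ = flight_rounds(data_bytes, cwnd)
    ttfb = 1 + hs_rounds  # 1 RTT for the TCP handshake, then the server flight
    return ttfb, ttfb + data_rounds

def increase_pct(classical, pq):
    return 100.0 * (pq - classical) / classical

def compare(data_bytes):
    """Percentage increase (TTFB, TTLB) of the post-quantum handshake."""
    c = connection_rtts(CLASSICAL_FLIGHT, data_bytes)
    p = connection_rtts(PQ_FLIGHT, data_bytes)
    return increase_pct(c[0], p[0]), increase_pct(c[1], p[1])

if __name__ == "__main__":
    for kb in (50, 200, 1024):
        ttfb_up, ttlb_up = compare(kb * KB)
        print(f"{kb:>5} KB of data: TTFB +{ttfb_up:.1f}%  TTLB +{ttlb_up:.1f}%")
```

Because the model counts whole round trips, the post-quantum connection finishes either zero or one RTT later than the classical one, so the relative TTLB cost is bounded by one RTT over a total that grows with the data transferred. Real measurements also depend on bandwidth, loss and computation time, which this sketch ignores.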
Conclusion and Future Work
The work concludes that the impact of ML-KEM and ML-DSA on the TLS 1.3 time-to-last-byte under stable network conditions is lower than the impact on the time-to-first-byte and diminishes as the transferred data increases. The time-to-last-byte increase stays below 5% for high-bandwidth, stable networks.
It also shows that connections under lossy or volatile network conditions could see a higher impact from post-quantum handshakes, but these connections’ time-to-last-byte increase still drops as the transferred data increases. Finally, it shows that such connections are already significantly slow and volatile regardless of the TLS handshake.
Future work will continue to explore the impact of post-quantum algorithms on TLS 1.3 and other protocols, with a focus on real-world applications and network conditions.
