What is it about?

This research looks at the performance implications of using post-quantum algorithms in TLS 1.3 handshakes. Quantum Computers are known to break the encryption and authentication techniques we use to secure our communication over the Internet as soon as they get more powerful. Novel post-quantum algorithms claim to be resilient against these Quantum Computers. However, they have different performance characteristics. We investigated currently relevant algorithms and found that most are as fast as our state-of-the-art algorithms and some are even faster. In contrast to other works, we highlight the perspective of complex real-world networks. For example, the large key sizes of the post-quantum algorithms can cause unwanted side effects that we highlight in the paper (e.g., additional RTTs for each handshake). Our results might be relevant for algorithm designers, TLS library developers, and server admins who want to decide on the best algorithms or tune their libraries or servers. We could confirm that hybrid algorithms are a good choice right now because we observed a negligible performance drawback in using them.
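An added example, not taken from the paper or this page: a simplified model of how larger key shares and signatures turn into extra packets and extra round trips over TCP. It assumes a 1460-byte MSS, an initial congestion window of 10 segments with loss-free slow start, a two-certificate chain, and constructed overhead constants; the algorithm sizes are the published parameter sizes, not measurements from the paper.

```python
import math

MSS = 1460           # assumed TCP payload per segment (1500-byte MTU, IPv4, no options)
INITCWND = 10        # initial congestion window in segments (RFC 6928)
CERT_OVERHEAD = 300  # assumed bytes per certificate besides key and signature
TLS_OVERHEAD = 200   # assumed bytes for ServerHello, EncryptedExtensions, Finished

# Published sizes in bytes. KEX: (client key share, server key share).
# Kyber768 was standardized as ML-KEM-768 with the same sizes.
KEX = {"X25519": (32, 32),
       "Kyber768": (1184, 1088),
       "X25519+Kyber768": (1216, 1120)}
# SIG: (public key, signature). ECDSA values are the usual upper bounds.
SIG = {"ECDSA-P256": (65, 72),
       "Dilithium2": (1312, 2420),
       "SPHINCS+-128f": (32, 17088)}

def server_flight_bytes(kex, sig, chain_len=2):
    """Bytes the server must deliver before the client can finish the handshake."""
    server_share = KEX[kex][1]
    pk, s = SIG[sig]
    certs = chain_len * (pk + s + CERT_OVERHEAD)
    return TLS_OVERHEAD + server_share + certs + s  # trailing s: CertificateVerify

def extra_rtts(nbytes, mss=MSS, initcwnd=INITCWND):
    """Round trips spent waiting for ACKs when the flight exceeds the window."""
    segments = math.ceil(nbytes / mss)
    cwnd, rtts = initcwnd, 0
    while segments > cwnd:      # window exhausted: wait one RTT, window doubles
        segments -= cwnd
        cwnd *= 2
        rtts += 1
    return rtts

def client_hello_packets(kex, base=250, mss=MSS):
    """Segments for the ClientHello; base is an assumed size without the key share."""
    return math.ceil((base + KEX[kex][0]) / mss)

if __name__ == "__main__":
    for kex in KEX:
        for sig in SIG:
            n = server_flight_bytes(kex, sig)
            print(f"{kex:16} {sig:14} ClientHello pkts={client_hello_packets(kex)} "
                  f"server bytes={n:6} extra RTTs={extra_rtts(n)}")
```
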

Why is it important?

Quantum Computers are not powerful enough to break the encryption algorithms we use today. However, there is the threat of "store-now, decrypt-later" attacks: an actor captures network traffic today and extracts the sensitive data as soon as more powerful Quantum Computers are available. This means we should ideally have started using the novel post-quantum algorithms yesterday! This paper highlights the implications this could have on performance.

Perspectives

Our work gives a practical view on the performance of post-quantum TLS. We are not cryptography experts, but are specialized in network measurements. Modern networks are very complex and the large key sizes of the post-quantum algorithms can have significant side-effects in unoptimized setups. Moreover, existing optimizations might just not hold anymore because some of the basic assumptions changed. For example, using traditional algorithms we can fit the whole handshake in a single IP packet, so it makes sense to group them together; however, the post-quantum algorithms need multiple packets anyway, so we can optimize differently. Seeing the recent progress in Quantum Computers, it gets more and more likely that our traditional cryptography will be broken in the near future, so we should do something now! The hybrid algorithms are a great choice to enable on your own servers already now to secure against the "store-now, decrypt-later" threat.

Markus Sosnowski
Technical University of Munich (TUM)

Post-Quantum-Safe Algorithms in TLS are more and more important, especially as we need to ensure that what we exchange today is not broken in the future. We analyzed the impact of different Post-Quantum Algorithms on the handshake in an isolated environment. With this, we showed that the general influence of Post-Quantum-Safe Algorithms can even improve the performance of our handshake today. Here, our work provides valuable insights for network and web engineers for their decisions in the future.

Florian Wiedner
Technische Universität München

Read the Original

This page is a summary of: The Performance of Post-Quantum TLS 1.3, December 2023, ACM (Association for Computing Machinery),
DOI: 10.1145/3624354.3630585.