I presented my work on The Performance of Post-Quantum TLS 1.3 at CoNEXT 2023! A recording is available on YouTube.

Perspective

Our work gives a practical view on the performance of post-quantum TLS. We are no cryptography experts, but specialized on network measurements. Modern networks are very complex and the large key sizes of the post-quantum algorithms can have significant side-effects in unoptimized setups. Moreover, existing optimizations might just not hold anymore because some of the basic assumptions changed. For example, using traditional algorithms we can fit the whole handshake in a single IP packet, so it makes sense to group them together, however, the post-quantum algorithms need multiple packets anyway, so we can optimize differently. Seeing the recent progress in Quantum Computers, it gets more and more likely that our traditional cryptography is broken in the near future, so we should do something now! The hybrid algorithms are a great choice to enable on your own servers already now to secure against the “store-now, decrypt-later” threat.

About the Paper

This research looks at the performance implications of using post-quantum algorithms in TLS 1.3 handshakes. Quantum Computers are known to break the encryption and authentication techniques we use to secure our communication over the Internet as soon as they get more powerful. Novel post-quantum algorithms claim to be resilient against these Quantum Computers. However, they have different performance characteristics. We investigate currently relevant algorithms and found that most are as fast as our state-of-the-art algorithms and some are even faster. In contrast to other works, we highlight the perspective of real-worl networks that are complex. For example, the large key sizes of the post-quantum algorithms can cause unwanted side effects that we highlight in the paper (e.g., additional RTTs for each handshake). Our results might be relevant for algorithm designers, TLS library developers, and server admins that want to decide on the best algorithms or want to tune their library or their servers. We could confirm that hybrid algorithms are a good choice right now because we observed a neglectible performance drawback in using them.

Why is it important?

Quantum Computers are not powerful enough to break the encryption algorithms we use today. However, there exists the threat of “store-now, decrypt-later” attacks, basically, an attack where an actor captures network traffic today and extracts the sensitive data as soon as more powerful Quantum Computers are available. This means we should use the novel post-quantum algorithms ideally already yesterday! This paper highlights the implications this could have on the performance.