Hi Thom, I infer - though it is not explicit - that this experiment is based on the assumption that KEM-TLS is used, rather than a simpler integration. Can you comment on what you see as the relative impact of that difference?
On Mon, Jun 26, 2023, at 21:48, Thom Wiggers wrote: > Hi TLS-wg and PQUIP-rg, > > Recently, I have computed the sizes and measured the performance of > post-quantum TLS (both PQ key exchange and post-quantum > authentication). In these experiments, I have examined combinations of > Kyber, Dilithium, Falcon, SPHINCS+-(sf), HQC, and XMSS. The experiments > include measuring their performance over two network settings, one > high-bandwidth, low-latency and one low-bandwidth, high-latency > connection. > > I have examined the instances at NIST PQC security levels I, III and V, > and for both unilaterally authenticated and mutually authenticated TLS. > > The report on these experiments (which is basically an excerpt of my > PhD thesis manuscript) can be found in the attached document. It's a > fairly dense document, so refer to the reading suggestions to easily > find what you are looking for. > > It can be found at https://wggrs.nl/post/tls-measurements/handout-tls.pdf. > > I hope this document can be useful to: > > * get a feeling for how we can combine (signature) algorithms to fit > their differing roles in the handshake > * to see how this affects the handshake sizes, and > * have some indication of how the performance of these combinations of > algorithms is in a TLS stack on a network. > * Additionally, I believe my results are useful to compare the cost of > different NIST security levels. > > The experiments do not include SCTs or OSCP staples, but I think that > their effect can mostly be extrapolated from the reported results. Also > note that I am simulating the network environment, so the effect of the > initial congestion window is much less gradual than observed in > practice. > > As I write in the document, I want to examine the NIST on-ramp > candidates' suitability for use in TLS as soon as the list of > algorithms is formally out; for my PhD thesis they unfortunately came > into the picture too late. > > Cheers, > > Thom Wiggers > PQShield > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls