Performance Evaluation of PQC in TLS 1.3 under Varying Network Characteristics

Abstract

The cryptographic primitives in use today rely on the computational difficulty of certain mathematical problems. In recent years there has been much research on quantum computers, which may in future be able to solve these problems efficiently. Asymmetric primitives in particular, used for authentication and key exchange, could be broken. The affected algorithms are currently used in many Internet protocols and applications, and quantum-safe alternatives are urgently needed. NIST started a process to find and standardize quantum-safe digital signature schemes and key establishment schemes, but the candidates and alternatives come with specific characteristics and differ from the classical schemes. Besides analyzing the security of these new algorithms, it is therefore also necessary to evaluate their performance and how well they integrate into existing infrastructures and applications. Integration into the TLS protocol, which is used in about 90 percent of today's Internet connections, plays a particularly important role. The current version, 1.3, uses the threatened asymmetric primitives for both digital signatures and key establishment.

In this work, NIST candidates and alternatives for quantum-safe key establishment were evaluated when used within TLS 1.3. The focus was on analyzing the performance trend while varying certain network parameters, such as rate or packet loss, and on examining the suitability of the PQC algorithms under different network scenarios and in the entire application context. To achieve this, the framework of Paquin, Stebila, and Tamvada was extended to emulate various network conditions while repeatedly establishing a TLS 1.3 connection and measuring the handshake duration.

Among our key results, we observe that on the one hand the evaluated candidates Kyber, Saber and NTRU, as well as the alternative NTRU Prime, achieve very good overall performance and in some cases beat classical ECDH. Choosing a higher security level or hybrid versions does not have a significant impact on the handshake times. On the other hand, the alternatives FrodoKEM, HQC, SIKE and BIKE show individual disadvantages, and their performance is linked to the chosen security level and variant. This applies in particular to FrodoKEM. SIKE seems to be a worthwhile alternative in specific circumstances, such as rates below 2 Mbps, due to its small key and ciphertext sizes. In general, network conditions should be taken into account when choosing the algorithm and parameter set. Furthermore, it becomes clear that handshake performance depends on numerous factors, such as TCP mechanisms and the MTU, which can compensate for the disadvantages of PQC or make them irrelevant.
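To make the last two points concrete, the following added example (not code from the thesis or from the Paquin, Stebila and Tamvada framework) models how the size of a KEM key share interacts with the link rate, the MTU and the TCP initial congestion window to produce extra round trips and serialization delay in a TLS 1.3 handshake. The public-key and ciphertext sizes are assumed from the round-3 parameter sets, and the TLS overhead, certificate size and the `compute_s` hook are constructed for illustration.

```python
import math

MTU = 1500                    # bytes on the link (assumed Ethernet MTU)
TCP_IP_OVERHEAD = 40          # IPv4 + TCP header without options
MSS = MTU - TCP_IP_OVERHEAD   # payload bytes per TCP segment
INIT_CWND = 10                # RFC 6928 initial congestion window (segments)
TLS_OVERHEAD = 300            # constructed: handshake bytes apart from key share/cert

# (public key, ciphertext) sizes in bytes, assumed from the round-3 parameter
# sets; these are this example's assumptions, not measurements from the thesis.
KEMS = {
    "x25519": (32, 32),
    "kyber512": (800, 768),
    "sikep434": (330, 346),
    "frodo976aes": (15632, 15744),
}

def extra_rtts(payload_bytes, mss=MSS, init_cwnd=INIT_CWND):
    """Round trips beyond the first that a fresh TCP connection needs to push
    payload_bytes, assuming slow start doubles cwnd each RTT and no loss.
    A flight that fits in the initial window costs 0 extra round trips."""
    segments = math.ceil(payload_bytes / mss)
    rtts, cwnd, sent = 0, init_cwnd, 0
    while sent < segments:
        sent += cwnd
        cwnd *= 2
        rtts += 1
    return max(rtts - 1, 0)

def handshake_estimate(kem, rtt_s, rate_bps, cert_bytes=2000, compute_s=0.0):
    """Rough TLS 1.3 handshake time: 1 RTT for TCP, 1 RTT for the TLS flights,
    extra RTTs forced by cwnd, plus serialization delay at rate_bps. cert_bytes
    is a constructed chain size; compute_s adds measured KEM CPU time."""
    pk, ct = KEMS[kem]
    client_flight = pk + TLS_OVERHEAD                # ClientHello with key share
    server_flight = ct + TLS_OVERHEAD + cert_bytes   # ServerHello .. Finished
    rtts = 2 + extra_rtts(client_flight) + extra_rtts(server_flight)
    serialization = (client_flight + server_flight) * 8 / rate_bps
    return rtts * rtt_s + serialization + compute_s

def ranking(rtt_s, rate_bps):
    """KEM names ordered from fastest to slowest estimated handshake."""
    return sorted(KEMS, key=lambda k: handshake_estimate(k, rtt_s, rate_bps))

if __name__ == "__main__":
    for rate in (1e6, 100e6):
        for kem in KEMS:
            print(f"{rate/1e6:>5.0f} Mbps {kem:<12} "
                  f"{handshake_estimate(kem, 0.05, rate)*1000:7.1f} ms")
```

The size-only model ranks SIKE ahead of Kyber at every rate, so the `compute_s` argument matters: plugging in measured KEM CPU time is what reverses that ordering on fast links, while the FrodoKEM-976 flights exceed the initial window and pay an extra round trip on each side regardless of rate.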