The risk that a quantum computer may break cryptographic standard, which is currently used today, has ignited several efforts to standardize quantum -resistant algorithms and introduce them to transport encryption protocols such as TLS 1.3. The choice of post-quantum algorithm will of course affect TLS 1.3’s performance. So far, studies of these effects have focused on the “handshake time” required for two parties to establish a quantum -resistant encrypted connection, known as it Time for first byte.
Although these studies have been important in the quantification of increases in handshake time, they do not give a full picture of the effect of cryptography after quantity on TLS 1.3 compounds after the real world, which often has significant romanticism of data. At the 2024 workshop about measurements, attacks and defense of the Internet (Madweb) we presented a paper that advocates Time to last byte (TTLB) as a metric to wrap the overall effect of data-heavy, quantum-resistant algorithms, such as ML-Kem and ML-DSA in the real world TLS 1.3 compounds. Our paper shows that the new algorithms will have a much lower net effect on compounds that transmit significant romanta of data than they do on TLS 1.3 handshakes.
Cryptography post-quantum
TLS 1.3, the latest version of Transport Layer Security Protocol, is used to negotiate and establish secure channels that encrypt and authenticate data that passes between a customer and a server. TLS 1.3 is used in numbers web applications, included e-banking and streaming media.
Asymmetric cryptographic algorithms, such as the one used in TLS 1.3, depend on their safety on the difficulty of the discreet logarithm or integer factorization problems that a cryptanalytic related quantum computer could solve effectively. The U.S. National Institute of Standards and Technology (NIST) has worked to standardize quantum-resistant algorithms and have chosen ML key enclosure mechanism (KEM) for key exchange. NIST has also chosen ML-DSA for signatures or cryptographic approval.
Since these algorithms have Kilobyte size public keys, chiffer texts and signatures against 50- to 400-byte sizes in the existing algorithms-ville de pump amnt for data that were exchanged in a TLS handshake. A number of works have compared handshake time using traditional TLS 1.3 key exchange and approval to it using post-quantum (PQ) key exchange and approval.
These comparisons are we useful to quantify the cost each new algorithm introduced to Time for first byteBut completing the handshake protocol. However, they ignored the data transfer time over the safe connection that, together with the handshake time, constitutes the overall delay before the application can start processing data. The total time from the start of the connection to the end of data transfer, on the other hand Time to last byte (TTLB). How much TTLB slot is acceptable depends a lot on the application.
Experience
We designed to experience to simulate different network conditions and measured TTLB for classic and post-quantum algorithms in TL’s 1.3 connections, where the client makes a small request and the server responds with Hungs of Kilobytes (KB) of data. We used Linux names areas in an Ubuntu 22.04 Virtual-Machine instance. The naming areas we associated with the help of virtual ethernet interfaces. To emulate the “network” between the naming areas, we used the Linux core Netem tool that can introduce delays with variable networks, bandwidth fluctuations and packaging between the client and the server.
Our experiences had several configurable parameters that enabled us to compare the effect of the PQ algorithm on TTLB under stable, unstable, fast and slow network conditions:
- TLS Key Exchange Mechanism (Classic ECDH or ECDH+ML-KEM Post-Quantum Hybrid)
- TLS certificate chain size similar to classic RSA or ML-SDSA certificates.
- Initcwnd initial TCP overload
- Network delay between client and server or trip-return time (RTT)
- Bandwidth between client and server
- Loss of loss per Package
- Amount of data transferred from the server to the client
Results
The results of our tests are thoroughly analyzed in the paper. They essentially show that a few extra KB in TLS 1.3 handshakes due to the public keys after the quantum, ciptherxts and signatures will not be noticeable in connections that transfer the hang of KB or more. Connections that transmit less than 10-20 KB of data are likely to be bodily by the new data handshake.
A bar chart whose y-axis is “handshake time % increase” and if x-axis is a sequence of percentiles (50., 75. And 90.). At each percentile, two columns are one blue (for the traditional handshake protocol) and one orange (for handshake after the quantum). In all three cases, the orange bar is about twice as high as the blue.
Figure 1 shows the percentage increase in the duration of TLS 1.3 handshakes for the 50th, 75th and 90. Percentage of the total data set collection for 1 Mbps bandwidth; 0%, 1%, 3%and 10%loss of loss; and 35 milliseconds and 200 millisecond rtt. We can see the ML-SDSA size (16KB) certificate chain takes the general most twice as much time as the 8KB chain. This means that if we manage to store the amount of ML-DSA Authorization Data Low, it would denote the speed of handshake after the quantities in low bandwidth compounds.
Figure 2 shows the percentage increase in the duration of the handshake after the quantum relative to the existing algorithm for all percentiles and different data sizes at 0% loss and 1 Gbps bandwidth. We can observe that although the slowdown is low (∼3%) at 0 kibytes (kib or more at 1,024 bytes, the closest effect of 2 to 1,000) falls from the server (corresponding to the handshake) even more (∼1%) as the data from the server rises. At the 90th percentile, the slowdown is slightly lower.
Figure 3 shows the percentage increase in TTLB between exists and Post-Quantum TLS 1.3 compounds carrying 0-200kib data from the server for each percentile at 1 Mbps bandwidth, 200 ms RTT and 0% loss. We can see that increases for the three percentiles are almost identical. They start high (∼33%) at 0kib from the server, but the data size from the server rises, they fall to ∼6%because the handshake data size is written off the connection.
Figure 4 shows the percentage increase in TTLB between exists and Post-Quantum TLS 1.3 compounds carrying 0-200 kib data from the server for each percentile at 1 Mbps bandwidth, 200ms RTT and 10% loss of loss. It shows that the TTLB increase at 10% loses between 20-30% for all percentiles. The same experiment for 35ms RTT gave similar results. Although an increase of 20-30% may seem high, we note that driving the experience can lead to smaller or higher percentage increases due to the general networking instabilities in the scenario. Also, remember that TTLBs for the existing algorithm of 200kib from the server, 200ms RTT and 10% loss were 4.644ms, 7.093ms and 10,178ms, while their equivalents after the quantum were 6.010ms, 8,883ms and 12,378ms. At 0% loss they were 2,364ms, 2,364ms and 2,364ms. So while the TTLBs for the connections after Quantum increased by 20-30% relative to the Convention’s connections, the conventional connections are already inspector (with 97-3331%) due to network loss. An extra 20-30% will probably not make much difference in an already very broken-down time.
Figure 5 shows the percentage increase in TTLB between existing and Posantum TLS 1.3 Connections for 0% loss of loss and 0-200kib data sizes transferred from the server. To model a very volatile RTT, we used a pareto-normal distribution with an average of 35ms and 35/4ms jitter. We can see the increase in Post-Quantum connection TTLB high at 0kib server data and falls to 4-5%. As with previous experiment, the percentages we are more unstable, the higher the loss of losses, but overall the results show that even under “volatile network conditions”, TTLB drops to acceptable levels as the amendment of transferred data increases.
To confirm the volatility under unstable network conditions we used TTLB Cumulative Function (CDF) for Post-Quantum TLS 1.3 Transfer of 200kib from Server (Figure 6). We observe that under all types of volatile conditions (1 Gbps and 5% loss, 1 Mbps and 10% loss, pareto-normal distributed network delay), TTLB increases very early in the experience targeting test, which shows that the total connection times are very unstable. We made the same observation with TLS 1.3 handshake times under unstable networking conditions.
Conclusion
This work demonstrated that the practical effect of data-heavy, post-quantum algorithms on TLS 1.3 connections is lower than their effect on the handshake itself. Low loss, low-or high bandwidth compounds will see little influence from handshakes after the quantums when transmitting sizables of data. We also showed that although the effects of PQ handshakes could vary under unstable conditions with higher loss speeds or delays with high variability, they remain within certain limits and falls as the total ament of transferred data increases. In addition, we saw that unstable inherent gives poor completion times; A small latency increase due to handshake after quantum would not make them less useful than before. This does not mean that the cropping of amnt for handshake data is undesirable, especially if small app data feels compared to the size of the handshake messages.
For more details, look over.