Hi Martin, I’m not the author of the note but, as far as I understand, it is not at all about KEMTLS. The experiments use NIST submitted PQC KEM algorithms for the key exchange and NIST submitted Signature algorithms for authentication. Not sure if I would call this a “simpler integration” (as digital signatures are as complex as KEMs) but, as far as I know, that is not KEMTLS ;)
Thanks, Sent from the phone > On 27 Jun 2023, at 00:56, Martin Thomson <m...@lowentropy.net> wrote: > > Hi Thom, > > I infer - though it is not explicit - that this experiment is based on the > assumption that KEM-TLS is used, rather than a simpler integration. Can you > comment on what you see as the relative impact of that difference? > >> On Mon, Jun 26, 2023, at 21:48, Thom Wiggers wrote: >> Hi TLS-wg and PQUIP-rg, >> >> Recently, I have computed the sizes and measured the performance of >> post-quantum TLS (both PQ key exchange and post-quantum >> authentication). In these experiments, I have examined combinations of >> Kyber, Dilithium, Falcon, SPHINCS+-(sf), HQC, and XMSS. The experiments >> include measuring their performance over two network settings, one >> high-bandwidth, low-latency and one low-bandwidth, high-latency >> connection. >> >> I have examined the instances at NIST PQC security levels I, III and V, >> and for both unilaterally authenticated and mutually authenticated TLS. >> >> The report on these experiments (which is basically an excerpt of my >> PhD thesis manuscript) can be found in the attached document. It's a >> fairly dense document, so refer to the reading suggestions to easily >> find what you are looking for. >> >> It can be found at https://wggrs.nl/post/tls-measurements/handout-tls.pdf. >> >> I hope this document can be useful to: >> >> * get a feeling for how we can combine (signature) algorithms to fit >> their differing roles in the handshake >> * to see how this affects the handshake sizes, and >> * have some indication of how the performance of these combinations of >> algorithms is in a TLS stack on a network. >> * Additionally, I believe my results are useful to compare the cost of >> different NIST security levels. >> >> The experiments do not include SCTs or OSCP staples, but I think that >> their effect can mostly be extrapolated from the reported results. Also >> note that I am simulating the network environment, so the effect of the >> initial congestion window is much less gradual than observed in >> practice. >> >> As I write in the document, I want to examine the NIST on-ramp >> candidates' suitability for use in TLS as soon as the list of >> algorithms is formally out; for my PhD thesis they unfortunately came >> into the picture too late. >> >> Cheers, >> >> Thom Wiggers >> PQShield >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
