Hi Martin, As Sofía correctly saw, this is just plain TLS with the "straightforward" DH->KEM and Sig->PQ-Sig substitutions.
I, of course, do have another 50 pages on how KEMTLS performs and compare it to these results, but I will save those for another day ;-) Cheers, Thom PQShield Op di 27 jun 2023 om 05:19 schreef Sofia Celi <cheren...@riseup.net>: > Hi Martin, > > I’m not the author of the note but, as far as I understand, it is not at > all about KEMTLS. The experiments use NIST submitted PQC KEM algorithms for > the key exchange and NIST submitted Signature algorithms for > authentication. Not sure if I would call this a “simpler integration” (as > digital signatures are as complex as KEMs) but, as far as I know, that is > not KEMTLS ;) > > Thanks, > > Sent from the phone > > > > On 27 Jun 2023, at 00:56, Martin Thomson <m...@lowentropy.net> wrote: > > > > Hi Thom, > > > > I infer - though it is not explicit - that this experiment is based on > the assumption that KEM-TLS is used, rather than a simpler integration. > Can you comment on what you see as the relative impact of that difference? > > > >> On Mon, Jun 26, 2023, at 21:48, Thom Wiggers wrote: > >> Hi TLS-wg and PQUIP-rg, > >> > >> Recently, I have computed the sizes and measured the performance of > >> post-quantum TLS (both PQ key exchange and post-quantum > >> authentication). In these experiments, I have examined combinations of > >> Kyber, Dilithium, Falcon, SPHINCS+-(sf), HQC, and XMSS. The experiments > >> include measuring their performance over two network settings, one > >> high-bandwidth, low-latency and one low-bandwidth, high-latency > >> connection. > >> > >> I have examined the instances at NIST PQC security levels I, III and V, > >> and for both unilaterally authenticated and mutually authenticated TLS. > >> > >> The report on these experiments (which is basically an excerpt of my > >> PhD thesis manuscript) can be found in the attached document. It's a > >> fairly dense document, so refer to the reading suggestions to easily > >> find what you are looking for. > >> > >> It can be found at > https://wggrs.nl/post/tls-measurements/handout-tls.pdf. > >> > >> I hope this document can be useful to: > >> > >> * get a feeling for how we can combine (signature) algorithms to fit > >> their differing roles in the handshake > >> * to see how this affects the handshake sizes, and > >> * have some indication of how the performance of these combinations of > >> algorithms is in a TLS stack on a network. > >> * Additionally, I believe my results are useful to compare the cost of > >> different NIST security levels. > >> > >> The experiments do not include SCTs or OSCP staples, but I think that > >> their effect can mostly be extrapolated from the reported results. Also > >> note that I am simulating the network environment, so the effect of the > >> initial congestion window is much less gradual than observed in > >> practice. > >> > >> As I write in the document, I want to examine the NIST on-ramp > >> candidates' suitability for use in TLS as soon as the list of > >> algorithms is formally out; for my PhD thesis they unfortunately came > >> into the picture too late. > >> > >> Cheers, > >> > >> Thom Wiggers > >> PQShield > >> > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org > >> https://www.ietf.org/mailman/listinfo/tls > > > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
