Thanks! These results are pretty much in line with expectations. It looks like you don't model packet loss and the effect of that. One concern I have is that increases in the number of packets will significantly increase exposure to loss. 1-(1-p)^n tends to increase quite a bit as n increases. p of 0.02 is a lot more common than people like to think, for which a full 10 packet CWND would need retransmissions almost 19% of the time.
Also, RSA is probably OK here, even with the wildly asymmetric CPU costs, but the size comparisons would look better with P-256. Your claim that KDDD is faster than errr (errr) might not look as favourable for eeee (though the client cost should increase, I'm not sure if eeee would be slower).

On Tue, Jun 27, 2023, at 17:49, Thom Wiggers wrote:
> Hi Martin,
>
> As Sofía correctly saw, this is just plain TLS with the
> "straightforward" DH->KEM and Sig->PQ-Sig substitutions.
>
> I, of course, do have another 50 pages on how KEMTLS performs and
> compare it to these results, but I will save those for another day ;-)
>
> Cheers,
>
> Thom
> PQShield
>
> On Tue 27 Jun 2023 at 05:19, Sofia Celi <cheren...@riseup.net> wrote:
>> Hi Martin,
>>
>> I’m not the author of the note but, as far as I understand, it is not at all
>> about KEMTLS. The experiments use NIST submitted PQC KEM algorithms for the
>> key exchange and NIST submitted Signature algorithms for authentication. Not
>> sure if I would call this a “simpler integration” (as digital signatures are
>> as complex as KEMs) but, as far as I know, that is not KEMTLS ;)
>>
>> Thanks,
>>
>> Sent from the phone
>>
>>
>> > On 27 Jun 2023, at 00:56, Martin Thomson <m...@lowentropy.net> wrote:
>> >
>> > Hi Thom,
>> >
>> > I infer - though it is not explicit - that this experiment is based on the
>> > assumption that KEM-TLS is used, rather than a simpler integration. Can
>> > you comment on what you see as the relative impact of that difference?
>> >
>> >> On Mon, Jun 26, 2023, at 21:48, Thom Wiggers wrote:
>> >> Hi TLS-wg and PQUIP-rg,
>> >>
>> >> Recently, I have computed the sizes and measured the performance of
>> >> post-quantum TLS (both PQ key exchange and post-quantum
>> >> authentication). In these experiments, I have examined combinations of
>> >> Kyber, Dilithium, Falcon, SPHINCS+-(sf), HQC, and XMSS.
>> >> The experiments
>> >> include measuring their performance over two network settings, one
>> >> high-bandwidth, low-latency and one low-bandwidth, high-latency
>> >> connection.
>> >>
>> >> I have examined the instances at NIST PQC security levels I, III and V,
>> >> and for both unilaterally authenticated and mutually authenticated TLS.
>> >>
>> >> The report on these experiments (which is basically an excerpt of my
>> >> PhD thesis manuscript) can be found in the attached document. It's a
>> >> fairly dense document, so refer to the reading suggestions to easily
>> >> find what you are looking for.
>> >>
>> >> It can be found at https://wggrs.nl/post/tls-measurements/handout-tls.pdf.
>> >>
>> >> I hope this document can be useful to:
>> >>
>> >> * get a feeling for how we can combine (signature) algorithms to fit
>> >>   their differing roles in the handshake
>> >> * to see how this affects the handshake sizes, and
>> >> * have some indication of how the performance of these combinations of
>> >>   algorithms is in a TLS stack on a network.
>> >> * Additionally, I believe my results are useful to compare the cost of
>> >>   different NIST security levels.
>> >>
>> >> The experiments do not include SCTs or OCSP staples, but I think that
>> >> their effect can mostly be extrapolated from the reported results. Also
>> >> note that I am simulating the network environment, so the effect of the
>> >> initial congestion window is much less gradual than observed in
>> >> practice.
>> >>
>> >> As I write in the document, I want to examine the NIST on-ramp
>> >> candidates' suitability for use in TLS as soon as the list of
>> >> algorithms is formally out; for my PhD thesis they unfortunately came
>> >> into the picture too late.
>> >>
>> >> Cheers,
>> >>
>> >> Thom Wiggers
>> >> PQShield
>> >>
>> >> _______________________________________________
>> >> TLS mailing list
>> >> TLS@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/tls