FWIW I have been working on synthetic TLS benchmarks as part of work in the Embedded Microprocessor Benchmark Consortium.
I presented the work in SAAG twice: here is the first presentation
https://datatracker.ietf.org/meeting/103/materials/slides-103-saag-iot-benchmarking-00
and here is the update
https://www.ietf.org/proceedings/103/slides/slides-103-saag-iot-benchmarking-00

Here is the page to EEMBC: https://www.eembc.org/securemark/
It contains videos and documents explaining the benchmarks. It also lists the submitted scores from different vendors.

Here is the code for the initial version of the benchmark:
https://github.com/eembc/securemark-tls

The reference implementation for version 2 (based on TLS 1.3 and more advanced algorithms) is here:
https://github.com/eembc/securemark-v2

I think it would be worthwhile to create a version of the EEMBC benchmark using PQC algorithms.

Ciao
Hannes

On 26.06.2023 at 13:48, Thom Wiggers wrote:
Hi TLS-wg and PQUIP-rg,

Recently, I have computed the sizes and measured the performance of post-quantum TLS (both PQ key exchange and post-quantum authentication). In these experiments, I have examined combinations of Kyber, Dilithium, Falcon, SPHINCS+-(sf), HQC, and XMSS. The experiments include measuring their performance over two network settings, one high-bandwidth, low-latency and one low-bandwidth, high-latency connection. I have examined the instances at NIST PQC security levels I, III and V, and for both unilaterally authenticated and mutually authenticated TLS.

The report on these experiments (which is basically an excerpt of my PhD thesis manuscript) can be found in the attached document. It's a fairly dense document, so refer to the reading suggestions to easily find what you are looking for. It can be found at https://wggrs.nl/post/tls-measurements/handout-tls.pdf.

I hope this document can be useful to:

* get a feeling for how we can combine (signature) algorithms to fit their differing roles in the handshake
* to see how this affects the handshake sizes, and
* have some indication of how the performance of these combinations of algorithms is in a TLS stack on a network.
* Additionally, I believe my results are useful to compare the cost of different NIST security levels.

The experiments do not include SCTs or OCSP staples, but I think that their effect can mostly be extrapolated from the reported results. Also note that I am simulating the network environment, so the effect of the initial congestion window is much less gradual than observed in practice.

As I write in the document, I want to examine the NIST on-ramp candidates' suitability for use in TLS as soon as the list of algorithms is formally out; for my PhD thesis they unfortunately came into the picture too late.

Cheers,

Thom Wiggers
PQShield