Benchmarking Post-quantum Cryptography in TLS

  • Christian Paquin
  • Douglas Stebila
  • Goutam Tamvada
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12100)


Post-quantum cryptographic primitives have a range of trade-offs compared to traditional public key algorithms, either having slower computation or larger public keys and ciphertexts/signatures, or both. While the performance of these algorithms in isolation is easy to measure and has been a focus of optimization techniques, performance in realistic network conditions has been less studied. Google and Cloudflare have reported results from running experiments with post-quantum key exchange algorithms in the Transport Layer Security (TLS) protocol with real users’ network traffic. Such experiments are highly realistic, but cannot be replicated without access to Internet-scale infrastructure, and do not allow for isolating the effect of individual network characteristics.

In this work, we develop and make use of a framework for running such experiments in TLS cheaply by emulating network conditions using the networking features of the Linux kernel. Our testbed allows us to independently control variables such as link latency and packet loss rate, and then examine the performance impact of various post-quantum primitives on TLS connection establishment, specifically hybrid elliptic curve/post-quantum key exchange and post-quantum digital signatures, based on implementations from the Open Quantum Safe project. Among our key results, we observe that packet loss rates above 3–5% start to have a significant impact on post-quantum algorithms that fragment across many packets, such as those based on unstructured lattices. The results from this emulation framework are also complemented by results on the latency of loading entire web pages over TLS in real network conditions, which show that network latency hides most of the impact from algorithms with slower computations (such as supersingular isogenies).
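The kind of emulated link described above can be built from the kernel features the reference list cites (ip-netns, veth, netem). The script below is an added example, not the authors' testbed code; the namespace names, interface names and addresses are assumptions, and it only prints the commands unless run as root with `DRY_RUN=0`.

```sh
#!/bin/sh
# Added example: two network namespaces joined by a veth pair, with netem
# imposing delay and loss on each end. All names/addresses are assumptions.
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise (needs root).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create client/server namespaces and connect them with one veth pair.
setup_testbed() {
    run ip netns add cli_ns
    run ip netns add srv_ns
    run ip link add name cli_ve netns cli_ns type veth peer name srv_ve netns srv_ns
    run ip netns exec cli_ns ip addr add 10.0.0.2/24 dev cli_ve
    run ip netns exec srv_ns ip addr add 10.0.0.1/24 dev srv_ve
    run ip netns exec cli_ns ip link set dev lo up
    run ip netns exec srv_ns ip link set dev lo up
    run ip netns exec cli_ns ip link set dev cli_ve up
    run ip netns exec srv_ns ip link set dev srv_ve up
}

# set_conditions RTT_MS LOSS_PCT
# netem shapes egress only, so each end gets half the round-trip time as
# one-way delay and the same independent loss rate for its direction.
set_conditions() {
    rtt_ms="$1"; loss_pct="$2"
    one_way=$(awk -v r="$rtt_ms" 'BEGIN { printf "%.3f", r / 2 }')
    for pair in "cli_ns cli_ve" "srv_ns srv_ve"; do
        set -- $pair
        run ip netns exec "$1" tc qdisc replace dev "$2" root netem \
            delay "${one_way}ms" loss "${loss_pct}%"
    done
}

# Deleting the namespaces also removes the veth pair inside them.
teardown_testbed() {
    run ip netns del cli_ns
    run ip netns del srv_ns
}
```

Calling `set_conditions` again with new values changes latency or loss independently without rebuilding the namespaces, which is what lets one variable be swept while the other is held fixed.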


Post-quantum key exchange, Post-quantum authentication, Transport Layer Security (TLS), Network performance, Emulation



We would like to thank Eric Crockett for helpful discussions in the early parts of this work. We are grateful to Geovandro C. C. F. Pereira, Justin Tracey, and Nik Unger for their help with the network emulation experiments. We also thank the anonymous reviewers for their helpful suggestions.

Contributors to the Open Quantum Safe project are listed on the project website [29]. The Open Quantum Safe project has received funding from Amazon Web Services and the Tutte Institute for Mathematics and Computing, and in-kind contributions of developer time from Amazon Web Services, Cisco Systems, evolutionQ, IBM Research, and Microsoft Research. The post-quantum algorithm implementations used in the experiments are directly or indirectly from the original NIST submission teams. Some implementations have been provided by the PQClean project [16].

D.S. is supported in part by Natural Sciences and Engineering Research Council (NSERC) of Canada Discovery grant RGPIN-2016-05146 and a NSERC Discovery Accelerator Supplement. Computation time on Azure was donated by Microsoft Research.

References

  1. Amazon Web Services. s2n (2014).
  2. Apache Software Foundation. ab - Apache HTTP server benchmarking tool (2019).
  3. Biederman, E.W.: IP-NETNS(8), January 2013.
  4. Biederman, E.W., Pospíšek, T.: VETH(4), February 2018.
  5. Bindel, N., et al.: qTESLA. Technical report, National Institute of Standards and Technology (2019).
  6. Bos, J.W., et al.: Frodo: take off the ring! practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 1006–1018. ACM Press, October 2016.
  7. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553–570. IEEE Computer Society Press, May 2015.
  8. Braithwaite, M.: Experimenting with post-quantum cryptography, July 2016.
  9. Campagna, M., Crockett, E.: Hybrid Post-Quantum Key Encapsulation Methods (PQ KEM) for Transport Layer Security 1.2 (TLS). Internet-Draft draft-campagna-tls-bike-sike-hybrid-01, Internet Engineering Task Force, May 2019. Work in Progress.
  10. Crockett, E., Paquin, C., Stebila, D.: Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH. In: NIST 2nd Post-Quantum Cryptography Standardization Conference 2019, August 2019.
  11. Dowling, B., Fischlin, M., Günther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1197–1210. ACM Press, October 2015.
  12. HTTP Archive. Page weight, November 2019.
  13. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012).
  14. Jao, D., et al.: SIKE. Technical report, National Institute of Standards and Technology (2019).
  15. Kampanakis, P., Sikeridis, D.: Two post-quantum signature use-cases: Non-issues, challenges and potential solutions. Cryptology ePrint Archive, Report 2019/1276 (2019).
  16. Kannwischer, M.J., Rijneveld, J., Schwabe, P., Stebila, D., Wiggers, T.: The PQClean project, November 2019.
  17. Kiefer, F., Kwiatkowski, K.: Hybrid ECDHE-SIDH key exchange for TLS. Internet-Draft draft-kiefer-tls-ecdhe-sidh-00, Internet Engineering Task Force, November 2018. Work in Progress.
  18. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013).
  19. Kwiatkowski, K., Langley, A., Sullivan, N., Levin, D., Mislove, A., Valenta, L.: Measuring TLS key exchange with post-quantum KEM. In: NIST 2nd Post-Quantum Cryptography Standardization Conference 2019, August 2019.
  20. Langley, A.: CECPQ2, December 2018.
  21. Langley, A.: Post-quantum confidentiality for TLS, April 2018.
  22. Langley, A.: Real-world measurements of structured-lattices and supersingular isogenies in TLS, October 2019.
  23. Lantz, B., Heller, B., Handigol, N., Jeyakumar, V., O’Connor, B., Burkard, C.: Mininet, November 2019.
  24. Ludovici, F., Pfeifer, H.P.: NETEM(4), November 2011.
  25. Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2019).
  26. Mozilla. Telemetry portal, February 2020.
  27. Naehrig, M., et al.: FrodoKEM. Technical report, National Institute of Standards and Technology (2019).
  28. NGINX, Inc.: NGINX | High Performance Load Balancer, Web Server, & Reverse Proxy (2019).
  29. Open Quantum Safe Project. Open Quantum Safe, November 2019.
  30. Open Quantum Safe Project. OQS-OpenSSL_1_0_2-stable, November 2019.
  31. Open Quantum Safe Project. OQS-OpenSSL_1_1_1-stable, November 2019.
  32. Rescorla, E.: The Transport Layer Security (TLS) protocol version 1.3. RFC 8446, August 2018.
  33. Schanck, J.M., Stebila, D.: A Transport Layer Security (TLS) extension for establishing an additional shared secret. Internet-Draft draft-schanck-tls-additional-keyshare-00, Internet Engineering Task Force, April 2017. Work in Progress.
  34. Schanck, J.M., Whyte, W., Zhang, Z.: Quantum-safe hybrid (QSH) ciphersuite for Transport Layer Security (TLS) version 1.2. Internet-Draft draft-whyte-qsh-tls12-02, Internet Engineering Task Force, July 2016. Work in Progress.
  35. Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2019).
  36. Sikeridis, D., Kampanakis, P., Devetsikiotis, M.: Post-quantum authentication in TLS 1.3: a performance study. Cryptology ePrint Archive, Report 2020/071 (2020).
  37. Stebila, D., Fluhrer, S., Gueron, S.: Design issues for hybrid key exchange in TLS 1.3. Internet-Draft draft-stebila-tls-hybrid-design-01, Internet Engineering Task Force, July 2019. Work in Progress.
  38. Stebila, D., Mosca, M.: Post-quantum key exchange for the internet and the Open Quantum Safe project. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 14–37. Springer, Cham (2017).
  39. The Ethernet Alliance. Ethernet jumbo frames, November 2009.
  40. Unger, N., Goldberg, I.: Qatar University, and the Qatar Foundation for Education, Science and Community Development. Netmirage, November 2019.
  41. Whyte, W., Zhang, Z., Fluhrer, S., Garcia-Morchon, O.: Quantum-safe hybrid (QSH) key exchange for Transport Layer Security (TLS) version 1.3. Internet-Draft draft-whyte-qsh-tls13-06, Internet Engineering Task Force, October 2017. Work in Progress.
  42. Zaverucha, G., et al.: Picnic. Technical report, National Institute of Standards and Technology (2019).

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Christian Paquin (1)
  • Douglas Stebila (2)
  • Goutam Tamvada (2)

  1. Microsoft Research, Redmond, USA
  2. University of Waterloo, Waterloo, Canada
