Our cryptographically secure implementation, aimed at the 128-bit security level, reveals that the performance price when switching from non-quantum-safe key exchange is not too high. With our R-LWE ciphersuites integrated into the OpenSSL library and using the Apache web server on a 2-core desktop computer, we could serve 506 RLWE-ECDSA-AES128-GCM-SHA256 HTTPS connections per second for a 10 KiB payload. Compared to elliptic curve Diffie-Hellman, this means an 8 KiB increased handshake size and a reduction in throughput of only 21%. This demonstrates that provably secure post-quantum key-exchange can already be considered practical.
Category / Keywords: cryptographic protocols / post-quantum, learning with errors, Transport Layer Security (TLS), key exchange
Original Publication (with major differences): IEEE Security & Privacy 2015
Date: received 4 Aug 2014, last revised 16 Mar 2015
Contact author: stebila at qut edu au
Version: 20150316:235249
Short URL: ia.cr/2014/599