Paper 2022/1712

KEMTLS vs. Post-Quantum TLS: Performance On Embedded Systems

Ruben Gonzalez, Neodyme AG, Garchin, Germany
Thom Wiggers, Radboud University Nijmegen

TLS is ubiquitous in modern computer networks. It secures transport for high-end desktops and low-end embedded devices alike. However, the public key cryptosystems currently used within TLS may soon be obsolete as large-scale quantum computers, once realized, would be able to break them. This threat has led to the development of post-quantum cryptography (PQC). The U.S. standardization body NIST is currently in the process of concluding a multi-year search for promising post-quantum signature schemes and key encapsulation mechanisms (KEMs). With the first PQC standards around the corner, TLS will have to be updated soon. However, especially for small microcontrollers, it appears the current NIST post-quantum signature finalists pose a challenge. Dilithium suffers from very large public keys and signatures; while Falcon has significant hardware requirements for efficient implementations. KEMTLS is a proposal for an alternative TLS handshake protocol that avoids authentication through signatures in the TLS handshake. Instead, it authenticates the peers through long-term KEM keys held in the certificates. The KEMs considered for standardization are more efficient in terms of computation and/or bandwidth than the post-quantum signature schemes. In this work, we compare KEMTLS to TLS 1.3 in an embedded setting. To gain meaningful results, we present implementations of KEMTLS and TLS 1.3 on a Cortex-M4-based platform. These implementations are based on the popular WolfSSL embedded TLS library and hence share a majority of their code. In our experiments, we consider both protocols with the remaining NIST finalist signature schemes and KEMs, except for Classic McEliece which has too large public keys. Both protocols are benchmarked and compared in terms of run-time, memory usage, traffic volume and code size. The benchmarks are performed in network settings relevant to the Internet of Things, namely low-latency broadband, LTE-M and Narrowband IoT. Our results show that KEMTLS can reduce handshake time by up to 38%, can lower peak memory consumption and can save traffic volume compared to TLS 1.3.

Available format(s)
Publication info
Published elsewhere. SPACE 2022
post-quantum kemtls tls 1.3 transport layer security public-key cryptography wolfssl embedded devices NIST PQC
Contact author(s)
mail+kemtls @ ruben-gonzalez de
thom @ thomwiggers nl
2022-12-10: approved
2022-12-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ruben Gonzalez and Thom Wiggers},
      title = {KEMTLS vs. Post-Quantum TLS: Performance On Embedded Systems},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1712},
      year = {2022},
      doi = {10.1007/978-3-031-22829-2_6},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.