Paper 2024/176
The impact of data-heavy, post-quantum TLS 1.3 on the Time-To-Last-Byte of real-world connections
Abstract
It has been shown that post-quantum key exchange and authentication with ML-KEM and ML-DSA, NIST’s post-quantum algorithm picks, will have an impact on the performance of TLS 1.3 as used in the Web or other applications. Studies so far have focused on the overhead of quantum-resistant algorithms on TLS time-to-first-byte (handshake time). Although these works have been important in quantifying the slowdown in connection establishment, they do not capture the full picture regarding real-world TLS 1.3 connections, which carry sizable amounts of data. Intuitively, the introduction of an extra 10KB of ML-KEM and ML-DSA exchanges in the connection negotiation will inflate the connection establishment time proportionally more than it will increase the total connection time of a Web connection carrying 200KB of data. In this work, we quantify the impact of ML-KEM and ML-DSA on typical TLS 1.3 connections which transfer a few hundred KB from the server to the client. We study the slowdown in the time-to-last-byte of post-quantum connections under normal network conditions and in more unstable environments with high packet delay variability and loss probabilities. We show that the impact of ML-KEM and ML-DSA on the TLS 1.3 time-to-last-byte under stable network conditions is lower than the impact on the handshake and diminishes as the transferred data increases. The time-to-last-byte increase stays below 5% for high-bandwidth, stable networks. It goes from a 32% increase of the handshake time to an increase of under 15% of the time-to-last-byte when transferring 50KiB of data or more under low-bandwidth, stable network conditions. Even when congestion control affects connection establishment, the additional slowdown drops below 10% as the connection data increases to 200KiB.
We also show that connections under lossy or volatile network conditions could see higher impact from post-quantum handshakes, but these connections’ time-to-last-byte increase still drops as the transferred data increases. Finally, we show that such connections are already significantly slow and volatile regardless of the TLS handshake.
Note: A TLS 1.3 connection's TTFB consists of the handshake time and one more RTT for the client request-response (in most use-cases). We made minor text changes to prevent the misconception that TTFB=handshake time.
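The intuition in the abstract (a fixed handshake overhead weighs less as the transferred data grows, even when it costs an extra congestion-control round) can be seen in a toy slow-start model. This is an added example, not code or measurements from the paper; the segment size, initial window, 5,000-byte classical flight, RTT, bandwidth, and the placement of the whole extra 10KB on the server flight are assumptions.

```python
import math

MSS = 1460        # bytes per TCP segment (assumed)
INIT_CWND = 10    # initial congestion window in segments (assumed)
CLASSIC_HS = 5_000             # server handshake flight in bytes (constructed)
PQ_HS = CLASSIC_HS + 10_000    # the abstract's "extra 10KB", all on the server flight (assumed)

def rounds_to_send(nbytes, cwnd):
    """Slow-start rounds needed to deliver nbytes; returns (rounds, cwnd afterwards)."""
    segs, rounds = math.ceil(nbytes / MSS), 0
    while segs > 0:
        sent = min(segs, cwnd)
        segs -= sent
        cwnd += sent      # slow start: one extra segment per segment ACKed
        rounds += 1
    return rounds, cwnd

def connection_times(hs_bytes, data_bytes, rtt, bw_bps):
    """(handshake time, time-to-last-byte) in seconds, with no loss and no jitter."""
    hs_rounds, cwnd = rounds_to_send(hs_bytes, INIT_CWND)
    # one RTT for the TCP handshake, then the rounds carrying the TLS flight
    handshake = rtt * (1 + hs_rounds) + hs_bytes * 8 / bw_bps
    data_rounds, _ = rounds_to_send(data_bytes, cwnd)  # window carries over
    ttlb = handshake + rtt * data_rounds + data_bytes * 8 / bw_bps
    return handshake, ttlb

def pq_slowdown(data_bytes, rtt=0.05, bw_bps=10e6):
    """Percent increase of (handshake, TTLB) when moving from CLASSIC_HS to PQ_HS."""
    hs_c, ttlb_c = connection_times(CLASSIC_HS, data_bytes, rtt, bw_bps)
    hs_q, ttlb_q = connection_times(PQ_HS, data_bytes, rtt, bw_bps)
    return 100 * (hs_q / hs_c - 1), 100 * (ttlb_q / ttlb_c - 1)

if __name__ == "__main__":
    for kib in (0, 50, 100, 200):
        hs, ttlb = pq_slowdown(kib * 1024)
        print(f"{kib:>3} KiB data: handshake +{hs:.1f}%  TTLB +{ttlb:.1f}%")
```

In this model the larger flight spills past the initial window and costs one extra round trip during the handshake, yet the relative TTLB penalty still shrinks with every increase in payload size.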
Metadata
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. MADweb 2024
- DOI
- 10.14722/madweb.2024.23010
- Keywords
- PQ TLS 1.3 Time-To-Last-Byte performance, post-quantum TLS 1.3 TTLB, PQ impact on TLS 1.3 time-to-last-byte
- Contact author(s)
- kpanos @ amazon com
- childw @ amazon com
- History
- 2024-03-13: last of 6 revisions
- 2024-02-06: received
- Short URL
- https://ia.cr/2024/176
- License
- CC BY
BibTeX
@misc{cryptoeprint:2024/176,
  author = {Panos Kampanakis and Will Childs-Klein},
  title = {The impact of data-heavy, post-quantum {TLS} 1.3 on the Time-To-Last-Byte of real-world connections},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/176},
  year = {2024},
  doi = {10.14722/madweb.2024.23010},
  url = {https://eprint.iacr.org/2024/176}
}