Paper 2024/176

The impact of data-heavy, post-quantum TLS 1.3 on the Time-To-Last-Byte of real-world connections

Panos Kampanakis, Amazon Web Services
Will Childs-Klein, Amazon Web Services
Abstract

It has been shown that post-quantum key exchange and authentication with ML-KEM and ML-DSA, NIST’s post-quantum algorithm picks, will have an impact on TLS 1.3 performance used in the Web or other applications. Studies so far have focused on the overhead of quantum-resistant algorithms on TLS time-to-first-byte (handshake time). Although these works have been important in quantifying the slowdown in connection establishment, they do not capture the full picture regarding real-world TLS 1.3 connections which carry sizable amounts of data. Intuitively, the introduction of an extra 10KB of ML-KEM and ML-DSA exchanges in the connection negotiation will inflate the connection establishment time proportionally more than it will increase the total connection time of a Web connection carrying 200KB of data. In this work, we quantify the impact of ML-KEM and ML-DSA on typical TLS 1.3 connections which transfer a few hundreds of KB from the server to the client. We study the slowdown in the time-to-last-byte of post-quantum connections under normal network conditions and in more unstable environments with high packet delay variability and loss probabilities. We show that the impact of ML-KEM and ML-DSA on the TLS 1.3 time-to-last-byte under stable network conditions is lower than the impact on the handshake and diminishes as the transferred data increases. The time-to-last-byte increase stays below 5% for high-bandwidth, stable networks. It goes from 32% increase of the handshake time to under 15% increase of the time-to-last-byte when transferring 50KiB of data or more under low-bandwidth, stable network conditions. Even when congestion control affects connection establishment, the additional slowdown drops below 10% as the connection data increases to 200KiB.
We also show that connections under lossy or volatile network conditions could see higher impact from post-quantum handshakes, but these connections’ time-to-last-byte increase still drops as the transferred data increases. Finally, we show that such connections are already significantly slow and volatile regardless of the TLS handshake.

Note: A TLS 1.3 connection's TTFB consists of the handshake time and one more RTT for the client request-response (in most use-cases). We made minor text changes to prevent the misconception that TTFB=handshake time.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. MADweb 2024
DOI
10.14722/madweb.2024.23010
Keywords
PQ TLS 1.3 Time-To-Last-Byte performance, post-quantum TLS 1.3 TTLB, PQ impact on TLS 1.3 time-to-last-byte
Contact author(s)
kpanos @ amazon com
childw @ amazon com
History
2024-03-13: last of 6 revisions
2024-02-06: received
Short URL
https://ia.cr/2024/176
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/176,
      author = {Panos Kampanakis and Will Childs-Klein},
      title = {The impact of data-heavy, post-quantum TLS 1.3 on the Time-To-Last-Byte of real-world connections},
      howpublished = {Cryptology ePrint Archive, Paper 2024/176},
      year = {2024},
      doi = {10.14722/madweb.2024.23010},
      note = {\url{https://eprint.iacr.org/2024/176}},
      url = {https://eprint.iacr.org/2024/176}
}