Post-Quantum TLS on Embedded Systems: Integrating and Evaluating Kyber and SPHINCS+ with mbed TLS

Bürstinghaus-Steinbach, Kevin; Krauß, Christoph; Niederhagen, Ruben; Schneider, Michael

doi:10.1145/3320269.3384725

Cited by 34 publications

(21 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, with respect to the time 𝑧, Mosca estimated since 2015 [8] that there is a 1/7 chance of breaking RSA-2048 by 2026 and a 1/2 chance by 2031. Therefore, incorporating post-quantum ciphers in the TLS protocol is currently a significant research field (see, e.g., [9][10][11][12][13][14] ).…”

Section: Introductionmentioning

confidence: 99%

Evaluating the performance of post-quantum secure algorithms in the TLS protocol

Tzinos¹,

Limniotis²,

Kolokotronis³

2022

J Surveill Secur Saf

View full text Add to dashboard Cite

Aim: The imminent advent of large-scale quantum computers within the next years is expected to highly affect the security of several cryptosystems that are now considered secure; this mainly holds for classical, long-established, public key cryptographic algorithms such as RSA and elliptic curve cryptography. Apparently, any security protocol that relies on such ciphers, including the transport layer security (TLS) protocol which constitutes a somewhat de facto standard for the security on the web, will not be considered secure in the post-quantum era. To alleviate the security risks stemming from quantum computing, several proposals have been submitted to the relevant procedure initiated by NIST towards evaluating and standardizing one or more quantum-resistant public-key cryptographic algorithms. This paper focuses on embedding post-quantum secure cryptographic algorithms into the TLS protocol to analyze its performance. More precisely, the paper aims to analyze whether this transition to post-quantum secure algorithms will have a significant impact on the user experience due to the possible increase of client--server communication times. Methods: Having as the starting point several important works in the field, several experiments were carried out, using combinations of cloud and local virtual machines per case and considering all the post-quantum cryptographic algorithm finalists for key exchange from the third round of the ongoing NIST process, for various cryptographic as well as network parameters. Results: Our results exhibit that, for key exchange in TLS, the best performance among the post-quantum secure ciphers is achieved by the Saber and CRYSTAL-Kyber variants for all security levels, regardless of the underlying computing power. The performance is comparable to that of the corresponding one achieved by a classical elliptic curve algorithm for key exchange for both RTT and packet loss ratio — i.e., the network parameters seem to have the same effect on post-quantum secure algorithms as in the case of a conventional elliptic curve algorithm. However, the effect of the network parameters on the performance is more crucial than the effect of the underlying chosen ciphers. Conclusion: According to the experiments, we conclude that there exist very promising algorithms that could be utilized in TLS in the near future, which may behave even better than the conventional elliptic curve algorithms for key exchange. It should also be pointed out that NIST announced on 5 July 2022 (i.e., after the completion of our research experiments) that, for general encryption used when we access secure websites, the CRYSTALS-Kyber algorithm has been selected, having as one of its advantages the speed of operation. Hence, the results of our paper are fully in line with the progress of the NIST process. Taking into account that the NIST process is still ongoing (now in its fourth round) with the aim to select more algorithms, as well as that some algorithms may be standardized outside NIST, it becomes evident that our results provide very useful insights on performance aspects of the post-quantum secure algorithms.

show abstract

Section: Introductionmentioning

confidence: 99%

Evaluating the performance of post-quantum secure algorithms in the TLS protocol

Tzinos¹,

Limniotis²,

Kolokotronis³

2022

J Surveill Secur Saf

View full text Add to dashboard Cite

show abstract

“…In [22], Bürstinghaus-Steinbach et al showed the integration of the post-quantum key encapsulation mechanism (KEM) scheme Kyber for key establishment and the post-quantum signature scheme SPHINCS+ into the embedded TLS library mbedTLS [1]. They measured the performance of these post-quantum primitives on four different embedded platforms and presented the challenges regarding large certificates chain and slow signing process during the TLS handshake protocol.…”

Section: Related Workmentioning

confidence: 99%

“…They concluded that these challenges affect the use of embedded systems as TLS server but do not necessarily prevent them from acting as TLS client. While the writers of [22] recommended that the use of hardware accelerators may be considered to speed up the SPHINCS+ computations [22], no countermeasures were suggested for the huge size of the chain of trust.…”

Section: Related Workmentioning

confidence: 99%

“…In case Diffie-Hellman (DH) is used for key exchange, a ServerKeyExchange message is sent containing the server's ephemeral DH public key, a signature over the public DH key, client random, and server random. To ensure post-quantum security, in the same light, DH should be replaced by a post-quantum KEM (e.g., Kyber as in [22]).…”

Section: Handshake Protocolmentioning

confidence: 99%

“…Module-LWE addresses the limitation of R-LWE: the size of polynomials increases with security. For Module, only the number of rows and columns (noted k and l respectively in the official submission of Dilithium [22]) impacts security, not the polynomial size (256 coefficients), which is set the same for all.…”

Section: Dilithium Signature Schemementioning

confidence: 99%

See 2 more Smart Citations

XMSS-based Chain of Trust

Marzougui¹,

Seifert²

EPiC Series in Computing

View full text Add to dashboard Cite

Given that large-scale quantum computers can eventually compute discrete logarithm and integer factorization in polynomial time [44], all asymmetric cryptographic schemes will break down. Hence, replacing them becomes mandatory. For this purpose, the Na- tional Institute of Standards and Technology (NIST) initiated a standardization process for post-quantum schemes. These schemes are supposed to substitute classical cryptography in different use-cases, such as client-server authentication during the TLS handshake. How- ever, their signatures, public key sizes, and signature verification time impose difficulty, especially for resource-constrained devices. In this paper, we improve the TLS hand- shake performance relying on post-quantum signatures by combining the XMSS and the Dilithium signature schemes along the chain of certificates. We provide proof-of-concept implementation of our solution by integrating the two signature schemes in the WolfSSL library. Moreover, we evaluate the performance of our solution and establish that it re- duces the signature verification time considerably and minimizes the size of the chain of trust. We provide a security proof of the proposed chain of trust which is relies on the security of the XMSS scheme.

show abstract

Efficient Hash-Based Redactable Signature for Smart Grid Applications

Zhu

Abuadbba

et al. 2022

Computer Security – ESORICS 2022

View full text Add to dashboard Cite

Post-Quantum TLS on Embedded Systems: Integrating and Evaluating Kyber and SPHINCS+ with mbed TLS

Cited by 34 publications

References 19 publications

Evaluating the performance of post-quantum secure algorithms in the TLS protocol

Evaluating the performance of post-quantum secure algorithms in the TLS protocol

XMSS-based Chain of Trust

Efficient Hash-Based Redactable Signature for Smart Grid Applications

Contact Info

Product

Resources

About