Measuring TLS key exchange with post-quantum KEM


Recently Cloudflare announced a wide-scale post-quantum experiment that was conducted in cooperation with Google. We focused on using post-quantum key exchange algorithms by real clients for the TLS session establishment over real networks. Our goal was to find most suitable quantum-resistant key exchange algorithm to be used on the Internet as well as understand difficulties related to deployment of post-quantum cryptography. To achieve those goals we selected two significantly different post-quantum KEMs – SIKE and NTRU. This choice allowed us to assess how size of the public key will affect performance of TLS handshake and whether it is worth to favor schemes with small public keys over those which perform much faster but also have much bigger public key size. We implemented those algorithms in BoringSSL library which then was integrated into Google’s Chrome Canary web browser and Cloudflare’s edge servers. Such software and service package was made public and used by real users. This enabled us to perform measurements on real-world use cases, both on server and client side. We collected, analyzed data and studied the results. In this invited talk will discuss the outcomes of the experiment.

Measuring Post-Quantum TLS