Energy Consumption of Post Quantum Cryptography: Dilithium and Kyber Beat Our Existing TLS 1.3 Performance

Like it or not, our existing public key methods will be easily cracked by quantum computers. We must thus look to new quantum robust methods to provide our key exchange, digital signing and public key encryption methods. Thus, TLS 1.3 and above will have to migrate away from anything that uses RSA and ECC, and towards quantum robust methods, such as those based on lattice techniques. For this, NIST recently started the standardization of Kyber for key exchange and public key encryption, and of Dilithium for digital signatures. There will be others coming along behind them, though, possibly with Bike, FrodoKEM and Falcon for key exchange, and Sphincs+ for digital signatures.

But, there’s a feeling that Post Quantum Cryptography (PQC) will not be as fast, and will be more costly in energy consumption, than our existing public key methods. But, a new paper puts this fear aside and shows that the best PQC methods can beat our elliptic curve and RSA methods for a TLS 1.3 handshake.

TLS

With TLS, we insert a layer above the transport layer (Figure 1), and which creates an end-to-end tunnel between two hosts. In a traditional public key encryption handshake, we use ECDH (Elliptic Curve Diffie Hellman) to generate a shared session key between Bob and Alice. In the past, we have used the RSA method to pass the shared key, but this has now been dropped for TLS 1.3. These days, with TLS 1.3, we only use ECDH.

The encryption tunnel is then created using the session key, and using a defined symmetric key method (normally AES or ChaCha20). Unfortunately, ECDH is open to an Eve-in-the-middle attack, and so we need to integrate authentication of Alice to Bob. This is achieved with a digital signature method such as RSA or ECDSA. With ECDH+ECDSA or ECDH+RSA, we typically end up with ECDHE.

Figure 1: Outline of TLS

Performance of PQC

Every single tick of the clock on a computer system costs a little bit of energy, and a processor running at 100% consumes much more energy than one that is idling. Along with challenges in the amount of energy that our digital systems consume, we have the threat of quantum computers on our existing public key systems. For this, we now see the rise of PQC methods, such as those using lattice techniques. But, what is the energy footprint of these PQC methods, and how does it compare with RSA and ECC for our TLS connections?

Well, the energy footprint of PQC with TLS has now been assessed with this new paper:

Figure 2: [1]

PQC TLS 1.3 handshake: KEM and Digital Signature

The usage of TLS 1.3 matches well with a real-life situation. With PQC, we do not have the concept of the Diffie-Hellman key exchange method, and now replace it with an encapsulation of the key within an encrypted transmission (Figure 3) — KEM (Key Encapsulation Method).

Figure 3: PQC TLS 1.3 handshake [1]

An important part of the process is the signing of the key exchange, and which protects against an Eve-in-the-middle attack. We thus need a digital signature method, alongside our KEM. For PQC KEMs, we have Kyber, Bike, HQC and FrodoKEM, and for digital signatures, we have Dilithium, Sphincs+, and Falcon. Normally, in our TLS 1.3 handshakes, we only use elliptic curve methods, so ECDHE is the standard handshaking technique, and then we can choose RSA or ECDSA for the digital signature.
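The message flow described above, as an added example that is not code from the article or from the paper [1]: the client sends a KEM public key, the server returns a ciphertext plus a signature over the transcript, and the client verifies and decapsulates. The Python standard library has no lattice primitives, so a Diffie-Hellman-based toy KEM stands in for Kyber and a Lamport one-time signature stands in for the handshake signature; the group parameters, function names and two-field transcript are assumptions and are not secure or TLS-accurate.

```python
import hashlib, secrets

P, G = 2**255 - 19, 2   # toy group parameters (assumed for illustration), NOT secure

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def enc(n):
    return n.to_bytes(32, "big")

# --- KEM interface: keygen / encaps / decaps (DH-based stand-in for Kyber) ---
def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def kem_encaps(pk):
    e = secrets.randbelow(P - 2) + 1
    ct = pow(G, e, P)
    return ct, H(enc(ct), enc(pk), enc(pow(pk, e, P)))  # (ciphertext, shared secret)

def kem_decaps(sk, pk, ct):
    return H(enc(ct), enc(pk), enc(pow(ct, sk, P)))

# --- Lamport one-time signature (hash-based stand-in for the signature) ---
def sig_keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return [[H(x) for x in pair] for pair in sk], sk

def _bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sig_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def sig_verify(pk, msg, sig):
    # Reject short signatures explicitly: zip() would otherwise truncate silently
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

def handshake():
    cert_pk, cert_sk = sig_keygen()        # server's long-term signing key pair
    kem_pk, kem_sk = kem_keygen()          # client -> server: KEM public key
    ct, server_key = kem_encaps(kem_pk)    # server -> client: KEM ciphertext
    transcript = enc(kem_pk) + enc(ct)     # simplified handshake transcript
    sig = sig_sign(cert_sk, transcript)    # server -> client: signature
    authentic = sig_verify(cert_pk, transcript, sig)
    client_key = kem_decaps(kem_sk, kem_pk, ct)
    return authentic, client_key == server_key, sum(map(len, sig))
```

The third value returned by `handshake()` is the signature size in bytes, which for this simple hash-based scheme is already far larger than the 32-byte KEM ciphertext it authenticates.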

In the experiment, a PicoScope is used to measure the energy consumption of each method (Figure 4):

Figure 4: Experimental setup [1]

The experiment breaks the handshake down into key generation, encryption (signing) and decryption (verifying). It can be seen from Table 1 that RSA is costly for key generation.

Table 1: TLS timings [1]

For KEM, we see that Kyber512 compares well with ECDHE, and that the performance is similar in most areas, along with having a similar energy footprint. In fact, Kyber512 improves on ECDHE for energy consumption in the handshake of the key. Bike and FrodoKEM do less well, and are considerably slower than Kyber512 and ECDHE, and also consume much more energy. In the case of FrodoKEM, the energy consumption is more than 25 times greater than Kyber512 and ECDHE. HQC performs better than Bike and FrodoKEM, but still consumes more energy than Kyber512 and ECDHE.

For signatures, we can see why NIST selected Dilithium as a standard, as it has a similar performance to ECDSA. The other PQCs struggle with performance and are even slower than RSA signatures. Sphincs+ is especially hungry for energy and has a poor performance level. Surprisingly Falcon did not do well in this test — even though it is a lattice method (and thus similar to Dilithium).

Table 2 outlines the methods when they are paired. The benchmark for current handshakes is ECDHE with either an RSA or ECDSA signature. Overall, ECDSA+ECDHE has a much lower energy footprint than RSA+ECDHE (due to the costly RSA signature part). For the PQC methods, we see that Dilithium and Kyber provide improved energy consumption over ECDSA+ECDHE, and much better than RSA+ECDHE. Unfortunately, Sphincs+Kyber is extremely costly in both performance and energy consumption. This is due to its large digital signature, which must be carried in many TLS packets.

Table 2: TLS timings

When we benchmark energy consumption against RSA+ECDHE and ECDSA+ECDHE (Table 3), we see that Dilithium+Kyber and Falcon+Kyber are generally much more efficient than RSA+ECDHE, but only Dilithium+Kyber beats ECDSA+ECDHE. All the PQC methods, apart from Sphincs+ and Kyber, perform pretty well compared with our existing key exchange methods.

Table 3: Comparison of energy consumption [1]

Conclusions

Shock! We thought that we just couldn’t get better than ECDSA+ECDHE for TLS 1.3 performance, but Dilithium+Kyber have beaten it! Overall, most of the PQC KEMs and digital signatures did very well against our existing key exchange methods, and generally much better than RSA+ECDHE. One problem area was with the Sphincs+ key exchange method, which consumes much more energy and is generally slower than our traditional TLS 1.3 methods.

NIST are keen that we don’t become too dependent on the lattice methods, and HQC looks a good alternative for key exchange, along with FrodoKEM and Bike providing good performance levels. But, for digital signatures, we are struggling to find a good non-lattice alternative, as Sphincs+ looks slow and energy inefficient.

Postscript

Here is a performance assessment of key exchange methods:

https://asecuritysite.com/pqc/pqc_kem

and for digital signature methods:

https://asecuritysite.com/pqc/pqc_sig

References

[1] George Tasopoulos, Charis Dimopoulos, Apostolos P. Fournaris, Raymond K. Zhao, Amin Sakzad and Ron Steinfeld, Energy Consumption Evaluation of Post-Quantum TLS 1.3 for Resource-Constrained Embedded Devices, Cryptology ePrint Archive, Paper 2023/506.