Research field: Cryptography
Conference: European Symposium on Research in Computer Security
TLS is extensively utilized for secure data transmission over networks. However, with the advent of quantum computers, the security of TLS based on traditional public-key cryptography is under threat. To counter quantum threats, it is imperative to integrate Post-Quantum Cryptography (PQC) into TLS (PQ-TLS, for short). Most PQ-TLS research focuses on integration and evaluation, but few studies address the improvement of PQ-TLS performance by optimizing PQC implementation. As a critical part of PQ-TLS, post-quantum key encapsulation mechanisms (PQ-KEMs) directly impact PQ-TLS handshake performance. ML-KEM is a NIST-standardized PQ-KEM. In this work, we explore how to improve ML-KEM performance using Intel's latest Advanced Vector Extensions instruction set, AVX-512. We give our implementation details of parallelizing polynomial multiplication, modular reduction, and other computationally intensive modules strategically within ML-KEM. Our optimized ML-KEM implementation achieves up to 1.64× speedup compared to the latest AVX2 implementation. Based on our ML-KEM AVX-512 implementation, we introduce a novel batch key generation method for ML-KEM that can seamlessly integrate into the TLS protocols. The batch method accelerates the key generation procedure by 3.5× to 4.9×. Finally, we integrate the optimized AVX-512 implementation of ML-KEM into TLS 1.3 and assess handshake performance under both PQ-only and PQ-hybrid modes. The assessment demonstrates that our faster ML-KEM implementation results in a higher number of TLS 1.3 handshakes per second under both modes. To further investigate ML-KEM performance improvement, we revisit two IND-1-CCA KEM constructions proposed at Eurocrypt'22 and Asiacrypt'23, implement them based on ML-KEM, and integrate the better-performing one into TLS 1.3 with benchmarks.
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Country of publication | China |
| Site | Springer |
| Likes | 0 |