Faster Post-Quantum TLS 1.3 Based on ML-KEM: Implementation and Assessment

TL;DR

This paper enhances post-quantum TLS 1.3 by optimizing ML-KEM with AVX-512 instructions, achieving significant speedups in key generation and handshake performance, thus improving quantum-resistant secure communications.

Contribution

It introduces optimized AVX-512 implementations and a novel batch key generation method for ML-KEM, significantly improving PQ-TLS handshake efficiency and integrating advanced KEMs into TLS 1.3.

Findings

Up to 1.64x speedup with AVX-512 optimization.

Batch key generation accelerates by 3.5x to 4.9x.

Higher handshake throughput in PQ-TLS 1.3 with optimized ML-KEM.

Abstract

TLS is extensively utilized for secure data transmission over networks. However, with the advent of quantum computers, the security of TLS based on traditional public-key cryptography is under threat. To counter quantum threats, it is imperative to integrate post-quantum algorithms into TLS. Most PQ-TLS research focuses on integration and evaluation, but few studies address the improvement of PQ-TLS performance by optimizing PQC implementation. For the TLS protocol, handshake performance is crucial, and for post-quantum TLS (PQ-TLS) the performance of post-quantum key encapsulation mechanisms (KEMs) directly impacts handshake performance. In this work, we explore the impact of post-quantum KEMs on PQ-TLS performance. We explore how to improve ML-KEM performance using the latest Intel's Advanced Vector Extensions instruction set AVX-512. We detail a spectrum of techniques devised to parallelize polynomial multiplication, modular reduction, and other computationally intensive modules within ML-KEM. Our optimized ML-KEM implementation achieves up to 1.64x speedup compared to the latest AVX2 implementation. Furthermore, we introduce a novel batch key generation method for ML-KEM that can seamlessly integrate into the TLS protocols. The batch method accelerates the key generation procedure by 3.5x to 4.9x. We integrate the optimized AVX-512 implementation of ML-KEM into TLS 1.3, and assess handshake performance under both PQ-only and hybrid modes. The assessment demonstrates that our faster ML-KEM implementation results in a higher number of TLS 1.3 handshakes per second under both modes. Additionally, we revisit two IND-1-CCA KEM constructions discussed in Eurocrypt22 and Asiacrypt23. Besides, we implement them based on ML-KEM and integrate the one of better performance into TLS 1.3 with benchmarks.