PKI and ML-DSA (FIPS 204) Based Quantum Algorithm Certificate Chains

It's time to start thinking about (and therefore testing) ML-DSA based certificate chains

Compiled and researched by Steve Monti, SafeCipher.com

Size of ML-DSA-87 Certificates

ML-DSA-87 introduces significantly larger signatures compared to traditional ECDSA/RSA signatures. The signature size for ML-DSA-87 is approximately 4.6 KB, which is much larger than the typical 0.1 KB for ECDSA P-384 or 0.4 KB for RSA 3072.

Impact on Handshake Performance

The larger signature size increases the size of the Certificate and CertificateVerify messages exchanged during the TLS 1.3 handshake. This leads to a longer handshake duration, particularly in scenarios with lower bandwidth or higher network latency.

When using default TCP congestion control settings (e.g., TCP initcwnd=10), the large ML-DSA-87 certificate chains can trigger additional round-trip times (RTTs), further slowing down the handshake process.

Impact on Time-To-First-Byte (TTFB)

The larger certificate chains result in a noticeable increase in the Time-To-First-Byte (TTFB), as the client needs to download and verify these larger certificates before it can begin processing any data from the server.

Under stable network conditions, the impact on TTFB is pronounced but manageable. However, in unstable or lossy networks, the increased handshake data due to ML-DSA-87 can significantly degrade TTFB, sometimes resulting in up to a 32% increase in handshake time under low bandwidth and high loss scenarios.

Impact on Time-To-Last-Byte (TTLB)

While the larger ML-DSA-87 signatures slow down the initial handshake, the impact on overall connection time (TTLB) diminishes as more data is transferred. This is because the initial overhead of downloading and verifying the larger certificate chain becomes less significant in the context of a larger overall data transfer.

For large data transfers (e.g., 200KiB or more), the additional time required due to the larger ML-DSA-87 signatures becomes a smaller percentage of the total connection time. The impact on TTLB in stable, high-bandwidth networks remains under 5%, even with the larger ML-DSA-87 signatures.

High Loss and Low Bandwidth Conditions

In environments with high packet loss or low bandwidth, the large size of ML-DSA-87 signatures exacerbates the performance degradation during the handshake phase. However, once the handshake is complete and data transfer begins, the overall impact on the connection’s TTLB decreases as more data is transferred.
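The following is an added example, not code from the article or from SafeCipher: a small model that ties the preceding sections together. It builds the TLS 1.3 Certificate and CertificateVerify message sizes for a two-certificate chain from the FIPS 204 public-key and signature sizes (2,592 and 4,627 bytes for ML-DSA-87, alongside ML-DSA-44/65 and the classical comparisons), counts how many initcwnd=10 windows the server's first flight needs (the extra RTTs described above), and then shows how the resulting TTFB penalty shrinks as a percentage of TTLB when the response grows. The per-certificate body overhead, MSS, base flight size and the link parameters are assumptions chosen to illustrate the mechanism, not the article's measurements.

```python
"""Added example (not from the original article and not the author's code): a
simple model of how ML-DSA-87 certificate chains inflate the TLS 1.3
Certificate/CertificateVerify messages, how many initcwnd windows the server's
first flight needs, and how the resulting handshake overhead shrinks as the
amount of application data grows. Key/signature sizes for ML-DSA come from
FIPS 204; every other constant (per-certificate overhead, MSS, link
parameters) is an assumption chosen to illustrate the mechanism."""
import math

# (public key bytes, signature bytes). ML-DSA rows are the FIPS 204 sizes;
# the classical rows are approximate encoded (SPKI / DER) sizes.
ALGS = {
    "ecdsa-p384": (97, 104),      # uncompressed point; DER-encoded (r, s)
    "rsa-3072":   (422, 384),     # SPKI with 3072-bit modulus; PKCS#1 v1.5 sig
    "ml-dsa-44":  (1312, 2420),
    "ml-dsa-65":  (1952, 3309),
    "ml-dsa-87":  (2592, 4627),
}

CERT_BODY_OVERHEAD = 600   # assumed: names, validity, extensions, ASN.1 framing
MSS = 1460                 # assumed TCP payload per segment (1500 MTU, IPv4)
INITCWND = 10              # Linux default initial congestion window (see article)
BASE_FLIGHT = 300          # assumed: ServerHello + EncryptedExtensions + Finished


def cert_size(alg):
    """A single X.509 certificate: body + subject public key + issuer signature."""
    pk, sig = ALGS[alg]
    return CERT_BODY_OVERHEAD + pk + sig


def certificate_message_size(alg, chain_len=2):
    """TLS 1.3 Certificate message for a chain of `chain_len` certs (root not sent):
    4-byte handshake header, 1-byte context length, 3-byte list length, then
    per entry a 3-byte length, the DER certificate and a 2-byte extensions length."""
    return 4 + 1 + 3 + chain_len * (3 + cert_size(alg) + 2)


def certificate_verify_size(alg):
    """CertificateVerify: 4-byte header, 2-byte algorithm, 2-byte length, signature."""
    return 4 + 2 + 2 + ALGS[alg][1]


def server_flight_size(alg, chain_len=2):
    """Everything the server sends between ClientHello and the client's Finished."""
    return BASE_FLIGHT + certificate_message_size(alg, chain_len) + certificate_verify_size(alg)


def windows_needed(nbytes, initcwnd=INITCWND, mss=MSS):
    """Congestion windows (= round trips) to deliver nbytes when the sender
    starts at initcwnd segments and slow start doubles cwnd every RTT."""
    segments = math.ceil(nbytes / mss)
    windows, cwnd = 0, initcwnd
    while segments > 0:
        segments -= cwnd
        windows += 1
        cwnd *= 2
    return windows


def extra_rtts(alg, chain_len=2):
    """Round trips beyond the one every handshake pays for the server's flight."""
    return windows_needed(server_flight_size(alg, chain_len)) - 1


def ttfb_ms(alg, rtt_ms, bw_mbps, chain_len=2):
    """Simplified TTFB: TCP handshake (1 RTT), ClientHello to first server
    window (1 RTT), any extra windows, request to first response byte (1 RTT),
    plus serialization of the server flight on the bottleneck link."""
    flight = server_flight_size(alg, chain_len)
    serialization_ms = flight * 8 / (bw_mbps * 1e6) * 1000
    return (3 + extra_rtts(alg, chain_len)) * rtt_ms + serialization_ms


def ttlb_overhead_pct(alg, baseline, rtt_ms, bw_mbps, transfer_bytes):
    """Percentage by which `alg` lengthens time-to-last-byte relative to
    `baseline` for a response of transfer_bytes (serialization time only)."""
    def ttlb(a):
        return ttfb_ms(a, rtt_ms, bw_mbps) + transfer_bytes * 8 / (bw_mbps * 1e6) * 1000
    return (ttlb(alg) - ttlb(baseline)) / ttlb(baseline) * 100


if __name__ == "__main__":
    for alg in ALGS:
        print(f"{alg:11s} cert={cert_size(alg):5d}B flight={server_flight_size(alg):6d}B "
              f"extra RTTs={extra_rtts(alg)}")
    for size in (20 * 1024, 200 * 1024, 2 * 1024 * 1024):
        pct = ttlb_overhead_pct("ml-dsa-87", "ecdsa-p384", 20, 100, size)
        print(f"{size // 1024:5d} KiB response: ML-DSA-87 TTLB overhead {pct:.1f}%")
```

With these assumptions a two-certificate ML-DSA-87 chain produces a server flight of roughly 20 KB, which does not fit in the first ten segments and therefore costs one extra round trip, while the ECDSA P-384 and RSA-3072 chains fit in a single window; the percentage overhead then falls steadily as the response size grows, which is the TTFB-versus-TTLB behaviour the sections above describe. The absolute percentages are outputs of this toy model and will not match the article's measured figures; to measure real chains, OpenSSL 3.5 can generate ML-DSA keys (`openssl genpkey -algorithm ML-DSA-87`) and the resulting DER certificate sizes can be substituted for `cert_size`.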

Summary

Using ML-DSA-87 signatures in TLS 1.3 introduces larger certificate chains, which significantly increases the time spent transferring and verifying the certificate chain during the handshake. This leads to a longer Time-To-First-Byte (TTFB), particularly in low bandwidth or high loss environments.

However, as more data is transferred during the connection, the impact on overall Time-To-Last-Byte (TTLB) decreases, especially in high-bandwidth, stable networks. The overhead introduced by ML-DSA-87 is less impactful on the total connection time as the size of the data being transferred increases, but it remains a concern for environments where network stability and bandwidth are limited.