TLS oriented figure of merit for signature sizes


Watson Ladd

Jun 1, 2023, 6:20:42 PM
to pqc-...@list.nist.gov
Dear PQniks,

I propose the following figure of merit for signature sizes:
3*signature size + 2*public key size. To normalize for comparison we
can divide by 5. This is inspired by what goes over the wire in a TLS
handshake: an intermediate cert and end entity cert each with a
signature and public key, and a signature on a key exchange. Larger
certificate chains bring the ratio closer to 1:1.

This figure of merit is not applicable for all situations, but may
prove instructive for TLS and similar protocols and guide in parameter
selection.

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim

Bas Westerbaan

Jun 1, 2023, 6:38:44 PM
to Watson Ladd, pqc-...@list.nist.gov
> This is inspired by what goes over the wire in a TLS
> handshake: an intermediate cert and end entity cert each with a
> signature and public key, and a signature on a key exchange. Larger
> certificate chains bring the ratio closer to 1:1.

Great idea. I'd add two extra signatures on top for Certificate Transparency's SCTs. [1]

Best,

 Bas


[1] And we might be headed to three even.
 

Kampanakis, Panos

Jun 2, 2023, 9:59:42 AM
to Bas Westerbaan, Watson Ladd, pqc-forum

+1, but for the general case I would not count SCTs.

Maybe there could be a “general TLS figure of merit” and a “web TLS figure of merit”.


D. J. Bernstein

Jun 16, 2023, 8:50:53 AM
to pqc-...@list.nist.gov
Watson Ladd writes:
> I propose the following figure of merit for signature sizes:
> 3*signature size + 2*public key size.

Straightforward caching of reused keys and signatures moves the 3 and 2
much closer to 1 and 0.

The typical web page is above 2MB and growing. Transmitting current
keys+signatures is a negligible part of the costs of HTTPS. There has
been very little incentive to deploy caching mechanisms. However, if
plugging a post-quantum system into HTTPS turns these sizes into
important costs, then people will respond with caching, at which point
counting 3*siglen+2*pklen will be an overestimate of costs.

Also, if the remaining 1*siglen (the fresh signature in SIGMA) is large
enough by itself to be an important cost, then people will respond by
replacing that signature with a KEM ciphertext, which is an attractive
option in any case.

I would rather see a metric chosen on the basis of evidence that the
metric reflects important long-term costs that users will see throughout
the lifetime of the signature system.

---D. J. Bernstein
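The three positions in this thread (Watson Ladd's 3:2 weighting, Bas Westerbaan's extra SCT signatures, and D. J. Bernstein's caching argument) are all instances of one handshake byte-count model, which the following added example makes explicit. It is not code from the thread or from NIST. The model assumes, as the first message describes, one signature and one public key per transmitted certificate (intermediate and end-entity; the root is pre-installed), plus one fresh handshake signature; SCTs add one signature each and a fully cached chain leaves only the fresh signature (the "1 and 0"). The scheme sizes are the published figures from the respective specifications as I know them, not numbers from the thread.

```python
"""Byte-count model behind the TLS-oriented figure of merit for signature sizes.

Constructed example (not from the thread or NIST). Weights follow the thread:
  - Watson Ladd: intermediate + end-entity cert (1 sig + 1 pk each) and one
    handshake signature -> 3 signatures, 2 public keys, normalised by 5.
  - Bas Westerbaan: one extra signature per Certificate Transparency SCT.
  - D. J. Bernstein: a cached chain leaves only the fresh signature (1 sig, 0 pk).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SigScheme:
    name: str
    sig_bytes: int
    pk_bytes: int


# Reference sizes as published in the schemes' specifications (assumption:
# taken from the specifications from memory, not from the thread).
SCHEMES = [
    SigScheme("Ed25519", 64, 32),
    SigScheme("Falcon-512", 666, 897),
    SigScheme("ML-DSA-44", 2420, 1312),
    SigScheme("SLH-DSA-SHA2-128s", 7856, 32),
]


def weights(chain_depth=2, scts=0, cached_chain=False):
    """Return (signatures sent, public keys sent) for one handshake.

    chain_depth: certificates transmitted below the pre-installed root.
    scts: SCTs embedded in the leaf certificate, one signature each.
    cached_chain: peer already holds the certificates, so only the fresh
                  handshake signature crosses the wire.
    """
    if cached_chain:
        return 1, 0
    return chain_depth + 1 + scts, chain_depth


def handshake_bytes(scheme, **kw):
    """Total key+signature bytes on the wire under the given handshake model."""
    n_sig, n_pk = weights(**kw)
    return n_sig * scheme.sig_bytes + n_pk * scheme.pk_bytes


def figure_of_merit(scheme, **kw):
    """Normalised metric: wire bytes divided by the number of objects counted
    (5 for the default model, matching the 'divide by 5' in the first message)."""
    n_sig, n_pk = weights(**kw)
    return handshake_bytes(scheme, **kw) / (n_sig + n_pk)


def coefficient_ratio(chain_depth):
    """Signatures-to-public-keys ratio; approaches 1:1 as the chain grows."""
    n_sig, n_pk = weights(chain_depth=chain_depth)
    return n_sig / n_pk


def share_of_page(scheme, page_bytes=2 * 1024 * 1024, **kw):
    """Fraction of a page load spent on keys+signatures (2 MB page, as in the
    thread's 'typical web page is above 2MB' remark)."""
    return handshake_bytes(scheme, **kw) / page_bytes


if __name__ == "__main__":
    models = {
        "general TLS (3 sig, 2 pk)": {},
        "web TLS, 2 SCTs (5 sig, 2 pk)": {"scts": 2},
        "cached chain (1 sig, 0 pk)": {"cached_chain": True},
    }
    for label, kw in models.items():
        print(label)
        for s in SCHEMES:
            print(f"  {s.name:18s} {handshake_bytes(s, **kw):7d} B  "
                  f"FoM {figure_of_merit(s, **kw):8.1f}  "
                  f"page share {share_of_page(s, **kw):.3%}")
    for depth in (2, 4, 10):
        print(f"chain depth {depth}: sig:pk weight ratio {coefficient_ratio(depth):.2f}")
```

Running the block prints the three weightings side by side; the interesting output is how far the cached-chain column falls below the general column for the schemes with large public keys, which is the size of the overestimate Bernstein's reply points at, and how slowly the sig:pk weight ratio drifts toward 1 as the chain deepens.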