Hi,
As preparation for an upcoming IETF Lightweight Authenticated Key Exchange (LAKE) WG interim meeting on post-quantum cryptography, I compiled a comparison of various quantum-resistant options, including some algorithms that are not (yet) standardized. For the NIST signature ramp-on, I selected the smallest multivariate- and isogeny-based signatures. The table presents the approximate total message size (in bytes) required to achieve mutual authentication with ephemeral key exchange. It assumes that both parties use the same authentication method and that the credentials for mutual authentication are referenced rather than transmitted.

| | Auth API | Mutual Authentication Algorithm | Ephemeral Key Exchange Algorithm | Total Message Size (bytes) |
|---|---|---|---|---|
| Classical | Signature | Ed25519 | X25519 | 220 |
| | NIKE | X25519 | X25519 | 120 |
| | PSK | PSK | X25519 | 120 |
| NIST PQC | Signature | ML-DSA-44 | ML-KEM-512 | 6440 |
| | KEM | ML-KEM-512 | ML-KEM-512 | 3140 |
| | Signature | FN-DSA-512 | ML-KEM-512 | 2930 |
| | PSK | PSK | ML-KEM-512 | 1630 |
| Research | KEM | DAWN-β-512 | DAWN-β-512 | 1890 |
| | Signature | SQISign-I | DAWN-β-512 | 1280 |
| | Signature | UOV Is | DAWN-β-512 | 1180 |
| | PSK | PSK | DAWN-β-512 | 1020 |
| | Signature | SQISign-I | CSIDH-2048 | 830 |
| | Signature | UOV Is | CSIDH-2048 | 730 |
| | NIKE | CSIDH-2048 | CSIDH-2048 | 570 |

Note that “total message size” is only one of many relevant factors. KEM-based authentication requires more flights, KEM- and NIKE-based authentication benefit from requiring only a single asymmetric primitive, whereas signature-based authentication requires two, schemes such as UOV, DAWN, and CSIDH are not standardized and may never be, and while UOV offers small signatures, this comes at the cost of very large public keys.
The results highlight that the large message sizes of ML-KEM and ML-DSA, and the lack of NIKE for authentication, are significant concerns for lightweight use cases such as deep space communication and terrestrial LPWAN. It also highlights the importance of evaluating the total size of an AKE, rather than focusing solely on the size of individual algorithms. LAKE/EDHOC provide a strong framework for benchmarking lightweight post-quantum algorithms, as it supports signature- and NIKE-based authentication, with ongoing work covering PSK and KEM-based authentication as well.
PSK authentication is not an optimal solution, as key management is complex and often fragile in practice. While NIST is making strong progress on more compact post-quantum signatures, comparable advances in quantum-resistant key exchange are also critical. With 2035 only nine years away, there is a clear need for a similar standardization effort focused on smaller, more efficient post-quantum key exchange mechanisms (both KEM and NIKE).
Comments appreciated. Did I miss any important research algorithms?
Cheers,
John Preuß Mattsson