Optimizing post-quantum TLS on embedded clients

dc.contributor.author: Xu, Ganyu
dc.date.accessioned: 2025-08-13T18:30:44Z
dc.date.available: 2025-08-13T18:30:44Z
dc.date.issued: 2025-08-13
dc.date.submitted: 2025-08-08
dc.description.abstract: Transport Layer Security (TLS) is the most widely used cryptographic protocol on the Internet. It ensures the confidentiality, integrity, and authenticity of application data using a combination of cryptographic primitives, including Diffie-Hellman key exchange, digital signatures, cryptographic hash functions, and authenticated encryption with associated data (AEAD). Unfortunately, Peter Shor's quantum integer factorization algorithm and recent progress in engineering large-scale quantum computers pose an existential threat to the number-theoretic and elliptic-curve public-key algorithms used in TLS. The risk of "harvest-now-decrypt-later" attacks and the enormous effort needed to migrate existing digital infrastructure mean that the transition to post-quantum cryptography (PQC) needs to start as soon as possible. Since Google's earliest public experiment with PQC in TLS and the start of NIST's PQC standardization project, collaboration between government, industry, and academia over the last two decades has produced impressive progress towards a quantum-safe future. As of July 2025, NIST has standardized three PQC algorithms (ML-KEM, ML-DSA, SLH-DSA), and research projects such as Open Quantum Safe (OQS) have integrated PQC algorithms into popular cryptographic protocols (TLS, SSH, VPN, etc.) for experimental deployment and evaluation. While the migration to PQC is gathering momentum, deploying PQC on embedded systems has received comparatively little attention despite the proliferation of IoT devices and the growing importance of IoT security. There are fewer readily available embedded TLS libraries with PQC support, and fewer systematic efforts toward understanding the performance and security impact of deploying post-quantum TLS on embedded clients. In this work, we make several contributions to understanding and optimizing post-quantum TLS on embedded systems.
First, we reduce the client's computational workload in ephemeral key exchange by replacing an IND-CCA KEM with an IND-1CCA KEM. Specifically, we propose methods for constructing IND-1CCA KEMs that avoid the expensive re-encryption step of the Fujisaki-Okamoto transformation. Second, we implement KEM-based authentication (KEMTLS) as an alternative to signature-based authentication in TLS. Compared to signature-based authentication, KEM-based authentication reduces bandwidth requirements and allows the client to start sending application data earlier. Last but not least, we provide a clean, simple implementation of post-quantum TLS and KEMTLS, with which we benchmark handshake performance on an embedded client. By combining these optimization techniques, we reduce the client's TLS handshake latency to 84.17 ms, a 34.4% reduction compared to using elliptic-curve algorithms (128.40 ms).
dc.identifier.uri: https://hdl.handle.net/10012/22151
dc.language.iso: en
dc.pending: false
dc.publisher: University of Waterloo
dc.subject: TLS
dc.subject: post-quantum cryptography
dc.subject: embedded system
dc.title: Optimizing post-quantum TLS on embedded clients
dc.type: Master Thesis
uws-etd.degree: Master of Applied Science
uws-etd.degree.department: Electrical and Computer Engineering
uws-etd.degree.discipline: Electrical and Computer Engineering
uws-etd.degree.grantor: University of Waterloo
uws-etd.embargo.terms: 0
uws.contributor.advisor: Gong, Guang
uws.contributor.affiliation1: Faculty of Engineering
uws.peerReviewStatus: Unreviewed
uws.published.city: Waterloo
uws.published.country: Canada
uws.published.province: Ontario
uws.scholarLevel: Graduate
uws.typeOfResource: Text

Files

Original bundle
Name: Xu_Ganyu.pdf
Size: 15.22 MB
Format: Adobe Portable Document Format

License bundle
Name: license.txt
Size: 6.4 KB
Description: Item-specific license agreed upon to submission