Multiple studies have evaluated the impact of PQC algorithms in TLS 1.3. These studies have focused on server authentication with PQC signatures. To our knowledge, no study has focused on mTLS authentication, where the client sends a PQ certificate chain as well. Such connections could be used in Zero Trust Architectures, where the client opens multiple connections to various destinations, each of which uses mTLS authentication. These sessions will be doubly impacted by the size of the “authentication data” travelling in both directions. This presentation will share experimental results on the Time-to-Last-Byte (TTLB) of mTLS connections that use ML-KEM and ML-DSA and transfer small and larger amounts of data. We will evaluate different round-trips, network bandwidth and TCP initial congestion windows. We will discuss the effect of PQC on mTLS sessions and compare it to previous experiments on typical TLS connections. We will cover potential mTLS use-cases that will suffer more than others and ways to improve them.
Mila Anastasova - Applied Scientist at Amazon Web Services (AWS)
Panos Kampanakis - Principal Security Engineer, Applied Scientist at Amazon Web Services (AWS)
@amazonwebservices