To some extent, this may be yelling for the impossible. Unfortunately, using ML-DSA for the Web PKI in its current form is also impossible.
I do not think that word means what they think it means :) Consider that, when TLS was first adopted, average end-user bandwidth was at least 1000 times slower than today, so an RSA-512 handshake took a lot longer than a post-quantum handshake would now. OK, but TLS was only rarely used back then; still, I bet bandwidth has gone up tenfold since the point that TLS started to become the norm.
But I agree that post-quantum keys & signatures are too damn big. I don’t really care about TLS, but Ed25519 is so nice for key-based identity systems — your ID is only 32 bytes and signatures only 64.
A fresh TCP connection, which is where a TLS handshake happens, is not using all your bandwidth. It’s bound by latency and the initial congestion window. Neither of those has improved by 1000x.
One of the projects I’m working on uses a LOT of signatures – basically signing every hop in a connection rather than the connection end-to-end. With elliptic curve crypto that works fine because each signature is very small. PQC may materially change what we can implement though because the signatures are much larger.
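As an added illustration of the congestion-window point and the per-hop signing concern above (this is not code from any commenter), the following Python snippet estimates how many slow-start round trips a fresh connection needs to deliver a certificate chain for Ed25519 versus the ML-DSA parameter sets. The MSS, the 10-segment initial window, the 3-certificate layout and the per-certificate overhead allowance are assumptions; the ML-DSA sizes are the FIPS 204 values.

```python
# Added example (not from the thread): estimate how many round trips a fresh TCP
# connection needs to deliver the signature-bearing part of a TLS handshake,
# comparing Ed25519 with the ML-DSA parameter sets (sizes from FIPS 204).
# Assumptions: MSS 1460 bytes, initial congestion window of 10 segments
# (RFC 6928), classic slow start doubling cwnd every RTT, and a toy chain
# layout of 3 certificates each carrying one public key and one signature.

MSS = 1460              # assumed TCP maximum segment size in bytes
INITCWND_SEGMENTS = 10  # RFC 6928 initial window, assumed here

# (public key bytes, signature bytes) per scheme; ML-DSA values are FIPS 204 sizes
SCHEMES = {
    "Ed25519":   (32, 64),
    "ML-DSA-44": (1312, 2420),
    "ML-DSA-65": (1952, 3309),
    "ML-DSA-87": (2592, 4627),
}

def chain_bytes(scheme: str, certs: int = 3, overhead_per_cert: int = 300) -> int:
    """Bytes of key+signature material in a chain of `certs` certificates.
    `overhead_per_cert` is an assumed allowance for names, extensions, encoding."""
    pk, sig = SCHEMES[scheme]
    # Each cert carries its own public key and is signed by its issuer:
    # `certs` keys + `certs` signatures, plus the CertificateVerify signature
    # the leaf key produces during the handshake itself.
    return certs * (pk + sig + overhead_per_cert) + sig

def round_trips(payload_bytes: int, mss: int = MSS, initcwnd: int = INITCWND_SEGMENTS) -> int:
    """RTTs slow start needs to deliver payload_bytes from a fresh connection:
    cwnd starts at initcwnd segments and doubles every RTT (no loss modelled)."""
    if payload_bytes <= 0:
        return 0
    cwnd, sent, rtts = initcwnd, 0, 0
    while sent < payload_bytes:
        sent += cwnd * mss
        cwnd *= 2
        rtts += 1
    return rtts

def per_hop_signature_bytes(scheme: str, hops: int) -> int:
    """Signature bytes added when every hop of a path is signed (the per-hop
    design described in the thread) rather than one end-to-end signature."""
    return hops * SCHEMES[scheme][1]

if __name__ == "__main__":
    for name in SCHEMES:
        size = chain_bytes(name)
        print(f"{name:10} chain~{size:6d} B  RTTs={round_trips(size)}  "
              f"10-hop sigs={per_hop_signature_bytes(name, 10)} B")
```

With these assumptions the Ed25519 and ML-DSA-44 chains fit in the initial window, while ML-DSA-65 and ML-DSA-87 spill into a second round trip; the per-hop figure shows how quickly signature bytes multiply when every hop signs.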