Post-Quantum TLS on Embedded Systems

We present our integration of post-quantum cryptography (PQC), more specifically of the post-quantum KEM scheme Kyber for key establishment and the post-quantum signature scheme SPHINCS$^+$, into the embedded TLS library mbed TLS. We measure the performance of these post-quantum primitives on four different embedded platforms with three different ARM processors and an Xtensa LX6 processor. Furthermore, we compare the performance of our experimental PQC cipher suite to a classical TLS variant using elliptic curve cryptography (ECC). Post-quantum key establishment and signature schemes have been either integrated into TLS or ported to embedded devices before. However, to the best of our knowledge, we are the first to combine TLS, post-quantum schemes, and embedded systems and to measure and evaluate the performance of post-quantum TLS on embedded platforms. Our results show that post-quantum key establishment with Kyber performs well in TLS on embedded devices compared to ECC variants. The use of SPHINCS$^+$ signatures comes with certain challenges in terms of signature size and signing time, which mainly affects the use of embedded systems as PQC-TLS server but does not necessarily prevent embedded systems to act as PQC-TLS clients

Performance Evaluation of Post-Quantum TLS 1.3 on Resource-Constrained Embedded Systems

Transport Layer Security (TLS) constitutes one of the most widely used protocols for securing Internet communications and has also found broad acceptance in the Internet of Things (IoT) domain. As we progress toward a security environment resistant to quantum computer attacks, TLS needs to be transformed to support post-quantum cryptography. However, post-quantum TLS is still not standardised, and its overall performance, especially in resource-constrained, IoT-capable, embedded devices, is not well understood. In this paper, we showcase how TLS 1.3 can be transformed into quantum-safe by modifying the TLS 1.3 architecture in order to accommodate the latest Post-Quantum Cryptography (PQC) algorithms from NIST PQC process. Furthermore, we evaluate the execution time, memory, and bandwidth requirements of this proposed post-quantum variant of TLS 1.3 (PQ TLS 1.3). This is facilitated by integrating the pqm4 and PQClean library implementations of almost all PQC algorithms selected for standardisation by the NIST PQC process, as well as the alternatives to be evaluated in a new round (Round 4). The proposed solution and evaluation focuses on the lower end of resource-constrained embedded devices. Thus, the evaluation is performed on the ARM Cortex-M4 embedded platform NUCLEO-F439ZI that provides $180$ MHz clock rate, $2$ MB Flash Memory, and $256$ KB SRAM. To the authors\u27 knowledge, this is the first systematic, thorough, and complete timing, memory usage, and network traffic evaluation of PQ TLS 1.3 for all the NIST PQC process selections and upcoming candidate algorithms, that explicitly targets resource-constrained embedded systems

KEMTLS vs. Post-Quantum TLS: Performance On Embedded Systems

TLS is ubiquitous in modern computer networks. It secures transport for high-end desktops and low-end embedded devices alike. However, the public key cryptosystems currently used within TLS may soon be obsolete as large-scale quantum computers, once realized, would be able to break them. This threat has led to the development of post-quantum cryptography (PQC). The U.S. standardization body NIST is currently in the process of concluding a multi-year search for promising post-quantum signature schemes and key encapsulation mechanisms (KEMs). With the first PQC standards around the corner, TLS will have to be updated soon. However, especially for small microcontrollers, it appears the current NIST post-quantum signature finalists pose a challenge. Dilithium suffers from very large public keys and signatures; while Falcon has significant hardware requirements for efficient implementations. KEMTLS is a proposal for an alternative TLS handshake protocol that avoids authentication through signatures in the TLS handshake. Instead, it authenticates the peers through long-term KEM keys held in the certificates. The KEMs considered for standardization are more efficient in terms of computation and/or bandwidth than the post-quantum signature schemes. In this work, we compare KEMTLS to TLS 1.3 in an embedded setting. To gain meaningful results, we present implementations of KEMTLS and TLS 1.3 on a Cortex-M4-based platform. These implementations are based on the popular WolfSSL embedded TLS library and hence share a majority of their code. In our experiments, we consider both protocols with the remaining NIST finalist signature schemes and KEMs, except for Classic McEliece which has too large public keys. Both protocols are benchmarked and compared in terms of run-time, memory usage, traffic volume and code size. The benchmarks are performed in network settings relevant to the Internet of Things, namely low-latency broadband, LTE-M and Narrowband IoT. Our results show that KEMTLS can reduce handshake time by up to 38%, can lower peak memory consumption and can save traffic volume compared to TLS 1.3

Energy Consumption Evaluation of Post-Quantum TLS 1.3 for Resource-Constrained Embedded Devices

Post-Quantum cryptography (PQC), in the past few years, constitutes the main driving force of the quantum resistance transition for security primitives, protocols and tools. TLS is one of the widely used security protocols that needs to be made quantum safe. However, PQC algorithms integration into TLS introduce various implementation overheads compared to traditional TLS that in battery powered embedded devices with constrained resources, cannot be overlooked. While there exist several works, evaluating the PQ TLS execution time overhead in embedded systems there are only a few that explore the PQ TLS energy consumption cost. In this paper, a thorough power/energy consumption evaluation and analysis of PQ TLS 1.3 on embedded systems has been made. A WolfSSL PQ TLS 1.3 custom implementation is used that integrates all the NIST PQC algorithms selected for standardisation as well as 2 out of 3 of those evaluated in NIST Round 4. Also 1 out of 2 of the BSI recommendations have been included. The PQ TLS 1.3 with the various PQC algorithms is deployed in a STM Nucleo evaluation board under a mutual and a unilateral client-server authentication scenario. The power and energy consumption collected results are analyzed in detail. The performed comparisons and overall analysis provide very interesting results indicating that the choice of the PQC algorithms in TLS 1.3 to be deployed on an embedded system may be very different depending on the device use as an authenticated or not authenticated, client or server. Also, the results indicate that in some cases, PQ TLS 1.3 implementations can be equally or more energy consumption efficient compared to traditional TLS 1.3

Thermodynamics of quantum systems under dynamical control

In this review the debated rapport between thermodynamics and quantum mechanics is addressed in the framework of the theory of periodically-driven/controlled quantum-thermodynamic machines. The basic model studied here is that of a two-level system (TLS), whose energy is periodically modulated while the system is coupled to thermal baths. When the modulation interval is short compared to the bath memory time, the system-bath correlations are affected, thereby causing cooling or heating of the TLS, depending on the interval. In steady state, a periodically-modulated TLS coupled to two distinct baths constitutes the simplest quantum heat machine (QHM) that may operate as either an engine or a refrigerator, depending on the modulation rate. We find their efficiency and power-output bounds and the conditions for attaining these bounds. An extension of this model to multilevel systems shows that the QHM power output can be boosted by the multilevel degeneracy. These results are used to scrutinize basic thermodynamic principles: (i) Externally-driven/modulated QHMs may attain the Carnot efficiency bound, but when the driving is done by a quantum device ("piston"), the efficiency strongly depends on its initial quantum state. Such dependence has been unknown thus far. (ii) The refrigeration rate effected by QHMs does not vanish as the temperature approaches absolute zero for certain quantized baths, e.g., magnons, thous challenging Nernst's unattainability principle. (iii) System-bath correlations allow more work extraction under periodic control than that expected from the Szilard-Landauer principle, provided the period is in the non-Markovian domain. Thus, dynamically-controlled QHMs may benefit from hitherto unexploited thermodynamic resources

Dielectric losses in multi-layer Josephson junction qubits

We have measured the excited state lifetimes in Josephson junction phase and transmon qubits, all of which were fabricated with the same scalable multi-layer process. We have compared the lifetimes of phase qubits before and after removal of the isolating dielectric, SiNx, and find a four-fold improvement of the relaxation time after the removal. Together with the results from the transmon qubit and measurements on coplanar waveguide resonators, these measurements indicate that the lifetimes are limited by losses from the dielectric constituents of the qubits. We have extracted the individual loss contributions from the dielectrics in the tunnel junction barrier, AlOx, the isolating dielectric, SiNx, and the substrate, Si/SiO2, by weighing the total loss with the parts of electric field over the different dielectric materials. Our results agree well and complement the findings from other studies, demonstrating that superconducting qubits can be used as a reliable tool for high-frequency characterization of dielectric materials. We conclude with a discussion of how changes in design and material choice could improve qubit lifetimes up to a factor of four.Comment: 10 pages, 4 figures,and 4 table

Two-Level Systems in Evaporated Amorphous Silicon

In $e$-beam evaporated amorphous silicon ($a$-Si), the densities of two-level systems (TLS), $n_{0}$ and $\overline{P}$, determined from specific heat $C$ and internal friction $Q^{-1}$ measurements, respectively, have been shown to vary by over three orders of magnitude. Here we show that $n_{0}$ and $\overline{P}$ are proportional to each other with a constant of proportionality that is consistent with the measurement time dependence proposed by Black and Halperin and does not require the introduction of additional anomalous TLS. However, $n_{0}$ and $\overline{P}$ depend strongly on the atomic density of the film ($n_{\rm Si}$) which depends on both film thickness and growth temperature suggesting that the $a$-Si structure is heterogeneous with nanovoids or other lower density regions forming in a dense amorphous network. A review of literature data shows that this atomic density dependence is not unique to $a$-Si. These findings suggest that TLS are not intrinsic to an amorphous network but require a heterogeneous structure to form