Quantum computers could break currently used asymmetric cryptographic schemes
in a few years using Shor's algorithm. These schemes are used in numerous protocols and
applications to provide authenticity as well as key agreement, and quantum-safe
alternatives are urgently needed. NIST therefore initiated a standardization
process. This requires intensive evaluation, also with regard to performance
and integrability. Here, the integration into TLS 1.3 plays an important role,
since it is used for 90% of all Internet connections. In the present work,
algorithms for quantum-safe key exchange during the TLS 1.3 handshake were
reviewed. The focus is on the influence of dedicated network parameters such as
transmission rate or packet loss in order to gain insights regarding the
suitability of the algorithms under corresponding network conditions. For the
implementation, a framework by Paquin et al. was extended to emulate network
scenarios and capture the handshake duration for selected algorithms. It is
shown that the evaluated candidates Kyber, Saber and NTRU as well as the
alternative NTRU Prime have a very good overall performance and partly undercut
the handshake duration of the classical ECDH. The choice of a higher security
level or hybrid variants does not make a significant difference here. This is
not the case with alternatives such as FrodoKEM, SIKE, HQC or BIKE, which have
individual disadvantages and whose respective performance varies greatly
depending on the security level and hybrid implementation. This is especially
true for the data-intensive algorithm FrodoKEM. In general, the prevailing
network characteristics should be taken into account when choosing a scheme and
variant. Furthermore, it becomes clear that the performance of the handshake is
influenced by external factors such as TCP mechanisms or MTU, which could
compensate for possible disadvantages due to PQC if configured appropriately.

Comment: Master's thesis, 160 pages, in Germa