1 Topic by Sunnysunday (edited by Sunnysunday 2025-08-30 01:29:53)

  • Registered: 2024-09-29
  • Posts: 18

Topic: Performance of PQC on wolfssl compared to ECDHE

I have been conducting tests using wolfssl with ML-KEM PQC on Nordic hardware, measuring DTLS Handshake duration and power consumption.

With the long keys being generated in ML_KEM_512 (800 Bytes with ML_KEM vs 65 with ECDHE), I was expecting much longer handshake times and overall reduced performance compared to normal ECC_SECP256R1, but my measurements indicate that performance is about equal (Cipher Suite TLS13-AES128-GCM-SHA256 with 128 Bit PSK).

Can this be? What's your experience at Wolfssl with ML_KEM_512 Performance compared to ECDHE?

I thought maybe there is something wrong with my setup.

I enforce ML_KEM_512 with two Wolfssl function like this on the client side:

wolfSSL_CTX_UseSupportedCurve(ctx, WOLFSSL_ML_KEM_512);
wolfSSL_UseKeyShare(ssl, WOLFSSL_ML_KEM_512);

In Wireshark I see the approximately 800 Byte keys being sent in client hello and server hello, so I guess my setup is working. This is the Server Hello:

Datagram Transport Layer Security
    DTLSv1.3 Record Layer: Handshake Protocol: Server Hello
        Content Type: Handshake (22)
        Version: DTLS 1.2 (0xfefd)
        Epoch: 0
        Sequence Number: 0
        Length: 840
        Handshake Protocol: Server Hello
            Handshake Type: Server Hello (2)
            Length: 828
            Message Sequence: 0
            Fragment Offset: 0
            Fragment Length: 828
            Version: DTLS 1.2 (0xfefd)
                [Expert Info (Chat/Deprecated): This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
                    [This legacy_version field MUST be ignored. The supported_versions extension is present and MUST be used instead.]
                    [Severity level: Chat]
                    [Group: Deprecated]
            Random: 999619785a3ac2ea78c817e21c867cb34c60170ba578b15102d54c1c35b7f4d4
            Session ID Length: 0
            Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
            Compression Method: null (0)
            Extensions Length: 788
            Extension: pre_shared_key (len=2)
                Type: pre_shared_key (41)
                Length: 2
                Pre-Shared Key extension
                    Selected Identity: 0
            Extension: key_share (len=772) MLKEM512
                Type: key_share (51)
                Length: 772
                Key Share extension
                    Key Share Entry: Group: MLKEM512, Key Exchange length: 768
                        Group: MLKEM512 (512)
                        Key Exchange Length: 768
                        Key Exchange […]: 443a003543a7c73daa189d1a15463e1f22db158ff72744f7eccbcac8608f8d920ac37c5086c6e47bd83d62521b25199a0981dddcc5a6f0cba81c2f42cca888d916243787da19052b30a29892a9bca9a11bbc4ec82a80bbf1f18c98857d08ac7a2513b2a7fbdbe4d7f9e49938daf
            Extension: supported_versions (len=2) DTLS 1.3
                Type: supported_versions (43)
                Length: 2
                Supported Version: DTLS 1.3 (0xfefc)
            [JA3S Fullstring: 65277,4865,41-51-43]
            [JA3S: 671c44eba0297291f3364ac4756f7253]

So is it expected that ML_KEM512 would perform about the same compared to ECDHE or must there be something I have missed in my measurements?

Share

2 Reply by anthony

  • Registered: 2021-08-12
  • Posts: 154

Re: Performance of PQC on wolfssl compared to ECDHE

Hello SunnySunday,

My name is Anthony and I am a member of the wolfSSL team.  I am not surprised by your results.  Have you tried running our bench-marking application?  You'll notice that ML-KEM is actually much faster than ECDHE.  So while the processing time is faster, your transmission might be slower because of the increase in data going over the wire.  As such, they will balance out and you get the results that you are seeing.

Warm regards, Anthony

Share