KEMTLS Experimentation Via wolfSSL

A new, exciting paper has been released by Ruben Gonzalez from Neodyme AG and Thom Wiggers from Radboud University. They compare post-quantum algorithms in TLS 1.3 and KEMTLS.  KEMTLS is a newly proposed modification to the TLS 1.3 protocol that would eliminate the need for signing operations during a handshake protocol.  Note that a long term KEM public key would be embedded into a leaf certificate so the certificate chain would still need to be verified with a signature scheme.  The team did the work of modifying wolfSSL to support KEMTLS in their own fork of wolfSSL. Their paper can be found at .

The paper concludes that KEMTLS would allow for lower memory consumption.  However, there was no clear winner with regards to handshake times.  In some situations, post-quantum TLS 1.3 was faster, while in other cases KEMTLS did better.  If you are curious about it, please do download the paper.

We would like to thank the authors for the following words:

"WolfSSL is designed to be memory efficient and fast on embedded systems. On top, it already supports TLS 1.3 and has a clean implementation of TLS’s state machine. ...WolfSSL’s crypto provider, called WolfCrypt, has a clean API that can be extended easily."

Here at wolfSSL, we appreciate it when our code quality is noticed.

Are you curious about any other protocols? Our wolfSSL library also supports DTLS 1.2 and recently support for DTLS 1.3 was added.  We support SSH, MQTT and SCEP via our wolfSSH, wolfMQTT and wolfSCEP products. If you are curious, don't be shy! The full source code for all of these products are available for download under open source licenses at You can also reach out to us for more details at