A Quantum of QUIC: Dissecting Cryptography with Post-Quantum Insights
Marcel Kempf, Nikolas Gauder, Benedikt Jaeger, Johannes Zirngibl, Georg Carle
TL;DR
This work addresses how cryptography shapes QUIC performance and practicality in the presence of post-quantum algorithms. It employs a reproducible measurement framework across three major QUIC implementations, using NOOP ciphers to isolate cryptographic costs and integrating PQC primitives via liboqs. Key findings show hardware-accelerated AES-GCM offers the best overall performance, header protection incurs minimal cost, and increasing MTU alone does not compensate for encryption overhead. Among PQC options, Kyber and Dilithium emerge as promising for low handshake impact, while SPHINCS+ introduces substantial latency and operational challenges, with LSQUIC exhibiting limitations for large certificates; overall, PQC integration is feasible with minor code changes and careful scheme selection. The results guide practical deployment of quantum-safe QUIC and point to future work on optimizing big-key PQC handshakes and certificate management in real networks.
Abstract
QUIC is a new network protocol standardized in 2021. It was designed to replace the TCP/TLS stack and is based on UDP. The most current web standard HTTP/3 is specifically designed to use QUIC as transport protocol. QUIC claims to provide secure and fast transport with low-latency connection establishment, flow and congestion control, reliable delivery, and stream multiplexing. To achieve the security goals, QUIC enforces the usage of TLS 1.3. It uses authenticated encryption with additional data (AEAD) algorithms to not only protect the payload but also parts of the header. The handshake relies on asymmetric cryptography, which will be broken with the introduction of powerful quantum computers, making the use of post-quantum cryptography inevitable. This paper presents a detailed evaluation of the impact of cryptography on QUIC performance. The high-performance QUIC implementations LSQUIC, quiche, and MsQuic are evaluated under different aspects. We break symmetric cryptography down to the different security features. To be able to isolate the impact of cryptography, we implemented a NOOP AEAD algorithm which leaves plaintext unaltered. We show that QUIC performance increases by 10 to 20% when removing packet protection. The header protection has negligible impact on performance, especially for AES ciphers. We integrate post-quantum cryptographic algorithms into QUIC, demonstrating its feasibility without major changes to the QUIC libraries by using a TLS library that implements post-quantum algorithms. Kyber, Dilithium, and FALCON are promising candidates for post-quantum secure QUIC, as they have a low impact on the handshake duration. Algorithms like SPHINCS+ with larger key sizes or more complex calculations significantly impact the handshake duration and cause additional issues in our measurements.