Observations on the Performance of PQ KEMs

Abstract

This note discusses two aspects of the performance of Round-2 KEM candidates: (a) the impact of Simultaneous MultiThreading (SMT); (b) the balance between encapsulation and decapsulation. –Software performance can sometimes be improved by parallelization of tasks. In some cases this can be achieved by simultaneous execution on logical CPUs (also known as SMT). Since such a technology opens the door to possible security vulnerabilities, its overall benefit needs careful evaluation. We evaluate the hyper-threaded performance of some of the Round-2 KEM candidates proposed to the NIST Post Quantum Cryptography project.–The common assumption is: that slow decapsulation is performed on a (strong) server side and the weaker client platforms execute the (faster) encapsulation. We argue that this is not necessarily the case in TLS 1.3, which is now suggested as the next generation of secure communication protocols and discuss the implications.