Testing Post-Quantum Cryptography with Docker

Introduction

With the rise of quantum computing, current TLS implementations using Elliptic Curve Cryptography (ECC) face future risks. Post-Quantum Cryptography (PQC) offers resistance against quantum attacks, but introduces operational overhead during deployment. AWS has published a migration plan, and this article explores startup, connectivity, and latency aspects of PQC implementation.

This article references and utilizes the open-source projects oqs-provider and oqs-demos available on GitHub.

System Specifications

MacBook Air M2 arm64

Background Knowledge

Where PQC is Used in TLS

Post-Quantum Cryptography integration in TLS handshake:

TLS Handshake with PQC:

Client → Server: ClientHello ("Can you use PQC algorithms?")
Client ← Server: ServerHello ("Yes, let's use Kyber for key exchange")
Client → Server: PQC Key Exchange (quantum-resistant algorithms)
Client ← Server: Certificate (signed with PQC digital signature)
Client ↔ Server: Secure communication established with quantum-resistant keys

Key PQC Algorithm Categories

• Key Encapsulation Mechanisms (KEM): Kyber, Classic McEliece
• Digital Signatures: Dilithium, Falcon, SPHINCS+
• Hash-based Signatures: XMSS, LMS

Docker Setup

Environment Preparation

# Clone the OQS demo repository
git clone https://github.com/open-quantum-safe/oqs-demos.git
cd oqs-demos

# Build PQC-enabled OpenSSL container
docker build -t oqs-openssl -f openssl/Dockerfile .

Basic PQC Server Configuration

# Start PQC-enabled HTTPS server
docker run -it --rm --name oqs-server \
  -p 4433:4433 \
  oqs-openssl \
  openssl s_server \
  -cert /opt/oqs-provider/certs/server.crt \
  -key /opt/oqs-provider/certs/server.key \
  -port 4433 \
  -groups kyber512 \
  -verify_return_error

Performance Testing

Connection Latency Comparison

# Traditional ECDSA connection test
time openssl s_client -connect server:443 -cipher ECDHE-ECDSA-AES256-GCM-SHA384

# PQC Kyber connection test  
time openssl s_client -connect server:4433 -groups kyber512

Handshake Size Analysis

Comparing message sizes in TLS handshake:

Practical Testing Results

Startup Performance

• Container Boot Time: ~2-3 seconds (similar to standard OpenSSL)
• Key Generation: PQC keys take 50-200ms vs 10-20ms for ECDSA
• Certificate Loading: Larger certificates increase parsing time

Connection Establishment

• Handshake Duration: 150-300ms additional latency
• Bandwidth Usage: 10-20x increase in handshake data
• CPU Overhead: 2-5x computational cost

Runtime Characteristics

# Monitor resource usage during PQC operations
docker stats oqs-server

# Measure handshake performance
curl -w "@curl-format.txt" -o /dev/null -s "https://localhost:4433/"

Migration Considerations

Immediate Challenges

• Certificate Size: PKI infrastructure must handle larger certificates
• Network Protocols: UDP-based protocols face fragmentation issues
• Hardware Constraints: IoT devices need specialized optimization
• Compatibility: Gradual rollout required for interoperability

Performance Optimization Strategies

• Hybrid Approaches: Combine classical and PQC algorithms
• Caching: Reuse expensive PQC computations where possible
• Hardware Acceleration: Specialized chips for PQC operations
• Algorithm Selection: Choose appropriate PQC variant for use case

Real-World Deployment

Docker Compose Example

version: '3.8'
services:
  pqc-web-server:
    build: 
      context: .
      dockerfile: Dockerfile.pqc
    ports:
      - "443:4433"
    environment:
      - PQC_ALGORITHM=kyber512
      - SIGNATURE_ALGORITHM=dilithium2
    volumes:
      - ./certs:/opt/certs
    command: >
      openssl s_server 
      -cert /opt/certs/server-pqc.crt 
      -key /opt/certs/server-pqc.key 
      -port 4433 
      -groups kyber512
      -sigalgs dilithium2

Conclusion

Testing Post-Quantum Cryptography with Docker reveals both the promise and challenges of quantum-resistant security. While PQC algorithms provide necessary protection against future quantum threats, they introduce significant operational overhead in terms of bandwidth, latency, and computational requirements.

Key findings from this exploration:

• PQC implementation is feasible with current technology
• Performance impact is substantial but manageable
• Gradual migration strategies are essential
• Infrastructure adaptations are necessary for large-scale deployment

Organizations should begin testing and planning for PQC migration now, as quantum computing capabilities continue to advance. The transition will require careful balance between security requirements and performance constraints.