← Back to context

Comment by westurner

1 day ago

From > Problem is PQ signatures are large. If certificate chain is small that could be acceptable, but if the chain is large, then it can be expensive in terms of bandwidth and computation during TLS handshake. That is the exchange sends many certificates which embed a signature and a large (PQ) public key.

> Merkle Tree Certificates ensures that an up to date client only needs 1 signature, 1 public key, 1 merkle tree witness.

> Looking at an MTC generated certificate they've replaced the traditional signing algorithm and signature with a witness.

> That means all a client needs is a signed merkle root which comes from an expanding Merkle Tree signed by the MTCA (Merkle Tree CA), which is delivered somehow out of band.

From "Keeping the Internet fast and secure: introducing Merkle Tree Certificates" (2025-10)

5 comments

westurner

Reply
durumcrustulum  18 hours ago

ML-KEM is a key establishment scheme, not a signature scheme.

  • westurner  15 hours ago

    From Gemini then:

      Algorithm         Role
    Public Key Size   Signature / Ciphertext Size
  ECDSA P-256 (Identity / Signing)
    ~64 bytes      ~64 bytes
  X25519 (Key Exchange)
    32 bytes        32 bytes
  ML-DSA-44 (PQ; Identity / Signing)
    1,312 bytes     2,420 bytes
  ML-KEM-768 (PQ; Key Exchange)
    1,184 bytes     1,088 bytes

    > If you tried to make "ML-KEM Certificates" (using a newer mechanism called AuthKEM where you authenticate by proving you can decrypt a challenge rather than signing), you would replace the ~2.4 KB ML-DSA signature with a ~1 KB ML-KEM ciphertext. This saves about 50% of the bandwidth compared to ML-DSA, but it is still roughly 35x larger than a traditional ECC certificate chain.

    /? AuthKEM:

    kemtls/draft-celi-wiggers-tls-authkem: https://github.com/kemtls/draft-celi-wiggers-tls-authkem

    "KEM-based Authentication for TLS 1.3" https://kemtls.org/draft-celi-wiggers-tls-authkem/draft-celi... :

    > Table 1. Size comparison of public-key cryptography in TLS 1.3 and AuthKEM handshakes.

      Handshake HS auth algorithm HS Auth bytes Certificate chain bytes Sum
  ...
  AuthKEM Kyber-768 2272 6152 (Dilithium-2) 8424
  AuthKEM Kyber-768 2272 2229 (Falcon-512) 4564

    "KEM-based pre-shared-key handshakes for TLS 1.3" > "2.2. Key Encapsulation Mechanisms", "3. Abbreviated AuthKEM with pre-shared public KEM keys": https://kemtls.org/draft-celi-wiggers-tls-authkem/draft-wigg...