The level 1 post-quantum Signal Protocols

In this section, we look at the three most suitable level 1 post-quantum Signal Protocols according to our analysis. The resulting three most suitable post- quantum Signal Protocols can be seen in Table6.14.

Level 1 quantum Creating and generating Network load Total

-safe Signal CPU Time (s) Energy* (mJ) Storage (KB) Time (s) Size (KB) Time

L kyper512 + SIDH503 3140461651 2.24 2701 234.5 0.26 336.5 2.5

C bike1_l1 + SIDH503 3886944035 2.78 5809 499.7 0.77 856.3 3.5

I Full SIDH503 5869841645 4.19 167606 43.2 0.09 166.9 4.3

Tab. 6.14.: The resulting best post-quantum Signal Protocol of level 1 and their impact they have in terms of CPU cycles, time (s), energy (mJ), storage space (KB), bandwidth (s) and network utilisation (KB). The total time indicates the total time it takes for both creating and sending the created keys.

These three most suitable post-quantum Signal protocols are created by looking at each scenario individually. For the initial and the X3DH scenario there is only one level 1 option: SIDH503, while for the Double Ratchet scenario there are multiple (as explained in Section5.3.1). For the Double Ratchet scenario we look

at Table6.11 in Section6.3, and see that there is not one single best suitable algorithm. Some algorithms perform better, while others require less storage space or bandwidth.

We therefore decided to choose a most suitable per type cryptography, resulting in one full isogeny based post-quantum Signal Protocol, one isogeny-/code- based post-quantum Signal Protocol and one isogeny-/lattice-based post-quantum Signal Protocol.

For the fully isogeny based post-quantum Signal Protocol we compare the only two level 1 isogeny candidates: SIDH503and SIKE503. We can conclude that SIDH503is the most suitable becauseSIDH503requires less storage space and less CPU cycles thenSIKE503. That is actually a good match, becauseSIDH503 is a perfect plug and play substitute forECDHand could directly replace ECDH (without the minor changes that the KEMs need to make the algorithm work with

them, as was explained in Section5.3.1).

For the most suitable isogeny-/code-based Signal Protocol we compared the different code-based algorithms. The level 1 bike algorithms are the better options for CPU time, bandwidth and network utilisation. Exceptleda1n02and leda1n03, which required less storage space than thebikealgorithms. However, the difference is small andleda1n02andleda1n03needs more time to create the keys, 13 seconds in total. We conclude thatBike1_l1was the most suitable for our analysis. Compared toBike2_l1it needed a bit less time to create the keys but has a equal storage space and bandwidth requirements, whilebike3_l1needs a bit more in all three categories.

For the isogeny-/lattice-based Signal Protocol the most suitable algorithm is harder to find, because there are more lattice-based candidates. Especially becausenewhope512,kyper512andlight_saberare on some fields a close match in the Double Ratchet scenario. Whilenewhope512is the fasted with creating keys,light_saberuses the least energy. In the end, the decisive factor was the total time it would take to both create and send the keys, because the required storage space and energy consumption differ very little. This results inkyper512being the most suitable algorithm for the isogeny-/lattice-based Signal Protocol. The energy consumption of the SIDH keys is estimated(*) and therefore is very high in comparison to the other algorithms, see Section6.3.2for how this number was estimated.

We see a big difference in run time in the three different level 1 post-quantum Signal Protocols. This difference can be explained becauseSIDH503takes double the CPU cycles and time to generate the keys and shared secrets needed for the

Double Ratchet scenario, compared tobike1_l1andkyber512. The difference in required storage space is explained bySIDH503which require less storage space than their lattice and code based competitor. Because bike requests the most bandwidth, we see that the isogeny-/code based version is slow on that front.

We conclude that the initialisation of the quantum-safe Signal Protocols, varying in the post-quantum algorithms used, are feasible for the average user. There is no most suitable combination of post-quantum algorithms. A balance between a low run time and a low network load would be optimal. Especially because the higher storage space requirements of some post-quantum algorithms, although high in comparison to others, are not a problem for the minimal phone. The complete isogeny based post-quantum Signal Protocol was most easy to imple- ment (as explained in Section5.3.1) and therefore, although being the more slow combination, is a good option.

However, because the isogeny-/lattice-based withkyper512is performing fastest, as can be seen in Table 6.14, we could say that that one is the winner for the fastest level 1 post-quantum Signal Protocol. It only needs2.5seconds to both create and send the 150 keys an average user needs during the day.

Again it is important to note that these post-quantum Signal Protocols should be implemented in a hybrid form withECDH, as described in Section4.3. In the next section, we see thatECDHhas a small impact on the performance, storage space and network load of the Signal Protocol. Thereby, we can conclude that a hybrid Signal Protocol, with bothECDH and one of the three mentioned, most suitable, post-quantum Signal Protocols, is feasible.