← Week 2: ML-KEM and ML-DSA

Day 14: Challenge — PQC Key Operations Benchmark

Phase 3 · July 21, 2026 · Week 2 Review

← Week 2: ML-KEM and ML-DSA

Agenda (2–3 hours)

  • Review (20 min): Week 2 concepts from memory
  • Build (90 min): Comprehensive benchmark binary
  • Analyze (50 min): Write the performance section of your migration roadmap
← Week 2: ML-KEM and ML-DSA

Week 2 Concepts Check

Answer from memory:

  1. What is the FO transform and what security property does it add to a PKE scheme to make a KEM?
  2. What is implicit rejection and why is it timing-safe?
  3. In ML-KEM, why is the shared secret H(message, pk_hash) rather than just the decrypted message?
  4. What is the "abort" in ML-DSA signing and what does it prevent?
  5. Why is ML-DSA verification nearly as fast as ECDSA, even though signatures are 50× larger?
  6. For a CA that signs certificates: what is the throughput impact of switching to ML-DSA-65?
← Week 2: ML-KEM and ML-DSA

Challenge Assignment: Comprehensive Benchmark Binary

Create pqc-demo/src/bench.rs that produces output like:

=== Key Generation ===
X25519:         0.8 µs
ML-KEM-768:    18.2 µs   (22.8× slower)
ECDSA P-256:    9.1 µs
ML-DSA-65:     45.3 µs   ( 4.9× slower)

=== Key Exchange / Encapsulation ===
X25519:         0.9 µs   (both sides)
ML-KEM-768:    26.5 µs   (Encaps + Decaps, 29.4× slower)

=== Sign ===
ECDSA P-256:   43.2 µs
ML-DSA-65:    312.4 µs   ( 7.2× slower)

=== Verify ===
ECDSA P-256:  130.1 µs
ML-DSA-65:    198.6 µs   ( 1.5× slower)   ← nearly the same

=== Key and Signature Sizes ===
X25519 pubkey:         32 bytes
ML-KEM-768 pubkey:   1184 bytes  (37.0× larger)
ECDSA P-256 sig:       64 bytes
ML-DSA-65 sig:       3293 bytes  (51.5× larger)
← Week 2: ML-KEM and ML-DSA

Analysis Questions

After running the benchmark, answer these for your migration roadmap:

TLS handshake impact:

  • A TLS handshake verifies 2-3 certificates. What is the additional latency from switching to ML-DSA cert signatures, given your verify benchmark?
  • Is this latency difference user-perceptible?

CA throughput:

  • Your team's CA issues certificates for provisioning. How many certs/second can it issue with ML-DSA-65 vs ECDSA P-256?
  • What is the bottleneck more likely to be in practice — signing speed or network I/O?

Key exchange overhead:

  • If your provisioning service handles 1000 new TLS connections/second, what is the additional CPU time for ML-KEM-768 vs X25519 key exchange?

Add these findings to the "Performance Impact" section of pqc-migration-roadmap.md.

← Week 2: ML-KEM and ML-DSA

Resources

  • std::time::Instant for benchmarking
  • criterion crate for statistical benchmarks (optional but better)
  • aws-lc-rs: kem, signature, agreement modules