Key sizes of post quantum cryptography keys with OpenSSL 3.5

2025-08-25 2025-08-25   812 words   ~4 mins
#PQC #OpenSSL #KEM

Table of Contents

OpenSSL and specs

Since version 3.5, OpenSSL natively supports PQC keys and signatures. There is no need to use OQS-Provider as an provider to use PQC signatures and KEMs.

However, as we already expected, the sizes of PQC KEMs should be larger than Ante Quantum Cryptography (AQC) keys. To get a benchmark of the sizes, I wrote a small shellskript to generate different key pairs with OpenSSL 3.5 and order them by size.

Turns out that ML-DSA-87 is even larger than a RSA8096 key and ML-KEM-1024 is still larger than a RSA4096.

There have been papers that benchmark the runtime and energy consumption of ECC and PQC , but on my benchmark machine (Thinkpad X201 Core i5-540M, 2x2,53 GHz, Arch Linux, OpenSSL 3.5.2) the runtime can be neglected. The skript runs for ca. 30 seconds to create 38 key pairs.

Key size by type

Algorithm Size in bytes
Key-dh_1024_160.pem 481
Key-dh_1024_160.pub 625
Key-dh_2048_224.pem 843
Key-dh_2048_224.pub 1149
Key-dh_2048_256.pem 839
Key-dh_2048_256.pub 1149
Key-DSA-2048.pem 879
Key-DSA-2048.pub 1190
Key-DSA-4096.pem 1574
Key-DSA-4096.pub 2230
Key-Ed25519.pem 119
Key-Ed25519.pub 113
Key-Ed448.pem 156
Key-Ed448.pub 146
Key-ffdhe2048.pem 493
Key-ffdhe2048.pub 800
Key-ffdhe3072.pem 676
Key-ffdhe3072.pub 1149
Key-ffdhe4096.pem 855
Key-ffdhe4096.pub 1495
Key-ffdhe6144.pem 1212
Key-ffdhe6144.pub 2189
Key-ffdhe8192.pem 1562
Key-ffdhe8192.pub 2884
Key-ML-DSA-44.pem 3613
Key-ML-DSA-44.pub 1860
Key-ML-DSA-65.pem 5604
Key-ML-DSA-65.pub 2726
Key-ML-DSA-87.pem 6774
Key-ML-DSA-87.pub 3595
Key-ML-KEM-1024.pem 4479
Key-ML-KEM-1024.pub 2206
Key-ML-KEM-512.pem 2399
Key-ML-KEM-512.pub 1166
Key-ML-KEM-768.pem 3439
Key-ML-KEM-768.pub 1686
Key-modp_1536.pem 396
Key-modp_1536.pub 621
Key-modp_2048.pem 493
Key-modp_2048.pub 804
Key-modp_3072.pem 676
Key-modp_3072.pub 1149
Key-modp_4096.pem 855
Key-modp_4096.pub 1495
Key-modp_6144.pem 1212
Key-modp_6144.pub 2189
Key-modp_8192.pem 1562
Key-modp_8192.pub 2880
Key-RSA-1024.pem 916
Key-RSA-1024.pub 272
Key-RSA-2048.pem 1704
Key-RSA-2048.pub 451
Key-RSA-4096.pem 3272
Key-RSA-4096.pub 800
Key-RSA-768.pem 721
Key-RSA-768.pub 223
Key-RSA-8192.pem 6392
Key-RSA-8192.pub 1491
Key-RSA-PSS.pem 1704
Key-RSA-PSS.pub 451
Key-SLH-DSA-SHA2-128s.pem 168
Key-SLH-DSA-SHA2-128s.pub 122
Key-SLH-DSA-SHA2-192s.pem 213
Key-SLH-DSA-SHA2-192s.pub 142
Key-SLH-DSA-SHA2-256s.pem 258
Key-SLH-DSA-SHA2-256s.pub 166
Key-SLH-DSA-SHAKE-128s.pem 168
Key-SLH-DSA-SHAKE-128s.pub 122
Key-SLH-DSA-SHAKE-192s.pem 213
Key-SLH-DSA-SHAKE-192s.pub 142
Key-SLH-DSA-SHAKE-256s.pem 258
Key-SLH-DSA-SHAKE-256s.pub 166
Key-X25519.pem 119
Key-X25519.pub 113
Key-X448.pem 152
Key-X448.pub 146

Key size order by size desc

Algorithm Size in bytes
Key-ML-DSA-87.pem 6774
Key-RSA-8192.pem 6392
Key-ML-DSA-65.pem 5604
Key-ML-KEM-1024.pem 4479
Key-ML-DSA-44.pem 3613
Key-ML-DSA-87.pub 3595
Key-ML-KEM-768.pem 3439
Key-RSA-4096.pem 3272
Key-ffdhe8192.pub 2884
Key-modp_8192.pub 2880
Key-ML-DSA-65.pub 2726
Key-ML-KEM-512.pem 2399
Key-DSA-4096.pub 2230
Key-ML-KEM-1024.pub 2206
Key-modp_6144.pub 2189
Key-ffdhe6144.pub 2189
Key-ML-DSA-44.pub 1860
Key-RSA-PSS.pem 1704
Key-RSA-2048.pem 1704
Key-ML-KEM-768.pub 1686
Key-DSA-4096.pem 1574
Key-modp_8192.pem 1562
Key-ffdhe8192.pem 1562
Key-modp_4096.pub 1495
Key-ffdhe4096.pub 1495
Key-RSA-8192.pub 1491
Key-modp_6144.pem 1212
Key-ffdhe6144.pem 1212
Key-DSA-2048.pub 1190
Key-ML-KEM-512.pub 1166
Key-modp_3072.pub 1149
Key-ffdhe3072.pub 1149
Key-dh_2048_256.pub 1149
Key-dh_2048_224.pub 1149
Key-RSA-1024.pem 916
Key-DSA-2048.pem 879
Key-modp_4096.pem 855
Key-ffdhe4096.pem 855
Key-dh_2048_224.pem 843
Key-dh_2048_256.pem 839
Key-modp_2048.pub 804
Key-RSA-4096.pub 800
Key-ffdhe2048.pub 800
Key-RSA-768.pem 721
Key-modp_3072.pem 676
Key-ffdhe3072.pem 676
Key-dh_1024_160.pub 625
Key-modp_1536.pub 621
Key-modp_2048.pem 493
Key-ffdhe2048.pem 493
Key-dh_1024_160.pem 481
Key-RSA-PSS.pub 451
Key-RSA-2048.pub 451
Key-modp_1536.pem 396
Key-RSA-1024.pub 272
Key-SLH-DSA-SHAKE-256s.pem 258
Key-SLH-DSA-SHA2-256s.pem 258
Key-RSA-768.pub 223
Key-SLH-DSA-SHAKE-192s.pem 213
Key-SLH-DSA-SHA2-192s.pem 213
Key-SLH-DSA-SHAKE-128s.pem 168
Key-SLH-DSA-SHA2-128s.pem 168
Key-SLH-DSA-SHAKE-256s.pub 166
Key-SLH-DSA-SHA2-256s.pub 166
Key-Ed448.pem 156
Key-X448.pem 152
Key-X448.pub 146
Key-Ed448.pub 146
Key-SLH-DSA-SHAKE-192s.pub 142
Key-SLH-DSA-SHA2-192s.pub 142
Key-SLH-DSA-SHAKE-128s.pub 122
Key-SLH-DSA-SHA2-128s.pub 122
Key-X25519.pem 119
Key-Ed25519.pem 119
Key-X25519.pub 113
Key-Ed25519.pub 113

Key size of full KEYPAIR order by size desc

Algorithm Size in bytes
10369 Key-ML-DSA-87
8330 Key-ML-DSA-65
7883 Key-RSA-8192
6685 Key-ML-KEM-1024
5473 Key-ML-DSA-44
5125 Key-ML-KEM-768
4446 Key-modp_8192
4442 Key-ffdhe8192
4072 Key-RSA-4096
3804 Key-DSA-4096
3565 Key-ML-KEM-512
3401 Key-modp_6144
3401 Key-ffdhe6144
2350 Key-modp_4096
2350 Key-ffdhe4096
2155 Key-RSA-PSS
2155 Key-RSA-2048
2069 Key-DSA-2048
1992 Key-dh_2048_224
1988 Key-dh_2048_256
1825 Key-modp_3072
1825 Key-ffdhe3072
1297 Key-modp_2048
1293 Key-ffdhe2048
1188 Key-RSA-1024
1106 Key-dh_1024_160
1017 Key-modp_1536
940 Key-RSA-768
424 Key-SLH-DSA-SHAKE-256s
424 Key-SLH-DSA-SHA2-256s
355 Key-SLH-DSA-SHAKE-192s
355 Key-SLH-DSA-SHA2-192s
302 Key-Ed448
298 Key-X448
290 Key-SLH-DSA-SHAKE-128s
290 Key-SLH-DSA-SHA2-128s
232 Key-X25519
232 Key-Ed25519

The skript

rm Key-*
clear 

### RSA
for i in 768 1024 2048 4096 8192
do
openssl genrsa -out Key-RSA-$i.pem   $i
openssl rsa -in Key-RSA-$i.pem -pubout -out  Key-RSA-$i.pub 
done 

### DAS
openssl dsaparam -out dsaparam.pem 2048 ; openssl gendsa -out Key-DSA-2048.pem dsaparam.pem ; openssl dsa -in Key-DSA-2048.pem -outform PEM -pubout -out Key-DSA-2048.pub
openssl dsaparam -out dsaparam.pem 4096 ; openssl gendsa -out Key-DSA-4096.pem dsaparam.pem ; openssl dsa -in Key-DSA-4096.pem -outform PEM -pubout -out Key-DSA-4096.pub


### DH/DHX
for i in ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 modp_1536 modp_2048 modp_3072 modp_4096 modp_6144 modp_8192 dh_1024_160 dh_2048_224 dh_2048_256
do
	openssl genpkey -algorithm DH -out  Key-$i.pem -outpubkey   Key-$i.pub  -pkeyopt group:$i
done


for i in RSA-PSS Ed25519 X448 X25519 Ed448 ML-DSA-44 ML-DSA-65 ML-DSA-87  ML-KEM-512  ML-KEM-768 ML-KEM-1024  SLH-DSA-SHA2-128s  SLH-DSA-SHA2-192s SLH-DSA-SHA2-256s SLH-DSA-SHAKE-128s  SLH-DSA-SHAKE-192s  SLH-DSA-SHAKE-256s 
do
openssl genpkey -algorithm $i -out Key-$i.pem -outpubkey  Key-$i.pub
done

printf "\n\n"

openssl version 

printf "\n\n"
echo "`ls -1 Key-*pem  | wc -l` Keypairs generated "

printf "\n\n"
figlet -f small "sort by keytype" | sed 's/^/#   /'
printf "\n\n"

du -b Key-* | awk '{print $2" ; "$1}'

printf "\n\n"
figlet -f small "sort by size desc" | sed 's/^/#   /'
printf "\n\n"

du -b Key-* | sort -rn | awk '{print $2" ; "$1}'
printf "\n\n"
	
figlet -t -f small "sort KEYPAIRS by size desc" | sed 's/^/#   /'
for i in Key-*.pem; do du -cb `basename $i .pem`* ; done | grep -v pub | sed -z 's/\n/,/g '| sed -z 's/insgesamt,/\n/g'| awk '{print $2}'| awk -F"," '{print $2" ; " $1}' | sort -rn | sed  's/.pem//'

Downloads

← prev