Certificate Chain Sizes Under Post-Quantum Signatures
Preliminary numbers on how large a TLS certificate chain becomes under each standardized post-quantum signature, and where it crosses the QUIC amplification limit.
This report estimates the on-the-wire size of a minimal TLS 1.3 certificate chain — leaf plus one intermediate — when the signatures and subject public keys are instantiated with each standardized post-quantum scheme, and compares the result against the budget that matters first: QUIC’s anti-amplification limit.
The budget
Before the client's address is validated, a QUIC server may send at most three times what it has received. With a client Initial of about 1200 bytes, the server's first flight is therefore bounded by 3 × 1200 = 3600 bytes.
The certificate message competes for that 3600-byte envelope with the rest of the server’s flight. The question is which schemes leave room and which force the server to wait for address validation, adding a round trip.
Preliminary sizes
The table gives illustrative per-object sizes; the chain column is two signatures plus two public keys plus fixed overhead.
| Scheme | Public key | Signature | Est. chain |
|---|---|---|---|
| Ed25519 (ref) | 32 B | 64 B | ~0.8 KB |
| ML-DSA-44 | 1312 B | 2420 B | ~7.9 KB |
| Falcon-512 | 897 B | 666 B | ~3.4 KB |
| SLH-DSA-128s | 32 B | 7856 B | ~15.9 KB |
PLACEHOLDER values for structural illustration only — see TODO above.
Preliminary reading
On these illustrative numbers, only the Ed25519 baseline and (marginally) Falcon-512 keep a two-certificate chain inside a single 3600-byte envelope; the remaining lattice-based and hash-based schemes (ML-DSA-44 and SLH-DSA-128s) push the first flight past the amplification limit on their own. That is a hypothesis to be confirmed against measured certificates, not a result — but it sets the target for the Compact PQ Authentication measurements.
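As an added worked example (not part of this report or its measurements), the following script applies the chain formula behind the table and the 3× amplification rule to the placeholder sizes above. The 400-byte fixed chain overhead, the 600-byte estimate for the rest of the server's flight and the 1200-byte client Initial are assumptions; the script also goes beyond the table by counting the CertificateVerify signature, which the chain column does not include.

```python
"""Estimate PQ certificate-chain sizes against the QUIC amplification budget.

Per-object sizes are the report's placeholder table; the overhead, the
rest-of-flight estimate and the client Initial size are assumptions.
"""
from dataclasses import dataclass

QUIC_AMPLIFICATION_FACTOR = 3   # server may send at most 3x bytes received
CLIENT_INITIAL_BYTES = 1200     # ASSUMED: typical minimum client Initial datagram
FIXED_CHAIN_OVERHEAD = 400      # ASSUMED: X.509 fields + TLS framing for two certs
OTHER_FLIGHT_BYTES = 600        # ASSUMED: ServerHello, EncryptedExtensions, Finished


@dataclass(frozen=True)
class Scheme:
    name: str
    public_key: int  # bytes
    signature: int   # bytes


# Placeholder per-object sizes from the report's table.
SCHEMES = [
    Scheme("Ed25519 (ref)", 32, 64),
    Scheme("ML-DSA-44", 1312, 2420),
    Scheme("Falcon-512", 897, 666),
    Scheme("SLH-DSA-128s", 32, 7856),
]


def amplification_budget(client_bytes=CLIENT_INITIAL_BYTES):
    """Bytes the server may send before the client's address is validated."""
    return QUIC_AMPLIFICATION_FACTOR * client_bytes


def chain_size(s, overhead=FIXED_CHAIN_OVERHEAD):
    """Leaf + one intermediate: two signatures, two public keys, fixed overhead."""
    return 2 * s.signature + 2 * s.public_key + overhead


def first_flight_size(s, other=OTHER_FLIGHT_BYTES, with_certificate_verify=True):
    """Whole server first flight; CertificateVerify adds one more leaf-scheme signature."""
    extra = s.signature if with_certificate_verify else 0
    return chain_size(s) + extra + other


def fits_before_validation(s, client_bytes=CLIENT_INITIAL_BYTES, **kw):
    """True if the flight fits the amplification envelope without a Retry round trip."""
    return first_flight_size(s, **kw) <= amplification_budget(client_bytes)


def client_bytes_needed(s, **kw):
    """Smallest client send (e.g. padded Initials) that lets the whole flight through."""
    return -(-first_flight_size(s, **kw) // QUIC_AMPLIFICATION_FACTOR)  # ceiling division


if __name__ == "__main__":
    for s in SCHEMES:
        print(f"{s.name:14} chain={chain_size(s):6d} B  flight={first_flight_size(s):6d} B  "
              f"fits={fits_before_validation(s)}  client_bytes_needed={client_bytes_needed(s)}")
```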