A Scalable Framework for Post-Quantum Authentication in Public Key Infrastructures
Antonia Tsili, Konstantinos Kordolaimis, Konstantinos Krilakis, Dimitris Syvridis
TL;DR
This work tackles the challenge of secure, scalable authentication in the post-quantum era by designing a hierarchical PKI framework with automated certificate issuance that supports PQC signatures across core CA layers. It implements a three-layer architecture (root CA, intermediate CAs, end-entities) with crypto-agility, enabling seamless switching between classical and PQC algorithms such as SPHINCS$^+$, Falcon, and Dilithium. Through full-network simulations, the authors evaluate signing, verification, and distribution of certificates under various client loads (up to two ICAs), revealing substantial trade-offs: SPHINCS$^+$ incurs high signing costs but benefits from stateless verifications, while other PQC schemes balance key size and performance differently. The results demonstrate the viability of scalable PQC adoption in PKI, with practical implications for QKD domains and IoT, and set the stage for broader automation and deployment in real-world networks.
Abstract
This work explores the performance and scalability of a hierarchical certificate authority framework with automated certificate issuance employing post-quantum cryptographic (PQC) signature algorithms. The system is designed for compatibility with both classical and PQC algorithms, promoting crypto-agility while ensuring robust security against quantum-based threats. The proposed framework design expects minimal cryptographic requirements from potential clients, protects certificates of high importance against cross-dependent chains-of-trust and allows for prompt switching between classical and PQC algorithms. Finally, we evaluate SPHINCS$^+$, Falcon, and Dilithium variants in various configurations of certificate issuance and verification accommodating a large client base, underlining the trade-offs in balancing performance, scalability, and security.
