Shaping a Quantum-Resistant Future: Strategies for Post-Quantum PKI
Grazia D'Onghia, Diana Gratiela Berbecaru, Antonio Lioy
TL;DR
The paper analyzes the imminent need to quantum-proof PKI by examining the threat to classical public-key cryptography and outlining a practical transition path for X.509 certificates, CRLs, and OCSP. It surveys PQC categories and current NIST standardization status, then proposes a phased PKI migration comprising hybrid, parallel, composite, and pure PQ certificates, along with corresponding CRL/OCSP adaptations. Key contributions include explicit design requirements, a multi-stage roadmap, and synthesis of implementation experiences and challenges (notably certificate size and compatibility). The work aims to accelerate real-world PQI deployment by providing concrete transition strategies, design considerations, and directions for future measurement and standardization efforts.
Abstract
As the quantum computing era approaches, securing classical cryptographic protocols becomes imperative. Public key cryptography is widely used for signature and key exchange but it is the type of cryptography more threatened by quantum computing. Its application typically requires support via a public-key certificate, which is a signed data structure and must therefore face twice the quantum challenge: for the certified keys and for the signature itself. We present the latest developments in selecting robust Post-Quantum algorithms and investigate their applicability in the Public Key Infrastructure context. Our contribution entails defining requirements for a secure transition to a quantum-resistant Public Key Infrastructure, with a focus on adaptations for the X.509 certificate format. Additionally, we explore transitioning Certificate Revocation List and Online Certificate Status Protocol to support quantum-resistant algorithms. Through comparative analysis, we elucidate the complex transition to a quantum-resistant PKI.
