
Post-Quantum Identity-Based TLS for 5G Service-Based Architecture and Cloud-Native Infrastructure

Vipin Kumar Rathi, Lakshya Chopra, Nikhil Kumar Rajput

TL;DR

This work proposes a certificate-free, post-quantum identity-based TLS (IBE-TLS) framework to replace certificate-based private PKI in private, centrally managed environments such as 5G SBA and Kubernetes. It grounds the approach in lattice-based ID-ML-KEM, deployed via a Threshold Private Key Generator (TPKG) to issue identity-bound private keys, thereby enabling mutual TLS without X.509 certificates or PKI distribution. The authors detail the IBE-PKI lifecycle, TLS handshake modifications, and integration strategies for 5G Core and Kubernetes control planes, including identity namespaces and epoch-based key rotation. The potential benefits include reduced operational overhead, lower control-plane signaling, and compatibility with post-quantum security requirements, with caveats around key escrow, revocation, and standardization hurdles. Overall, the paper presents a coherent, architecture-level pathway for certificate-free authentication in private cloud-native systems facing quantum threats, supported by a detailed design and deployment scenarios for 5G and Kubernetes contexts.

Abstract

Cloud-native application platforms and latency-sensitive systems such as 5G Core networks rely heavily on certificate-based Public Key Infrastructure (PKI) and mutual TLS to secure service-to-service communication. While effective, this model introduces significant operational and performance overhead, which is further amplified in the post-quantum setting due to large certificates and expensive signature verification. In this paper, we present a certificate-free authentication framework for private distributed systems based on post-quantum Identity-Based Encryption (IBE). Our design replaces certificate- and signature-based authentication with identity-derived keys and identity-based key encapsulation, enabling mutually authenticated TLS connections without certificate transmission or validation. We describe an IBE-based replacement for private PKI, including identity lifecycle management, and show how it can be instantiated using a threshold Private Key Generator (T-PKG). We apply this framework to cloud-native application deployments and latency-sensitive 5G Core networks. In particular, we demonstrate how identity-based TLS integrates with the 5G Service-Based Architecture while preserving security semantics and 3GPP requirements, and we show how the same architecture can replace private PKI in Kubernetes, including its control plane, without disrupting existing trust domains or deployment models.

Paper Structure (109 sections, 6 equations, 5 figures, 17 tables, 1 algorithm)

Figures (5)

  • Figure 1: Overview of a TLS 1.3 handshake with identity-based authentication using ID-ML-KEM-768 and X25519. Identity-based encapsulation replaces certificate-based authentication, while the TLS 1.3 key schedule and Finished messages provide key confirmation and implicit authentication.
  • Figure 2: Schematic representation of the TLS 1.3 key schedule. Context strings ensure domain separation, while transcript hashes $\mathsf{th}_1$ and $\mathsf{th}_2$ bind derived secrets to the handshake state.
  • Figure 3: Key lifecycle management with T-PKG
  • Figure 4: Service Resolution and IBE-TLS communication
  • Figure 5: Kubernetes CertificateSigningRequest (CSR) resource specification