By: Panos Kampanakis and Peter Panburana and Ellie Daw and ISARA Corporation Security Developer Daniel Van Geest.
Date: originally posted to the IACR Cryptology ePrint Archive Thu Jan 11, 2018
Abstract: If quantum computers were built, they would pose concerns for public key cryptography as we know it. Among other cryptographic techniques, they would jeopardize the use of PKI X.509 certificates (RSA, ECDSA) used today for authentication. To overcome the concern, new quantum secure signature schemes have been proposed in the literature. Most of these schemes have significantly larger public key and signature sizes than the ones used today. Even though post-quantum signatures could work well for some use cases like software signing, there are concerns about the effect their size and processing cost would have on technologies using X.509 certificates. In this work, we investigate the viability of post-quantum signatures in X.509 certificates and protocols that use them (e.g. TLS, IKEv2). We prove that, in spite of common concerns, they could work in today’s protocols and could be a viable solution to the emergence of quantum computing. We also quantify the overhead they introduce in protocol connection establishment and show that even though it is significant, it is not detrimental. Finally, we formalize the areas of further testing necessary to conclusively establish that the signature schemes standardized in NIST’s PQ Project can work with X.509 certs in a post-quantum Internet.
Category / Keywords: public-key cryptography / post-quantum certificates, hybrid certificates, hash-based certificates