Quantum-Safe Public Key Infrastructure: Hybrid Classical-PQC Certificate Chains and Migration Framework for Enterprise TLS

Authors

  • Pavan Navandar, Cybersecurity Lead, USA

DOI:

https://doi.org/10.15662/IJEETR.2024.0604014

Keywords:

Post-Quantum Cryptography, CRYSTALS-Kyber, CRYSTALS-Dilithium, Hybrid PKI, TLS Migration, X.509, NIST FIPS 203/204, Quantum Security, Certificate Transparency, Crypto-Agility

Abstract

The imminent threat of cryptographically relevant quantum computers (CRQCs) to RSA and elliptic curve cryptography — combined with the 'harvest now, decrypt later' attack paradigm — necessitates an urgent enterprise PKI migration to post-quantum cryptographic (PQC) algorithms. This paper presents a comprehensive hybrid PKI framework enabling phased, backward-compatible migration from classical to post-quantum certificate chains. The framework embeds dual signatures (ECDSA + CRYSTALS-Dilithium3) within X.509v3 certificates following the emerging RFC 9480 composite certificate standard. We provide Algorithm 2 (HybridCertIssue) specifying the complete certificate generation and verification protocol, and a migration roadmap structured across five phases from 2021 to 2035+. Experimental evaluation on a 10,000-node enterprise PKI demonstrates: TLS handshake overhead of +4.6 KB, latency increase of +38 ms (LAN p50), and Dilithium3 signing throughput of 800 ops/sec on FIPS 140-3 HSMs. Security proofs establish that the hybrid scheme is secure if either the classical or PQC scheme is unforgeable — requiring an adversary to simultaneously break both ECDSA and Dilithium3. The migration cost model scales O(n log n) for n-node PKI hierarchies. A 30-organization survey quantifies migration readiness: only 41% have completed cryptographic asset inventory, representing the critical first blocker.

Published

2024-07-10

How to Cite

Quantum-Safe Public Key Infrastructure: Hybrid Classical-PQC Certificate Chains and Migration Framework for Enterprise TLS. (2024). International Journal of Engineering & Extended Technologies Research (IJEETR), 6(4), 8153-8160. https://doi.org/10.15662/IJEETR.2024.0604014