Author: Denis Avetisyan
A new framework, pqRPKI, addresses the looming threat of quantum computers by fortifying the Resource Public Key Infrastructure against cryptographic attacks.

This paper details pqRPKI, a practical post-quantum RPKI architecture that minimizes repository size and speeds up validation using a Merkle Tree Ladder and a streamlined Manifest.
The security of Internet routing relies on the Resource Public Key Infrastructure (RPKI), yet its current RSA foundations are vulnerable to emerging quantum computing threats. This paper introduces ‘pqRPKI: A Practical RPKI Architecture for the Post-Quantum Era’, a framework designed to mitigate this risk by relocating verification material into the RPKI Manifest and leveraging a multi-layer Merkle Tree Ladder to dramatically reduce repository size and validation times. Through a working implementation, pqRPKI achieves significant reductions in both footprint and validation latency – down to 546.8 MB and 102.7 seconds for full-cycle validation – while preserving compatibility with existing infrastructure. Will this approach enable a smooth and efficient transition to a post-quantum Internet routing system without sacrificing performance or scalability?
Securing the Foundation: Understanding the Looming Threat
The foundation of a stable and secure internet relies heavily on the proper exchange of routing information between networks – a process critically safeguarded by the Resource Public Key Infrastructure (RPKI). This system acts as a digital notary, verifying which organization legitimately “owns” specific blocks of IP addresses and is authorized to announce them across the internet. Without RPKI, malicious actors could falsely claim ownership of these address blocks, diverting network traffic – a practice known as route hijacking – to intercept data, launch denial-of-service attacks, or simply disrupt connectivity. By cryptographically validating routing announcements, RPKI ensures that traffic follows the intended path, protecting the integrity of the global internet and bolstering its resilience against increasingly sophisticated cyber threats. Essentially, it’s a crucial layer of trust built into the very fabric of internet communication, preventing widespread disruptions and maintaining the reliability of online services.
The foundation of internet routing security, the Resource Public Key Infrastructure (RPKI), currently depends on RSA-2048 signatures to validate network route announcements. While presently secure, this cryptographic standard faces a growing threat from the rapid advancement of quantum computing. Quantum algorithms, specifically Shor’s algorithm, possess the theoretical capability to efficiently break RSA-2048, potentially allowing malicious actors to forge routing information and redirect internet traffic. This isn’t an immediate concern, but the lengthy process of updating the globally distributed RPKI infrastructure – involving certificate authorities, internet service providers, and network operators – necessitates a proactive and timely transition to quantum-resistant cryptographic algorithms to prevent future disruptions and maintain the stability of the global internet.
The escalating development of quantum computing presents a fundamental challenge to the security of the internet’s core infrastructure, specifically the global routing system. Current cryptographic algorithms, such as those underpinning the Resource Public Key Infrastructure (RPKI), are anticipated to become vulnerable to attacks from sufficiently powerful quantum computers. This isn’t a distant threat; the potential for ‘store now, decrypt later’ attacks necessitates immediate action. A proactive transition to post-quantum cryptography – algorithms resistant to both classical and quantum computing – is therefore crucial. Failure to adopt these new standards could result in widespread route hijacking, network instability, and a significant erosion of trust in the internet’s ability to reliably deliver data. This transition requires coordinated effort across network operators, equipment manufacturers, and standards bodies to ensure a secure and resilient future for global communications.

Building Resilience: Designing a Post-Quantum RPKI Foundation
A post-quantum Resource Public Key Infrastructure (pqRPKI) is being developed to mitigate the threat posed by future quantum computing attacks on the existing RPKI. Current RPKI relies on algorithms like RSA and ECDSA, which are vulnerable to Shor’s algorithm when executed on a sufficiently powerful quantum computer. pqRPKI utilizes post-quantum cryptographic algorithms, specifically focusing on lattice-based schemes like Falcon, ML-DSA, and Dilithium, as these are believed to be resistant to both classical and quantum attacks. These algorithms offer comparable security levels to current standards while relying on mathematical problems that are not efficiently solvable by known quantum algorithms. The National Institute of Standards and Technology (NIST) is currently standardizing these and other post-quantum algorithms to facilitate widespread adoption and interoperability.
Merkle Tree Ladders (MTL) are implemented within pqRPKI to address the increased signature sizes associated with post-quantum cryptographic algorithms. Traditional RPKI relies on individual digital signatures for each Resource Certificate and Route Origin Authorization. pqRPKI, utilizing algorithms like Falcon, Dilithium, and ML-DSA, produces significantly larger signatures. MTL allows for the aggregation of multiple signatures into a single, compact signature path, reducing the overall data volume propagated throughout the BGP system. This aggregation is achieved by constructing a Merkle tree where leaf nodes represent the signatures of individual objects. A signature path, representing a sequence of hashes up the tree to the root, then verifies the authenticity of a set of objects. This minimizes the number of signatures that need to be validated by relying parties, improving scalability and reducing computational overhead compared to validating each signature individually.
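To make the aggregation idea concrete, here is an added illustration (not code from the paper or the pqRPKI implementation) of a ladder built as a list of perfect-subtree roots over the hashes of signed objects. The CA signs only the rungs; each object ships with a short authentication path to the rung that covers it, and appending new objects leaves existing rungs, and therefore existing paths, intact. The rung layout is a simplified decomposition chosen for this example, not the exact MTL mode specification, and the sample object strings are constructed placeholders rather than real RPKI data.

```python
import hashlib


def h_leaf(data: bytes) -> bytes:
    """Hash of one signed object; the 0x00 prefix separates leaves from inner nodes."""
    return hashlib.sha256(b"\x00" + data).digest()


def h_node(left: bytes, right: bytes) -> bytes:
    """Hash of an inner node; the 0x01 prefix prevents leaf/node confusion attacks."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def ladder_ranges(n):
    """Split leaf indices [0, n) into maximal perfect subtrees, largest first.
    Each range becomes one rung of the ladder, e.g. n = 5 -> [(0, 4), (4, 5)]."""
    ranges, start = [], 0
    size = 1 << (n.bit_length() - 1) if n else 0
    while size:
        if start + size <= n:
            ranges.append((start, start + size))
            start += size
        size >>= 1
    return ranges


def _perfect_root(level):
    # level has a power-of-two length; hash pairs upward until one root remains.
    while len(level) > 1:
        level = [h_node(level[k], level[k + 1]) for k in range(0, len(level), 2)]
    return level[0]


def ladder(leaf_hashes):
    """The rungs: one perfect-subtree root per range. Only these are signed."""
    return [_perfect_root(list(leaf_hashes[a:b])) for a, b in ladder_ranges(len(leaf_hashes))]


def ladder_digest(rungs):
    """Single value the CA would sign with the post-quantum scheme, covering every object."""
    return hashlib.sha256(b"".join(rungs)).digest()


def prove(leaf_hashes, i):
    """Authentication path for leaf i against the rung covering it.
    Returns (rung_index, position_within_rung, sibling_hashes)."""
    for rung_idx, (a, b) in enumerate(ladder_ranges(len(leaf_hashes))):
        if a <= i < b:
            break
    else:
        raise IndexError(i)
    level, j, path = list(leaf_hashes[a:b]), i - a, []
    while len(level) > 1:
        path.append(level[j ^ 1])  # the sibling at this level
        level = [h_node(level[k], level[k + 1]) for k in range(0, len(level), 2)]
        j >>= 1
    return rung_idx, i - a, path


def verify(rung, leaf_hash, j, path):
    """Recompute the rung from the leaf and its path; position j fixes left/right order."""
    node = leaf_hash
    for sib in path:
        node = h_node(node, sib) if j % 2 == 0 else h_node(sib, node)
        j >>= 1
    return node == rung


# Constructed sample objects standing in for ROAs (documentation ASNs and prefixes).
OBJECTS = [f"ROA AS{64496 + i} 192.0.2.{i}/32".encode() for i in range(5)]


def demo():
    hashes4 = [h_leaf(o) for o in OBJECTS[:4]]
    hashes5 = [h_leaf(o) for o in OBJECTS]
    rungs4, rungs5 = ladder(hashes4), ladder(hashes5)
    # Proof issued when only four objects existed.
    r, j, path = prove(hashes4, 2)
    ok_old = verify(rungs4[r], hashes4[2], j, path)
    # Appending a fifth object adds a rung but leaves rung 0 unchanged, so the old proof still holds.
    ok_new = verify(rungs5[r], hashes5[2], j, path)
    # A substituted object fails against the same rung and path.
    tampered = verify(rungs5[r], h_leaf(b"ROA AS64496 198.51.100.0/24"), j, path)
    return len(rungs4), len(rungs5), ok_old, ok_new, tampered


if __name__ == "__main__":
    print(demo())  # (1, 2, True, True, False)
```

A relying party holding the signed ladder digest needs one post-quantum signature verification for the whole set, then only cheap hash recomputations per object; that is the amortization the paragraph describes.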
The design of a post-quantum RPKI (pqRPKI) prioritizes compatibility with the currently deployed Resource Public Key Infrastructure. Rather than necessitating a complete replacement of existing systems, the pqRPKI architecture is intended to function as an extension, allowing network operators to incrementally adopt post-quantum cryptographic algorithms. This is achieved by maintaining the core RPKI data structures and operational procedures while introducing new signature schemes and key formats. The phased implementation minimizes disruption to existing routing infrastructure and allows operators to transition at their own pace, reducing both financial burden and operational complexity. Existing tools and software can be adapted to support pqRPKI objects with minimal modifications, further streamlining the adoption process.
Refining Efficiency: Optimizing RPKI Repository Performance
Maintaining a manageable Resource Public Key Infrastructure (RPKI) repository is critical for efficient routing security operations. Traditional RPKI repositories can become quite large, impacting synchronization and validation times. Techniques like the incrementally-RPKI (iRPKI) framework reduce size by transmitting only changes to the RPKI data, rather than the entire dataset. The Null Scheme further optimizes repository size by allowing the exclusion of certain valid, but less critical, RPKI objects. These methods collectively minimize storage requirements, decrease bandwidth consumption during updates, and improve the overall performance of RPKI infrastructure.
The RPKI Repository Delta Protocol (RRDP) is designed to optimize the synchronization of Resource Public Key Infrastructure (RPKI) repository data between different instances. Rather than requiring full repository downloads, RRDP facilitates the transfer of only the incremental changes, or “deltas,” since the last synchronization. This approach substantially minimizes bandwidth consumption, particularly for geographically distributed instances or those with limited network capacity. By reducing the volume of data transmitted, RRDP also directly lowers latency associated with repository updates, ensuring that validators receive timely information about route origin authorizations and route validation data. This is critical for maintaining the security and stability of the global routing system.
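The incremental idea behind both iRPKI and RRDP, sketched as an added in-memory model (not the protocol implementation or the paper's code): a publisher keeps a serial number and a log of deltas, and a relying party applies a delta only when it is the next serial and every replaced or withdrawn object matches the hash it already holds; otherwise it keeps its state and falls back to a full snapshot. The class names, URIs and payload bytes are constructed for this example; the hash-on-replace and hash-on-withdraw checks mirror the integrity guards RRDP places on publish and withdraw elements.

```python
import hashlib
from dataclasses import dataclass, field


def obj_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Delta:
    serial: int
    # uri -> (hash of the object being replaced, or None for a brand-new object, new bytes)
    publish: dict = field(default_factory=dict)
    # uri -> hash of the object being removed
    withdraw: dict = field(default_factory=dict)

    def size(self) -> int:
        """Payload bytes a client downloads for this delta."""
        return sum(len(data) for _, data in self.publish.values())


class Publisher:
    """Repository side: current object set plus a log of deltas keyed by serial."""

    def __init__(self):
        self.serial = 0
        self.objects = {}
        self.deltas = {}

    def commit(self, changes):
        """changes: list of ("publish", uri, bytes) or ("withdraw", uri)."""
        delta = Delta(serial=self.serial + 1)
        for change in changes:
            if change[0] == "publish":
                _, uri, data = change
                old = self.objects.get(uri)
                delta.publish[uri] = (obj_hash(old) if old is not None else None, data)
                self.objects[uri] = data
            else:
                _, uri = change
                delta.withdraw[uri] = obj_hash(self.objects.pop(uri))
        self.serial = delta.serial
        self.deltas[delta.serial] = delta
        return delta

    def snapshot(self):
        return self.serial, dict(self.objects)

    def snapshot_size(self) -> int:
        return sum(len(d) for d in self.objects.values())


class RelyingParty:
    def __init__(self):
        self.serial = 0
        self.objects = {}

    def load_snapshot(self, serial, objects):
        self.serial, self.objects = serial, dict(objects)

    def apply(self, delta) -> bool:
        """Apply only if this is the next serial and every hash matches what we hold;
        on any mismatch leave state untouched so a snapshot re-sync can follow."""
        if delta.serial != self.serial + 1:
            return False
        for uri, (old_hash, _) in delta.publish.items():
            have = self.objects.get(uri)
            if (old_hash is None) != (have is None) or (have is not None and obj_hash(have) != old_hash):
                return False
        for uri, expected in delta.withdraw.items():
            have = self.objects.get(uri)
            if have is None or obj_hash(have) != expected:
                return False
        for uri, (_, data) in delta.publish.items():
            self.objects[uri] = data
        for uri in delta.withdraw:
            del self.objects[uri]
        self.serial = delta.serial
        return True


def state_hash(objects) -> str:
    """Order-independent digest of a whole object set, for comparing two sides."""
    h = hashlib.sha256()
    for uri in sorted(objects):
        h.update(uri.encode() + b"\0" + objects[uri] + b"\0")
    return h.hexdigest()


def demo():
    pub = Publisher()
    # Constructed payloads standing in for DER-encoded ROAs.
    pub.commit([("publish", "rsync://ca.example/repo/a.roa", b"roa-a-v1" * 64),
                ("publish", "rsync://ca.example/repo/b.roa", b"roa-b-v1" * 64),
                ("publish", "rsync://ca.example/repo/c.roa", b"roa-c-v1" * 64)])
    rp = RelyingParty()
    rp.load_snapshot(*pub.snapshot())  # initial full sync at serial 1

    d2 = pub.commit([("publish", "rsync://ca.example/repo/a.roa", b"roa-a-v2" * 64),  # replace
                     ("publish", "rsync://ca.example/repo/d.roa", b"roa-d-v1" * 64),  # add
                     ("withdraw", "rsync://ca.example/repo/c.roa")])                   # remove
    snap2_size = pub.snapshot_size()
    applied = rp.apply(d2)
    in_sync = state_hash(rp.objects) == state_hash(pub.objects)

    # A forged withdraw carrying the wrong hash is refused and changes nothing.
    forged = Delta(serial=3, withdraw={"rsync://ca.example/repo/b.roa": "00" * 32})
    rejected = not rp.apply(forged) and rp.serial == 2

    # A delta that skips a serial is refused too; the RP must re-fetch the snapshot.
    pub.commit([("withdraw", "rsync://ca.example/repo/d.roa")])
    d4 = pub.commit([("publish", "rsync://ca.example/repo/e.roa", b"roa-e-v1" * 64)])
    gap = not rp.apply(d4)
    return applied, in_sync, rejected, gap, d2.size(), snap2_size


if __name__ == "__main__":
    print(demo())  # (True, True, True, True, 1024, 1536)
```

The last two values show the bandwidth point: the delta carried 1024 payload bytes where a fresh snapshot at the same serial would have carried 1536, and that gap widens as the repository grows while the per-update change stays small.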
The pqRPKI framework demonstrably reduces the size and improves the performance of the RPKI repository. In a post-quantum cryptography (PQC)-only configuration, pqRPKI achieves an average repository size of 546.8 MB, representing a 35.9% reduction compared to existing implementations. Validation of the full repository is completed in under 2 minutes, a 51.8% improvement over current RSA-based RPKI. Furthermore, pqRPKI improves synchronization time by 47.9%, resulting in a repository that is 3.4% smaller than the current RSA-based standard, while also offering substantial gains in operational efficiency.
The integration of optimization techniques – including iRPKI, the Null Scheme, and the RPKI Repository Delta Protocol – with the pqRPKI framework is designed to mitigate performance impacts associated with the transition to post-quantum cryptography. Current evaluations indicate that pqRPKI, when implemented alongside these optimizations, achieves a 35.9% reduction in average repository size (down to 546.8 MB) in a post-quantum only configuration. Furthermore, full repository validation is completed in under 2 minutes, representing a 51.8% improvement over existing RSA-based RPKI. Synchronization times also benefit, with a 47.9% reduction achieved. These results demonstrate that the post-quantum transition can be managed without introducing substantial performance degradation, maintaining the scalability and efficiency of the RPKI infrastructure.

Facilitating Adoption: Flexible Deployment for Broad Impact
The pqRPKI architecture is designed to accommodate diverse network infrastructures through compatibility with both Hosted RPKI and Delegated RPKI deployment models. This deliberate flexibility allows network operators to integrate post-quantum cryptography into their Resource Public Key Infrastructure (RPKI) environments without requiring disruptive, large-scale overhauls. Hosted RPKI enables operators to leverage externally managed cryptographic services, simplifying implementation and reducing operational burdens, while Delegated RPKI empowers those preferring greater control to manage cryptographic functions in-house. This dual-path approach significantly lowers the barrier to adoption, allowing a broader range of networks – from large internet service providers to smaller regional networks – to proactively enhance the security of internet routing against the potential threats posed by future quantum computing capabilities.
The inherent adaptability of pqRPKI – supporting both hosted and delegated deployment models – is projected to significantly accelerate the integration of post-quantum cryptography into the Resource Public Key Infrastructure. This flexibility lowers the barriers to entry for network operators, allowing them to implement these crucial security enhancements at a pace dictated by their individual infrastructure and resource availability. Rather than requiring a disruptive, one-size-fits-all overhaul, operators can choose the deployment strategy that best aligns with their existing systems, fostering a more rapid and widespread transition towards a quantum-resistant internet routing system. This streamlined adoption process is vital, as proactive implementation of post-quantum cryptography is paramount to safeguarding the long-term integrity and stability of the global internet.
The internet’s routing infrastructure faces an evolving threat landscape, particularly with the anticipated arrival of quantum computing capable of breaking current cryptographic standards. Proactive fortification through post-quantum cryptography, specifically within the Resource Public Key Infrastructure (RPKI), is therefore essential for sustained stability. Embracing flexible deployment options – such as Hosted and Delegated RPKI – allows network operators to integrate these defenses at a pace suited to their individual needs and capabilities. This adaptability isn’t merely about adopting new technology; it’s about building a resilient foundation that safeguards the core mechanisms of internet routing against future vulnerabilities, ensuring continued trust and reliable communication for years to come. By strategically layering post-quantum protections, the internet can maintain its operational integrity and withstand the disruptive potential of quantum-based attacks.
The presented work embodies a principle of reductive design, streamlining the Resource Public Key Infrastructure through architectural innovation. It prioritizes efficiency by minimizing repository size and accelerating validation – a clear application of simplification. As John McCarthy observed, “The best way to predict the future is to invent it.” This pqRPKI framework isn’t merely adapting to the inevitability of post-quantum threats; it actively constructs a more manageable and scalable system, anticipating future demands through careful elimination of unnecessary complexity. The multi-level Merkle Tree Ladder is a testament to this, offering a concise and verifiable structure.
What Lies Ahead?
The pursuit of cryptographic agility often leads to architectures burdened by their own cleverness. pqRPKI, in its relocation of validation material and embrace of the Merkle Tree Ladder, at least acknowledges the cost of complexity. Future work, however, must resist the temptation to further ornament this foundation. The real challenge isn’t simply transitioning to post-quantum algorithms, but minimizing the disruption that transition imposes on an already strained ecosystem.
A pressing question remains regarding the practical limits of Manifest size. While reducing repository bloat is laudable, there’s a point where centralized validation proxies – inevitable in any system prioritizing speed – become single points of failure. Research should focus not just on cryptographic primitives, but on the delicate balance between decentralization and performance. They called it a framework to hide the panic, but a truly elegant solution will not need hiding.
Ultimately, the success of any post-quantum RPKI deployment will be measured not in cryptographic strength, but in its transparency and ease of integration. The field should prioritize auditable implementations and interoperability standards. Simplicity, after all, isn’t merely a design goal; it’s a matter of resilience. The more convoluted the system, the more avenues exist for subtle, and potentially catastrophic, failure.
Original article: https://arxiv.org/pdf/2603.06968.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2026-03-10 11:25