Beyond Certificates: A New Era for Public Key Infrastructure

Author: Denis Avetisyan


A novel approach to public key management leverages identity-based cryptography and hardware security to dramatically simplify and scale critical systems like resource certification.

This review details IPK-pq, a post-quantum public key infrastructure scheme eliminating certificate chains for enhanced efficiency and security in environments like RPKI.

Traditional certificate-based Public Key Infrastructure (PKI) faces scalability challenges with the expanding Internet of Things and anticipated complexities of post-quantum cryptography. This paper introduces ‘Efficient ML-DSA Public Key Management Method with Identity for PKI and Its Application’, proposing a novel identity-based scheme, IPK-pq, that eliminates certificate chains by leveraging NIST ML-DSA and hardware security modules. IPK-pq enhances security and efficiency, particularly within resource-intensive applications like Resource PKI (RPKI), through an improved identity mapping mechanism and formal security proofs. Could this approach pave the way for more scalable and secure next-generation PKI systems capable of managing increasingly complex digital infrastructures?


Decoding the Quantum Threat: The Fragility of Modern Trust

The backbone of modern internet security, public key infrastructure – most notably algorithms like RSA – relies on the computational difficulty of certain mathematical problems for its effectiveness. However, the anticipated arrival of large-scale quantum computers presents a critical threat to this system. Quantum algorithms, such as Shor’s algorithm, can efficiently solve these previously intractable problems, effectively breaking the cryptographic protections that currently secure online transactions, sensitive data, and digital communications. This isn’t a hypothetical future concern; research indicates that even with conservative estimates of quantum computer development, the window to transition away from these vulnerable algorithms is rapidly closing, potentially exposing decades of encrypted data to decryption and misuse. The very foundations of trust in the digital world are therefore at risk, necessitating proactive measures to safeguard against this emerging quantum threat.

The rapidly approaching reality of quantum computing presents a significant and urgent threat to current encryption standards. Modern cryptography, which underpins secure online transactions, data storage, and communications, relies on mathematical problems that are exceedingly difficult for classical computers to solve, but potentially trivial for a sufficiently powerful quantum computer. This vulnerability isn’t theoretical; malicious actors are already actively developing “harvest now, decrypt later” strategies, collecting encrypted data with the intention of cracking it once quantum computers become readily available. Therefore, a proactive shift to post-quantum cryptography – algorithms designed to resist attacks from both classical and quantum computers – is not merely a technical upgrade, but a critical necessity to avert widespread data breaches and maintain the integrity of digital infrastructure. Failure to transition swiftly could result in the compromise of sensitive information ranging from financial records and intellectual property to national security data.

While post-quantum cryptography offers a potential defense against future quantum computer attacks, practical implementation faces significant hurdles. Many proposed algorithms, though mathematically secure, demand substantially more computational resources – processing power and memory – than current cryptographic standards like RSA. This performance overhead can drastically slow down secure communications and render them impractical for widespread use, particularly in resource-constrained environments such as mobile devices or the Internet of Things. Furthermore, the complexity of key management in these new systems often presents a considerable challenge; larger key sizes and intricate key derivation functions require robust and secure storage solutions, alongside sophisticated protocols to prevent key compromise and ensure seamless operation across diverse networks. These combined factors – performance limitations and key management difficulties – are currently impeding the rapid and comprehensive adoption of post-quantum cryptography, despite the growing urgency to secure digital infrastructure against emerging quantum threats.

Beyond Certificates: Redefining Identity in a Post-Trust World

Identity-Based Cryptography (IBC) streamlines public key infrastructure by eliminating the need for traditional Public Key Infrastructure (PKI) certificates. In conventional PKI, a Certificate Authority (CA) verifies and issues certificates binding a public key to an identity. IBC, however, generates a user’s public key directly from their identity – typically an email address or username – using a master key held by a trusted authority, known as the Identity Authority (IdA). The corresponding private key is then securely delivered to the user, often via a secure channel. This approach simplifies key management as users no longer need to obtain, store, and validate certificates, reducing administrative overhead and potential points of failure associated with certificate revocation and renewal. The public key can be calculated as PK = H(ID), where H is a cryptographic hash function and ID represents the user’s identity.

Certificate-less Public Key Cryptography (CPK) addresses limitations inherent in traditional Public Key Infrastructure (PKI) by eliminating the need for certificates issued by fully trusted Certificate Authorities (CAs). In CPK systems, users derive their public keys from their identity and a master secret held by a trusted authority, but this authority does not issue certificates. This approach reduces the reliance on a single point of trust and mitigates risks associated with certificate revocation and compromise. Instead of verifying a certificate chain, CPK relies on the trusted authority confirming a user’s identity and the validity of the key derivation process. While a trusted authority is still required, the scope of its trust is limited to identity verification and key derivation parameters, simplifying the trust model compared to traditional PKI, which requires full trust in the CA’s certificate issuance and revocation practices.

IPK-pq is a Public Key Infrastructure (PKI) framework designed to address the limitations of traditional certificate-based systems and prepare for the advent of quantum computing. It combines the strengths of Identity-Based Cryptography (IBC) and Certificate-less Public Key Cryptography (CPK) to achieve simplified key management and enhanced security. Specifically, IPK-pq utilizes IBC to generate public keys directly from user identities, eliminating the need for certificates in key distribution. Simultaneously, it incorporates CPK principles to minimize reliance on a fully trusted central authority, instead relying on a set of Key Delegation Authorities (KDAs). This architecture reduces the computational overhead associated with certificate validation and revocation, while also mitigating single points of failure, and crucially, is designed to be resistant to attacks from both classical and quantum computers by employing post-quantum cryptographic algorithms.

Performance Under the Microscope: Engineering Efficiency and Resilience

IPK-pq employs Matrix-Based Identity Mapping as a method for deriving key seed matrices from user identities. This technique maps each unique identity to a specific matrix, enabling efficient key generation without requiring storage of full public keys or pre-computed values. The mapping process leverages mathematical properties of matrices to ensure a deterministic and reversible relationship between the identity and the seed matrix, facilitating both key generation and subsequent cryptographic operations. This approach reduces computational overhead and storage requirements compared to traditional key derivation schemes, contributing to the overall performance and scalability of the system.

IPK-pq is designed to leverage the capabilities of Hardware Security Modules (HSMs) for increased cryptographic performance. Specifically, the framework is optimized for deployment with the NXP C293 PCIe Card, an HSM that offloads and accelerates computationally intensive operations. This integration yields significant performance gains; with the NXP C293, IPK-pq achieves up to a 33x improvement in Route Origin Authorization (ROA) verification and a 27x improvement in ROA generation. This translates to a ROA generation throughput of 1765 Transactions per second (TPS) and a ROA verification throughput of 10296 TPS when utilizing the HSM.

IPK-pq’s secure key derivation process relies on the SHAKE128 and SHAKE256 cryptographic hash functions, both members of the SHA-3 family. These functions are utilized to generate pseudorandom keys from initial seed material, providing diffusion and preventing direct correlation between the identity and the derived key. SHAKE128 is typically used with a 256-bit output and SHAKE256 with a 512-bit output; the selection of which function to employ can be adjusted based on the desired security level and performance trade-offs within the key derivation scheme. Because both are extendable-output functions (XOFs), the output length is not fixed, which allows the generation of keys of varying lengths as needed by the system.
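The following is an added illustration (not code from the paper) of the three ideas described above: a SHAKE XOF producing output of any length, an identity mapped deterministically to a matrix of public seeds, and a verifier that derives an identity's public key seed from that matrix alone, with no certificate. The matrix dimensions, domain-separation labels, the combination rule and the AS-number identities are constructed assumptions, not the paper's parameters.

```python
import hashlib
from typing import List

# Constructed parameters for illustration; the paper's actual matrix
# dimensions and derivation rules are not reproduced here.
ROWS, COLS, SEED_LEN = 32, 8, 32   # 32 rows (power of two), 8 columns, 32-byte seeds
MASTER_PUBLIC_PARAM = b"constructed-master-public-parameter"

def xof(data: bytes, out_len: int, strength: int = 128) -> bytes:
    """SHAKE128 / SHAKE256 used as extendable-output functions.
    Either can emit any number of bytes; 'strength' picks the security level."""
    h = hashlib.shake_128(data) if strength == 128 else hashlib.shake_256(data)
    return h.digest(out_len)

def public_seed_matrix(param: bytes = MASTER_PUBLIC_PARAM) -> List[List[bytes]]:
    """Expand one public parameter into the ROWS x COLS matrix every verifier holds.
    Each cell is domain-separated by its (row, column) so no two cells share a seed."""
    return [[xof(b"cell" + param + bytes([r, c]), SEED_LEN, 256)
             for c in range(COLS)] for r in range(ROWS)]

def identity_to_indices(identity: str) -> List[int]:
    """Deterministically map an identity to one row index per column.
    ROWS divides 256, so reducing each SHAKE byte mod ROWS stays uniform."""
    digest = xof(b"map" + identity.encode("utf-8"), COLS, 128)
    return [b % ROWS for b in digest]

def identity_public_seed(identity: str, matrix: List[List[bytes]]) -> bytes:
    """Combine the selected cells into the identity's public key seed.
    A verifier needs only the identity and the shared matrix: no certificate."""
    idx = identity_to_indices(identity)
    selected = b"".join(matrix[r][c] for c, r in enumerate(idx))
    return xof(b"pk" + identity.encode("utf-8") + selected, SEED_LEN, 256)

def verifier_storage_bytes(num_identities: int) -> int:
    """Bytes a verifier must store: the matrix only, independent of num_identities."""
    return ROWS * COLS * SEED_LEN

if __name__ == "__main__":
    m = public_seed_matrix()
    for ident in ("AS64496", "AS64497"):   # constructed identities (documentation ASNs)
        print(ident, identity_to_indices(ident), identity_public_seed(ident, m).hex()[:16])
    print("verifier storage for 1e6 identities:", verifier_storage_bytes(10**6), "bytes")
```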

IPK-pq demonstrates functional performance even in software-only deployments, achieving a Route Origin Authorization (ROA) generation throughput of 63 Transactions per second (TPS) and a ROA verification throughput of 312 TPS. These figures indicate that, while optimized for hardware acceleration, the framework remains viable for applications where a Hardware Security Module (HSM) is unavailable or impractical. The software-based performance provides a baseline capability and allows for broader deployment options beyond systems specifically equipped with dedicated cryptographic hardware.

Reclaiming the Network: Securing Resources and Protecting Routes

Traditional Public Key Infrastructure (PKI) manages digital identities, but doesn’t inherently address the unique challenges of securing Internet Number Resources (INRs) – the foundational identifiers of the internet, such as IP addresses and Autonomous System (AS) numbers. Resource PKI builds upon this existing framework by specifically tailoring it to manage the lifecycle and authenticity of these INRs. This extension is critical because it establishes a verifiable link between an INR and its legitimate owner, preventing unauthorized use or malicious redirection. By cryptographically binding ownership to these resources, Resource PKI enables more robust security mechanisms for the internet’s core infrastructure, paving the way for improvements in routing security and overall network stability. The system moves beyond simply identifying who owns a resource to cryptographically proving that ownership, which is a fundamental shift in how internet infrastructure security is approached.

IPK-pq represents a novel approach to bolstering the security of internet routing by directly interfacing with Resource Public Key Infrastructure (RPKI). This integration addresses the critical vulnerability of route hijacking, where malicious actors can redirect internet traffic by falsely announcing ownership of IP address blocks. The system functions by cryptographically verifying the origin of routing information, ensuring that only authorized entities can announce routes. This verification process relies on digital signatures tied to RPKI certificates, creating a chain of trust that extends from the IP address owner to the routing system. By establishing this secure pathway, IPK-pq effectively mitigates the risk of traffic interception and redirection, safeguarding the integrity of internet communication and bolstering the stability of the global network.

Current internet routing security schemes often struggle with scalability due to their O(n) communication complexity – meaning the amount of data exchanged increases linearly with the number of network participants. This presents a significant challenge as the internet continues to expand. However, the introduced framework circumvents this limitation by achieving O(1) communication complexity. This represents a fundamental shift; regardless of internet size, the communication overhead remains constant. Such efficiency isn’t merely incremental, but rather a pivotal improvement that allows for robust security measures to be applied across the entire network without incurring prohibitive costs or performance bottlenecks, paving the way for a more resilient and scalable internet infrastructure.

A significant advancement in internet infrastructure security lies in the reduced storage demands of IPK-pq. Traditional methods for securing routing information necessitate linearly increasing storage space as the network expands, creating scalability challenges. In contrast, IPK-pq achieves constant storage costs through key size reduction, demonstrably minimizing the burden on network operators. Studies reveal substantial savings (specifically, reductions of 4083 bytes, 5494 bytes, and 7483 bytes) compared to the escalating storage requirements of standard schemes. This efficiency isn’t merely incremental; it represents a fundamental shift towards a more sustainable and scalable security framework for the increasingly complex internet landscape, allowing for robust protection without prohibitive infrastructure costs.

The security of Internet infrastructure hinges on established standards and robust components, and this framework leverages existing protocols to bolster trust and data integrity. Specifically, it builds upon RFC7935, which details mechanisms for digitally signing and verifying routing information, providing a foundation for secure route control. To further ensure reliability, the system incorporates a Manifest, a digitally signed record of resource ownership and authorization, alongside standard Certificate Revocation Lists. These lists serve as a crucial defense against compromised or invalid certificates, preventing malicious actors from falsely claiming network resources. By adhering to these widely adopted specifications and utilizing proven components, the framework minimizes implementation challenges and maximizes interoperability, contributing to a more secure and resilient Internet routing ecosystem.

A Network Forged in Resilience: Scaling for the Future, Embracing Coordination

The foundational design of IPK-pq prioritizes future growth and resilience against escalating internet demands. Rather than a monolithic structure, it employs a modular architecture, allowing for the seamless addition of computational resources and cryptographic algorithms as needed. This scalability isn’t simply about handling increased data volume; it’s about adapting to unforeseen advancements in quantum computing and evolving security threats. The system utilizes a hierarchical key structure and distributed key generation, minimizing single points of failure and enabling localized updates without disrupting global connectivity. By decoupling cryptographic operations from underlying hardware, IPK-pq facilitates the integration of new, more efficient algorithms as they emerge, ensuring the internet’s cryptographic infrastructure remains agile and robust for decades to come.

The strength of IPK-pq lies in its pragmatic approach to implementation, prioritizing compatibility with the current internet landscape. Rather than demanding a complete overhaul of existing systems, the protocol is built upon standardized cryptographic components and designed to integrate smoothly with established infrastructure. This ensures interoperability across diverse networks and devices, minimizing disruption during deployment and fostering rapid adoption. By leveraging existing frameworks, IPK-pq avoids the pitfalls of proprietary solutions, promoting a more resilient and universally accessible future for online security and communication, while simplifying the transition for service providers and end-users alike.

The effective rollout of any new internet protocol hinges on a robust framework of global coordination, and IPK-pq is no exception. A globally trusted system doesn’t emerge spontaneously; it requires the concerted effort of key organizations like the Internet Assigned Numbers Authority (IANA), which oversees the global IP address space, and the Regional Internet Registries (RIRs) that distribute those addresses within specific geographic regions. These RIRs, in turn, collaborate with National Internet Registries (NIRs) to manage IP allocation at the country level. This hierarchical structure ensures consistent and verifiable allocation, preventing conflicts and maintaining the integrity of the system. Without seamless communication and standardized practices between IANA, RIRs, and NIRs, the widespread adoption and interoperability of IPK-pq – or any future internet protocol – would be significantly hampered, potentially fragmenting the internet rather than securing it.

The presented IPK-pq scheme, with its focus on eliminating certificate chains through identity-based cryptography, embodies a relentless pursuit of systemic simplification. This mirrors a core tenet of robust design: stripping away unnecessary complexity to reveal fundamental truths. As Ken Thompson observed, “Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.” The IPK-pq approach, by minimizing reliance on complex certificate validation, isn’t merely about efficiency; it’s about building a system that is inherently easier to understand, verify, and ultimately, trust – a direct application of Thompson’s insight into the perils of overcomplication.

What Lies Ahead?

The elimination of certificate chains, as proposed, isn’t merely an optimization; it’s a fundamental questioning of established trust models. The presented IPK-pq scheme rightly shifts focus to identity as the root of trust, yet this introduces a new vector for scrutiny. While hardware security modules offer a tempting solution for safeguarding identities, the concentration of such power demands rigorous examination. One must ask: how resilient is this system to compromise within the HSM itself, or to coercion of its administrators? True security isn’t found in complexity, but in radical transparency: allowing independent verification of identity binding.

Further research shouldn’t solely concentrate on refining the cryptographic primitives, but on the socio-technical implications. The paper gestures towards resource-constrained environments, a crucial consideration. However, the real challenge lies in incentivizing widespread adoption. A system is only as secure as its weakest link, and that link is often human behavior. Exploring game-theoretic models for identity management, and understanding the economic forces at play, will prove just as vital as algorithmic improvements.

Ultimately, this work represents a step toward dismantling, and then rebuilding, the very foundations of public key infrastructure. It subtly suggests that the current model, born of scarcity and suspicion, is inherently fragile. The field must now confront a discomfiting truth: the most robust systems aren’t those that prevent failure, but those designed to gracefully accommodate it.


Original article: https://arxiv.org/pdf/2603.25043.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

2026-03-27 07:58