
Post-Quantum PKI: Preparing the Trust Infrastructure

Public key infrastructure, or PKI, is the invisible foundation of digital trust. Every TLS connection to a website, every software code signature, every signed email exchange, every certificate-based authentication relies on the same bedrock: a hierarchy of certificate authorities that guarantee the identity of parties and the integrity of communications. Today, this infrastructure protects billions of daily transactions. Tomorrow, it will need to withstand a threat it was never designed for: the quantum computer.

Why Current PKI Is Vulnerable

The digital certificates that power the global PKI rely almost exclusively on two families of signature algorithms, RSA and ECDSA (with EdDSA a distant third). These algorithms derive their security from problems considered hard for classical computers: integer factorization for RSA, the elliptic-curve discrete logarithm for ECDSA and EdDSA. Shor's algorithm, run on a sufficiently large fault-tolerant quantum computer (a cryptographically relevant quantum computer, or CRQC), solves both problems in polynomial time. Because a certificate authority's public key is published in its own certificate, an attacker with such a machine could recover the CA's private key from it, forge certificates at will, impersonate any certificate authority, and compromise the entire chain of trust. The consequence is staggering: all TLS connections, digital signatures, and authentication mechanisms that depend on classical PKI would become forgeable. Note the difference from encryption: a TLS session recorded today cannot be retroactively impersonated, but signatures that must remain trustworthy for years (root certificates, code-signing keys, signed firmware, archived documents) are exposed the moment a CRQC exists, whenever they were created.

Post-Quantum Signature Algorithms

To address this threat, NIST finalized two post-quantum digital signature standards in August 2024 (a third, FN-DSA, derived from Falcon, is still being drafted as FIPS 206). ML-DSA (FIPS 204), based on module lattices, offers fast signing and verification with moderate key and signature sizes; it comes in three parameter sets, ML-DSA-44, ML-DSA-65 and ML-DSA-87, at NIST security categories 2, 3 and 5. It is intended to become the primary replacement for RSA and ECDSA in most PKI use cases. SLH-DSA (FIPS 205), based exclusively on hash functions, takes a different approach: its security reduces to the properties of the underlying hash function rather than to a structured lattice problem, which makes it a conservative choice, and unlike the older stateful hash-based schemes (LMS, XMSS) it is stateless, so a CA does not have to track which one-time keys have already been consumed. The price is size and speed: SLH-DSA signatures range from about 7.9 KB (SLH-DSA-SHA2-128s) to nearly 50 KB, and signing is far slower than with ML-DSA. SLH-DSA is recommended as a fallback solution or for environments where algorithmic diversity is a security requirement, for example long-lived roots and firmware signing.

Hybrid Certificates: A Smooth Transition

Migrating a global PKI cannot happen overnight. This is why the technical community is developing hybrid certificates, which carry a classical signature (RSA or ECDSA) and a post-quantum signature (ML-DSA or SLH-DSA) in a single X.509 certificate. Two encodings are being standardized, and the backward-compatibility story differs between them. In the IETF LAMPS composite approach, the two signatures are bound under one composite algorithm identifier and verified together; a verifier that does not recognise the composite OID rejects the certificate, so this form gives "both must verify" security but not legacy interoperability. In the ITU-T X.509 (2019) approach, the post-quantum key and signature ride in the subjectAltPublicKeyInfo, altSignatureAlgorithm and altSignatureValue extensions next to the ordinary classical signature: verifiers that do not yet support post-quantum algorithms ignore the non-critical extensions and check only the classical signature, while updated verifiers also check the post-quantum one. Whichever encoding is used, a hybrid certificate is only as forgery-resistant as the verification policy applied to it: a relying party that accepts the certificate on the classical signature alone gains nothing but size. Hybrid key exchange (for example X25519 combined with ML-KEM-768) is already deployed in TLS; hybrid authentication lags behind because it changes the certificates themselves. ANSSI and the German BSI explicitly recommend hybridization as the most prudent path toward complete migration.

Challenges to Overcome

The transition to a post-quantum PKI raises considerable technical challenges. The first is size. ML-DSA-65 (security category 3) signatures are 3,309 bytes and public keys 1,952 bytes, against 64 bytes (roughly 70 to 72 bytes once DER-encoded) for an ECDSA P-256 signature and 65 bytes for its uncompressed public key: about a fiftyfold increase per signature. The increase compounds along the chain: every certificate a TLS server sends carries its own public key and its issuer's signature, and CertificateVerify adds one more signature, so a leaf plus one intermediate signed with ML-DSA-65 adds well over 10 KB to the handshake, and a hybrid certificate carries both sets on top. This has a direct impact on TLS handshakes (the extra data can exceed a TCP initial congestion window or a QUIC server's pre-validation amplification budget, costing an additional round trip), on certificate chains, on CRL and OCSP distribution, and on resource-constrained embedded systems. The second challenge concerns performance: ML-DSA signs and verifies quickly, but the larger handshake adds latency, particularly on low-bandwidth or lossy networks, and SLH-DSA signing is slow enough to matter for high-volume issuers. Finally, the migration of certificate authorities themselves represents an immense undertaking: new roots must be generated on HSMs that support the new algorithms, operating system and browser trust stores must be updated and pushed out to devices, and audit, key-ceremony and compliance procedures must be adapted to the new algorithms.
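To make the size argument concrete, the following added example (written for this article, not code from the original page) models the signature-related bytes a TLS 1.3 server sends to authenticate itself and compares classical, pure post-quantum and hybrid chains against two transport budgets. The ML-DSA and SLH-DSA sizes are the FIPS 204 and FIPS 205 parameter-table values; the fixed per-certificate overhead for names, validity and extensions, and the TCP and QUIC budgets, are assumptions stated in the code.

```python
"""Estimate the authentication-related bytes a TLS 1.3 server sends for a
given certificate chain, to compare classical, post-quantum and hybrid
signature choices against transport budgets."""

# (public key bytes, signature bytes).  ML-DSA and SLH-DSA values come from
# the FIPS 204 / FIPS 205 parameter tables; ECDSA P-256 is an uncompressed
# SEC1 point plus a maximal DER-encoded signature; RSA-2048 is an approximate
# DER SubjectPublicKeyInfo plus a raw modulus-sized signature.
SIZES = {
    "ecdsa-p256":        (65, 72),
    "rsa-2048":          (270, 256),
    "ml-dsa-44":         (1312, 2420),
    "ml-dsa-65":         (1952, 3309),
    "ml-dsa-87":         (2592, 4627),
    "slh-dsa-sha2-128s": (32, 7856),
}

# Assumed fixed per-certificate cost for names, validity, extensions and DER
# framing; real certificates range from a few hundred bytes to about 1 KB.
CERT_OVERHEAD = 500

# Assumed transport budgets: a TCP initial congestion window of 10 segments
# of ~1460 bytes (RFC 6928), and the QUIC 3x anti-amplification limit applied
# to a 1200-byte client Initial (RFC 9000).
TCP_INITCWND_BYTES = 10 * 1460
QUIC_PREVALIDATION_BYTES = 3 * 1200


def auth_bytes(algs, certs_sent=2, overhead=CERT_OVERHEAD):
    """Signature-related bytes in the Certificate and CertificateVerify messages.

    Each transmitted certificate (the leaf plus intermediates; the root sits in
    the client's trust store and is normally not sent) carries its own public
    key and its issuer's signature.  CertificateVerify then adds one signature
    under the leaf key.  `algs` lists the algorithms present in every
    certificate: one entry for a classical or pure post-quantum chain, two for
    a hybrid chain, where both keys and both signatures are carried.
    """
    per_cert = sum(SIZES[a][0] + SIZES[a][1] for a in algs) + overhead
    certificate_verify = sum(SIZES[a][1] for a in algs)
    return certs_sent * per_cert + certificate_verify


def needs_extra_round_trip(total, budget):
    """True if `total` bytes cannot leave in the server's first flight because
    the transport caps what it may send before hearing from the client."""
    return total > budget


def compare(chains, certs_sent=2):
    """{label: algs} -> {label: (bytes, exceeds TCP initcwnd, exceeds QUIC budget)}."""
    out = {}
    for label, algs in chains.items():
        total = auth_bytes(algs, certs_sent)
        out[label] = (total,
                      needs_extra_round_trip(total, TCP_INITCWND_BYTES),
                      needs_extra_round_trip(total, QUIC_PREVALIDATION_BYTES))
    return out


if __name__ == "__main__":
    chains = {
        "ECDSA P-256":              ["ecdsa-p256"],
        "ML-DSA-65":                ["ml-dsa-65"],
        "hybrid ECDSA + ML-DSA-65": ["ecdsa-p256", "ml-dsa-65"],
        "SLH-DSA-SHA2-128s":        ["slh-dsa-sha2-128s"],
    }
    for label, (total, tcp_hit, quic_hit) in compare(chains).items():
        print(f"{label:26s} {total:6d} B  TCP initcwnd exceeded: {tcp_hit}"
              f"  QUIC pre-validation budget exceeded: {quic_hit}")
```

With these assumptions, a leaf-plus-intermediate ECDSA chain costs about 1.3 KB, while the same chain in ML-DSA-65 costs about 14.8 KB and already overshoots a ten-segment initial window; the hybrid chain is only marginally larger than the pure ML-DSA one, because the classical material is small next to the lattice material. Change `certs_sent` to 3 to see the cost of sending the root as well.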

Roadmap: What Organizations Should Do Now

Organizations that wish to anticipate the post-quantum PKI migration must act now, even though the operational quantum risk is still on the 2030-2035 horizon: a root certificate or code-signing key issued today with a fifteen-year lifetime will still be in service then. The first step is to conduct a complete cryptographic inventory of all certificates, internal certificate authorities, and protocols using RSA or ECDSA signatures, recording for each the algorithm, key size, validity period and how long whatever it signs must remain trustworthy. The second step is to assess software and hardware dependencies: TLS libraries, HSMs, embedded systems, and legacy applications, checking not only whether they can sign and verify with ML-DSA or SLH-DSA but whether they can parse certificates and handshake messages several kilobytes larger than today's. The third step is to launch hybrid pilots on non-critical environments to measure the impact on performance and compatibility. Finally, organizations must closely follow IETF standardization work (the LAMPS working group for post-quantum and hybrid X.509 certificates, the TLS working group for the TLS 1.3 signature and key-exchange updates) so as to integrate post-quantum algorithms as the specifications stabilize.
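The first step above, the inventory, comes down to answering one question per certificate: which signature algorithm produced it? The following added example (not code from the original article) shows the mechanics with a hand-rolled minimal DER walker that pulls the signatureAlgorithm OID out of an X.509 certificate and classifies it. The sample certificates are constructed inline with a tiny DER encoder and are unsigned stand-ins, not real certificates; the OID table covers the common PKIX identifiers plus the NIST CSOR ML-DSA identifiers. A production inventory would instead feed real PEM files (base64-decoded) through `openssl x509 -noout -text` or a full X.509 library, and would also record the subject public key algorithm, since a hybrid or composite certificate must be judged on both.

```python
"""Hand-rolled DER walker for a certificate inventory: extract the
signatureAlgorithm OID from an X.509 certificate and classify it as
quantum-vulnerable or quantum-safe.  Sample certificates are constructed
inline with a tiny DER encoder so the script runs offline without real keys."""

# OID -> (name, quantum_safe).  ML-DSA OIDs are the NIST CSOR sigAlgs arc
# (2.16.840.1.101.3.4.3.17/18/19); the rest are the usual PKIX identifiers.
SIG_OIDS = {
    "1.2.840.113549.1.1.5":    ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11":   ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12":   ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2":     ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":     ("ecdsa-with-SHA384", False),
    "1.3.101.112":             ("Ed25519", False),
    "2.16.840.1.101.3.4.3.17": ("id-ml-dsa-44", True),
    "2.16.840.1.101.3.4.3.18": ("id-ml-dsa-65", True),
    "2.16.840.1.101.3.4.3.19": ("id-ml-dsa-87", True),
}


def _read_tlv(buf, pos=0):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """OID content octets -> dotted string (first octet packs arcs 1 and 2, base-128 after)."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Walk to signatureAlgorithm (an AlgorithmIdentifier SEQUENCE) and return its OID."""
    tag, cert, _ = _read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert)          # tbsCertificate, skipped here
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm
    oid_tag, oid, _ = _read_tlv(alg_id)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return decode_oid(oid)


def classify(cert_der):
    """Return (algorithm name, 'quantum-vulnerable' | 'quantum-safe' | 'unknown')."""
    oid = signature_algorithm_oid(cert_der)
    name, safe = SIG_OIDS.get(oid, (oid, None))
    status = "unknown" if safe is None else ("quantum-safe" if safe else "quantum-vulnerable")
    return name, status


def inventory(certs):
    """certs: {label: DER bytes} -> sorted list of (label, algorithm, status)."""
    return sorted((label, *classify(der)) for label, der in certs.items())


# --- constructed sample data: a minimal DER encoder and stand-in certificates ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_cert(sig_oid, sig_len):
    """Stand-in certificate (constructed, unsigned): a placeholder tbsCertificate
    holding only a serial number, the requested AlgorithmIdentifier, and a
    zero-filled signature BIT STRING of the algorithm's real length."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, encode_oid(sig_oid))
    sig = _der(0x03, b"\x00" * (sig_len + 1))   # leading octet = 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    sample = {
        "legacy-intranet": fake_cert("1.2.840.113549.1.1.11", 256),     # RSA-2048
        "web-leaf":        fake_cert("1.2.840.10045.4.3.2", 72),        # ECDSA P-256
        "pq-pilot-leaf":   fake_cert("2.16.840.1.101.3.4.3.18", 3309),  # ML-DSA-65
    }
    for label, alg, status in inventory(sample):
        print(f"{label:18s} {alg:26s} {status}")
```

An OID the table does not know is reported as "unknown" rather than silently treated as safe, which is the behaviour you want from an inventory tool: every unknown entry is something to investigate, not something to ignore.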

PKI is the silent pillar of the digital economy. Its migration to post-quantum will be neither simple nor fast, but it is inevitable. Organizations that begin preparing today will hold a decisive advantage: the advantage of time.
