A Comparative Study of Hybrid Post-Quantum Cryptographic X.509 Certificate Schemes

TL;DR

This paper compares different hybrid post-quantum cryptographic X.509 certificate schemes, analyzing their size, efficiency, and migration aspects to aid secure transition to quantum-resistant standards.

Contribution

It provides a comprehensive analysis and comparison of hybrid PQC X.509 certificate schemes, highlighting their strengths and weaknesses for practical deployment.

Findings

Hybrid schemes vary in size and efficiency

Some schemes offer better migration feasibility

Guidelines for selecting suitable schemes are provided

Abstract

As quantum computing hardware continues to advance, the integration of such technology with quantum algorithms is anticipated to enable the decryption of ciphertexts produced by RSA and Elliptic Curve Cryptography (ECC) within polynomial time. In response to this emerging threat, the U.S. National Institute of Standards and Technology (NIST) finalized a series of Post-Quantum Cryptography (PQC) standards in August 2024 and outlined a roadmap for PQC migration. Consequently, the design of X.509 certificates that adhere to PQC standards has become a crucial focus in the development of certificate management systems. To further strengthen security and facilitate a smooth migration process, several hybrid certificate schemes have been proposed internationally based on the X.509 certificate format, including the composite scheme, the catalyst scheme, and the chameleon scheme. This study presents a comprehensive analysis and comparison of these hybrid certificate schemes from multiple perspectives (e.g., certificate size, computational efficiency, and migration feasibility) to assess their suitability for various applications and services.