Post-Quantum Identity-Based TLS for 5G Service-Based Architecture and Cloud-Native Infrastructure

TL;DR

This paper introduces a post-quantum, certificate-free authentication framework using identity-based encryption for secure, efficient service communication in 5G and cloud-native environments, reducing overhead and enhancing security.

Contribution

It presents a novel post-quantum identity-based TLS framework that replaces traditional PKI, enabling certificate-free mutual authentication in 5G and cloud-native systems.

Findings

Successfully integrates with 5G Service-Based Architecture

Enables certificate-free TLS in Kubernetes environments

Maintains security and trust without traditional PKI

Abstract

Cloud-native application platforms and latency-sensitive systems such as 5G Core networks rely heavily on certificate-based Public Key Infrastructure (PKI) and mutual TLS to secure service-to-service communication. While effective, this model introduces significant operational and performance overhead, which is further amplified in the post-quantum setting due to large certificates and expensive signature verification. In this paper, we present a certificate-free authentication framework for private distributed systems based on post-quantum Identity-Based Encryption(IBE). Our design replaces certificate and signature based authentication with identity-derived keys and identity-based key encapsulation, enabling mutually authenticated TLS connections without certificate transmission or validation. We describe an IBE-based replacement for private PKI, including identity lifecycle management, and show how it can be instantiated using a threshold Private Key Generator (T-PKG). We apply this framework to cloud-native application deployments and latency-sensitive 5G Core networks. In particular, we demonstrate how identity-based TLS integrates with the 5G Service-Based Architecture while preserving security semantics and 3GPP requirements, and we show how the same architecture can replace private PKI in Kubernetes, including its control plane, without disrupting existing trust domains or deployment models.