
Making PQ Signatures work in the WebPKI

PKI Consortium 40 2 weeks ago

Post-quantum signatures are not easily deployable in the WebPKI. Using the signature algorithms recently standardized by NIST as drop-in replacements for existing classical algorithms on the Web would incur significant performance degradations, making this approach infeasible unless a cryptographically relevant quantum computer (CRQC) is imminent. There's a real risk that post-quantum signatures do not see widespread adoption before CRQCs become a reality, unless we make changes to how signatures are used in the WebPKI. This talk dives into several of the more promising proposals for making post-quantum signatures deployable, from TLS extensions to reduce the number of transmitted signatures, to using key agreement as an authentication mechanism, to complete overhauls of the WebPKI. We discuss ongoing work to evaluate the feasibility of each of these proposals and to address known unknowns.

- *Luke Valenta* - Research Engineer at @cloudflare
