Compact PQ Authentication
Post-quantum signatures are an order of magnitude larger than the ECDSA and Ed25519 signatures internet protocols were built around. Key exchange has a migration story; authentication doesn't yet. This direction studies how ML-DSA, Falcon, and SLH-DSA behave inside real protocol budgets — TLS handshakes, certificate chains, DNSSEC's size envelope — through implementation and measurement.
Key exchange has a migration story. The hybrid X25519 + ML-KEM key exchange is already deployed at scale, and the size cost of a kilobyte-class key encapsulation is absorbable inside a single round trip. Authentication is the harder, less-finished half of the transition: a TLS handshake does not carry one signature but several, alongside the certificates that bind them, and those objects sit inside budgets — initial congestion windows, amplification limits, UDP datagram sizes — that were sized for 64-byte signatures, not 3-kilobyte ones.
This direction takes the three NIST-standardized signature schemes — ML-DSA (FIPS 204), Falcon, and SLH-DSA (FIPS 205) — and measures how they behave inside those budgets rather than in isolation. The unit of study is the protocol transaction, not the primitive: a full handshake, a complete certificate chain, a DNSSEC response that must or must not fragment.
Working questions
- Where does a post-quantum certificate chain first exceed the QUIC anti-amplification limit, and which scheme choices push it back under?
- What is the real handshake-latency distribution under packet loss when the CertificateVerify and chain no longer fit the initial flight?
- For DNSSEC, which (if any) of the standardized schemes fit inside the practical response-size envelope without truncation-and-retry over TCP?
These are implementation-and-measurement questions, and the answers belong in Writing as reproductions with numbers attached.
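A back-of-envelope model of the first working question, as an added example that is not code or data from this project: it sums the public keys and signatures a server sends for a leaf plus one intermediate certificate and the CertificateVerify, then compares the total with the QUIC anti-amplification budget of three times a 1200-byte client Initial. The chain shape, the 400-byte per-certificate overhead, and the omission of SCTs, OCSP and the rest of the server flight are assumptions.

```python
# Added example: authentication bytes in a TLS 1.3 server flight versus the
# QUIC anti-amplification budget. Sizes are the published parameter-set
# lengths; chain shape and per-certificate overhead are assumptions.

# scheme -> (public_key_bytes, signature_bytes)
SCHEMES = {
    "Ed25519":      (32, 64),
    "ML-DSA-44":    (1312, 2420),
    "ML-DSA-65":    (1952, 3309),
    "Falcon-512":   (897, 666),    # nominal size; Falcon signatures vary in length
    "SLH-DSA-128s": (32, 7856),
}

QUIC_AMPLIFICATION_FACTOR = 3   # RFC 9000, section 8.1
MIN_CLIENT_INITIAL = 1200       # minimum client Initial datagram size (RFC 9000)
CERT_OVERHEAD = 400             # assumed non-crypto bytes per certificate


def auth_bytes(leaf, intermediate, root, overhead=CERT_OVERHEAD):
    """Bytes for the leaf cert, intermediate cert and CertificateVerify.

    Each argument names the key type held at that level. The root
    certificate is not sent; only its signature on the intermediate is.
    """
    leaf_pk, leaf_sig = SCHEMES[leaf]
    int_pk, int_sig = SCHEMES[intermediate]
    _, root_sig = SCHEMES[root]
    leaf_cert = overhead + leaf_pk + int_sig   # signed by the intermediate key
    int_cert = overhead + int_pk + root_sig    # signed by the root key
    cert_verify = leaf_sig                     # signed by the leaf key
    return leaf_cert + int_cert + cert_verify


def fits_quic_budget(total, client_initial=MIN_CLIENT_INITIAL):
    """True if the server may send `total` bytes before address validation."""
    return total <= QUIC_AMPLIFICATION_FACTOR * client_initial


def survey():
    """Map (leaf, intermediate, root) -> (bytes, fits) for each uniform chain plus one mix."""
    combos = [(s, s, s) for s in SCHEMES]
    combos.append(("Falcon-512", "ML-DSA-44", "ML-DSA-44"))  # hypothetical mixed chain
    return {c: (auth_bytes(*c), fits_quic_budget(auth_bytes(*c))) for c in combos}


if __name__ == "__main__":
    for combo, (size, ok) in survey().items():
        print(f"{'/'.join(combo):40s} {size:6d} B  {'fits' if ok else 'exceeds'} 3600 B")
```

Under these assumptions only the Ed25519 chain stays inside 3600 bytes; setting the overhead to 0 shows how much of each total is key and signature material alone.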
Publications in this direction
- Certificate Chain Sizes Under Post-Quantum Signatures
Preliminary numbers on how large a TLS certificate chain becomes under each standardized post-quantum signature, and where it crosses the QUIC amplification limit.
- The Authentication Half of the Migration
Key exchange got a migration story first. Why post-quantum authentication is the harder, slower, and more interesting half of the transition.