The Authentication Half of the Migration

Key exchange got a migration story first. Why post-quantum authentication is the harder, slower, and more interesting half of the transition.

There is a comfortable story about the post-quantum transition, and it is mostly about key exchange. Hybrid X25519 + ML-KEM is deployed, the size cost is absorbable inside one round trip, and the migration path is legible. It is easy to mistake that progress for the whole job.

It is not the whole job. A TLS handshake authenticates as well as it agrees on keys, and authentication is where the post-quantum objects are awkward. A handshake carries not one signature but several, plus the certificate chain that binds them. Each standardized post-quantum signature is roughly an order of magnitude larger than the Ed25519 signature the protocol’s budgets were sized around.[1]

The interesting questions are therefore not “is scheme X secure” but “does transaction Y still fit.” Those are measurement questions, and the lab’s bias is to answer them by building and counting rather than by arguing.
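
The counting described above, as an added example that is not part of the original essay: it sums public-key and signature bytes for one assumed handshake shape and compares the total with the budgets named in the footnote. Sizes are the published parameter-set values; the handshake shape (leaf plus one intermediate, two SCTs, one stapled OCSP response), the 1460-byte MSS and the 1200-byte client Initial are assumptions.

```python
# (public key bytes, signature bytes) from the published parameter sets:
# RFC 8032 for Ed25519, FIPS 204 for ML-DSA, FIPS 205 for SLH-DSA.
SIZES = {
    "Ed25519":      (32, 64),
    "ML-DSA-44":    (1312, 2420),
    "ML-DSA-65":    (1952, 3309),
    "SLH-DSA-128s": (32, 7856),
}

# Assumed handshake shape (not from the essay): leaf and one intermediate are
# sent, so there are 2 certificate signatures, plus 2 SCTs and 1 stapled OCSP
# response, all modelled as CA-side signatures. CertificateVerify is signed by
# the leaf key.
CA_SIGS = 2 + 2 + 1
LEAF_SIGS = 1

INITCWND = 10 * 1460   # RFC 6928 initial window, assuming a 1460-byte MSS
QUIC_AMP = 3 * 1200    # RFC 9000 limit: 3x a minimum-size client Initial
DNS_UDP = 1232         # widely used EDNS buffer size for UDP responses


def auth_bytes(leaf, ca):
    """Key and signature bytes only; X.509 and TLS framing are ignored."""
    leaf_pk, leaf_sig = SIZES[leaf]
    ca_pk, ca_sig = SIZES[ca]
    # One leaf public key, one intermediate (CA-scheme) public key.
    return leaf_pk + ca_pk + LEAF_SIGS * leaf_sig + CA_SIGS * ca_sig


def report(leaf, ca):
    """Compare one leaf/CA scheme pairing against each budget."""
    total = auth_bytes(leaf, ca)
    return {
        "bytes": total,
        "fits_initcwnd": total <= INITCWND,
        "fits_quic_first_flight": total <= QUIC_AMP,
        # Necessary condition only: a single signature must fit the datagram.
        "sig_fits_dns_udp": SIZES[ca][1] <= DNS_UDP,
    }


if __name__ == "__main__":
    pairings = [("Ed25519", "Ed25519"), ("Ed25519", "ML-DSA-44"),
                ("ML-DSA-44", "ML-DSA-44"), ("ML-DSA-65", "ML-DSA-65"),
                ("ML-DSA-44", "SLH-DSA-128s")]
    for leaf, ca in pairings:
        print(f"leaf={leaf:<10} ca={ca:<13} {report(leaf, ca)}")
```

The totals are lower bounds, since certificate fields, extensions and the rest of the server's flight share the same budgets.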

Why negative results count here

If a particular chain configuration cannot be made to fit a given budget, that is a finding worth publishing with the numbers that show it. Documented dead ends are inventory, not waste: the next person who reaches for that configuration deserves to find the measurement already done.

Footnotes

  1. The budgets in question are concrete — initial congestion windows, QUIC’s anti-amplification limit, the practical size envelope of a DNSSEC response — and they are the subject of the Compact PQ Authentication direction.