Post-Quantum Encryption Bypasses Digital Certificates for Faster, More Secure 5G Networks

Researchers are addressing the growing challenge of securing 5G networks and cloud-native infrastructure against emerging quantum computing threats. Vipin Kumar Rathi from Ramanujan College, University of Delhi, Lakshya Chopra from coRAN Labs Private Limited, and Nikhil Kumar Rajput from Ramanujan College, University of Delhi, et al., present a novel certificate-free authentication framework utilising post-quantum Identity-Based Encryption (IBE). This work is significant because it moves beyond traditional certificate-based Public Key Infrastructure, which introduces operational and performance overhead, particularly when considering the computational demands of post-quantum cryptography. By replacing certificates with identity-derived keys, their design enables mutually authenticated TLS connections without certificate transmission or validation, offering a potentially more efficient and scalable solution for securing sensitive systems like 5G Core networks and Kubernetes deployments.

Identity-Based Encryption for streamlined and secure private network authentication offers significant advantages over traditional methods

Researchers have developed a certificate-free authentication framework poised to significantly enhance security and performance in private distributed systems, including cloud-native applications and 5G Core networks. This framework allows for the creation of secure connections without relying on the complex processes of certificate issuance, distribution, and revocation.
Researchers successfully integrated identity-based TLS with the 5G Service-Based Architecture, ensuring adherence to existing security semantics and 3GPP requirements. Furthermore, the same architecture was demonstrated to seamlessly replace private PKI within Kubernetes, including its control plane, without disrupting established trust domains or deployment models.

This work demonstrates a fundamental shift in authentication paradigms for private networks, moving away from the overhead of traditional PKI. By deriving public keys directly from identity strings, the system eliminates certificates entirely, simplifying the authentication process and reducing computational burden.
The protocol preserves the TLS 1.3 record layer and key schedule, streamlining integration with existing infrastructure. The research highlights a practical solution to the escalating costs associated with post-quantum cryptography, particularly in systems where authentication is frequent and latency is paramount, such as 5G Core networks.

The core contribution of this study lies in the design of a post-quantum identity-based TLS protocol, including a mutually authenticated variant. Security is derived from a lattice-based identity primitive, adapted from ML-KEM (FIPS 203), while utilizing unmodified ML-KEM for the TLS ephemeral key exchange. Demonstrations within Kubernetes and 5G infrastructure showcase the viability of this approach, offering certificate-free mutual authentication between network functions and Kubernetes components, all while maintaining existing security guarantees and operational compatibility.

Module-NTRU based identity-based key encapsulation and decryption procedures offer strong security guarantees

A lattice trapdoor sampling technique, adapted from the Module-NTRU (MNTRU) framework, underpins the identity-based key encapsulation mechanism (ID-ML-KEM) central to this work. The Extract algorithm derives an identity private key sk_ID from the master secret key (msk) and a given identity string ID.

The encryption process, encapsulated within the Encrypt algorithm, takes the master public key (mpk), identity string ID, and a message m as input, producing a ciphertext ct. Conversely, the Decrypt algorithm recovers the original message m by decapsulating the ciphertext ct using the corresponding identity private key sk_ID, mirroring ML-KEM decryption to recover handshake secrets.

This ID-ML-KEM achieves IND-sID-CPA security, relying on the decisional Ring-LWE assumption and proven within a selective-identity model where adversaries commit to a target identity prior to system setup. This research replaces certificate and signature-based authentication with identity-derived keys and identity-based key encapsulation, enabling mutually authenticated TLS connections without certificate transmission or validation.

Operationally, the system faces the same concerns as a conventional PKI, including revocation and trust scoping, but it avoids X.509 certificates and digital signatures, relying instead on identity strings and public/private keypairs. Revocation is achieved by embedding validity constraints, such as epochs or time windows, into identities, eliminating the need for certificate revocation lists. Multiple T-PKG instances can function as trust anchors for distinct domains, analogous to multiple private certificate authorities.
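The epoch-based revocation described above, sketched as an added example (not code from the paper or its authors): a revoked identity simply receives no key for the next epoch, and an already-issued key stops matching once the epoch rolls over. The `name|epoch` identity format, the one-hour epoch, and the names `ScopedID`, `PKG`, `Issue`, `CanDecap` and `RevocationLag` are assumptions; the lattice Extract step is replaced by a placeholder.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// EpochLen is an assumed validity window; the article does not specify one.
const EpochLen = time.Hour

var ErrRevoked = errors.New("identity revoked: no key issued for this epoch")

// Epoch maps a time to its validity-window counter.
func Epoch(t time.Time) int64 { return t.Unix() / int64(EpochLen.Seconds()) }

// ScopedID builds the identity string peers encapsulate to (hypothetical format).
func ScopedID(name string, t time.Time) string { return fmt.Sprintf("%s|%d", name, Epoch(t)) }

// PKG models only the issuance policy of a private key generator.
type PKG struct{ Revoked map[string]bool }

// Issue decides whether a key for (name, current epoch) is released.
// A real PKG would run Extract(msk, id); the id string stands in for sk_ID here.
func (p *PKG) Issue(name string, now time.Time) (string, error) {
	if p.Revoked[name] {
		return "", ErrRevoked
	}
	return ScopedID(name, now), nil
}

// CanDecap reports whether a key issued for heldID opens traffic sent to name at time now.
func CanDecap(heldID, name string, now time.Time) bool { return heldID == ScopedID(name, now) }

// RevocationLag is how long an already-issued key stays usable after revocation at t.
func RevocationLag(t time.Time) time.Duration {
	next := time.Unix((Epoch(t)+1)*int64(EpochLen.Seconds()), 0)
	return next.Sub(t)
}

func main() {
	t0 := time.Date(2026, 1, 1, 10, 30, 0, 0, time.UTC) // constructed sample time
	name := "smf-01.5gc.example"                        // constructed identity
	pkg := &PKG{Revoked: map[string]bool{}}
	key, _ := pkg.Issue(name, t0)
	pkg.Revoked[name] = true // revoke mid-epoch
	_, err := pkg.Issue(name, t0.Add(EpochLen))
	fmt.Println(CanDecap(key, name, t0), RevocationLag(t0), err, CanDecap(key, name, t0.Add(EpochLen)))
}
```

The epoch length bounds how long a compromised key remains usable, so shorter epochs trade more frequent key issuance for faster effective revocation.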

Identity-Based Encryption facilitates certificate-free authentication in distributed systems and 5G networks by utilizing a public key derived from an identity

Researchers developed a certificate-free authentication framework based on post-quantum Identity-Based Encryption (IBE) for private distributed systems. The proposed system enables implicit authentication without exchanging certificates or digital signatures, demonstrating applicability to latency-sensitive cloud-native systems and 5G Core networks.

Within the 5G Service-Based Architecture, IBE-based PKI and IBE-TLS can replace certificate-based post-quantum mutual TLS while maintaining existing authentication semantics and security requirements. The same architecture adapts to the Kubernetes control plane, mapping certificate roles to IBE equivalents for identity issuance and revocation.

Implementation plans include a reference implementation in Go, leveraging concurrency and cryptographic libraries to evaluate deployability and interoperability. Extending this stack to QORE will facilitate preliminary performance analysis and provide a reference architecture for the community. Integrating the scheme with SPIFFE would align identity-based TLS with standardized workload identity models in cloud-native environments, while mapping to decentralized identity systems (DIDs) could enable controlled cross-domain federation.

To address long-term key material risks, future implementations should leverage Hardware Security Modules (HSMs) integrated into Kubernetes deployments, protecting PKG secret shares and issued identity private keys. The construction builds on the ID-ML-KEM framework, acknowledging that larger key and ciphertext sizes may lead to slightly higher decapsulation failure rates. This scheme is proven IND-sID-CPA secure in the Random Oracle Model under the decisional Ring-LWE assumption, though further work is needed to systematically explore parameter choices and reduce key sizes.

Identity-Based Encryption for secure private network authentication and PKI replacement offers a simplified and scalable solution

A certificate-free authentication framework based on Identity-Based Encryption (IBE) has been developed for use in private distributed systems. This approach has been successfully applied to both cloud-native application deployments and latency-sensitive 5G Core networks, integrating with the 5G Service-Based Architecture while maintaining security and adhering to 3GPP requirements.

Furthermore, the architecture can replace private PKI within Kubernetes, including its control plane, without disrupting existing trust domains or deployment models. Future research directions include a formal verification of the protocol’s security properties and a detailed performance evaluation of the IBE operations compared to traditional PKI operations in various deployment scenarios. The presented framework offers a potential pathway to reduce the operational and performance overhead associated with certificate management in modern distributed systems.

👉 More information
🗞 Post-Quantum Identity-Based TLS for 5G Service-Based Architecture and Cloud-Native Infrastructure
🧠 ArXiv: https://arxiv.org/abs/2602.04238
Rohail T.
