pqRPKI: A Practical RPKI Architecture for the Post-Quantum Era

Here is an explanation of the pqRPKI paper, translated into everyday language with creative analogies.

The Big Problem: The "Quantum" Threat to Internet Traffic

Imagine the Internet is a massive, global highway system. RPKI (Resource Public Key Infrastructure) is the official "Traffic Control Center" that issues permits to truck drivers (Autonomous Systems) saying, "You are allowed to drive on this specific stretch of road (IP address)."

Right now, these permits are signed with RSA, a digital lock that has kept the highway safe for decades. But scientists are worried that in the future, "Quantum Computers" will be like super-powered master keys that can break these locks instantly. If that happens, hackers could forge permits, hijack traffic, and cause chaos.

To fix this, we need to swap the old locks for new, "Post-Quantum" (PQ) locks. But here's the catch: The new locks are huge.

The Problem: The current system works like a library where every single book (permit) has its own heavy, bulky security seal attached to it. If you swap the small seals for giant PQ seals, the library becomes so heavy and slow that the librarians (the computers checking the permits) can't keep up. The internet would slow to a crawl, and the "books" would take up so much space they'd overflow the shelves.

The Solution: pqRPKI (The "Master Receipt" System)

The authors propose pqRPKI, a smarter way to organize the library so we can use the giant new locks without breaking the system.

1. The Old Way: "One Seal Per Book"

Currently, every single permit has its own signature.

Analogy: Imagine a school where every student has to wear a heavy, oversized backpack just to prove they are a student. If the school has 10,000 students, that's 10,000 heavy backpacks. If you make the backpacks bigger (for the new locks), the school becomes a logistical nightmare.

2. The pqRPKI Way: "The Master Receipt"

The authors realized that the library already has a Manifest (a master list of all books and their checksums). They decided to move the heavy security work out of the individual books and into this master list.

The Analogy: Instead of putting a heavy seal on every single book, the librarian puts one giant, super-secure seal on the Master Receipt that lists every book.
- The individual books stay small and light (they don't get bigger).
- The heavy lifting is done once, on the list.
- To check if a book is real, you don't check the book's seal; you check the Master Receipt, which proves the book belongs in the list.

How It Works: The "Ladder" and the "Elevator"

The paper uses a structure called a Merkle Tree Ladder (MTL). Let's visualize this as a giant, multi-story parking garage.

The Cars (The Permits): These are the routing permits (ROAs). They are parked in rows.
The Ladder (The Structure): Instead of checking every car individually, the garage has a security system that groups cars into blocks, then blocks into floors, then floors into the whole building.
The "Rungs":
- Object Rungs: These hold the actual permits. They are stable.
- Metadata Rungs (The Elevator): The "Manifest" (the list of what's in the garage) and "CRL" (the list of stolen/revoked permits) are treated as a special, fast-moving elevator at the top.
- Why this matters: When a car is added or removed, you don't have to rebuild the whole garage. You just update the elevator (the Manifest) and the specific floor it touches. This keeps the system fast even when things change constantly.

The "Dual-Stack" Transition: Wearing Two Watches

We can't switch to the new system overnight. We need a transition period where the old RSA locks and new PQ locks work together (Dual-Stack).

The Challenge: Usually, doing this means doubling the size of everything (two seals per book).
The pqRPKI Trick: Because the system uses the "Master Receipt" approach, the new PQ security layer is grafted onto the existing list. It doesn't duplicate the books; it just adds a new, secure header to the list.
Result: The transition adds almost zero extra weight (only 3.4% overhead) compared to today's system. It's like adding a new, high-tech security camera to the front door without having to rebuild the entire house.

Why This is a Game-Changer

The paper tested this system on real-world data and found amazing results:

Tiny Footprint: Even with the giant new locks, the total size of the "library" is 65% smaller than if we had just slapped the new locks on every single book.
Super Speed: The system can check the entire global library of permits in under 2 minutes.
- Current System: Takes 20–40 minutes to update.
- pqRPKI: Can update in under 2 minutes.
- Why it matters: If a hacker tries to hijack a route, the internet can detect and block it almost instantly, rather than waiting an hour for the "Traffic Control Center" to catch up.

Summary in One Sentence

pqRPKI saves the internet from future quantum hackers by moving the heavy security work from individual "books" to a single, smart "Master Receipt," making the system faster, smaller, and ready for the future without breaking the present.

Here is a detailed technical summary of the paper "pqRPKI: A Practical RPKI Architecture for the Post-Quantum Era."

1. Problem Statement

The Resource Public Key Infrastructure (RPKI) is the Internet's mechanism for securing BGP routing by binding IP prefixes to authorized Autonomous Systems (AS). Currently, RPKI relies on RSA-2048 signatures. With the advent of quantum computing, RSA is vulnerable, necessitating a transition to Post-Quantum Cryptography (PQC).

However, a naïve replacement of RSA with PQC signatures (e.g., Falcon, ML-DSA) is impractical for RPKI due to its unique "bulk" operational model:

Volume: Relying Parties (RPs) must download and validate the entire global repository (hundreds of thousands of objects) every 20–60 minutes.
Overhead: PQC keys and signatures are significantly larger than RSA (e.g., Falcon signatures are ~3x larger). A direct swap would inflate repository sizes by 1.7x to 4.0x and validation times by 1.8x to 2.6x.
Dual-Stack Transition: A long transition period is required where both RSA and PQC signatures coexist. A naïve approach would double the storage and bandwidth costs during this phase, potentially exceeding operational budgets.
Churn: RPKI objects (Manifests, CRLs, and End-Entity certificates) are re-signed frequently (every 8–24 hours). Embedding large PQC authentication paths in every object would cause massive "re-sign storms" and storage bloat.

2. Methodology: The pqRPKI Architecture

The authors propose pqRPKI, a framework that reorganizes where authentication material lives to leverage RPKI's bulk processing nature. Instead of embedding PQC verification data in every object, it moves this data to the Manifest and utilizes a Multi-level Merkle Tree Ladder (MTL).

Key Design Innovations:

Manifest-Driven Verification Material:
- In standard MTL designs (like DNSSEC), authentication paths (sibling hashes) are embedded in every object.
- pqRPKI relocates the leaf index ( $i$ ) and authentication path ( $\Pi_i$ ) out of the objects and into the Manifest.
- The Manifest acts as a "shared verification channel." RPs fetch the Manifest once per cycle, which contains the ordered file list and leaf commitments ( $H_{0i}$ ).
- Benefit: Object sizes remain small and stable; updates to the ladder (adding/removing objects) only require updating the Manifest and a small suffix of the tree, avoiding a "re-sign storm" across all objects.
Multi-level Merkle Tree Ladder (MTL) with Depth-0 Rungs:
- Object Rungs: Published routing objects (ROAs, etc.) form the leaves of the ladder.
- Metadata Rungs (Depth-0): The Manifest and CRL are modeled as single-leaf, depth-0 rungs appended to the ladder.
- Benefit: Since Manifests and CRLs are re-signed frequently, isolating them as depth-0 rungs ensures that routine metadata refreshes do not perturb the stable object tree or require re-hashing the entire structure.
Deletion without Re-indexing:
- To avoid re-indexing the entire tree when an object is deleted (which would invalidate all subsequent paths), pqRPKI uses placeholders in the Manifest.
- Deleted objects are marked with a placeholder (e.g., 'D') in the file list, but their leaf commitment ( $H_{0i}$ ) is retained. This preserves the tree structure and indices while the object is removed from the repository.
Ladder-Guided Synchronization & Bulk Verification:
- Top-Down Sync: RPs check the authenticated ladder root first. If the root matches the cache, no further action is needed. If it differs, the RP fetches the Manifest to identify exactly which subtrees changed.
- Bottom-Up Bulk Verification: Instead of verifying each object independently (re-hashing shared internal nodes multiple times), the RP reconstructs the tree level-by-level. Internal nodes are computed exactly once per cycle, drastically reducing CPU load.
Backward Compatibility:
- pqRPKI is additive. It preserves existing RSA signatures and object payloads.
- Legacy validators continue to validate RSA unchanged, while upgraded validators use the Manifest and MTL for PQC validation. This enables a seamless dual-stack deployment.

3. Key Contributions

A PQC-Tailored Architecture: The first RPKI design that integrates MTL specifically for the RPKI bulk model, moving verification data to the Manifest to minimize object bloat.
Operational Workflow: A new synchronization and validation workflow that localizes changes via the Manifest and enables $O(N)$ bulk verification (vs. $O(N \log N)$ in naïve MTL).
Practical Migration Path: A design that supports hosted and delegated CA operations, preserves current ROA encodings, and allows for incremental deployment with minimal overhead.
Prototype Implementation: A working implementation of a Publication Point (PP) and Relying Party (RP) evaluated against real-world production data.

4. Results

The authors evaluated pqRPKI using a 7-day dataset of global RPKI repositories (approx. 466k objects, 886 MB).

Repository Size:
- PQC-Only Mode: pqRPKI reduces the repository footprint to 546.8 MB.
  - This is 65.5% smaller than a naïve Falcon implementation and 83.1% smaller than ML-DSA.
  - It is even 35.9% smaller than today's RSA-based RPKI (853.2 MB) because it eliminates redundant path data.
- Dual-Stack Mode (RSA + PQC): pqRPKI adds only 3.4% overhead (882.4 MB total) compared to current RSA-only RPKI. This solves the critical storage bottleneck for the transition period.
- With Compression: When combined with "Null Scheme" or "iRPKI" compression, the dual-stack footprint drops to 159.1 MB.
Validation & Synchronization Speed:
- Full-Cycle Validation: Reduced to 102.7 seconds (vs. 213.2s for RSA and 404.6s for naïve ML-DSA).
- End-to-End Time (PP to Router): Achieved 118.3 seconds, enabling sub-2-minute operating cadences. This is a 1.9x improvement over RSA and 3.6x faster than naïve PQC.
- Signing Time: Bulk signing time for the largest registry (ARIN) dropped from 183.8s (RSA) to 16.8s (pqRPKI), a 90.9% reduction.
Agility: The system handles high-frequency updates (per-minute) with an average latency of 112.3 ms, proving it can support near real-time routing policy enforcement.

5. Significance

Feasibility of PQC Transition: pqRPKI demonstrates that a Post-Quantum transition for RPKI is operationally feasible without requiring massive infrastructure upgrades or accepting prohibitive bandwidth costs.
Real-Time Security: By reducing the validation cycle to under 2 minutes, pqRPKI transforms RPKI from a periodic check into a near real-time defense mechanism, significantly shrinking the "window of vulnerability" for route hijacks.
Scalability: The architecture proves that Merkle Tree Ladders can be adapted for large-scale, hierarchical PKI systems (like RPKI) where they were previously considered too complex or inefficient due to re-indexing costs.
Ecosystem Compatibility: The additive nature of the design ensures that the transition does not break existing tools or require a "big bang" cutover, addressing the primary concern of network operators regarding backward compatibility.

In summary, pqRPKI solves the scaling crisis of Post-Quantum RPKI by shifting the burden of authentication from individual objects to a centralized, efficient metadata channel (the Manifest), enabling a secure, fast, and low-overhead transition to the quantum era.