Post-Quantum Identity-Based TLS for 5G Service-Based Architecture and Cloud-Native Infrastructure

Cloud-native application platforms and latency-sensitive systems such as 5G Core networks rely heavily on certificate-based Public Key Infrastructure (PKI) and mutual TLS to secure service-to-service communication. While effective, this model introduces significant operational and performance overhead, which is further amplified in the post-quantum setting due to large certificates and expensive signature verification. In this paper, we present a certificate-free authentication framework for private distributed systems based on post-quantum Identity-Based Encryption(IBE). Our design replaces certificate and signature based authentication with identity-derived keys and identity-based key encapsulation, enabling mutually authenticated TLS connections without certificate transmission or validation. We describe an IBE-based replacement for private PKI, including identity lifecycle management, and show how it can be instantiated using a threshold Private Key Generator (T-PKG). We apply this framework to cloud-native application deployments and latency-sensitive 5G Core networks. In particular, we demonstrate how identity-based TLS integrates with the 5G Service-Based Architecture while preserving security semantics and 3GPP requirements, and we show how the same architecture can replace private PKI in Kubernetes, including its control plane, without disrupting existing trust domains or deployment models.

💡 Research Summary

The paper tackles the growing inefficiency of certificate‑based private PKI in modern, latency‑sensitive, cloud‑native environments such as 5G Core networks and Kubernetes clusters, especially when transitioning to post‑quantum cryptography. Traditional X.509 certificates encode identities that are already known to the system, leading to unnecessary operational complexity (issuance, distribution, rotation, revocation) and, in the post‑quantum era, to large certificate sizes and costly signature verification. The authors argue that in private, single‑administrative‑domain deployments, authentication should be reduced to proving possession of a system‑defined identity rather than verifying an external credential.

To this end, they propose a certificate‑free authentication framework built on post‑quantum Identity‑Based Encryption (IBE). In IBE, a public key is derived directly from an identity string (e.g., service name, namespace) together with a set of public parameters, eliminating the need for pre‑distributed public keys or certificates. Private keys are generated by a Private Key Generator (PKG). To mitigate the single‑point‑of‑failure risk inherent in PKG, the paper introduces a Threshold PKG (T‑PKG) that distributes the master secret across multiple authorities using lattice‑based secret‑sharing techniques, providing fault tolerance and stronger trust assumptions.

The core contribution is an IBE‑based TLS 1.3 protocol (IBE‑TLS). The authors retain the TLS record layer and key schedule unchanged but replace the CertificateVerify and signature verification steps with an identity‑based key encapsulation mechanism (ID‑ML‑KEM), a post‑quantum KEM derived from the NIST‑standardized ML‑KEM (FIPS 203). During the handshake, a client derives the server’s public key from its identity, encapsulates a shared secret, and sends the ciphertext. The server decapsulates it using its identity‑derived private key; successful decapsulation implicitly authenticates the server. Mutual authentication is achieved by performing the same operation in the opposite direction, thus providing a drop‑in replacement for mutual TLS (mTLS) without any certificates or signatures.

Performance benefits stem from two sources: (1) removal of certificate transmission, chain validation, and signature verification, which in post‑quantum settings can add several kilobytes and tens of milliseconds per handshake; (2) reuse of the efficient ML‑KEM for the Diffie‑Hellman‑like key exchange, keeping computational cost comparable to classical KEM‑only TLS drafts. The authors claim latency reductions of 10–20 % in typical 5G SBA procedures, where a single subscriber registration may involve dozens of NF‑to‑NF TLS handshakes. In Kubernetes, the same approach eliminates the need for cert‑manager, kube‑adm generated certificates, and the associated rotation pipelines for API server, etcd, and kubelet communication.

Security analysis demonstrates compliance with 3GPP security requirements (authentication, integrity, confidentiality, key management). Because identity keys are issued according to system policy, the framework naturally integrates with existing RBAC and admission‑control mechanisms, offering stronger policy‑driven authentication than certificate chains. The lattice‑based IBE construction and the underlying ML‑KEM provide provable post‑quantum security under standard hardness assumptions.

The paper also surveys related work: AuthKEM drafts that replace signatures with KEMs but still rely on certificates, classical IBE‑TLS proposals that lack post‑quantum instantiation, and threshold PKG constructions for lattice‑based IBE. It positions its contribution as the first to combine a post‑quantum IBE primitive, a threshold PKG, and a full‑stack deployment in both 5G SBA and Kubernetes, addressing identity lifecycle management, revocation (handled via identity de‑provisioning), and trust‑domain integration.

Limitations acknowledged include the need for a secure, highly available PKG infrastructure, the difficulty of immediate key revocation after identity retirement (since past ciphertexts remain decryptable), and the absence of a standardized IBE‑TLS extension in the IETF TLS working group. Future work is suggested on dynamic delegation, cross‑domain federation, and formal standardization of IBE‑TLS extensions.

In summary, the authors present a practical, post‑quantum‑secure, certificate‑free TLS solution that reduces operational overhead, improves latency, and aligns authentication semantics with the reality of private, centrally managed cloud‑native and 5G environments.