Paper 2026/1416
Beyond Size: Do Hybrid PQC Certificates Actually Enforce the Classical–PQC Binding? A Cost-and-Security Study
Abstract
As TLS 1.3 migrates to post-quantum cryptography (PQC), hybrid X.509 transition strategies—alternative-signature (Catalyst), Composite, Chameleon, and signature combiners—are compared on cost but rarely on whether they actually enforce the classical↔PQC binding they promise. We show they often do not, and that the failure persists even in stacks that do check the binding. The same BouncyCastle library accepts a Catalyst certificate carrying a forged ML-DSA signature on its default path yet rejects it via an opt-in call; and wolfSSL, the only stack that checks a present alternative signature by default, cannot require one, so a stripped certificate is silently accepted (a path whose experimental build also shipped CVE-2026-5393). That no stack can mandate the binding is the surprise; that an ignored non-critical extension is skipped by nine verifiers is the expected X.509 baseline, which we reproduce with an independent non-BouncyCastle generator. Composite, by contrast, binds structurally (three verifiers across three OID families reject corruption of either half). Folding this measured enforcement axis into a four-axis cost model (strategy sizes differ by under 4.4%) overturns the cost-led recommendation: once enforcement is priced in, the compatibility winner Catalyst is displaced by a structurally-bound encoding—a combiner where the operator controls both endpoints, or Composite once a like-for-like P-256 pairing ships. A compatibility-led ranking can thus recommend a strategy whose PQC protection no deployed verifier enforces.
Metadata
- Available format(s)
-
PDF
- Category
- Implementation
- Publication info
- Preprint.
- Keywords
- Post-quantum cryptographyX.509TLS 1.3Hybrid certificatesML-DSACrypto agility
- Contact author(s)
-
minunejip @ gmail com
minjoos9797 @ gmail com
shuraatum @ gmail com
chosubin1208 @ gmail com
yulim4hyoung @ gmail com
hwajeong84 @ gmail com - History
- 2026-07-16: approved
- 2026-07-11: received
- See all versions
- Short URL
- https://ia.cr/2026/1416
- License
-
CC0
BibTeX
@misc{cryptoeprint:2026/1416,
author = {Minwoo Lee and Minjoo Sim and Siwoo Eum and Subeen Cho and Yulim Hyoung and Hwajeong Seo},
title = {Beyond Size: Do Hybrid {PQC} Certificates Actually Enforce the Classical–{PQC} Binding? A Cost-and-Security Study},
howpublished = {Cryptology {ePrint} Archive, Paper 2026/1416},
year = {2026},
url = {https://eprint.iacr.org/2026/1416}
}