Paper 2026/1416

Beyond Size: Do Hybrid PQC Certificates Actually Enforce the Classical–PQC Binding? A Cost-and-Security Study

Minwoo Lee, Hansung University
Minjoo Sim, Hansung University
Siwoo Eum, Hansung University
Subeen Cho, Hansung University
Yulim Hyoung, Hansung University
Hwajeong Seo, Hansung University
Abstract

As TLS 1.3 migrates to post-quantum cryptography (PQC), hybrid X.509 transition strategies—alternative-signature (Catalyst), Composite, Chameleon, and signature combiners—are compared on cost but rarely on whether they actually enforce the classical↔PQC binding they promise. We show they often do not, and that the failure persists even in stacks that do check the binding. The same BouncyCastle library accepts a Catalyst certificate carrying a forged ML-DSA signature on its default path yet rejects it via an opt-in call; and wolfSSL, the only stack that checks a present alternative signature by default, cannot require one, so a stripped certificate is silently accepted (a path whose experimental build also shipped CVE-2026-5393). That no stack can mandate the binding is the surprise; that an ignored non-critical extension is skipped by nine verifiers is the expected X.509 baseline, which we reproduce with an independent non-BouncyCastle generator. Composite, by contrast, binds structurally (three verifiers across three OID families reject corruption of either half). Folding this measured enforcement axis into a four-axis cost model (strategy sizes differ by under 4.4%) overturns the cost-led recommendation: once enforcement is priced in, the compatibility winner Catalyst is displaced by a structurally-bound encoding—a combiner where the operator controls both endpoints, or Composite once a like-for-like P-256 pairing ships. A compatibility-led ranking can thus recommend a strategy whose PQC protection no deployed verifier enforces.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Preprint.
Keywords
Post-quantum cryptographyX.509TLS 1.3Hybrid certificatesML-DSACrypto agility
Contact author(s)
minunejip @ gmail com
minjoos9797 @ gmail com
shuraatum @ gmail com
chosubin1208 @ gmail com
yulim4hyoung @ gmail com
hwajeong84 @ gmail com
History
2026-07-16: approved
2026-07-11: received
See all versions
Short URL
https://ia.cr/2026/1416
License
No rights reserved
CC0

BibTeX

@misc{cryptoeprint:2026/1416,
      author = {Minwoo Lee and Minjoo Sim and Siwoo Eum and Subeen Cho and Yulim Hyoung and Hwajeong Seo},
      title = {Beyond Size: Do Hybrid {PQC} Certificates Actually Enforce the Classical–{PQC} Binding? A Cost-and-Security Study},
      howpublished = {Cryptology {ePrint} Archive, Paper 2026/1416},
      year = {2026},
      url = {https://eprint.iacr.org/2026/1416}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.