# Lab-01: Classical vs Post-Quantum

## Same PKI, Different Crypto

**Key Message:** Same workflow, new capabilities. The PKI must evolve to handle multiple algorithms — but your commands stay the same.
## The Scenario

“I want to issue post-quantum certificates. Does it change my PKI workflow?”

Short answer: No. The PKI workflow is identical. Only the algorithm name changes.
```text
┌──────────────────────────────────────────────────────────────┐
│   CLASSICAL                        POST-QUANTUM              │
│   ─────────                        ────────────              │
│                                                              │
│   ROOT CA                          ROOT CA                   │
│   ECDSA P-384                      ML-DSA-65                 │
│      │                                │                      │
│      │ Signs                          │ Signs                │
│      ▼                                ▼                      │
│   TLS CERT                         TLS CERT                  │
│   server.crt                       server.crt                │
│                                                              │
│          Same workflow — different algorithm                 │
└──────────────────────────────────────────────────────────────┘
```

## What We’ll Do

- Create a classical Root CA (ECDSA P-384)
- Issue a TLS certificate (ECDSA P-384)
- Create a post-quantum Root CA (ML-DSA-65)
- Issue a TLS certificate (ML-DSA-65)
- Compare sizes
## Run the Demo

```bash
./journey/01-quickstart/demo.sh
```

Duration: 10 minutes
## The Commands

After running the demo, artifacts are in `output/`.

Profiles: See `profiles/` in this directory to customize algorithms or extensions.
### Step 1: Create Classical Root CA

```bash
qpki ca init --profile profiles/classic-root-ca.yaml \
  --var cn="Classic Root CA" --ca-dir ./classic-ca
```

### Step 2: Issue Classical TLS Certificate

```bash
# Generate key and CSR
qpki csr gen --algorithm ecdsa-p384 \
  --keyout classic-server.key \
  --cn classic.example.com \
  --out classic-server.csr

# Issue the certificate from the classical CA
qpki cert issue --ca-dir ./classic-ca \
  --profile profiles/classic-tls-server.yaml \
  --csr classic-server.csr \
  --out classic-server.crt
```

### Step 3: Create Post-Quantum Root CA

```bash
qpki ca init --profile profiles/pqc-root-ca.yaml \
  --var cn="PQ Root CA" --ca-dir ./pqc-ca
```

### Step 4: Issue Post-Quantum TLS Certificate

```bash
# Generate key and CSR
qpki csr gen --algorithm ml-dsa-65 \
  --keyout pq-server.key \
  --cn pq.example.com \
  --out pq-server.csr

# Issue the certificate from the post-quantum CA
qpki cert issue --ca-dir ./pqc-ca \
  --profile profiles/pqc-tls-server.yaml \
  --csr pq-server.csr \
  --out pq-server.crt
```

Notice anything? The workflow is identical. Only the algorithm name changes.

Tip: Use `qpki inspect <cert>` for a quick overview, or `openssl x509 -in <cert> -text -noout` for detailed ASN.1 output.
## Expected Results

### Size Comparison\*

| Metric | Classical (ECDSA P-384) | Post-Quantum (ML-DSA-65) | Ratio |
|---|---|---|---|
| Public key | 97 bytes | 1,952 bytes | 20x |
| Signature | 96 bytes | 3,309 bytes | 34x |
| Certificate | ~1 KB | ~6 KB | ~6x |
\* Source: NIST FIPS 204, Table 2. Certificate sizes depend on extensions.
### Performance Comparison (ML-DSA-65 vs ECDSA P-384)

| Operation | Ratio |
|---|---|
| Key generation | 3x faster |
| Signing | ~20% faster |
| Verification | 2x faster |
Details: Algorithm Reference
The trade-off: Larger sizes, but faster operations and quantum resistance.
## Key Takeaway

Switching to post-quantum is a profile change, not an architecture change.

The workflow stays identical: `qpki ca init` → `qpki csr gen` → `qpki cert issue` → X.509 certificates.

Only the algorithm (and sizes) change.
Note: While the workflow stays identical, your PKI infrastructure must evolve to support:
- Multiple algorithms in parallel (hybrid certificates)
- Crypto-agile enrollment (attestation for KEM keys)
- CA versioning for reversible migration
You’ll explore these capabilities in Lab-03, Lab-09, and Lab-10.
## Security Timeline

```text
         Today              Q-Day                                Future
         (2025)            (~2035)                              (2050+)
         │                  │                                      │
ECDSA    ├──────────────────┼──────────────────────────────────────┤
         │      SECURE      │                BROKEN                │
         │                  │                                      │
ML-DSA   ├──────────────────┼──────────────────────────────────────┤
         │      SECURE      │                SECURE                │
         │                  │                                      │
```

Q-Day: NIST recommends completing PQC migration by 2030-2035. See The Revelation for threat analysis.
## Migration Path

```text
     TODAY                  TRANSITION                  FUTURE
       │                        │                          │
       ▼                        ▼                          ▼
┌──────────┐            ┌──────────────┐            ┌──────────┐
│ Classical│            │    Hybrid    │            │   PQC    │
│   PKI    │ ────────►  │     PKI      │  ──────►   │   PKI    │
│  (ECDSA) │            │(ECDSA+ML-DSA)│            │ (ML-DSA) │
└──────────┘            └──────────────┘            └──────────┘
100% Compatible     100% Compatible with both      Quantum-Safe
```